@azure/msal-common 15.2.0 → 15.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +43 -258
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +29 -41
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +1 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +4 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +4 -3
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +6 -2
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +6 -2
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +6 -2
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.d.ts +3 -0
- package/dist/network/RequestThumbprint.d.ts.map +1 -1
- package/dist/network/RequestThumbprint.mjs +24 -0
- package/dist/network/RequestThumbprint.mjs.map +1 -0
- package/dist/network/ThrottlingUtils.d.ts.map +1 -1
- package/dist/network/ThrottlingUtils.mjs +3 -13
- package/dist/network/ThrottlingUtils.mjs.map +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/BaseAuthRequest.d.ts +2 -0
- package/dist/request/BaseAuthRequest.d.ts.map +1 -1
- package/dist/request/CommonAuthorizationCodeRequest.d.ts +0 -2
- package/dist/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
- package/dist/request/CommonDeviceCodeRequest.d.ts +1 -1
- package/dist/request/CommonDeviceCodeRequest.d.ts.map +1 -1
- package/dist/request/CommonRefreshTokenRequest.d.ts +0 -2
- package/dist/request/CommonRefreshTokenRequest.d.ts.map +1 -1
- package/dist/request/CommonSilentFlowRequest.d.ts +0 -3
- package/dist/request/CommonSilentFlowRequest.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +206 -218
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +356 -369
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +72 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +7 -52
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +2 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.d.ts +10 -0
- package/dist/utils/TimeUtils.d.ts.map +1 -1
- package/dist/utils/TimeUtils.mjs +20 -2
- package/dist/utils/TimeUtils.mjs.map +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +12 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +4 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node-0IMDqzO0.js → index-node-BjtDFnOl.js} +828 -805
- package/lib/index-node-BjtDFnOl.js.map +1 -0
- package/lib/index-node.cjs +4 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +4 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +1 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +4 -3
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/network/RequestThumbprint.d.ts +3 -0
- package/lib/types/network/RequestThumbprint.d.ts.map +1 -1
- package/lib/types/network/ThrottlingUtils.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/BaseAuthRequest.d.ts +2 -0
- package/lib/types/request/BaseAuthRequest.d.ts.map +1 -1
- package/lib/types/request/CommonAuthorizationCodeRequest.d.ts +0 -2
- package/lib/types/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
- package/lib/types/request/CommonDeviceCodeRequest.d.ts +1 -1
- package/lib/types/request/CommonDeviceCodeRequest.d.ts.map +1 -1
- package/lib/types/request/CommonRefreshTokenRequest.d.ts +0 -2
- package/lib/types/request/CommonRefreshTokenRequest.d.ts.map +1 -1
- package/lib/types/request/CommonSilentFlowRequest.d.ts +0 -3
- package/lib/types/request/CommonSilentFlowRequest.d.ts.map +1 -1
- package/lib/types/request/RequestParameterBuilder.d.ts +206 -218
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +72 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/TimeUtils.d.ts +10 -0
- package/lib/types/utils/TimeUtils.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/client/AuthorizationCodeClient.ts +89 -409
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +66 -44
- package/src/constants/AADServerParamKeys.ts +1 -0
- package/src/exports-common.ts +8 -3
- package/src/network/RequestThumbprint.ts +23 -0
- package/src/network/ThrottlingUtils.ts +9 -14
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/BaseAuthRequest.ts +2 -0
- package/src/request/CommonAuthorizationCodeRequest.ts +0 -2
- package/src/request/CommonDeviceCodeRequest.ts +1 -1
- package/src/request/CommonRefreshTokenRequest.ts +0 -2
- package/src/request/CommonSilentFlowRequest.ts +0 -3
- package/src/request/RequestParameterBuilder.ts +508 -543
- package/src/response/AuthorizeResponse.ts +76 -0
- package/src/response/ResponseHandler.ts +8 -104
- package/src/telemetry/performance/PerformanceEvent.ts +1 -11
- package/src/utils/TimeUtils.ts +20 -0
- package/src/utils/UrlUtils.ts +18 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node-0IMDqzO0.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
|
@@ -4,14 +4,13 @@
|
|
|
4
4
|
*/
|
|
5
5
|
|
|
6
6
|
import { BaseClient } from "./BaseClient.js";
|
|
7
|
-
import { CommonAuthorizationUrlRequest } from "../request/CommonAuthorizationUrlRequest.js";
|
|
8
7
|
import { CommonAuthorizationCodeRequest } from "../request/CommonAuthorizationCodeRequest.js";
|
|
9
8
|
import { Authority } from "../authority/Authority.js";
|
|
10
|
-
import
|
|
9
|
+
import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
|
|
10
|
+
import * as UrlUtils from "../utils/UrlUtils.js";
|
|
11
11
|
import {
|
|
12
12
|
GrantType,
|
|
13
13
|
AuthenticationScheme,
|
|
14
|
-
PromptValue,
|
|
15
14
|
Separators,
|
|
16
15
|
HeaderNames,
|
|
17
16
|
} from "../utils/Constants.js";
|
|
@@ -30,13 +29,10 @@ import {
|
|
|
30
29
|
createClientAuthError,
|
|
31
30
|
} from "../error/ClientAuthError.js";
|
|
32
31
|
import { UrlString } from "../url/UrlString.js";
|
|
33
|
-
import { ServerAuthorizationCodeResponse } from "../response/ServerAuthorizationCodeResponse.js";
|
|
34
32
|
import { CommonEndSessionRequest } from "../request/CommonEndSessionRequest.js";
|
|
35
33
|
import { PopTokenGenerator } from "../crypto/PopTokenGenerator.js";
|
|
36
|
-
import { RequestThumbprint } from "../network/RequestThumbprint.js";
|
|
37
34
|
import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
|
|
38
35
|
import * as TimeUtils from "../utils/TimeUtils.js";
|
|
39
|
-
import { AccountInfo } from "../account/AccountInfo.js";
|
|
40
36
|
import {
|
|
41
37
|
buildClientInfoFromHomeAccountId,
|
|
42
38
|
buildClientInfo,
|
|
@@ -52,6 +48,7 @@ import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent.js"
|
|
|
52
48
|
import { invokeAsync } from "../utils/FunctionWrappers.js";
|
|
53
49
|
import { ClientAssertion } from "../account/ClientCredentials.js";
|
|
54
50
|
import { getClientAssertion } from "../utils/ClientAssertionUtils.js";
|
|
51
|
+
import { getRequestThumbprint } from "../network/RequestThumbprint.js";
|
|
55
52
|
|
|
56
53
|
/**
|
|
57
54
|
* Oauth2.0 Authorization Code client
|
|
@@ -71,38 +68,6 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
71
68
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
72
69
|
}
|
|
73
70
|
|
|
74
|
-
/**
|
|
75
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
76
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
77
|
-
* application object.
|
|
78
|
-
*
|
|
79
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
80
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
81
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
82
|
-
* @param request
|
|
83
|
-
*/
|
|
84
|
-
async getAuthCodeUrl(
|
|
85
|
-
request: CommonAuthorizationUrlRequest
|
|
86
|
-
): Promise<string> {
|
|
87
|
-
this.performanceClient?.addQueueMeasurement(
|
|
88
|
-
PerformanceEvents.GetAuthCodeUrl,
|
|
89
|
-
request.correlationId
|
|
90
|
-
);
|
|
91
|
-
|
|
92
|
-
const queryString = await invokeAsync(
|
|
93
|
-
this.createAuthCodeUrlQueryString.bind(this),
|
|
94
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
95
|
-
this.logger,
|
|
96
|
-
this.performanceClient,
|
|
97
|
-
request.correlationId
|
|
98
|
-
)(request);
|
|
99
|
-
|
|
100
|
-
return UrlString.appendQueryString(
|
|
101
|
-
this.authority.authorizationEndpoint,
|
|
102
|
-
queryString
|
|
103
|
-
);
|
|
104
|
-
}
|
|
105
|
-
|
|
106
71
|
/**
|
|
107
72
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
108
73
|
* authorization_code_grant
|
|
@@ -167,41 +132,6 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
167
132
|
);
|
|
168
133
|
}
|
|
169
134
|
|
|
170
|
-
/**
|
|
171
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
172
|
-
* the client to exchange for a token in acquireToken.
|
|
173
|
-
* @param hashFragment
|
|
174
|
-
*/
|
|
175
|
-
handleFragmentResponse(
|
|
176
|
-
serverParams: ServerAuthorizationCodeResponse,
|
|
177
|
-
cachedState: string
|
|
178
|
-
): AuthorizationCodePayload {
|
|
179
|
-
// Handle responses.
|
|
180
|
-
const responseHandler = new ResponseHandler(
|
|
181
|
-
this.config.authOptions.clientId,
|
|
182
|
-
this.cacheManager,
|
|
183
|
-
this.cryptoUtils,
|
|
184
|
-
this.logger,
|
|
185
|
-
null,
|
|
186
|
-
null
|
|
187
|
-
);
|
|
188
|
-
|
|
189
|
-
// Get code response
|
|
190
|
-
responseHandler.validateServerAuthorizationCodeResponse(
|
|
191
|
-
serverParams,
|
|
192
|
-
cachedState
|
|
193
|
-
);
|
|
194
|
-
|
|
195
|
-
// throw when there is no auth code in the response
|
|
196
|
-
if (!serverParams.code) {
|
|
197
|
-
throw createClientAuthError(
|
|
198
|
-
ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse
|
|
199
|
-
);
|
|
200
|
-
}
|
|
201
|
-
|
|
202
|
-
return serverParams as AuthorizationCodePayload;
|
|
203
|
-
}
|
|
204
|
-
|
|
205
135
|
/**
|
|
206
136
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
207
137
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -272,19 +202,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
272
202
|
ccsCredential || request.ccsCredential
|
|
273
203
|
);
|
|
274
204
|
|
|
275
|
-
const thumbprint
|
|
276
|
-
clientId
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
authority: authority.canonicalAuthority,
|
|
280
|
-
scopes: request.scopes,
|
|
281
|
-
claims: request.claims,
|
|
282
|
-
authenticationScheme: request.authenticationScheme,
|
|
283
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
284
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
285
|
-
shrClaims: request.shrClaims,
|
|
286
|
-
sshKid: request.sshKid,
|
|
287
|
-
};
|
|
205
|
+
const thumbprint = getRequestThumbprint(
|
|
206
|
+
this.config.authOptions.clientId,
|
|
207
|
+
request
|
|
208
|
+
);
|
|
288
209
|
|
|
289
210
|
return invokeAsync(
|
|
290
211
|
this.executePostToTokenEndpoint.bind(this),
|
|
@@ -314,12 +235,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
314
235
|
request.correlationId
|
|
315
236
|
);
|
|
316
237
|
|
|
317
|
-
const
|
|
318
|
-
request.correlationId,
|
|
319
|
-
this.performanceClient
|
|
320
|
-
);
|
|
238
|
+
const parameters = new Map<string, string>();
|
|
321
239
|
|
|
322
|
-
|
|
240
|
+
RequestParameterBuilder.addClientId(
|
|
241
|
+
parameters,
|
|
323
242
|
request.embeddedClientId ||
|
|
324
243
|
request.tokenBodyParameters?.[AADServerParamKeys.CLIENT_ID] ||
|
|
325
244
|
this.config.authOptions.clientId
|
|
@@ -334,37 +253,52 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
334
253
|
RequestValidator.validateRedirectUri(request.redirectUri);
|
|
335
254
|
} else {
|
|
336
255
|
// Validate and include redirect uri
|
|
337
|
-
|
|
256
|
+
RequestParameterBuilder.addRedirectUri(
|
|
257
|
+
parameters,
|
|
258
|
+
request.redirectUri
|
|
259
|
+
);
|
|
338
260
|
}
|
|
339
261
|
|
|
340
262
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
341
|
-
|
|
263
|
+
RequestParameterBuilder.addScopes(
|
|
264
|
+
parameters,
|
|
342
265
|
request.scopes,
|
|
343
266
|
true,
|
|
344
267
|
this.oidcDefaultScopes
|
|
345
268
|
);
|
|
346
269
|
|
|
347
270
|
// add code: user set, not validated
|
|
348
|
-
|
|
271
|
+
RequestParameterBuilder.addAuthorizationCode(parameters, request.code);
|
|
349
272
|
|
|
350
273
|
// Add library metadata
|
|
351
|
-
|
|
352
|
-
|
|
274
|
+
RequestParameterBuilder.addLibraryInfo(
|
|
275
|
+
parameters,
|
|
276
|
+
this.config.libraryInfo
|
|
277
|
+
);
|
|
278
|
+
RequestParameterBuilder.addApplicationTelemetry(
|
|
279
|
+
parameters,
|
|
353
280
|
this.config.telemetry.application
|
|
354
281
|
);
|
|
355
|
-
|
|
282
|
+
RequestParameterBuilder.addThrottling(parameters);
|
|
356
283
|
|
|
357
284
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
358
|
-
|
|
285
|
+
RequestParameterBuilder.addServerTelemetry(
|
|
286
|
+
parameters,
|
|
287
|
+
this.serverTelemetryManager
|
|
288
|
+
);
|
|
359
289
|
}
|
|
360
290
|
|
|
361
291
|
// add code_verifier if passed
|
|
362
292
|
if (request.codeVerifier) {
|
|
363
|
-
|
|
293
|
+
RequestParameterBuilder.addCodeVerifier(
|
|
294
|
+
parameters,
|
|
295
|
+
request.codeVerifier
|
|
296
|
+
);
|
|
364
297
|
}
|
|
365
298
|
|
|
366
299
|
if (this.config.clientCredentials.clientSecret) {
|
|
367
|
-
|
|
300
|
+
RequestParameterBuilder.addClientSecret(
|
|
301
|
+
parameters,
|
|
368
302
|
this.config.clientCredentials.clientSecret
|
|
369
303
|
);
|
|
370
304
|
}
|
|
@@ -373,20 +307,25 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
373
307
|
const clientAssertion: ClientAssertion =
|
|
374
308
|
this.config.clientCredentials.clientAssertion;
|
|
375
309
|
|
|
376
|
-
|
|
310
|
+
RequestParameterBuilder.addClientAssertion(
|
|
311
|
+
parameters,
|
|
377
312
|
await getClientAssertion(
|
|
378
313
|
clientAssertion.assertion,
|
|
379
314
|
this.config.authOptions.clientId,
|
|
380
315
|
request.resourceRequestUri
|
|
381
316
|
)
|
|
382
317
|
);
|
|
383
|
-
|
|
318
|
+
RequestParameterBuilder.addClientAssertionType(
|
|
319
|
+
parameters,
|
|
384
320
|
clientAssertion.assertionType
|
|
385
321
|
);
|
|
386
322
|
}
|
|
387
323
|
|
|
388
|
-
|
|
389
|
-
|
|
324
|
+
RequestParameterBuilder.addGrantType(
|
|
325
|
+
parameters,
|
|
326
|
+
GrantType.AUTHORIZATION_CODE_GRANT
|
|
327
|
+
);
|
|
328
|
+
RequestParameterBuilder.addClientInfo(parameters);
|
|
390
329
|
|
|
391
330
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
392
331
|
const popTokenGenerator = new PopTokenGenerator(
|
|
@@ -409,10 +348,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
409
348
|
}
|
|
410
349
|
|
|
411
350
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
412
|
-
|
|
351
|
+
RequestParameterBuilder.addPopToken(parameters, reqCnfData);
|
|
413
352
|
} else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
414
353
|
if (request.sshJwk) {
|
|
415
|
-
|
|
354
|
+
RequestParameterBuilder.addSshJwk(parameters, request.sshJwk);
|
|
416
355
|
} else {
|
|
417
356
|
throw createClientConfigurationError(
|
|
418
357
|
ClientConfigurationErrorCodes.missingSshJwk
|
|
@@ -425,7 +364,8 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
425
364
|
(this.config.authOptions.clientCapabilities &&
|
|
426
365
|
this.config.authOptions.clientCapabilities.length > 0)
|
|
427
366
|
) {
|
|
428
|
-
|
|
367
|
+
RequestParameterBuilder.addClaims(
|
|
368
|
+
parameters,
|
|
429
369
|
request.claims,
|
|
430
370
|
this.config.authOptions.clientCapabilities
|
|
431
371
|
);
|
|
@@ -459,7 +399,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
459
399
|
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
460
400
|
ccsCred.credential
|
|
461
401
|
);
|
|
462
|
-
|
|
402
|
+
RequestParameterBuilder.addCcsOid(
|
|
403
|
+
parameters,
|
|
404
|
+
clientInfo
|
|
405
|
+
);
|
|
463
406
|
} catch (e) {
|
|
464
407
|
this.logger.verbose(
|
|
465
408
|
"Could not parse home account ID for CCS Header: " +
|
|
@@ -468,20 +411,25 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
468
411
|
}
|
|
469
412
|
break;
|
|
470
413
|
case CcsCredentialType.UPN:
|
|
471
|
-
|
|
414
|
+
RequestParameterBuilder.addCcsUpn(
|
|
415
|
+
parameters,
|
|
416
|
+
ccsCred.credential
|
|
417
|
+
);
|
|
472
418
|
break;
|
|
473
419
|
}
|
|
474
420
|
}
|
|
475
421
|
|
|
476
422
|
if (request.embeddedClientId) {
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
|
|
480
|
-
|
|
423
|
+
RequestParameterBuilder.addBrokerParameters(
|
|
424
|
+
parameters,
|
|
425
|
+
this.config.authOptions.clientId,
|
|
426
|
+
this.config.authOptions.redirectUri
|
|
427
|
+
);
|
|
481
428
|
}
|
|
482
429
|
|
|
483
430
|
if (request.tokenBodyParameters) {
|
|
484
|
-
|
|
431
|
+
RequestParameterBuilder.addExtraQueryParameters(
|
|
432
|
+
parameters,
|
|
485
433
|
request.tokenBodyParameters
|
|
486
434
|
);
|
|
487
435
|
}
|
|
@@ -494,268 +442,17 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
494
442
|
AADServerParamKeys.RETURN_SPA_CODE
|
|
495
443
|
])
|
|
496
444
|
) {
|
|
497
|
-
|
|
445
|
+
RequestParameterBuilder.addExtraQueryParameters(parameters, {
|
|
498
446
|
[AADServerParamKeys.RETURN_SPA_CODE]: "1",
|
|
499
447
|
});
|
|
500
448
|
}
|
|
501
449
|
|
|
502
|
-
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
/**
|
|
506
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
507
|
-
* @param request
|
|
508
|
-
*/
|
|
509
|
-
private async createAuthCodeUrlQueryString(
|
|
510
|
-
request: CommonAuthorizationUrlRequest
|
|
511
|
-
): Promise<string> {
|
|
512
|
-
// generate the correlationId if not set by the user and add
|
|
513
|
-
const correlationId =
|
|
514
|
-
request.correlationId ||
|
|
515
|
-
this.config.cryptoInterface.createNewGuid();
|
|
516
|
-
|
|
517
|
-
this.performanceClient?.addQueueMeasurement(
|
|
518
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
519
|
-
correlationId
|
|
520
|
-
);
|
|
521
|
-
|
|
522
|
-
const parameterBuilder = new RequestParameterBuilder(
|
|
523
|
-
correlationId,
|
|
450
|
+
RequestParameterBuilder.instrumentBrokerParams(
|
|
451
|
+
parameters,
|
|
452
|
+
request.correlationId,
|
|
524
453
|
this.performanceClient
|
|
525
454
|
);
|
|
526
|
-
|
|
527
|
-
parameterBuilder.addClientId(
|
|
528
|
-
request.embeddedClientId ||
|
|
529
|
-
request.extraQueryParameters?.[AADServerParamKeys.CLIENT_ID] ||
|
|
530
|
-
this.config.authOptions.clientId
|
|
531
|
-
);
|
|
532
|
-
|
|
533
|
-
const requestScopes = [
|
|
534
|
-
...(request.scopes || []),
|
|
535
|
-
...(request.extraScopesToConsent || []),
|
|
536
|
-
];
|
|
537
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
538
|
-
|
|
539
|
-
// validate the redirectUri (to be a non null value)
|
|
540
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
541
|
-
|
|
542
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
543
|
-
|
|
544
|
-
// add response_mode. If not passed in it defaults to query.
|
|
545
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
546
|
-
|
|
547
|
-
// add response_type = code
|
|
548
|
-
parameterBuilder.addResponseTypeCode();
|
|
549
|
-
|
|
550
|
-
// add library info parameters
|
|
551
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
552
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
553
|
-
parameterBuilder.addApplicationTelemetry(
|
|
554
|
-
this.config.telemetry.application
|
|
555
|
-
);
|
|
556
|
-
}
|
|
557
|
-
|
|
558
|
-
// add client_info=1
|
|
559
|
-
parameterBuilder.addClientInfo();
|
|
560
|
-
|
|
561
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
562
|
-
parameterBuilder.addCodeChallengeParams(
|
|
563
|
-
request.codeChallenge,
|
|
564
|
-
request.codeChallengeMethod
|
|
565
|
-
);
|
|
566
|
-
}
|
|
567
|
-
|
|
568
|
-
if (request.prompt) {
|
|
569
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
570
|
-
}
|
|
571
|
-
|
|
572
|
-
if (request.domainHint) {
|
|
573
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
574
|
-
this.performanceClient?.addFields(
|
|
575
|
-
{ domainHintFromRequest: true },
|
|
576
|
-
correlationId
|
|
577
|
-
);
|
|
578
|
-
}
|
|
579
|
-
|
|
580
|
-
this.performanceClient?.addFields(
|
|
581
|
-
{ prompt: request.prompt },
|
|
582
|
-
correlationId
|
|
583
|
-
);
|
|
584
|
-
|
|
585
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
586
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
587
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
588
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
589
|
-
// SessionID is only used in silent calls
|
|
590
|
-
this.logger.verbose(
|
|
591
|
-
"createAuthCodeUrlQueryString: Prompt is none, adding sid from request"
|
|
592
|
-
);
|
|
593
|
-
parameterBuilder.addSid(request.sid);
|
|
594
|
-
this.performanceClient?.addFields(
|
|
595
|
-
{ sidFromRequest: true },
|
|
596
|
-
correlationId
|
|
597
|
-
);
|
|
598
|
-
} else if (request.account) {
|
|
599
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
600
|
-
let accountLoginHintClaim = this.extractLoginHint(
|
|
601
|
-
request.account
|
|
602
|
-
);
|
|
603
|
-
|
|
604
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
605
|
-
this.logger.warning(
|
|
606
|
-
`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`
|
|
607
|
-
);
|
|
608
|
-
accountLoginHintClaim = null;
|
|
609
|
-
}
|
|
610
|
-
|
|
611
|
-
// If login_hint claim is present, use it over sid/username
|
|
612
|
-
if (accountLoginHintClaim) {
|
|
613
|
-
this.logger.verbose(
|
|
614
|
-
"createAuthCodeUrlQueryString: login_hint claim present on account"
|
|
615
|
-
);
|
|
616
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
617
|
-
this.performanceClient?.addFields(
|
|
618
|
-
{ loginHintFromClaim: true },
|
|
619
|
-
correlationId
|
|
620
|
-
);
|
|
621
|
-
try {
|
|
622
|
-
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
623
|
-
request.account.homeAccountId
|
|
624
|
-
);
|
|
625
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
626
|
-
} catch (e) {
|
|
627
|
-
this.logger.verbose(
|
|
628
|
-
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
629
|
-
);
|
|
630
|
-
}
|
|
631
|
-
} else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
632
|
-
/*
|
|
633
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
634
|
-
* SessionId is only used in silent calls
|
|
635
|
-
*/
|
|
636
|
-
this.logger.verbose(
|
|
637
|
-
"createAuthCodeUrlQueryString: Prompt is none, adding sid from account"
|
|
638
|
-
);
|
|
639
|
-
parameterBuilder.addSid(accountSid);
|
|
640
|
-
this.performanceClient?.addFields(
|
|
641
|
-
{ sidFromClaim: true },
|
|
642
|
-
correlationId
|
|
643
|
-
);
|
|
644
|
-
try {
|
|
645
|
-
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
646
|
-
request.account.homeAccountId
|
|
647
|
-
);
|
|
648
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
649
|
-
} catch (e) {
|
|
650
|
-
this.logger.verbose(
|
|
651
|
-
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
652
|
-
);
|
|
653
|
-
}
|
|
654
|
-
} else if (request.loginHint) {
|
|
655
|
-
this.logger.verbose(
|
|
656
|
-
"createAuthCodeUrlQueryString: Adding login_hint from request"
|
|
657
|
-
);
|
|
658
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
659
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
660
|
-
this.performanceClient?.addFields(
|
|
661
|
-
{ loginHintFromRequest: true },
|
|
662
|
-
correlationId
|
|
663
|
-
);
|
|
664
|
-
} else if (request.account.username) {
|
|
665
|
-
// Fallback to account username if provided
|
|
666
|
-
this.logger.verbose(
|
|
667
|
-
"createAuthCodeUrlQueryString: Adding login_hint from account"
|
|
668
|
-
);
|
|
669
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
670
|
-
this.performanceClient?.addFields(
|
|
671
|
-
{ loginHintFromUpn: true },
|
|
672
|
-
correlationId
|
|
673
|
-
);
|
|
674
|
-
try {
|
|
675
|
-
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
676
|
-
request.account.homeAccountId
|
|
677
|
-
);
|
|
678
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
679
|
-
} catch (e) {
|
|
680
|
-
this.logger.verbose(
|
|
681
|
-
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
682
|
-
);
|
|
683
|
-
}
|
|
684
|
-
}
|
|
685
|
-
} else if (request.loginHint) {
|
|
686
|
-
this.logger.verbose(
|
|
687
|
-
"createAuthCodeUrlQueryString: No account, adding login_hint from request"
|
|
688
|
-
);
|
|
689
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
690
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
691
|
-
this.performanceClient?.addFields(
|
|
692
|
-
{ loginHintFromRequest: true },
|
|
693
|
-
correlationId
|
|
694
|
-
);
|
|
695
|
-
}
|
|
696
|
-
} else {
|
|
697
|
-
this.logger.verbose(
|
|
698
|
-
"createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints"
|
|
699
|
-
);
|
|
700
|
-
}
|
|
701
|
-
|
|
702
|
-
if (request.nonce) {
|
|
703
|
-
parameterBuilder.addNonce(request.nonce);
|
|
704
|
-
}
|
|
705
|
-
|
|
706
|
-
if (request.state) {
|
|
707
|
-
parameterBuilder.addState(request.state);
|
|
708
|
-
}
|
|
709
|
-
|
|
710
|
-
if (
|
|
711
|
-
request.claims ||
|
|
712
|
-
(this.config.authOptions.clientCapabilities &&
|
|
713
|
-
this.config.authOptions.clientCapabilities.length > 0)
|
|
714
|
-
) {
|
|
715
|
-
parameterBuilder.addClaims(
|
|
716
|
-
request.claims,
|
|
717
|
-
this.config.authOptions.clientCapabilities
|
|
718
|
-
);
|
|
719
|
-
}
|
|
720
|
-
|
|
721
|
-
if (request.embeddedClientId) {
|
|
722
|
-
parameterBuilder.addBrokerParameters({
|
|
723
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
724
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
725
|
-
});
|
|
726
|
-
}
|
|
727
|
-
|
|
728
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
729
|
-
|
|
730
|
-
if (request.platformBroker) {
|
|
731
|
-
// signal ests that this is a WAM call
|
|
732
|
-
parameterBuilder.addNativeBroker();
|
|
733
|
-
|
|
734
|
-
// pass the req_cnf for POP
|
|
735
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
736
|
-
const popTokenGenerator = new PopTokenGenerator(
|
|
737
|
-
this.cryptoUtils
|
|
738
|
-
);
|
|
739
|
-
|
|
740
|
-
// req_cnf is always sent as a string for SPAs
|
|
741
|
-
let reqCnfData;
|
|
742
|
-
if (!request.popKid) {
|
|
743
|
-
const generatedReqCnfData = await invokeAsync(
|
|
744
|
-
popTokenGenerator.generateCnf.bind(popTokenGenerator),
|
|
745
|
-
PerformanceEvents.PopTokenGenerateCnf,
|
|
746
|
-
this.logger,
|
|
747
|
-
this.performanceClient,
|
|
748
|
-
request.correlationId
|
|
749
|
-
)(request, this.logger);
|
|
750
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
751
|
-
} else {
|
|
752
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
753
|
-
}
|
|
754
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
755
|
-
}
|
|
756
|
-
}
|
|
757
|
-
|
|
758
|
-
return parameterBuilder.createQueryString();
|
|
455
|
+
return UrlUtils.mapToQueryString(parameters);
|
|
759
456
|
}
|
|
760
457
|
|
|
761
458
|
/**
|
|
@@ -765,68 +462,51 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
765
462
|
private createLogoutUrlQueryString(
|
|
766
463
|
request: CommonEndSessionRequest
|
|
767
464
|
): string {
|
|
768
|
-
const
|
|
769
|
-
request.correlationId,
|
|
770
|
-
this.performanceClient
|
|
771
|
-
);
|
|
465
|
+
const parameters = new Map<string, string>();
|
|
772
466
|
|
|
773
467
|
if (request.postLogoutRedirectUri) {
|
|
774
|
-
|
|
468
|
+
RequestParameterBuilder.addPostLogoutRedirectUri(
|
|
469
|
+
parameters,
|
|
775
470
|
request.postLogoutRedirectUri
|
|
776
471
|
);
|
|
777
472
|
}
|
|
778
473
|
|
|
779
474
|
if (request.correlationId) {
|
|
780
|
-
|
|
475
|
+
RequestParameterBuilder.addCorrelationId(
|
|
476
|
+
parameters,
|
|
477
|
+
request.correlationId
|
|
478
|
+
);
|
|
781
479
|
}
|
|
782
480
|
|
|
783
481
|
if (request.idTokenHint) {
|
|
784
|
-
|
|
482
|
+
RequestParameterBuilder.addIdTokenHint(
|
|
483
|
+
parameters,
|
|
484
|
+
request.idTokenHint
|
|
485
|
+
);
|
|
785
486
|
}
|
|
786
487
|
|
|
787
488
|
if (request.state) {
|
|
788
|
-
|
|
489
|
+
RequestParameterBuilder.addState(parameters, request.state);
|
|
789
490
|
}
|
|
790
491
|
|
|
791
492
|
if (request.logoutHint) {
|
|
792
|
-
|
|
793
|
-
|
|
794
|
-
|
|
795
|
-
|
|
796
|
-
|
|
797
|
-
return parameterBuilder.createQueryString();
|
|
798
|
-
}
|
|
799
|
-
|
|
800
|
-
private addExtraQueryParams(
|
|
801
|
-
request: CommonAuthorizationUrlRequest | CommonEndSessionRequest,
|
|
802
|
-
parameterBuilder: RequestParameterBuilder
|
|
803
|
-
) {
|
|
804
|
-
const hasRequestInstanceAware =
|
|
805
|
-
request.extraQueryParameters &&
|
|
806
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
807
|
-
|
|
808
|
-
// Set instance_aware flag if config auth param is set
|
|
809
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
810
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
811
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
493
|
+
RequestParameterBuilder.addLogoutHint(
|
|
494
|
+
parameters,
|
|
495
|
+
request.logoutHint
|
|
496
|
+
);
|
|
812
497
|
}
|
|
813
498
|
|
|
814
499
|
if (request.extraQueryParameters) {
|
|
815
|
-
|
|
500
|
+
RequestParameterBuilder.addExtraQueryParameters(
|
|
501
|
+
parameters,
|
|
816
502
|
request.extraQueryParameters
|
|
817
503
|
);
|
|
818
504
|
}
|
|
819
|
-
}
|
|
820
505
|
|
|
821
|
-
|
|
822
|
-
|
|
823
|
-
|
|
824
|
-
*/
|
|
825
|
-
private extractAccountSid(account: AccountInfo): string | null {
|
|
826
|
-
return account.idTokenClaims?.sid || null;
|
|
827
|
-
}
|
|
506
|
+
if (this.config.authOptions.instanceAware) {
|
|
507
|
+
RequestParameterBuilder.addInstanceAware(parameters);
|
|
508
|
+
}
|
|
828
509
|
|
|
829
|
-
|
|
830
|
-
return account.idTokenClaims?.login_hint || null;
|
|
510
|
+
return UrlUtils.mapToQueryString(parameters);
|
|
831
511
|
}
|
|
832
512
|
}
|