@azure/msal-common 15.2.0 → 15.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (190) hide show
  1. package/dist/account/AccountInfo.mjs +1 -1
  2. package/dist/account/AuthToken.mjs +1 -1
  3. package/dist/account/CcsCredential.mjs +1 -1
  4. package/dist/account/ClientInfo.mjs +1 -1
  5. package/dist/account/TokenClaims.mjs +1 -1
  6. package/dist/authority/Authority.mjs +1 -1
  7. package/dist/authority/AuthorityFactory.mjs +1 -1
  8. package/dist/authority/AuthorityMetadata.mjs +1 -1
  9. package/dist/authority/AuthorityOptions.mjs +1 -1
  10. package/dist/authority/AuthorityType.mjs +1 -1
  11. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  12. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  13. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  14. package/dist/authority/ProtocolMode.mjs +1 -1
  15. package/dist/authority/RegionDiscovery.mjs +1 -1
  16. package/dist/cache/CacheManager.mjs +1 -1
  17. package/dist/cache/entities/AccountEntity.mjs +1 -1
  18. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  19. package/dist/cache/utils/CacheHelpers.mjs +1 -1
  20. package/dist/client/AuthorizationCodeClient.d.ts +0 -31
  21. package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
  22. package/dist/client/AuthorizationCodeClient.mjs +43 -258
  23. package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
  24. package/dist/client/BaseClient.d.ts.map +1 -1
  25. package/dist/client/BaseClient.mjs +9 -10
  26. package/dist/client/BaseClient.mjs.map +1 -1
  27. package/dist/client/RefreshTokenClient.d.ts.map +1 -1
  28. package/dist/client/RefreshTokenClient.mjs +29 -41
  29. package/dist/client/RefreshTokenClient.mjs.map +1 -1
  30. package/dist/client/SilentFlowClient.mjs +1 -1
  31. package/dist/config/ClientConfiguration.mjs +1 -1
  32. package/dist/constants/AADServerParamKeys.d.ts +1 -0
  33. package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
  34. package/dist/constants/AADServerParamKeys.mjs +4 -3
  35. package/dist/constants/AADServerParamKeys.mjs.map +1 -1
  36. package/dist/crypto/ICrypto.mjs +1 -1
  37. package/dist/crypto/JoseHeader.mjs +1 -1
  38. package/dist/crypto/PopTokenGenerator.mjs +1 -1
  39. package/dist/error/AuthError.mjs +1 -1
  40. package/dist/error/AuthErrorCodes.mjs +1 -1
  41. package/dist/error/CacheError.mjs +1 -1
  42. package/dist/error/CacheErrorCodes.mjs +1 -1
  43. package/dist/error/ClientAuthError.mjs +1 -1
  44. package/dist/error/ClientAuthErrorCodes.mjs +1 -1
  45. package/dist/error/ClientConfigurationError.mjs +1 -1
  46. package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
  47. package/dist/error/InteractionRequiredAuthError.mjs +1 -1
  48. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  49. package/dist/error/JoseHeaderError.mjs +1 -1
  50. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  51. package/dist/error/NetworkError.mjs +1 -1
  52. package/dist/error/ServerError.mjs +1 -1
  53. package/dist/exports-common.d.ts +4 -3
  54. package/dist/exports-common.d.ts.map +1 -1
  55. package/dist/index-browser.mjs +6 -2
  56. package/dist/index-browser.mjs.map +1 -1
  57. package/dist/index-node.mjs +6 -2
  58. package/dist/index-node.mjs.map +1 -1
  59. package/dist/index.mjs +6 -2
  60. package/dist/index.mjs.map +1 -1
  61. package/dist/logger/Logger.mjs +1 -1
  62. package/dist/network/INetworkModule.mjs +1 -1
  63. package/dist/network/RequestThumbprint.d.ts +3 -0
  64. package/dist/network/RequestThumbprint.d.ts.map +1 -1
  65. package/dist/network/RequestThumbprint.mjs +24 -0
  66. package/dist/network/RequestThumbprint.mjs.map +1 -0
  67. package/dist/network/ThrottlingUtils.d.ts.map +1 -1
  68. package/dist/network/ThrottlingUtils.mjs +3 -13
  69. package/dist/network/ThrottlingUtils.mjs.map +1 -1
  70. package/dist/packageMetadata.d.ts +1 -1
  71. package/dist/packageMetadata.mjs +2 -2
  72. package/dist/protocol/Authorize.d.ts +37 -0
  73. package/dist/protocol/Authorize.d.ts.map +1 -0
  74. package/dist/protocol/Authorize.mjs +237 -0
  75. package/dist/protocol/Authorize.mjs.map +1 -0
  76. package/dist/request/AuthenticationHeaderParser.mjs +1 -1
  77. package/dist/request/BaseAuthRequest.d.ts +2 -0
  78. package/dist/request/BaseAuthRequest.d.ts.map +1 -1
  79. package/dist/request/CommonAuthorizationCodeRequest.d.ts +0 -2
  80. package/dist/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
  81. package/dist/request/CommonDeviceCodeRequest.d.ts +1 -1
  82. package/dist/request/CommonDeviceCodeRequest.d.ts.map +1 -1
  83. package/dist/request/CommonRefreshTokenRequest.d.ts +0 -2
  84. package/dist/request/CommonRefreshTokenRequest.d.ts.map +1 -1
  85. package/dist/request/CommonSilentFlowRequest.d.ts +0 -3
  86. package/dist/request/CommonSilentFlowRequest.d.ts.map +1 -1
  87. package/dist/request/RequestParameterBuilder.d.ts +206 -218
  88. package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
  89. package/dist/request/RequestParameterBuilder.mjs +356 -369
  90. package/dist/request/RequestParameterBuilder.mjs.map +1 -1
  91. package/dist/request/RequestValidator.mjs +1 -1
  92. package/dist/request/ScopeSet.mjs +1 -1
  93. package/dist/response/AuthorizeResponse.d.ts +72 -0
  94. package/dist/response/AuthorizeResponse.d.ts.map +1 -0
  95. package/dist/response/ResponseHandler.d.ts +0 -8
  96. package/dist/response/ResponseHandler.d.ts.map +1 -1
  97. package/dist/response/ResponseHandler.mjs +7 -52
  98. package/dist/response/ResponseHandler.mjs.map +1 -1
  99. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  100. package/dist/telemetry/performance/PerformanceEvent.d.ts +1 -2
  101. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  102. package/dist/telemetry/performance/PerformanceEvent.mjs +2 -11
  103. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  104. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  105. package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
  106. package/dist/url/UrlString.mjs +1 -1
  107. package/dist/utils/ClientAssertionUtils.mjs +1 -1
  108. package/dist/utils/Constants.mjs +1 -1
  109. package/dist/utils/FunctionWrappers.mjs +1 -1
  110. package/dist/utils/ProtocolUtils.mjs +1 -1
  111. package/dist/utils/StringUtils.mjs +1 -1
  112. package/dist/utils/TimeUtils.d.ts +10 -0
  113. package/dist/utils/TimeUtils.d.ts.map +1 -1
  114. package/dist/utils/TimeUtils.mjs +20 -2
  115. package/dist/utils/TimeUtils.mjs.map +1 -1
  116. package/dist/utils/UrlUtils.d.ts +6 -2
  117. package/dist/utils/UrlUtils.d.ts.map +1 -1
  118. package/dist/utils/UrlUtils.mjs +12 -2
  119. package/dist/utils/UrlUtils.mjs.map +1 -1
  120. package/lib/index-browser.cjs +4 -2
  121. package/lib/index-browser.cjs.map +1 -1
  122. package/lib/{index-node-0IMDqzO0.js → index-node-BjtDFnOl.js} +828 -805
  123. package/lib/index-node-BjtDFnOl.js.map +1 -0
  124. package/lib/index-node.cjs +4 -2
  125. package/lib/index-node.cjs.map +1 -1
  126. package/lib/index.cjs +4 -2
  127. package/lib/index.cjs.map +1 -1
  128. package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
  129. package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
  130. package/lib/types/client/BaseClient.d.ts.map +1 -1
  131. package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
  132. package/lib/types/constants/AADServerParamKeys.d.ts +1 -0
  133. package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
  134. package/lib/types/exports-common.d.ts +4 -3
  135. package/lib/types/exports-common.d.ts.map +1 -1
  136. package/lib/types/network/RequestThumbprint.d.ts +3 -0
  137. package/lib/types/network/RequestThumbprint.d.ts.map +1 -1
  138. package/lib/types/network/ThrottlingUtils.d.ts.map +1 -1
  139. package/lib/types/packageMetadata.d.ts +1 -1
  140. package/lib/types/protocol/Authorize.d.ts +37 -0
  141. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  142. package/lib/types/request/BaseAuthRequest.d.ts +2 -0
  143. package/lib/types/request/BaseAuthRequest.d.ts.map +1 -1
  144. package/lib/types/request/CommonAuthorizationCodeRequest.d.ts +0 -2
  145. package/lib/types/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
  146. package/lib/types/request/CommonDeviceCodeRequest.d.ts +1 -1
  147. package/lib/types/request/CommonDeviceCodeRequest.d.ts.map +1 -1
  148. package/lib/types/request/CommonRefreshTokenRequest.d.ts +0 -2
  149. package/lib/types/request/CommonRefreshTokenRequest.d.ts.map +1 -1
  150. package/lib/types/request/CommonSilentFlowRequest.d.ts +0 -3
  151. package/lib/types/request/CommonSilentFlowRequest.d.ts.map +1 -1
  152. package/lib/types/request/RequestParameterBuilder.d.ts +206 -218
  153. package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
  154. package/lib/types/response/AuthorizeResponse.d.ts +72 -0
  155. package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
  156. package/lib/types/response/ResponseHandler.d.ts +0 -8
  157. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  158. package/lib/types/telemetry/performance/PerformanceEvent.d.ts +1 -2
  159. package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  160. package/lib/types/utils/TimeUtils.d.ts +10 -0
  161. package/lib/types/utils/TimeUtils.d.ts.map +1 -1
  162. package/lib/types/utils/UrlUtils.d.ts +6 -2
  163. package/lib/types/utils/UrlUtils.d.ts.map +1 -1
  164. package/package.json +1 -1
  165. package/src/client/AuthorizationCodeClient.ts +89 -409
  166. package/src/client/BaseClient.ts +20 -12
  167. package/src/client/RefreshTokenClient.ts +66 -44
  168. package/src/constants/AADServerParamKeys.ts +1 -0
  169. package/src/exports-common.ts +8 -3
  170. package/src/network/RequestThumbprint.ts +23 -0
  171. package/src/network/ThrottlingUtils.ts +9 -14
  172. package/src/packageMetadata.ts +1 -1
  173. package/src/protocol/Authorize.ts +409 -0
  174. package/src/request/BaseAuthRequest.ts +2 -0
  175. package/src/request/CommonAuthorizationCodeRequest.ts +0 -2
  176. package/src/request/CommonDeviceCodeRequest.ts +1 -1
  177. package/src/request/CommonRefreshTokenRequest.ts +0 -2
  178. package/src/request/CommonSilentFlowRequest.ts +0 -3
  179. package/src/request/RequestParameterBuilder.ts +508 -543
  180. package/src/response/AuthorizeResponse.ts +76 -0
  181. package/src/response/ResponseHandler.ts +8 -104
  182. package/src/telemetry/performance/PerformanceEvent.ts +1 -11
  183. package/src/utils/TimeUtils.ts +20 -0
  184. package/src/utils/UrlUtils.ts +18 -4
  185. package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  186. package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  187. package/lib/index-node-0IMDqzO0.js.map +0 -1
  188. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  189. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  190. package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
@@ -0,0 +1,409 @@
1
+ /*
2
+ * Copyright (c) Microsoft Corporation. All rights reserved.
3
+ * Licensed under the MIT License.
4
+ */
5
+
6
+ import { CommonAuthorizationUrlRequest } from "../request/CommonAuthorizationUrlRequest.js";
7
+ import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
8
+ import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
9
+ import * as AADServerParamKeys from "../constants/AADServerParamKeys.js";
10
+ import { AuthOptions } from "../config/ClientConfiguration.js";
11
+ import { PromptValue } from "../utils/Constants.js";
12
+ import { AccountInfo } from "../account/AccountInfo.js";
13
+ import { Logger } from "../logger/Logger.js";
14
+ import { buildClientInfoFromHomeAccountId } from "../account/ClientInfo.js";
15
+ import { Authority } from "../authority/Authority.js";
16
+ import { mapToQueryString } from "../utils/UrlUtils.js";
17
+ import { UrlString } from "../url/UrlString.js";
18
+ import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
19
+ import { AuthorizeResponse } from "../response/AuthorizeResponse.js";
20
+ import {
21
+ ClientAuthErrorCodes,
22
+ createClientAuthError,
23
+ } from "../error/ClientAuthError.js";
24
+ import {
25
+ InteractionRequiredAuthError,
26
+ isInteractionRequiredError,
27
+ } from "../error/InteractionRequiredAuthError.js";
28
+ import { ServerError } from "../error/ServerError.js";
29
+
30
+ /**
31
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
32
+ * @param config
33
+ * @param request
34
+ * @param logger
35
+ * @param performanceClient
36
+ * @returns
37
+ */
38
+ export function getStandardAuthorizeRequestParameters(
39
+ authOptions: AuthOptions,
40
+ request: CommonAuthorizationUrlRequest,
41
+ logger: Logger,
42
+ performanceClient?: IPerformanceClient
43
+ ): Map<string, string> {
44
+ // generate the correlationId if not set by the user and add
45
+ const correlationId = request.correlationId;
46
+
47
+ const parameters = new Map<string, string>();
48
+
49
+ RequestParameterBuilder.addClientId(
50
+ parameters,
51
+ request.embeddedClientId ||
52
+ request.extraQueryParameters?.[AADServerParamKeys.CLIENT_ID] ||
53
+ authOptions.clientId
54
+ );
55
+
56
+ const requestScopes = [
57
+ ...(request.scopes || []),
58
+ ...(request.extraScopesToConsent || []),
59
+ ];
60
+ RequestParameterBuilder.addScopes(
61
+ parameters,
62
+ requestScopes,
63
+ true,
64
+ authOptions.authority.options.OIDCOptions?.defaultScopes
65
+ );
66
+
67
+ RequestParameterBuilder.addRedirectUri(parameters, request.redirectUri);
68
+
69
+ RequestParameterBuilder.addCorrelationId(parameters, correlationId);
70
+
71
+ // add response_mode. If not passed in it defaults to query.
72
+ RequestParameterBuilder.addResponseMode(parameters, request.responseMode);
73
+
74
+ // add client_info=1
75
+ RequestParameterBuilder.addClientInfo(parameters);
76
+
77
+ if (request.prompt) {
78
+ RequestParameterBuilder.addPrompt(parameters, request.prompt);
79
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
80
+ }
81
+
82
+ if (request.domainHint) {
83
+ RequestParameterBuilder.addDomainHint(parameters, request.domainHint);
84
+ performanceClient?.addFields(
85
+ { domainHintFromRequest: true },
86
+ correlationId
87
+ );
88
+ }
89
+
90
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
91
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
92
+ // AAD will throw if prompt=select_account is passed with an account hint
93
+ if (request.sid && request.prompt === PromptValue.NONE) {
94
+ // SessionID is only used in silent calls
95
+ logger.verbose(
96
+ "createAuthCodeUrlQueryString: Prompt is none, adding sid from request"
97
+ );
98
+ RequestParameterBuilder.addSid(parameters, request.sid);
99
+ performanceClient?.addFields(
100
+ { sidFromRequest: true },
101
+ correlationId
102
+ );
103
+ } else if (request.account) {
104
+ const accountSid = extractAccountSid(request.account);
105
+ let accountLoginHintClaim = extractLoginHint(request.account);
106
+
107
+ if (accountLoginHintClaim && request.domainHint) {
108
+ logger.warning(
109
+ `AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`
110
+ );
111
+ accountLoginHintClaim = null;
112
+ }
113
+
114
+ // If login_hint claim is present, use it over sid/username
115
+ if (accountLoginHintClaim) {
116
+ logger.verbose(
117
+ "createAuthCodeUrlQueryString: login_hint claim present on account"
118
+ );
119
+ RequestParameterBuilder.addLoginHint(
120
+ parameters,
121
+ accountLoginHintClaim
122
+ );
123
+ performanceClient?.addFields(
124
+ { loginHintFromClaim: true },
125
+ correlationId
126
+ );
127
+ try {
128
+ const clientInfo = buildClientInfoFromHomeAccountId(
129
+ request.account.homeAccountId
130
+ );
131
+ RequestParameterBuilder.addCcsOid(parameters, clientInfo);
132
+ } catch (e) {
133
+ logger.verbose(
134
+ "createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
135
+ );
136
+ }
137
+ } else if (accountSid && request.prompt === PromptValue.NONE) {
138
+ /*
139
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
140
+ * SessionId is only used in silent calls
141
+ */
142
+ logger.verbose(
143
+ "createAuthCodeUrlQueryString: Prompt is none, adding sid from account"
144
+ );
145
+ RequestParameterBuilder.addSid(parameters, accountSid);
146
+ performanceClient?.addFields(
147
+ { sidFromClaim: true },
148
+ correlationId
149
+ );
150
+ try {
151
+ const clientInfo = buildClientInfoFromHomeAccountId(
152
+ request.account.homeAccountId
153
+ );
154
+ RequestParameterBuilder.addCcsOid(parameters, clientInfo);
155
+ } catch (e) {
156
+ logger.verbose(
157
+ "createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
158
+ );
159
+ }
160
+ } else if (request.loginHint) {
161
+ logger.verbose(
162
+ "createAuthCodeUrlQueryString: Adding login_hint from request"
163
+ );
164
+ RequestParameterBuilder.addLoginHint(
165
+ parameters,
166
+ request.loginHint
167
+ );
168
+ RequestParameterBuilder.addCcsUpn(
169
+ parameters,
170
+ request.loginHint
171
+ );
172
+ performanceClient?.addFields(
173
+ { loginHintFromRequest: true },
174
+ correlationId
175
+ );
176
+ } else if (request.account.username) {
177
+ // Fallback to account username if provided
178
+ logger.verbose(
179
+ "createAuthCodeUrlQueryString: Adding login_hint from account"
180
+ );
181
+ RequestParameterBuilder.addLoginHint(
182
+ parameters,
183
+ request.account.username
184
+ );
185
+ performanceClient?.addFields(
186
+ { loginHintFromUpn: true },
187
+ correlationId
188
+ );
189
+ try {
190
+ const clientInfo = buildClientInfoFromHomeAccountId(
191
+ request.account.homeAccountId
192
+ );
193
+ RequestParameterBuilder.addCcsOid(parameters, clientInfo);
194
+ } catch (e) {
195
+ logger.verbose(
196
+ "createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
197
+ );
198
+ }
199
+ }
200
+ } else if (request.loginHint) {
201
+ logger.verbose(
202
+ "createAuthCodeUrlQueryString: No account, adding login_hint from request"
203
+ );
204
+ RequestParameterBuilder.addLoginHint(parameters, request.loginHint);
205
+ RequestParameterBuilder.addCcsUpn(parameters, request.loginHint);
206
+ performanceClient?.addFields(
207
+ { loginHintFromRequest: true },
208
+ correlationId
209
+ );
210
+ }
211
+ } else {
212
+ logger.verbose(
213
+ "createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints"
214
+ );
215
+ }
216
+
217
+ if (request.nonce) {
218
+ RequestParameterBuilder.addNonce(parameters, request.nonce);
219
+ }
220
+
221
+ if (request.state) {
222
+ RequestParameterBuilder.addState(parameters, request.state);
223
+ }
224
+
225
+ if (
226
+ request.claims ||
227
+ (authOptions.clientCapabilities &&
228
+ authOptions.clientCapabilities.length > 0)
229
+ ) {
230
+ RequestParameterBuilder.addClaims(
231
+ parameters,
232
+ request.claims,
233
+ authOptions.clientCapabilities
234
+ );
235
+ }
236
+
237
+ if (request.embeddedClientId) {
238
+ RequestParameterBuilder.addBrokerParameters(
239
+ parameters,
240
+ authOptions.clientId,
241
+ authOptions.redirectUri
242
+ );
243
+ }
244
+
245
+ if (request.extraQueryParameters) {
246
+ RequestParameterBuilder.addExtraQueryParameters(
247
+ parameters,
248
+ request.extraQueryParameters
249
+ );
250
+ }
251
+
252
+ if (authOptions.instanceAware) {
253
+ RequestParameterBuilder.addInstanceAware(parameters);
254
+ }
255
+
256
+ return parameters;
257
+ }
258
+
259
+ /**
260
+ * Returns authorize endpoint with given request parameters in the query string
261
+ * @param authority
262
+ * @param requestParameters
263
+ * @returns
264
+ */
265
+ export function getAuthorizeUrl(
266
+ authority: Authority,
267
+ requestParameters: Map<string, string>
268
+ ): string {
269
+ const queryString = mapToQueryString(requestParameters);
270
+
271
+ return UrlString.appendQueryString(
272
+ authority.authorizationEndpoint,
273
+ queryString
274
+ );
275
+ }
276
+
277
+ /**
278
+ * Handles the hash fragment response from public client code request. Returns a code response used by
279
+ * the client to exchange for a token in acquireToken.
280
+ * @param serverParams
281
+ * @param cachedState
282
+ */
283
+ export function getAuthorizationCodePayload(
284
+ serverParams: AuthorizeResponse,
285
+ cachedState: string
286
+ ): AuthorizationCodePayload {
287
+ // Get code response
288
+ validateAuthorizationResponse(serverParams, cachedState);
289
+
290
+ // throw when there is no auth code in the response
291
+ if (!serverParams.code) {
292
+ throw createClientAuthError(
293
+ ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse
294
+ );
295
+ }
296
+
297
+ return serverParams as AuthorizationCodePayload;
298
+ }
299
+
300
+ /**
301
+ * Function which validates server authorization code response.
302
+ * @param serverResponseHash
303
+ * @param requestState
304
+ */
305
+ export function validateAuthorizationResponse(
306
+ serverResponse: AuthorizeResponse,
307
+ requestState: string
308
+ ): void {
309
+ if (!serverResponse.state || !requestState) {
310
+ throw serverResponse.state
311
+ ? createClientAuthError(
312
+ ClientAuthErrorCodes.stateNotFound,
313
+ "Cached State"
314
+ )
315
+ : createClientAuthError(
316
+ ClientAuthErrorCodes.stateNotFound,
317
+ "Server State"
318
+ );
319
+ }
320
+
321
+ let decodedServerResponseState: string;
322
+ let decodedRequestState: string;
323
+
324
+ try {
325
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
326
+ } catch (e) {
327
+ throw createClientAuthError(
328
+ ClientAuthErrorCodes.invalidState,
329
+ serverResponse.state
330
+ );
331
+ }
332
+
333
+ try {
334
+ decodedRequestState = decodeURIComponent(requestState);
335
+ } catch (e) {
336
+ throw createClientAuthError(
337
+ ClientAuthErrorCodes.invalidState,
338
+ serverResponse.state
339
+ );
340
+ }
341
+
342
+ if (decodedServerResponseState !== decodedRequestState) {
343
+ throw createClientAuthError(ClientAuthErrorCodes.stateMismatch);
344
+ }
345
+
346
+ // Check for error
347
+ if (
348
+ serverResponse.error ||
349
+ serverResponse.error_description ||
350
+ serverResponse.suberror
351
+ ) {
352
+ const serverErrorNo = parseServerErrorNo(serverResponse);
353
+ if (
354
+ isInteractionRequiredError(
355
+ serverResponse.error,
356
+ serverResponse.error_description,
357
+ serverResponse.suberror
358
+ )
359
+ ) {
360
+ throw new InteractionRequiredAuthError(
361
+ serverResponse.error || "",
362
+ serverResponse.error_description,
363
+ serverResponse.suberror,
364
+ serverResponse.timestamp || "",
365
+ serverResponse.trace_id || "",
366
+ serverResponse.correlation_id || "",
367
+ serverResponse.claims || "",
368
+ serverErrorNo
369
+ );
370
+ }
371
+
372
+ throw new ServerError(
373
+ serverResponse.error || "",
374
+ serverResponse.error_description,
375
+ serverResponse.suberror,
376
+ serverErrorNo
377
+ );
378
+ }
379
+ }
380
+
381
+ /**
382
+ * Get server error No from the error_uri
383
+ * @param serverResponse
384
+ * @returns
385
+ */
386
+ function parseServerErrorNo(
387
+ serverResponse: AuthorizeResponse
388
+ ): string | undefined {
389
+ const errorCodePrefix = "code=";
390
+ const errorCodePrefixIndex =
391
+ serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
392
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
393
+ ? serverResponse.error_uri?.substring(
394
+ errorCodePrefixIndex + errorCodePrefix.length
395
+ )
396
+ : undefined;
397
+ }
398
+
399
+ /**
400
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
401
+ * @param account
402
+ */
403
+ function extractAccountSid(account: AccountInfo): string | null {
404
+ return account.idTokenClaims?.sid || null;
405
+ }
406
+
407
+ function extractLoginHint(account: AccountInfo): string | null {
408
+ return account.idTokenClaims?.login_hint || null;
409
+ }
@@ -26,6 +26,7 @@ import { ShrOptions } from "../crypto/SignedHttpRequest.js";
26
26
  * - azureCloudOptions - Convenience string enums for users to provide public/sovereign cloud ids
27
27
  * - requestedClaimsHash - SHA 256 hash string of the requested claims string, used as part of an access token cache key so tokens can be filtered by requested claims
28
28
  * - tokenQueryParameters - String to string map of custom query parameters added to the /token call
29
+ * - tokenBodyParameters - String to string map of custom parameters added to the body of the /token call
29
30
  * - storeInCache - Object containing boolean values indicating whether to store tokens in the cache or not (default is true)
30
31
  * - scenarioId - Scenario id to track custom user prompts
31
32
  * - popKid - Key ID to identify the public key for PoP token request
@@ -47,6 +48,7 @@ export type BaseAuthRequest = {
47
48
  azureCloudOptions?: AzureCloudOptions;
48
49
  requestedClaimsHash?: string;
49
50
  maxAge?: number;
51
+ tokenBodyParameters?: StringDict;
50
52
  tokenQueryParameters?: StringDict;
51
53
  storeInCache?: StoreInCache;
52
54
  scenarioId?: string;
@@ -4,7 +4,6 @@
4
4
  */
5
5
 
6
6
  import { BaseAuthRequest } from "./BaseAuthRequest.js";
7
- import { StringDict } from "../utils/MsalTypes.js";
8
7
  import { CcsCredential } from "../account/CcsCredential.js";
9
8
 
10
9
  /**
@@ -26,7 +25,6 @@ export type CommonAuthorizationCodeRequest = BaseAuthRequest & {
26
25
  code: string;
27
26
  redirectUri: string;
28
27
  codeVerifier?: string;
29
- tokenBodyParameters?: StringDict;
30
28
  enableSpaAuthorizationCode?: boolean;
31
29
  clientInfo?: string;
32
30
  ccsCredential?: CcsCredential;
@@ -22,7 +22,7 @@ import { BaseAuthRequest } from "./BaseAuthRequest.js";
22
22
  // export type CommonDeviceCodeRequest = BaseAuthRequest & {
23
23
  export type CommonDeviceCodeRequest = Omit<
24
24
  BaseAuthRequest,
25
- "tokenQueryParameters"
25
+ "tokenQueryParameters" | "tokenBodyParameters"
26
26
  > & {
27
27
  deviceCodeCallback: (response: DeviceCodeResponse) => void;
28
28
  cancel?: boolean;
@@ -5,7 +5,6 @@
5
5
 
6
6
  import { BaseAuthRequest } from "./BaseAuthRequest.js";
7
7
  import { CcsCredential } from "../account/CcsCredential.js";
8
- import { StringDict } from "../utils/MsalTypes.js";
9
8
 
10
9
  /**
11
10
  * CommonRefreshTokenRequest
@@ -23,6 +22,5 @@ export type CommonRefreshTokenRequest = BaseAuthRequest & {
23
22
  refreshToken: string;
24
23
  ccsCredential?: CcsCredential;
25
24
  forceCache?: boolean;
26
- tokenBodyParameters?: StringDict;
27
25
  redirectUri?: string;
28
26
  };
@@ -4,7 +4,6 @@
4
4
  */
5
5
 
6
6
  import { AccountInfo } from "../account/AccountInfo.js";
7
- import { StringDict } from "../utils/MsalTypes.js";
8
7
  import { BaseAuthRequest } from "./BaseAuthRequest.js";
9
8
 
10
9
  /**
@@ -26,8 +25,6 @@ export type CommonSilentFlowRequest = BaseAuthRequest & {
26
25
  forceRefresh: boolean;
27
26
  /** RedirectUri registered on the app registration - only required in brokering scenarios */
28
27
  redirectUri?: string;
29
- /** Key value pairs to include on the POST body to the /token endpoint */
30
- tokenBodyParameters?: StringDict;
31
28
  /** If refresh token will expire within the configured value, consider it already expired. Used to pre-emptively invoke interaction when cached refresh token is close to expiry. */
32
29
  refreshTokenExpirationOffsetSeconds?: number;
33
30
  };