@azure/msal-common 15.2.0 → 15.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (190) hide show
  1. package/dist/account/AccountInfo.mjs +1 -1
  2. package/dist/account/AuthToken.mjs +1 -1
  3. package/dist/account/CcsCredential.mjs +1 -1
  4. package/dist/account/ClientInfo.mjs +1 -1
  5. package/dist/account/TokenClaims.mjs +1 -1
  6. package/dist/authority/Authority.mjs +1 -1
  7. package/dist/authority/AuthorityFactory.mjs +1 -1
  8. package/dist/authority/AuthorityMetadata.mjs +1 -1
  9. package/dist/authority/AuthorityOptions.mjs +1 -1
  10. package/dist/authority/AuthorityType.mjs +1 -1
  11. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  12. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  13. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  14. package/dist/authority/ProtocolMode.mjs +1 -1
  15. package/dist/authority/RegionDiscovery.mjs +1 -1
  16. package/dist/cache/CacheManager.mjs +1 -1
  17. package/dist/cache/entities/AccountEntity.mjs +1 -1
  18. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  19. package/dist/cache/utils/CacheHelpers.mjs +1 -1
  20. package/dist/client/AuthorizationCodeClient.d.ts +0 -31
  21. package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
  22. package/dist/client/AuthorizationCodeClient.mjs +43 -258
  23. package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
  24. package/dist/client/BaseClient.d.ts.map +1 -1
  25. package/dist/client/BaseClient.mjs +9 -10
  26. package/dist/client/BaseClient.mjs.map +1 -1
  27. package/dist/client/RefreshTokenClient.d.ts.map +1 -1
  28. package/dist/client/RefreshTokenClient.mjs +29 -41
  29. package/dist/client/RefreshTokenClient.mjs.map +1 -1
  30. package/dist/client/SilentFlowClient.mjs +1 -1
  31. package/dist/config/ClientConfiguration.mjs +1 -1
  32. package/dist/constants/AADServerParamKeys.d.ts +1 -0
  33. package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
  34. package/dist/constants/AADServerParamKeys.mjs +4 -3
  35. package/dist/constants/AADServerParamKeys.mjs.map +1 -1
  36. package/dist/crypto/ICrypto.mjs +1 -1
  37. package/dist/crypto/JoseHeader.mjs +1 -1
  38. package/dist/crypto/PopTokenGenerator.mjs +1 -1
  39. package/dist/error/AuthError.mjs +1 -1
  40. package/dist/error/AuthErrorCodes.mjs +1 -1
  41. package/dist/error/CacheError.mjs +1 -1
  42. package/dist/error/CacheErrorCodes.mjs +1 -1
  43. package/dist/error/ClientAuthError.mjs +1 -1
  44. package/dist/error/ClientAuthErrorCodes.mjs +1 -1
  45. package/dist/error/ClientConfigurationError.mjs +1 -1
  46. package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
  47. package/dist/error/InteractionRequiredAuthError.mjs +1 -1
  48. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  49. package/dist/error/JoseHeaderError.mjs +1 -1
  50. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  51. package/dist/error/NetworkError.mjs +1 -1
  52. package/dist/error/ServerError.mjs +1 -1
  53. package/dist/exports-common.d.ts +4 -3
  54. package/dist/exports-common.d.ts.map +1 -1
  55. package/dist/index-browser.mjs +6 -2
  56. package/dist/index-browser.mjs.map +1 -1
  57. package/dist/index-node.mjs +6 -2
  58. package/dist/index-node.mjs.map +1 -1
  59. package/dist/index.mjs +6 -2
  60. package/dist/index.mjs.map +1 -1
  61. package/dist/logger/Logger.mjs +1 -1
  62. package/dist/network/INetworkModule.mjs +1 -1
  63. package/dist/network/RequestThumbprint.d.ts +3 -0
  64. package/dist/network/RequestThumbprint.d.ts.map +1 -1
  65. package/dist/network/RequestThumbprint.mjs +24 -0
  66. package/dist/network/RequestThumbprint.mjs.map +1 -0
  67. package/dist/network/ThrottlingUtils.d.ts.map +1 -1
  68. package/dist/network/ThrottlingUtils.mjs +3 -13
  69. package/dist/network/ThrottlingUtils.mjs.map +1 -1
  70. package/dist/packageMetadata.d.ts +1 -1
  71. package/dist/packageMetadata.mjs +2 -2
  72. package/dist/protocol/Authorize.d.ts +37 -0
  73. package/dist/protocol/Authorize.d.ts.map +1 -0
  74. package/dist/protocol/Authorize.mjs +237 -0
  75. package/dist/protocol/Authorize.mjs.map +1 -0
  76. package/dist/request/AuthenticationHeaderParser.mjs +1 -1
  77. package/dist/request/BaseAuthRequest.d.ts +2 -0
  78. package/dist/request/BaseAuthRequest.d.ts.map +1 -1
  79. package/dist/request/CommonAuthorizationCodeRequest.d.ts +0 -2
  80. package/dist/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
  81. package/dist/request/CommonDeviceCodeRequest.d.ts +1 -1
  82. package/dist/request/CommonDeviceCodeRequest.d.ts.map +1 -1
  83. package/dist/request/CommonRefreshTokenRequest.d.ts +0 -2
  84. package/dist/request/CommonRefreshTokenRequest.d.ts.map +1 -1
  85. package/dist/request/CommonSilentFlowRequest.d.ts +0 -3
  86. package/dist/request/CommonSilentFlowRequest.d.ts.map +1 -1
  87. package/dist/request/RequestParameterBuilder.d.ts +206 -218
  88. package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
  89. package/dist/request/RequestParameterBuilder.mjs +356 -369
  90. package/dist/request/RequestParameterBuilder.mjs.map +1 -1
  91. package/dist/request/RequestValidator.mjs +1 -1
  92. package/dist/request/ScopeSet.mjs +1 -1
  93. package/dist/response/AuthorizeResponse.d.ts +72 -0
  94. package/dist/response/AuthorizeResponse.d.ts.map +1 -0
  95. package/dist/response/ResponseHandler.d.ts +0 -8
  96. package/dist/response/ResponseHandler.d.ts.map +1 -1
  97. package/dist/response/ResponseHandler.mjs +7 -52
  98. package/dist/response/ResponseHandler.mjs.map +1 -1
  99. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  100. package/dist/telemetry/performance/PerformanceEvent.d.ts +1 -2
  101. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  102. package/dist/telemetry/performance/PerformanceEvent.mjs +2 -11
  103. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  104. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  105. package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
  106. package/dist/url/UrlString.mjs +1 -1
  107. package/dist/utils/ClientAssertionUtils.mjs +1 -1
  108. package/dist/utils/Constants.mjs +1 -1
  109. package/dist/utils/FunctionWrappers.mjs +1 -1
  110. package/dist/utils/ProtocolUtils.mjs +1 -1
  111. package/dist/utils/StringUtils.mjs +1 -1
  112. package/dist/utils/TimeUtils.d.ts +10 -0
  113. package/dist/utils/TimeUtils.d.ts.map +1 -1
  114. package/dist/utils/TimeUtils.mjs +20 -2
  115. package/dist/utils/TimeUtils.mjs.map +1 -1
  116. package/dist/utils/UrlUtils.d.ts +6 -2
  117. package/dist/utils/UrlUtils.d.ts.map +1 -1
  118. package/dist/utils/UrlUtils.mjs +12 -2
  119. package/dist/utils/UrlUtils.mjs.map +1 -1
  120. package/lib/index-browser.cjs +4 -2
  121. package/lib/index-browser.cjs.map +1 -1
  122. package/lib/{index-node-0IMDqzO0.js → index-node-BjtDFnOl.js} +828 -805
  123. package/lib/index-node-BjtDFnOl.js.map +1 -0
  124. package/lib/index-node.cjs +4 -2
  125. package/lib/index-node.cjs.map +1 -1
  126. package/lib/index.cjs +4 -2
  127. package/lib/index.cjs.map +1 -1
  128. package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
  129. package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
  130. package/lib/types/client/BaseClient.d.ts.map +1 -1
  131. package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
  132. package/lib/types/constants/AADServerParamKeys.d.ts +1 -0
  133. package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
  134. package/lib/types/exports-common.d.ts +4 -3
  135. package/lib/types/exports-common.d.ts.map +1 -1
  136. package/lib/types/network/RequestThumbprint.d.ts +3 -0
  137. package/lib/types/network/RequestThumbprint.d.ts.map +1 -1
  138. package/lib/types/network/ThrottlingUtils.d.ts.map +1 -1
  139. package/lib/types/packageMetadata.d.ts +1 -1
  140. package/lib/types/protocol/Authorize.d.ts +37 -0
  141. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  142. package/lib/types/request/BaseAuthRequest.d.ts +2 -0
  143. package/lib/types/request/BaseAuthRequest.d.ts.map +1 -1
  144. package/lib/types/request/CommonAuthorizationCodeRequest.d.ts +0 -2
  145. package/lib/types/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
  146. package/lib/types/request/CommonDeviceCodeRequest.d.ts +1 -1
  147. package/lib/types/request/CommonDeviceCodeRequest.d.ts.map +1 -1
  148. package/lib/types/request/CommonRefreshTokenRequest.d.ts +0 -2
  149. package/lib/types/request/CommonRefreshTokenRequest.d.ts.map +1 -1
  150. package/lib/types/request/CommonSilentFlowRequest.d.ts +0 -3
  151. package/lib/types/request/CommonSilentFlowRequest.d.ts.map +1 -1
  152. package/lib/types/request/RequestParameterBuilder.d.ts +206 -218
  153. package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
  154. package/lib/types/response/AuthorizeResponse.d.ts +72 -0
  155. package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
  156. package/lib/types/response/ResponseHandler.d.ts +0 -8
  157. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  158. package/lib/types/telemetry/performance/PerformanceEvent.d.ts +1 -2
  159. package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  160. package/lib/types/utils/TimeUtils.d.ts +10 -0
  161. package/lib/types/utils/TimeUtils.d.ts.map +1 -1
  162. package/lib/types/utils/UrlUtils.d.ts +6 -2
  163. package/lib/types/utils/UrlUtils.d.ts.map +1 -1
  164. package/package.json +1 -1
  165. package/src/client/AuthorizationCodeClient.ts +89 -409
  166. package/src/client/BaseClient.ts +20 -12
  167. package/src/client/RefreshTokenClient.ts +66 -44
  168. package/src/constants/AADServerParamKeys.ts +1 -0
  169. package/src/exports-common.ts +8 -3
  170. package/src/network/RequestThumbprint.ts +23 -0
  171. package/src/network/ThrottlingUtils.ts +9 -14
  172. package/src/packageMetadata.ts +1 -1
  173. package/src/protocol/Authorize.ts +409 -0
  174. package/src/request/BaseAuthRequest.ts +2 -0
  175. package/src/request/CommonAuthorizationCodeRequest.ts +0 -2
  176. package/src/request/CommonDeviceCodeRequest.ts +1 -1
  177. package/src/request/CommonRefreshTokenRequest.ts +0 -2
  178. package/src/request/CommonSilentFlowRequest.ts +0 -3
  179. package/src/request/RequestParameterBuilder.ts +508 -543
  180. package/src/response/AuthorizeResponse.ts +76 -0
  181. package/src/response/ResponseHandler.ts +8 -104
  182. package/src/telemetry/performance/PerformanceEvent.ts +1 -11
  183. package/src/utils/TimeUtils.ts +20 -0
  184. package/src/utils/UrlUtils.ts +18 -4
  185. package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  186. package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  187. package/lib/index-node-0IMDqzO0.js.map +0 -1
  188. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  189. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  190. package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v15.2.0 2025-02-18 */
1
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
@@ -1149,11 +1149,22 @@ function getDeserializedResponse(responseString) {
1149
1149
  throw createClientAuthError(hashNotDeserialized);
1150
1150
  }
1151
1151
  return null;
1152
+ }
1153
+ /**
1154
+ * Utility to create a URL from the params map
1155
+ */
1156
+ function mapToQueryString(parameters) {
1157
+ const queryParameterArray = new Array();
1158
+ parameters.forEach((value, key) => {
1159
+ queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
1160
+ });
1161
+ return queryParameterArray.join("&");
1152
1162
  }
1153
1163
 
1154
1164
  var UrlUtils = /*#__PURE__*/Object.freeze({
1155
1165
  __proto__: null,
1156
1166
  getDeserializedResponse: getDeserializedResponse,
1167
+ mapToQueryString: mapToQueryString,
1157
1168
  stripLeadingHashOrQuery: stripLeadingHashOrQuery
1158
1169
  });
1159
1170
 
@@ -1681,11 +1692,11 @@ const PerformanceEvents = {
1681
1692
  StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
1682
1693
  StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
1683
1694
  StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
1684
- StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
1685
1695
  /**
1686
1696
  * getAuthCodeUrl API (msal-browser and msal-node).
1687
1697
  */
1688
1698
  GetAuthCodeUrl: "getAuthCodeUrl",
1699
+ GetStandardParams: "getStandardParams",
1689
1700
  /**
1690
1701
  * Functions from InteractionHandler (msal-browser)
1691
1702
  */
@@ -1698,7 +1709,6 @@ const PerformanceEvents = {
1698
1709
  AuthClientAcquireToken: "authClientAcquireToken",
1699
1710
  AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
1700
1711
  AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
1701
- AuthClientCreateQueryString: "authClientCreateQueryString",
1702
1712
  /**
1703
1713
  * Generate functions in PopTokenGenerator (msal-common)
1704
1714
  */
@@ -1869,10 +1879,6 @@ const PerformanceEventAbbreviations = new Map([
1869
1879
  PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
1870
1880
  "StdIntClientInitAuthReq",
1871
1881
  ],
1872
- [
1873
- PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
1874
- "StdIntClientInitAuthCodeReq",
1875
- ],
1876
1882
  [PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
1877
1883
  [
1878
1884
  PerformanceEvents.HandleCodeResponseFromServer,
@@ -1886,10 +1892,6 @@ const PerformanceEventAbbreviations = new Map([
1886
1892
  PerformanceEvents.AuthClientCreateTokenRequestBody,
1887
1893
  "AuthClientCreateTReqBody",
1888
1894
  ],
1889
- [
1890
- PerformanceEvents.AuthClientCreateQueryString,
1891
- "AuthClientCreateQueryStr",
1892
- ],
1893
1895
  [PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
1894
1896
  [PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
1895
1897
  [PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
@@ -2230,6 +2232,24 @@ function nowSeconds() {
2230
2232
  // Date.getTime() returns in milliseconds.
2231
2233
  return Math.round(new Date().getTime() / 1000.0);
2232
2234
  }
2235
+ /**
2236
+ * Converts JS Date object to seconds
2237
+ * @param date Date
2238
+ */
2239
+ function toSecondsFromDate(date) {
2240
+ // Convert date to seconds
2241
+ return date.getTime() / 1000;
2242
+ }
2243
+ /**
2244
+ * Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).
2245
+ * @param seconds
2246
+ */
2247
+ function toDateFromSeconds(seconds) {
2248
+ if (seconds) {
2249
+ return new Date(Number(seconds) * 1000);
2250
+ }
2251
+ return new Date();
2252
+ }
2233
2253
  /**
2234
2254
  * check if a token is expired based on given UTC time in seconds.
2235
2255
  * @param expiresOn
@@ -2265,6 +2285,8 @@ var TimeUtils = /*#__PURE__*/Object.freeze({
2265
2285
  delay: delay,
2266
2286
  isTokenExpired: isTokenExpired,
2267
2287
  nowSeconds: nowSeconds,
2288
+ toDateFromSeconds: toDateFromSeconds,
2289
+ toSecondsFromDate: toSecondsFromDate,
2268
2290
  wasClockTurnedBack: wasClockTurnedBack
2269
2291
  });
2270
2292
 
@@ -3543,7 +3565,8 @@ const LOGIN_HINT = "login_hint";
3543
3565
  const DOMAIN_HINT = "domain_hint";
3544
3566
  const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
3545
3567
  const BROKER_CLIENT_ID = "brk_client_id";
3546
- const BROKER_REDIRECT_URI = "brk_redirect_uri";
3568
+ const BROKER_REDIRECT_URI = "brk_redirect_uri";
3569
+ const INSTANCE_AWARE = "instance_aware";
3547
3570
 
3548
3571
  var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3549
3572
  __proto__: null,
@@ -3571,6 +3594,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3571
3594
  GRANT_TYPE: GRANT_TYPE,
3572
3595
  ID_TOKEN: ID_TOKEN,
3573
3596
  ID_TOKEN_HINT: ID_TOKEN_HINT,
3597
+ INSTANCE_AWARE: INSTANCE_AWARE,
3574
3598
  LOGIN_HINT: LOGIN_HINT,
3575
3599
  LOGOUT_HINT: LOGOUT_HINT,
3576
3600
  NATIVE_BROKER: NATIVE_BROKER,
@@ -3832,7 +3856,7 @@ class Logger {
3832
3856
 
3833
3857
  /* eslint-disable header/header */
3834
3858
  const name = "@azure/msal-common";
3835
- const version = "15.2.0";
3859
+ const version = "15.3.0";
3836
3860
 
3837
3861
  /*
3838
3862
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5728,71 +5752,6 @@ const CcsCredentialType = {
5728
5752
  UPN: "UPN",
5729
5753
  };
5730
5754
 
5731
- /*
5732
- * Copyright (c) Microsoft Corporation. All rights reserved.
5733
- * Licensed under the MIT License.
5734
- */
5735
- /**
5736
- * Validates server consumable params from the "request" objects
5737
- */
5738
- class RequestValidator {
5739
- /**
5740
- * Utility to check if the `redirectUri` in the request is a non-null value
5741
- * @param redirectUri
5742
- */
5743
- static validateRedirectUri(redirectUri) {
5744
- if (!redirectUri) {
5745
- throw createClientConfigurationError(redirectUriEmpty);
5746
- }
5747
- }
5748
- /**
5749
- * Utility to validate prompt sent by the user in the request
5750
- * @param prompt
5751
- */
5752
- static validatePrompt(prompt) {
5753
- const promptValues = [];
5754
- for (const value in PromptValue) {
5755
- promptValues.push(PromptValue[value]);
5756
- }
5757
- if (promptValues.indexOf(prompt) < 0) {
5758
- throw createClientConfigurationError(invalidPromptValue);
5759
- }
5760
- }
5761
- static validateClaims(claims) {
5762
- try {
5763
- JSON.parse(claims);
5764
- }
5765
- catch (e) {
5766
- throw createClientConfigurationError(invalidClaims);
5767
- }
5768
- }
5769
- /**
5770
- * Utility to validate code_challenge and code_challenge_method
5771
- * @param codeChallenge
5772
- * @param codeChallengeMethod
5773
- */
5774
- static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
5775
- if (!codeChallenge || !codeChallengeMethod) {
5776
- throw createClientConfigurationError(pkceParamsMissing);
5777
- }
5778
- else {
5779
- this.validateCodeChallengeMethod(codeChallengeMethod);
5780
- }
5781
- }
5782
- /**
5783
- * Utility to validate code_challenge_method
5784
- * @param codeChallengeMethod
5785
- */
5786
- static validateCodeChallengeMethod(codeChallengeMethod) {
5787
- if ([
5788
- CodeChallengeMethodValues.PLAIN,
5789
- CodeChallengeMethodValues.S256,
5790
- ].indexOf(codeChallengeMethod) < 0) {
5791
- throw createClientConfigurationError(invalidCodeChallengeMethod);
5792
- }
5793
- }
5794
- }
5795
-
5796
5755
  /*
5797
5756
  * Copyright (c) Microsoft Corporation. All rights reserved.
5798
5757
  * Licensed under the MIT License.
@@ -5809,396 +5768,433 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
5809
5768
  }, correlationId);
5810
5769
  }
5811
5770
  }
5812
- /** @internal */
5813
- class RequestParameterBuilder {
5814
- constructor(correlationId, performanceClient) {
5815
- this.parameters = new Map();
5816
- this.performanceClient = performanceClient;
5817
- this.correlationId = correlationId;
5818
- }
5819
- /**
5820
- * add response_type = code
5821
- */
5822
- addResponseTypeCode() {
5823
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(Constants.CODE_RESPONSE_TYPE));
5824
- }
5825
- /**
5826
- * add response_type = token id_token
5827
- */
5828
- addResponseTypeForTokenAndIdToken() {
5829
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(`${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`));
5830
- }
5831
- /**
5832
- * add response_mode. defaults to query.
5833
- * @param responseMode
5834
- */
5835
- addResponseMode(responseMode) {
5836
- this.parameters.set(RESPONSE_MODE, encodeURIComponent(responseMode ? responseMode : ResponseMode.QUERY));
5837
- }
5838
- /**
5839
- * Add flag to indicate STS should attempt to use WAM if available
5840
- */
5841
- addNativeBroker() {
5842
- this.parameters.set(NATIVE_BROKER, encodeURIComponent("1"));
5843
- }
5844
- /**
5845
- * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
5846
- * @param scopeSet
5847
- * @param addOidcScopes
5848
- */
5849
- addScopes(scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
5850
- // Always add openid to the scopes when adding OIDC scopes
5851
- if (addOidcScopes &&
5852
- !defaultScopes.includes("openid") &&
5853
- !scopes.includes("openid")) {
5854
- defaultScopes.push("openid");
5855
- }
5856
- const requestScopes = addOidcScopes
5857
- ? [...(scopes || []), ...defaultScopes]
5858
- : scopes || [];
5859
- const scopeSet = new ScopeSet(requestScopes);
5860
- this.parameters.set(SCOPE, encodeURIComponent(scopeSet.printScopes()));
5771
+ /**
5772
+ * add response_type = code
5773
+ */
5774
+ function addResponseTypeCode(parameters) {
5775
+ parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
5776
+ }
5777
+ /**
5778
+ * add response_type = token id_token
5779
+ */
5780
+ function addResponseTypeForTokenAndIdToken(parameters) {
5781
+ parameters.set(RESPONSE_TYPE, `${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`);
5782
+ }
5783
+ /**
5784
+ * add response_mode. defaults to query.
5785
+ * @param responseMode
5786
+ */
5787
+ function addResponseMode(parameters, responseMode) {
5788
+ parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
5789
+ }
5790
+ /**
5791
+ * Add flag to indicate STS should attempt to use WAM if available
5792
+ */
5793
+ function addNativeBroker(parameters) {
5794
+ parameters.set(NATIVE_BROKER, "1");
5795
+ }
5796
+ /**
5797
+ * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
5798
+ * @param scopeSet
5799
+ * @param addOidcScopes
5800
+ */
5801
+ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
5802
+ // Always add openid to the scopes when adding OIDC scopes
5803
+ if (addOidcScopes &&
5804
+ !defaultScopes.includes("openid") &&
5805
+ !scopes.includes("openid")) {
5806
+ defaultScopes.push("openid");
5807
+ }
5808
+ const requestScopes = addOidcScopes
5809
+ ? [...(scopes || []), ...defaultScopes]
5810
+ : scopes || [];
5811
+ const scopeSet = new ScopeSet(requestScopes);
5812
+ parameters.set(SCOPE, scopeSet.printScopes());
5813
+ }
5814
+ /**
5815
+ * add clientId
5816
+ * @param clientId
5817
+ */
5818
+ function addClientId(parameters, clientId) {
5819
+ parameters.set(CLIENT_ID, clientId);
5820
+ }
5821
+ /**
5822
+ * add redirect_uri
5823
+ * @param redirectUri
5824
+ */
5825
+ function addRedirectUri(parameters, redirectUri) {
5826
+ parameters.set(REDIRECT_URI, redirectUri);
5827
+ }
5828
+ /**
5829
+ * add post logout redirectUri
5830
+ * @param redirectUri
5831
+ */
5832
+ function addPostLogoutRedirectUri(parameters, redirectUri) {
5833
+ parameters.set(POST_LOGOUT_URI, redirectUri);
5834
+ }
5835
+ /**
5836
+ * add id_token_hint to logout request
5837
+ * @param idTokenHint
5838
+ */
5839
+ function addIdTokenHint(parameters, idTokenHint) {
5840
+ parameters.set(ID_TOKEN_HINT, idTokenHint);
5841
+ }
5842
+ /**
5843
+ * add domain_hint
5844
+ * @param domainHint
5845
+ */
5846
+ function addDomainHint(parameters, domainHint) {
5847
+ parameters.set(DOMAIN_HINT, domainHint);
5848
+ }
5849
+ /**
5850
+ * add login_hint
5851
+ * @param loginHint
5852
+ */
5853
+ function addLoginHint(parameters, loginHint) {
5854
+ parameters.set(LOGIN_HINT, loginHint);
5855
+ }
5856
+ /**
5857
+ * Adds the CCS (Cache Credential Service) query parameter for login_hint
5858
+ * @param loginHint
5859
+ */
5860
+ function addCcsUpn(parameters, loginHint) {
5861
+ parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
5862
+ }
5863
+ /**
5864
+ * Adds the CCS (Cache Credential Service) query parameter for account object
5865
+ * @param loginHint
5866
+ */
5867
+ function addCcsOid(parameters, clientInfo) {
5868
+ parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
5869
+ }
5870
+ /**
5871
+ * add sid
5872
+ * @param sid
5873
+ */
5874
+ function addSid(parameters, sid) {
5875
+ parameters.set(SID, sid);
5876
+ }
5877
+ /**
5878
+ * add claims
5879
+ * @param claims
5880
+ */
5881
+ function addClaims(parameters, claims, clientCapabilities) {
5882
+ const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
5883
+ try {
5884
+ JSON.parse(mergedClaims);
5861
5885
  }
5862
- /**
5863
- * add clientId
5864
- * @param clientId
5865
- */
5866
- addClientId(clientId) {
5867
- this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
5886
+ catch (e) {
5887
+ throw createClientConfigurationError(invalidClaims);
5868
5888
  }
5869
- /**
5870
- * add redirect_uri
5871
- * @param redirectUri
5872
- */
5873
- addRedirectUri(redirectUri) {
5874
- RequestValidator.validateRedirectUri(redirectUri);
5875
- this.parameters.set(REDIRECT_URI, encodeURIComponent(redirectUri));
5889
+ parameters.set(CLAIMS, mergedClaims);
5890
+ }
5891
+ /**
5892
+ * add correlationId
5893
+ * @param correlationId
5894
+ */
5895
+ function addCorrelationId(parameters, correlationId) {
5896
+ parameters.set(CLIENT_REQUEST_ID, correlationId);
5897
+ }
5898
+ /**
5899
+ * add library info query params
5900
+ * @param libraryInfo
5901
+ */
5902
+ function addLibraryInfo(parameters, libraryInfo) {
5903
+ // Telemetry Info
5904
+ parameters.set(X_CLIENT_SKU, libraryInfo.sku);
5905
+ parameters.set(X_CLIENT_VER, libraryInfo.version);
5906
+ if (libraryInfo.os) {
5907
+ parameters.set(X_CLIENT_OS, libraryInfo.os);
5876
5908
  }
5877
- /**
5878
- * add post logout redirectUri
5879
- * @param redirectUri
5880
- */
5881
- addPostLogoutRedirectUri(redirectUri) {
5882
- RequestValidator.validateRedirectUri(redirectUri);
5883
- this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
5909
+ if (libraryInfo.cpu) {
5910
+ parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
5884
5911
  }
5885
- /**
5886
- * add id_token_hint to logout request
5887
- * @param idTokenHint
5888
- */
5889
- addIdTokenHint(idTokenHint) {
5890
- this.parameters.set(ID_TOKEN_HINT, encodeURIComponent(idTokenHint));
5912
+ }
5913
+ /**
5914
+ * Add client telemetry parameters
5915
+ * @param appTelemetry
5916
+ */
5917
+ function addApplicationTelemetry(parameters, appTelemetry) {
5918
+ if (appTelemetry?.appName) {
5919
+ parameters.set(X_APP_NAME, appTelemetry.appName);
5891
5920
  }
5892
- /**
5893
- * add domain_hint
5894
- * @param domainHint
5895
- */
5896
- addDomainHint(domainHint) {
5897
- this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
5921
+ if (appTelemetry?.appVersion) {
5922
+ parameters.set(X_APP_VER, appTelemetry.appVersion);
5898
5923
  }
5899
- /**
5900
- * add login_hint
5901
- * @param loginHint
5902
- */
5903
- addLoginHint(loginHint) {
5904
- this.parameters.set(LOGIN_HINT, encodeURIComponent(loginHint));
5924
+ }
5925
+ /**
5926
+ * add prompt
5927
+ * @param prompt
5928
+ */
5929
+ function addPrompt(parameters, prompt) {
5930
+ parameters.set(PROMPT, prompt);
5931
+ }
5932
+ /**
5933
+ * add state
5934
+ * @param state
5935
+ */
5936
+ function addState(parameters, state) {
5937
+ if (state) {
5938
+ parameters.set(STATE, state);
5905
5939
  }
5906
- /**
5907
- * Adds the CCS (Cache Credential Service) query parameter for login_hint
5908
- * @param loginHint
5909
- */
5910
- addCcsUpn(loginHint) {
5911
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`UPN:${loginHint}`));
5940
+ }
5941
+ /**
5942
+ * add nonce
5943
+ * @param nonce
5944
+ */
5945
+ function addNonce(parameters, nonce) {
5946
+ parameters.set(NONCE, nonce);
5947
+ }
5948
+ /**
5949
+ * add code_challenge and code_challenge_method
5950
+ * - throw if either of them are not passed
5951
+ * @param codeChallenge
5952
+ * @param codeChallengeMethod
5953
+ */
5954
+ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
5955
+ if (codeChallenge && codeChallengeMethod) {
5956
+ parameters.set(CODE_CHALLENGE, codeChallenge);
5957
+ parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
5912
5958
  }
5913
- /**
5914
- * Adds the CCS (Cache Credential Service) query parameter for account object
5915
- * @param loginHint
5916
- */
5917
- addCcsOid(clientInfo) {
5918
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
5959
+ else {
5960
+ throw createClientConfigurationError(pkceParamsMissing);
5919
5961
  }
5920
- /**
5921
- * add sid
5922
- * @param sid
5923
- */
5924
- addSid(sid) {
5925
- this.parameters.set(SID, encodeURIComponent(sid));
5962
+ }
5963
+ /**
5964
+ * add the `authorization_code` passed by the user to exchange for a token
5965
+ * @param code
5966
+ */
5967
+ function addAuthorizationCode(parameters, code) {
5968
+ parameters.set(CODE, code);
5969
+ }
5970
+ /**
5971
+ * add the `authorization_code` passed by the user to exchange for a token
5972
+ * @param code
5973
+ */
5974
+ function addDeviceCode(parameters, code) {
5975
+ parameters.set(DEVICE_CODE, code);
5976
+ }
5977
+ /**
5978
+ * add the `refreshToken` passed by the user
5979
+ * @param refreshToken
5980
+ */
5981
+ function addRefreshToken(parameters, refreshToken) {
5982
+ parameters.set(REFRESH_TOKEN, refreshToken);
5983
+ }
5984
+ /**
5985
+ * add the `code_verifier` passed by the user to exchange for a token
5986
+ * @param codeVerifier
5987
+ */
5988
+ function addCodeVerifier(parameters, codeVerifier) {
5989
+ parameters.set(CODE_VERIFIER, codeVerifier);
5990
+ }
5991
+ /**
5992
+ * add client_secret
5993
+ * @param clientSecret
5994
+ */
5995
+ function addClientSecret(parameters, clientSecret) {
5996
+ parameters.set(CLIENT_SECRET, clientSecret);
5997
+ }
5998
+ /**
5999
+ * add clientAssertion for confidential client flows
6000
+ * @param clientAssertion
6001
+ */
6002
+ function addClientAssertion(parameters, clientAssertion) {
6003
+ if (clientAssertion) {
6004
+ parameters.set(CLIENT_ASSERTION, clientAssertion);
5926
6005
  }
5927
- /**
5928
- * add claims
5929
- * @param claims
5930
- */
5931
- addClaims(claims, clientCapabilities) {
5932
- const mergedClaims = this.addClientCapabilitiesToClaims(claims, clientCapabilities);
5933
- RequestValidator.validateClaims(mergedClaims);
5934
- this.parameters.set(CLAIMS, encodeURIComponent(mergedClaims));
6006
+ }
6007
+ /**
6008
+ * add clientAssertionType for confidential client flows
6009
+ * @param clientAssertionType
6010
+ */
6011
+ function addClientAssertionType(parameters, clientAssertionType) {
6012
+ if (clientAssertionType) {
6013
+ parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
5935
6014
  }
5936
- /**
5937
- * add correlationId
5938
- * @param correlationId
5939
- */
5940
- addCorrelationId(correlationId) {
5941
- this.parameters.set(CLIENT_REQUEST_ID, encodeURIComponent(correlationId));
6015
+ }
6016
+ /**
6017
+ * add OBO assertion for confidential client flows
6018
+ * @param clientAssertion
6019
+ */
6020
+ function addOboAssertion(parameters, oboAssertion) {
6021
+ parameters.set(OBO_ASSERTION, oboAssertion);
6022
+ }
6023
+ /**
6024
+ * add grant type
6025
+ * @param grantType
6026
+ */
6027
+ function addRequestTokenUse(parameters, tokenUse) {
6028
+ parameters.set(REQUESTED_TOKEN_USE, tokenUse);
6029
+ }
6030
+ /**
6031
+ * add grant type
6032
+ * @param grantType
6033
+ */
6034
+ function addGrantType(parameters, grantType) {
6035
+ parameters.set(GRANT_TYPE, grantType);
6036
+ }
6037
+ /**
6038
+ * add client info
6039
+ *
6040
+ */
6041
+ function addClientInfo(parameters) {
6042
+ parameters.set(CLIENT_INFO$1, "1");
6043
+ }
6044
+ function addInstanceAware(parameters) {
6045
+ if (!parameters.has(INSTANCE_AWARE)) {
6046
+ parameters.set(INSTANCE_AWARE, "true");
5942
6047
  }
5943
- /**
5944
- * add library info query params
5945
- * @param libraryInfo
5946
- */
5947
- addLibraryInfo(libraryInfo) {
5948
- // Telemetry Info
5949
- this.parameters.set(X_CLIENT_SKU, libraryInfo.sku);
5950
- this.parameters.set(X_CLIENT_VER, libraryInfo.version);
5951
- if (libraryInfo.os) {
5952
- this.parameters.set(X_CLIENT_OS, libraryInfo.os);
5953
- }
5954
- if (libraryInfo.cpu) {
5955
- this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
6048
+ }
6049
+ /**
6050
+ * add extraQueryParams
6051
+ * @param eQParams
6052
+ */
6053
+ function addExtraQueryParameters(parameters, eQParams) {
6054
+ Object.entries(eQParams).forEach(([key, value]) => {
6055
+ if (!parameters.has(key) && value) {
6056
+ parameters.set(key, value);
5956
6057
  }
6058
+ });
6059
+ }
6060
+ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
6061
+ let mergedClaims;
6062
+ // Parse provided claims into JSON object or initialize empty object
6063
+ if (!claims) {
6064
+ mergedClaims = {};
5957
6065
  }
5958
- /**
5959
- * Add client telemetry parameters
5960
- * @param appTelemetry
5961
- */
5962
- addApplicationTelemetry(appTelemetry) {
5963
- if (appTelemetry?.appName) {
5964
- this.parameters.set(X_APP_NAME, appTelemetry.appName);
6066
+ else {
6067
+ try {
6068
+ mergedClaims = JSON.parse(claims);
5965
6069
  }
5966
- if (appTelemetry?.appVersion) {
5967
- this.parameters.set(X_APP_VER, appTelemetry.appVersion);
6070
+ catch (e) {
6071
+ throw createClientConfigurationError(invalidClaims);
5968
6072
  }
5969
6073
  }
5970
- /**
5971
- * add prompt
5972
- * @param prompt
5973
- */
5974
- addPrompt(prompt) {
5975
- RequestValidator.validatePrompt(prompt);
5976
- this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
5977
- }
5978
- /**
5979
- * add state
5980
- * @param state
5981
- */
5982
- addState(state) {
5983
- if (state) {
5984
- this.parameters.set(STATE, encodeURIComponent(state));
6074
+ if (clientCapabilities && clientCapabilities.length > 0) {
6075
+ if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
6076
+ // Add access_token key to claims object
6077
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
5985
6078
  }
5986
- }
5987
- /**
5988
- * add nonce
5989
- * @param nonce
5990
- */
5991
- addNonce(nonce) {
5992
- this.parameters.set(NONCE, encodeURIComponent(nonce));
5993
- }
5994
- /**
5995
- * add code_challenge and code_challenge_method
5996
- * - throw if either of them are not passed
5997
- * @param codeChallenge
5998
- * @param codeChallengeMethod
5999
- */
6000
- addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
6001
- RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
6002
- if (codeChallenge && codeChallengeMethod) {
6003
- this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
6004
- this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
6005
- }
6006
- else {
6007
- throw createClientConfigurationError(pkceParamsMissing);
6008
- }
6009
- }
6010
- /**
6011
- * add the `authorization_code` passed by the user to exchange for a token
6012
- * @param code
6013
- */
6014
- addAuthorizationCode(code) {
6015
- this.parameters.set(CODE, encodeURIComponent(code));
6016
- }
6017
- /**
6018
- * add the `authorization_code` passed by the user to exchange for a token
6019
- * @param code
6020
- */
6021
- addDeviceCode(code) {
6022
- this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
6023
- }
6024
- /**
6025
- * add the `refreshToken` passed by the user
6026
- * @param refreshToken
6027
- */
6028
- addRefreshToken(refreshToken) {
6029
- this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
6030
- }
6031
- /**
6032
- * add the `code_verifier` passed by the user to exchange for a token
6033
- * @param codeVerifier
6034
- */
6035
- addCodeVerifier(codeVerifier) {
6036
- this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
6037
- }
6038
- /**
6039
- * add client_secret
6040
- * @param clientSecret
6041
- */
6042
- addClientSecret(clientSecret) {
6043
- this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
6044
- }
6045
- /**
6046
- * add clientAssertion for confidential client flows
6047
- * @param clientAssertion
6048
- */
6049
- addClientAssertion(clientAssertion) {
6050
- if (clientAssertion) {
6051
- this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
6052
- }
6053
- }
6054
- /**
6055
- * add clientAssertionType for confidential client flows
6056
- * @param clientAssertionType
6057
- */
6058
- addClientAssertionType(clientAssertionType) {
6059
- if (clientAssertionType) {
6060
- this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
6061
- }
6062
- }
6063
- /**
6064
- * add OBO assertion for confidential client flows
6065
- * @param clientAssertion
6066
- */
6067
- addOboAssertion(oboAssertion) {
6068
- this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
6069
- }
6070
- /**
6071
- * add grant type
6072
- * @param grantType
6073
- */
6074
- addRequestTokenUse(tokenUse) {
6075
- this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
6076
- }
6077
- /**
6078
- * add grant type
6079
- * @param grantType
6080
- */
6081
- addGrantType(grantType) {
6082
- this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
6083
- }
6084
- /**
6085
- * add client info
6086
- *
6087
- */
6088
- addClientInfo() {
6089
- this.parameters.set(CLIENT_INFO$1, "1");
6090
- }
6091
- /**
6092
- * add extraQueryParams
6093
- * @param eQParams
6094
- */
6095
- addExtraQueryParameters(eQParams) {
6096
- Object.entries(eQParams).forEach(([key, value]) => {
6097
- if (!this.parameters.has(key) && value) {
6098
- this.parameters.set(key, value);
6099
- }
6100
- });
6101
- }
6102
- addClientCapabilitiesToClaims(claims, clientCapabilities) {
6103
- let mergedClaims;
6104
- // Parse provided claims into JSON object or initialize empty object
6105
- if (!claims) {
6106
- mergedClaims = {};
6107
- }
6108
- else {
6109
- try {
6110
- mergedClaims = JSON.parse(claims);
6111
- }
6112
- catch (e) {
6113
- throw createClientConfigurationError(invalidClaims);
6114
- }
6115
- }
6116
- if (clientCapabilities && clientCapabilities.length > 0) {
6117
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
6118
- // Add access_token key to claims object
6119
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
6120
- }
6121
- // Add xms_cc claim with provided clientCapabilities to access_token key
6122
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
6079
+ // Add xms_cc claim with provided clientCapabilities to access_token key
6080
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
6081
+ {
6123
6082
  values: clientCapabilities,
6124
6083
  };
6125
- }
6126
- return JSON.stringify(mergedClaims);
6127
6084
  }
6128
- /**
6129
- * adds `username` for Password Grant flow
6130
- * @param username
6131
- */
6132
- addUsername(username) {
6133
- this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
6134
- }
6135
- /**
6136
- * adds `password` for Password Grant flow
6137
- * @param password
6138
- */
6139
- addPassword(password) {
6140
- this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
6141
- }
6142
- /**
6143
- * add pop_jwk to query params
6144
- * @param cnfString
6145
- */
6146
- addPopToken(cnfString) {
6147
- if (cnfString) {
6148
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
6149
- this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
6150
- }
6151
- }
6152
- /**
6153
- * add SSH JWK and key ID to query params
6154
- */
6155
- addSshJwk(sshJwkString) {
6156
- if (sshJwkString) {
6157
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
6158
- this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
6159
- }
6160
- }
6161
- /**
6162
- * add server telemetry fields
6163
- * @param serverTelemetryManager
6164
- */
6165
- addServerTelemetry(serverTelemetryManager) {
6166
- this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
6167
- this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
6168
- }
6169
- /**
6170
- * Adds parameter that indicates to the server that throttling is supported
6171
- */
6172
- addThrottling() {
6173
- this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
6085
+ return JSON.stringify(mergedClaims);
6086
+ }
6087
+ /**
6088
+ * adds `username` for Password Grant flow
6089
+ * @param username
6090
+ */
6091
+ function addUsername(parameters, username) {
6092
+ parameters.set(PasswordGrantConstants.username, username);
6093
+ }
6094
+ /**
6095
+ * adds `password` for Password Grant flow
6096
+ * @param password
6097
+ */
6098
+ function addPassword(parameters, password) {
6099
+ parameters.set(PasswordGrantConstants.password, password);
6100
+ }
6101
+ /**
6102
+ * add pop_jwk to query params
6103
+ * @param cnfString
6104
+ */
6105
+ function addPopToken(parameters, cnfString) {
6106
+ if (cnfString) {
6107
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
6108
+ parameters.set(REQ_CNF, cnfString);
6174
6109
  }
6175
- /**
6176
- * Adds logout_hint parameter for "silent" logout which prevent server account picker
6177
- */
6178
- addLogoutHint(logoutHint) {
6179
- this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
6110
+ }
6111
+ /**
6112
+ * add SSH JWK and key ID to query params
6113
+ */
6114
+ function addSshJwk(parameters, sshJwkString) {
6115
+ if (sshJwkString) {
6116
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
6117
+ parameters.set(REQ_CNF, sshJwkString);
6180
6118
  }
6181
- addBrokerParameters(params) {
6182
- const brokerParams = {};
6183
- brokerParams[BROKER_CLIENT_ID] =
6184
- params.brokerClientId;
6185
- brokerParams[BROKER_REDIRECT_URI] =
6186
- params.brokerRedirectUri;
6187
- this.addExtraQueryParameters(brokerParams);
6119
+ }
6120
+ /**
6121
+ * add server telemetry fields
6122
+ * @param serverTelemetryManager
6123
+ */
6124
+ function addServerTelemetry(parameters, serverTelemetryManager) {
6125
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
6126
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
6127
+ }
6128
+ /**
6129
+ * Adds parameter that indicates to the server that throttling is supported
6130
+ */
6131
+ function addThrottling(parameters) {
6132
+ parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
6133
+ }
6134
+ /**
6135
+ * Adds logout_hint parameter for "silent" logout which prevent server account picker
6136
+ */
6137
+ function addLogoutHint(parameters, logoutHint) {
6138
+ parameters.set(LOGOUT_HINT, logoutHint);
6139
+ }
6140
+ function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
6141
+ if (!parameters.has(BROKER_CLIENT_ID)) {
6142
+ parameters.set(BROKER_CLIENT_ID, brokerClientId);
6188
6143
  }
6189
- /**
6190
- * Utility to create a URL from the params map
6191
- */
6192
- createQueryString() {
6193
- const queryParameterArray = new Array();
6194
- this.parameters.forEach((value, key) => {
6195
- queryParameterArray.push(`${key}=${value}`);
6196
- });
6197
- instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
6198
- return queryParameterArray.join("&");
6144
+ if (!parameters.has(BROKER_REDIRECT_URI)) {
6145
+ parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
6199
6146
  }
6200
6147
  }
6201
6148
 
6149
+ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
6150
+ __proto__: null,
6151
+ addApplicationTelemetry: addApplicationTelemetry,
6152
+ addAuthorizationCode: addAuthorizationCode,
6153
+ addBrokerParameters: addBrokerParameters,
6154
+ addCcsOid: addCcsOid,
6155
+ addCcsUpn: addCcsUpn,
6156
+ addClaims: addClaims,
6157
+ addClientAssertion: addClientAssertion,
6158
+ addClientAssertionType: addClientAssertionType,
6159
+ addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
6160
+ addClientId: addClientId,
6161
+ addClientInfo: addClientInfo,
6162
+ addClientSecret: addClientSecret,
6163
+ addCodeChallengeParams: addCodeChallengeParams,
6164
+ addCodeVerifier: addCodeVerifier,
6165
+ addCorrelationId: addCorrelationId,
6166
+ addDeviceCode: addDeviceCode,
6167
+ addDomainHint: addDomainHint,
6168
+ addExtraQueryParameters: addExtraQueryParameters,
6169
+ addGrantType: addGrantType,
6170
+ addIdTokenHint: addIdTokenHint,
6171
+ addInstanceAware: addInstanceAware,
6172
+ addLibraryInfo: addLibraryInfo,
6173
+ addLoginHint: addLoginHint,
6174
+ addLogoutHint: addLogoutHint,
6175
+ addNativeBroker: addNativeBroker,
6176
+ addNonce: addNonce,
6177
+ addOboAssertion: addOboAssertion,
6178
+ addPassword: addPassword,
6179
+ addPopToken: addPopToken,
6180
+ addPostLogoutRedirectUri: addPostLogoutRedirectUri,
6181
+ addPrompt: addPrompt,
6182
+ addRedirectUri: addRedirectUri,
6183
+ addRefreshToken: addRefreshToken,
6184
+ addRequestTokenUse: addRequestTokenUse,
6185
+ addResponseMode: addResponseMode,
6186
+ addResponseTypeCode: addResponseTypeCode,
6187
+ addResponseTypeForTokenAndIdToken: addResponseTypeForTokenAndIdToken,
6188
+ addScopes: addScopes,
6189
+ addServerTelemetry: addServerTelemetry,
6190
+ addSid: addSid,
6191
+ addSshJwk: addSshJwk,
6192
+ addState: addState,
6193
+ addThrottling: addThrottling,
6194
+ addUsername: addUsername,
6195
+ instrumentBrokerParams: instrumentBrokerParams
6196
+ });
6197
+
6202
6198
  /*
6203
6199
  * Copyright (c) Microsoft Corporation. All rights reserved.
6204
6200
  * Licensed under the MIT License.
@@ -6216,6 +6212,26 @@ class ServerError extends AuthError {
6216
6212
  }
6217
6213
  }
6218
6214
 
6215
+ /*
6216
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6217
+ * Licensed under the MIT License.
6218
+ */
6219
+ function getRequestThumbprint(clientId, request, homeAccountId) {
6220
+ return {
6221
+ clientId: clientId,
6222
+ authority: request.authority,
6223
+ scopes: request.scopes,
6224
+ homeAccountIdentifier: homeAccountId,
6225
+ claims: request.claims,
6226
+ authenticationScheme: request.authenticationScheme,
6227
+ resourceRequestMethod: request.resourceRequestMethod,
6228
+ resourceRequestUri: request.resourceRequestUri,
6229
+ shrClaims: request.shrClaims,
6230
+ sshKid: request.sshKid,
6231
+ embeddedClientId: request.embeddedClientId || request.tokenBodyParameters?.clientId,
6232
+ };
6233
+ }
6234
+
6219
6235
  /*
6220
6236
  * Copyright (c) Microsoft Corporation. All rights reserved.
6221
6237
  * Licensed under the MIT License.
@@ -6295,18 +6311,7 @@ class ThrottlingUtils {
6295
6311
  ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS) * 1000);
6296
6312
  }
6297
6313
  static removeThrottle(cacheManager, clientId, request, homeAccountIdentifier) {
6298
- const thumbprint = {
6299
- clientId: clientId,
6300
- authority: request.authority,
6301
- scopes: request.scopes,
6302
- homeAccountIdentifier: homeAccountIdentifier,
6303
- claims: request.claims,
6304
- authenticationScheme: request.authenticationScheme,
6305
- resourceRequestMethod: request.resourceRequestMethod,
6306
- resourceRequestUri: request.resourceRequestUri,
6307
- shrClaims: request.shrClaims,
6308
- sshKid: request.sshKid,
6309
- };
6314
+ const thumbprint = getRequestThumbprint(clientId, request, homeAccountIdentifier);
6310
6315
  const key = this.generateThrottlingStorageKey(thumbprint);
6311
6316
  cacheManager.removeItem(key);
6312
6317
  }
@@ -6473,18 +6478,16 @@ class BaseClient {
6473
6478
  * @param request
6474
6479
  */
6475
6480
  createTokenQueryParameters(request) {
6476
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
6481
+ const parameters = new Map();
6477
6482
  if (request.embeddedClientId) {
6478
- parameterBuilder.addBrokerParameters({
6479
- brokerClientId: this.config.authOptions.clientId,
6480
- brokerRedirectUri: this.config.authOptions.redirectUri,
6481
- });
6483
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6482
6484
  }
6483
6485
  if (request.tokenQueryParameters) {
6484
- parameterBuilder.addExtraQueryParameters(request.tokenQueryParameters);
6486
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6485
6487
  }
6486
- parameterBuilder.addCorrelationId(request.correlationId);
6487
- return parameterBuilder.createQueryString();
6488
+ addCorrelationId(parameters, request.correlationId);
6489
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6490
+ return mapToQueryString(parameters);
6488
6491
  }
6489
6492
  }
6490
6493
 
@@ -6781,13 +6784,6 @@ class PopTokenGenerator {
6781
6784
  * Copyright (c) Microsoft Corporation. All rights reserved.
6782
6785
  * Licensed under the MIT License.
6783
6786
  */
6784
- function parseServerErrorNo(serverResponse) {
6785
- const errorCodePrefix = "code=";
6786
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
6787
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
6788
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
6789
- : undefined;
6790
- }
6791
6787
  /**
6792
6788
  * Class that handles response parsing.
6793
6789
  * @internal
@@ -6802,46 +6798,6 @@ class ResponseHandler {
6802
6798
  this.persistencePlugin = persistencePlugin;
6803
6799
  this.performanceClient = performanceClient;
6804
6800
  }
6805
- /**
6806
- * Function which validates server authorization code response.
6807
- * @param serverResponseHash
6808
- * @param requestState
6809
- * @param cryptoObj
6810
- */
6811
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
6812
- if (!serverResponse.state || !requestState) {
6813
- throw serverResponse.state
6814
- ? createClientAuthError(stateNotFound, "Cached State")
6815
- : createClientAuthError(stateNotFound, "Server State");
6816
- }
6817
- let decodedServerResponseState;
6818
- let decodedRequestState;
6819
- try {
6820
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
6821
- }
6822
- catch (e) {
6823
- throw createClientAuthError(invalidState, serverResponse.state);
6824
- }
6825
- try {
6826
- decodedRequestState = decodeURIComponent(requestState);
6827
- }
6828
- catch (e) {
6829
- throw createClientAuthError(invalidState, serverResponse.state);
6830
- }
6831
- if (decodedServerResponseState !== decodedRequestState) {
6832
- throw createClientAuthError(stateMismatch);
6833
- }
6834
- // Check for error
6835
- if (serverResponse.error ||
6836
- serverResponse.error_description ||
6837
- serverResponse.suberror) {
6838
- const serverErrorNo = parseServerErrorNo(serverResponse);
6839
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6840
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6841
- }
6842
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
6843
- }
6844
- }
6845
6801
  /**
6846
6802
  * Function which validates server authorization token response.
6847
6803
  * @param serverResponse
@@ -7067,10 +7023,11 @@ class ResponseHandler {
7067
7023
  accessToken = cacheRecord.accessToken.secret;
7068
7024
  }
7069
7025
  responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
7070
- expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
7071
- extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
7026
+ // Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
7027
+ expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
7028
+ extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
7072
7029
  if (cacheRecord.accessToken.refreshOn) {
7073
- refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
7030
+ refreshOn = toDateFromSeconds(cacheRecord.accessToken.refreshOn);
7074
7031
  }
7075
7032
  }
7076
7033
  if (cacheRecord.appMetadata) {
@@ -7152,6 +7109,71 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
7152
7109
  return baseAccount;
7153
7110
  }
7154
7111
 
7112
+ /*
7113
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7114
+ * Licensed under the MIT License.
7115
+ */
7116
+ /**
7117
+ * Validates server consumable params from the "request" objects
7118
+ */
7119
+ class RequestValidator {
7120
+ /**
7121
+ * Utility to check if the `redirectUri` in the request is a non-null value
7122
+ * @param redirectUri
7123
+ */
7124
+ static validateRedirectUri(redirectUri) {
7125
+ if (!redirectUri) {
7126
+ throw createClientConfigurationError(redirectUriEmpty);
7127
+ }
7128
+ }
7129
+ /**
7130
+ * Utility to validate prompt sent by the user in the request
7131
+ * @param prompt
7132
+ */
7133
+ static validatePrompt(prompt) {
7134
+ const promptValues = [];
7135
+ for (const value in PromptValue) {
7136
+ promptValues.push(PromptValue[value]);
7137
+ }
7138
+ if (promptValues.indexOf(prompt) < 0) {
7139
+ throw createClientConfigurationError(invalidPromptValue);
7140
+ }
7141
+ }
7142
+ static validateClaims(claims) {
7143
+ try {
7144
+ JSON.parse(claims);
7145
+ }
7146
+ catch (e) {
7147
+ throw createClientConfigurationError(invalidClaims);
7148
+ }
7149
+ }
7150
+ /**
7151
+ * Utility to validate code_challenge and code_challenge_method
7152
+ * @param codeChallenge
7153
+ * @param codeChallengeMethod
7154
+ */
7155
+ static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
7156
+ if (!codeChallenge || !codeChallengeMethod) {
7157
+ throw createClientConfigurationError(pkceParamsMissing);
7158
+ }
7159
+ else {
7160
+ this.validateCodeChallengeMethod(codeChallengeMethod);
7161
+ }
7162
+ }
7163
+ /**
7164
+ * Utility to validate code_challenge_method
7165
+ * @param codeChallengeMethod
7166
+ */
7167
+ static validateCodeChallengeMethod(codeChallengeMethod) {
7168
+ if ([
7169
+ CodeChallengeMethodValues.PLAIN,
7170
+ CodeChallengeMethodValues.S256,
7171
+ ].indexOf(codeChallengeMethod) < 0) {
7172
+ throw createClientConfigurationError(invalidCodeChallengeMethod);
7173
+ }
7174
+ }
7175
+ }
7176
+
7155
7177
  /*
7156
7178
  * Copyright (c) Microsoft Corporation. All rights reserved.
7157
7179
  * Licensed under the MIT License.
@@ -7190,21 +7212,6 @@ class AuthorizationCodeClient extends BaseClient {
7190
7212
  this.oidcDefaultScopes =
7191
7213
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
7192
7214
  }
7193
- /**
7194
- * Creates the URL of the authorization request letting the user input credentials and consent to the
7195
- * application. The URL target the /authorize endpoint of the authority configured in the
7196
- * application object.
7197
- *
7198
- * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
7199
- * sent in the request and should contain an authorization code, which can then be used to acquire tokens via
7200
- * acquireToken(AuthorizationCodeRequest)
7201
- * @param request
7202
- */
7203
- async getAuthCodeUrl(request) {
7204
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
7205
- const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
7206
- return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
7207
- }
7208
7215
  /**
7209
7216
  * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
7210
7217
  * authorization_code_grant
@@ -7224,22 +7231,6 @@ class AuthorizationCodeClient extends BaseClient {
7224
7231
  responseHandler.validateTokenResponse(response.body);
7225
7232
  return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
7226
7233
  }
7227
- /**
7228
- * Handles the hash fragment response from public client code request. Returns a code response used by
7229
- * the client to exchange for a token in acquireToken.
7230
- * @param hashFragment
7231
- */
7232
- handleFragmentResponse(serverParams, cachedState) {
7233
- // Handle responses.
7234
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
7235
- // Get code response
7236
- responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
7237
- // throw when there is no auth code in the response
7238
- if (!serverParams.code) {
7239
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7240
- }
7241
- return serverParams;
7242
- }
7243
7234
  /**
7244
7235
  * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
7245
7236
  * Default behaviour is to redirect the user to `window.location.href`.
@@ -7278,18 +7269,7 @@ class AuthorizationCodeClient extends BaseClient {
7278
7269
  }
7279
7270
  }
7280
7271
  const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
7281
- const thumbprint = {
7282
- clientId: request.tokenBodyParameters?.clientId ||
7283
- this.config.authOptions.clientId,
7284
- authority: authority.canonicalAuthority,
7285
- scopes: request.scopes,
7286
- claims: request.claims,
7287
- authenticationScheme: request.authenticationScheme,
7288
- resourceRequestMethod: request.resourceRequestMethod,
7289
- resourceRequestUri: request.resourceRequestUri,
7290
- shrClaims: request.shrClaims,
7291
- sshKid: request.sshKid,
7292
- };
7272
+ const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
7293
7273
  return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
7294
7274
  }
7295
7275
  /**
@@ -7298,8 +7278,8 @@ class AuthorizationCodeClient extends BaseClient {
7298
7278
  */
7299
7279
  async createTokenRequestBody(request) {
7300
7280
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
7301
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7302
- parameterBuilder.addClientId(request.embeddedClientId ||
7281
+ const parameters = new Map();
7282
+ addClientId(parameters, request.embeddedClientId ||
7303
7283
  request.tokenBodyParameters?.[CLIENT_ID] ||
7304
7284
  this.config.authOptions.clientId);
7305
7285
  /*
@@ -7312,33 +7292,33 @@ class AuthorizationCodeClient extends BaseClient {
7312
7292
  }
7313
7293
  else {
7314
7294
  // Validate and include redirect uri
7315
- parameterBuilder.addRedirectUri(request.redirectUri);
7295
+ addRedirectUri(parameters, request.redirectUri);
7316
7296
  }
7317
7297
  // Add scope array, parameter builder will add default scopes and dedupe
7318
- parameterBuilder.addScopes(request.scopes, true, this.oidcDefaultScopes);
7298
+ addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
7319
7299
  // add code: user set, not validated
7320
- parameterBuilder.addAuthorizationCode(request.code);
7300
+ addAuthorizationCode(parameters, request.code);
7321
7301
  // Add library metadata
7322
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7323
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7324
- parameterBuilder.addThrottling();
7302
+ addLibraryInfo(parameters, this.config.libraryInfo);
7303
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7304
+ addThrottling(parameters);
7325
7305
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7326
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7306
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7327
7307
  }
7328
7308
  // add code_verifier if passed
7329
7309
  if (request.codeVerifier) {
7330
- parameterBuilder.addCodeVerifier(request.codeVerifier);
7310
+ addCodeVerifier(parameters, request.codeVerifier);
7331
7311
  }
7332
7312
  if (this.config.clientCredentials.clientSecret) {
7333
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7313
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7334
7314
  }
7335
7315
  if (this.config.clientCredentials.clientAssertion) {
7336
7316
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7337
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7338
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7317
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7318
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7339
7319
  }
7340
- parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);
7341
- parameterBuilder.addClientInfo();
7320
+ addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
7321
+ addClientInfo(parameters);
7342
7322
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7343
7323
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
7344
7324
  let reqCnfData;
@@ -7350,11 +7330,11 @@ class AuthorizationCodeClient extends BaseClient {
7350
7330
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7351
7331
  }
7352
7332
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7353
- parameterBuilder.addPopToken(reqCnfData);
7333
+ addPopToken(parameters, reqCnfData);
7354
7334
  }
7355
7335
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7356
7336
  if (request.sshJwk) {
7357
- parameterBuilder.addSshJwk(request.sshJwk);
7337
+ addSshJwk(parameters, request.sshJwk);
7358
7338
  }
7359
7339
  else {
7360
7340
  throw createClientConfigurationError(missingSshJwk);
@@ -7363,7 +7343,7 @@ class AuthorizationCodeClient extends BaseClient {
7363
7343
  if (!StringUtils.isEmptyObj(request.claims) ||
7364
7344
  (this.config.authOptions.clientCapabilities &&
7365
7345
  this.config.authOptions.clientCapabilities.length > 0)) {
7366
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7346
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7367
7347
  }
7368
7348
  let ccsCred = undefined;
7369
7349
  if (request.clientInfo) {
@@ -7387,7 +7367,7 @@ class AuthorizationCodeClient extends BaseClient {
7387
7367
  case CcsCredentialType.HOME_ACCOUNT_ID:
7388
7368
  try {
7389
7369
  const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
7390
- parameterBuilder.addCcsOid(clientInfo);
7370
+ addCcsOid(parameters, clientInfo);
7391
7371
  }
7392
7372
  catch (e) {
7393
7373
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7395,230 +7375,55 @@ class AuthorizationCodeClient extends BaseClient {
7395
7375
  }
7396
7376
  break;
7397
7377
  case CcsCredentialType.UPN:
7398
- parameterBuilder.addCcsUpn(ccsCred.credential);
7378
+ addCcsUpn(parameters, ccsCred.credential);
7399
7379
  break;
7400
7380
  }
7401
7381
  }
7402
7382
  if (request.embeddedClientId) {
7403
- parameterBuilder.addBrokerParameters({
7404
- brokerClientId: this.config.authOptions.clientId,
7405
- brokerRedirectUri: this.config.authOptions.redirectUri,
7406
- });
7383
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7407
7384
  }
7408
7385
  if (request.tokenBodyParameters) {
7409
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7386
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7410
7387
  }
7411
7388
  // Add hybrid spa parameters if not already provided
7412
7389
  if (request.enableSpaAuthorizationCode &&
7413
7390
  (!request.tokenBodyParameters ||
7414
7391
  !request.tokenBodyParameters[RETURN_SPA_CODE])) {
7415
- parameterBuilder.addExtraQueryParameters({
7392
+ addExtraQueryParameters(parameters, {
7416
7393
  [RETURN_SPA_CODE]: "1",
7417
7394
  });
7418
7395
  }
7419
- return parameterBuilder.createQueryString();
7420
- }
7421
- /**
7422
- * This API validates the `AuthorizationCodeUrlRequest` and creates a URL
7423
- * @param request
7424
- */
7425
- async createAuthCodeUrlQueryString(request) {
7426
- // generate the correlationId if not set by the user and add
7427
- const correlationId = request.correlationId ||
7428
- this.config.cryptoInterface.createNewGuid();
7429
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
7430
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7431
- parameterBuilder.addClientId(request.embeddedClientId ||
7432
- request.extraQueryParameters?.[CLIENT_ID] ||
7433
- this.config.authOptions.clientId);
7434
- const requestScopes = [
7435
- ...(request.scopes || []),
7436
- ...(request.extraScopesToConsent || []),
7437
- ];
7438
- parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
7439
- // validate the redirectUri (to be a non null value)
7440
- parameterBuilder.addRedirectUri(request.redirectUri);
7441
- parameterBuilder.addCorrelationId(correlationId);
7442
- // add response_mode. If not passed in it defaults to query.
7443
- parameterBuilder.addResponseMode(request.responseMode);
7444
- // add response_type = code
7445
- parameterBuilder.addResponseTypeCode();
7446
- // add library info parameters
7447
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7448
- if (!isOidcProtocolMode(this.config)) {
7449
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7450
- }
7451
- // add client_info=1
7452
- parameterBuilder.addClientInfo();
7453
- if (request.codeChallenge && request.codeChallengeMethod) {
7454
- parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
7455
- }
7456
- if (request.prompt) {
7457
- parameterBuilder.addPrompt(request.prompt);
7458
- }
7459
- if (request.domainHint) {
7460
- parameterBuilder.addDomainHint(request.domainHint);
7461
- this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7462
- }
7463
- this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7464
- // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7465
- if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7466
- // AAD will throw if prompt=select_account is passed with an account hint
7467
- if (request.sid && request.prompt === PromptValue.NONE) {
7468
- // SessionID is only used in silent calls
7469
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7470
- parameterBuilder.addSid(request.sid);
7471
- this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7472
- }
7473
- else if (request.account) {
7474
- const accountSid = this.extractAccountSid(request.account);
7475
- let accountLoginHintClaim = this.extractLoginHint(request.account);
7476
- if (accountLoginHintClaim && request.domainHint) {
7477
- this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7478
- accountLoginHintClaim = null;
7479
- }
7480
- // If login_hint claim is present, use it over sid/username
7481
- if (accountLoginHintClaim) {
7482
- this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7483
- parameterBuilder.addLoginHint(accountLoginHintClaim);
7484
- this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7485
- try {
7486
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7487
- parameterBuilder.addCcsOid(clientInfo);
7488
- }
7489
- catch (e) {
7490
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7491
- }
7492
- }
7493
- else if (accountSid && request.prompt === PromptValue.NONE) {
7494
- /*
7495
- * If account and loginHint are provided, we will check account first for sid before adding loginHint
7496
- * SessionId is only used in silent calls
7497
- */
7498
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7499
- parameterBuilder.addSid(accountSid);
7500
- this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7501
- try {
7502
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7503
- parameterBuilder.addCcsOid(clientInfo);
7504
- }
7505
- catch (e) {
7506
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7507
- }
7508
- }
7509
- else if (request.loginHint) {
7510
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7511
- parameterBuilder.addLoginHint(request.loginHint);
7512
- parameterBuilder.addCcsUpn(request.loginHint);
7513
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7514
- }
7515
- else if (request.account.username) {
7516
- // Fallback to account username if provided
7517
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7518
- parameterBuilder.addLoginHint(request.account.username);
7519
- this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7520
- try {
7521
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7522
- parameterBuilder.addCcsOid(clientInfo);
7523
- }
7524
- catch (e) {
7525
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7526
- }
7527
- }
7528
- }
7529
- else if (request.loginHint) {
7530
- this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7531
- parameterBuilder.addLoginHint(request.loginHint);
7532
- parameterBuilder.addCcsUpn(request.loginHint);
7533
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7534
- }
7535
- }
7536
- else {
7537
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7538
- }
7539
- if (request.nonce) {
7540
- parameterBuilder.addNonce(request.nonce);
7541
- }
7542
- if (request.state) {
7543
- parameterBuilder.addState(request.state);
7544
- }
7545
- if (request.claims ||
7546
- (this.config.authOptions.clientCapabilities &&
7547
- this.config.authOptions.clientCapabilities.length > 0)) {
7548
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7549
- }
7550
- if (request.embeddedClientId) {
7551
- parameterBuilder.addBrokerParameters({
7552
- brokerClientId: this.config.authOptions.clientId,
7553
- brokerRedirectUri: this.config.authOptions.redirectUri,
7554
- });
7555
- }
7556
- this.addExtraQueryParams(request, parameterBuilder);
7557
- if (request.platformBroker) {
7558
- // signal ests that this is a WAM call
7559
- parameterBuilder.addNativeBroker();
7560
- // pass the req_cnf for POP
7561
- if (request.authenticationScheme === AuthenticationScheme.POP) {
7562
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
7563
- // req_cnf is always sent as a string for SPAs
7564
- let reqCnfData;
7565
- if (!request.popKid) {
7566
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
7567
- reqCnfData = generatedReqCnfData.reqCnfString;
7568
- }
7569
- else {
7570
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7571
- }
7572
- parameterBuilder.addPopToken(reqCnfData);
7573
- }
7574
- }
7575
- return parameterBuilder.createQueryString();
7396
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7397
+ return mapToQueryString(parameters);
7576
7398
  }
7577
7399
  /**
7578
7400
  * This API validates the `EndSessionRequest` and creates a URL
7579
7401
  * @param request
7580
7402
  */
7581
7403
  createLogoutUrlQueryString(request) {
7582
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7404
+ const parameters = new Map();
7583
7405
  if (request.postLogoutRedirectUri) {
7584
- parameterBuilder.addPostLogoutRedirectUri(request.postLogoutRedirectUri);
7406
+ addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
7585
7407
  }
7586
7408
  if (request.correlationId) {
7587
- parameterBuilder.addCorrelationId(request.correlationId);
7409
+ addCorrelationId(parameters, request.correlationId);
7588
7410
  }
7589
7411
  if (request.idTokenHint) {
7590
- parameterBuilder.addIdTokenHint(request.idTokenHint);
7412
+ addIdTokenHint(parameters, request.idTokenHint);
7591
7413
  }
7592
7414
  if (request.state) {
7593
- parameterBuilder.addState(request.state);
7415
+ addState(parameters, request.state);
7594
7416
  }
7595
7417
  if (request.logoutHint) {
7596
- parameterBuilder.addLogoutHint(request.logoutHint);
7597
- }
7598
- this.addExtraQueryParams(request, parameterBuilder);
7599
- return parameterBuilder.createQueryString();
7600
- }
7601
- addExtraQueryParams(request, parameterBuilder) {
7602
- const hasRequestInstanceAware = request.extraQueryParameters &&
7603
- request.extraQueryParameters.hasOwnProperty("instance_aware");
7604
- // Set instance_aware flag if config auth param is set
7605
- if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
7606
- request.extraQueryParameters = request.extraQueryParameters || {};
7607
- request.extraQueryParameters["instance_aware"] = "true";
7418
+ addLogoutHint(parameters, request.logoutHint);
7608
7419
  }
7609
7420
  if (request.extraQueryParameters) {
7610
- parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
7421
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7611
7422
  }
7612
- }
7613
- /**
7614
- * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7615
- * @param account
7616
- */
7617
- extractAccountSid(account) {
7618
- return account.idTokenClaims?.sid || null;
7619
- }
7620
- extractLoginHint(account) {
7621
- return account.idTokenClaims?.login_hint || null;
7423
+ if (this.config.authOptions.instanceAware) {
7424
+ addInstanceAware(parameters);
7425
+ }
7426
+ return mapToQueryString(parameters);
7622
7427
  }
7623
7428
  }
7624
7429
 
@@ -7740,18 +7545,7 @@ class RefreshTokenClient extends BaseClient {
7740
7545
  const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
7741
7546
  const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
7742
7547
  const headers = this.createTokenRequestHeaders(request.ccsCredential);
7743
- const thumbprint = {
7744
- clientId: request.tokenBodyParameters?.clientId ||
7745
- this.config.authOptions.clientId,
7746
- authority: authority.canonicalAuthority,
7747
- scopes: request.scopes,
7748
- claims: request.claims,
7749
- authenticationScheme: request.authenticationScheme,
7750
- resourceRequestMethod: request.resourceRequestMethod,
7751
- resourceRequestUri: request.resourceRequestUri,
7752
- shrClaims: request.shrClaims,
7753
- sshKid: request.sshKid,
7754
- };
7548
+ const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
7755
7549
  return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
7756
7550
  }
7757
7551
  /**
@@ -7760,31 +7554,30 @@ class RefreshTokenClient extends BaseClient {
7760
7554
  */
7761
7555
  async createTokenRequestBody(request) {
7762
7556
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
7763
- const correlationId = request.correlationId;
7764
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7765
- parameterBuilder.addClientId(request.embeddedClientId ||
7557
+ const parameters = new Map();
7558
+ addClientId(parameters, request.embeddedClientId ||
7766
7559
  request.tokenBodyParameters?.[CLIENT_ID] ||
7767
7560
  this.config.authOptions.clientId);
7768
7561
  if (request.redirectUri) {
7769
- parameterBuilder.addRedirectUri(request.redirectUri);
7770
- }
7771
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7772
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
7773
- parameterBuilder.addClientInfo();
7774
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7775
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7776
- parameterBuilder.addThrottling();
7562
+ addRedirectUri(parameters, request.redirectUri);
7563
+ }
7564
+ addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7565
+ addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7566
+ addClientInfo(parameters);
7567
+ addLibraryInfo(parameters, this.config.libraryInfo);
7568
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7569
+ addThrottling(parameters);
7777
7570
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7778
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7571
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7779
7572
  }
7780
- parameterBuilder.addRefreshToken(request.refreshToken);
7573
+ addRefreshToken(parameters, request.refreshToken);
7781
7574
  if (this.config.clientCredentials.clientSecret) {
7782
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7575
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7783
7576
  }
7784
7577
  if (this.config.clientCredentials.clientAssertion) {
7785
7578
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7786
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7787
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7579
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7580
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7788
7581
  }
7789
7582
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7790
7583
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
@@ -7797,11 +7590,11 @@ class RefreshTokenClient extends BaseClient {
7797
7590
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7798
7591
  }
7799
7592
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7800
- parameterBuilder.addPopToken(reqCnfData);
7593
+ addPopToken(parameters, reqCnfData);
7801
7594
  }
7802
7595
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7803
7596
  if (request.sshJwk) {
7804
- parameterBuilder.addSshJwk(request.sshJwk);
7597
+ addSshJwk(parameters, request.sshJwk);
7805
7598
  }
7806
7599
  else {
7807
7600
  throw createClientConfigurationError(missingSshJwk);
@@ -7810,7 +7603,7 @@ class RefreshTokenClient extends BaseClient {
7810
7603
  if (!StringUtils.isEmptyObj(request.claims) ||
7811
7604
  (this.config.authOptions.clientCapabilities &&
7812
7605
  this.config.authOptions.clientCapabilities.length > 0)) {
7813
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7606
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7814
7607
  }
7815
7608
  if (this.config.systemOptions.preventCorsPreflight &&
7816
7609
  request.ccsCredential) {
@@ -7818,7 +7611,7 @@ class RefreshTokenClient extends BaseClient {
7818
7611
  case CcsCredentialType.HOME_ACCOUNT_ID:
7819
7612
  try {
7820
7613
  const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
7821
- parameterBuilder.addCcsOid(clientInfo);
7614
+ addCcsOid(parameters, clientInfo);
7822
7615
  }
7823
7616
  catch (e) {
7824
7617
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7826,20 +7619,18 @@ class RefreshTokenClient extends BaseClient {
7826
7619
  }
7827
7620
  break;
7828
7621
  case CcsCredentialType.UPN:
7829
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
7622
+ addCcsUpn(parameters, request.ccsCredential.credential);
7830
7623
  break;
7831
7624
  }
7832
7625
  }
7833
7626
  if (request.embeddedClientId) {
7834
- parameterBuilder.addBrokerParameters({
7835
- brokerClientId: this.config.authOptions.clientId,
7836
- brokerRedirectUri: this.config.authOptions.redirectUri,
7837
- });
7627
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7838
7628
  }
7839
7629
  if (request.tokenBodyParameters) {
7840
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7630
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7841
7631
  }
7842
- return parameterBuilder.createQueryString();
7632
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7633
+ return mapToQueryString(parameters);
7843
7634
  }
7844
7635
  }
7845
7636
 
@@ -7952,6 +7743,236 @@ const StubbedNetworkModule = {
7952
7743
  },
7953
7744
  };
7954
7745
 
7746
+ /*
7747
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7748
+ * Licensed under the MIT License.
7749
+ */
7750
+ /**
7751
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
7752
+ * @param config
7753
+ * @param request
7754
+ * @param logger
7755
+ * @param performanceClient
7756
+ * @returns
7757
+ */
7758
+ function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
7759
+ // generate the correlationId if not set by the user and add
7760
+ const correlationId = request.correlationId;
7761
+ const parameters = new Map();
7762
+ addClientId(parameters, request.embeddedClientId ||
7763
+ request.extraQueryParameters?.[CLIENT_ID] ||
7764
+ authOptions.clientId);
7765
+ const requestScopes = [
7766
+ ...(request.scopes || []),
7767
+ ...(request.extraScopesToConsent || []),
7768
+ ];
7769
+ addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7770
+ addRedirectUri(parameters, request.redirectUri);
7771
+ addCorrelationId(parameters, correlationId);
7772
+ // add response_mode. If not passed in it defaults to query.
7773
+ addResponseMode(parameters, request.responseMode);
7774
+ // add client_info=1
7775
+ addClientInfo(parameters);
7776
+ if (request.prompt) {
7777
+ addPrompt(parameters, request.prompt);
7778
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7779
+ }
7780
+ if (request.domainHint) {
7781
+ addDomainHint(parameters, request.domainHint);
7782
+ performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7783
+ }
7784
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7785
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7786
+ // AAD will throw if prompt=select_account is passed with an account hint
7787
+ if (request.sid && request.prompt === PromptValue.NONE) {
7788
+ // SessionID is only used in silent calls
7789
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7790
+ addSid(parameters, request.sid);
7791
+ performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7792
+ }
7793
+ else if (request.account) {
7794
+ const accountSid = extractAccountSid(request.account);
7795
+ let accountLoginHintClaim = extractLoginHint(request.account);
7796
+ if (accountLoginHintClaim && request.domainHint) {
7797
+ logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7798
+ accountLoginHintClaim = null;
7799
+ }
7800
+ // If login_hint claim is present, use it over sid/username
7801
+ if (accountLoginHintClaim) {
7802
+ logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7803
+ addLoginHint(parameters, accountLoginHintClaim);
7804
+ performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7805
+ try {
7806
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7807
+ addCcsOid(parameters, clientInfo);
7808
+ }
7809
+ catch (e) {
7810
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7811
+ }
7812
+ }
7813
+ else if (accountSid && request.prompt === PromptValue.NONE) {
7814
+ /*
7815
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
7816
+ * SessionId is only used in silent calls
7817
+ */
7818
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7819
+ addSid(parameters, accountSid);
7820
+ performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7821
+ try {
7822
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7823
+ addCcsOid(parameters, clientInfo);
7824
+ }
7825
+ catch (e) {
7826
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7827
+ }
7828
+ }
7829
+ else if (request.loginHint) {
7830
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7831
+ addLoginHint(parameters, request.loginHint);
7832
+ addCcsUpn(parameters, request.loginHint);
7833
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7834
+ }
7835
+ else if (request.account.username) {
7836
+ // Fallback to account username if provided
7837
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7838
+ addLoginHint(parameters, request.account.username);
7839
+ performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7840
+ try {
7841
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7842
+ addCcsOid(parameters, clientInfo);
7843
+ }
7844
+ catch (e) {
7845
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7846
+ }
7847
+ }
7848
+ }
7849
+ else if (request.loginHint) {
7850
+ logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7851
+ addLoginHint(parameters, request.loginHint);
7852
+ addCcsUpn(parameters, request.loginHint);
7853
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7854
+ }
7855
+ }
7856
+ else {
7857
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7858
+ }
7859
+ if (request.nonce) {
7860
+ addNonce(parameters, request.nonce);
7861
+ }
7862
+ if (request.state) {
7863
+ addState(parameters, request.state);
7864
+ }
7865
+ if (request.claims ||
7866
+ (authOptions.clientCapabilities &&
7867
+ authOptions.clientCapabilities.length > 0)) {
7868
+ addClaims(parameters, request.claims, authOptions.clientCapabilities);
7869
+ }
7870
+ if (request.embeddedClientId) {
7871
+ addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7872
+ }
7873
+ if (request.extraQueryParameters) {
7874
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7875
+ }
7876
+ if (authOptions.instanceAware) {
7877
+ addInstanceAware(parameters);
7878
+ }
7879
+ return parameters;
7880
+ }
7881
+ /**
7882
+ * Returns authorize endpoint with given request parameters in the query string
7883
+ * @param authority
7884
+ * @param requestParameters
7885
+ * @returns
7886
+ */
7887
+ function getAuthorizeUrl(authority, requestParameters) {
7888
+ const queryString = mapToQueryString(requestParameters);
7889
+ return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
7890
+ }
7891
+ /**
7892
+ * Handles the hash fragment response from public client code request. Returns a code response used by
7893
+ * the client to exchange for a token in acquireToken.
7894
+ * @param serverParams
7895
+ * @param cachedState
7896
+ */
7897
+ function getAuthorizationCodePayload(serverParams, cachedState) {
7898
+ // Get code response
7899
+ validateAuthorizationResponse(serverParams, cachedState);
7900
+ // throw when there is no auth code in the response
7901
+ if (!serverParams.code) {
7902
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7903
+ }
7904
+ return serverParams;
7905
+ }
7906
+ /**
7907
+ * Function which validates server authorization code response.
7908
+ * @param serverResponseHash
7909
+ * @param requestState
7910
+ */
7911
+ function validateAuthorizationResponse(serverResponse, requestState) {
7912
+ if (!serverResponse.state || !requestState) {
7913
+ throw serverResponse.state
7914
+ ? createClientAuthError(stateNotFound, "Cached State")
7915
+ : createClientAuthError(stateNotFound, "Server State");
7916
+ }
7917
+ let decodedServerResponseState;
7918
+ let decodedRequestState;
7919
+ try {
7920
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
7921
+ }
7922
+ catch (e) {
7923
+ throw createClientAuthError(invalidState, serverResponse.state);
7924
+ }
7925
+ try {
7926
+ decodedRequestState = decodeURIComponent(requestState);
7927
+ }
7928
+ catch (e) {
7929
+ throw createClientAuthError(invalidState, serverResponse.state);
7930
+ }
7931
+ if (decodedServerResponseState !== decodedRequestState) {
7932
+ throw createClientAuthError(stateMismatch);
7933
+ }
7934
+ // Check for error
7935
+ if (serverResponse.error ||
7936
+ serverResponse.error_description ||
7937
+ serverResponse.suberror) {
7938
+ const serverErrorNo = parseServerErrorNo(serverResponse);
7939
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7940
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7941
+ }
7942
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7943
+ }
7944
+ }
7945
+ /**
7946
+ * Get server error No from the error_uri
7947
+ * @param serverResponse
7948
+ * @returns
7949
+ */
7950
+ function parseServerErrorNo(serverResponse) {
7951
+ const errorCodePrefix = "code=";
7952
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
7953
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
7954
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
7955
+ : undefined;
7956
+ }
7957
+ /**
7958
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7959
+ * @param account
7960
+ */
7961
+ function extractAccountSid(account) {
7962
+ return account.idTokenClaims?.sid || null;
7963
+ }
7964
+ function extractLoginHint(account) {
7965
+ return account.idTokenClaims?.login_hint || null;
7966
+ }
7967
+
7968
+ var Authorize = /*#__PURE__*/Object.freeze({
7969
+ __proto__: null,
7970
+ getAuthorizationCodePayload: getAuthorizationCodePayload,
7971
+ getAuthorizeUrl: getAuthorizeUrl,
7972
+ getStandardAuthorizeRequestParameters: getStandardAuthorizeRequestParameters,
7973
+ validateAuthorizationResponse: validateAuthorizationResponse
7974
+ });
7975
+
7955
7976
  /*
7956
7977
  * Copyright (c) Microsoft Corporation. All rights reserved.
7957
7978
  * Licensed under the MIT License.
@@ -8282,6 +8303,7 @@ exports.Authority = Authority;
8282
8303
  exports.AuthorityFactory = AuthorityFactory;
8283
8304
  exports.AuthorityType = AuthorityType;
8284
8305
  exports.AuthorizationCodeClient = AuthorizationCodeClient;
8306
+ exports.Authorize = Authorize;
8285
8307
  exports.AzureCloudInstance = AzureCloudInstance;
8286
8308
  exports.BaseClient = BaseClient;
8287
8309
  exports.CacheAccountType = CacheAccountType;
@@ -8359,10 +8381,11 @@ exports.createInteractionRequiredAuthError = createInteractionRequiredAuthError;
8359
8381
  exports.createNetworkError = createNetworkError;
8360
8382
  exports.formatAuthorityUri = formatAuthorityUri;
8361
8383
  exports.getClientAssertion = getClientAssertion;
8384
+ exports.getRequestThumbprint = getRequestThumbprint;
8362
8385
  exports.getTenantIdFromIdTokenClaims = getTenantIdFromIdTokenClaims;
8363
8386
  exports.invoke = invoke;
8364
8387
  exports.invokeAsync = invokeAsync;
8365
8388
  exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
8366
8389
  exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
8367
8390
  exports.version = version;
8368
- //# sourceMappingURL=index-node-0IMDqzO0.js.map
8391
+ //# sourceMappingURL=index-node-BjtDFnOl.js.map