@azure/msal-common 15.2.0 → 15.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +43 -258
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +29 -41
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +1 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +4 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +4 -3
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +6 -2
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +6 -2
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +6 -2
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.d.ts +3 -0
- package/dist/network/RequestThumbprint.d.ts.map +1 -1
- package/dist/network/RequestThumbprint.mjs +24 -0
- package/dist/network/RequestThumbprint.mjs.map +1 -0
- package/dist/network/ThrottlingUtils.d.ts.map +1 -1
- package/dist/network/ThrottlingUtils.mjs +3 -13
- package/dist/network/ThrottlingUtils.mjs.map +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/BaseAuthRequest.d.ts +2 -0
- package/dist/request/BaseAuthRequest.d.ts.map +1 -1
- package/dist/request/CommonAuthorizationCodeRequest.d.ts +0 -2
- package/dist/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
- package/dist/request/CommonDeviceCodeRequest.d.ts +1 -1
- package/dist/request/CommonDeviceCodeRequest.d.ts.map +1 -1
- package/dist/request/CommonRefreshTokenRequest.d.ts +0 -2
- package/dist/request/CommonRefreshTokenRequest.d.ts.map +1 -1
- package/dist/request/CommonSilentFlowRequest.d.ts +0 -3
- package/dist/request/CommonSilentFlowRequest.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +206 -218
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +356 -369
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +72 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +7 -52
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +2 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.d.ts +10 -0
- package/dist/utils/TimeUtils.d.ts.map +1 -1
- package/dist/utils/TimeUtils.mjs +20 -2
- package/dist/utils/TimeUtils.mjs.map +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +12 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +4 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node-0IMDqzO0.js → index-node-BjtDFnOl.js} +828 -805
- package/lib/index-node-BjtDFnOl.js.map +1 -0
- package/lib/index-node.cjs +4 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +4 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +1 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +4 -3
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/network/RequestThumbprint.d.ts +3 -0
- package/lib/types/network/RequestThumbprint.d.ts.map +1 -1
- package/lib/types/network/ThrottlingUtils.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/BaseAuthRequest.d.ts +2 -0
- package/lib/types/request/BaseAuthRequest.d.ts.map +1 -1
- package/lib/types/request/CommonAuthorizationCodeRequest.d.ts +0 -2
- package/lib/types/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
- package/lib/types/request/CommonDeviceCodeRequest.d.ts +1 -1
- package/lib/types/request/CommonDeviceCodeRequest.d.ts.map +1 -1
- package/lib/types/request/CommonRefreshTokenRequest.d.ts +0 -2
- package/lib/types/request/CommonRefreshTokenRequest.d.ts.map +1 -1
- package/lib/types/request/CommonSilentFlowRequest.d.ts +0 -3
- package/lib/types/request/CommonSilentFlowRequest.d.ts.map +1 -1
- package/lib/types/request/RequestParameterBuilder.d.ts +206 -218
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +72 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/TimeUtils.d.ts +10 -0
- package/lib/types/utils/TimeUtils.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/client/AuthorizationCodeClient.ts +89 -409
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +66 -44
- package/src/constants/AADServerParamKeys.ts +1 -0
- package/src/exports-common.ts +8 -3
- package/src/network/RequestThumbprint.ts +23 -0
- package/src/network/ThrottlingUtils.ts +9 -14
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/BaseAuthRequest.ts +2 -0
- package/src/request/CommonAuthorizationCodeRequest.ts +0 -2
- package/src/request/CommonDeviceCodeRequest.ts +1 -1
- package/src/request/CommonRefreshTokenRequest.ts +0 -2
- package/src/request/CommonSilentFlowRequest.ts +0 -3
- package/src/request/RequestParameterBuilder.ts +508 -543
- package/src/response/AuthorizeResponse.ts +76 -0
- package/src/response/ResponseHandler.ts +8 -104
- package/src/telemetry/performance/PerformanceEvent.ts +1 -11
- package/src/utils/TimeUtils.ts +20 -0
- package/src/utils/UrlUtils.ts +18 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node-0IMDqzO0.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -1149,11 +1149,22 @@ function getDeserializedResponse(responseString) {
|
|
|
1149
1149
|
throw createClientAuthError(hashNotDeserialized);
|
|
1150
1150
|
}
|
|
1151
1151
|
return null;
|
|
1152
|
+
}
|
|
1153
|
+
/**
|
|
1154
|
+
* Utility to create a URL from the params map
|
|
1155
|
+
*/
|
|
1156
|
+
function mapToQueryString(parameters) {
|
|
1157
|
+
const queryParameterArray = new Array();
|
|
1158
|
+
parameters.forEach((value, key) => {
|
|
1159
|
+
queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
|
|
1160
|
+
});
|
|
1161
|
+
return queryParameterArray.join("&");
|
|
1152
1162
|
}
|
|
1153
1163
|
|
|
1154
1164
|
var UrlUtils = /*#__PURE__*/Object.freeze({
|
|
1155
1165
|
__proto__: null,
|
|
1156
1166
|
getDeserializedResponse: getDeserializedResponse,
|
|
1167
|
+
mapToQueryString: mapToQueryString,
|
|
1157
1168
|
stripLeadingHashOrQuery: stripLeadingHashOrQuery
|
|
1158
1169
|
});
|
|
1159
1170
|
|
|
@@ -1681,11 +1692,11 @@ const PerformanceEvents = {
|
|
|
1681
1692
|
StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
|
|
1682
1693
|
StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
|
|
1683
1694
|
StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
|
|
1684
|
-
StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
|
|
1685
1695
|
/**
|
|
1686
1696
|
* getAuthCodeUrl API (msal-browser and msal-node).
|
|
1687
1697
|
*/
|
|
1688
1698
|
GetAuthCodeUrl: "getAuthCodeUrl",
|
|
1699
|
+
GetStandardParams: "getStandardParams",
|
|
1689
1700
|
/**
|
|
1690
1701
|
* Functions from InteractionHandler (msal-browser)
|
|
1691
1702
|
*/
|
|
@@ -1698,7 +1709,6 @@ const PerformanceEvents = {
|
|
|
1698
1709
|
AuthClientAcquireToken: "authClientAcquireToken",
|
|
1699
1710
|
AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
|
|
1700
1711
|
AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
|
|
1701
|
-
AuthClientCreateQueryString: "authClientCreateQueryString",
|
|
1702
1712
|
/**
|
|
1703
1713
|
* Generate functions in PopTokenGenerator (msal-common)
|
|
1704
1714
|
*/
|
|
@@ -1869,10 +1879,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1869
1879
|
PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
|
|
1870
1880
|
"StdIntClientInitAuthReq",
|
|
1871
1881
|
],
|
|
1872
|
-
[
|
|
1873
|
-
PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
|
|
1874
|
-
"StdIntClientInitAuthCodeReq",
|
|
1875
|
-
],
|
|
1876
1882
|
[PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
|
|
1877
1883
|
[
|
|
1878
1884
|
PerformanceEvents.HandleCodeResponseFromServer,
|
|
@@ -1886,10 +1892,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1886
1892
|
PerformanceEvents.AuthClientCreateTokenRequestBody,
|
|
1887
1893
|
"AuthClientCreateTReqBody",
|
|
1888
1894
|
],
|
|
1889
|
-
[
|
|
1890
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
1891
|
-
"AuthClientCreateQueryStr",
|
|
1892
|
-
],
|
|
1893
1895
|
[PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
|
|
1894
1896
|
[PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
|
|
1895
1897
|
[PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
|
|
@@ -2230,6 +2232,24 @@ function nowSeconds() {
|
|
|
2230
2232
|
// Date.getTime() returns in milliseconds.
|
|
2231
2233
|
return Math.round(new Date().getTime() / 1000.0);
|
|
2232
2234
|
}
|
|
2235
|
+
/**
|
|
2236
|
+
* Converts JS Date object to seconds
|
|
2237
|
+
* @param date Date
|
|
2238
|
+
*/
|
|
2239
|
+
function toSecondsFromDate(date) {
|
|
2240
|
+
// Convert date to seconds
|
|
2241
|
+
return date.getTime() / 1000;
|
|
2242
|
+
}
|
|
2243
|
+
/**
|
|
2244
|
+
* Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).
|
|
2245
|
+
* @param seconds
|
|
2246
|
+
*/
|
|
2247
|
+
function toDateFromSeconds(seconds) {
|
|
2248
|
+
if (seconds) {
|
|
2249
|
+
return new Date(Number(seconds) * 1000);
|
|
2250
|
+
}
|
|
2251
|
+
return new Date();
|
|
2252
|
+
}
|
|
2233
2253
|
/**
|
|
2234
2254
|
* check if a token is expired based on given UTC time in seconds.
|
|
2235
2255
|
* @param expiresOn
|
|
@@ -2265,6 +2285,8 @@ var TimeUtils = /*#__PURE__*/Object.freeze({
|
|
|
2265
2285
|
delay: delay,
|
|
2266
2286
|
isTokenExpired: isTokenExpired,
|
|
2267
2287
|
nowSeconds: nowSeconds,
|
|
2288
|
+
toDateFromSeconds: toDateFromSeconds,
|
|
2289
|
+
toSecondsFromDate: toSecondsFromDate,
|
|
2268
2290
|
wasClockTurnedBack: wasClockTurnedBack
|
|
2269
2291
|
});
|
|
2270
2292
|
|
|
@@ -3543,7 +3565,8 @@ const LOGIN_HINT = "login_hint";
|
|
|
3543
3565
|
const DOMAIN_HINT = "domain_hint";
|
|
3544
3566
|
const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
3545
3567
|
const BROKER_CLIENT_ID = "brk_client_id";
|
|
3546
|
-
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
3568
|
+
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
3569
|
+
const INSTANCE_AWARE = "instance_aware";
|
|
3547
3570
|
|
|
3548
3571
|
var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
3549
3572
|
__proto__: null,
|
|
@@ -3571,6 +3594,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3571
3594
|
GRANT_TYPE: GRANT_TYPE,
|
|
3572
3595
|
ID_TOKEN: ID_TOKEN,
|
|
3573
3596
|
ID_TOKEN_HINT: ID_TOKEN_HINT,
|
|
3597
|
+
INSTANCE_AWARE: INSTANCE_AWARE,
|
|
3574
3598
|
LOGIN_HINT: LOGIN_HINT,
|
|
3575
3599
|
LOGOUT_HINT: LOGOUT_HINT,
|
|
3576
3600
|
NATIVE_BROKER: NATIVE_BROKER,
|
|
@@ -3832,7 +3856,7 @@ class Logger {
|
|
|
3832
3856
|
|
|
3833
3857
|
/* eslint-disable header/header */
|
|
3834
3858
|
const name = "@azure/msal-common";
|
|
3835
|
-
const version = "15.
|
|
3859
|
+
const version = "15.3.0";
|
|
3836
3860
|
|
|
3837
3861
|
/*
|
|
3838
3862
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5728,71 +5752,6 @@ const CcsCredentialType = {
|
|
|
5728
5752
|
UPN: "UPN",
|
|
5729
5753
|
};
|
|
5730
5754
|
|
|
5731
|
-
/*
|
|
5732
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5733
|
-
* Licensed under the MIT License.
|
|
5734
|
-
*/
|
|
5735
|
-
/**
|
|
5736
|
-
* Validates server consumable params from the "request" objects
|
|
5737
|
-
*/
|
|
5738
|
-
class RequestValidator {
|
|
5739
|
-
/**
|
|
5740
|
-
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
5741
|
-
* @param redirectUri
|
|
5742
|
-
*/
|
|
5743
|
-
static validateRedirectUri(redirectUri) {
|
|
5744
|
-
if (!redirectUri) {
|
|
5745
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
5746
|
-
}
|
|
5747
|
-
}
|
|
5748
|
-
/**
|
|
5749
|
-
* Utility to validate prompt sent by the user in the request
|
|
5750
|
-
* @param prompt
|
|
5751
|
-
*/
|
|
5752
|
-
static validatePrompt(prompt) {
|
|
5753
|
-
const promptValues = [];
|
|
5754
|
-
for (const value in PromptValue) {
|
|
5755
|
-
promptValues.push(PromptValue[value]);
|
|
5756
|
-
}
|
|
5757
|
-
if (promptValues.indexOf(prompt) < 0) {
|
|
5758
|
-
throw createClientConfigurationError(invalidPromptValue);
|
|
5759
|
-
}
|
|
5760
|
-
}
|
|
5761
|
-
static validateClaims(claims) {
|
|
5762
|
-
try {
|
|
5763
|
-
JSON.parse(claims);
|
|
5764
|
-
}
|
|
5765
|
-
catch (e) {
|
|
5766
|
-
throw createClientConfigurationError(invalidClaims);
|
|
5767
|
-
}
|
|
5768
|
-
}
|
|
5769
|
-
/**
|
|
5770
|
-
* Utility to validate code_challenge and code_challenge_method
|
|
5771
|
-
* @param codeChallenge
|
|
5772
|
-
* @param codeChallengeMethod
|
|
5773
|
-
*/
|
|
5774
|
-
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
5775
|
-
if (!codeChallenge || !codeChallengeMethod) {
|
|
5776
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
5777
|
-
}
|
|
5778
|
-
else {
|
|
5779
|
-
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
5780
|
-
}
|
|
5781
|
-
}
|
|
5782
|
-
/**
|
|
5783
|
-
* Utility to validate code_challenge_method
|
|
5784
|
-
* @param codeChallengeMethod
|
|
5785
|
-
*/
|
|
5786
|
-
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
5787
|
-
if ([
|
|
5788
|
-
CodeChallengeMethodValues.PLAIN,
|
|
5789
|
-
CodeChallengeMethodValues.S256,
|
|
5790
|
-
].indexOf(codeChallengeMethod) < 0) {
|
|
5791
|
-
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
5792
|
-
}
|
|
5793
|
-
}
|
|
5794
|
-
}
|
|
5795
|
-
|
|
5796
5755
|
/*
|
|
5797
5756
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5798
5757
|
* Licensed under the MIT License.
|
|
@@ -5809,396 +5768,433 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
|
|
|
5809
5768
|
}, correlationId);
|
|
5810
5769
|
}
|
|
5811
5770
|
}
|
|
5812
|
-
/**
|
|
5813
|
-
|
|
5814
|
-
|
|
5815
|
-
|
|
5816
|
-
|
|
5817
|
-
|
|
5818
|
-
|
|
5819
|
-
|
|
5820
|
-
|
|
5821
|
-
|
|
5822
|
-
|
|
5823
|
-
|
|
5824
|
-
|
|
5825
|
-
|
|
5826
|
-
|
|
5827
|
-
|
|
5828
|
-
|
|
5829
|
-
|
|
5830
|
-
|
|
5831
|
-
|
|
5832
|
-
|
|
5833
|
-
|
|
5834
|
-
|
|
5835
|
-
|
|
5836
|
-
|
|
5837
|
-
|
|
5838
|
-
|
|
5839
|
-
|
|
5840
|
-
|
|
5841
|
-
|
|
5842
|
-
|
|
5843
|
-
|
|
5844
|
-
|
|
5845
|
-
|
|
5846
|
-
|
|
5847
|
-
|
|
5848
|
-
|
|
5849
|
-
|
|
5850
|
-
|
|
5851
|
-
|
|
5852
|
-
|
|
5853
|
-
|
|
5854
|
-
|
|
5855
|
-
|
|
5856
|
-
|
|
5857
|
-
|
|
5858
|
-
|
|
5859
|
-
|
|
5860
|
-
|
|
5771
|
+
/**
|
|
5772
|
+
* add response_type = code
|
|
5773
|
+
*/
|
|
5774
|
+
function addResponseTypeCode(parameters) {
|
|
5775
|
+
parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
|
|
5776
|
+
}
|
|
5777
|
+
/**
|
|
5778
|
+
* add response_type = token id_token
|
|
5779
|
+
*/
|
|
5780
|
+
function addResponseTypeForTokenAndIdToken(parameters) {
|
|
5781
|
+
parameters.set(RESPONSE_TYPE, `${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`);
|
|
5782
|
+
}
|
|
5783
|
+
/**
|
|
5784
|
+
* add response_mode. defaults to query.
|
|
5785
|
+
* @param responseMode
|
|
5786
|
+
*/
|
|
5787
|
+
function addResponseMode(parameters, responseMode) {
|
|
5788
|
+
parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
|
|
5789
|
+
}
|
|
5790
|
+
/**
|
|
5791
|
+
* Add flag to indicate STS should attempt to use WAM if available
|
|
5792
|
+
*/
|
|
5793
|
+
function addNativeBroker(parameters) {
|
|
5794
|
+
parameters.set(NATIVE_BROKER, "1");
|
|
5795
|
+
}
|
|
5796
|
+
/**
|
|
5797
|
+
* add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
|
|
5798
|
+
* @param scopeSet
|
|
5799
|
+
* @param addOidcScopes
|
|
5800
|
+
*/
|
|
5801
|
+
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
5802
|
+
// Always add openid to the scopes when adding OIDC scopes
|
|
5803
|
+
if (addOidcScopes &&
|
|
5804
|
+
!defaultScopes.includes("openid") &&
|
|
5805
|
+
!scopes.includes("openid")) {
|
|
5806
|
+
defaultScopes.push("openid");
|
|
5807
|
+
}
|
|
5808
|
+
const requestScopes = addOidcScopes
|
|
5809
|
+
? [...(scopes || []), ...defaultScopes]
|
|
5810
|
+
: scopes || [];
|
|
5811
|
+
const scopeSet = new ScopeSet(requestScopes);
|
|
5812
|
+
parameters.set(SCOPE, scopeSet.printScopes());
|
|
5813
|
+
}
|
|
5814
|
+
/**
|
|
5815
|
+
* add clientId
|
|
5816
|
+
* @param clientId
|
|
5817
|
+
*/
|
|
5818
|
+
function addClientId(parameters, clientId) {
|
|
5819
|
+
parameters.set(CLIENT_ID, clientId);
|
|
5820
|
+
}
|
|
5821
|
+
/**
|
|
5822
|
+
* add redirect_uri
|
|
5823
|
+
* @param redirectUri
|
|
5824
|
+
*/
|
|
5825
|
+
function addRedirectUri(parameters, redirectUri) {
|
|
5826
|
+
parameters.set(REDIRECT_URI, redirectUri);
|
|
5827
|
+
}
|
|
5828
|
+
/**
|
|
5829
|
+
* add post logout redirectUri
|
|
5830
|
+
* @param redirectUri
|
|
5831
|
+
*/
|
|
5832
|
+
function addPostLogoutRedirectUri(parameters, redirectUri) {
|
|
5833
|
+
parameters.set(POST_LOGOUT_URI, redirectUri);
|
|
5834
|
+
}
|
|
5835
|
+
/**
|
|
5836
|
+
* add id_token_hint to logout request
|
|
5837
|
+
* @param idTokenHint
|
|
5838
|
+
*/
|
|
5839
|
+
function addIdTokenHint(parameters, idTokenHint) {
|
|
5840
|
+
parameters.set(ID_TOKEN_HINT, idTokenHint);
|
|
5841
|
+
}
|
|
5842
|
+
/**
|
|
5843
|
+
* add domain_hint
|
|
5844
|
+
* @param domainHint
|
|
5845
|
+
*/
|
|
5846
|
+
function addDomainHint(parameters, domainHint) {
|
|
5847
|
+
parameters.set(DOMAIN_HINT, domainHint);
|
|
5848
|
+
}
|
|
5849
|
+
/**
|
|
5850
|
+
* add login_hint
|
|
5851
|
+
* @param loginHint
|
|
5852
|
+
*/
|
|
5853
|
+
function addLoginHint(parameters, loginHint) {
|
|
5854
|
+
parameters.set(LOGIN_HINT, loginHint);
|
|
5855
|
+
}
|
|
5856
|
+
/**
|
|
5857
|
+
* Adds the CCS (Cache Credential Service) query parameter for login_hint
|
|
5858
|
+
* @param loginHint
|
|
5859
|
+
*/
|
|
5860
|
+
function addCcsUpn(parameters, loginHint) {
|
|
5861
|
+
parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
|
|
5862
|
+
}
|
|
5863
|
+
/**
|
|
5864
|
+
* Adds the CCS (Cache Credential Service) query parameter for account object
|
|
5865
|
+
* @param loginHint
|
|
5866
|
+
*/
|
|
5867
|
+
function addCcsOid(parameters, clientInfo) {
|
|
5868
|
+
parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
|
|
5869
|
+
}
|
|
5870
|
+
/**
|
|
5871
|
+
* add sid
|
|
5872
|
+
* @param sid
|
|
5873
|
+
*/
|
|
5874
|
+
function addSid(parameters, sid) {
|
|
5875
|
+
parameters.set(SID, sid);
|
|
5876
|
+
}
|
|
5877
|
+
/**
|
|
5878
|
+
* add claims
|
|
5879
|
+
* @param claims
|
|
5880
|
+
*/
|
|
5881
|
+
function addClaims(parameters, claims, clientCapabilities) {
|
|
5882
|
+
const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
|
|
5883
|
+
try {
|
|
5884
|
+
JSON.parse(mergedClaims);
|
|
5861
5885
|
}
|
|
5862
|
-
|
|
5863
|
-
|
|
5864
|
-
* @param clientId
|
|
5865
|
-
*/
|
|
5866
|
-
addClientId(clientId) {
|
|
5867
|
-
this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
|
|
5886
|
+
catch (e) {
|
|
5887
|
+
throw createClientConfigurationError(invalidClaims);
|
|
5868
5888
|
}
|
|
5869
|
-
|
|
5870
|
-
|
|
5871
|
-
|
|
5872
|
-
|
|
5873
|
-
|
|
5874
|
-
|
|
5875
|
-
|
|
5889
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
5890
|
+
}
|
|
5891
|
+
/**
|
|
5892
|
+
* add correlationId
|
|
5893
|
+
* @param correlationId
|
|
5894
|
+
*/
|
|
5895
|
+
function addCorrelationId(parameters, correlationId) {
|
|
5896
|
+
parameters.set(CLIENT_REQUEST_ID, correlationId);
|
|
5897
|
+
}
|
|
5898
|
+
/**
|
|
5899
|
+
* add library info query params
|
|
5900
|
+
* @param libraryInfo
|
|
5901
|
+
*/
|
|
5902
|
+
function addLibraryInfo(parameters, libraryInfo) {
|
|
5903
|
+
// Telemetry Info
|
|
5904
|
+
parameters.set(X_CLIENT_SKU, libraryInfo.sku);
|
|
5905
|
+
parameters.set(X_CLIENT_VER, libraryInfo.version);
|
|
5906
|
+
if (libraryInfo.os) {
|
|
5907
|
+
parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
5876
5908
|
}
|
|
5877
|
-
|
|
5878
|
-
|
|
5879
|
-
* @param redirectUri
|
|
5880
|
-
*/
|
|
5881
|
-
addPostLogoutRedirectUri(redirectUri) {
|
|
5882
|
-
RequestValidator.validateRedirectUri(redirectUri);
|
|
5883
|
-
this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
|
|
5909
|
+
if (libraryInfo.cpu) {
|
|
5910
|
+
parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
5884
5911
|
}
|
|
5885
|
-
|
|
5886
|
-
|
|
5887
|
-
|
|
5888
|
-
|
|
5889
|
-
|
|
5890
|
-
|
|
5912
|
+
}
|
|
5913
|
+
/**
|
|
5914
|
+
* Add client telemetry parameters
|
|
5915
|
+
* @param appTelemetry
|
|
5916
|
+
*/
|
|
5917
|
+
function addApplicationTelemetry(parameters, appTelemetry) {
|
|
5918
|
+
if (appTelemetry?.appName) {
|
|
5919
|
+
parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
5891
5920
|
}
|
|
5892
|
-
|
|
5893
|
-
|
|
5894
|
-
* @param domainHint
|
|
5895
|
-
*/
|
|
5896
|
-
addDomainHint(domainHint) {
|
|
5897
|
-
this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
|
|
5921
|
+
if (appTelemetry?.appVersion) {
|
|
5922
|
+
parameters.set(X_APP_VER, appTelemetry.appVersion);
|
|
5898
5923
|
}
|
|
5899
|
-
|
|
5900
|
-
|
|
5901
|
-
|
|
5902
|
-
|
|
5903
|
-
|
|
5904
|
-
|
|
5924
|
+
}
|
|
5925
|
+
/**
|
|
5926
|
+
* add prompt
|
|
5927
|
+
* @param prompt
|
|
5928
|
+
*/
|
|
5929
|
+
function addPrompt(parameters, prompt) {
|
|
5930
|
+
parameters.set(PROMPT, prompt);
|
|
5931
|
+
}
|
|
5932
|
+
/**
|
|
5933
|
+
* add state
|
|
5934
|
+
* @param state
|
|
5935
|
+
*/
|
|
5936
|
+
function addState(parameters, state) {
|
|
5937
|
+
if (state) {
|
|
5938
|
+
parameters.set(STATE, state);
|
|
5905
5939
|
}
|
|
5906
|
-
|
|
5907
|
-
|
|
5908
|
-
|
|
5909
|
-
|
|
5910
|
-
|
|
5911
|
-
|
|
5940
|
+
}
|
|
5941
|
+
/**
|
|
5942
|
+
* add nonce
|
|
5943
|
+
* @param nonce
|
|
5944
|
+
*/
|
|
5945
|
+
function addNonce(parameters, nonce) {
|
|
5946
|
+
parameters.set(NONCE, nonce);
|
|
5947
|
+
}
|
|
5948
|
+
/**
|
|
5949
|
+
* add code_challenge and code_challenge_method
|
|
5950
|
+
* - throw if either of them are not passed
|
|
5951
|
+
* @param codeChallenge
|
|
5952
|
+
* @param codeChallengeMethod
|
|
5953
|
+
*/
|
|
5954
|
+
function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
|
|
5955
|
+
if (codeChallenge && codeChallengeMethod) {
|
|
5956
|
+
parameters.set(CODE_CHALLENGE, codeChallenge);
|
|
5957
|
+
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
5912
5958
|
}
|
|
5913
|
-
|
|
5914
|
-
|
|
5915
|
-
* @param loginHint
|
|
5916
|
-
*/
|
|
5917
|
-
addCcsOid(clientInfo) {
|
|
5918
|
-
this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
|
|
5959
|
+
else {
|
|
5960
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
5919
5961
|
}
|
|
5920
|
-
|
|
5921
|
-
|
|
5922
|
-
|
|
5923
|
-
|
|
5924
|
-
|
|
5925
|
-
|
|
5962
|
+
}
|
|
5963
|
+
/**
|
|
5964
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
5965
|
+
* @param code
|
|
5966
|
+
*/
|
|
5967
|
+
function addAuthorizationCode(parameters, code) {
|
|
5968
|
+
parameters.set(CODE, code);
|
|
5969
|
+
}
|
|
5970
|
+
/**
|
|
5971
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
5972
|
+
* @param code
|
|
5973
|
+
*/
|
|
5974
|
+
function addDeviceCode(parameters, code) {
|
|
5975
|
+
parameters.set(DEVICE_CODE, code);
|
|
5976
|
+
}
|
|
5977
|
+
/**
|
|
5978
|
+
* add the `refreshToken` passed by the user
|
|
5979
|
+
* @param refreshToken
|
|
5980
|
+
*/
|
|
5981
|
+
function addRefreshToken(parameters, refreshToken) {
|
|
5982
|
+
parameters.set(REFRESH_TOKEN, refreshToken);
|
|
5983
|
+
}
|
|
5984
|
+
/**
|
|
5985
|
+
* add the `code_verifier` passed by the user to exchange for a token
|
|
5986
|
+
* @param codeVerifier
|
|
5987
|
+
*/
|
|
5988
|
+
function addCodeVerifier(parameters, codeVerifier) {
|
|
5989
|
+
parameters.set(CODE_VERIFIER, codeVerifier);
|
|
5990
|
+
}
|
|
5991
|
+
/**
|
|
5992
|
+
* add client_secret
|
|
5993
|
+
* @param clientSecret
|
|
5994
|
+
*/
|
|
5995
|
+
function addClientSecret(parameters, clientSecret) {
|
|
5996
|
+
parameters.set(CLIENT_SECRET, clientSecret);
|
|
5997
|
+
}
|
|
5998
|
+
/**
|
|
5999
|
+
* add clientAssertion for confidential client flows
|
|
6000
|
+
* @param clientAssertion
|
|
6001
|
+
*/
|
|
6002
|
+
function addClientAssertion(parameters, clientAssertion) {
|
|
6003
|
+
if (clientAssertion) {
|
|
6004
|
+
parameters.set(CLIENT_ASSERTION, clientAssertion);
|
|
5926
6005
|
}
|
|
5927
|
-
|
|
5928
|
-
|
|
5929
|
-
|
|
5930
|
-
|
|
5931
|
-
|
|
5932
|
-
|
|
5933
|
-
|
|
5934
|
-
|
|
6006
|
+
}
|
|
6007
|
+
/**
|
|
6008
|
+
* add clientAssertionType for confidential client flows
|
|
6009
|
+
* @param clientAssertionType
|
|
6010
|
+
*/
|
|
6011
|
+
function addClientAssertionType(parameters, clientAssertionType) {
|
|
6012
|
+
if (clientAssertionType) {
|
|
6013
|
+
parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
|
|
5935
6014
|
}
|
|
5936
|
-
|
|
5937
|
-
|
|
5938
|
-
|
|
5939
|
-
|
|
5940
|
-
|
|
5941
|
-
|
|
6015
|
+
}
|
|
6016
|
+
/**
|
|
6017
|
+
* add OBO assertion for confidential client flows
|
|
6018
|
+
* @param clientAssertion
|
|
6019
|
+
*/
|
|
6020
|
+
function addOboAssertion(parameters, oboAssertion) {
|
|
6021
|
+
parameters.set(OBO_ASSERTION, oboAssertion);
|
|
6022
|
+
}
|
|
6023
|
+
/**
|
|
6024
|
+
* add grant type
|
|
6025
|
+
* @param grantType
|
|
6026
|
+
*/
|
|
6027
|
+
function addRequestTokenUse(parameters, tokenUse) {
|
|
6028
|
+
parameters.set(REQUESTED_TOKEN_USE, tokenUse);
|
|
6029
|
+
}
|
|
6030
|
+
/**
|
|
6031
|
+
* add grant type
|
|
6032
|
+
* @param grantType
|
|
6033
|
+
*/
|
|
6034
|
+
function addGrantType(parameters, grantType) {
|
|
6035
|
+
parameters.set(GRANT_TYPE, grantType);
|
|
6036
|
+
}
|
|
6037
|
+
/**
|
|
6038
|
+
* add client info
|
|
6039
|
+
*
|
|
6040
|
+
*/
|
|
6041
|
+
function addClientInfo(parameters) {
|
|
6042
|
+
parameters.set(CLIENT_INFO$1, "1");
|
|
6043
|
+
}
|
|
6044
|
+
function addInstanceAware(parameters) {
|
|
6045
|
+
if (!parameters.has(INSTANCE_AWARE)) {
|
|
6046
|
+
parameters.set(INSTANCE_AWARE, "true");
|
|
5942
6047
|
}
|
|
5943
|
-
|
|
5944
|
-
|
|
5945
|
-
|
|
5946
|
-
|
|
5947
|
-
|
|
5948
|
-
|
|
5949
|
-
|
|
5950
|
-
|
|
5951
|
-
|
|
5952
|
-
this.parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
5953
|
-
}
|
|
5954
|
-
if (libraryInfo.cpu) {
|
|
5955
|
-
this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
6048
|
+
}
|
|
6049
|
+
/**
|
|
6050
|
+
* add extraQueryParams
|
|
6051
|
+
* @param eQParams
|
|
6052
|
+
*/
|
|
6053
|
+
function addExtraQueryParameters(parameters, eQParams) {
|
|
6054
|
+
Object.entries(eQParams).forEach(([key, value]) => {
|
|
6055
|
+
if (!parameters.has(key) && value) {
|
|
6056
|
+
parameters.set(key, value);
|
|
5956
6057
|
}
|
|
6058
|
+
});
|
|
6059
|
+
}
|
|
6060
|
+
function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
6061
|
+
let mergedClaims;
|
|
6062
|
+
// Parse provided claims into JSON object or initialize empty object
|
|
6063
|
+
if (!claims) {
|
|
6064
|
+
mergedClaims = {};
|
|
5957
6065
|
}
|
|
5958
|
-
|
|
5959
|
-
|
|
5960
|
-
|
|
5961
|
-
*/
|
|
5962
|
-
addApplicationTelemetry(appTelemetry) {
|
|
5963
|
-
if (appTelemetry?.appName) {
|
|
5964
|
-
this.parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
6066
|
+
else {
|
|
6067
|
+
try {
|
|
6068
|
+
mergedClaims = JSON.parse(claims);
|
|
5965
6069
|
}
|
|
5966
|
-
|
|
5967
|
-
|
|
6070
|
+
catch (e) {
|
|
6071
|
+
throw createClientConfigurationError(invalidClaims);
|
|
5968
6072
|
}
|
|
5969
6073
|
}
|
|
5970
|
-
|
|
5971
|
-
|
|
5972
|
-
|
|
5973
|
-
|
|
5974
|
-
addPrompt(prompt) {
|
|
5975
|
-
RequestValidator.validatePrompt(prompt);
|
|
5976
|
-
this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
|
|
5977
|
-
}
|
|
5978
|
-
/**
|
|
5979
|
-
* add state
|
|
5980
|
-
* @param state
|
|
5981
|
-
*/
|
|
5982
|
-
addState(state) {
|
|
5983
|
-
if (state) {
|
|
5984
|
-
this.parameters.set(STATE, encodeURIComponent(state));
|
|
6074
|
+
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
6075
|
+
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
6076
|
+
// Add access_token key to claims object
|
|
6077
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
5985
6078
|
}
|
|
5986
|
-
|
|
5987
|
-
|
|
5988
|
-
|
|
5989
|
-
* @param nonce
|
|
5990
|
-
*/
|
|
5991
|
-
addNonce(nonce) {
|
|
5992
|
-
this.parameters.set(NONCE, encodeURIComponent(nonce));
|
|
5993
|
-
}
|
|
5994
|
-
/**
|
|
5995
|
-
* add code_challenge and code_challenge_method
|
|
5996
|
-
* - throw if either of them are not passed
|
|
5997
|
-
* @param codeChallenge
|
|
5998
|
-
* @param codeChallengeMethod
|
|
5999
|
-
*/
|
|
6000
|
-
addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
6001
|
-
RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
|
|
6002
|
-
if (codeChallenge && codeChallengeMethod) {
|
|
6003
|
-
this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
|
|
6004
|
-
this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
|
|
6005
|
-
}
|
|
6006
|
-
else {
|
|
6007
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
6008
|
-
}
|
|
6009
|
-
}
|
|
6010
|
-
/**
|
|
6011
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
6012
|
-
* @param code
|
|
6013
|
-
*/
|
|
6014
|
-
addAuthorizationCode(code) {
|
|
6015
|
-
this.parameters.set(CODE, encodeURIComponent(code));
|
|
6016
|
-
}
|
|
6017
|
-
/**
|
|
6018
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
6019
|
-
* @param code
|
|
6020
|
-
*/
|
|
6021
|
-
addDeviceCode(code) {
|
|
6022
|
-
this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
|
|
6023
|
-
}
|
|
6024
|
-
/**
|
|
6025
|
-
* add the `refreshToken` passed by the user
|
|
6026
|
-
* @param refreshToken
|
|
6027
|
-
*/
|
|
6028
|
-
addRefreshToken(refreshToken) {
|
|
6029
|
-
this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
|
|
6030
|
-
}
|
|
6031
|
-
/**
|
|
6032
|
-
* add the `code_verifier` passed by the user to exchange for a token
|
|
6033
|
-
* @param codeVerifier
|
|
6034
|
-
*/
|
|
6035
|
-
addCodeVerifier(codeVerifier) {
|
|
6036
|
-
this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
|
|
6037
|
-
}
|
|
6038
|
-
/**
|
|
6039
|
-
* add client_secret
|
|
6040
|
-
* @param clientSecret
|
|
6041
|
-
*/
|
|
6042
|
-
addClientSecret(clientSecret) {
|
|
6043
|
-
this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
|
|
6044
|
-
}
|
|
6045
|
-
/**
|
|
6046
|
-
* add clientAssertion for confidential client flows
|
|
6047
|
-
* @param clientAssertion
|
|
6048
|
-
*/
|
|
6049
|
-
addClientAssertion(clientAssertion) {
|
|
6050
|
-
if (clientAssertion) {
|
|
6051
|
-
this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
|
|
6052
|
-
}
|
|
6053
|
-
}
|
|
6054
|
-
/**
|
|
6055
|
-
* add clientAssertionType for confidential client flows
|
|
6056
|
-
* @param clientAssertionType
|
|
6057
|
-
*/
|
|
6058
|
-
addClientAssertionType(clientAssertionType) {
|
|
6059
|
-
if (clientAssertionType) {
|
|
6060
|
-
this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
|
|
6061
|
-
}
|
|
6062
|
-
}
|
|
6063
|
-
/**
|
|
6064
|
-
* add OBO assertion for confidential client flows
|
|
6065
|
-
* @param clientAssertion
|
|
6066
|
-
*/
|
|
6067
|
-
addOboAssertion(oboAssertion) {
|
|
6068
|
-
this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
|
|
6069
|
-
}
|
|
6070
|
-
/**
|
|
6071
|
-
* add grant type
|
|
6072
|
-
* @param grantType
|
|
6073
|
-
*/
|
|
6074
|
-
addRequestTokenUse(tokenUse) {
|
|
6075
|
-
this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
|
|
6076
|
-
}
|
|
6077
|
-
/**
|
|
6078
|
-
* add grant type
|
|
6079
|
-
* @param grantType
|
|
6080
|
-
*/
|
|
6081
|
-
addGrantType(grantType) {
|
|
6082
|
-
this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
|
|
6083
|
-
}
|
|
6084
|
-
/**
|
|
6085
|
-
* add client info
|
|
6086
|
-
*
|
|
6087
|
-
*/
|
|
6088
|
-
addClientInfo() {
|
|
6089
|
-
this.parameters.set(CLIENT_INFO$1, "1");
|
|
6090
|
-
}
|
|
6091
|
-
/**
|
|
6092
|
-
* add extraQueryParams
|
|
6093
|
-
* @param eQParams
|
|
6094
|
-
*/
|
|
6095
|
-
addExtraQueryParameters(eQParams) {
|
|
6096
|
-
Object.entries(eQParams).forEach(([key, value]) => {
|
|
6097
|
-
if (!this.parameters.has(key) && value) {
|
|
6098
|
-
this.parameters.set(key, value);
|
|
6099
|
-
}
|
|
6100
|
-
});
|
|
6101
|
-
}
|
|
6102
|
-
addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
6103
|
-
let mergedClaims;
|
|
6104
|
-
// Parse provided claims into JSON object or initialize empty object
|
|
6105
|
-
if (!claims) {
|
|
6106
|
-
mergedClaims = {};
|
|
6107
|
-
}
|
|
6108
|
-
else {
|
|
6109
|
-
try {
|
|
6110
|
-
mergedClaims = JSON.parse(claims);
|
|
6111
|
-
}
|
|
6112
|
-
catch (e) {
|
|
6113
|
-
throw createClientConfigurationError(invalidClaims);
|
|
6114
|
-
}
|
|
6115
|
-
}
|
|
6116
|
-
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
6117
|
-
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
6118
|
-
// Add access_token key to claims object
|
|
6119
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
6120
|
-
}
|
|
6121
|
-
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
6122
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
|
|
6079
|
+
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
6080
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
|
|
6081
|
+
{
|
|
6123
6082
|
values: clientCapabilities,
|
|
6124
6083
|
};
|
|
6125
|
-
}
|
|
6126
|
-
return JSON.stringify(mergedClaims);
|
|
6127
6084
|
}
|
|
6128
|
-
|
|
6129
|
-
|
|
6130
|
-
|
|
6131
|
-
|
|
6132
|
-
|
|
6133
|
-
|
|
6134
|
-
|
|
6135
|
-
|
|
6136
|
-
|
|
6137
|
-
|
|
6138
|
-
|
|
6139
|
-
|
|
6140
|
-
|
|
6141
|
-
|
|
6142
|
-
|
|
6143
|
-
|
|
6144
|
-
|
|
6145
|
-
|
|
6146
|
-
|
|
6147
|
-
|
|
6148
|
-
|
|
6149
|
-
|
|
6150
|
-
|
|
6151
|
-
|
|
6152
|
-
/**
|
|
6153
|
-
* add SSH JWK and key ID to query params
|
|
6154
|
-
*/
|
|
6155
|
-
addSshJwk(sshJwkString) {
|
|
6156
|
-
if (sshJwkString) {
|
|
6157
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
6158
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
|
|
6159
|
-
}
|
|
6160
|
-
}
|
|
6161
|
-
/**
|
|
6162
|
-
* add server telemetry fields
|
|
6163
|
-
* @param serverTelemetryManager
|
|
6164
|
-
*/
|
|
6165
|
-
addServerTelemetry(serverTelemetryManager) {
|
|
6166
|
-
this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
6167
|
-
this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
6168
|
-
}
|
|
6169
|
-
/**
|
|
6170
|
-
* Adds parameter that indicates to the server that throttling is supported
|
|
6171
|
-
*/
|
|
6172
|
-
addThrottling() {
|
|
6173
|
-
this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
6085
|
+
return JSON.stringify(mergedClaims);
|
|
6086
|
+
}
|
|
6087
|
+
/**
|
|
6088
|
+
* adds `username` for Password Grant flow
|
|
6089
|
+
* @param username
|
|
6090
|
+
*/
|
|
6091
|
+
function addUsername(parameters, username) {
|
|
6092
|
+
parameters.set(PasswordGrantConstants.username, username);
|
|
6093
|
+
}
|
|
6094
|
+
/**
|
|
6095
|
+
* adds `password` for Password Grant flow
|
|
6096
|
+
* @param password
|
|
6097
|
+
*/
|
|
6098
|
+
function addPassword(parameters, password) {
|
|
6099
|
+
parameters.set(PasswordGrantConstants.password, password);
|
|
6100
|
+
}
|
|
6101
|
+
/**
|
|
6102
|
+
* add pop_jwk to query params
|
|
6103
|
+
* @param cnfString
|
|
6104
|
+
*/
|
|
6105
|
+
function addPopToken(parameters, cnfString) {
|
|
6106
|
+
if (cnfString) {
|
|
6107
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
6108
|
+
parameters.set(REQ_CNF, cnfString);
|
|
6174
6109
|
}
|
|
6175
|
-
|
|
6176
|
-
|
|
6177
|
-
|
|
6178
|
-
|
|
6179
|
-
|
|
6110
|
+
}
|
|
6111
|
+
/**
|
|
6112
|
+
* add SSH JWK and key ID to query params
|
|
6113
|
+
*/
|
|
6114
|
+
function addSshJwk(parameters, sshJwkString) {
|
|
6115
|
+
if (sshJwkString) {
|
|
6116
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
6117
|
+
parameters.set(REQ_CNF, sshJwkString);
|
|
6180
6118
|
}
|
|
6181
|
-
|
|
6182
|
-
|
|
6183
|
-
|
|
6184
|
-
|
|
6185
|
-
|
|
6186
|
-
|
|
6187
|
-
|
|
6119
|
+
}
|
|
6120
|
+
/**
|
|
6121
|
+
* add server telemetry fields
|
|
6122
|
+
* @param serverTelemetryManager
|
|
6123
|
+
*/
|
|
6124
|
+
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
6125
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
6126
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
6127
|
+
}
|
|
6128
|
+
/**
|
|
6129
|
+
* Adds parameter that indicates to the server that throttling is supported
|
|
6130
|
+
*/
|
|
6131
|
+
function addThrottling(parameters) {
|
|
6132
|
+
parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
6133
|
+
}
|
|
6134
|
+
/**
|
|
6135
|
+
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
6136
|
+
*/
|
|
6137
|
+
function addLogoutHint(parameters, logoutHint) {
|
|
6138
|
+
parameters.set(LOGOUT_HINT, logoutHint);
|
|
6139
|
+
}
|
|
6140
|
+
function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
|
|
6141
|
+
if (!parameters.has(BROKER_CLIENT_ID)) {
|
|
6142
|
+
parameters.set(BROKER_CLIENT_ID, brokerClientId);
|
|
6188
6143
|
}
|
|
6189
|
-
|
|
6190
|
-
|
|
6191
|
-
*/
|
|
6192
|
-
createQueryString() {
|
|
6193
|
-
const queryParameterArray = new Array();
|
|
6194
|
-
this.parameters.forEach((value, key) => {
|
|
6195
|
-
queryParameterArray.push(`${key}=${value}`);
|
|
6196
|
-
});
|
|
6197
|
-
instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
|
|
6198
|
-
return queryParameterArray.join("&");
|
|
6144
|
+
if (!parameters.has(BROKER_REDIRECT_URI)) {
|
|
6145
|
+
parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
|
|
6199
6146
|
}
|
|
6200
6147
|
}
|
|
6201
6148
|
|
|
6149
|
+
var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
6150
|
+
__proto__: null,
|
|
6151
|
+
addApplicationTelemetry: addApplicationTelemetry,
|
|
6152
|
+
addAuthorizationCode: addAuthorizationCode,
|
|
6153
|
+
addBrokerParameters: addBrokerParameters,
|
|
6154
|
+
addCcsOid: addCcsOid,
|
|
6155
|
+
addCcsUpn: addCcsUpn,
|
|
6156
|
+
addClaims: addClaims,
|
|
6157
|
+
addClientAssertion: addClientAssertion,
|
|
6158
|
+
addClientAssertionType: addClientAssertionType,
|
|
6159
|
+
addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
|
|
6160
|
+
addClientId: addClientId,
|
|
6161
|
+
addClientInfo: addClientInfo,
|
|
6162
|
+
addClientSecret: addClientSecret,
|
|
6163
|
+
addCodeChallengeParams: addCodeChallengeParams,
|
|
6164
|
+
addCodeVerifier: addCodeVerifier,
|
|
6165
|
+
addCorrelationId: addCorrelationId,
|
|
6166
|
+
addDeviceCode: addDeviceCode,
|
|
6167
|
+
addDomainHint: addDomainHint,
|
|
6168
|
+
addExtraQueryParameters: addExtraQueryParameters,
|
|
6169
|
+
addGrantType: addGrantType,
|
|
6170
|
+
addIdTokenHint: addIdTokenHint,
|
|
6171
|
+
addInstanceAware: addInstanceAware,
|
|
6172
|
+
addLibraryInfo: addLibraryInfo,
|
|
6173
|
+
addLoginHint: addLoginHint,
|
|
6174
|
+
addLogoutHint: addLogoutHint,
|
|
6175
|
+
addNativeBroker: addNativeBroker,
|
|
6176
|
+
addNonce: addNonce,
|
|
6177
|
+
addOboAssertion: addOboAssertion,
|
|
6178
|
+
addPassword: addPassword,
|
|
6179
|
+
addPopToken: addPopToken,
|
|
6180
|
+
addPostLogoutRedirectUri: addPostLogoutRedirectUri,
|
|
6181
|
+
addPrompt: addPrompt,
|
|
6182
|
+
addRedirectUri: addRedirectUri,
|
|
6183
|
+
addRefreshToken: addRefreshToken,
|
|
6184
|
+
addRequestTokenUse: addRequestTokenUse,
|
|
6185
|
+
addResponseMode: addResponseMode,
|
|
6186
|
+
addResponseTypeCode: addResponseTypeCode,
|
|
6187
|
+
addResponseTypeForTokenAndIdToken: addResponseTypeForTokenAndIdToken,
|
|
6188
|
+
addScopes: addScopes,
|
|
6189
|
+
addServerTelemetry: addServerTelemetry,
|
|
6190
|
+
addSid: addSid,
|
|
6191
|
+
addSshJwk: addSshJwk,
|
|
6192
|
+
addState: addState,
|
|
6193
|
+
addThrottling: addThrottling,
|
|
6194
|
+
addUsername: addUsername,
|
|
6195
|
+
instrumentBrokerParams: instrumentBrokerParams
|
|
6196
|
+
});
|
|
6197
|
+
|
|
6202
6198
|
/*
|
|
6203
6199
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6204
6200
|
* Licensed under the MIT License.
|
|
@@ -6216,6 +6212,26 @@ class ServerError extends AuthError {
|
|
|
6216
6212
|
}
|
|
6217
6213
|
}
|
|
6218
6214
|
|
|
6215
|
+
/*
|
|
6216
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6217
|
+
* Licensed under the MIT License.
|
|
6218
|
+
*/
|
|
6219
|
+
function getRequestThumbprint(clientId, request, homeAccountId) {
|
|
6220
|
+
return {
|
|
6221
|
+
clientId: clientId,
|
|
6222
|
+
authority: request.authority,
|
|
6223
|
+
scopes: request.scopes,
|
|
6224
|
+
homeAccountIdentifier: homeAccountId,
|
|
6225
|
+
claims: request.claims,
|
|
6226
|
+
authenticationScheme: request.authenticationScheme,
|
|
6227
|
+
resourceRequestMethod: request.resourceRequestMethod,
|
|
6228
|
+
resourceRequestUri: request.resourceRequestUri,
|
|
6229
|
+
shrClaims: request.shrClaims,
|
|
6230
|
+
sshKid: request.sshKid,
|
|
6231
|
+
embeddedClientId: request.embeddedClientId || request.tokenBodyParameters?.clientId,
|
|
6232
|
+
};
|
|
6233
|
+
}
|
|
6234
|
+
|
|
6219
6235
|
/*
|
|
6220
6236
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6221
6237
|
* Licensed under the MIT License.
|
|
@@ -6295,18 +6311,7 @@ class ThrottlingUtils {
|
|
|
6295
6311
|
ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS) * 1000);
|
|
6296
6312
|
}
|
|
6297
6313
|
static removeThrottle(cacheManager, clientId, request, homeAccountIdentifier) {
|
|
6298
|
-
const thumbprint =
|
|
6299
|
-
clientId: clientId,
|
|
6300
|
-
authority: request.authority,
|
|
6301
|
-
scopes: request.scopes,
|
|
6302
|
-
homeAccountIdentifier: homeAccountIdentifier,
|
|
6303
|
-
claims: request.claims,
|
|
6304
|
-
authenticationScheme: request.authenticationScheme,
|
|
6305
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
6306
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
6307
|
-
shrClaims: request.shrClaims,
|
|
6308
|
-
sshKid: request.sshKid,
|
|
6309
|
-
};
|
|
6314
|
+
const thumbprint = getRequestThumbprint(clientId, request, homeAccountIdentifier);
|
|
6310
6315
|
const key = this.generateThrottlingStorageKey(thumbprint);
|
|
6311
6316
|
cacheManager.removeItem(key);
|
|
6312
6317
|
}
|
|
@@ -6473,18 +6478,16 @@ class BaseClient {
|
|
|
6473
6478
|
* @param request
|
|
6474
6479
|
*/
|
|
6475
6480
|
createTokenQueryParameters(request) {
|
|
6476
|
-
const
|
|
6481
|
+
const parameters = new Map();
|
|
6477
6482
|
if (request.embeddedClientId) {
|
|
6478
|
-
|
|
6479
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
6480
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
6481
|
-
});
|
|
6483
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6482
6484
|
}
|
|
6483
6485
|
if (request.tokenQueryParameters) {
|
|
6484
|
-
|
|
6486
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6485
6487
|
}
|
|
6486
|
-
|
|
6487
|
-
|
|
6488
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6489
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6490
|
+
return mapToQueryString(parameters);
|
|
6488
6491
|
}
|
|
6489
6492
|
}
|
|
6490
6493
|
|
|
@@ -6781,13 +6784,6 @@ class PopTokenGenerator {
|
|
|
6781
6784
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6782
6785
|
* Licensed under the MIT License.
|
|
6783
6786
|
*/
|
|
6784
|
-
function parseServerErrorNo(serverResponse) {
|
|
6785
|
-
const errorCodePrefix = "code=";
|
|
6786
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
6787
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
6788
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
6789
|
-
: undefined;
|
|
6790
|
-
}
|
|
6791
6787
|
/**
|
|
6792
6788
|
* Class that handles response parsing.
|
|
6793
6789
|
* @internal
|
|
@@ -6802,46 +6798,6 @@ class ResponseHandler {
|
|
|
6802
6798
|
this.persistencePlugin = persistencePlugin;
|
|
6803
6799
|
this.performanceClient = performanceClient;
|
|
6804
6800
|
}
|
|
6805
|
-
/**
|
|
6806
|
-
* Function which validates server authorization code response.
|
|
6807
|
-
* @param serverResponseHash
|
|
6808
|
-
* @param requestState
|
|
6809
|
-
* @param cryptoObj
|
|
6810
|
-
*/
|
|
6811
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
6812
|
-
if (!serverResponse.state || !requestState) {
|
|
6813
|
-
throw serverResponse.state
|
|
6814
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6815
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
6816
|
-
}
|
|
6817
|
-
let decodedServerResponseState;
|
|
6818
|
-
let decodedRequestState;
|
|
6819
|
-
try {
|
|
6820
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6821
|
-
}
|
|
6822
|
-
catch (e) {
|
|
6823
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6824
|
-
}
|
|
6825
|
-
try {
|
|
6826
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
6827
|
-
}
|
|
6828
|
-
catch (e) {
|
|
6829
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6830
|
-
}
|
|
6831
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
6832
|
-
throw createClientAuthError(stateMismatch);
|
|
6833
|
-
}
|
|
6834
|
-
// Check for error
|
|
6835
|
-
if (serverResponse.error ||
|
|
6836
|
-
serverResponse.error_description ||
|
|
6837
|
-
serverResponse.suberror) {
|
|
6838
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
6839
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6840
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6841
|
-
}
|
|
6842
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
6843
|
-
}
|
|
6844
|
-
}
|
|
6845
6801
|
/**
|
|
6846
6802
|
* Function which validates server authorization token response.
|
|
6847
6803
|
* @param serverResponse
|
|
@@ -7067,10 +7023,11 @@ class ResponseHandler {
|
|
|
7067
7023
|
accessToken = cacheRecord.accessToken.secret;
|
|
7068
7024
|
}
|
|
7069
7025
|
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
7070
|
-
expiresOn
|
|
7071
|
-
|
|
7026
|
+
// Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
|
|
7027
|
+
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
7028
|
+
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
7072
7029
|
if (cacheRecord.accessToken.refreshOn) {
|
|
7073
|
-
refreshOn =
|
|
7030
|
+
refreshOn = toDateFromSeconds(cacheRecord.accessToken.refreshOn);
|
|
7074
7031
|
}
|
|
7075
7032
|
}
|
|
7076
7033
|
if (cacheRecord.appMetadata) {
|
|
@@ -7152,6 +7109,71 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
7152
7109
|
return baseAccount;
|
|
7153
7110
|
}
|
|
7154
7111
|
|
|
7112
|
+
/*
|
|
7113
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7114
|
+
* Licensed under the MIT License.
|
|
7115
|
+
*/
|
|
7116
|
+
/**
|
|
7117
|
+
* Validates server consumable params from the "request" objects
|
|
7118
|
+
*/
|
|
7119
|
+
class RequestValidator {
|
|
7120
|
+
/**
|
|
7121
|
+
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
7122
|
+
* @param redirectUri
|
|
7123
|
+
*/
|
|
7124
|
+
static validateRedirectUri(redirectUri) {
|
|
7125
|
+
if (!redirectUri) {
|
|
7126
|
+
throw createClientConfigurationError(redirectUriEmpty);
|
|
7127
|
+
}
|
|
7128
|
+
}
|
|
7129
|
+
/**
|
|
7130
|
+
* Utility to validate prompt sent by the user in the request
|
|
7131
|
+
* @param prompt
|
|
7132
|
+
*/
|
|
7133
|
+
static validatePrompt(prompt) {
|
|
7134
|
+
const promptValues = [];
|
|
7135
|
+
for (const value in PromptValue) {
|
|
7136
|
+
promptValues.push(PromptValue[value]);
|
|
7137
|
+
}
|
|
7138
|
+
if (promptValues.indexOf(prompt) < 0) {
|
|
7139
|
+
throw createClientConfigurationError(invalidPromptValue);
|
|
7140
|
+
}
|
|
7141
|
+
}
|
|
7142
|
+
static validateClaims(claims) {
|
|
7143
|
+
try {
|
|
7144
|
+
JSON.parse(claims);
|
|
7145
|
+
}
|
|
7146
|
+
catch (e) {
|
|
7147
|
+
throw createClientConfigurationError(invalidClaims);
|
|
7148
|
+
}
|
|
7149
|
+
}
|
|
7150
|
+
/**
|
|
7151
|
+
* Utility to validate code_challenge and code_challenge_method
|
|
7152
|
+
* @param codeChallenge
|
|
7153
|
+
* @param codeChallengeMethod
|
|
7154
|
+
*/
|
|
7155
|
+
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
7156
|
+
if (!codeChallenge || !codeChallengeMethod) {
|
|
7157
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
7158
|
+
}
|
|
7159
|
+
else {
|
|
7160
|
+
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
7161
|
+
}
|
|
7162
|
+
}
|
|
7163
|
+
/**
|
|
7164
|
+
* Utility to validate code_challenge_method
|
|
7165
|
+
* @param codeChallengeMethod
|
|
7166
|
+
*/
|
|
7167
|
+
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
7168
|
+
if ([
|
|
7169
|
+
CodeChallengeMethodValues.PLAIN,
|
|
7170
|
+
CodeChallengeMethodValues.S256,
|
|
7171
|
+
].indexOf(codeChallengeMethod) < 0) {
|
|
7172
|
+
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
7173
|
+
}
|
|
7174
|
+
}
|
|
7175
|
+
}
|
|
7176
|
+
|
|
7155
7177
|
/*
|
|
7156
7178
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7157
7179
|
* Licensed under the MIT License.
|
|
@@ -7190,21 +7212,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7190
7212
|
this.oidcDefaultScopes =
|
|
7191
7213
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
7192
7214
|
}
|
|
7193
|
-
/**
|
|
7194
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
7195
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
7196
|
-
* application object.
|
|
7197
|
-
*
|
|
7198
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
7199
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
7200
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
7201
|
-
* @param request
|
|
7202
|
-
*/
|
|
7203
|
-
async getAuthCodeUrl(request) {
|
|
7204
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
7205
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7206
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
7207
|
-
}
|
|
7208
7215
|
/**
|
|
7209
7216
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
7210
7217
|
* authorization_code_grant
|
|
@@ -7224,22 +7231,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7224
7231
|
responseHandler.validateTokenResponse(response.body);
|
|
7225
7232
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
7226
7233
|
}
|
|
7227
|
-
/**
|
|
7228
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7229
|
-
* the client to exchange for a token in acquireToken.
|
|
7230
|
-
* @param hashFragment
|
|
7231
|
-
*/
|
|
7232
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
7233
|
-
// Handle responses.
|
|
7234
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
7235
|
-
// Get code response
|
|
7236
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
7237
|
-
// throw when there is no auth code in the response
|
|
7238
|
-
if (!serverParams.code) {
|
|
7239
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7240
|
-
}
|
|
7241
|
-
return serverParams;
|
|
7242
|
-
}
|
|
7243
7234
|
/**
|
|
7244
7235
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
7245
7236
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -7278,18 +7269,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7278
7269
|
}
|
|
7279
7270
|
}
|
|
7280
7271
|
const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
|
|
7281
|
-
const thumbprint =
|
|
7282
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
7283
|
-
this.config.authOptions.clientId,
|
|
7284
|
-
authority: authority.canonicalAuthority,
|
|
7285
|
-
scopes: request.scopes,
|
|
7286
|
-
claims: request.claims,
|
|
7287
|
-
authenticationScheme: request.authenticationScheme,
|
|
7288
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
7289
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
7290
|
-
shrClaims: request.shrClaims,
|
|
7291
|
-
sshKid: request.sshKid,
|
|
7292
|
-
};
|
|
7272
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
7293
7273
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
|
|
7294
7274
|
}
|
|
7295
7275
|
/**
|
|
@@ -7298,8 +7278,8 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7298
7278
|
*/
|
|
7299
7279
|
async createTokenRequestBody(request) {
|
|
7300
7280
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
7301
|
-
const
|
|
7302
|
-
|
|
7281
|
+
const parameters = new Map();
|
|
7282
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7303
7283
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7304
7284
|
this.config.authOptions.clientId);
|
|
7305
7285
|
/*
|
|
@@ -7312,33 +7292,33 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7312
7292
|
}
|
|
7313
7293
|
else {
|
|
7314
7294
|
// Validate and include redirect uri
|
|
7315
|
-
|
|
7295
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7316
7296
|
}
|
|
7317
7297
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
7318
|
-
|
|
7298
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
7319
7299
|
// add code: user set, not validated
|
|
7320
|
-
|
|
7300
|
+
addAuthorizationCode(parameters, request.code);
|
|
7321
7301
|
// Add library metadata
|
|
7322
|
-
|
|
7323
|
-
|
|
7324
|
-
|
|
7302
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7303
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7304
|
+
addThrottling(parameters);
|
|
7325
7305
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7326
|
-
|
|
7306
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7327
7307
|
}
|
|
7328
7308
|
// add code_verifier if passed
|
|
7329
7309
|
if (request.codeVerifier) {
|
|
7330
|
-
|
|
7310
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
7331
7311
|
}
|
|
7332
7312
|
if (this.config.clientCredentials.clientSecret) {
|
|
7333
|
-
|
|
7313
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7334
7314
|
}
|
|
7335
7315
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7336
7316
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7337
|
-
|
|
7338
|
-
|
|
7317
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7318
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7339
7319
|
}
|
|
7340
|
-
|
|
7341
|
-
|
|
7320
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
7321
|
+
addClientInfo(parameters);
|
|
7342
7322
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7343
7323
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
7344
7324
|
let reqCnfData;
|
|
@@ -7350,11 +7330,11 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7350
7330
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7351
7331
|
}
|
|
7352
7332
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7353
|
-
|
|
7333
|
+
addPopToken(parameters, reqCnfData);
|
|
7354
7334
|
}
|
|
7355
7335
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7356
7336
|
if (request.sshJwk) {
|
|
7357
|
-
|
|
7337
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7358
7338
|
}
|
|
7359
7339
|
else {
|
|
7360
7340
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7363,7 +7343,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7363
7343
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7364
7344
|
(this.config.authOptions.clientCapabilities &&
|
|
7365
7345
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7366
|
-
|
|
7346
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7367
7347
|
}
|
|
7368
7348
|
let ccsCred = undefined;
|
|
7369
7349
|
if (request.clientInfo) {
|
|
@@ -7387,7 +7367,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7387
7367
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7388
7368
|
try {
|
|
7389
7369
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
7390
|
-
|
|
7370
|
+
addCcsOid(parameters, clientInfo);
|
|
7391
7371
|
}
|
|
7392
7372
|
catch (e) {
|
|
7393
7373
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7395,230 +7375,55 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7395
7375
|
}
|
|
7396
7376
|
break;
|
|
7397
7377
|
case CcsCredentialType.UPN:
|
|
7398
|
-
|
|
7378
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
7399
7379
|
break;
|
|
7400
7380
|
}
|
|
7401
7381
|
}
|
|
7402
7382
|
if (request.embeddedClientId) {
|
|
7403
|
-
|
|
7404
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7405
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7406
|
-
});
|
|
7383
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7407
7384
|
}
|
|
7408
7385
|
if (request.tokenBodyParameters) {
|
|
7409
|
-
|
|
7386
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7410
7387
|
}
|
|
7411
7388
|
// Add hybrid spa parameters if not already provided
|
|
7412
7389
|
if (request.enableSpaAuthorizationCode &&
|
|
7413
7390
|
(!request.tokenBodyParameters ||
|
|
7414
7391
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
7415
|
-
|
|
7392
|
+
addExtraQueryParameters(parameters, {
|
|
7416
7393
|
[RETURN_SPA_CODE]: "1",
|
|
7417
7394
|
});
|
|
7418
7395
|
}
|
|
7419
|
-
|
|
7420
|
-
|
|
7421
|
-
/**
|
|
7422
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
7423
|
-
* @param request
|
|
7424
|
-
*/
|
|
7425
|
-
async createAuthCodeUrlQueryString(request) {
|
|
7426
|
-
// generate the correlationId if not set by the user and add
|
|
7427
|
-
const correlationId = request.correlationId ||
|
|
7428
|
-
this.config.cryptoInterface.createNewGuid();
|
|
7429
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
7430
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
7431
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7432
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7433
|
-
this.config.authOptions.clientId);
|
|
7434
|
-
const requestScopes = [
|
|
7435
|
-
...(request.scopes || []),
|
|
7436
|
-
...(request.extraScopesToConsent || []),
|
|
7437
|
-
];
|
|
7438
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
7439
|
-
// validate the redirectUri (to be a non null value)
|
|
7440
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
7441
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
7442
|
-
// add response_mode. If not passed in it defaults to query.
|
|
7443
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
7444
|
-
// add response_type = code
|
|
7445
|
-
parameterBuilder.addResponseTypeCode();
|
|
7446
|
-
// add library info parameters
|
|
7447
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
7448
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
7449
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
7450
|
-
}
|
|
7451
|
-
// add client_info=1
|
|
7452
|
-
parameterBuilder.addClientInfo();
|
|
7453
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
7454
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
7455
|
-
}
|
|
7456
|
-
if (request.prompt) {
|
|
7457
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
7458
|
-
}
|
|
7459
|
-
if (request.domainHint) {
|
|
7460
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
7461
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7462
|
-
}
|
|
7463
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7464
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7465
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7466
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7467
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7468
|
-
// SessionID is only used in silent calls
|
|
7469
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7470
|
-
parameterBuilder.addSid(request.sid);
|
|
7471
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7472
|
-
}
|
|
7473
|
-
else if (request.account) {
|
|
7474
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
7475
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
7476
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
7477
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7478
|
-
accountLoginHintClaim = null;
|
|
7479
|
-
}
|
|
7480
|
-
// If login_hint claim is present, use it over sid/username
|
|
7481
|
-
if (accountLoginHintClaim) {
|
|
7482
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7483
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
7484
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7485
|
-
try {
|
|
7486
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7487
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7488
|
-
}
|
|
7489
|
-
catch (e) {
|
|
7490
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7491
|
-
}
|
|
7492
|
-
}
|
|
7493
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7494
|
-
/*
|
|
7495
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7496
|
-
* SessionId is only used in silent calls
|
|
7497
|
-
*/
|
|
7498
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7499
|
-
parameterBuilder.addSid(accountSid);
|
|
7500
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7501
|
-
try {
|
|
7502
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7503
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7504
|
-
}
|
|
7505
|
-
catch (e) {
|
|
7506
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7507
|
-
}
|
|
7508
|
-
}
|
|
7509
|
-
else if (request.loginHint) {
|
|
7510
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7511
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7512
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7513
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7514
|
-
}
|
|
7515
|
-
else if (request.account.username) {
|
|
7516
|
-
// Fallback to account username if provided
|
|
7517
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7518
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
7519
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7520
|
-
try {
|
|
7521
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7522
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7523
|
-
}
|
|
7524
|
-
catch (e) {
|
|
7525
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7526
|
-
}
|
|
7527
|
-
}
|
|
7528
|
-
}
|
|
7529
|
-
else if (request.loginHint) {
|
|
7530
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7531
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7532
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7533
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7534
|
-
}
|
|
7535
|
-
}
|
|
7536
|
-
else {
|
|
7537
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7538
|
-
}
|
|
7539
|
-
if (request.nonce) {
|
|
7540
|
-
parameterBuilder.addNonce(request.nonce);
|
|
7541
|
-
}
|
|
7542
|
-
if (request.state) {
|
|
7543
|
-
parameterBuilder.addState(request.state);
|
|
7544
|
-
}
|
|
7545
|
-
if (request.claims ||
|
|
7546
|
-
(this.config.authOptions.clientCapabilities &&
|
|
7547
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7548
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
7549
|
-
}
|
|
7550
|
-
if (request.embeddedClientId) {
|
|
7551
|
-
parameterBuilder.addBrokerParameters({
|
|
7552
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7553
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7554
|
-
});
|
|
7555
|
-
}
|
|
7556
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7557
|
-
if (request.platformBroker) {
|
|
7558
|
-
// signal ests that this is a WAM call
|
|
7559
|
-
parameterBuilder.addNativeBroker();
|
|
7560
|
-
// pass the req_cnf for POP
|
|
7561
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7562
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
7563
|
-
// req_cnf is always sent as a string for SPAs
|
|
7564
|
-
let reqCnfData;
|
|
7565
|
-
if (!request.popKid) {
|
|
7566
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
7567
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
7568
|
-
}
|
|
7569
|
-
else {
|
|
7570
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7571
|
-
}
|
|
7572
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
7573
|
-
}
|
|
7574
|
-
}
|
|
7575
|
-
return parameterBuilder.createQueryString();
|
|
7396
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7397
|
+
return mapToQueryString(parameters);
|
|
7576
7398
|
}
|
|
7577
7399
|
/**
|
|
7578
7400
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
7579
7401
|
* @param request
|
|
7580
7402
|
*/
|
|
7581
7403
|
createLogoutUrlQueryString(request) {
|
|
7582
|
-
const
|
|
7404
|
+
const parameters = new Map();
|
|
7583
7405
|
if (request.postLogoutRedirectUri) {
|
|
7584
|
-
|
|
7406
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
7585
7407
|
}
|
|
7586
7408
|
if (request.correlationId) {
|
|
7587
|
-
|
|
7409
|
+
addCorrelationId(parameters, request.correlationId);
|
|
7588
7410
|
}
|
|
7589
7411
|
if (request.idTokenHint) {
|
|
7590
|
-
|
|
7412
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
7591
7413
|
}
|
|
7592
7414
|
if (request.state) {
|
|
7593
|
-
|
|
7415
|
+
addState(parameters, request.state);
|
|
7594
7416
|
}
|
|
7595
7417
|
if (request.logoutHint) {
|
|
7596
|
-
|
|
7597
|
-
}
|
|
7598
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7599
|
-
return parameterBuilder.createQueryString();
|
|
7600
|
-
}
|
|
7601
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
7602
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
7603
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
7604
|
-
// Set instance_aware flag if config auth param is set
|
|
7605
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
7606
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
7607
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
7418
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
7608
7419
|
}
|
|
7609
7420
|
if (request.extraQueryParameters) {
|
|
7610
|
-
|
|
7421
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7611
7422
|
}
|
|
7612
|
-
|
|
7613
|
-
|
|
7614
|
-
|
|
7615
|
-
|
|
7616
|
-
*/
|
|
7617
|
-
extractAccountSid(account) {
|
|
7618
|
-
return account.idTokenClaims?.sid || null;
|
|
7619
|
-
}
|
|
7620
|
-
extractLoginHint(account) {
|
|
7621
|
-
return account.idTokenClaims?.login_hint || null;
|
|
7423
|
+
if (this.config.authOptions.instanceAware) {
|
|
7424
|
+
addInstanceAware(parameters);
|
|
7425
|
+
}
|
|
7426
|
+
return mapToQueryString(parameters);
|
|
7622
7427
|
}
|
|
7623
7428
|
}
|
|
7624
7429
|
|
|
@@ -7740,18 +7545,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7740
7545
|
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
|
|
7741
7546
|
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7742
7547
|
const headers = this.createTokenRequestHeaders(request.ccsCredential);
|
|
7743
|
-
const thumbprint =
|
|
7744
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
7745
|
-
this.config.authOptions.clientId,
|
|
7746
|
-
authority: authority.canonicalAuthority,
|
|
7747
|
-
scopes: request.scopes,
|
|
7748
|
-
claims: request.claims,
|
|
7749
|
-
authenticationScheme: request.authenticationScheme,
|
|
7750
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
7751
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
7752
|
-
shrClaims: request.shrClaims,
|
|
7753
|
-
sshKid: request.sshKid,
|
|
7754
|
-
};
|
|
7548
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
7755
7549
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
|
|
7756
7550
|
}
|
|
7757
7551
|
/**
|
|
@@ -7760,31 +7554,30 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7760
7554
|
*/
|
|
7761
7555
|
async createTokenRequestBody(request) {
|
|
7762
7556
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
7763
|
-
const
|
|
7764
|
-
|
|
7765
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7557
|
+
const parameters = new Map();
|
|
7558
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7766
7559
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7767
7560
|
this.config.authOptions.clientId);
|
|
7768
7561
|
if (request.redirectUri) {
|
|
7769
|
-
|
|
7770
|
-
}
|
|
7771
|
-
|
|
7772
|
-
|
|
7773
|
-
|
|
7774
|
-
|
|
7775
|
-
|
|
7776
|
-
|
|
7562
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7563
|
+
}
|
|
7564
|
+
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7565
|
+
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7566
|
+
addClientInfo(parameters);
|
|
7567
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7568
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7569
|
+
addThrottling(parameters);
|
|
7777
7570
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7778
|
-
|
|
7571
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7779
7572
|
}
|
|
7780
|
-
|
|
7573
|
+
addRefreshToken(parameters, request.refreshToken);
|
|
7781
7574
|
if (this.config.clientCredentials.clientSecret) {
|
|
7782
|
-
|
|
7575
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7783
7576
|
}
|
|
7784
7577
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7785
7578
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7786
|
-
|
|
7787
|
-
|
|
7579
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7580
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7788
7581
|
}
|
|
7789
7582
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7790
7583
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
@@ -7797,11 +7590,11 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7797
7590
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7798
7591
|
}
|
|
7799
7592
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7800
|
-
|
|
7593
|
+
addPopToken(parameters, reqCnfData);
|
|
7801
7594
|
}
|
|
7802
7595
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7803
7596
|
if (request.sshJwk) {
|
|
7804
|
-
|
|
7597
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7805
7598
|
}
|
|
7806
7599
|
else {
|
|
7807
7600
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7810,7 +7603,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7810
7603
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7811
7604
|
(this.config.authOptions.clientCapabilities &&
|
|
7812
7605
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7813
|
-
|
|
7606
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7814
7607
|
}
|
|
7815
7608
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
7816
7609
|
request.ccsCredential) {
|
|
@@ -7818,7 +7611,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7818
7611
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7819
7612
|
try {
|
|
7820
7613
|
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
7821
|
-
|
|
7614
|
+
addCcsOid(parameters, clientInfo);
|
|
7822
7615
|
}
|
|
7823
7616
|
catch (e) {
|
|
7824
7617
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7826,20 +7619,18 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7826
7619
|
}
|
|
7827
7620
|
break;
|
|
7828
7621
|
case CcsCredentialType.UPN:
|
|
7829
|
-
|
|
7622
|
+
addCcsUpn(parameters, request.ccsCredential.credential);
|
|
7830
7623
|
break;
|
|
7831
7624
|
}
|
|
7832
7625
|
}
|
|
7833
7626
|
if (request.embeddedClientId) {
|
|
7834
|
-
|
|
7835
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7836
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7837
|
-
});
|
|
7627
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7838
7628
|
}
|
|
7839
7629
|
if (request.tokenBodyParameters) {
|
|
7840
|
-
|
|
7630
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7841
7631
|
}
|
|
7842
|
-
|
|
7632
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7633
|
+
return mapToQueryString(parameters);
|
|
7843
7634
|
}
|
|
7844
7635
|
}
|
|
7845
7636
|
|
|
@@ -7952,6 +7743,236 @@ const StubbedNetworkModule = {
|
|
|
7952
7743
|
},
|
|
7953
7744
|
};
|
|
7954
7745
|
|
|
7746
|
+
/*
|
|
7747
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7748
|
+
* Licensed under the MIT License.
|
|
7749
|
+
*/
|
|
7750
|
+
/**
|
|
7751
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
7752
|
+
* @param config
|
|
7753
|
+
* @param request
|
|
7754
|
+
* @param logger
|
|
7755
|
+
* @param performanceClient
|
|
7756
|
+
* @returns
|
|
7757
|
+
*/
|
|
7758
|
+
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7759
|
+
// generate the correlationId if not set by the user and add
|
|
7760
|
+
const correlationId = request.correlationId;
|
|
7761
|
+
const parameters = new Map();
|
|
7762
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7763
|
+
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7764
|
+
authOptions.clientId);
|
|
7765
|
+
const requestScopes = [
|
|
7766
|
+
...(request.scopes || []),
|
|
7767
|
+
...(request.extraScopesToConsent || []),
|
|
7768
|
+
];
|
|
7769
|
+
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7770
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7771
|
+
addCorrelationId(parameters, correlationId);
|
|
7772
|
+
// add response_mode. If not passed in it defaults to query.
|
|
7773
|
+
addResponseMode(parameters, request.responseMode);
|
|
7774
|
+
// add client_info=1
|
|
7775
|
+
addClientInfo(parameters);
|
|
7776
|
+
if (request.prompt) {
|
|
7777
|
+
addPrompt(parameters, request.prompt);
|
|
7778
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7779
|
+
}
|
|
7780
|
+
if (request.domainHint) {
|
|
7781
|
+
addDomainHint(parameters, request.domainHint);
|
|
7782
|
+
performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7783
|
+
}
|
|
7784
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7785
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7786
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7787
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7788
|
+
// SessionID is only used in silent calls
|
|
7789
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7790
|
+
addSid(parameters, request.sid);
|
|
7791
|
+
performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7792
|
+
}
|
|
7793
|
+
else if (request.account) {
|
|
7794
|
+
const accountSid = extractAccountSid(request.account);
|
|
7795
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
7796
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
7797
|
+
logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7798
|
+
accountLoginHintClaim = null;
|
|
7799
|
+
}
|
|
7800
|
+
// If login_hint claim is present, use it over sid/username
|
|
7801
|
+
if (accountLoginHintClaim) {
|
|
7802
|
+
logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7803
|
+
addLoginHint(parameters, accountLoginHintClaim);
|
|
7804
|
+
performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7805
|
+
try {
|
|
7806
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7807
|
+
addCcsOid(parameters, clientInfo);
|
|
7808
|
+
}
|
|
7809
|
+
catch (e) {
|
|
7810
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7811
|
+
}
|
|
7812
|
+
}
|
|
7813
|
+
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7814
|
+
/*
|
|
7815
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7816
|
+
* SessionId is only used in silent calls
|
|
7817
|
+
*/
|
|
7818
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7819
|
+
addSid(parameters, accountSid);
|
|
7820
|
+
performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7821
|
+
try {
|
|
7822
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7823
|
+
addCcsOid(parameters, clientInfo);
|
|
7824
|
+
}
|
|
7825
|
+
catch (e) {
|
|
7826
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7827
|
+
}
|
|
7828
|
+
}
|
|
7829
|
+
else if (request.loginHint) {
|
|
7830
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7831
|
+
addLoginHint(parameters, request.loginHint);
|
|
7832
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7833
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7834
|
+
}
|
|
7835
|
+
else if (request.account.username) {
|
|
7836
|
+
// Fallback to account username if provided
|
|
7837
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7838
|
+
addLoginHint(parameters, request.account.username);
|
|
7839
|
+
performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7840
|
+
try {
|
|
7841
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7842
|
+
addCcsOid(parameters, clientInfo);
|
|
7843
|
+
}
|
|
7844
|
+
catch (e) {
|
|
7845
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7846
|
+
}
|
|
7847
|
+
}
|
|
7848
|
+
}
|
|
7849
|
+
else if (request.loginHint) {
|
|
7850
|
+
logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7851
|
+
addLoginHint(parameters, request.loginHint);
|
|
7852
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7853
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7854
|
+
}
|
|
7855
|
+
}
|
|
7856
|
+
else {
|
|
7857
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7858
|
+
}
|
|
7859
|
+
if (request.nonce) {
|
|
7860
|
+
addNonce(parameters, request.nonce);
|
|
7861
|
+
}
|
|
7862
|
+
if (request.state) {
|
|
7863
|
+
addState(parameters, request.state);
|
|
7864
|
+
}
|
|
7865
|
+
if (request.claims ||
|
|
7866
|
+
(authOptions.clientCapabilities &&
|
|
7867
|
+
authOptions.clientCapabilities.length > 0)) {
|
|
7868
|
+
addClaims(parameters, request.claims, authOptions.clientCapabilities);
|
|
7869
|
+
}
|
|
7870
|
+
if (request.embeddedClientId) {
|
|
7871
|
+
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7872
|
+
}
|
|
7873
|
+
if (request.extraQueryParameters) {
|
|
7874
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7875
|
+
}
|
|
7876
|
+
if (authOptions.instanceAware) {
|
|
7877
|
+
addInstanceAware(parameters);
|
|
7878
|
+
}
|
|
7879
|
+
return parameters;
|
|
7880
|
+
}
|
|
7881
|
+
/**
|
|
7882
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
7883
|
+
* @param authority
|
|
7884
|
+
* @param requestParameters
|
|
7885
|
+
* @returns
|
|
7886
|
+
*/
|
|
7887
|
+
function getAuthorizeUrl(authority, requestParameters) {
|
|
7888
|
+
const queryString = mapToQueryString(requestParameters);
|
|
7889
|
+
return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
|
|
7890
|
+
}
|
|
7891
|
+
/**
|
|
7892
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7893
|
+
* the client to exchange for a token in acquireToken.
|
|
7894
|
+
* @param serverParams
|
|
7895
|
+
* @param cachedState
|
|
7896
|
+
*/
|
|
7897
|
+
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7898
|
+
// Get code response
|
|
7899
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
7900
|
+
// throw when there is no auth code in the response
|
|
7901
|
+
if (!serverParams.code) {
|
|
7902
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7903
|
+
}
|
|
7904
|
+
return serverParams;
|
|
7905
|
+
}
|
|
7906
|
+
/**
|
|
7907
|
+
* Function which validates server authorization code response.
|
|
7908
|
+
* @param serverResponseHash
|
|
7909
|
+
* @param requestState
|
|
7910
|
+
*/
|
|
7911
|
+
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7912
|
+
if (!serverResponse.state || !requestState) {
|
|
7913
|
+
throw serverResponse.state
|
|
7914
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
7915
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
7916
|
+
}
|
|
7917
|
+
let decodedServerResponseState;
|
|
7918
|
+
let decodedRequestState;
|
|
7919
|
+
try {
|
|
7920
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7921
|
+
}
|
|
7922
|
+
catch (e) {
|
|
7923
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7924
|
+
}
|
|
7925
|
+
try {
|
|
7926
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
7927
|
+
}
|
|
7928
|
+
catch (e) {
|
|
7929
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7930
|
+
}
|
|
7931
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
7932
|
+
throw createClientAuthError(stateMismatch);
|
|
7933
|
+
}
|
|
7934
|
+
// Check for error
|
|
7935
|
+
if (serverResponse.error ||
|
|
7936
|
+
serverResponse.error_description ||
|
|
7937
|
+
serverResponse.suberror) {
|
|
7938
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7939
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7940
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7941
|
+
}
|
|
7942
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7943
|
+
}
|
|
7944
|
+
}
|
|
7945
|
+
/**
|
|
7946
|
+
* Get server error No from the error_uri
|
|
7947
|
+
* @param serverResponse
|
|
7948
|
+
* @returns
|
|
7949
|
+
*/
|
|
7950
|
+
function parseServerErrorNo(serverResponse) {
|
|
7951
|
+
const errorCodePrefix = "code=";
|
|
7952
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
7953
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
7954
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
7955
|
+
: undefined;
|
|
7956
|
+
}
|
|
7957
|
+
/**
|
|
7958
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
7959
|
+
* @param account
|
|
7960
|
+
*/
|
|
7961
|
+
function extractAccountSid(account) {
|
|
7962
|
+
return account.idTokenClaims?.sid || null;
|
|
7963
|
+
}
|
|
7964
|
+
function extractLoginHint(account) {
|
|
7965
|
+
return account.idTokenClaims?.login_hint || null;
|
|
7966
|
+
}
|
|
7967
|
+
|
|
7968
|
+
var Authorize = /*#__PURE__*/Object.freeze({
|
|
7969
|
+
__proto__: null,
|
|
7970
|
+
getAuthorizationCodePayload: getAuthorizationCodePayload,
|
|
7971
|
+
getAuthorizeUrl: getAuthorizeUrl,
|
|
7972
|
+
getStandardAuthorizeRequestParameters: getStandardAuthorizeRequestParameters,
|
|
7973
|
+
validateAuthorizationResponse: validateAuthorizationResponse
|
|
7974
|
+
});
|
|
7975
|
+
|
|
7955
7976
|
/*
|
|
7956
7977
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7957
7978
|
* Licensed under the MIT License.
|
|
@@ -8282,6 +8303,7 @@ exports.Authority = Authority;
|
|
|
8282
8303
|
exports.AuthorityFactory = AuthorityFactory;
|
|
8283
8304
|
exports.AuthorityType = AuthorityType;
|
|
8284
8305
|
exports.AuthorizationCodeClient = AuthorizationCodeClient;
|
|
8306
|
+
exports.Authorize = Authorize;
|
|
8285
8307
|
exports.AzureCloudInstance = AzureCloudInstance;
|
|
8286
8308
|
exports.BaseClient = BaseClient;
|
|
8287
8309
|
exports.CacheAccountType = CacheAccountType;
|
|
@@ -8359,10 +8381,11 @@ exports.createInteractionRequiredAuthError = createInteractionRequiredAuthError;
|
|
|
8359
8381
|
exports.createNetworkError = createNetworkError;
|
|
8360
8382
|
exports.formatAuthorityUri = formatAuthorityUri;
|
|
8361
8383
|
exports.getClientAssertion = getClientAssertion;
|
|
8384
|
+
exports.getRequestThumbprint = getRequestThumbprint;
|
|
8362
8385
|
exports.getTenantIdFromIdTokenClaims = getTenantIdFromIdTokenClaims;
|
|
8363
8386
|
exports.invoke = invoke;
|
|
8364
8387
|
exports.invokeAsync = invokeAsync;
|
|
8365
8388
|
exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
|
|
8366
8389
|
exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
|
|
8367
8390
|
exports.version = version;
|
|
8368
|
-
//# sourceMappingURL=index-node-
|
|
8391
|
+
//# sourceMappingURL=index-node-BjtDFnOl.js.map
|