@azure/msal-common 15.2.1 → 15.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +41 -246
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +27 -29
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +1 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +4 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +3 -2
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +5 -2
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +5 -2
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +5 -2
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +206 -218
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +356 -369
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +72 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +2 -49
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +2 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +12 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +3 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node--LMD5Re1.js → index-node-BjtDFnOl.js} +782 -768
- package/lib/index-node-BjtDFnOl.js.map +1 -0
- package/lib/index-node.cjs +3 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +3 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +1 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +3 -2
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/RequestParameterBuilder.d.ts +206 -218
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +72 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/client/AuthorizationCodeClient.ts +84 -395
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +60 -30
- package/src/constants/AADServerParamKeys.ts +1 -0
- package/src/exports-common.ts +4 -2
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/RequestParameterBuilder.ts +508 -543
- package/src/response/AuthorizeResponse.ts +76 -0
- package/src/response/ResponseHandler.ts +0 -98
- package/src/telemetry/performance/PerformanceEvent.ts +1 -11
- package/src/utils/UrlUtils.ts +18 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node--LMD5Re1.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -1149,11 +1149,22 @@ function getDeserializedResponse(responseString) {
|
|
|
1149
1149
|
throw createClientAuthError(hashNotDeserialized);
|
|
1150
1150
|
}
|
|
1151
1151
|
return null;
|
|
1152
|
+
}
|
|
1153
|
+
/**
|
|
1154
|
+
* Utility to create a URL from the params map
|
|
1155
|
+
*/
|
|
1156
|
+
function mapToQueryString(parameters) {
|
|
1157
|
+
const queryParameterArray = new Array();
|
|
1158
|
+
parameters.forEach((value, key) => {
|
|
1159
|
+
queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
|
|
1160
|
+
});
|
|
1161
|
+
return queryParameterArray.join("&");
|
|
1152
1162
|
}
|
|
1153
1163
|
|
|
1154
1164
|
var UrlUtils = /*#__PURE__*/Object.freeze({
|
|
1155
1165
|
__proto__: null,
|
|
1156
1166
|
getDeserializedResponse: getDeserializedResponse,
|
|
1167
|
+
mapToQueryString: mapToQueryString,
|
|
1157
1168
|
stripLeadingHashOrQuery: stripLeadingHashOrQuery
|
|
1158
1169
|
});
|
|
1159
1170
|
|
|
@@ -1681,11 +1692,11 @@ const PerformanceEvents = {
|
|
|
1681
1692
|
StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
|
|
1682
1693
|
StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
|
|
1683
1694
|
StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
|
|
1684
|
-
StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
|
|
1685
1695
|
/**
|
|
1686
1696
|
* getAuthCodeUrl API (msal-browser and msal-node).
|
|
1687
1697
|
*/
|
|
1688
1698
|
GetAuthCodeUrl: "getAuthCodeUrl",
|
|
1699
|
+
GetStandardParams: "getStandardParams",
|
|
1689
1700
|
/**
|
|
1690
1701
|
* Functions from InteractionHandler (msal-browser)
|
|
1691
1702
|
*/
|
|
@@ -1698,7 +1709,6 @@ const PerformanceEvents = {
|
|
|
1698
1709
|
AuthClientAcquireToken: "authClientAcquireToken",
|
|
1699
1710
|
AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
|
|
1700
1711
|
AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
|
|
1701
|
-
AuthClientCreateQueryString: "authClientCreateQueryString",
|
|
1702
1712
|
/**
|
|
1703
1713
|
* Generate functions in PopTokenGenerator (msal-common)
|
|
1704
1714
|
*/
|
|
@@ -1869,10 +1879,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1869
1879
|
PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
|
|
1870
1880
|
"StdIntClientInitAuthReq",
|
|
1871
1881
|
],
|
|
1872
|
-
[
|
|
1873
|
-
PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
|
|
1874
|
-
"StdIntClientInitAuthCodeReq",
|
|
1875
|
-
],
|
|
1876
1882
|
[PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
|
|
1877
1883
|
[
|
|
1878
1884
|
PerformanceEvents.HandleCodeResponseFromServer,
|
|
@@ -1886,10 +1892,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1886
1892
|
PerformanceEvents.AuthClientCreateTokenRequestBody,
|
|
1887
1893
|
"AuthClientCreateTReqBody",
|
|
1888
1894
|
],
|
|
1889
|
-
[
|
|
1890
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
1891
|
-
"AuthClientCreateQueryStr",
|
|
1892
|
-
],
|
|
1893
1895
|
[PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
|
|
1894
1896
|
[PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
|
|
1895
1897
|
[PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
|
|
@@ -3563,7 +3565,8 @@ const LOGIN_HINT = "login_hint";
|
|
|
3563
3565
|
const DOMAIN_HINT = "domain_hint";
|
|
3564
3566
|
const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
3565
3567
|
const BROKER_CLIENT_ID = "brk_client_id";
|
|
3566
|
-
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
3568
|
+
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
3569
|
+
const INSTANCE_AWARE = "instance_aware";
|
|
3567
3570
|
|
|
3568
3571
|
var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
3569
3572
|
__proto__: null,
|
|
@@ -3591,6 +3594,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3591
3594
|
GRANT_TYPE: GRANT_TYPE,
|
|
3592
3595
|
ID_TOKEN: ID_TOKEN,
|
|
3593
3596
|
ID_TOKEN_HINT: ID_TOKEN_HINT,
|
|
3597
|
+
INSTANCE_AWARE: INSTANCE_AWARE,
|
|
3594
3598
|
LOGIN_HINT: LOGIN_HINT,
|
|
3595
3599
|
LOGOUT_HINT: LOGOUT_HINT,
|
|
3596
3600
|
NATIVE_BROKER: NATIVE_BROKER,
|
|
@@ -3852,7 +3856,7 @@ class Logger {
|
|
|
3852
3856
|
|
|
3853
3857
|
/* eslint-disable header/header */
|
|
3854
3858
|
const name = "@azure/msal-common";
|
|
3855
|
-
const version = "15.
|
|
3859
|
+
const version = "15.3.0";
|
|
3856
3860
|
|
|
3857
3861
|
/*
|
|
3858
3862
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5748,71 +5752,6 @@ const CcsCredentialType = {
|
|
|
5748
5752
|
UPN: "UPN",
|
|
5749
5753
|
};
|
|
5750
5754
|
|
|
5751
|
-
/*
|
|
5752
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5753
|
-
* Licensed under the MIT License.
|
|
5754
|
-
*/
|
|
5755
|
-
/**
|
|
5756
|
-
* Validates server consumable params from the "request" objects
|
|
5757
|
-
*/
|
|
5758
|
-
class RequestValidator {
|
|
5759
|
-
/**
|
|
5760
|
-
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
5761
|
-
* @param redirectUri
|
|
5762
|
-
*/
|
|
5763
|
-
static validateRedirectUri(redirectUri) {
|
|
5764
|
-
if (!redirectUri) {
|
|
5765
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
5766
|
-
}
|
|
5767
|
-
}
|
|
5768
|
-
/**
|
|
5769
|
-
* Utility to validate prompt sent by the user in the request
|
|
5770
|
-
* @param prompt
|
|
5771
|
-
*/
|
|
5772
|
-
static validatePrompt(prompt) {
|
|
5773
|
-
const promptValues = [];
|
|
5774
|
-
for (const value in PromptValue) {
|
|
5775
|
-
promptValues.push(PromptValue[value]);
|
|
5776
|
-
}
|
|
5777
|
-
if (promptValues.indexOf(prompt) < 0) {
|
|
5778
|
-
throw createClientConfigurationError(invalidPromptValue);
|
|
5779
|
-
}
|
|
5780
|
-
}
|
|
5781
|
-
static validateClaims(claims) {
|
|
5782
|
-
try {
|
|
5783
|
-
JSON.parse(claims);
|
|
5784
|
-
}
|
|
5785
|
-
catch (e) {
|
|
5786
|
-
throw createClientConfigurationError(invalidClaims);
|
|
5787
|
-
}
|
|
5788
|
-
}
|
|
5789
|
-
/**
|
|
5790
|
-
* Utility to validate code_challenge and code_challenge_method
|
|
5791
|
-
* @param codeChallenge
|
|
5792
|
-
* @param codeChallengeMethod
|
|
5793
|
-
*/
|
|
5794
|
-
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
5795
|
-
if (!codeChallenge || !codeChallengeMethod) {
|
|
5796
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
5797
|
-
}
|
|
5798
|
-
else {
|
|
5799
|
-
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
5800
|
-
}
|
|
5801
|
-
}
|
|
5802
|
-
/**
|
|
5803
|
-
* Utility to validate code_challenge_method
|
|
5804
|
-
* @param codeChallengeMethod
|
|
5805
|
-
*/
|
|
5806
|
-
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
5807
|
-
if ([
|
|
5808
|
-
CodeChallengeMethodValues.PLAIN,
|
|
5809
|
-
CodeChallengeMethodValues.S256,
|
|
5810
|
-
].indexOf(codeChallengeMethod) < 0) {
|
|
5811
|
-
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
5812
|
-
}
|
|
5813
|
-
}
|
|
5814
|
-
}
|
|
5815
|
-
|
|
5816
5755
|
/*
|
|
5817
5756
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5818
5757
|
* Licensed under the MIT License.
|
|
@@ -5829,396 +5768,433 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
|
|
|
5829
5768
|
}, correlationId);
|
|
5830
5769
|
}
|
|
5831
5770
|
}
|
|
5832
|
-
/**
|
|
5833
|
-
|
|
5834
|
-
|
|
5835
|
-
|
|
5836
|
-
|
|
5837
|
-
|
|
5838
|
-
|
|
5839
|
-
|
|
5840
|
-
|
|
5841
|
-
|
|
5842
|
-
|
|
5843
|
-
|
|
5844
|
-
|
|
5845
|
-
|
|
5846
|
-
|
|
5847
|
-
|
|
5848
|
-
|
|
5849
|
-
|
|
5850
|
-
|
|
5851
|
-
|
|
5852
|
-
|
|
5853
|
-
|
|
5854
|
-
|
|
5855
|
-
|
|
5856
|
-
|
|
5857
|
-
|
|
5858
|
-
|
|
5859
|
-
|
|
5860
|
-
|
|
5861
|
-
|
|
5862
|
-
|
|
5863
|
-
|
|
5864
|
-
|
|
5865
|
-
|
|
5866
|
-
|
|
5867
|
-
|
|
5868
|
-
|
|
5869
|
-
|
|
5870
|
-
|
|
5871
|
-
|
|
5872
|
-
|
|
5873
|
-
|
|
5874
|
-
|
|
5875
|
-
|
|
5876
|
-
|
|
5877
|
-
|
|
5878
|
-
|
|
5879
|
-
|
|
5880
|
-
|
|
5771
|
+
/**
|
|
5772
|
+
* add response_type = code
|
|
5773
|
+
*/
|
|
5774
|
+
function addResponseTypeCode(parameters) {
|
|
5775
|
+
parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
|
|
5776
|
+
}
|
|
5777
|
+
/**
|
|
5778
|
+
* add response_type = token id_token
|
|
5779
|
+
*/
|
|
5780
|
+
function addResponseTypeForTokenAndIdToken(parameters) {
|
|
5781
|
+
parameters.set(RESPONSE_TYPE, `${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`);
|
|
5782
|
+
}
|
|
5783
|
+
/**
|
|
5784
|
+
* add response_mode. defaults to query.
|
|
5785
|
+
* @param responseMode
|
|
5786
|
+
*/
|
|
5787
|
+
function addResponseMode(parameters, responseMode) {
|
|
5788
|
+
parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
|
|
5789
|
+
}
|
|
5790
|
+
/**
|
|
5791
|
+
* Add flag to indicate STS should attempt to use WAM if available
|
|
5792
|
+
*/
|
|
5793
|
+
function addNativeBroker(parameters) {
|
|
5794
|
+
parameters.set(NATIVE_BROKER, "1");
|
|
5795
|
+
}
|
|
5796
|
+
/**
|
|
5797
|
+
* add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
|
|
5798
|
+
* @param scopeSet
|
|
5799
|
+
* @param addOidcScopes
|
|
5800
|
+
*/
|
|
5801
|
+
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
5802
|
+
// Always add openid to the scopes when adding OIDC scopes
|
|
5803
|
+
if (addOidcScopes &&
|
|
5804
|
+
!defaultScopes.includes("openid") &&
|
|
5805
|
+
!scopes.includes("openid")) {
|
|
5806
|
+
defaultScopes.push("openid");
|
|
5807
|
+
}
|
|
5808
|
+
const requestScopes = addOidcScopes
|
|
5809
|
+
? [...(scopes || []), ...defaultScopes]
|
|
5810
|
+
: scopes || [];
|
|
5811
|
+
const scopeSet = new ScopeSet(requestScopes);
|
|
5812
|
+
parameters.set(SCOPE, scopeSet.printScopes());
|
|
5813
|
+
}
|
|
5814
|
+
/**
|
|
5815
|
+
* add clientId
|
|
5816
|
+
* @param clientId
|
|
5817
|
+
*/
|
|
5818
|
+
function addClientId(parameters, clientId) {
|
|
5819
|
+
parameters.set(CLIENT_ID, clientId);
|
|
5820
|
+
}
|
|
5821
|
+
/**
|
|
5822
|
+
* add redirect_uri
|
|
5823
|
+
* @param redirectUri
|
|
5824
|
+
*/
|
|
5825
|
+
function addRedirectUri(parameters, redirectUri) {
|
|
5826
|
+
parameters.set(REDIRECT_URI, redirectUri);
|
|
5827
|
+
}
|
|
5828
|
+
/**
|
|
5829
|
+
* add post logout redirectUri
|
|
5830
|
+
* @param redirectUri
|
|
5831
|
+
*/
|
|
5832
|
+
function addPostLogoutRedirectUri(parameters, redirectUri) {
|
|
5833
|
+
parameters.set(POST_LOGOUT_URI, redirectUri);
|
|
5834
|
+
}
|
|
5835
|
+
/**
|
|
5836
|
+
* add id_token_hint to logout request
|
|
5837
|
+
* @param idTokenHint
|
|
5838
|
+
*/
|
|
5839
|
+
function addIdTokenHint(parameters, idTokenHint) {
|
|
5840
|
+
parameters.set(ID_TOKEN_HINT, idTokenHint);
|
|
5841
|
+
}
|
|
5842
|
+
/**
|
|
5843
|
+
* add domain_hint
|
|
5844
|
+
* @param domainHint
|
|
5845
|
+
*/
|
|
5846
|
+
function addDomainHint(parameters, domainHint) {
|
|
5847
|
+
parameters.set(DOMAIN_HINT, domainHint);
|
|
5848
|
+
}
|
|
5849
|
+
/**
|
|
5850
|
+
* add login_hint
|
|
5851
|
+
* @param loginHint
|
|
5852
|
+
*/
|
|
5853
|
+
function addLoginHint(parameters, loginHint) {
|
|
5854
|
+
parameters.set(LOGIN_HINT, loginHint);
|
|
5855
|
+
}
|
|
5856
|
+
/**
|
|
5857
|
+
* Adds the CCS (Cache Credential Service) query parameter for login_hint
|
|
5858
|
+
* @param loginHint
|
|
5859
|
+
*/
|
|
5860
|
+
function addCcsUpn(parameters, loginHint) {
|
|
5861
|
+
parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
|
|
5862
|
+
}
|
|
5863
|
+
/**
|
|
5864
|
+
* Adds the CCS (Cache Credential Service) query parameter for account object
|
|
5865
|
+
* @param loginHint
|
|
5866
|
+
*/
|
|
5867
|
+
function addCcsOid(parameters, clientInfo) {
|
|
5868
|
+
parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
|
|
5869
|
+
}
|
|
5870
|
+
/**
|
|
5871
|
+
* add sid
|
|
5872
|
+
* @param sid
|
|
5873
|
+
*/
|
|
5874
|
+
function addSid(parameters, sid) {
|
|
5875
|
+
parameters.set(SID, sid);
|
|
5876
|
+
}
|
|
5877
|
+
/**
|
|
5878
|
+
* add claims
|
|
5879
|
+
* @param claims
|
|
5880
|
+
*/
|
|
5881
|
+
function addClaims(parameters, claims, clientCapabilities) {
|
|
5882
|
+
const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
|
|
5883
|
+
try {
|
|
5884
|
+
JSON.parse(mergedClaims);
|
|
5881
5885
|
}
|
|
5882
|
-
|
|
5883
|
-
|
|
5884
|
-
* @param clientId
|
|
5885
|
-
*/
|
|
5886
|
-
addClientId(clientId) {
|
|
5887
|
-
this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
|
|
5886
|
+
catch (e) {
|
|
5887
|
+
throw createClientConfigurationError(invalidClaims);
|
|
5888
5888
|
}
|
|
5889
|
-
|
|
5890
|
-
|
|
5891
|
-
|
|
5892
|
-
|
|
5893
|
-
|
|
5894
|
-
|
|
5895
|
-
|
|
5889
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
5890
|
+
}
|
|
5891
|
+
/**
|
|
5892
|
+
* add correlationId
|
|
5893
|
+
* @param correlationId
|
|
5894
|
+
*/
|
|
5895
|
+
function addCorrelationId(parameters, correlationId) {
|
|
5896
|
+
parameters.set(CLIENT_REQUEST_ID, correlationId);
|
|
5897
|
+
}
|
|
5898
|
+
/**
|
|
5899
|
+
* add library info query params
|
|
5900
|
+
* @param libraryInfo
|
|
5901
|
+
*/
|
|
5902
|
+
function addLibraryInfo(parameters, libraryInfo) {
|
|
5903
|
+
// Telemetry Info
|
|
5904
|
+
parameters.set(X_CLIENT_SKU, libraryInfo.sku);
|
|
5905
|
+
parameters.set(X_CLIENT_VER, libraryInfo.version);
|
|
5906
|
+
if (libraryInfo.os) {
|
|
5907
|
+
parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
5896
5908
|
}
|
|
5897
|
-
|
|
5898
|
-
|
|
5899
|
-
* @param redirectUri
|
|
5900
|
-
*/
|
|
5901
|
-
addPostLogoutRedirectUri(redirectUri) {
|
|
5902
|
-
RequestValidator.validateRedirectUri(redirectUri);
|
|
5903
|
-
this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
|
|
5909
|
+
if (libraryInfo.cpu) {
|
|
5910
|
+
parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
5904
5911
|
}
|
|
5905
|
-
|
|
5906
|
-
|
|
5907
|
-
|
|
5908
|
-
|
|
5909
|
-
|
|
5910
|
-
|
|
5912
|
+
}
|
|
5913
|
+
/**
|
|
5914
|
+
* Add client telemetry parameters
|
|
5915
|
+
* @param appTelemetry
|
|
5916
|
+
*/
|
|
5917
|
+
function addApplicationTelemetry(parameters, appTelemetry) {
|
|
5918
|
+
if (appTelemetry?.appName) {
|
|
5919
|
+
parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
5911
5920
|
}
|
|
5912
|
-
|
|
5913
|
-
|
|
5914
|
-
* @param domainHint
|
|
5915
|
-
*/
|
|
5916
|
-
addDomainHint(domainHint) {
|
|
5917
|
-
this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
|
|
5921
|
+
if (appTelemetry?.appVersion) {
|
|
5922
|
+
parameters.set(X_APP_VER, appTelemetry.appVersion);
|
|
5918
5923
|
}
|
|
5919
|
-
|
|
5920
|
-
|
|
5921
|
-
|
|
5922
|
-
|
|
5923
|
-
|
|
5924
|
-
|
|
5924
|
+
}
|
|
5925
|
+
/**
|
|
5926
|
+
* add prompt
|
|
5927
|
+
* @param prompt
|
|
5928
|
+
*/
|
|
5929
|
+
function addPrompt(parameters, prompt) {
|
|
5930
|
+
parameters.set(PROMPT, prompt);
|
|
5931
|
+
}
|
|
5932
|
+
/**
|
|
5933
|
+
* add state
|
|
5934
|
+
* @param state
|
|
5935
|
+
*/
|
|
5936
|
+
function addState(parameters, state) {
|
|
5937
|
+
if (state) {
|
|
5938
|
+
parameters.set(STATE, state);
|
|
5925
5939
|
}
|
|
5926
|
-
|
|
5927
|
-
|
|
5928
|
-
|
|
5929
|
-
|
|
5930
|
-
|
|
5931
|
-
|
|
5940
|
+
}
|
|
5941
|
+
/**
|
|
5942
|
+
* add nonce
|
|
5943
|
+
* @param nonce
|
|
5944
|
+
*/
|
|
5945
|
+
function addNonce(parameters, nonce) {
|
|
5946
|
+
parameters.set(NONCE, nonce);
|
|
5947
|
+
}
|
|
5948
|
+
/**
|
|
5949
|
+
* add code_challenge and code_challenge_method
|
|
5950
|
+
* - throw if either of them are not passed
|
|
5951
|
+
* @param codeChallenge
|
|
5952
|
+
* @param codeChallengeMethod
|
|
5953
|
+
*/
|
|
5954
|
+
function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
|
|
5955
|
+
if (codeChallenge && codeChallengeMethod) {
|
|
5956
|
+
parameters.set(CODE_CHALLENGE, codeChallenge);
|
|
5957
|
+
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
5932
5958
|
}
|
|
5933
|
-
|
|
5934
|
-
|
|
5935
|
-
* @param loginHint
|
|
5936
|
-
*/
|
|
5937
|
-
addCcsOid(clientInfo) {
|
|
5938
|
-
this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
|
|
5959
|
+
else {
|
|
5960
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
5939
5961
|
}
|
|
5940
|
-
|
|
5941
|
-
|
|
5942
|
-
|
|
5943
|
-
|
|
5944
|
-
|
|
5945
|
-
|
|
5962
|
+
}
|
|
5963
|
+
/**
|
|
5964
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
5965
|
+
* @param code
|
|
5966
|
+
*/
|
|
5967
|
+
function addAuthorizationCode(parameters, code) {
|
|
5968
|
+
parameters.set(CODE, code);
|
|
5969
|
+
}
|
|
5970
|
+
/**
|
|
5971
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
5972
|
+
* @param code
|
|
5973
|
+
*/
|
|
5974
|
+
function addDeviceCode(parameters, code) {
|
|
5975
|
+
parameters.set(DEVICE_CODE, code);
|
|
5976
|
+
}
|
|
5977
|
+
/**
|
|
5978
|
+
* add the `refreshToken` passed by the user
|
|
5979
|
+
* @param refreshToken
|
|
5980
|
+
*/
|
|
5981
|
+
function addRefreshToken(parameters, refreshToken) {
|
|
5982
|
+
parameters.set(REFRESH_TOKEN, refreshToken);
|
|
5983
|
+
}
|
|
5984
|
+
/**
|
|
5985
|
+
* add the `code_verifier` passed by the user to exchange for a token
|
|
5986
|
+
* @param codeVerifier
|
|
5987
|
+
*/
|
|
5988
|
+
function addCodeVerifier(parameters, codeVerifier) {
|
|
5989
|
+
parameters.set(CODE_VERIFIER, codeVerifier);
|
|
5990
|
+
}
|
|
5991
|
+
/**
|
|
5992
|
+
* add client_secret
|
|
5993
|
+
* @param clientSecret
|
|
5994
|
+
*/
|
|
5995
|
+
function addClientSecret(parameters, clientSecret) {
|
|
5996
|
+
parameters.set(CLIENT_SECRET, clientSecret);
|
|
5997
|
+
}
|
|
5998
|
+
/**
|
|
5999
|
+
* add clientAssertion for confidential client flows
|
|
6000
|
+
* @param clientAssertion
|
|
6001
|
+
*/
|
|
6002
|
+
function addClientAssertion(parameters, clientAssertion) {
|
|
6003
|
+
if (clientAssertion) {
|
|
6004
|
+
parameters.set(CLIENT_ASSERTION, clientAssertion);
|
|
5946
6005
|
}
|
|
5947
|
-
|
|
5948
|
-
|
|
5949
|
-
|
|
5950
|
-
|
|
5951
|
-
|
|
5952
|
-
|
|
5953
|
-
|
|
5954
|
-
|
|
6006
|
+
}
|
|
6007
|
+
/**
|
|
6008
|
+
* add clientAssertionType for confidential client flows
|
|
6009
|
+
* @param clientAssertionType
|
|
6010
|
+
*/
|
|
6011
|
+
function addClientAssertionType(parameters, clientAssertionType) {
|
|
6012
|
+
if (clientAssertionType) {
|
|
6013
|
+
parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
|
|
5955
6014
|
}
|
|
5956
|
-
|
|
5957
|
-
|
|
5958
|
-
|
|
5959
|
-
|
|
5960
|
-
|
|
5961
|
-
|
|
6015
|
+
}
|
|
6016
|
+
/**
|
|
6017
|
+
* add OBO assertion for confidential client flows
|
|
6018
|
+
* @param clientAssertion
|
|
6019
|
+
*/
|
|
6020
|
+
function addOboAssertion(parameters, oboAssertion) {
|
|
6021
|
+
parameters.set(OBO_ASSERTION, oboAssertion);
|
|
6022
|
+
}
|
|
6023
|
+
/**
|
|
6024
|
+
* add grant type
|
|
6025
|
+
* @param grantType
|
|
6026
|
+
*/
|
|
6027
|
+
function addRequestTokenUse(parameters, tokenUse) {
|
|
6028
|
+
parameters.set(REQUESTED_TOKEN_USE, tokenUse);
|
|
6029
|
+
}
|
|
6030
|
+
/**
|
|
6031
|
+
* add grant type
|
|
6032
|
+
* @param grantType
|
|
6033
|
+
*/
|
|
6034
|
+
function addGrantType(parameters, grantType) {
|
|
6035
|
+
parameters.set(GRANT_TYPE, grantType);
|
|
6036
|
+
}
|
|
6037
|
+
/**
|
|
6038
|
+
* add client info
|
|
6039
|
+
*
|
|
6040
|
+
*/
|
|
6041
|
+
function addClientInfo(parameters) {
|
|
6042
|
+
parameters.set(CLIENT_INFO$1, "1");
|
|
6043
|
+
}
|
|
6044
|
+
function addInstanceAware(parameters) {
|
|
6045
|
+
if (!parameters.has(INSTANCE_AWARE)) {
|
|
6046
|
+
parameters.set(INSTANCE_AWARE, "true");
|
|
5962
6047
|
}
|
|
5963
|
-
|
|
5964
|
-
|
|
5965
|
-
|
|
5966
|
-
|
|
5967
|
-
|
|
5968
|
-
|
|
5969
|
-
|
|
5970
|
-
|
|
5971
|
-
|
|
5972
|
-
this.parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
5973
|
-
}
|
|
5974
|
-
if (libraryInfo.cpu) {
|
|
5975
|
-
this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
6048
|
+
}
|
|
6049
|
+
/**
|
|
6050
|
+
* add extraQueryParams
|
|
6051
|
+
* @param eQParams
|
|
6052
|
+
*/
|
|
6053
|
+
function addExtraQueryParameters(parameters, eQParams) {
|
|
6054
|
+
Object.entries(eQParams).forEach(([key, value]) => {
|
|
6055
|
+
if (!parameters.has(key) && value) {
|
|
6056
|
+
parameters.set(key, value);
|
|
5976
6057
|
}
|
|
6058
|
+
});
|
|
6059
|
+
}
|
|
6060
|
+
function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
6061
|
+
let mergedClaims;
|
|
6062
|
+
// Parse provided claims into JSON object or initialize empty object
|
|
6063
|
+
if (!claims) {
|
|
6064
|
+
mergedClaims = {};
|
|
5977
6065
|
}
|
|
5978
|
-
|
|
5979
|
-
|
|
5980
|
-
|
|
5981
|
-
*/
|
|
5982
|
-
addApplicationTelemetry(appTelemetry) {
|
|
5983
|
-
if (appTelemetry?.appName) {
|
|
5984
|
-
this.parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
6066
|
+
else {
|
|
6067
|
+
try {
|
|
6068
|
+
mergedClaims = JSON.parse(claims);
|
|
5985
6069
|
}
|
|
5986
|
-
|
|
5987
|
-
|
|
6070
|
+
catch (e) {
|
|
6071
|
+
throw createClientConfigurationError(invalidClaims);
|
|
5988
6072
|
}
|
|
5989
6073
|
}
|
|
5990
|
-
|
|
5991
|
-
|
|
5992
|
-
|
|
5993
|
-
|
|
5994
|
-
addPrompt(prompt) {
|
|
5995
|
-
RequestValidator.validatePrompt(prompt);
|
|
5996
|
-
this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
|
|
5997
|
-
}
|
|
5998
|
-
/**
|
|
5999
|
-
* add state
|
|
6000
|
-
* @param state
|
|
6001
|
-
*/
|
|
6002
|
-
addState(state) {
|
|
6003
|
-
if (state) {
|
|
6004
|
-
this.parameters.set(STATE, encodeURIComponent(state));
|
|
6074
|
+
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
6075
|
+
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
6076
|
+
// Add access_token key to claims object
|
|
6077
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
6005
6078
|
}
|
|
6079
|
+
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
6080
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
|
|
6081
|
+
{
|
|
6082
|
+
values: clientCapabilities,
|
|
6083
|
+
};
|
|
6006
6084
|
}
|
|
6007
|
-
|
|
6008
|
-
|
|
6009
|
-
|
|
6010
|
-
|
|
6011
|
-
|
|
6012
|
-
|
|
6013
|
-
|
|
6014
|
-
|
|
6015
|
-
|
|
6016
|
-
|
|
6017
|
-
|
|
6018
|
-
|
|
6019
|
-
|
|
6020
|
-
|
|
6021
|
-
|
|
6022
|
-
|
|
6023
|
-
|
|
6024
|
-
|
|
6025
|
-
|
|
6026
|
-
|
|
6027
|
-
|
|
6028
|
-
|
|
6029
|
-
|
|
6030
|
-
|
|
6031
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
6032
|
-
* @param code
|
|
6033
|
-
*/
|
|
6034
|
-
addAuthorizationCode(code) {
|
|
6035
|
-
this.parameters.set(CODE, encodeURIComponent(code));
|
|
6036
|
-
}
|
|
6037
|
-
/**
|
|
6038
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
6039
|
-
* @param code
|
|
6040
|
-
*/
|
|
6041
|
-
addDeviceCode(code) {
|
|
6042
|
-
this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
|
|
6043
|
-
}
|
|
6044
|
-
/**
|
|
6045
|
-
* add the `refreshToken` passed by the user
|
|
6046
|
-
* @param refreshToken
|
|
6047
|
-
*/
|
|
6048
|
-
addRefreshToken(refreshToken) {
|
|
6049
|
-
this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
|
|
6050
|
-
}
|
|
6051
|
-
/**
|
|
6052
|
-
* add the `code_verifier` passed by the user to exchange for a token
|
|
6053
|
-
* @param codeVerifier
|
|
6054
|
-
*/
|
|
6055
|
-
addCodeVerifier(codeVerifier) {
|
|
6056
|
-
this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
|
|
6057
|
-
}
|
|
6058
|
-
/**
|
|
6059
|
-
* add client_secret
|
|
6060
|
-
* @param clientSecret
|
|
6061
|
-
*/
|
|
6062
|
-
addClientSecret(clientSecret) {
|
|
6063
|
-
this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
|
|
6064
|
-
}
|
|
6065
|
-
/**
|
|
6066
|
-
* add clientAssertion for confidential client flows
|
|
6067
|
-
* @param clientAssertion
|
|
6068
|
-
*/
|
|
6069
|
-
addClientAssertion(clientAssertion) {
|
|
6070
|
-
if (clientAssertion) {
|
|
6071
|
-
this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
|
|
6072
|
-
}
|
|
6073
|
-
}
|
|
6074
|
-
/**
|
|
6075
|
-
* add clientAssertionType for confidential client flows
|
|
6076
|
-
* @param clientAssertionType
|
|
6077
|
-
*/
|
|
6078
|
-
addClientAssertionType(clientAssertionType) {
|
|
6079
|
-
if (clientAssertionType) {
|
|
6080
|
-
this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
|
|
6081
|
-
}
|
|
6082
|
-
}
|
|
6083
|
-
/**
|
|
6084
|
-
* add OBO assertion for confidential client flows
|
|
6085
|
-
* @param clientAssertion
|
|
6086
|
-
*/
|
|
6087
|
-
addOboAssertion(oboAssertion) {
|
|
6088
|
-
this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
|
|
6089
|
-
}
|
|
6090
|
-
/**
|
|
6091
|
-
* add grant type
|
|
6092
|
-
* @param grantType
|
|
6093
|
-
*/
|
|
6094
|
-
addRequestTokenUse(tokenUse) {
|
|
6095
|
-
this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
|
|
6096
|
-
}
|
|
6097
|
-
/**
|
|
6098
|
-
* add grant type
|
|
6099
|
-
* @param grantType
|
|
6100
|
-
*/
|
|
6101
|
-
addGrantType(grantType) {
|
|
6102
|
-
this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
|
|
6103
|
-
}
|
|
6104
|
-
/**
|
|
6105
|
-
* add client info
|
|
6106
|
-
*
|
|
6107
|
-
*/
|
|
6108
|
-
addClientInfo() {
|
|
6109
|
-
this.parameters.set(CLIENT_INFO$1, "1");
|
|
6110
|
-
}
|
|
6111
|
-
/**
|
|
6112
|
-
* add extraQueryParams
|
|
6113
|
-
* @param eQParams
|
|
6114
|
-
*/
|
|
6115
|
-
addExtraQueryParameters(eQParams) {
|
|
6116
|
-
Object.entries(eQParams).forEach(([key, value]) => {
|
|
6117
|
-
if (!this.parameters.has(key) && value) {
|
|
6118
|
-
this.parameters.set(key, value);
|
|
6119
|
-
}
|
|
6120
|
-
});
|
|
6121
|
-
}
|
|
6122
|
-
addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
6123
|
-
let mergedClaims;
|
|
6124
|
-
// Parse provided claims into JSON object or initialize empty object
|
|
6125
|
-
if (!claims) {
|
|
6126
|
-
mergedClaims = {};
|
|
6127
|
-
}
|
|
6128
|
-
else {
|
|
6129
|
-
try {
|
|
6130
|
-
mergedClaims = JSON.parse(claims);
|
|
6131
|
-
}
|
|
6132
|
-
catch (e) {
|
|
6133
|
-
throw createClientConfigurationError(invalidClaims);
|
|
6134
|
-
}
|
|
6135
|
-
}
|
|
6136
|
-
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
6137
|
-
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
6138
|
-
// Add access_token key to claims object
|
|
6139
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
6140
|
-
}
|
|
6141
|
-
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
6142
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
|
|
6143
|
-
values: clientCapabilities,
|
|
6144
|
-
};
|
|
6145
|
-
}
|
|
6146
|
-
return JSON.stringify(mergedClaims);
|
|
6147
|
-
}
|
|
6148
|
-
/**
|
|
6149
|
-
* adds `username` for Password Grant flow
|
|
6150
|
-
* @param username
|
|
6151
|
-
*/
|
|
6152
|
-
addUsername(username) {
|
|
6153
|
-
this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
|
|
6154
|
-
}
|
|
6155
|
-
/**
|
|
6156
|
-
* adds `password` for Password Grant flow
|
|
6157
|
-
* @param password
|
|
6158
|
-
*/
|
|
6159
|
-
addPassword(password) {
|
|
6160
|
-
this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
|
|
6161
|
-
}
|
|
6162
|
-
/**
|
|
6163
|
-
* add pop_jwk to query params
|
|
6164
|
-
* @param cnfString
|
|
6165
|
-
*/
|
|
6166
|
-
addPopToken(cnfString) {
|
|
6167
|
-
if (cnfString) {
|
|
6168
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
6169
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
|
|
6170
|
-
}
|
|
6171
|
-
}
|
|
6172
|
-
/**
|
|
6173
|
-
* add SSH JWK and key ID to query params
|
|
6174
|
-
*/
|
|
6175
|
-
addSshJwk(sshJwkString) {
|
|
6176
|
-
if (sshJwkString) {
|
|
6177
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
6178
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
|
|
6179
|
-
}
|
|
6180
|
-
}
|
|
6181
|
-
/**
|
|
6182
|
-
* add server telemetry fields
|
|
6183
|
-
* @param serverTelemetryManager
|
|
6184
|
-
*/
|
|
6185
|
-
addServerTelemetry(serverTelemetryManager) {
|
|
6186
|
-
this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
6187
|
-
this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
6188
|
-
}
|
|
6189
|
-
/**
|
|
6190
|
-
* Adds parameter that indicates to the server that throttling is supported
|
|
6191
|
-
*/
|
|
6192
|
-
addThrottling() {
|
|
6193
|
-
this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
6085
|
+
return JSON.stringify(mergedClaims);
|
|
6086
|
+
}
|
|
6087
|
+
/**
|
|
6088
|
+
* adds `username` for Password Grant flow
|
|
6089
|
+
* @param username
|
|
6090
|
+
*/
|
|
6091
|
+
function addUsername(parameters, username) {
|
|
6092
|
+
parameters.set(PasswordGrantConstants.username, username);
|
|
6093
|
+
}
|
|
6094
|
+
/**
|
|
6095
|
+
* adds `password` for Password Grant flow
|
|
6096
|
+
* @param password
|
|
6097
|
+
*/
|
|
6098
|
+
function addPassword(parameters, password) {
|
|
6099
|
+
parameters.set(PasswordGrantConstants.password, password);
|
|
6100
|
+
}
|
|
6101
|
+
/**
|
|
6102
|
+
* add pop_jwk to query params
|
|
6103
|
+
* @param cnfString
|
|
6104
|
+
*/
|
|
6105
|
+
function addPopToken(parameters, cnfString) {
|
|
6106
|
+
if (cnfString) {
|
|
6107
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
6108
|
+
parameters.set(REQ_CNF, cnfString);
|
|
6194
6109
|
}
|
|
6195
|
-
|
|
6196
|
-
|
|
6197
|
-
|
|
6198
|
-
|
|
6199
|
-
|
|
6110
|
+
}
|
|
6111
|
+
/**
|
|
6112
|
+
* add SSH JWK and key ID to query params
|
|
6113
|
+
*/
|
|
6114
|
+
function addSshJwk(parameters, sshJwkString) {
|
|
6115
|
+
if (sshJwkString) {
|
|
6116
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
6117
|
+
parameters.set(REQ_CNF, sshJwkString);
|
|
6200
6118
|
}
|
|
6201
|
-
|
|
6202
|
-
|
|
6203
|
-
|
|
6204
|
-
|
|
6205
|
-
|
|
6206
|
-
|
|
6207
|
-
|
|
6119
|
+
}
|
|
6120
|
+
/**
|
|
6121
|
+
* add server telemetry fields
|
|
6122
|
+
* @param serverTelemetryManager
|
|
6123
|
+
*/
|
|
6124
|
+
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
6125
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
6126
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
6127
|
+
}
|
|
6128
|
+
/**
|
|
6129
|
+
* Adds parameter that indicates to the server that throttling is supported
|
|
6130
|
+
*/
|
|
6131
|
+
function addThrottling(parameters) {
|
|
6132
|
+
parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
6133
|
+
}
|
|
6134
|
+
/**
|
|
6135
|
+
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
6136
|
+
*/
|
|
6137
|
+
function addLogoutHint(parameters, logoutHint) {
|
|
6138
|
+
parameters.set(LOGOUT_HINT, logoutHint);
|
|
6139
|
+
}
|
|
6140
|
+
function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
|
|
6141
|
+
if (!parameters.has(BROKER_CLIENT_ID)) {
|
|
6142
|
+
parameters.set(BROKER_CLIENT_ID, brokerClientId);
|
|
6208
6143
|
}
|
|
6209
|
-
|
|
6210
|
-
|
|
6211
|
-
*/
|
|
6212
|
-
createQueryString() {
|
|
6213
|
-
const queryParameterArray = new Array();
|
|
6214
|
-
this.parameters.forEach((value, key) => {
|
|
6215
|
-
queryParameterArray.push(`${key}=${value}`);
|
|
6216
|
-
});
|
|
6217
|
-
instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
|
|
6218
|
-
return queryParameterArray.join("&");
|
|
6144
|
+
if (!parameters.has(BROKER_REDIRECT_URI)) {
|
|
6145
|
+
parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
|
|
6219
6146
|
}
|
|
6220
6147
|
}
|
|
6221
6148
|
|
|
6149
|
+
var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
6150
|
+
__proto__: null,
|
|
6151
|
+
addApplicationTelemetry: addApplicationTelemetry,
|
|
6152
|
+
addAuthorizationCode: addAuthorizationCode,
|
|
6153
|
+
addBrokerParameters: addBrokerParameters,
|
|
6154
|
+
addCcsOid: addCcsOid,
|
|
6155
|
+
addCcsUpn: addCcsUpn,
|
|
6156
|
+
addClaims: addClaims,
|
|
6157
|
+
addClientAssertion: addClientAssertion,
|
|
6158
|
+
addClientAssertionType: addClientAssertionType,
|
|
6159
|
+
addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
|
|
6160
|
+
addClientId: addClientId,
|
|
6161
|
+
addClientInfo: addClientInfo,
|
|
6162
|
+
addClientSecret: addClientSecret,
|
|
6163
|
+
addCodeChallengeParams: addCodeChallengeParams,
|
|
6164
|
+
addCodeVerifier: addCodeVerifier,
|
|
6165
|
+
addCorrelationId: addCorrelationId,
|
|
6166
|
+
addDeviceCode: addDeviceCode,
|
|
6167
|
+
addDomainHint: addDomainHint,
|
|
6168
|
+
addExtraQueryParameters: addExtraQueryParameters,
|
|
6169
|
+
addGrantType: addGrantType,
|
|
6170
|
+
addIdTokenHint: addIdTokenHint,
|
|
6171
|
+
addInstanceAware: addInstanceAware,
|
|
6172
|
+
addLibraryInfo: addLibraryInfo,
|
|
6173
|
+
addLoginHint: addLoginHint,
|
|
6174
|
+
addLogoutHint: addLogoutHint,
|
|
6175
|
+
addNativeBroker: addNativeBroker,
|
|
6176
|
+
addNonce: addNonce,
|
|
6177
|
+
addOboAssertion: addOboAssertion,
|
|
6178
|
+
addPassword: addPassword,
|
|
6179
|
+
addPopToken: addPopToken,
|
|
6180
|
+
addPostLogoutRedirectUri: addPostLogoutRedirectUri,
|
|
6181
|
+
addPrompt: addPrompt,
|
|
6182
|
+
addRedirectUri: addRedirectUri,
|
|
6183
|
+
addRefreshToken: addRefreshToken,
|
|
6184
|
+
addRequestTokenUse: addRequestTokenUse,
|
|
6185
|
+
addResponseMode: addResponseMode,
|
|
6186
|
+
addResponseTypeCode: addResponseTypeCode,
|
|
6187
|
+
addResponseTypeForTokenAndIdToken: addResponseTypeForTokenAndIdToken,
|
|
6188
|
+
addScopes: addScopes,
|
|
6189
|
+
addServerTelemetry: addServerTelemetry,
|
|
6190
|
+
addSid: addSid,
|
|
6191
|
+
addSshJwk: addSshJwk,
|
|
6192
|
+
addState: addState,
|
|
6193
|
+
addThrottling: addThrottling,
|
|
6194
|
+
addUsername: addUsername,
|
|
6195
|
+
instrumentBrokerParams: instrumentBrokerParams
|
|
6196
|
+
});
|
|
6197
|
+
|
|
6222
6198
|
/*
|
|
6223
6199
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6224
6200
|
* Licensed under the MIT License.
|
|
@@ -6502,18 +6478,16 @@ class BaseClient {
|
|
|
6502
6478
|
* @param request
|
|
6503
6479
|
*/
|
|
6504
6480
|
createTokenQueryParameters(request) {
|
|
6505
|
-
const
|
|
6481
|
+
const parameters = new Map();
|
|
6506
6482
|
if (request.embeddedClientId) {
|
|
6507
|
-
|
|
6508
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
6509
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
6510
|
-
});
|
|
6483
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6511
6484
|
}
|
|
6512
6485
|
if (request.tokenQueryParameters) {
|
|
6513
|
-
|
|
6486
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6514
6487
|
}
|
|
6515
|
-
|
|
6516
|
-
|
|
6488
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6489
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6490
|
+
return mapToQueryString(parameters);
|
|
6517
6491
|
}
|
|
6518
6492
|
}
|
|
6519
6493
|
|
|
@@ -6810,13 +6784,6 @@ class PopTokenGenerator {
|
|
|
6810
6784
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6811
6785
|
* Licensed under the MIT License.
|
|
6812
6786
|
*/
|
|
6813
|
-
function parseServerErrorNo(serverResponse) {
|
|
6814
|
-
const errorCodePrefix = "code=";
|
|
6815
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
6816
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
6817
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
6818
|
-
: undefined;
|
|
6819
|
-
}
|
|
6820
6787
|
/**
|
|
6821
6788
|
* Class that handles response parsing.
|
|
6822
6789
|
* @internal
|
|
@@ -6831,46 +6798,6 @@ class ResponseHandler {
|
|
|
6831
6798
|
this.persistencePlugin = persistencePlugin;
|
|
6832
6799
|
this.performanceClient = performanceClient;
|
|
6833
6800
|
}
|
|
6834
|
-
/**
|
|
6835
|
-
* Function which validates server authorization code response.
|
|
6836
|
-
* @param serverResponseHash
|
|
6837
|
-
* @param requestState
|
|
6838
|
-
* @param cryptoObj
|
|
6839
|
-
*/
|
|
6840
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
6841
|
-
if (!serverResponse.state || !requestState) {
|
|
6842
|
-
throw serverResponse.state
|
|
6843
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6844
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
6845
|
-
}
|
|
6846
|
-
let decodedServerResponseState;
|
|
6847
|
-
let decodedRequestState;
|
|
6848
|
-
try {
|
|
6849
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6850
|
-
}
|
|
6851
|
-
catch (e) {
|
|
6852
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6853
|
-
}
|
|
6854
|
-
try {
|
|
6855
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
6856
|
-
}
|
|
6857
|
-
catch (e) {
|
|
6858
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6859
|
-
}
|
|
6860
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
6861
|
-
throw createClientAuthError(stateMismatch);
|
|
6862
|
-
}
|
|
6863
|
-
// Check for error
|
|
6864
|
-
if (serverResponse.error ||
|
|
6865
|
-
serverResponse.error_description ||
|
|
6866
|
-
serverResponse.suberror) {
|
|
6867
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
6868
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6869
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6870
|
-
}
|
|
6871
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
6872
|
-
}
|
|
6873
|
-
}
|
|
6874
6801
|
/**
|
|
6875
6802
|
* Function which validates server authorization token response.
|
|
6876
6803
|
* @param serverResponse
|
|
@@ -7182,6 +7109,71 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
7182
7109
|
return baseAccount;
|
|
7183
7110
|
}
|
|
7184
7111
|
|
|
7112
|
+
/*
|
|
7113
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7114
|
+
* Licensed under the MIT License.
|
|
7115
|
+
*/
|
|
7116
|
+
/**
|
|
7117
|
+
* Validates server consumable params from the "request" objects
|
|
7118
|
+
*/
|
|
7119
|
+
class RequestValidator {
|
|
7120
|
+
/**
|
|
7121
|
+
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
7122
|
+
* @param redirectUri
|
|
7123
|
+
*/
|
|
7124
|
+
static validateRedirectUri(redirectUri) {
|
|
7125
|
+
if (!redirectUri) {
|
|
7126
|
+
throw createClientConfigurationError(redirectUriEmpty);
|
|
7127
|
+
}
|
|
7128
|
+
}
|
|
7129
|
+
/**
|
|
7130
|
+
* Utility to validate prompt sent by the user in the request
|
|
7131
|
+
* @param prompt
|
|
7132
|
+
*/
|
|
7133
|
+
static validatePrompt(prompt) {
|
|
7134
|
+
const promptValues = [];
|
|
7135
|
+
for (const value in PromptValue) {
|
|
7136
|
+
promptValues.push(PromptValue[value]);
|
|
7137
|
+
}
|
|
7138
|
+
if (promptValues.indexOf(prompt) < 0) {
|
|
7139
|
+
throw createClientConfigurationError(invalidPromptValue);
|
|
7140
|
+
}
|
|
7141
|
+
}
|
|
7142
|
+
static validateClaims(claims) {
|
|
7143
|
+
try {
|
|
7144
|
+
JSON.parse(claims);
|
|
7145
|
+
}
|
|
7146
|
+
catch (e) {
|
|
7147
|
+
throw createClientConfigurationError(invalidClaims);
|
|
7148
|
+
}
|
|
7149
|
+
}
|
|
7150
|
+
/**
|
|
7151
|
+
* Utility to validate code_challenge and code_challenge_method
|
|
7152
|
+
* @param codeChallenge
|
|
7153
|
+
* @param codeChallengeMethod
|
|
7154
|
+
*/
|
|
7155
|
+
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
7156
|
+
if (!codeChallenge || !codeChallengeMethod) {
|
|
7157
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
7158
|
+
}
|
|
7159
|
+
else {
|
|
7160
|
+
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
7161
|
+
}
|
|
7162
|
+
}
|
|
7163
|
+
/**
|
|
7164
|
+
* Utility to validate code_challenge_method
|
|
7165
|
+
* @param codeChallengeMethod
|
|
7166
|
+
*/
|
|
7167
|
+
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
7168
|
+
if ([
|
|
7169
|
+
CodeChallengeMethodValues.PLAIN,
|
|
7170
|
+
CodeChallengeMethodValues.S256,
|
|
7171
|
+
].indexOf(codeChallengeMethod) < 0) {
|
|
7172
|
+
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
7173
|
+
}
|
|
7174
|
+
}
|
|
7175
|
+
}
|
|
7176
|
+
|
|
7185
7177
|
/*
|
|
7186
7178
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7187
7179
|
* Licensed under the MIT License.
|
|
@@ -7220,21 +7212,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7220
7212
|
this.oidcDefaultScopes =
|
|
7221
7213
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
7222
7214
|
}
|
|
7223
|
-
/**
|
|
7224
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
7225
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
7226
|
-
* application object.
|
|
7227
|
-
*
|
|
7228
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
7229
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
7230
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
7231
|
-
* @param request
|
|
7232
|
-
*/
|
|
7233
|
-
async getAuthCodeUrl(request) {
|
|
7234
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
7235
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7236
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
7237
|
-
}
|
|
7238
7215
|
/**
|
|
7239
7216
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
7240
7217
|
* authorization_code_grant
|
|
@@ -7254,22 +7231,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7254
7231
|
responseHandler.validateTokenResponse(response.body);
|
|
7255
7232
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
7256
7233
|
}
|
|
7257
|
-
/**
|
|
7258
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7259
|
-
* the client to exchange for a token in acquireToken.
|
|
7260
|
-
* @param hashFragment
|
|
7261
|
-
*/
|
|
7262
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
7263
|
-
// Handle responses.
|
|
7264
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
7265
|
-
// Get code response
|
|
7266
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
7267
|
-
// throw when there is no auth code in the response
|
|
7268
|
-
if (!serverParams.code) {
|
|
7269
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7270
|
-
}
|
|
7271
|
-
return serverParams;
|
|
7272
|
-
}
|
|
7273
7234
|
/**
|
|
7274
7235
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
7275
7236
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -7317,8 +7278,8 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7317
7278
|
*/
|
|
7318
7279
|
async createTokenRequestBody(request) {
|
|
7319
7280
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
7320
|
-
const
|
|
7321
|
-
|
|
7281
|
+
const parameters = new Map();
|
|
7282
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7322
7283
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7323
7284
|
this.config.authOptions.clientId);
|
|
7324
7285
|
/*
|
|
@@ -7331,33 +7292,33 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7331
7292
|
}
|
|
7332
7293
|
else {
|
|
7333
7294
|
// Validate and include redirect uri
|
|
7334
|
-
|
|
7295
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7335
7296
|
}
|
|
7336
7297
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
7337
|
-
|
|
7298
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
7338
7299
|
// add code: user set, not validated
|
|
7339
|
-
|
|
7300
|
+
addAuthorizationCode(parameters, request.code);
|
|
7340
7301
|
// Add library metadata
|
|
7341
|
-
|
|
7342
|
-
|
|
7343
|
-
|
|
7302
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7303
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7304
|
+
addThrottling(parameters);
|
|
7344
7305
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7345
|
-
|
|
7306
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7346
7307
|
}
|
|
7347
7308
|
// add code_verifier if passed
|
|
7348
7309
|
if (request.codeVerifier) {
|
|
7349
|
-
|
|
7310
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
7350
7311
|
}
|
|
7351
7312
|
if (this.config.clientCredentials.clientSecret) {
|
|
7352
|
-
|
|
7313
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7353
7314
|
}
|
|
7354
7315
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7355
7316
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7356
|
-
|
|
7357
|
-
|
|
7317
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7318
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7358
7319
|
}
|
|
7359
|
-
|
|
7360
|
-
|
|
7320
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
7321
|
+
addClientInfo(parameters);
|
|
7361
7322
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7362
7323
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
7363
7324
|
let reqCnfData;
|
|
@@ -7369,11 +7330,11 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7369
7330
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7370
7331
|
}
|
|
7371
7332
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7372
|
-
|
|
7333
|
+
addPopToken(parameters, reqCnfData);
|
|
7373
7334
|
}
|
|
7374
7335
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7375
7336
|
if (request.sshJwk) {
|
|
7376
|
-
|
|
7337
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7377
7338
|
}
|
|
7378
7339
|
else {
|
|
7379
7340
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7382,7 +7343,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7382
7343
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7383
7344
|
(this.config.authOptions.clientCapabilities &&
|
|
7384
7345
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7385
|
-
|
|
7346
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7386
7347
|
}
|
|
7387
7348
|
let ccsCred = undefined;
|
|
7388
7349
|
if (request.clientInfo) {
|
|
@@ -7406,7 +7367,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7406
7367
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7407
7368
|
try {
|
|
7408
7369
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
7409
|
-
|
|
7370
|
+
addCcsOid(parameters, clientInfo);
|
|
7410
7371
|
}
|
|
7411
7372
|
catch (e) {
|
|
7412
7373
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7414,230 +7375,55 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7414
7375
|
}
|
|
7415
7376
|
break;
|
|
7416
7377
|
case CcsCredentialType.UPN:
|
|
7417
|
-
|
|
7378
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
7418
7379
|
break;
|
|
7419
7380
|
}
|
|
7420
7381
|
}
|
|
7421
7382
|
if (request.embeddedClientId) {
|
|
7422
|
-
|
|
7423
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7424
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7425
|
-
});
|
|
7383
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7426
7384
|
}
|
|
7427
7385
|
if (request.tokenBodyParameters) {
|
|
7428
|
-
|
|
7386
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7429
7387
|
}
|
|
7430
7388
|
// Add hybrid spa parameters if not already provided
|
|
7431
7389
|
if (request.enableSpaAuthorizationCode &&
|
|
7432
7390
|
(!request.tokenBodyParameters ||
|
|
7433
7391
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
7434
|
-
|
|
7392
|
+
addExtraQueryParameters(parameters, {
|
|
7435
7393
|
[RETURN_SPA_CODE]: "1",
|
|
7436
7394
|
});
|
|
7437
7395
|
}
|
|
7438
|
-
|
|
7439
|
-
|
|
7440
|
-
/**
|
|
7441
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
7442
|
-
* @param request
|
|
7443
|
-
*/
|
|
7444
|
-
async createAuthCodeUrlQueryString(request) {
|
|
7445
|
-
// generate the correlationId if not set by the user and add
|
|
7446
|
-
const correlationId = request.correlationId ||
|
|
7447
|
-
this.config.cryptoInterface.createNewGuid();
|
|
7448
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
7449
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
7450
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7451
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7452
|
-
this.config.authOptions.clientId);
|
|
7453
|
-
const requestScopes = [
|
|
7454
|
-
...(request.scopes || []),
|
|
7455
|
-
...(request.extraScopesToConsent || []),
|
|
7456
|
-
];
|
|
7457
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
7458
|
-
// validate the redirectUri (to be a non null value)
|
|
7459
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
7460
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
7461
|
-
// add response_mode. If not passed in it defaults to query.
|
|
7462
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
7463
|
-
// add response_type = code
|
|
7464
|
-
parameterBuilder.addResponseTypeCode();
|
|
7465
|
-
// add library info parameters
|
|
7466
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
7467
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
7468
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
7469
|
-
}
|
|
7470
|
-
// add client_info=1
|
|
7471
|
-
parameterBuilder.addClientInfo();
|
|
7472
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
7473
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
7474
|
-
}
|
|
7475
|
-
if (request.prompt) {
|
|
7476
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
7477
|
-
}
|
|
7478
|
-
if (request.domainHint) {
|
|
7479
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
7480
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7481
|
-
}
|
|
7482
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7483
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7484
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7485
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7486
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7487
|
-
// SessionID is only used in silent calls
|
|
7488
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7489
|
-
parameterBuilder.addSid(request.sid);
|
|
7490
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7491
|
-
}
|
|
7492
|
-
else if (request.account) {
|
|
7493
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
7494
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
7495
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
7496
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7497
|
-
accountLoginHintClaim = null;
|
|
7498
|
-
}
|
|
7499
|
-
// If login_hint claim is present, use it over sid/username
|
|
7500
|
-
if (accountLoginHintClaim) {
|
|
7501
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7502
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
7503
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7504
|
-
try {
|
|
7505
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7506
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7507
|
-
}
|
|
7508
|
-
catch (e) {
|
|
7509
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7510
|
-
}
|
|
7511
|
-
}
|
|
7512
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7513
|
-
/*
|
|
7514
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7515
|
-
* SessionId is only used in silent calls
|
|
7516
|
-
*/
|
|
7517
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7518
|
-
parameterBuilder.addSid(accountSid);
|
|
7519
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7520
|
-
try {
|
|
7521
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7522
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7523
|
-
}
|
|
7524
|
-
catch (e) {
|
|
7525
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7526
|
-
}
|
|
7527
|
-
}
|
|
7528
|
-
else if (request.loginHint) {
|
|
7529
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7530
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7531
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7532
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7533
|
-
}
|
|
7534
|
-
else if (request.account.username) {
|
|
7535
|
-
// Fallback to account username if provided
|
|
7536
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7537
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
7538
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7539
|
-
try {
|
|
7540
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7541
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7542
|
-
}
|
|
7543
|
-
catch (e) {
|
|
7544
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7545
|
-
}
|
|
7546
|
-
}
|
|
7547
|
-
}
|
|
7548
|
-
else if (request.loginHint) {
|
|
7549
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7550
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7551
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7552
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7553
|
-
}
|
|
7554
|
-
}
|
|
7555
|
-
else {
|
|
7556
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7557
|
-
}
|
|
7558
|
-
if (request.nonce) {
|
|
7559
|
-
parameterBuilder.addNonce(request.nonce);
|
|
7560
|
-
}
|
|
7561
|
-
if (request.state) {
|
|
7562
|
-
parameterBuilder.addState(request.state);
|
|
7563
|
-
}
|
|
7564
|
-
if (request.claims ||
|
|
7565
|
-
(this.config.authOptions.clientCapabilities &&
|
|
7566
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7567
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
7568
|
-
}
|
|
7569
|
-
if (request.embeddedClientId) {
|
|
7570
|
-
parameterBuilder.addBrokerParameters({
|
|
7571
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7572
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7573
|
-
});
|
|
7574
|
-
}
|
|
7575
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7576
|
-
if (request.platformBroker) {
|
|
7577
|
-
// signal ests that this is a WAM call
|
|
7578
|
-
parameterBuilder.addNativeBroker();
|
|
7579
|
-
// pass the req_cnf for POP
|
|
7580
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7581
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
7582
|
-
// req_cnf is always sent as a string for SPAs
|
|
7583
|
-
let reqCnfData;
|
|
7584
|
-
if (!request.popKid) {
|
|
7585
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
7586
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
7587
|
-
}
|
|
7588
|
-
else {
|
|
7589
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7590
|
-
}
|
|
7591
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
7592
|
-
}
|
|
7593
|
-
}
|
|
7594
|
-
return parameterBuilder.createQueryString();
|
|
7396
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7397
|
+
return mapToQueryString(parameters);
|
|
7595
7398
|
}
|
|
7596
7399
|
/**
|
|
7597
7400
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
7598
7401
|
* @param request
|
|
7599
7402
|
*/
|
|
7600
7403
|
createLogoutUrlQueryString(request) {
|
|
7601
|
-
const
|
|
7404
|
+
const parameters = new Map();
|
|
7602
7405
|
if (request.postLogoutRedirectUri) {
|
|
7603
|
-
|
|
7406
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
7604
7407
|
}
|
|
7605
7408
|
if (request.correlationId) {
|
|
7606
|
-
|
|
7409
|
+
addCorrelationId(parameters, request.correlationId);
|
|
7607
7410
|
}
|
|
7608
7411
|
if (request.idTokenHint) {
|
|
7609
|
-
|
|
7412
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
7610
7413
|
}
|
|
7611
7414
|
if (request.state) {
|
|
7612
|
-
|
|
7415
|
+
addState(parameters, request.state);
|
|
7613
7416
|
}
|
|
7614
7417
|
if (request.logoutHint) {
|
|
7615
|
-
|
|
7616
|
-
}
|
|
7617
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7618
|
-
return parameterBuilder.createQueryString();
|
|
7619
|
-
}
|
|
7620
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
7621
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
7622
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
7623
|
-
// Set instance_aware flag if config auth param is set
|
|
7624
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
7625
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
7626
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
7418
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
7627
7419
|
}
|
|
7628
7420
|
if (request.extraQueryParameters) {
|
|
7629
|
-
|
|
7421
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7630
7422
|
}
|
|
7631
|
-
|
|
7632
|
-
|
|
7633
|
-
|
|
7634
|
-
|
|
7635
|
-
*/
|
|
7636
|
-
extractAccountSid(account) {
|
|
7637
|
-
return account.idTokenClaims?.sid || null;
|
|
7638
|
-
}
|
|
7639
|
-
extractLoginHint(account) {
|
|
7640
|
-
return account.idTokenClaims?.login_hint || null;
|
|
7423
|
+
if (this.config.authOptions.instanceAware) {
|
|
7424
|
+
addInstanceAware(parameters);
|
|
7425
|
+
}
|
|
7426
|
+
return mapToQueryString(parameters);
|
|
7641
7427
|
}
|
|
7642
7428
|
}
|
|
7643
7429
|
|
|
@@ -7768,31 +7554,30 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7768
7554
|
*/
|
|
7769
7555
|
async createTokenRequestBody(request) {
|
|
7770
7556
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
7771
|
-
const
|
|
7772
|
-
|
|
7773
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7557
|
+
const parameters = new Map();
|
|
7558
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7774
7559
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7775
7560
|
this.config.authOptions.clientId);
|
|
7776
7561
|
if (request.redirectUri) {
|
|
7777
|
-
|
|
7778
|
-
}
|
|
7779
|
-
|
|
7780
|
-
|
|
7781
|
-
|
|
7782
|
-
|
|
7783
|
-
|
|
7784
|
-
|
|
7562
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7563
|
+
}
|
|
7564
|
+
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7565
|
+
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7566
|
+
addClientInfo(parameters);
|
|
7567
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7568
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7569
|
+
addThrottling(parameters);
|
|
7785
7570
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7786
|
-
|
|
7571
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7787
7572
|
}
|
|
7788
|
-
|
|
7573
|
+
addRefreshToken(parameters, request.refreshToken);
|
|
7789
7574
|
if (this.config.clientCredentials.clientSecret) {
|
|
7790
|
-
|
|
7575
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7791
7576
|
}
|
|
7792
7577
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7793
7578
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7794
|
-
|
|
7795
|
-
|
|
7579
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7580
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7796
7581
|
}
|
|
7797
7582
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7798
7583
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
@@ -7805,11 +7590,11 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7805
7590
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7806
7591
|
}
|
|
7807
7592
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7808
|
-
|
|
7593
|
+
addPopToken(parameters, reqCnfData);
|
|
7809
7594
|
}
|
|
7810
7595
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7811
7596
|
if (request.sshJwk) {
|
|
7812
|
-
|
|
7597
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7813
7598
|
}
|
|
7814
7599
|
else {
|
|
7815
7600
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7818,7 +7603,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7818
7603
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7819
7604
|
(this.config.authOptions.clientCapabilities &&
|
|
7820
7605
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7821
|
-
|
|
7606
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7822
7607
|
}
|
|
7823
7608
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
7824
7609
|
request.ccsCredential) {
|
|
@@ -7826,7 +7611,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7826
7611
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7827
7612
|
try {
|
|
7828
7613
|
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
7829
|
-
|
|
7614
|
+
addCcsOid(parameters, clientInfo);
|
|
7830
7615
|
}
|
|
7831
7616
|
catch (e) {
|
|
7832
7617
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7834,20 +7619,18 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7834
7619
|
}
|
|
7835
7620
|
break;
|
|
7836
7621
|
case CcsCredentialType.UPN:
|
|
7837
|
-
|
|
7622
|
+
addCcsUpn(parameters, request.ccsCredential.credential);
|
|
7838
7623
|
break;
|
|
7839
7624
|
}
|
|
7840
7625
|
}
|
|
7841
7626
|
if (request.embeddedClientId) {
|
|
7842
|
-
|
|
7843
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7844
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7845
|
-
});
|
|
7627
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7846
7628
|
}
|
|
7847
7629
|
if (request.tokenBodyParameters) {
|
|
7848
|
-
|
|
7630
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7849
7631
|
}
|
|
7850
|
-
|
|
7632
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7633
|
+
return mapToQueryString(parameters);
|
|
7851
7634
|
}
|
|
7852
7635
|
}
|
|
7853
7636
|
|
|
@@ -7960,6 +7743,236 @@ const StubbedNetworkModule = {
|
|
|
7960
7743
|
},
|
|
7961
7744
|
};
|
|
7962
7745
|
|
|
7746
|
+
/*
|
|
7747
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7748
|
+
* Licensed under the MIT License.
|
|
7749
|
+
*/
|
|
7750
|
+
/**
|
|
7751
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
7752
|
+
* @param config
|
|
7753
|
+
* @param request
|
|
7754
|
+
* @param logger
|
|
7755
|
+
* @param performanceClient
|
|
7756
|
+
* @returns
|
|
7757
|
+
*/
|
|
7758
|
+
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7759
|
+
// generate the correlationId if not set by the user and add
|
|
7760
|
+
const correlationId = request.correlationId;
|
|
7761
|
+
const parameters = new Map();
|
|
7762
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7763
|
+
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7764
|
+
authOptions.clientId);
|
|
7765
|
+
const requestScopes = [
|
|
7766
|
+
...(request.scopes || []),
|
|
7767
|
+
...(request.extraScopesToConsent || []),
|
|
7768
|
+
];
|
|
7769
|
+
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7770
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7771
|
+
addCorrelationId(parameters, correlationId);
|
|
7772
|
+
// add response_mode. If not passed in it defaults to query.
|
|
7773
|
+
addResponseMode(parameters, request.responseMode);
|
|
7774
|
+
// add client_info=1
|
|
7775
|
+
addClientInfo(parameters);
|
|
7776
|
+
if (request.prompt) {
|
|
7777
|
+
addPrompt(parameters, request.prompt);
|
|
7778
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7779
|
+
}
|
|
7780
|
+
if (request.domainHint) {
|
|
7781
|
+
addDomainHint(parameters, request.domainHint);
|
|
7782
|
+
performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7783
|
+
}
|
|
7784
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7785
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7786
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7787
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7788
|
+
// SessionID is only used in silent calls
|
|
7789
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7790
|
+
addSid(parameters, request.sid);
|
|
7791
|
+
performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7792
|
+
}
|
|
7793
|
+
else if (request.account) {
|
|
7794
|
+
const accountSid = extractAccountSid(request.account);
|
|
7795
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
7796
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
7797
|
+
logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7798
|
+
accountLoginHintClaim = null;
|
|
7799
|
+
}
|
|
7800
|
+
// If login_hint claim is present, use it over sid/username
|
|
7801
|
+
if (accountLoginHintClaim) {
|
|
7802
|
+
logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7803
|
+
addLoginHint(parameters, accountLoginHintClaim);
|
|
7804
|
+
performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7805
|
+
try {
|
|
7806
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7807
|
+
addCcsOid(parameters, clientInfo);
|
|
7808
|
+
}
|
|
7809
|
+
catch (e) {
|
|
7810
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7811
|
+
}
|
|
7812
|
+
}
|
|
7813
|
+
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7814
|
+
/*
|
|
7815
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7816
|
+
* SessionId is only used in silent calls
|
|
7817
|
+
*/
|
|
7818
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7819
|
+
addSid(parameters, accountSid);
|
|
7820
|
+
performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7821
|
+
try {
|
|
7822
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7823
|
+
addCcsOid(parameters, clientInfo);
|
|
7824
|
+
}
|
|
7825
|
+
catch (e) {
|
|
7826
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7827
|
+
}
|
|
7828
|
+
}
|
|
7829
|
+
else if (request.loginHint) {
|
|
7830
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7831
|
+
addLoginHint(parameters, request.loginHint);
|
|
7832
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7833
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7834
|
+
}
|
|
7835
|
+
else if (request.account.username) {
|
|
7836
|
+
// Fallback to account username if provided
|
|
7837
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7838
|
+
addLoginHint(parameters, request.account.username);
|
|
7839
|
+
performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7840
|
+
try {
|
|
7841
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7842
|
+
addCcsOid(parameters, clientInfo);
|
|
7843
|
+
}
|
|
7844
|
+
catch (e) {
|
|
7845
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7846
|
+
}
|
|
7847
|
+
}
|
|
7848
|
+
}
|
|
7849
|
+
else if (request.loginHint) {
|
|
7850
|
+
logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7851
|
+
addLoginHint(parameters, request.loginHint);
|
|
7852
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7853
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7854
|
+
}
|
|
7855
|
+
}
|
|
7856
|
+
else {
|
|
7857
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7858
|
+
}
|
|
7859
|
+
if (request.nonce) {
|
|
7860
|
+
addNonce(parameters, request.nonce);
|
|
7861
|
+
}
|
|
7862
|
+
if (request.state) {
|
|
7863
|
+
addState(parameters, request.state);
|
|
7864
|
+
}
|
|
7865
|
+
if (request.claims ||
|
|
7866
|
+
(authOptions.clientCapabilities &&
|
|
7867
|
+
authOptions.clientCapabilities.length > 0)) {
|
|
7868
|
+
addClaims(parameters, request.claims, authOptions.clientCapabilities);
|
|
7869
|
+
}
|
|
7870
|
+
if (request.embeddedClientId) {
|
|
7871
|
+
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7872
|
+
}
|
|
7873
|
+
if (request.extraQueryParameters) {
|
|
7874
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7875
|
+
}
|
|
7876
|
+
if (authOptions.instanceAware) {
|
|
7877
|
+
addInstanceAware(parameters);
|
|
7878
|
+
}
|
|
7879
|
+
return parameters;
|
|
7880
|
+
}
|
|
7881
|
+
/**
|
|
7882
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
7883
|
+
* @param authority
|
|
7884
|
+
* @param requestParameters
|
|
7885
|
+
* @returns
|
|
7886
|
+
*/
|
|
7887
|
+
function getAuthorizeUrl(authority, requestParameters) {
|
|
7888
|
+
const queryString = mapToQueryString(requestParameters);
|
|
7889
|
+
return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
|
|
7890
|
+
}
|
|
7891
|
+
/**
|
|
7892
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7893
|
+
* the client to exchange for a token in acquireToken.
|
|
7894
|
+
* @param serverParams
|
|
7895
|
+
* @param cachedState
|
|
7896
|
+
*/
|
|
7897
|
+
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7898
|
+
// Get code response
|
|
7899
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
7900
|
+
// throw when there is no auth code in the response
|
|
7901
|
+
if (!serverParams.code) {
|
|
7902
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7903
|
+
}
|
|
7904
|
+
return serverParams;
|
|
7905
|
+
}
|
|
7906
|
+
/**
|
|
7907
|
+
* Function which validates server authorization code response.
|
|
7908
|
+
* @param serverResponseHash
|
|
7909
|
+
* @param requestState
|
|
7910
|
+
*/
|
|
7911
|
+
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7912
|
+
if (!serverResponse.state || !requestState) {
|
|
7913
|
+
throw serverResponse.state
|
|
7914
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
7915
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
7916
|
+
}
|
|
7917
|
+
let decodedServerResponseState;
|
|
7918
|
+
let decodedRequestState;
|
|
7919
|
+
try {
|
|
7920
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7921
|
+
}
|
|
7922
|
+
catch (e) {
|
|
7923
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7924
|
+
}
|
|
7925
|
+
try {
|
|
7926
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
7927
|
+
}
|
|
7928
|
+
catch (e) {
|
|
7929
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7930
|
+
}
|
|
7931
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
7932
|
+
throw createClientAuthError(stateMismatch);
|
|
7933
|
+
}
|
|
7934
|
+
// Check for error
|
|
7935
|
+
if (serverResponse.error ||
|
|
7936
|
+
serverResponse.error_description ||
|
|
7937
|
+
serverResponse.suberror) {
|
|
7938
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7939
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7940
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7941
|
+
}
|
|
7942
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7943
|
+
}
|
|
7944
|
+
}
|
|
7945
|
+
/**
|
|
7946
|
+
* Get server error No from the error_uri
|
|
7947
|
+
* @param serverResponse
|
|
7948
|
+
* @returns
|
|
7949
|
+
*/
|
|
7950
|
+
function parseServerErrorNo(serverResponse) {
|
|
7951
|
+
const errorCodePrefix = "code=";
|
|
7952
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
7953
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
7954
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
7955
|
+
: undefined;
|
|
7956
|
+
}
|
|
7957
|
+
/**
|
|
7958
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
7959
|
+
* @param account
|
|
7960
|
+
*/
|
|
7961
|
+
function extractAccountSid(account) {
|
|
7962
|
+
return account.idTokenClaims?.sid || null;
|
|
7963
|
+
}
|
|
7964
|
+
function extractLoginHint(account) {
|
|
7965
|
+
return account.idTokenClaims?.login_hint || null;
|
|
7966
|
+
}
|
|
7967
|
+
|
|
7968
|
+
var Authorize = /*#__PURE__*/Object.freeze({
|
|
7969
|
+
__proto__: null,
|
|
7970
|
+
getAuthorizationCodePayload: getAuthorizationCodePayload,
|
|
7971
|
+
getAuthorizeUrl: getAuthorizeUrl,
|
|
7972
|
+
getStandardAuthorizeRequestParameters: getStandardAuthorizeRequestParameters,
|
|
7973
|
+
validateAuthorizationResponse: validateAuthorizationResponse
|
|
7974
|
+
});
|
|
7975
|
+
|
|
7963
7976
|
/*
|
|
7964
7977
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7965
7978
|
* Licensed under the MIT License.
|
|
@@ -8290,6 +8303,7 @@ exports.Authority = Authority;
|
|
|
8290
8303
|
exports.AuthorityFactory = AuthorityFactory;
|
|
8291
8304
|
exports.AuthorityType = AuthorityType;
|
|
8292
8305
|
exports.AuthorizationCodeClient = AuthorizationCodeClient;
|
|
8306
|
+
exports.Authorize = Authorize;
|
|
8293
8307
|
exports.AzureCloudInstance = AzureCloudInstance;
|
|
8294
8308
|
exports.BaseClient = BaseClient;
|
|
8295
8309
|
exports.CacheAccountType = CacheAccountType;
|
|
@@ -8374,4 +8388,4 @@ exports.invokeAsync = invokeAsync;
|
|
|
8374
8388
|
exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
|
|
8375
8389
|
exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
|
|
8376
8390
|
exports.version = version;
|
|
8377
|
-
//# sourceMappingURL=index-node
|
|
8391
|
+
//# sourceMappingURL=index-node-BjtDFnOl.js.map
|