@azure/msal-common 15.2.1 → 15.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +3 -3
- package/dist/authority/Authority.mjs.map +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.d.ts +11 -0
- package/dist/authority/ProtocolMode.d.ts.map +1 -1
- package/dist/authority/ProtocolMode.mjs +12 -1
- package/dist/authority/ProtocolMode.mjs.map +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +4 -4
- package/dist/cache/entities/AccountEntity.mjs.map +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +41 -246
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +27 -29
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +3 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +6 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +4 -3
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +6 -3
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +6 -3
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +6 -3
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/CommonAuthorizationUrlRequest.d.ts +3 -2
- package/dist/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +211 -219
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +364 -370
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +76 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +2 -49
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +6 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +15 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.d.ts +11 -5
- package/dist/utils/Constants.d.ts.map +1 -1
- package/dist/utils/Constants.mjs +13 -8
- package/dist/utils/Constants.mjs.map +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +13 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +4 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node--LMD5Re1.js → index-node-C56U0Gkp.js} +833 -777
- package/lib/index-node-C56U0Gkp.js.map +1 -0
- package/lib/index-node.cjs +4 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +4 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/authority/ProtocolMode.d.ts +11 -0
- package/lib/types/authority/ProtocolMode.d.ts.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +3 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +4 -3
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/CommonAuthorizationUrlRequest.d.ts +3 -2
- package/lib/types/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
- package/lib/types/request/RequestParameterBuilder.d.ts +211 -219
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +76 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +6 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/Constants.d.ts +11 -5
- package/lib/types/utils/Constants.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/authority/Authority.ts +2 -2
- package/src/authority/ProtocolMode.ts +11 -0
- package/src/cache/entities/AccountEntity.ts +3 -3
- package/src/client/AuthorizationCodeClient.ts +84 -395
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +60 -30
- package/src/constants/AADServerParamKeys.ts +3 -0
- package/src/exports-common.ts +5 -2
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/CommonAuthorizationUrlRequest.ts +3 -2
- package/src/request/RequestParameterBuilder.ts +516 -545
- package/src/response/AuthorizeResponse.ts +80 -0
- package/src/response/ResponseHandler.ts +0 -98
- package/src/telemetry/performance/PerformanceEvent.ts +14 -11
- package/src/utils/Constants.ts +14 -6
- package/src/utils/UrlUtils.ts +19 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node--LMD5Re1.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
|
@@ -4,14 +4,13 @@
|
|
|
4
4
|
*/
|
|
5
5
|
|
|
6
6
|
import { BaseClient } from "./BaseClient.js";
|
|
7
|
-
import { CommonAuthorizationUrlRequest } from "../request/CommonAuthorizationUrlRequest.js";
|
|
8
7
|
import { CommonAuthorizationCodeRequest } from "../request/CommonAuthorizationCodeRequest.js";
|
|
9
8
|
import { Authority } from "../authority/Authority.js";
|
|
10
|
-
import
|
|
9
|
+
import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
|
|
10
|
+
import * as UrlUtils from "../utils/UrlUtils.js";
|
|
11
11
|
import {
|
|
12
12
|
GrantType,
|
|
13
13
|
AuthenticationScheme,
|
|
14
|
-
PromptValue,
|
|
15
14
|
Separators,
|
|
16
15
|
HeaderNames,
|
|
17
16
|
} from "../utils/Constants.js";
|
|
@@ -30,12 +29,10 @@ import {
|
|
|
30
29
|
createClientAuthError,
|
|
31
30
|
} from "../error/ClientAuthError.js";
|
|
32
31
|
import { UrlString } from "../url/UrlString.js";
|
|
33
|
-
import { ServerAuthorizationCodeResponse } from "../response/ServerAuthorizationCodeResponse.js";
|
|
34
32
|
import { CommonEndSessionRequest } from "../request/CommonEndSessionRequest.js";
|
|
35
33
|
import { PopTokenGenerator } from "../crypto/PopTokenGenerator.js";
|
|
36
34
|
import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
|
|
37
35
|
import * as TimeUtils from "../utils/TimeUtils.js";
|
|
38
|
-
import { AccountInfo } from "../account/AccountInfo.js";
|
|
39
36
|
import {
|
|
40
37
|
buildClientInfoFromHomeAccountId,
|
|
41
38
|
buildClientInfo,
|
|
@@ -71,38 +68,6 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
71
68
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
72
69
|
}
|
|
73
70
|
|
|
74
|
-
/**
|
|
75
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
76
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
77
|
-
* application object.
|
|
78
|
-
*
|
|
79
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
80
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
81
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
82
|
-
* @param request
|
|
83
|
-
*/
|
|
84
|
-
async getAuthCodeUrl(
|
|
85
|
-
request: CommonAuthorizationUrlRequest
|
|
86
|
-
): Promise<string> {
|
|
87
|
-
this.performanceClient?.addQueueMeasurement(
|
|
88
|
-
PerformanceEvents.GetAuthCodeUrl,
|
|
89
|
-
request.correlationId
|
|
90
|
-
);
|
|
91
|
-
|
|
92
|
-
const queryString = await invokeAsync(
|
|
93
|
-
this.createAuthCodeUrlQueryString.bind(this),
|
|
94
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
95
|
-
this.logger,
|
|
96
|
-
this.performanceClient,
|
|
97
|
-
request.correlationId
|
|
98
|
-
)(request);
|
|
99
|
-
|
|
100
|
-
return UrlString.appendQueryString(
|
|
101
|
-
this.authority.authorizationEndpoint,
|
|
102
|
-
queryString
|
|
103
|
-
);
|
|
104
|
-
}
|
|
105
|
-
|
|
106
71
|
/**
|
|
107
72
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
108
73
|
* authorization_code_grant
|
|
@@ -167,41 +132,6 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
167
132
|
);
|
|
168
133
|
}
|
|
169
134
|
|
|
170
|
-
/**
|
|
171
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
172
|
-
* the client to exchange for a token in acquireToken.
|
|
173
|
-
* @param hashFragment
|
|
174
|
-
*/
|
|
175
|
-
handleFragmentResponse(
|
|
176
|
-
serverParams: ServerAuthorizationCodeResponse,
|
|
177
|
-
cachedState: string
|
|
178
|
-
): AuthorizationCodePayload {
|
|
179
|
-
// Handle responses.
|
|
180
|
-
const responseHandler = new ResponseHandler(
|
|
181
|
-
this.config.authOptions.clientId,
|
|
182
|
-
this.cacheManager,
|
|
183
|
-
this.cryptoUtils,
|
|
184
|
-
this.logger,
|
|
185
|
-
null,
|
|
186
|
-
null
|
|
187
|
-
);
|
|
188
|
-
|
|
189
|
-
// Get code response
|
|
190
|
-
responseHandler.validateServerAuthorizationCodeResponse(
|
|
191
|
-
serverParams,
|
|
192
|
-
cachedState
|
|
193
|
-
);
|
|
194
|
-
|
|
195
|
-
// throw when there is no auth code in the response
|
|
196
|
-
if (!serverParams.code) {
|
|
197
|
-
throw createClientAuthError(
|
|
198
|
-
ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse
|
|
199
|
-
);
|
|
200
|
-
}
|
|
201
|
-
|
|
202
|
-
return serverParams as AuthorizationCodePayload;
|
|
203
|
-
}
|
|
204
|
-
|
|
205
135
|
/**
|
|
206
136
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
207
137
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -305,12 +235,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
305
235
|
request.correlationId
|
|
306
236
|
);
|
|
307
237
|
|
|
308
|
-
const
|
|
309
|
-
request.correlationId,
|
|
310
|
-
this.performanceClient
|
|
311
|
-
);
|
|
238
|
+
const parameters = new Map<string, string>();
|
|
312
239
|
|
|
313
|
-
|
|
240
|
+
RequestParameterBuilder.addClientId(
|
|
241
|
+
parameters,
|
|
314
242
|
request.embeddedClientId ||
|
|
315
243
|
request.tokenBodyParameters?.[AADServerParamKeys.CLIENT_ID] ||
|
|
316
244
|
this.config.authOptions.clientId
|
|
@@ -325,37 +253,52 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
325
253
|
RequestValidator.validateRedirectUri(request.redirectUri);
|
|
326
254
|
} else {
|
|
327
255
|
// Validate and include redirect uri
|
|
328
|
-
|
|
256
|
+
RequestParameterBuilder.addRedirectUri(
|
|
257
|
+
parameters,
|
|
258
|
+
request.redirectUri
|
|
259
|
+
);
|
|
329
260
|
}
|
|
330
261
|
|
|
331
262
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
332
|
-
|
|
263
|
+
RequestParameterBuilder.addScopes(
|
|
264
|
+
parameters,
|
|
333
265
|
request.scopes,
|
|
334
266
|
true,
|
|
335
267
|
this.oidcDefaultScopes
|
|
336
268
|
);
|
|
337
269
|
|
|
338
270
|
// add code: user set, not validated
|
|
339
|
-
|
|
271
|
+
RequestParameterBuilder.addAuthorizationCode(parameters, request.code);
|
|
340
272
|
|
|
341
273
|
// Add library metadata
|
|
342
|
-
|
|
343
|
-
|
|
274
|
+
RequestParameterBuilder.addLibraryInfo(
|
|
275
|
+
parameters,
|
|
276
|
+
this.config.libraryInfo
|
|
277
|
+
);
|
|
278
|
+
RequestParameterBuilder.addApplicationTelemetry(
|
|
279
|
+
parameters,
|
|
344
280
|
this.config.telemetry.application
|
|
345
281
|
);
|
|
346
|
-
|
|
282
|
+
RequestParameterBuilder.addThrottling(parameters);
|
|
347
283
|
|
|
348
284
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
349
|
-
|
|
285
|
+
RequestParameterBuilder.addServerTelemetry(
|
|
286
|
+
parameters,
|
|
287
|
+
this.serverTelemetryManager
|
|
288
|
+
);
|
|
350
289
|
}
|
|
351
290
|
|
|
352
291
|
// add code_verifier if passed
|
|
353
292
|
if (request.codeVerifier) {
|
|
354
|
-
|
|
293
|
+
RequestParameterBuilder.addCodeVerifier(
|
|
294
|
+
parameters,
|
|
295
|
+
request.codeVerifier
|
|
296
|
+
);
|
|
355
297
|
}
|
|
356
298
|
|
|
357
299
|
if (this.config.clientCredentials.clientSecret) {
|
|
358
|
-
|
|
300
|
+
RequestParameterBuilder.addClientSecret(
|
|
301
|
+
parameters,
|
|
359
302
|
this.config.clientCredentials.clientSecret
|
|
360
303
|
);
|
|
361
304
|
}
|
|
@@ -364,20 +307,25 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
364
307
|
const clientAssertion: ClientAssertion =
|
|
365
308
|
this.config.clientCredentials.clientAssertion;
|
|
366
309
|
|
|
367
|
-
|
|
310
|
+
RequestParameterBuilder.addClientAssertion(
|
|
311
|
+
parameters,
|
|
368
312
|
await getClientAssertion(
|
|
369
313
|
clientAssertion.assertion,
|
|
370
314
|
this.config.authOptions.clientId,
|
|
371
315
|
request.resourceRequestUri
|
|
372
316
|
)
|
|
373
317
|
);
|
|
374
|
-
|
|
318
|
+
RequestParameterBuilder.addClientAssertionType(
|
|
319
|
+
parameters,
|
|
375
320
|
clientAssertion.assertionType
|
|
376
321
|
);
|
|
377
322
|
}
|
|
378
323
|
|
|
379
|
-
|
|
380
|
-
|
|
324
|
+
RequestParameterBuilder.addGrantType(
|
|
325
|
+
parameters,
|
|
326
|
+
GrantType.AUTHORIZATION_CODE_GRANT
|
|
327
|
+
);
|
|
328
|
+
RequestParameterBuilder.addClientInfo(parameters);
|
|
381
329
|
|
|
382
330
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
383
331
|
const popTokenGenerator = new PopTokenGenerator(
|
|
@@ -400,10 +348,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
400
348
|
}
|
|
401
349
|
|
|
402
350
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
403
|
-
|
|
351
|
+
RequestParameterBuilder.addPopToken(parameters, reqCnfData);
|
|
404
352
|
} else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
405
353
|
if (request.sshJwk) {
|
|
406
|
-
|
|
354
|
+
RequestParameterBuilder.addSshJwk(parameters, request.sshJwk);
|
|
407
355
|
} else {
|
|
408
356
|
throw createClientConfigurationError(
|
|
409
357
|
ClientConfigurationErrorCodes.missingSshJwk
|
|
@@ -416,7 +364,8 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
416
364
|
(this.config.authOptions.clientCapabilities &&
|
|
417
365
|
this.config.authOptions.clientCapabilities.length > 0)
|
|
418
366
|
) {
|
|
419
|
-
|
|
367
|
+
RequestParameterBuilder.addClaims(
|
|
368
|
+
parameters,
|
|
420
369
|
request.claims,
|
|
421
370
|
this.config.authOptions.clientCapabilities
|
|
422
371
|
);
|
|
@@ -450,7 +399,10 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
450
399
|
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
451
400
|
ccsCred.credential
|
|
452
401
|
);
|
|
453
|
-
|
|
402
|
+
RequestParameterBuilder.addCcsOid(
|
|
403
|
+
parameters,
|
|
404
|
+
clientInfo
|
|
405
|
+
);
|
|
454
406
|
} catch (e) {
|
|
455
407
|
this.logger.verbose(
|
|
456
408
|
"Could not parse home account ID for CCS Header: " +
|
|
@@ -459,20 +411,25 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
459
411
|
}
|
|
460
412
|
break;
|
|
461
413
|
case CcsCredentialType.UPN:
|
|
462
|
-
|
|
414
|
+
RequestParameterBuilder.addCcsUpn(
|
|
415
|
+
parameters,
|
|
416
|
+
ccsCred.credential
|
|
417
|
+
);
|
|
463
418
|
break;
|
|
464
419
|
}
|
|
465
420
|
}
|
|
466
421
|
|
|
467
422
|
if (request.embeddedClientId) {
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
423
|
+
RequestParameterBuilder.addBrokerParameters(
|
|
424
|
+
parameters,
|
|
425
|
+
this.config.authOptions.clientId,
|
|
426
|
+
this.config.authOptions.redirectUri
|
|
427
|
+
);
|
|
472
428
|
}
|
|
473
429
|
|
|
474
430
|
if (request.tokenBodyParameters) {
|
|
475
|
-
|
|
431
|
+
RequestParameterBuilder.addExtraQueryParameters(
|
|
432
|
+
parameters,
|
|
476
433
|
request.tokenBodyParameters
|
|
477
434
|
);
|
|
478
435
|
}
|
|
@@ -485,268 +442,17 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
485
442
|
AADServerParamKeys.RETURN_SPA_CODE
|
|
486
443
|
])
|
|
487
444
|
) {
|
|
488
|
-
|
|
445
|
+
RequestParameterBuilder.addExtraQueryParameters(parameters, {
|
|
489
446
|
[AADServerParamKeys.RETURN_SPA_CODE]: "1",
|
|
490
447
|
});
|
|
491
448
|
}
|
|
492
449
|
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
/**
|
|
497
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
498
|
-
* @param request
|
|
499
|
-
*/
|
|
500
|
-
private async createAuthCodeUrlQueryString(
|
|
501
|
-
request: CommonAuthorizationUrlRequest
|
|
502
|
-
): Promise<string> {
|
|
503
|
-
// generate the correlationId if not set by the user and add
|
|
504
|
-
const correlationId =
|
|
505
|
-
request.correlationId ||
|
|
506
|
-
this.config.cryptoInterface.createNewGuid();
|
|
507
|
-
|
|
508
|
-
this.performanceClient?.addQueueMeasurement(
|
|
509
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
510
|
-
correlationId
|
|
511
|
-
);
|
|
512
|
-
|
|
513
|
-
const parameterBuilder = new RequestParameterBuilder(
|
|
514
|
-
correlationId,
|
|
450
|
+
RequestParameterBuilder.instrumentBrokerParams(
|
|
451
|
+
parameters,
|
|
452
|
+
request.correlationId,
|
|
515
453
|
this.performanceClient
|
|
516
454
|
);
|
|
517
|
-
|
|
518
|
-
parameterBuilder.addClientId(
|
|
519
|
-
request.embeddedClientId ||
|
|
520
|
-
request.extraQueryParameters?.[AADServerParamKeys.CLIENT_ID] ||
|
|
521
|
-
this.config.authOptions.clientId
|
|
522
|
-
);
|
|
523
|
-
|
|
524
|
-
const requestScopes = [
|
|
525
|
-
...(request.scopes || []),
|
|
526
|
-
...(request.extraScopesToConsent || []),
|
|
527
|
-
];
|
|
528
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
529
|
-
|
|
530
|
-
// validate the redirectUri (to be a non null value)
|
|
531
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
532
|
-
|
|
533
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
534
|
-
|
|
535
|
-
// add response_mode. If not passed in it defaults to query.
|
|
536
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
537
|
-
|
|
538
|
-
// add response_type = code
|
|
539
|
-
parameterBuilder.addResponseTypeCode();
|
|
540
|
-
|
|
541
|
-
// add library info parameters
|
|
542
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
543
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
544
|
-
parameterBuilder.addApplicationTelemetry(
|
|
545
|
-
this.config.telemetry.application
|
|
546
|
-
);
|
|
547
|
-
}
|
|
548
|
-
|
|
549
|
-
// add client_info=1
|
|
550
|
-
parameterBuilder.addClientInfo();
|
|
551
|
-
|
|
552
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
553
|
-
parameterBuilder.addCodeChallengeParams(
|
|
554
|
-
request.codeChallenge,
|
|
555
|
-
request.codeChallengeMethod
|
|
556
|
-
);
|
|
557
|
-
}
|
|
558
|
-
|
|
559
|
-
if (request.prompt) {
|
|
560
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
561
|
-
}
|
|
562
|
-
|
|
563
|
-
if (request.domainHint) {
|
|
564
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
565
|
-
this.performanceClient?.addFields(
|
|
566
|
-
{ domainHintFromRequest: true },
|
|
567
|
-
correlationId
|
|
568
|
-
);
|
|
569
|
-
}
|
|
570
|
-
|
|
571
|
-
this.performanceClient?.addFields(
|
|
572
|
-
{ prompt: request.prompt },
|
|
573
|
-
correlationId
|
|
574
|
-
);
|
|
575
|
-
|
|
576
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
577
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
578
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
579
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
580
|
-
// SessionID is only used in silent calls
|
|
581
|
-
this.logger.verbose(
|
|
582
|
-
"createAuthCodeUrlQueryString: Prompt is none, adding sid from request"
|
|
583
|
-
);
|
|
584
|
-
parameterBuilder.addSid(request.sid);
|
|
585
|
-
this.performanceClient?.addFields(
|
|
586
|
-
{ sidFromRequest: true },
|
|
587
|
-
correlationId
|
|
588
|
-
);
|
|
589
|
-
} else if (request.account) {
|
|
590
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
591
|
-
let accountLoginHintClaim = this.extractLoginHint(
|
|
592
|
-
request.account
|
|
593
|
-
);
|
|
594
|
-
|
|
595
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
596
|
-
this.logger.warning(
|
|
597
|
-
`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`
|
|
598
|
-
);
|
|
599
|
-
accountLoginHintClaim = null;
|
|
600
|
-
}
|
|
601
|
-
|
|
602
|
-
// If login_hint claim is present, use it over sid/username
|
|
603
|
-
if (accountLoginHintClaim) {
|
|
604
|
-
this.logger.verbose(
|
|
605
|
-
"createAuthCodeUrlQueryString: login_hint claim present on account"
|
|
606
|
-
);
|
|
607
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
608
|
-
this.performanceClient?.addFields(
|
|
609
|
-
{ loginHintFromClaim: true },
|
|
610
|
-
correlationId
|
|
611
|
-
);
|
|
612
|
-
try {
|
|
613
|
-
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
614
|
-
request.account.homeAccountId
|
|
615
|
-
);
|
|
616
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
617
|
-
} catch (e) {
|
|
618
|
-
this.logger.verbose(
|
|
619
|
-
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
620
|
-
);
|
|
621
|
-
}
|
|
622
|
-
} else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
623
|
-
/*
|
|
624
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
625
|
-
* SessionId is only used in silent calls
|
|
626
|
-
*/
|
|
627
|
-
this.logger.verbose(
|
|
628
|
-
"createAuthCodeUrlQueryString: Prompt is none, adding sid from account"
|
|
629
|
-
);
|
|
630
|
-
parameterBuilder.addSid(accountSid);
|
|
631
|
-
this.performanceClient?.addFields(
|
|
632
|
-
{ sidFromClaim: true },
|
|
633
|
-
correlationId
|
|
634
|
-
);
|
|
635
|
-
try {
|
|
636
|
-
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
637
|
-
request.account.homeAccountId
|
|
638
|
-
);
|
|
639
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
640
|
-
} catch (e) {
|
|
641
|
-
this.logger.verbose(
|
|
642
|
-
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
643
|
-
);
|
|
644
|
-
}
|
|
645
|
-
} else if (request.loginHint) {
|
|
646
|
-
this.logger.verbose(
|
|
647
|
-
"createAuthCodeUrlQueryString: Adding login_hint from request"
|
|
648
|
-
);
|
|
649
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
650
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
651
|
-
this.performanceClient?.addFields(
|
|
652
|
-
{ loginHintFromRequest: true },
|
|
653
|
-
correlationId
|
|
654
|
-
);
|
|
655
|
-
} else if (request.account.username) {
|
|
656
|
-
// Fallback to account username if provided
|
|
657
|
-
this.logger.verbose(
|
|
658
|
-
"createAuthCodeUrlQueryString: Adding login_hint from account"
|
|
659
|
-
);
|
|
660
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
661
|
-
this.performanceClient?.addFields(
|
|
662
|
-
{ loginHintFromUpn: true },
|
|
663
|
-
correlationId
|
|
664
|
-
);
|
|
665
|
-
try {
|
|
666
|
-
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
667
|
-
request.account.homeAccountId
|
|
668
|
-
);
|
|
669
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
670
|
-
} catch (e) {
|
|
671
|
-
this.logger.verbose(
|
|
672
|
-
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
673
|
-
);
|
|
674
|
-
}
|
|
675
|
-
}
|
|
676
|
-
} else if (request.loginHint) {
|
|
677
|
-
this.logger.verbose(
|
|
678
|
-
"createAuthCodeUrlQueryString: No account, adding login_hint from request"
|
|
679
|
-
);
|
|
680
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
681
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
682
|
-
this.performanceClient?.addFields(
|
|
683
|
-
{ loginHintFromRequest: true },
|
|
684
|
-
correlationId
|
|
685
|
-
);
|
|
686
|
-
}
|
|
687
|
-
} else {
|
|
688
|
-
this.logger.verbose(
|
|
689
|
-
"createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints"
|
|
690
|
-
);
|
|
691
|
-
}
|
|
692
|
-
|
|
693
|
-
if (request.nonce) {
|
|
694
|
-
parameterBuilder.addNonce(request.nonce);
|
|
695
|
-
}
|
|
696
|
-
|
|
697
|
-
if (request.state) {
|
|
698
|
-
parameterBuilder.addState(request.state);
|
|
699
|
-
}
|
|
700
|
-
|
|
701
|
-
if (
|
|
702
|
-
request.claims ||
|
|
703
|
-
(this.config.authOptions.clientCapabilities &&
|
|
704
|
-
this.config.authOptions.clientCapabilities.length > 0)
|
|
705
|
-
) {
|
|
706
|
-
parameterBuilder.addClaims(
|
|
707
|
-
request.claims,
|
|
708
|
-
this.config.authOptions.clientCapabilities
|
|
709
|
-
);
|
|
710
|
-
}
|
|
711
|
-
|
|
712
|
-
if (request.embeddedClientId) {
|
|
713
|
-
parameterBuilder.addBrokerParameters({
|
|
714
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
715
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
716
|
-
});
|
|
717
|
-
}
|
|
718
|
-
|
|
719
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
720
|
-
|
|
721
|
-
if (request.platformBroker) {
|
|
722
|
-
// signal ests that this is a WAM call
|
|
723
|
-
parameterBuilder.addNativeBroker();
|
|
724
|
-
|
|
725
|
-
// pass the req_cnf for POP
|
|
726
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
727
|
-
const popTokenGenerator = new PopTokenGenerator(
|
|
728
|
-
this.cryptoUtils
|
|
729
|
-
);
|
|
730
|
-
|
|
731
|
-
// req_cnf is always sent as a string for SPAs
|
|
732
|
-
let reqCnfData;
|
|
733
|
-
if (!request.popKid) {
|
|
734
|
-
const generatedReqCnfData = await invokeAsync(
|
|
735
|
-
popTokenGenerator.generateCnf.bind(popTokenGenerator),
|
|
736
|
-
PerformanceEvents.PopTokenGenerateCnf,
|
|
737
|
-
this.logger,
|
|
738
|
-
this.performanceClient,
|
|
739
|
-
request.correlationId
|
|
740
|
-
)(request, this.logger);
|
|
741
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
742
|
-
} else {
|
|
743
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
744
|
-
}
|
|
745
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
746
|
-
}
|
|
747
|
-
}
|
|
748
|
-
|
|
749
|
-
return parameterBuilder.createQueryString();
|
|
455
|
+
return UrlUtils.mapToQueryString(parameters);
|
|
750
456
|
}
|
|
751
457
|
|
|
752
458
|
/**
|
|
@@ -756,68 +462,51 @@ export class AuthorizationCodeClient extends BaseClient {
|
|
|
756
462
|
private createLogoutUrlQueryString(
|
|
757
463
|
request: CommonEndSessionRequest
|
|
758
464
|
): string {
|
|
759
|
-
const
|
|
760
|
-
request.correlationId,
|
|
761
|
-
this.performanceClient
|
|
762
|
-
);
|
|
465
|
+
const parameters = new Map<string, string>();
|
|
763
466
|
|
|
764
467
|
if (request.postLogoutRedirectUri) {
|
|
765
|
-
|
|
468
|
+
RequestParameterBuilder.addPostLogoutRedirectUri(
|
|
469
|
+
parameters,
|
|
766
470
|
request.postLogoutRedirectUri
|
|
767
471
|
);
|
|
768
472
|
}
|
|
769
473
|
|
|
770
474
|
if (request.correlationId) {
|
|
771
|
-
|
|
475
|
+
RequestParameterBuilder.addCorrelationId(
|
|
476
|
+
parameters,
|
|
477
|
+
request.correlationId
|
|
478
|
+
);
|
|
772
479
|
}
|
|
773
480
|
|
|
774
481
|
if (request.idTokenHint) {
|
|
775
|
-
|
|
482
|
+
RequestParameterBuilder.addIdTokenHint(
|
|
483
|
+
parameters,
|
|
484
|
+
request.idTokenHint
|
|
485
|
+
);
|
|
776
486
|
}
|
|
777
487
|
|
|
778
488
|
if (request.state) {
|
|
779
|
-
|
|
489
|
+
RequestParameterBuilder.addState(parameters, request.state);
|
|
780
490
|
}
|
|
781
491
|
|
|
782
492
|
if (request.logoutHint) {
|
|
783
|
-
|
|
784
|
-
|
|
785
|
-
|
|
786
|
-
|
|
787
|
-
|
|
788
|
-
return parameterBuilder.createQueryString();
|
|
789
|
-
}
|
|
790
|
-
|
|
791
|
-
private addExtraQueryParams(
|
|
792
|
-
request: CommonAuthorizationUrlRequest | CommonEndSessionRequest,
|
|
793
|
-
parameterBuilder: RequestParameterBuilder
|
|
794
|
-
) {
|
|
795
|
-
const hasRequestInstanceAware =
|
|
796
|
-
request.extraQueryParameters &&
|
|
797
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
798
|
-
|
|
799
|
-
// Set instance_aware flag if config auth param is set
|
|
800
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
801
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
802
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
493
|
+
RequestParameterBuilder.addLogoutHint(
|
|
494
|
+
parameters,
|
|
495
|
+
request.logoutHint
|
|
496
|
+
);
|
|
803
497
|
}
|
|
804
498
|
|
|
805
499
|
if (request.extraQueryParameters) {
|
|
806
|
-
|
|
500
|
+
RequestParameterBuilder.addExtraQueryParameters(
|
|
501
|
+
parameters,
|
|
807
502
|
request.extraQueryParameters
|
|
808
503
|
);
|
|
809
504
|
}
|
|
810
|
-
}
|
|
811
505
|
|
|
812
|
-
|
|
813
|
-
|
|
814
|
-
|
|
815
|
-
*/
|
|
816
|
-
private extractAccountSid(account: AccountInfo): string | null {
|
|
817
|
-
return account.idTokenClaims?.sid || null;
|
|
818
|
-
}
|
|
506
|
+
if (this.config.authOptions.instanceAware) {
|
|
507
|
+
RequestParameterBuilder.addInstanceAware(parameters);
|
|
508
|
+
}
|
|
819
509
|
|
|
820
|
-
|
|
821
|
-
return account.idTokenClaims?.login_hint || null;
|
|
510
|
+
return UrlUtils.mapToQueryString(parameters);
|
|
822
511
|
}
|
|
823
512
|
}
|