@azure/msal-common 15.2.1 → 15.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +3 -3
- package/dist/authority/Authority.mjs.map +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.d.ts +11 -0
- package/dist/authority/ProtocolMode.d.ts.map +1 -1
- package/dist/authority/ProtocolMode.mjs +12 -1
- package/dist/authority/ProtocolMode.mjs.map +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +4 -4
- package/dist/cache/entities/AccountEntity.mjs.map +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +41 -246
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +27 -29
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +3 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +6 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +4 -3
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +6 -3
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +6 -3
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +6 -3
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/CommonAuthorizationUrlRequest.d.ts +3 -2
- package/dist/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +211 -219
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +364 -370
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +76 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +2 -49
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +6 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +15 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.d.ts +11 -5
- package/dist/utils/Constants.d.ts.map +1 -1
- package/dist/utils/Constants.mjs +13 -8
- package/dist/utils/Constants.mjs.map +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +13 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +4 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node--LMD5Re1.js → index-node-C56U0Gkp.js} +833 -777
- package/lib/index-node-C56U0Gkp.js.map +1 -0
- package/lib/index-node.cjs +4 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +4 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/authority/ProtocolMode.d.ts +11 -0
- package/lib/types/authority/ProtocolMode.d.ts.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +3 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +4 -3
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/CommonAuthorizationUrlRequest.d.ts +3 -2
- package/lib/types/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
- package/lib/types/request/RequestParameterBuilder.d.ts +211 -219
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +76 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +6 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/Constants.d.ts +11 -5
- package/lib/types/utils/Constants.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/authority/Authority.ts +2 -2
- package/src/authority/ProtocolMode.ts +11 -0
- package/src/cache/entities/AccountEntity.ts +3 -3
- package/src/client/AuthorizationCodeClient.ts +84 -395
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +60 -30
- package/src/constants/AADServerParamKeys.ts +3 -0
- package/src/exports-common.ts +5 -2
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/CommonAuthorizationUrlRequest.ts +3 -2
- package/src/request/RequestParameterBuilder.ts +516 -545
- package/src/response/AuthorizeResponse.ts +80 -0
- package/src/response/ResponseHandler.ts +0 -98
- package/src/telemetry/performance/PerformanceEvent.ts +14 -11
- package/src/utils/Constants.ts +14 -6
- package/src/utils/UrlUtils.ts +19 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node--LMD5Re1.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
package/src/client/BaseClient.ts
CHANGED
|
@@ -25,7 +25,8 @@ import { version, name } from "../packageMetadata.js";
|
|
|
25
25
|
import { CcsCredential, CcsCredentialType } from "../account/CcsCredential.js";
|
|
26
26
|
import { buildClientInfoFromHomeAccountId } from "../account/ClientInfo.js";
|
|
27
27
|
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
|
|
28
|
-
import
|
|
28
|
+
import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
|
|
29
|
+
import * as UrlUtils from "../utils/UrlUtils.js";
|
|
29
30
|
import { BaseAuthRequest } from "../request/BaseAuthRequest.js";
|
|
30
31
|
import { createDiscoveredInstance } from "../authority/AuthorityFactory.js";
|
|
31
32
|
import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent.js";
|
|
@@ -278,26 +279,33 @@ export abstract class BaseClient {
|
|
|
278
279
|
* @param request
|
|
279
280
|
*/
|
|
280
281
|
createTokenQueryParameters(request: BaseAuthRequest): string {
|
|
281
|
-
const
|
|
282
|
-
request.correlationId,
|
|
283
|
-
this.performanceClient
|
|
284
|
-
);
|
|
282
|
+
const parameters = new Map<string, string>();
|
|
285
283
|
|
|
286
284
|
if (request.embeddedClientId) {
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
290
|
-
|
|
285
|
+
RequestParameterBuilder.addBrokerParameters(
|
|
286
|
+
parameters,
|
|
287
|
+
this.config.authOptions.clientId,
|
|
288
|
+
this.config.authOptions.redirectUri
|
|
289
|
+
);
|
|
291
290
|
}
|
|
292
291
|
|
|
293
292
|
if (request.tokenQueryParameters) {
|
|
294
|
-
|
|
293
|
+
RequestParameterBuilder.addExtraQueryParameters(
|
|
294
|
+
parameters,
|
|
295
295
|
request.tokenQueryParameters
|
|
296
296
|
);
|
|
297
297
|
}
|
|
298
298
|
|
|
299
|
-
|
|
299
|
+
RequestParameterBuilder.addCorrelationId(
|
|
300
|
+
parameters,
|
|
301
|
+
request.correlationId
|
|
302
|
+
);
|
|
300
303
|
|
|
301
|
-
|
|
304
|
+
RequestParameterBuilder.instrumentBrokerParams(
|
|
305
|
+
parameters,
|
|
306
|
+
request.correlationId,
|
|
307
|
+
this.performanceClient
|
|
308
|
+
);
|
|
309
|
+
return UrlUtils.mapToQueryString(parameters);
|
|
302
310
|
}
|
|
303
311
|
}
|
|
@@ -11,7 +11,8 @@ import { BaseClient } from "./BaseClient.js";
|
|
|
11
11
|
import { CommonRefreshTokenRequest } from "../request/CommonRefreshTokenRequest.js";
|
|
12
12
|
import { Authority } from "../authority/Authority.js";
|
|
13
13
|
import { ServerAuthorizationTokenResponse } from "../response/ServerAuthorizationTokenResponse.js";
|
|
14
|
-
import
|
|
14
|
+
import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
|
|
15
|
+
import * as UrlUtils from "../utils/UrlUtils.js";
|
|
15
16
|
import {
|
|
16
17
|
GrantType,
|
|
17
18
|
AuthenticationScheme,
|
|
@@ -345,46 +346,61 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
345
346
|
request.correlationId
|
|
346
347
|
);
|
|
347
348
|
|
|
348
|
-
const
|
|
349
|
-
const parameterBuilder = new RequestParameterBuilder(
|
|
350
|
-
correlationId,
|
|
351
|
-
this.performanceClient
|
|
352
|
-
);
|
|
349
|
+
const parameters = new Map<string, string>();
|
|
353
350
|
|
|
354
|
-
|
|
351
|
+
RequestParameterBuilder.addClientId(
|
|
352
|
+
parameters,
|
|
355
353
|
request.embeddedClientId ||
|
|
356
354
|
request.tokenBodyParameters?.[AADServerParamKeys.CLIENT_ID] ||
|
|
357
355
|
this.config.authOptions.clientId
|
|
358
356
|
);
|
|
359
357
|
|
|
360
358
|
if (request.redirectUri) {
|
|
361
|
-
|
|
359
|
+
RequestParameterBuilder.addRedirectUri(
|
|
360
|
+
parameters,
|
|
361
|
+
request.redirectUri
|
|
362
|
+
);
|
|
362
363
|
}
|
|
363
364
|
|
|
364
|
-
|
|
365
|
+
RequestParameterBuilder.addScopes(
|
|
366
|
+
parameters,
|
|
365
367
|
request.scopes,
|
|
366
368
|
true,
|
|
367
369
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes
|
|
368
370
|
);
|
|
369
371
|
|
|
370
|
-
|
|
372
|
+
RequestParameterBuilder.addGrantType(
|
|
373
|
+
parameters,
|
|
374
|
+
GrantType.REFRESH_TOKEN_GRANT
|
|
375
|
+
);
|
|
371
376
|
|
|
372
|
-
|
|
377
|
+
RequestParameterBuilder.addClientInfo(parameters);
|
|
373
378
|
|
|
374
|
-
|
|
375
|
-
|
|
379
|
+
RequestParameterBuilder.addLibraryInfo(
|
|
380
|
+
parameters,
|
|
381
|
+
this.config.libraryInfo
|
|
382
|
+
);
|
|
383
|
+
RequestParameterBuilder.addApplicationTelemetry(
|
|
384
|
+
parameters,
|
|
376
385
|
this.config.telemetry.application
|
|
377
386
|
);
|
|
378
|
-
|
|
387
|
+
RequestParameterBuilder.addThrottling(parameters);
|
|
379
388
|
|
|
380
389
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
381
|
-
|
|
390
|
+
RequestParameterBuilder.addServerTelemetry(
|
|
391
|
+
parameters,
|
|
392
|
+
this.serverTelemetryManager
|
|
393
|
+
);
|
|
382
394
|
}
|
|
383
395
|
|
|
384
|
-
|
|
396
|
+
RequestParameterBuilder.addRefreshToken(
|
|
397
|
+
parameters,
|
|
398
|
+
request.refreshToken
|
|
399
|
+
);
|
|
385
400
|
|
|
386
401
|
if (this.config.clientCredentials.clientSecret) {
|
|
387
|
-
|
|
402
|
+
RequestParameterBuilder.addClientSecret(
|
|
403
|
+
parameters,
|
|
388
404
|
this.config.clientCredentials.clientSecret
|
|
389
405
|
);
|
|
390
406
|
}
|
|
@@ -393,14 +409,16 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
393
409
|
const clientAssertion: ClientAssertion =
|
|
394
410
|
this.config.clientCredentials.clientAssertion;
|
|
395
411
|
|
|
396
|
-
|
|
412
|
+
RequestParameterBuilder.addClientAssertion(
|
|
413
|
+
parameters,
|
|
397
414
|
await getClientAssertion(
|
|
398
415
|
clientAssertion.assertion,
|
|
399
416
|
this.config.authOptions.clientId,
|
|
400
417
|
request.resourceRequestUri
|
|
401
418
|
)
|
|
402
419
|
);
|
|
403
|
-
|
|
420
|
+
RequestParameterBuilder.addClientAssertionType(
|
|
421
|
+
parameters,
|
|
404
422
|
clientAssertion.assertionType
|
|
405
423
|
);
|
|
406
424
|
}
|
|
@@ -427,10 +445,10 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
427
445
|
}
|
|
428
446
|
|
|
429
447
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
430
|
-
|
|
448
|
+
RequestParameterBuilder.addPopToken(parameters, reqCnfData);
|
|
431
449
|
} else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
432
450
|
if (request.sshJwk) {
|
|
433
|
-
|
|
451
|
+
RequestParameterBuilder.addSshJwk(parameters, request.sshJwk);
|
|
434
452
|
} else {
|
|
435
453
|
throw createClientConfigurationError(
|
|
436
454
|
ClientConfigurationErrorCodes.missingSshJwk
|
|
@@ -443,7 +461,8 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
443
461
|
(this.config.authOptions.clientCapabilities &&
|
|
444
462
|
this.config.authOptions.clientCapabilities.length > 0)
|
|
445
463
|
) {
|
|
446
|
-
|
|
464
|
+
RequestParameterBuilder.addClaims(
|
|
465
|
+
parameters,
|
|
447
466
|
request.claims,
|
|
448
467
|
this.config.authOptions.clientCapabilities
|
|
449
468
|
);
|
|
@@ -459,7 +478,10 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
459
478
|
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
460
479
|
request.ccsCredential.credential
|
|
461
480
|
);
|
|
462
|
-
|
|
481
|
+
RequestParameterBuilder.addCcsOid(
|
|
482
|
+
parameters,
|
|
483
|
+
clientInfo
|
|
484
|
+
);
|
|
463
485
|
} catch (e) {
|
|
464
486
|
this.logger.verbose(
|
|
465
487
|
"Could not parse home account ID for CCS Header: " +
|
|
@@ -468,7 +490,8 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
468
490
|
}
|
|
469
491
|
break;
|
|
470
492
|
case CcsCredentialType.UPN:
|
|
471
|
-
|
|
493
|
+
RequestParameterBuilder.addCcsUpn(
|
|
494
|
+
parameters,
|
|
472
495
|
request.ccsCredential.credential
|
|
473
496
|
);
|
|
474
497
|
break;
|
|
@@ -476,18 +499,25 @@ export class RefreshTokenClient extends BaseClient {
|
|
|
476
499
|
}
|
|
477
500
|
|
|
478
501
|
if (request.embeddedClientId) {
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
|
|
482
|
-
|
|
502
|
+
RequestParameterBuilder.addBrokerParameters(
|
|
503
|
+
parameters,
|
|
504
|
+
this.config.authOptions.clientId,
|
|
505
|
+
this.config.authOptions.redirectUri
|
|
506
|
+
);
|
|
483
507
|
}
|
|
484
508
|
|
|
485
509
|
if (request.tokenBodyParameters) {
|
|
486
|
-
|
|
510
|
+
RequestParameterBuilder.addExtraQueryParameters(
|
|
511
|
+
parameters,
|
|
487
512
|
request.tokenBodyParameters
|
|
488
513
|
);
|
|
489
514
|
}
|
|
490
515
|
|
|
491
|
-
|
|
516
|
+
RequestParameterBuilder.instrumentBrokerParams(
|
|
517
|
+
parameters,
|
|
518
|
+
request.correlationId,
|
|
519
|
+
this.performanceClient
|
|
520
|
+
);
|
|
521
|
+
return UrlUtils.mapToQueryString(parameters);
|
|
492
522
|
}
|
|
493
523
|
}
|
|
@@ -58,3 +58,6 @@ export const DOMAIN_HINT = "domain_hint";
|
|
|
58
58
|
export const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
59
59
|
export const BROKER_CLIENT_ID = "brk_client_id";
|
|
60
60
|
export const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
61
|
+
export const INSTANCE_AWARE = "instance_aware";
|
|
62
|
+
export const EAR_JWK = "ear_jwk";
|
|
63
|
+
export const EAR_JWE_CRYPTO = "ear_jwe_crypto";
|
package/src/exports-common.ts
CHANGED
|
@@ -105,19 +105,21 @@ export {
|
|
|
105
105
|
DEFAULT_CRYPTO_IMPLEMENTATION,
|
|
106
106
|
SignedHttpRequestParameters,
|
|
107
107
|
} from "./crypto/ICrypto.js";
|
|
108
|
+
|
|
109
|
+
export * as AuthorizeProtocol from "./protocol/Authorize.js";
|
|
108
110
|
export { BaseAuthRequest } from "./request/BaseAuthRequest.js";
|
|
109
111
|
export { CommonAuthorizationUrlRequest } from "./request/CommonAuthorizationUrlRequest.js";
|
|
110
112
|
export { CommonAuthorizationCodeRequest } from "./request/CommonAuthorizationCodeRequest.js";
|
|
111
113
|
export { CommonRefreshTokenRequest } from "./request/CommonRefreshTokenRequest.js";
|
|
112
114
|
export { CommonSilentFlowRequest } from "./request/CommonSilentFlowRequest.js";
|
|
113
115
|
export { CommonEndSessionRequest } from "./request/CommonEndSessionRequest.js";
|
|
114
|
-
export
|
|
116
|
+
export * as RequestParameterBuilder from "./request/RequestParameterBuilder.js";
|
|
115
117
|
export { StoreInCache } from "./request/StoreInCache.js";
|
|
116
118
|
export { AzureRegion } from "./authority/AzureRegion.js";
|
|
117
119
|
export { AzureRegionConfiguration } from "./authority/AzureRegionConfiguration.js";
|
|
118
120
|
export { AuthenticationResult } from "./response/AuthenticationResult.js";
|
|
119
121
|
export { AuthorizationCodePayload } from "./response/AuthorizationCodePayload.js";
|
|
120
|
-
export {
|
|
122
|
+
export { AuthorizeResponse } from "./response/AuthorizeResponse.js";
|
|
121
123
|
export { ServerAuthorizationTokenResponse } from "./response/ServerAuthorizationTokenResponse.js";
|
|
122
124
|
export {
|
|
123
125
|
ResponseHandler,
|
|
@@ -158,6 +160,7 @@ export {
|
|
|
158
160
|
OIDC_DEFAULT_SCOPES,
|
|
159
161
|
PromptValue,
|
|
160
162
|
PersistentCacheKeys,
|
|
163
|
+
OAuthResponseType,
|
|
161
164
|
ServerResponseType,
|
|
162
165
|
ResponseMode,
|
|
163
166
|
CacheOutcome,
|
package/src/packageMetadata.ts
CHANGED
|
@@ -0,0 +1,409 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3
|
+
* Licensed under the MIT License.
|
|
4
|
+
*/
|
|
5
|
+
|
|
6
|
+
import { CommonAuthorizationUrlRequest } from "../request/CommonAuthorizationUrlRequest.js";
|
|
7
|
+
import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
|
|
8
|
+
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
|
|
9
|
+
import * as AADServerParamKeys from "../constants/AADServerParamKeys.js";
|
|
10
|
+
import { AuthOptions } from "../config/ClientConfiguration.js";
|
|
11
|
+
import { PromptValue } from "../utils/Constants.js";
|
|
12
|
+
import { AccountInfo } from "../account/AccountInfo.js";
|
|
13
|
+
import { Logger } from "../logger/Logger.js";
|
|
14
|
+
import { buildClientInfoFromHomeAccountId } from "../account/ClientInfo.js";
|
|
15
|
+
import { Authority } from "../authority/Authority.js";
|
|
16
|
+
import { mapToQueryString } from "../utils/UrlUtils.js";
|
|
17
|
+
import { UrlString } from "../url/UrlString.js";
|
|
18
|
+
import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
|
|
19
|
+
import { AuthorizeResponse } from "../response/AuthorizeResponse.js";
|
|
20
|
+
import {
|
|
21
|
+
ClientAuthErrorCodes,
|
|
22
|
+
createClientAuthError,
|
|
23
|
+
} from "../error/ClientAuthError.js";
|
|
24
|
+
import {
|
|
25
|
+
InteractionRequiredAuthError,
|
|
26
|
+
isInteractionRequiredError,
|
|
27
|
+
} from "../error/InteractionRequiredAuthError.js";
|
|
28
|
+
import { ServerError } from "../error/ServerError.js";
|
|
29
|
+
|
|
30
|
+
/**
|
|
31
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
32
|
+
* @param config
|
|
33
|
+
* @param request
|
|
34
|
+
* @param logger
|
|
35
|
+
* @param performanceClient
|
|
36
|
+
* @returns
|
|
37
|
+
*/
|
|
38
|
+
export function getStandardAuthorizeRequestParameters(
|
|
39
|
+
authOptions: AuthOptions,
|
|
40
|
+
request: CommonAuthorizationUrlRequest,
|
|
41
|
+
logger: Logger,
|
|
42
|
+
performanceClient?: IPerformanceClient
|
|
43
|
+
): Map<string, string> {
|
|
44
|
+
// generate the correlationId if not set by the user and add
|
|
45
|
+
const correlationId = request.correlationId;
|
|
46
|
+
|
|
47
|
+
const parameters = new Map<string, string>();
|
|
48
|
+
|
|
49
|
+
RequestParameterBuilder.addClientId(
|
|
50
|
+
parameters,
|
|
51
|
+
request.embeddedClientId ||
|
|
52
|
+
request.extraQueryParameters?.[AADServerParamKeys.CLIENT_ID] ||
|
|
53
|
+
authOptions.clientId
|
|
54
|
+
);
|
|
55
|
+
|
|
56
|
+
const requestScopes = [
|
|
57
|
+
...(request.scopes || []),
|
|
58
|
+
...(request.extraScopesToConsent || []),
|
|
59
|
+
];
|
|
60
|
+
RequestParameterBuilder.addScopes(
|
|
61
|
+
parameters,
|
|
62
|
+
requestScopes,
|
|
63
|
+
true,
|
|
64
|
+
authOptions.authority.options.OIDCOptions?.defaultScopes
|
|
65
|
+
);
|
|
66
|
+
|
|
67
|
+
RequestParameterBuilder.addRedirectUri(parameters, request.redirectUri);
|
|
68
|
+
|
|
69
|
+
RequestParameterBuilder.addCorrelationId(parameters, correlationId);
|
|
70
|
+
|
|
71
|
+
// add response_mode. If not passed in it defaults to query.
|
|
72
|
+
RequestParameterBuilder.addResponseMode(parameters, request.responseMode);
|
|
73
|
+
|
|
74
|
+
// add client_info=1
|
|
75
|
+
RequestParameterBuilder.addClientInfo(parameters);
|
|
76
|
+
|
|
77
|
+
if (request.prompt) {
|
|
78
|
+
RequestParameterBuilder.addPrompt(parameters, request.prompt);
|
|
79
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
if (request.domainHint) {
|
|
83
|
+
RequestParameterBuilder.addDomainHint(parameters, request.domainHint);
|
|
84
|
+
performanceClient?.addFields(
|
|
85
|
+
{ domainHintFromRequest: true },
|
|
86
|
+
correlationId
|
|
87
|
+
);
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
91
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
92
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
93
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
94
|
+
// SessionID is only used in silent calls
|
|
95
|
+
logger.verbose(
|
|
96
|
+
"createAuthCodeUrlQueryString: Prompt is none, adding sid from request"
|
|
97
|
+
);
|
|
98
|
+
RequestParameterBuilder.addSid(parameters, request.sid);
|
|
99
|
+
performanceClient?.addFields(
|
|
100
|
+
{ sidFromRequest: true },
|
|
101
|
+
correlationId
|
|
102
|
+
);
|
|
103
|
+
} else if (request.account) {
|
|
104
|
+
const accountSid = extractAccountSid(request.account);
|
|
105
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
106
|
+
|
|
107
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
108
|
+
logger.warning(
|
|
109
|
+
`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`
|
|
110
|
+
);
|
|
111
|
+
accountLoginHintClaim = null;
|
|
112
|
+
}
|
|
113
|
+
|
|
114
|
+
// If login_hint claim is present, use it over sid/username
|
|
115
|
+
if (accountLoginHintClaim) {
|
|
116
|
+
logger.verbose(
|
|
117
|
+
"createAuthCodeUrlQueryString: login_hint claim present on account"
|
|
118
|
+
);
|
|
119
|
+
RequestParameterBuilder.addLoginHint(
|
|
120
|
+
parameters,
|
|
121
|
+
accountLoginHintClaim
|
|
122
|
+
);
|
|
123
|
+
performanceClient?.addFields(
|
|
124
|
+
{ loginHintFromClaim: true },
|
|
125
|
+
correlationId
|
|
126
|
+
);
|
|
127
|
+
try {
|
|
128
|
+
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
129
|
+
request.account.homeAccountId
|
|
130
|
+
);
|
|
131
|
+
RequestParameterBuilder.addCcsOid(parameters, clientInfo);
|
|
132
|
+
} catch (e) {
|
|
133
|
+
logger.verbose(
|
|
134
|
+
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
135
|
+
);
|
|
136
|
+
}
|
|
137
|
+
} else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
138
|
+
/*
|
|
139
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
140
|
+
* SessionId is only used in silent calls
|
|
141
|
+
*/
|
|
142
|
+
logger.verbose(
|
|
143
|
+
"createAuthCodeUrlQueryString: Prompt is none, adding sid from account"
|
|
144
|
+
);
|
|
145
|
+
RequestParameterBuilder.addSid(parameters, accountSid);
|
|
146
|
+
performanceClient?.addFields(
|
|
147
|
+
{ sidFromClaim: true },
|
|
148
|
+
correlationId
|
|
149
|
+
);
|
|
150
|
+
try {
|
|
151
|
+
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
152
|
+
request.account.homeAccountId
|
|
153
|
+
);
|
|
154
|
+
RequestParameterBuilder.addCcsOid(parameters, clientInfo);
|
|
155
|
+
} catch (e) {
|
|
156
|
+
logger.verbose(
|
|
157
|
+
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
158
|
+
);
|
|
159
|
+
}
|
|
160
|
+
} else if (request.loginHint) {
|
|
161
|
+
logger.verbose(
|
|
162
|
+
"createAuthCodeUrlQueryString: Adding login_hint from request"
|
|
163
|
+
);
|
|
164
|
+
RequestParameterBuilder.addLoginHint(
|
|
165
|
+
parameters,
|
|
166
|
+
request.loginHint
|
|
167
|
+
);
|
|
168
|
+
RequestParameterBuilder.addCcsUpn(
|
|
169
|
+
parameters,
|
|
170
|
+
request.loginHint
|
|
171
|
+
);
|
|
172
|
+
performanceClient?.addFields(
|
|
173
|
+
{ loginHintFromRequest: true },
|
|
174
|
+
correlationId
|
|
175
|
+
);
|
|
176
|
+
} else if (request.account.username) {
|
|
177
|
+
// Fallback to account username if provided
|
|
178
|
+
logger.verbose(
|
|
179
|
+
"createAuthCodeUrlQueryString: Adding login_hint from account"
|
|
180
|
+
);
|
|
181
|
+
RequestParameterBuilder.addLoginHint(
|
|
182
|
+
parameters,
|
|
183
|
+
request.account.username
|
|
184
|
+
);
|
|
185
|
+
performanceClient?.addFields(
|
|
186
|
+
{ loginHintFromUpn: true },
|
|
187
|
+
correlationId
|
|
188
|
+
);
|
|
189
|
+
try {
|
|
190
|
+
const clientInfo = buildClientInfoFromHomeAccountId(
|
|
191
|
+
request.account.homeAccountId
|
|
192
|
+
);
|
|
193
|
+
RequestParameterBuilder.addCcsOid(parameters, clientInfo);
|
|
194
|
+
} catch (e) {
|
|
195
|
+
logger.verbose(
|
|
196
|
+
"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
|
|
197
|
+
);
|
|
198
|
+
}
|
|
199
|
+
}
|
|
200
|
+
} else if (request.loginHint) {
|
|
201
|
+
logger.verbose(
|
|
202
|
+
"createAuthCodeUrlQueryString: No account, adding login_hint from request"
|
|
203
|
+
);
|
|
204
|
+
RequestParameterBuilder.addLoginHint(parameters, request.loginHint);
|
|
205
|
+
RequestParameterBuilder.addCcsUpn(parameters, request.loginHint);
|
|
206
|
+
performanceClient?.addFields(
|
|
207
|
+
{ loginHintFromRequest: true },
|
|
208
|
+
correlationId
|
|
209
|
+
);
|
|
210
|
+
}
|
|
211
|
+
} else {
|
|
212
|
+
logger.verbose(
|
|
213
|
+
"createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints"
|
|
214
|
+
);
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
if (request.nonce) {
|
|
218
|
+
RequestParameterBuilder.addNonce(parameters, request.nonce);
|
|
219
|
+
}
|
|
220
|
+
|
|
221
|
+
if (request.state) {
|
|
222
|
+
RequestParameterBuilder.addState(parameters, request.state);
|
|
223
|
+
}
|
|
224
|
+
|
|
225
|
+
if (
|
|
226
|
+
request.claims ||
|
|
227
|
+
(authOptions.clientCapabilities &&
|
|
228
|
+
authOptions.clientCapabilities.length > 0)
|
|
229
|
+
) {
|
|
230
|
+
RequestParameterBuilder.addClaims(
|
|
231
|
+
parameters,
|
|
232
|
+
request.claims,
|
|
233
|
+
authOptions.clientCapabilities
|
|
234
|
+
);
|
|
235
|
+
}
|
|
236
|
+
|
|
237
|
+
if (request.embeddedClientId) {
|
|
238
|
+
RequestParameterBuilder.addBrokerParameters(
|
|
239
|
+
parameters,
|
|
240
|
+
authOptions.clientId,
|
|
241
|
+
authOptions.redirectUri
|
|
242
|
+
);
|
|
243
|
+
}
|
|
244
|
+
|
|
245
|
+
// If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
|
|
246
|
+
if (
|
|
247
|
+
authOptions.instanceAware &&
|
|
248
|
+
(!request.extraQueryParameters ||
|
|
249
|
+
!Object.keys(request.extraQueryParameters).includes(
|
|
250
|
+
AADServerParamKeys.INSTANCE_AWARE
|
|
251
|
+
))
|
|
252
|
+
) {
|
|
253
|
+
RequestParameterBuilder.addInstanceAware(parameters);
|
|
254
|
+
}
|
|
255
|
+
|
|
256
|
+
return parameters;
|
|
257
|
+
}
|
|
258
|
+
|
|
259
|
+
/**
|
|
260
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
261
|
+
* @param authority
|
|
262
|
+
* @param requestParameters
|
|
263
|
+
* @returns
|
|
264
|
+
*/
|
|
265
|
+
export function getAuthorizeUrl(
|
|
266
|
+
authority: Authority,
|
|
267
|
+
requestParameters: Map<string, string>
|
|
268
|
+
): string {
|
|
269
|
+
const queryString = mapToQueryString(requestParameters);
|
|
270
|
+
|
|
271
|
+
return UrlString.appendQueryString(
|
|
272
|
+
authority.authorizationEndpoint,
|
|
273
|
+
queryString
|
|
274
|
+
);
|
|
275
|
+
}
|
|
276
|
+
|
|
277
|
+
/**
|
|
278
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
279
|
+
* the client to exchange for a token in acquireToken.
|
|
280
|
+
* @param serverParams
|
|
281
|
+
* @param cachedState
|
|
282
|
+
*/
|
|
283
|
+
export function getAuthorizationCodePayload(
|
|
284
|
+
serverParams: AuthorizeResponse,
|
|
285
|
+
cachedState: string
|
|
286
|
+
): AuthorizationCodePayload {
|
|
287
|
+
// Get code response
|
|
288
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
289
|
+
|
|
290
|
+
// throw when there is no auth code in the response
|
|
291
|
+
if (!serverParams.code) {
|
|
292
|
+
throw createClientAuthError(
|
|
293
|
+
ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse
|
|
294
|
+
);
|
|
295
|
+
}
|
|
296
|
+
|
|
297
|
+
return serverParams as AuthorizationCodePayload;
|
|
298
|
+
}
|
|
299
|
+
|
|
300
|
+
/**
|
|
301
|
+
* Function which validates server authorization code response.
|
|
302
|
+
* @param serverResponseHash
|
|
303
|
+
* @param requestState
|
|
304
|
+
*/
|
|
305
|
+
export function validateAuthorizationResponse(
|
|
306
|
+
serverResponse: AuthorizeResponse,
|
|
307
|
+
requestState: string
|
|
308
|
+
): void {
|
|
309
|
+
if (!serverResponse.state || !requestState) {
|
|
310
|
+
throw serverResponse.state
|
|
311
|
+
? createClientAuthError(
|
|
312
|
+
ClientAuthErrorCodes.stateNotFound,
|
|
313
|
+
"Cached State"
|
|
314
|
+
)
|
|
315
|
+
: createClientAuthError(
|
|
316
|
+
ClientAuthErrorCodes.stateNotFound,
|
|
317
|
+
"Server State"
|
|
318
|
+
);
|
|
319
|
+
}
|
|
320
|
+
|
|
321
|
+
let decodedServerResponseState: string;
|
|
322
|
+
let decodedRequestState: string;
|
|
323
|
+
|
|
324
|
+
try {
|
|
325
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
326
|
+
} catch (e) {
|
|
327
|
+
throw createClientAuthError(
|
|
328
|
+
ClientAuthErrorCodes.invalidState,
|
|
329
|
+
serverResponse.state
|
|
330
|
+
);
|
|
331
|
+
}
|
|
332
|
+
|
|
333
|
+
try {
|
|
334
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
335
|
+
} catch (e) {
|
|
336
|
+
throw createClientAuthError(
|
|
337
|
+
ClientAuthErrorCodes.invalidState,
|
|
338
|
+
serverResponse.state
|
|
339
|
+
);
|
|
340
|
+
}
|
|
341
|
+
|
|
342
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
343
|
+
throw createClientAuthError(ClientAuthErrorCodes.stateMismatch);
|
|
344
|
+
}
|
|
345
|
+
|
|
346
|
+
// Check for error
|
|
347
|
+
if (
|
|
348
|
+
serverResponse.error ||
|
|
349
|
+
serverResponse.error_description ||
|
|
350
|
+
serverResponse.suberror
|
|
351
|
+
) {
|
|
352
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
353
|
+
if (
|
|
354
|
+
isInteractionRequiredError(
|
|
355
|
+
serverResponse.error,
|
|
356
|
+
serverResponse.error_description,
|
|
357
|
+
serverResponse.suberror
|
|
358
|
+
)
|
|
359
|
+
) {
|
|
360
|
+
throw new InteractionRequiredAuthError(
|
|
361
|
+
serverResponse.error || "",
|
|
362
|
+
serverResponse.error_description,
|
|
363
|
+
serverResponse.suberror,
|
|
364
|
+
serverResponse.timestamp || "",
|
|
365
|
+
serverResponse.trace_id || "",
|
|
366
|
+
serverResponse.correlation_id || "",
|
|
367
|
+
serverResponse.claims || "",
|
|
368
|
+
serverErrorNo
|
|
369
|
+
);
|
|
370
|
+
}
|
|
371
|
+
|
|
372
|
+
throw new ServerError(
|
|
373
|
+
serverResponse.error || "",
|
|
374
|
+
serverResponse.error_description,
|
|
375
|
+
serverResponse.suberror,
|
|
376
|
+
serverErrorNo
|
|
377
|
+
);
|
|
378
|
+
}
|
|
379
|
+
}
|
|
380
|
+
|
|
381
|
+
/**
|
|
382
|
+
* Get server error No from the error_uri
|
|
383
|
+
* @param serverResponse
|
|
384
|
+
* @returns
|
|
385
|
+
*/
|
|
386
|
+
function parseServerErrorNo(
|
|
387
|
+
serverResponse: AuthorizeResponse
|
|
388
|
+
): string | undefined {
|
|
389
|
+
const errorCodePrefix = "code=";
|
|
390
|
+
const errorCodePrefixIndex =
|
|
391
|
+
serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
392
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
393
|
+
? serverResponse.error_uri?.substring(
|
|
394
|
+
errorCodePrefixIndex + errorCodePrefix.length
|
|
395
|
+
)
|
|
396
|
+
: undefined;
|
|
397
|
+
}
|
|
398
|
+
|
|
399
|
+
/**
|
|
400
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
401
|
+
* @param account
|
|
402
|
+
*/
|
|
403
|
+
function extractAccountSid(account: AccountInfo): string | null {
|
|
404
|
+
return account.idTokenClaims?.sid || null;
|
|
405
|
+
}
|
|
406
|
+
|
|
407
|
+
function extractLoginHint(account: AccountInfo): string | null {
|
|
408
|
+
return account.idTokenClaims?.login_hint || null;
|
|
409
|
+
}
|