@azure/msal-common 15.2.1 → 15.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (170) hide show
  1. package/dist/account/AccountInfo.mjs +1 -1
  2. package/dist/account/AuthToken.mjs +1 -1
  3. package/dist/account/CcsCredential.mjs +1 -1
  4. package/dist/account/ClientInfo.mjs +1 -1
  5. package/dist/account/TokenClaims.mjs +1 -1
  6. package/dist/authority/Authority.mjs +3 -3
  7. package/dist/authority/Authority.mjs.map +1 -1
  8. package/dist/authority/AuthorityFactory.mjs +1 -1
  9. package/dist/authority/AuthorityMetadata.mjs +1 -1
  10. package/dist/authority/AuthorityOptions.mjs +1 -1
  11. package/dist/authority/AuthorityType.mjs +1 -1
  12. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  13. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  14. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  15. package/dist/authority/ProtocolMode.d.ts +11 -0
  16. package/dist/authority/ProtocolMode.d.ts.map +1 -1
  17. package/dist/authority/ProtocolMode.mjs +12 -1
  18. package/dist/authority/ProtocolMode.mjs.map +1 -1
  19. package/dist/authority/RegionDiscovery.mjs +1 -1
  20. package/dist/cache/CacheManager.mjs +1 -1
  21. package/dist/cache/entities/AccountEntity.mjs +4 -4
  22. package/dist/cache/entities/AccountEntity.mjs.map +1 -1
  23. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  24. package/dist/cache/utils/CacheHelpers.mjs +1 -1
  25. package/dist/client/AuthorizationCodeClient.d.ts +0 -31
  26. package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
  27. package/dist/client/AuthorizationCodeClient.mjs +41 -246
  28. package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
  29. package/dist/client/BaseClient.d.ts.map +1 -1
  30. package/dist/client/BaseClient.mjs +9 -10
  31. package/dist/client/BaseClient.mjs.map +1 -1
  32. package/dist/client/RefreshTokenClient.d.ts.map +1 -1
  33. package/dist/client/RefreshTokenClient.mjs +27 -29
  34. package/dist/client/RefreshTokenClient.mjs.map +1 -1
  35. package/dist/client/SilentFlowClient.mjs +1 -1
  36. package/dist/config/ClientConfiguration.mjs +1 -1
  37. package/dist/constants/AADServerParamKeys.d.ts +3 -0
  38. package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
  39. package/dist/constants/AADServerParamKeys.mjs +6 -3
  40. package/dist/constants/AADServerParamKeys.mjs.map +1 -1
  41. package/dist/crypto/ICrypto.mjs +1 -1
  42. package/dist/crypto/JoseHeader.mjs +1 -1
  43. package/dist/crypto/PopTokenGenerator.mjs +1 -1
  44. package/dist/error/AuthError.mjs +1 -1
  45. package/dist/error/AuthErrorCodes.mjs +1 -1
  46. package/dist/error/CacheError.mjs +1 -1
  47. package/dist/error/CacheErrorCodes.mjs +1 -1
  48. package/dist/error/ClientAuthError.mjs +1 -1
  49. package/dist/error/ClientAuthErrorCodes.mjs +1 -1
  50. package/dist/error/ClientConfigurationError.mjs +1 -1
  51. package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
  52. package/dist/error/InteractionRequiredAuthError.mjs +1 -1
  53. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  54. package/dist/error/JoseHeaderError.mjs +1 -1
  55. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  56. package/dist/error/NetworkError.mjs +1 -1
  57. package/dist/error/ServerError.mjs +1 -1
  58. package/dist/exports-common.d.ts +4 -3
  59. package/dist/exports-common.d.ts.map +1 -1
  60. package/dist/index-browser.mjs +6 -3
  61. package/dist/index-browser.mjs.map +1 -1
  62. package/dist/index-node.mjs +6 -3
  63. package/dist/index-node.mjs.map +1 -1
  64. package/dist/index.mjs +6 -3
  65. package/dist/index.mjs.map +1 -1
  66. package/dist/logger/Logger.mjs +1 -1
  67. package/dist/network/INetworkModule.mjs +1 -1
  68. package/dist/network/RequestThumbprint.mjs +1 -1
  69. package/dist/network/ThrottlingUtils.mjs +1 -1
  70. package/dist/packageMetadata.d.ts +1 -1
  71. package/dist/packageMetadata.mjs +2 -2
  72. package/dist/protocol/Authorize.d.ts +37 -0
  73. package/dist/protocol/Authorize.d.ts.map +1 -0
  74. package/dist/protocol/Authorize.mjs +237 -0
  75. package/dist/protocol/Authorize.mjs.map +1 -0
  76. package/dist/request/AuthenticationHeaderParser.mjs +1 -1
  77. package/dist/request/CommonAuthorizationUrlRequest.d.ts +3 -2
  78. package/dist/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
  79. package/dist/request/RequestParameterBuilder.d.ts +211 -219
  80. package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
  81. package/dist/request/RequestParameterBuilder.mjs +364 -370
  82. package/dist/request/RequestParameterBuilder.mjs.map +1 -1
  83. package/dist/request/RequestValidator.mjs +1 -1
  84. package/dist/request/ScopeSet.mjs +1 -1
  85. package/dist/response/AuthorizeResponse.d.ts +76 -0
  86. package/dist/response/AuthorizeResponse.d.ts.map +1 -0
  87. package/dist/response/ResponseHandler.d.ts +0 -8
  88. package/dist/response/ResponseHandler.d.ts.map +1 -1
  89. package/dist/response/ResponseHandler.mjs +2 -49
  90. package/dist/response/ResponseHandler.mjs.map +1 -1
  91. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  92. package/dist/telemetry/performance/PerformanceEvent.d.ts +6 -2
  93. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  94. package/dist/telemetry/performance/PerformanceEvent.mjs +15 -11
  95. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  96. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  97. package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
  98. package/dist/url/UrlString.mjs +1 -1
  99. package/dist/utils/ClientAssertionUtils.mjs +1 -1
  100. package/dist/utils/Constants.d.ts +11 -5
  101. package/dist/utils/Constants.d.ts.map +1 -1
  102. package/dist/utils/Constants.mjs +13 -8
  103. package/dist/utils/Constants.mjs.map +1 -1
  104. package/dist/utils/FunctionWrappers.mjs +1 -1
  105. package/dist/utils/ProtocolUtils.mjs +1 -1
  106. package/dist/utils/StringUtils.mjs +1 -1
  107. package/dist/utils/TimeUtils.mjs +1 -1
  108. package/dist/utils/UrlUtils.d.ts +6 -2
  109. package/dist/utils/UrlUtils.d.ts.map +1 -1
  110. package/dist/utils/UrlUtils.mjs +13 -2
  111. package/dist/utils/UrlUtils.mjs.map +1 -1
  112. package/lib/index-browser.cjs +4 -2
  113. package/lib/index-browser.cjs.map +1 -1
  114. package/lib/{index-node--LMD5Re1.js → index-node-C56U0Gkp.js} +833 -777
  115. package/lib/index-node-C56U0Gkp.js.map +1 -0
  116. package/lib/index-node.cjs +4 -2
  117. package/lib/index-node.cjs.map +1 -1
  118. package/lib/index.cjs +4 -2
  119. package/lib/index.cjs.map +1 -1
  120. package/lib/types/authority/ProtocolMode.d.ts +11 -0
  121. package/lib/types/authority/ProtocolMode.d.ts.map +1 -1
  122. package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
  123. package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
  124. package/lib/types/client/BaseClient.d.ts.map +1 -1
  125. package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
  126. package/lib/types/constants/AADServerParamKeys.d.ts +3 -0
  127. package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
  128. package/lib/types/exports-common.d.ts +4 -3
  129. package/lib/types/exports-common.d.ts.map +1 -1
  130. package/lib/types/packageMetadata.d.ts +1 -1
  131. package/lib/types/protocol/Authorize.d.ts +37 -0
  132. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  133. package/lib/types/request/CommonAuthorizationUrlRequest.d.ts +3 -2
  134. package/lib/types/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
  135. package/lib/types/request/RequestParameterBuilder.d.ts +211 -219
  136. package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
  137. package/lib/types/response/AuthorizeResponse.d.ts +76 -0
  138. package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
  139. package/lib/types/response/ResponseHandler.d.ts +0 -8
  140. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  141. package/lib/types/telemetry/performance/PerformanceEvent.d.ts +6 -2
  142. package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  143. package/lib/types/utils/Constants.d.ts +11 -5
  144. package/lib/types/utils/Constants.d.ts.map +1 -1
  145. package/lib/types/utils/UrlUtils.d.ts +6 -2
  146. package/lib/types/utils/UrlUtils.d.ts.map +1 -1
  147. package/package.json +1 -1
  148. package/src/authority/Authority.ts +2 -2
  149. package/src/authority/ProtocolMode.ts +11 -0
  150. package/src/cache/entities/AccountEntity.ts +3 -3
  151. package/src/client/AuthorizationCodeClient.ts +84 -395
  152. package/src/client/BaseClient.ts +20 -12
  153. package/src/client/RefreshTokenClient.ts +60 -30
  154. package/src/constants/AADServerParamKeys.ts +3 -0
  155. package/src/exports-common.ts +5 -2
  156. package/src/packageMetadata.ts +1 -1
  157. package/src/protocol/Authorize.ts +409 -0
  158. package/src/request/CommonAuthorizationUrlRequest.ts +3 -2
  159. package/src/request/RequestParameterBuilder.ts +516 -545
  160. package/src/response/AuthorizeResponse.ts +80 -0
  161. package/src/response/ResponseHandler.ts +0 -98
  162. package/src/telemetry/performance/PerformanceEvent.ts +14 -11
  163. package/src/utils/Constants.ts +14 -6
  164. package/src/utils/UrlUtils.ts +19 -4
  165. package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  166. package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  167. package/lib/index-node--LMD5Re1.js.map +0 -1
  168. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  169. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  170. package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
@@ -25,7 +25,8 @@ import { version, name } from "../packageMetadata.js";
25
25
  import { CcsCredential, CcsCredentialType } from "../account/CcsCredential.js";
26
26
  import { buildClientInfoFromHomeAccountId } from "../account/ClientInfo.js";
27
27
  import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
28
- import { RequestParameterBuilder } from "../request/RequestParameterBuilder.js";
28
+ import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
29
+ import * as UrlUtils from "../utils/UrlUtils.js";
29
30
  import { BaseAuthRequest } from "../request/BaseAuthRequest.js";
30
31
  import { createDiscoveredInstance } from "../authority/AuthorityFactory.js";
31
32
  import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent.js";
@@ -278,26 +279,33 @@ export abstract class BaseClient {
278
279
  * @param request
279
280
  */
280
281
  createTokenQueryParameters(request: BaseAuthRequest): string {
281
- const parameterBuilder = new RequestParameterBuilder(
282
- request.correlationId,
283
- this.performanceClient
284
- );
282
+ const parameters = new Map<string, string>();
285
283
 
286
284
  if (request.embeddedClientId) {
287
- parameterBuilder.addBrokerParameters({
288
- brokerClientId: this.config.authOptions.clientId,
289
- brokerRedirectUri: this.config.authOptions.redirectUri,
290
- });
285
+ RequestParameterBuilder.addBrokerParameters(
286
+ parameters,
287
+ this.config.authOptions.clientId,
288
+ this.config.authOptions.redirectUri
289
+ );
291
290
  }
292
291
 
293
292
  if (request.tokenQueryParameters) {
294
- parameterBuilder.addExtraQueryParameters(
293
+ RequestParameterBuilder.addExtraQueryParameters(
294
+ parameters,
295
295
  request.tokenQueryParameters
296
296
  );
297
297
  }
298
298
 
299
- parameterBuilder.addCorrelationId(request.correlationId);
299
+ RequestParameterBuilder.addCorrelationId(
300
+ parameters,
301
+ request.correlationId
302
+ );
300
303
 
301
- return parameterBuilder.createQueryString();
304
+ RequestParameterBuilder.instrumentBrokerParams(
305
+ parameters,
306
+ request.correlationId,
307
+ this.performanceClient
308
+ );
309
+ return UrlUtils.mapToQueryString(parameters);
302
310
  }
303
311
  }
@@ -11,7 +11,8 @@ import { BaseClient } from "./BaseClient.js";
11
11
  import { CommonRefreshTokenRequest } from "../request/CommonRefreshTokenRequest.js";
12
12
  import { Authority } from "../authority/Authority.js";
13
13
  import { ServerAuthorizationTokenResponse } from "../response/ServerAuthorizationTokenResponse.js";
14
- import { RequestParameterBuilder } from "../request/RequestParameterBuilder.js";
14
+ import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
15
+ import * as UrlUtils from "../utils/UrlUtils.js";
15
16
  import {
16
17
  GrantType,
17
18
  AuthenticationScheme,
@@ -345,46 +346,61 @@ export class RefreshTokenClient extends BaseClient {
345
346
  request.correlationId
346
347
  );
347
348
 
348
- const correlationId = request.correlationId;
349
- const parameterBuilder = new RequestParameterBuilder(
350
- correlationId,
351
- this.performanceClient
352
- );
349
+ const parameters = new Map<string, string>();
353
350
 
354
- parameterBuilder.addClientId(
351
+ RequestParameterBuilder.addClientId(
352
+ parameters,
355
353
  request.embeddedClientId ||
356
354
  request.tokenBodyParameters?.[AADServerParamKeys.CLIENT_ID] ||
357
355
  this.config.authOptions.clientId
358
356
  );
359
357
 
360
358
  if (request.redirectUri) {
361
- parameterBuilder.addRedirectUri(request.redirectUri);
359
+ RequestParameterBuilder.addRedirectUri(
360
+ parameters,
361
+ request.redirectUri
362
+ );
362
363
  }
363
364
 
364
- parameterBuilder.addScopes(
365
+ RequestParameterBuilder.addScopes(
366
+ parameters,
365
367
  request.scopes,
366
368
  true,
367
369
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes
368
370
  );
369
371
 
370
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
372
+ RequestParameterBuilder.addGrantType(
373
+ parameters,
374
+ GrantType.REFRESH_TOKEN_GRANT
375
+ );
371
376
 
372
- parameterBuilder.addClientInfo();
377
+ RequestParameterBuilder.addClientInfo(parameters);
373
378
 
374
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
375
- parameterBuilder.addApplicationTelemetry(
379
+ RequestParameterBuilder.addLibraryInfo(
380
+ parameters,
381
+ this.config.libraryInfo
382
+ );
383
+ RequestParameterBuilder.addApplicationTelemetry(
384
+ parameters,
376
385
  this.config.telemetry.application
377
386
  );
378
- parameterBuilder.addThrottling();
387
+ RequestParameterBuilder.addThrottling(parameters);
379
388
 
380
389
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
381
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
390
+ RequestParameterBuilder.addServerTelemetry(
391
+ parameters,
392
+ this.serverTelemetryManager
393
+ );
382
394
  }
383
395
 
384
- parameterBuilder.addRefreshToken(request.refreshToken);
396
+ RequestParameterBuilder.addRefreshToken(
397
+ parameters,
398
+ request.refreshToken
399
+ );
385
400
 
386
401
  if (this.config.clientCredentials.clientSecret) {
387
- parameterBuilder.addClientSecret(
402
+ RequestParameterBuilder.addClientSecret(
403
+ parameters,
388
404
  this.config.clientCredentials.clientSecret
389
405
  );
390
406
  }
@@ -393,14 +409,16 @@ export class RefreshTokenClient extends BaseClient {
393
409
  const clientAssertion: ClientAssertion =
394
410
  this.config.clientCredentials.clientAssertion;
395
411
 
396
- parameterBuilder.addClientAssertion(
412
+ RequestParameterBuilder.addClientAssertion(
413
+ parameters,
397
414
  await getClientAssertion(
398
415
  clientAssertion.assertion,
399
416
  this.config.authOptions.clientId,
400
417
  request.resourceRequestUri
401
418
  )
402
419
  );
403
- parameterBuilder.addClientAssertionType(
420
+ RequestParameterBuilder.addClientAssertionType(
421
+ parameters,
404
422
  clientAssertion.assertionType
405
423
  );
406
424
  }
@@ -427,10 +445,10 @@ export class RefreshTokenClient extends BaseClient {
427
445
  }
428
446
 
429
447
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
430
- parameterBuilder.addPopToken(reqCnfData);
448
+ RequestParameterBuilder.addPopToken(parameters, reqCnfData);
431
449
  } else if (request.authenticationScheme === AuthenticationScheme.SSH) {
432
450
  if (request.sshJwk) {
433
- parameterBuilder.addSshJwk(request.sshJwk);
451
+ RequestParameterBuilder.addSshJwk(parameters, request.sshJwk);
434
452
  } else {
435
453
  throw createClientConfigurationError(
436
454
  ClientConfigurationErrorCodes.missingSshJwk
@@ -443,7 +461,8 @@ export class RefreshTokenClient extends BaseClient {
443
461
  (this.config.authOptions.clientCapabilities &&
444
462
  this.config.authOptions.clientCapabilities.length > 0)
445
463
  ) {
446
- parameterBuilder.addClaims(
464
+ RequestParameterBuilder.addClaims(
465
+ parameters,
447
466
  request.claims,
448
467
  this.config.authOptions.clientCapabilities
449
468
  );
@@ -459,7 +478,10 @@ export class RefreshTokenClient extends BaseClient {
459
478
  const clientInfo = buildClientInfoFromHomeAccountId(
460
479
  request.ccsCredential.credential
461
480
  );
462
- parameterBuilder.addCcsOid(clientInfo);
481
+ RequestParameterBuilder.addCcsOid(
482
+ parameters,
483
+ clientInfo
484
+ );
463
485
  } catch (e) {
464
486
  this.logger.verbose(
465
487
  "Could not parse home account ID for CCS Header: " +
@@ -468,7 +490,8 @@ export class RefreshTokenClient extends BaseClient {
468
490
  }
469
491
  break;
470
492
  case CcsCredentialType.UPN:
471
- parameterBuilder.addCcsUpn(
493
+ RequestParameterBuilder.addCcsUpn(
494
+ parameters,
472
495
  request.ccsCredential.credential
473
496
  );
474
497
  break;
@@ -476,18 +499,25 @@ export class RefreshTokenClient extends BaseClient {
476
499
  }
477
500
 
478
501
  if (request.embeddedClientId) {
479
- parameterBuilder.addBrokerParameters({
480
- brokerClientId: this.config.authOptions.clientId,
481
- brokerRedirectUri: this.config.authOptions.redirectUri,
482
- });
502
+ RequestParameterBuilder.addBrokerParameters(
503
+ parameters,
504
+ this.config.authOptions.clientId,
505
+ this.config.authOptions.redirectUri
506
+ );
483
507
  }
484
508
 
485
509
  if (request.tokenBodyParameters) {
486
- parameterBuilder.addExtraQueryParameters(
510
+ RequestParameterBuilder.addExtraQueryParameters(
511
+ parameters,
487
512
  request.tokenBodyParameters
488
513
  );
489
514
  }
490
515
 
491
- return parameterBuilder.createQueryString();
516
+ RequestParameterBuilder.instrumentBrokerParams(
517
+ parameters,
518
+ request.correlationId,
519
+ this.performanceClient
520
+ );
521
+ return UrlUtils.mapToQueryString(parameters);
492
522
  }
493
523
  }
@@ -58,3 +58,6 @@ export const DOMAIN_HINT = "domain_hint";
58
58
  export const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
59
59
  export const BROKER_CLIENT_ID = "brk_client_id";
60
60
  export const BROKER_REDIRECT_URI = "brk_redirect_uri";
61
+ export const INSTANCE_AWARE = "instance_aware";
62
+ export const EAR_JWK = "ear_jwk";
63
+ export const EAR_JWE_CRYPTO = "ear_jwe_crypto";
@@ -105,19 +105,21 @@ export {
105
105
  DEFAULT_CRYPTO_IMPLEMENTATION,
106
106
  SignedHttpRequestParameters,
107
107
  } from "./crypto/ICrypto.js";
108
+
109
+ export * as AuthorizeProtocol from "./protocol/Authorize.js";
108
110
  export { BaseAuthRequest } from "./request/BaseAuthRequest.js";
109
111
  export { CommonAuthorizationUrlRequest } from "./request/CommonAuthorizationUrlRequest.js";
110
112
  export { CommonAuthorizationCodeRequest } from "./request/CommonAuthorizationCodeRequest.js";
111
113
  export { CommonRefreshTokenRequest } from "./request/CommonRefreshTokenRequest.js";
112
114
  export { CommonSilentFlowRequest } from "./request/CommonSilentFlowRequest.js";
113
115
  export { CommonEndSessionRequest } from "./request/CommonEndSessionRequest.js";
114
- export { RequestParameterBuilder } from "./request/RequestParameterBuilder.js";
116
+ export * as RequestParameterBuilder from "./request/RequestParameterBuilder.js";
115
117
  export { StoreInCache } from "./request/StoreInCache.js";
116
118
  export { AzureRegion } from "./authority/AzureRegion.js";
117
119
  export { AzureRegionConfiguration } from "./authority/AzureRegionConfiguration.js";
118
120
  export { AuthenticationResult } from "./response/AuthenticationResult.js";
119
121
  export { AuthorizationCodePayload } from "./response/AuthorizationCodePayload.js";
120
- export { ServerAuthorizationCodeResponse } from "./response/ServerAuthorizationCodeResponse.js";
122
+ export { AuthorizeResponse } from "./response/AuthorizeResponse.js";
121
123
  export { ServerAuthorizationTokenResponse } from "./response/ServerAuthorizationTokenResponse.js";
122
124
  export {
123
125
  ResponseHandler,
@@ -158,6 +160,7 @@ export {
158
160
  OIDC_DEFAULT_SCOPES,
159
161
  PromptValue,
160
162
  PersistentCacheKeys,
163
+ OAuthResponseType,
161
164
  ServerResponseType,
162
165
  ResponseMode,
163
166
  CacheOutcome,
@@ -1,3 +1,3 @@
1
1
  /* eslint-disable header/header */
2
2
  export const name = "@azure/msal-common";
3
- export const version = "15.2.1";
3
+ export const version = "15.4.0";
@@ -0,0 +1,409 @@
1
+ /*
2
+ * Copyright (c) Microsoft Corporation. All rights reserved.
3
+ * Licensed under the MIT License.
4
+ */
5
+
6
+ import { CommonAuthorizationUrlRequest } from "../request/CommonAuthorizationUrlRequest.js";
7
+ import * as RequestParameterBuilder from "../request/RequestParameterBuilder.js";
8
+ import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
9
+ import * as AADServerParamKeys from "../constants/AADServerParamKeys.js";
10
+ import { AuthOptions } from "../config/ClientConfiguration.js";
11
+ import { PromptValue } from "../utils/Constants.js";
12
+ import { AccountInfo } from "../account/AccountInfo.js";
13
+ import { Logger } from "../logger/Logger.js";
14
+ import { buildClientInfoFromHomeAccountId } from "../account/ClientInfo.js";
15
+ import { Authority } from "../authority/Authority.js";
16
+ import { mapToQueryString } from "../utils/UrlUtils.js";
17
+ import { UrlString } from "../url/UrlString.js";
18
+ import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
19
+ import { AuthorizeResponse } from "../response/AuthorizeResponse.js";
20
+ import {
21
+ ClientAuthErrorCodes,
22
+ createClientAuthError,
23
+ } from "../error/ClientAuthError.js";
24
+ import {
25
+ InteractionRequiredAuthError,
26
+ isInteractionRequiredError,
27
+ } from "../error/InteractionRequiredAuthError.js";
28
+ import { ServerError } from "../error/ServerError.js";
29
+
30
+ /**
31
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
32
+ * @param config
33
+ * @param request
34
+ * @param logger
35
+ * @param performanceClient
36
+ * @returns
37
+ */
38
+ export function getStandardAuthorizeRequestParameters(
39
+ authOptions: AuthOptions,
40
+ request: CommonAuthorizationUrlRequest,
41
+ logger: Logger,
42
+ performanceClient?: IPerformanceClient
43
+ ): Map<string, string> {
44
+ // generate the correlationId if not set by the user and add
45
+ const correlationId = request.correlationId;
46
+
47
+ const parameters = new Map<string, string>();
48
+
49
+ RequestParameterBuilder.addClientId(
50
+ parameters,
51
+ request.embeddedClientId ||
52
+ request.extraQueryParameters?.[AADServerParamKeys.CLIENT_ID] ||
53
+ authOptions.clientId
54
+ );
55
+
56
+ const requestScopes = [
57
+ ...(request.scopes || []),
58
+ ...(request.extraScopesToConsent || []),
59
+ ];
60
+ RequestParameterBuilder.addScopes(
61
+ parameters,
62
+ requestScopes,
63
+ true,
64
+ authOptions.authority.options.OIDCOptions?.defaultScopes
65
+ );
66
+
67
+ RequestParameterBuilder.addRedirectUri(parameters, request.redirectUri);
68
+
69
+ RequestParameterBuilder.addCorrelationId(parameters, correlationId);
70
+
71
+ // add response_mode. If not passed in it defaults to query.
72
+ RequestParameterBuilder.addResponseMode(parameters, request.responseMode);
73
+
74
+ // add client_info=1
75
+ RequestParameterBuilder.addClientInfo(parameters);
76
+
77
+ if (request.prompt) {
78
+ RequestParameterBuilder.addPrompt(parameters, request.prompt);
79
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
80
+ }
81
+
82
+ if (request.domainHint) {
83
+ RequestParameterBuilder.addDomainHint(parameters, request.domainHint);
84
+ performanceClient?.addFields(
85
+ { domainHintFromRequest: true },
86
+ correlationId
87
+ );
88
+ }
89
+
90
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
91
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
92
+ // AAD will throw if prompt=select_account is passed with an account hint
93
+ if (request.sid && request.prompt === PromptValue.NONE) {
94
+ // SessionID is only used in silent calls
95
+ logger.verbose(
96
+ "createAuthCodeUrlQueryString: Prompt is none, adding sid from request"
97
+ );
98
+ RequestParameterBuilder.addSid(parameters, request.sid);
99
+ performanceClient?.addFields(
100
+ { sidFromRequest: true },
101
+ correlationId
102
+ );
103
+ } else if (request.account) {
104
+ const accountSid = extractAccountSid(request.account);
105
+ let accountLoginHintClaim = extractLoginHint(request.account);
106
+
107
+ if (accountLoginHintClaim && request.domainHint) {
108
+ logger.warning(
109
+ `AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`
110
+ );
111
+ accountLoginHintClaim = null;
112
+ }
113
+
114
+ // If login_hint claim is present, use it over sid/username
115
+ if (accountLoginHintClaim) {
116
+ logger.verbose(
117
+ "createAuthCodeUrlQueryString: login_hint claim present on account"
118
+ );
119
+ RequestParameterBuilder.addLoginHint(
120
+ parameters,
121
+ accountLoginHintClaim
122
+ );
123
+ performanceClient?.addFields(
124
+ { loginHintFromClaim: true },
125
+ correlationId
126
+ );
127
+ try {
128
+ const clientInfo = buildClientInfoFromHomeAccountId(
129
+ request.account.homeAccountId
130
+ );
131
+ RequestParameterBuilder.addCcsOid(parameters, clientInfo);
132
+ } catch (e) {
133
+ logger.verbose(
134
+ "createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
135
+ );
136
+ }
137
+ } else if (accountSid && request.prompt === PromptValue.NONE) {
138
+ /*
139
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
140
+ * SessionId is only used in silent calls
141
+ */
142
+ logger.verbose(
143
+ "createAuthCodeUrlQueryString: Prompt is none, adding sid from account"
144
+ );
145
+ RequestParameterBuilder.addSid(parameters, accountSid);
146
+ performanceClient?.addFields(
147
+ { sidFromClaim: true },
148
+ correlationId
149
+ );
150
+ try {
151
+ const clientInfo = buildClientInfoFromHomeAccountId(
152
+ request.account.homeAccountId
153
+ );
154
+ RequestParameterBuilder.addCcsOid(parameters, clientInfo);
155
+ } catch (e) {
156
+ logger.verbose(
157
+ "createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
158
+ );
159
+ }
160
+ } else if (request.loginHint) {
161
+ logger.verbose(
162
+ "createAuthCodeUrlQueryString: Adding login_hint from request"
163
+ );
164
+ RequestParameterBuilder.addLoginHint(
165
+ parameters,
166
+ request.loginHint
167
+ );
168
+ RequestParameterBuilder.addCcsUpn(
169
+ parameters,
170
+ request.loginHint
171
+ );
172
+ performanceClient?.addFields(
173
+ { loginHintFromRequest: true },
174
+ correlationId
175
+ );
176
+ } else if (request.account.username) {
177
+ // Fallback to account username if provided
178
+ logger.verbose(
179
+ "createAuthCodeUrlQueryString: Adding login_hint from account"
180
+ );
181
+ RequestParameterBuilder.addLoginHint(
182
+ parameters,
183
+ request.account.username
184
+ );
185
+ performanceClient?.addFields(
186
+ { loginHintFromUpn: true },
187
+ correlationId
188
+ );
189
+ try {
190
+ const clientInfo = buildClientInfoFromHomeAccountId(
191
+ request.account.homeAccountId
192
+ );
193
+ RequestParameterBuilder.addCcsOid(parameters, clientInfo);
194
+ } catch (e) {
195
+ logger.verbose(
196
+ "createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header"
197
+ );
198
+ }
199
+ }
200
+ } else if (request.loginHint) {
201
+ logger.verbose(
202
+ "createAuthCodeUrlQueryString: No account, adding login_hint from request"
203
+ );
204
+ RequestParameterBuilder.addLoginHint(parameters, request.loginHint);
205
+ RequestParameterBuilder.addCcsUpn(parameters, request.loginHint);
206
+ performanceClient?.addFields(
207
+ { loginHintFromRequest: true },
208
+ correlationId
209
+ );
210
+ }
211
+ } else {
212
+ logger.verbose(
213
+ "createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints"
214
+ );
215
+ }
216
+
217
+ if (request.nonce) {
218
+ RequestParameterBuilder.addNonce(parameters, request.nonce);
219
+ }
220
+
221
+ if (request.state) {
222
+ RequestParameterBuilder.addState(parameters, request.state);
223
+ }
224
+
225
+ if (
226
+ request.claims ||
227
+ (authOptions.clientCapabilities &&
228
+ authOptions.clientCapabilities.length > 0)
229
+ ) {
230
+ RequestParameterBuilder.addClaims(
231
+ parameters,
232
+ request.claims,
233
+ authOptions.clientCapabilities
234
+ );
235
+ }
236
+
237
+ if (request.embeddedClientId) {
238
+ RequestParameterBuilder.addBrokerParameters(
239
+ parameters,
240
+ authOptions.clientId,
241
+ authOptions.redirectUri
242
+ );
243
+ }
244
+
245
+ // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
246
+ if (
247
+ authOptions.instanceAware &&
248
+ (!request.extraQueryParameters ||
249
+ !Object.keys(request.extraQueryParameters).includes(
250
+ AADServerParamKeys.INSTANCE_AWARE
251
+ ))
252
+ ) {
253
+ RequestParameterBuilder.addInstanceAware(parameters);
254
+ }
255
+
256
+ return parameters;
257
+ }
258
+
259
+ /**
260
+ * Returns authorize endpoint with given request parameters in the query string
261
+ * @param authority
262
+ * @param requestParameters
263
+ * @returns
264
+ */
265
+ export function getAuthorizeUrl(
266
+ authority: Authority,
267
+ requestParameters: Map<string, string>
268
+ ): string {
269
+ const queryString = mapToQueryString(requestParameters);
270
+
271
+ return UrlString.appendQueryString(
272
+ authority.authorizationEndpoint,
273
+ queryString
274
+ );
275
+ }
276
+
277
+ /**
278
+ * Handles the hash fragment response from public client code request. Returns a code response used by
279
+ * the client to exchange for a token in acquireToken.
280
+ * @param serverParams
281
+ * @param cachedState
282
+ */
283
+ export function getAuthorizationCodePayload(
284
+ serverParams: AuthorizeResponse,
285
+ cachedState: string
286
+ ): AuthorizationCodePayload {
287
+ // Get code response
288
+ validateAuthorizationResponse(serverParams, cachedState);
289
+
290
+ // throw when there is no auth code in the response
291
+ if (!serverParams.code) {
292
+ throw createClientAuthError(
293
+ ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse
294
+ );
295
+ }
296
+
297
+ return serverParams as AuthorizationCodePayload;
298
+ }
299
+
300
+ /**
301
+ * Function which validates server authorization code response.
302
+ * @param serverResponseHash
303
+ * @param requestState
304
+ */
305
+ export function validateAuthorizationResponse(
306
+ serverResponse: AuthorizeResponse,
307
+ requestState: string
308
+ ): void {
309
+ if (!serverResponse.state || !requestState) {
310
+ throw serverResponse.state
311
+ ? createClientAuthError(
312
+ ClientAuthErrorCodes.stateNotFound,
313
+ "Cached State"
314
+ )
315
+ : createClientAuthError(
316
+ ClientAuthErrorCodes.stateNotFound,
317
+ "Server State"
318
+ );
319
+ }
320
+
321
+ let decodedServerResponseState: string;
322
+ let decodedRequestState: string;
323
+
324
+ try {
325
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
326
+ } catch (e) {
327
+ throw createClientAuthError(
328
+ ClientAuthErrorCodes.invalidState,
329
+ serverResponse.state
330
+ );
331
+ }
332
+
333
+ try {
334
+ decodedRequestState = decodeURIComponent(requestState);
335
+ } catch (e) {
336
+ throw createClientAuthError(
337
+ ClientAuthErrorCodes.invalidState,
338
+ serverResponse.state
339
+ );
340
+ }
341
+
342
+ if (decodedServerResponseState !== decodedRequestState) {
343
+ throw createClientAuthError(ClientAuthErrorCodes.stateMismatch);
344
+ }
345
+
346
+ // Check for error
347
+ if (
348
+ serverResponse.error ||
349
+ serverResponse.error_description ||
350
+ serverResponse.suberror
351
+ ) {
352
+ const serverErrorNo = parseServerErrorNo(serverResponse);
353
+ if (
354
+ isInteractionRequiredError(
355
+ serverResponse.error,
356
+ serverResponse.error_description,
357
+ serverResponse.suberror
358
+ )
359
+ ) {
360
+ throw new InteractionRequiredAuthError(
361
+ serverResponse.error || "",
362
+ serverResponse.error_description,
363
+ serverResponse.suberror,
364
+ serverResponse.timestamp || "",
365
+ serverResponse.trace_id || "",
366
+ serverResponse.correlation_id || "",
367
+ serverResponse.claims || "",
368
+ serverErrorNo
369
+ );
370
+ }
371
+
372
+ throw new ServerError(
373
+ serverResponse.error || "",
374
+ serverResponse.error_description,
375
+ serverResponse.suberror,
376
+ serverErrorNo
377
+ );
378
+ }
379
+ }
380
+
381
+ /**
382
+ * Get server error No from the error_uri
383
+ * @param serverResponse
384
+ * @returns
385
+ */
386
+ function parseServerErrorNo(
387
+ serverResponse: AuthorizeResponse
388
+ ): string | undefined {
389
+ const errorCodePrefix = "code=";
390
+ const errorCodePrefixIndex =
391
+ serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
392
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
393
+ ? serverResponse.error_uri?.substring(
394
+ errorCodePrefixIndex + errorCodePrefix.length
395
+ )
396
+ : undefined;
397
+ }
398
+
399
+ /**
400
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
401
+ * @param account
402
+ */
403
+ function extractAccountSid(account: AccountInfo): string | null {
404
+ return account.idTokenClaims?.sid || null;
405
+ }
406
+
407
+ function extractLoginHint(account: AccountInfo): string | null {
408
+ return account.idTokenClaims?.login_hint || null;
409
+ }