@azure/msal-common 15.2.1 → 15.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +3 -3
- package/dist/authority/Authority.mjs.map +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.d.ts +11 -0
- package/dist/authority/ProtocolMode.d.ts.map +1 -1
- package/dist/authority/ProtocolMode.mjs +12 -1
- package/dist/authority/ProtocolMode.mjs.map +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +4 -4
- package/dist/cache/entities/AccountEntity.mjs.map +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +41 -246
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +27 -29
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +3 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +6 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +4 -3
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +6 -3
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +6 -3
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +6 -3
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/CommonAuthorizationUrlRequest.d.ts +3 -2
- package/dist/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +211 -219
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +364 -370
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +76 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +2 -49
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +6 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +15 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.d.ts +11 -5
- package/dist/utils/Constants.d.ts.map +1 -1
- package/dist/utils/Constants.mjs +13 -8
- package/dist/utils/Constants.mjs.map +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +13 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +4 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node--LMD5Re1.js → index-node-C56U0Gkp.js} +833 -777
- package/lib/index-node-C56U0Gkp.js.map +1 -0
- package/lib/index-node.cjs +4 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +4 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/authority/ProtocolMode.d.ts +11 -0
- package/lib/types/authority/ProtocolMode.d.ts.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +3 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +4 -3
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/CommonAuthorizationUrlRequest.d.ts +3 -2
- package/lib/types/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
- package/lib/types/request/RequestParameterBuilder.d.ts +211 -219
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +76 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +6 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/Constants.d.ts +11 -5
- package/lib/types/utils/Constants.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/authority/Authority.ts +2 -2
- package/src/authority/ProtocolMode.ts +11 -0
- package/src/cache/entities/AccountEntity.ts +3 -3
- package/src/client/AuthorizationCodeClient.ts +84 -395
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +60 -30
- package/src/constants/AADServerParamKeys.ts +3 -0
- package/src/exports-common.ts +5 -2
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/CommonAuthorizationUrlRequest.ts +3 -2
- package/src/request/RequestParameterBuilder.ts +516 -545
- package/src/response/AuthorizeResponse.ts +80 -0
- package/src/response/ResponseHandler.ts +0 -98
- package/src/telemetry/performance/PerformanceEvent.ts +14 -11
- package/src/utils/Constants.ts +14 -6
- package/src/utils/UrlUtils.ts +19 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node--LMD5Re1.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.4.0 2025-03-25 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -36,11 +36,8 @@ const Constants = {
|
|
|
36
36
|
PROFILE_SCOPE: "profile",
|
|
37
37
|
OFFLINE_ACCESS_SCOPE: "offline_access",
|
|
38
38
|
EMAIL_SCOPE: "email",
|
|
39
|
-
// Default response type for authorization code flow
|
|
40
|
-
CODE_RESPONSE_TYPE: "code",
|
|
41
39
|
CODE_GRANT_TYPE: "authorization_code",
|
|
42
40
|
RT_GRANT_TYPE: "refresh_token",
|
|
43
|
-
FRAGMENT_RESPONSE_MODE: "fragment",
|
|
44
41
|
S256_CODE_CHALLENGE_METHOD: "S256",
|
|
45
42
|
URL_FORM_CONTENT_TYPE: "application/x-www-form-urlencoded;charset=utf-8",
|
|
46
43
|
AUTHORIZATION_PENDING: "authorization_pending",
|
|
@@ -60,8 +57,6 @@ const Constants = {
|
|
|
60
57
|
"login.microsoft.com",
|
|
61
58
|
"sts.windows.net",
|
|
62
59
|
],
|
|
63
|
-
TOKEN_RESPONSE_TYPE: "token",
|
|
64
|
-
ID_TOKEN_RESPONSE_TYPE: "id_token",
|
|
65
60
|
SHR_NONCE_VALIDITY: 240,
|
|
66
61
|
INVALID_INSTANCE: "invalid_instance",
|
|
67
62
|
};
|
|
@@ -145,8 +140,17 @@ const CodeChallengeMethodValues = {
|
|
|
145
140
|
PLAIN: "plain",
|
|
146
141
|
S256: "S256",
|
|
147
142
|
};
|
|
143
|
+
/**
|
|
144
|
+
* Allowed values for response_type
|
|
145
|
+
*/
|
|
146
|
+
const OAuthResponseType = {
|
|
147
|
+
CODE: "code",
|
|
148
|
+
IDTOKEN_TOKEN: "id_token token",
|
|
149
|
+
IDTOKEN_TOKEN_REFRESHTOKEN: "id_token token refresh_token",
|
|
150
|
+
};
|
|
148
151
|
/**
|
|
149
152
|
* allowed values for server response type
|
|
153
|
+
* @deprecated Use ResponseMode instead
|
|
150
154
|
*/
|
|
151
155
|
const ServerResponseType = {
|
|
152
156
|
QUERY: "query",
|
|
@@ -156,7 +160,8 @@ const ServerResponseType = {
|
|
|
156
160
|
* allowed values for response_mode
|
|
157
161
|
*/
|
|
158
162
|
const ResponseMode = {
|
|
159
|
-
|
|
163
|
+
QUERY: "query",
|
|
164
|
+
FRAGMENT: "fragment",
|
|
160
165
|
FORM_POST: "form_post",
|
|
161
166
|
};
|
|
162
167
|
/**
|
|
@@ -1139,6 +1144,7 @@ function getDeserializedResponse(responseString) {
|
|
|
1139
1144
|
const deserializedHash = Object.fromEntries(new URLSearchParams(normalizedResponse));
|
|
1140
1145
|
// Check for known response properties
|
|
1141
1146
|
if (deserializedHash.code ||
|
|
1147
|
+
deserializedHash.ear_jwe ||
|
|
1142
1148
|
deserializedHash.error ||
|
|
1143
1149
|
deserializedHash.error_description ||
|
|
1144
1150
|
deserializedHash.state) {
|
|
@@ -1149,11 +1155,22 @@ function getDeserializedResponse(responseString) {
|
|
|
1149
1155
|
throw createClientAuthError(hashNotDeserialized);
|
|
1150
1156
|
}
|
|
1151
1157
|
return null;
|
|
1158
|
+
}
|
|
1159
|
+
/**
|
|
1160
|
+
* Utility to create a URL from the params map
|
|
1161
|
+
*/
|
|
1162
|
+
function mapToQueryString(parameters) {
|
|
1163
|
+
const queryParameterArray = new Array();
|
|
1164
|
+
parameters.forEach((value, key) => {
|
|
1165
|
+
queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
|
|
1166
|
+
});
|
|
1167
|
+
return queryParameterArray.join("&");
|
|
1152
1168
|
}
|
|
1153
1169
|
|
|
1154
1170
|
var UrlUtils = /*#__PURE__*/Object.freeze({
|
|
1155
1171
|
__proto__: null,
|
|
1156
1172
|
getDeserializedResponse: getDeserializedResponse,
|
|
1173
|
+
mapToQueryString: mapToQueryString,
|
|
1157
1174
|
stripLeadingHashOrQuery: stripLeadingHashOrQuery
|
|
1158
1175
|
});
|
|
1159
1176
|
|
|
@@ -1465,8 +1482,19 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
|
|
|
1465
1482
|
* Protocol modes supported by MSAL.
|
|
1466
1483
|
*/
|
|
1467
1484
|
const ProtocolMode = {
|
|
1485
|
+
/**
|
|
1486
|
+
* Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
|
|
1487
|
+
*/
|
|
1468
1488
|
AAD: "AAD",
|
|
1489
|
+
/**
|
|
1490
|
+
* Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
|
|
1491
|
+
* Support is limited for this mode.
|
|
1492
|
+
*/
|
|
1469
1493
|
OIDC: "OIDC",
|
|
1494
|
+
/**
|
|
1495
|
+
* Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
|
|
1496
|
+
*/
|
|
1497
|
+
EAR: "EAR",
|
|
1470
1498
|
};
|
|
1471
1499
|
|
|
1472
1500
|
/*
|
|
@@ -1681,16 +1709,19 @@ const PerformanceEvents = {
|
|
|
1681
1709
|
StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
|
|
1682
1710
|
StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
|
|
1683
1711
|
StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
|
|
1684
|
-
StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
|
|
1685
1712
|
/**
|
|
1686
1713
|
* getAuthCodeUrl API (msal-browser and msal-node).
|
|
1687
1714
|
*/
|
|
1688
1715
|
GetAuthCodeUrl: "getAuthCodeUrl",
|
|
1716
|
+
GetStandardParams: "getStandardParams",
|
|
1689
1717
|
/**
|
|
1690
1718
|
* Functions from InteractionHandler (msal-browser)
|
|
1691
1719
|
*/
|
|
1692
1720
|
HandleCodeResponseFromServer: "handleCodeResponseFromServer",
|
|
1693
1721
|
HandleCodeResponse: "handleCodeResponse",
|
|
1722
|
+
HandleResponseEar: "handleResponseEar",
|
|
1723
|
+
HandleResponsePlatformBroker: "handleResponsePlatformBroker",
|
|
1724
|
+
HandleResponseCode: "handleResponseCode",
|
|
1694
1725
|
UpdateTokenEndpointAuthority: "updateTokenEndpointAuthority",
|
|
1695
1726
|
/**
|
|
1696
1727
|
* APIs in Authorization Code Client (msal-common)
|
|
@@ -1698,7 +1729,6 @@ const PerformanceEvents = {
|
|
|
1698
1729
|
AuthClientAcquireToken: "authClientAcquireToken",
|
|
1699
1730
|
AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
|
|
1700
1731
|
AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
|
|
1701
|
-
AuthClientCreateQueryString: "authClientCreateQueryString",
|
|
1702
1732
|
/**
|
|
1703
1733
|
* Generate functions in PopTokenGenerator (msal-common)
|
|
1704
1734
|
*/
|
|
@@ -1758,6 +1788,8 @@ const PerformanceEvents = {
|
|
|
1758
1788
|
UrlEncodeArr: "urlEncodeArr",
|
|
1759
1789
|
Encrypt: "encrypt",
|
|
1760
1790
|
Decrypt: "decrypt",
|
|
1791
|
+
GenerateEarKey: "generateEarKey",
|
|
1792
|
+
DecryptEarResponse: "decryptEarResponse",
|
|
1761
1793
|
};
|
|
1762
1794
|
const PerformanceEventAbbreviations = new Map([
|
|
1763
1795
|
[PerformanceEvents.AcquireTokenByCode, "ATByCode"],
|
|
@@ -1869,16 +1901,18 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1869
1901
|
PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
|
|
1870
1902
|
"StdIntClientInitAuthReq",
|
|
1871
1903
|
],
|
|
1872
|
-
[
|
|
1873
|
-
PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
|
|
1874
|
-
"StdIntClientInitAuthCodeReq",
|
|
1875
|
-
],
|
|
1876
1904
|
[PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
|
|
1877
1905
|
[
|
|
1878
1906
|
PerformanceEvents.HandleCodeResponseFromServer,
|
|
1879
1907
|
"HandleCodeResFromServer",
|
|
1880
1908
|
],
|
|
1881
1909
|
[PerformanceEvents.HandleCodeResponse, "HandleCodeResp"],
|
|
1910
|
+
[PerformanceEvents.HandleResponseEar, "HandleRespEar"],
|
|
1911
|
+
[PerformanceEvents.HandleResponseCode, "HandleRespCode"],
|
|
1912
|
+
[
|
|
1913
|
+
PerformanceEvents.HandleResponsePlatformBroker,
|
|
1914
|
+
"HandleRespPlatBroker",
|
|
1915
|
+
],
|
|
1882
1916
|
[PerformanceEvents.UpdateTokenEndpointAuthority, "UpdTEndpointAuth"],
|
|
1883
1917
|
[PerformanceEvents.AuthClientAcquireToken, "AuthClientAT"],
|
|
1884
1918
|
[PerformanceEvents.AuthClientExecuteTokenRequest, "AuthClientExecTReq"],
|
|
@@ -1886,10 +1920,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1886
1920
|
PerformanceEvents.AuthClientCreateTokenRequestBody,
|
|
1887
1921
|
"AuthClientCreateTReqBody",
|
|
1888
1922
|
],
|
|
1889
|
-
[
|
|
1890
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
1891
|
-
"AuthClientCreateQueryStr",
|
|
1892
|
-
],
|
|
1893
1923
|
[PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
|
|
1894
1924
|
[PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
|
|
1895
1925
|
[PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
|
|
@@ -1985,6 +2015,8 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
1985
2015
|
[PerformanceEvents.UrlEncodeArr, "urlEncArr"],
|
|
1986
2016
|
[PerformanceEvents.Encrypt, "encrypt"],
|
|
1987
2017
|
[PerformanceEvents.Decrypt, "decrypt"],
|
|
2018
|
+
[PerformanceEvents.GenerateEarKey, "genEarKey"],
|
|
2019
|
+
[PerformanceEvents.DecryptEarResponse, "decryptEarResp"],
|
|
1988
2020
|
]);
|
|
1989
2021
|
/**
|
|
1990
2022
|
* State of the performance event.
|
|
@@ -2810,7 +2842,7 @@ class Authority {
|
|
|
2810
2842
|
return (authorityUri.PathSegments.length === 1 &&
|
|
2811
2843
|
!Authority.reservedTenantDomains.has(authorityUri.PathSegments[0]) &&
|
|
2812
2844
|
this.getAuthorityType(authorityUri) === AuthorityType.Default &&
|
|
2813
|
-
this.protocolMode
|
|
2845
|
+
this.protocolMode !== ProtocolMode.OIDC);
|
|
2814
2846
|
}
|
|
2815
2847
|
/**
|
|
2816
2848
|
* Replaces tenant in url path with current tenant. Defaults to common.
|
|
@@ -2857,7 +2889,7 @@ class Authority {
|
|
|
2857
2889
|
const canonicalAuthorityHost = this.hostnameAndPort;
|
|
2858
2890
|
if (this.canonicalAuthority.endsWith("v2.0/") ||
|
|
2859
2891
|
this.authorityType === AuthorityType.Adfs ||
|
|
2860
|
-
(this.protocolMode
|
|
2892
|
+
(this.protocolMode === ProtocolMode.OIDC &&
|
|
2861
2893
|
!this.isAliasOfKnownMicrosoftAuthority(canonicalAuthorityHost))) {
|
|
2862
2894
|
return `${this.canonicalAuthority}.well-known/openid-configuration`;
|
|
2863
2895
|
}
|
|
@@ -3563,7 +3595,10 @@ const LOGIN_HINT = "login_hint";
|
|
|
3563
3595
|
const DOMAIN_HINT = "domain_hint";
|
|
3564
3596
|
const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
3565
3597
|
const BROKER_CLIENT_ID = "brk_client_id";
|
|
3566
|
-
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
3598
|
+
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
3599
|
+
const INSTANCE_AWARE = "instance_aware";
|
|
3600
|
+
const EAR_JWK = "ear_jwk";
|
|
3601
|
+
const EAR_JWE_CRYPTO = "ear_jwe_crypto";
|
|
3567
3602
|
|
|
3568
3603
|
var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
3569
3604
|
__proto__: null,
|
|
@@ -3584,6 +3619,8 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3584
3619
|
CODE_VERIFIER: CODE_VERIFIER,
|
|
3585
3620
|
DEVICE_CODE: DEVICE_CODE,
|
|
3586
3621
|
DOMAIN_HINT: DOMAIN_HINT,
|
|
3622
|
+
EAR_JWE_CRYPTO: EAR_JWE_CRYPTO,
|
|
3623
|
+
EAR_JWK: EAR_JWK,
|
|
3587
3624
|
ERROR: ERROR,
|
|
3588
3625
|
ERROR_DESCRIPTION: ERROR_DESCRIPTION,
|
|
3589
3626
|
EXPIRES_IN: EXPIRES_IN,
|
|
@@ -3591,6 +3628,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3591
3628
|
GRANT_TYPE: GRANT_TYPE,
|
|
3592
3629
|
ID_TOKEN: ID_TOKEN,
|
|
3593
3630
|
ID_TOKEN_HINT: ID_TOKEN_HINT,
|
|
3631
|
+
INSTANCE_AWARE: INSTANCE_AWARE,
|
|
3594
3632
|
LOGIN_HINT: LOGIN_HINT,
|
|
3595
3633
|
LOGOUT_HINT: LOGOUT_HINT,
|
|
3596
3634
|
NATIVE_BROKER: NATIVE_BROKER,
|
|
@@ -3852,7 +3890,7 @@ class Logger {
|
|
|
3852
3890
|
|
|
3853
3891
|
/* eslint-disable header/header */
|
|
3854
3892
|
const name = "@azure/msal-common";
|
|
3855
|
-
const version = "15.
|
|
3893
|
+
const version = "15.4.0";
|
|
3856
3894
|
|
|
3857
3895
|
/*
|
|
3858
3896
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4274,11 +4312,11 @@ class AccountEntity {
|
|
|
4274
4312
|
if (authority.authorityType === AuthorityType.Adfs) {
|
|
4275
4313
|
account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
|
|
4276
4314
|
}
|
|
4277
|
-
else if (authority.protocolMode === ProtocolMode.
|
|
4278
|
-
account.authorityType = CacheAccountType.
|
|
4315
|
+
else if (authority.protocolMode === ProtocolMode.OIDC) {
|
|
4316
|
+
account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
|
|
4279
4317
|
}
|
|
4280
4318
|
else {
|
|
4281
|
-
account.authorityType = CacheAccountType.
|
|
4319
|
+
account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
|
|
4282
4320
|
}
|
|
4283
4321
|
let clientInfo;
|
|
4284
4322
|
if (accountDetails.clientInfo && base64Decode) {
|
|
@@ -5748,71 +5786,6 @@ const CcsCredentialType = {
|
|
|
5748
5786
|
UPN: "UPN",
|
|
5749
5787
|
};
|
|
5750
5788
|
|
|
5751
|
-
/*
|
|
5752
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5753
|
-
* Licensed under the MIT License.
|
|
5754
|
-
*/
|
|
5755
|
-
/**
|
|
5756
|
-
* Validates server consumable params from the "request" objects
|
|
5757
|
-
*/
|
|
5758
|
-
class RequestValidator {
|
|
5759
|
-
/**
|
|
5760
|
-
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
5761
|
-
* @param redirectUri
|
|
5762
|
-
*/
|
|
5763
|
-
static validateRedirectUri(redirectUri) {
|
|
5764
|
-
if (!redirectUri) {
|
|
5765
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
5766
|
-
}
|
|
5767
|
-
}
|
|
5768
|
-
/**
|
|
5769
|
-
* Utility to validate prompt sent by the user in the request
|
|
5770
|
-
* @param prompt
|
|
5771
|
-
*/
|
|
5772
|
-
static validatePrompt(prompt) {
|
|
5773
|
-
const promptValues = [];
|
|
5774
|
-
for (const value in PromptValue) {
|
|
5775
|
-
promptValues.push(PromptValue[value]);
|
|
5776
|
-
}
|
|
5777
|
-
if (promptValues.indexOf(prompt) < 0) {
|
|
5778
|
-
throw createClientConfigurationError(invalidPromptValue);
|
|
5779
|
-
}
|
|
5780
|
-
}
|
|
5781
|
-
static validateClaims(claims) {
|
|
5782
|
-
try {
|
|
5783
|
-
JSON.parse(claims);
|
|
5784
|
-
}
|
|
5785
|
-
catch (e) {
|
|
5786
|
-
throw createClientConfigurationError(invalidClaims);
|
|
5787
|
-
}
|
|
5788
|
-
}
|
|
5789
|
-
/**
|
|
5790
|
-
* Utility to validate code_challenge and code_challenge_method
|
|
5791
|
-
* @param codeChallenge
|
|
5792
|
-
* @param codeChallengeMethod
|
|
5793
|
-
*/
|
|
5794
|
-
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
5795
|
-
if (!codeChallenge || !codeChallengeMethod) {
|
|
5796
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
5797
|
-
}
|
|
5798
|
-
else {
|
|
5799
|
-
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
5800
|
-
}
|
|
5801
|
-
}
|
|
5802
|
-
/**
|
|
5803
|
-
* Utility to validate code_challenge_method
|
|
5804
|
-
* @param codeChallengeMethod
|
|
5805
|
-
*/
|
|
5806
|
-
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
5807
|
-
if ([
|
|
5808
|
-
CodeChallengeMethodValues.PLAIN,
|
|
5809
|
-
CodeChallengeMethodValues.S256,
|
|
5810
|
-
].indexOf(codeChallengeMethod) < 0) {
|
|
5811
|
-
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
5812
|
-
}
|
|
5813
|
-
}
|
|
5814
|
-
}
|
|
5815
|
-
|
|
5816
5789
|
/*
|
|
5817
5790
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5818
5791
|
* Licensed under the MIT License.
|
|
@@ -5829,396 +5802,440 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
|
|
|
5829
5802
|
}, correlationId);
|
|
5830
5803
|
}
|
|
5831
5804
|
}
|
|
5832
|
-
/**
|
|
5833
|
-
|
|
5834
|
-
|
|
5835
|
-
|
|
5836
|
-
|
|
5837
|
-
|
|
5838
|
-
|
|
5839
|
-
|
|
5840
|
-
|
|
5841
|
-
|
|
5842
|
-
|
|
5843
|
-
|
|
5844
|
-
|
|
5845
|
-
|
|
5846
|
-
|
|
5847
|
-
|
|
5848
|
-
|
|
5849
|
-
|
|
5850
|
-
|
|
5851
|
-
|
|
5852
|
-
|
|
5853
|
-
|
|
5854
|
-
|
|
5855
|
-
|
|
5856
|
-
|
|
5857
|
-
|
|
5858
|
-
|
|
5859
|
-
|
|
5860
|
-
|
|
5861
|
-
|
|
5862
|
-
|
|
5863
|
-
|
|
5864
|
-
|
|
5865
|
-
|
|
5866
|
-
|
|
5867
|
-
|
|
5868
|
-
|
|
5869
|
-
|
|
5870
|
-
|
|
5871
|
-
|
|
5872
|
-
|
|
5873
|
-
|
|
5874
|
-
|
|
5875
|
-
|
|
5876
|
-
|
|
5877
|
-
|
|
5878
|
-
|
|
5879
|
-
|
|
5880
|
-
|
|
5805
|
+
/**
|
|
5806
|
+
* Add the given response_type
|
|
5807
|
+
* @param parameters
|
|
5808
|
+
* @param responseType
|
|
5809
|
+
*/
|
|
5810
|
+
function addResponseType(parameters, responseType) {
|
|
5811
|
+
parameters.set(RESPONSE_TYPE, responseType);
|
|
5812
|
+
}
|
|
5813
|
+
/**
|
|
5814
|
+
* add response_mode. defaults to query.
|
|
5815
|
+
* @param responseMode
|
|
5816
|
+
*/
|
|
5817
|
+
function addResponseMode(parameters, responseMode) {
|
|
5818
|
+
parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
|
|
5819
|
+
}
|
|
5820
|
+
/**
|
|
5821
|
+
* Add flag to indicate STS should attempt to use WAM if available
|
|
5822
|
+
*/
|
|
5823
|
+
function addNativeBroker(parameters) {
|
|
5824
|
+
parameters.set(NATIVE_BROKER, "1");
|
|
5825
|
+
}
|
|
5826
|
+
/**
|
|
5827
|
+
* add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
|
|
5828
|
+
* @param scopeSet
|
|
5829
|
+
* @param addOidcScopes
|
|
5830
|
+
*/
|
|
5831
|
+
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
5832
|
+
// Always add openid to the scopes when adding OIDC scopes
|
|
5833
|
+
if (addOidcScopes &&
|
|
5834
|
+
!defaultScopes.includes("openid") &&
|
|
5835
|
+
!scopes.includes("openid")) {
|
|
5836
|
+
defaultScopes.push("openid");
|
|
5837
|
+
}
|
|
5838
|
+
const requestScopes = addOidcScopes
|
|
5839
|
+
? [...(scopes || []), ...defaultScopes]
|
|
5840
|
+
: scopes || [];
|
|
5841
|
+
const scopeSet = new ScopeSet(requestScopes);
|
|
5842
|
+
parameters.set(SCOPE, scopeSet.printScopes());
|
|
5843
|
+
}
|
|
5844
|
+
/**
|
|
5845
|
+
* add clientId
|
|
5846
|
+
* @param clientId
|
|
5847
|
+
*/
|
|
5848
|
+
function addClientId(parameters, clientId) {
|
|
5849
|
+
parameters.set(CLIENT_ID, clientId);
|
|
5850
|
+
}
|
|
5851
|
+
/**
|
|
5852
|
+
* add redirect_uri
|
|
5853
|
+
* @param redirectUri
|
|
5854
|
+
*/
|
|
5855
|
+
function addRedirectUri(parameters, redirectUri) {
|
|
5856
|
+
parameters.set(REDIRECT_URI, redirectUri);
|
|
5857
|
+
}
|
|
5858
|
+
/**
|
|
5859
|
+
* add post logout redirectUri
|
|
5860
|
+
* @param redirectUri
|
|
5861
|
+
*/
|
|
5862
|
+
function addPostLogoutRedirectUri(parameters, redirectUri) {
|
|
5863
|
+
parameters.set(POST_LOGOUT_URI, redirectUri);
|
|
5864
|
+
}
|
|
5865
|
+
/**
|
|
5866
|
+
* add id_token_hint to logout request
|
|
5867
|
+
* @param idTokenHint
|
|
5868
|
+
*/
|
|
5869
|
+
function addIdTokenHint(parameters, idTokenHint) {
|
|
5870
|
+
parameters.set(ID_TOKEN_HINT, idTokenHint);
|
|
5871
|
+
}
|
|
5872
|
+
/**
|
|
5873
|
+
* add domain_hint
|
|
5874
|
+
* @param domainHint
|
|
5875
|
+
*/
|
|
5876
|
+
function addDomainHint(parameters, domainHint) {
|
|
5877
|
+
parameters.set(DOMAIN_HINT, domainHint);
|
|
5878
|
+
}
|
|
5879
|
+
/**
|
|
5880
|
+
* add login_hint
|
|
5881
|
+
* @param loginHint
|
|
5882
|
+
*/
|
|
5883
|
+
function addLoginHint(parameters, loginHint) {
|
|
5884
|
+
parameters.set(LOGIN_HINT, loginHint);
|
|
5885
|
+
}
|
|
5886
|
+
/**
|
|
5887
|
+
* Adds the CCS (Cache Credential Service) query parameter for login_hint
|
|
5888
|
+
* @param loginHint
|
|
5889
|
+
*/
|
|
5890
|
+
function addCcsUpn(parameters, loginHint) {
|
|
5891
|
+
parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
|
|
5892
|
+
}
|
|
5893
|
+
/**
|
|
5894
|
+
* Adds the CCS (Cache Credential Service) query parameter for account object
|
|
5895
|
+
* @param loginHint
|
|
5896
|
+
*/
|
|
5897
|
+
function addCcsOid(parameters, clientInfo) {
|
|
5898
|
+
parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
|
|
5899
|
+
}
|
|
5900
|
+
/**
|
|
5901
|
+
* add sid
|
|
5902
|
+
* @param sid
|
|
5903
|
+
*/
|
|
5904
|
+
function addSid(parameters, sid) {
|
|
5905
|
+
parameters.set(SID, sid);
|
|
5906
|
+
}
|
|
5907
|
+
/**
|
|
5908
|
+
* add claims
|
|
5909
|
+
* @param claims
|
|
5910
|
+
*/
|
|
5911
|
+
function addClaims(parameters, claims, clientCapabilities) {
|
|
5912
|
+
const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
|
|
5913
|
+
try {
|
|
5914
|
+
JSON.parse(mergedClaims);
|
|
5881
5915
|
}
|
|
5882
|
-
|
|
5883
|
-
|
|
5884
|
-
* @param clientId
|
|
5885
|
-
*/
|
|
5886
|
-
addClientId(clientId) {
|
|
5887
|
-
this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
|
|
5916
|
+
catch (e) {
|
|
5917
|
+
throw createClientConfigurationError(invalidClaims);
|
|
5888
5918
|
}
|
|
5889
|
-
|
|
5890
|
-
|
|
5891
|
-
|
|
5892
|
-
|
|
5893
|
-
|
|
5894
|
-
|
|
5895
|
-
|
|
5919
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
5920
|
+
}
|
|
5921
|
+
/**
|
|
5922
|
+
* add correlationId
|
|
5923
|
+
* @param correlationId
|
|
5924
|
+
*/
|
|
5925
|
+
function addCorrelationId(parameters, correlationId) {
|
|
5926
|
+
parameters.set(CLIENT_REQUEST_ID, correlationId);
|
|
5927
|
+
}
|
|
5928
|
+
/**
|
|
5929
|
+
* add library info query params
|
|
5930
|
+
* @param libraryInfo
|
|
5931
|
+
*/
|
|
5932
|
+
function addLibraryInfo(parameters, libraryInfo) {
|
|
5933
|
+
// Telemetry Info
|
|
5934
|
+
parameters.set(X_CLIENT_SKU, libraryInfo.sku);
|
|
5935
|
+
parameters.set(X_CLIENT_VER, libraryInfo.version);
|
|
5936
|
+
if (libraryInfo.os) {
|
|
5937
|
+
parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
5896
5938
|
}
|
|
5897
|
-
|
|
5898
|
-
|
|
5899
|
-
* @param redirectUri
|
|
5900
|
-
*/
|
|
5901
|
-
addPostLogoutRedirectUri(redirectUri) {
|
|
5902
|
-
RequestValidator.validateRedirectUri(redirectUri);
|
|
5903
|
-
this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
|
|
5939
|
+
if (libraryInfo.cpu) {
|
|
5940
|
+
parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
5904
5941
|
}
|
|
5905
|
-
|
|
5906
|
-
|
|
5907
|
-
|
|
5908
|
-
|
|
5909
|
-
|
|
5910
|
-
|
|
5942
|
+
}
|
|
5943
|
+
/**
|
|
5944
|
+
* Add client telemetry parameters
|
|
5945
|
+
* @param appTelemetry
|
|
5946
|
+
*/
|
|
5947
|
+
function addApplicationTelemetry(parameters, appTelemetry) {
|
|
5948
|
+
if (appTelemetry?.appName) {
|
|
5949
|
+
parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
5911
5950
|
}
|
|
5912
|
-
|
|
5913
|
-
|
|
5914
|
-
* @param domainHint
|
|
5915
|
-
*/
|
|
5916
|
-
addDomainHint(domainHint) {
|
|
5917
|
-
this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
|
|
5951
|
+
if (appTelemetry?.appVersion) {
|
|
5952
|
+
parameters.set(X_APP_VER, appTelemetry.appVersion);
|
|
5918
5953
|
}
|
|
5919
|
-
|
|
5920
|
-
|
|
5921
|
-
|
|
5922
|
-
|
|
5923
|
-
|
|
5924
|
-
|
|
5954
|
+
}
|
|
5955
|
+
/**
|
|
5956
|
+
* add prompt
|
|
5957
|
+
* @param prompt
|
|
5958
|
+
*/
|
|
5959
|
+
function addPrompt(parameters, prompt) {
|
|
5960
|
+
parameters.set(PROMPT, prompt);
|
|
5961
|
+
}
|
|
5962
|
+
/**
|
|
5963
|
+
* add state
|
|
5964
|
+
* @param state
|
|
5965
|
+
*/
|
|
5966
|
+
function addState(parameters, state) {
|
|
5967
|
+
if (state) {
|
|
5968
|
+
parameters.set(STATE, state);
|
|
5925
5969
|
}
|
|
5926
|
-
|
|
5927
|
-
|
|
5928
|
-
|
|
5929
|
-
|
|
5930
|
-
|
|
5931
|
-
|
|
5970
|
+
}
|
|
5971
|
+
/**
|
|
5972
|
+
* add nonce
|
|
5973
|
+
* @param nonce
|
|
5974
|
+
*/
|
|
5975
|
+
function addNonce(parameters, nonce) {
|
|
5976
|
+
parameters.set(NONCE, nonce);
|
|
5977
|
+
}
|
|
5978
|
+
/**
|
|
5979
|
+
* add code_challenge and code_challenge_method
|
|
5980
|
+
* - throw if either of them are not passed
|
|
5981
|
+
* @param codeChallenge
|
|
5982
|
+
* @param codeChallengeMethod
|
|
5983
|
+
*/
|
|
5984
|
+
function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
|
|
5985
|
+
if (codeChallenge && codeChallengeMethod) {
|
|
5986
|
+
parameters.set(CODE_CHALLENGE, codeChallenge);
|
|
5987
|
+
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
5932
5988
|
}
|
|
5933
|
-
|
|
5934
|
-
|
|
5935
|
-
* @param loginHint
|
|
5936
|
-
*/
|
|
5937
|
-
addCcsOid(clientInfo) {
|
|
5938
|
-
this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
|
|
5989
|
+
else {
|
|
5990
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
5939
5991
|
}
|
|
5940
|
-
|
|
5941
|
-
|
|
5942
|
-
|
|
5943
|
-
|
|
5944
|
-
|
|
5945
|
-
|
|
5992
|
+
}
|
|
5993
|
+
/**
|
|
5994
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
5995
|
+
* @param code
|
|
5996
|
+
*/
|
|
5997
|
+
function addAuthorizationCode(parameters, code) {
|
|
5998
|
+
parameters.set(CODE, code);
|
|
5999
|
+
}
|
|
6000
|
+
/**
|
|
6001
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
6002
|
+
* @param code
|
|
6003
|
+
*/
|
|
6004
|
+
function addDeviceCode(parameters, code) {
|
|
6005
|
+
parameters.set(DEVICE_CODE, code);
|
|
6006
|
+
}
|
|
6007
|
+
/**
|
|
6008
|
+
* add the `refreshToken` passed by the user
|
|
6009
|
+
* @param refreshToken
|
|
6010
|
+
*/
|
|
6011
|
+
function addRefreshToken(parameters, refreshToken) {
|
|
6012
|
+
parameters.set(REFRESH_TOKEN, refreshToken);
|
|
6013
|
+
}
|
|
6014
|
+
/**
|
|
6015
|
+
* add the `code_verifier` passed by the user to exchange for a token
|
|
6016
|
+
* @param codeVerifier
|
|
6017
|
+
*/
|
|
6018
|
+
function addCodeVerifier(parameters, codeVerifier) {
|
|
6019
|
+
parameters.set(CODE_VERIFIER, codeVerifier);
|
|
6020
|
+
}
|
|
6021
|
+
/**
|
|
6022
|
+
* add client_secret
|
|
6023
|
+
* @param clientSecret
|
|
6024
|
+
*/
|
|
6025
|
+
function addClientSecret(parameters, clientSecret) {
|
|
6026
|
+
parameters.set(CLIENT_SECRET, clientSecret);
|
|
6027
|
+
}
|
|
6028
|
+
/**
|
|
6029
|
+
* add clientAssertion for confidential client flows
|
|
6030
|
+
* @param clientAssertion
|
|
6031
|
+
*/
|
|
6032
|
+
function addClientAssertion(parameters, clientAssertion) {
|
|
6033
|
+
if (clientAssertion) {
|
|
6034
|
+
parameters.set(CLIENT_ASSERTION, clientAssertion);
|
|
5946
6035
|
}
|
|
5947
|
-
|
|
5948
|
-
|
|
5949
|
-
|
|
5950
|
-
|
|
5951
|
-
|
|
5952
|
-
|
|
5953
|
-
|
|
5954
|
-
|
|
6036
|
+
}
|
|
6037
|
+
/**
|
|
6038
|
+
* add clientAssertionType for confidential client flows
|
|
6039
|
+
* @param clientAssertionType
|
|
6040
|
+
*/
|
|
6041
|
+
function addClientAssertionType(parameters, clientAssertionType) {
|
|
6042
|
+
if (clientAssertionType) {
|
|
6043
|
+
parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
|
|
5955
6044
|
}
|
|
5956
|
-
|
|
5957
|
-
|
|
5958
|
-
|
|
5959
|
-
|
|
5960
|
-
|
|
5961
|
-
|
|
6045
|
+
}
|
|
6046
|
+
/**
|
|
6047
|
+
* add OBO assertion for confidential client flows
|
|
6048
|
+
* @param clientAssertion
|
|
6049
|
+
*/
|
|
6050
|
+
function addOboAssertion(parameters, oboAssertion) {
|
|
6051
|
+
parameters.set(OBO_ASSERTION, oboAssertion);
|
|
6052
|
+
}
|
|
6053
|
+
/**
|
|
6054
|
+
* add grant type
|
|
6055
|
+
* @param grantType
|
|
6056
|
+
*/
|
|
6057
|
+
function addRequestTokenUse(parameters, tokenUse) {
|
|
6058
|
+
parameters.set(REQUESTED_TOKEN_USE, tokenUse);
|
|
6059
|
+
}
|
|
6060
|
+
/**
|
|
6061
|
+
* add grant type
|
|
6062
|
+
* @param grantType
|
|
6063
|
+
*/
|
|
6064
|
+
function addGrantType(parameters, grantType) {
|
|
6065
|
+
parameters.set(GRANT_TYPE, grantType);
|
|
6066
|
+
}
|
|
6067
|
+
/**
|
|
6068
|
+
* add client info
|
|
6069
|
+
*
|
|
6070
|
+
*/
|
|
6071
|
+
function addClientInfo(parameters) {
|
|
6072
|
+
parameters.set(CLIENT_INFO$1, "1");
|
|
6073
|
+
}
|
|
6074
|
+
function addInstanceAware(parameters) {
|
|
6075
|
+
if (!parameters.has(INSTANCE_AWARE)) {
|
|
6076
|
+
parameters.set(INSTANCE_AWARE, "true");
|
|
5962
6077
|
}
|
|
5963
|
-
|
|
5964
|
-
|
|
5965
|
-
|
|
5966
|
-
|
|
5967
|
-
|
|
5968
|
-
|
|
5969
|
-
|
|
5970
|
-
|
|
5971
|
-
|
|
5972
|
-
this.parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
5973
|
-
}
|
|
5974
|
-
if (libraryInfo.cpu) {
|
|
5975
|
-
this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
6078
|
+
}
|
|
6079
|
+
/**
|
|
6080
|
+
* add extraQueryParams
|
|
6081
|
+
* @param eQParams
|
|
6082
|
+
*/
|
|
6083
|
+
function addExtraQueryParameters(parameters, eQParams) {
|
|
6084
|
+
Object.entries(eQParams).forEach(([key, value]) => {
|
|
6085
|
+
if (!parameters.has(key) && value) {
|
|
6086
|
+
parameters.set(key, value);
|
|
5976
6087
|
}
|
|
6088
|
+
});
|
|
6089
|
+
}
|
|
6090
|
+
function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
6091
|
+
let mergedClaims;
|
|
6092
|
+
// Parse provided claims into JSON object or initialize empty object
|
|
6093
|
+
if (!claims) {
|
|
6094
|
+
mergedClaims = {};
|
|
5977
6095
|
}
|
|
5978
|
-
|
|
5979
|
-
|
|
5980
|
-
|
|
5981
|
-
*/
|
|
5982
|
-
addApplicationTelemetry(appTelemetry) {
|
|
5983
|
-
if (appTelemetry?.appName) {
|
|
5984
|
-
this.parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
6096
|
+
else {
|
|
6097
|
+
try {
|
|
6098
|
+
mergedClaims = JSON.parse(claims);
|
|
5985
6099
|
}
|
|
5986
|
-
|
|
5987
|
-
|
|
6100
|
+
catch (e) {
|
|
6101
|
+
throw createClientConfigurationError(invalidClaims);
|
|
5988
6102
|
}
|
|
5989
6103
|
}
|
|
5990
|
-
|
|
5991
|
-
|
|
5992
|
-
|
|
5993
|
-
|
|
5994
|
-
addPrompt(prompt) {
|
|
5995
|
-
RequestValidator.validatePrompt(prompt);
|
|
5996
|
-
this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
|
|
5997
|
-
}
|
|
5998
|
-
/**
|
|
5999
|
-
* add state
|
|
6000
|
-
* @param state
|
|
6001
|
-
*/
|
|
6002
|
-
addState(state) {
|
|
6003
|
-
if (state) {
|
|
6004
|
-
this.parameters.set(STATE, encodeURIComponent(state));
|
|
6005
|
-
}
|
|
6006
|
-
}
|
|
6007
|
-
/**
|
|
6008
|
-
* add nonce
|
|
6009
|
-
* @param nonce
|
|
6010
|
-
*/
|
|
6011
|
-
addNonce(nonce) {
|
|
6012
|
-
this.parameters.set(NONCE, encodeURIComponent(nonce));
|
|
6013
|
-
}
|
|
6014
|
-
/**
|
|
6015
|
-
* add code_challenge and code_challenge_method
|
|
6016
|
-
* - throw if either of them are not passed
|
|
6017
|
-
* @param codeChallenge
|
|
6018
|
-
* @param codeChallengeMethod
|
|
6019
|
-
*/
|
|
6020
|
-
addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
6021
|
-
RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
|
|
6022
|
-
if (codeChallenge && codeChallengeMethod) {
|
|
6023
|
-
this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
|
|
6024
|
-
this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
|
|
6025
|
-
}
|
|
6026
|
-
else {
|
|
6027
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
6028
|
-
}
|
|
6029
|
-
}
|
|
6030
|
-
/**
|
|
6031
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
6032
|
-
* @param code
|
|
6033
|
-
*/
|
|
6034
|
-
addAuthorizationCode(code) {
|
|
6035
|
-
this.parameters.set(CODE, encodeURIComponent(code));
|
|
6036
|
-
}
|
|
6037
|
-
/**
|
|
6038
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
6039
|
-
* @param code
|
|
6040
|
-
*/
|
|
6041
|
-
addDeviceCode(code) {
|
|
6042
|
-
this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
|
|
6043
|
-
}
|
|
6044
|
-
/**
|
|
6045
|
-
* add the `refreshToken` passed by the user
|
|
6046
|
-
* @param refreshToken
|
|
6047
|
-
*/
|
|
6048
|
-
addRefreshToken(refreshToken) {
|
|
6049
|
-
this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
|
|
6050
|
-
}
|
|
6051
|
-
/**
|
|
6052
|
-
* add the `code_verifier` passed by the user to exchange for a token
|
|
6053
|
-
* @param codeVerifier
|
|
6054
|
-
*/
|
|
6055
|
-
addCodeVerifier(codeVerifier) {
|
|
6056
|
-
this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
|
|
6057
|
-
}
|
|
6058
|
-
/**
|
|
6059
|
-
* add client_secret
|
|
6060
|
-
* @param clientSecret
|
|
6061
|
-
*/
|
|
6062
|
-
addClientSecret(clientSecret) {
|
|
6063
|
-
this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
|
|
6064
|
-
}
|
|
6065
|
-
/**
|
|
6066
|
-
* add clientAssertion for confidential client flows
|
|
6067
|
-
* @param clientAssertion
|
|
6068
|
-
*/
|
|
6069
|
-
addClientAssertion(clientAssertion) {
|
|
6070
|
-
if (clientAssertion) {
|
|
6071
|
-
this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
|
|
6072
|
-
}
|
|
6073
|
-
}
|
|
6074
|
-
/**
|
|
6075
|
-
* add clientAssertionType for confidential client flows
|
|
6076
|
-
* @param clientAssertionType
|
|
6077
|
-
*/
|
|
6078
|
-
addClientAssertionType(clientAssertionType) {
|
|
6079
|
-
if (clientAssertionType) {
|
|
6080
|
-
this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
|
|
6081
|
-
}
|
|
6082
|
-
}
|
|
6083
|
-
/**
|
|
6084
|
-
* add OBO assertion for confidential client flows
|
|
6085
|
-
* @param clientAssertion
|
|
6086
|
-
*/
|
|
6087
|
-
addOboAssertion(oboAssertion) {
|
|
6088
|
-
this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
|
|
6089
|
-
}
|
|
6090
|
-
/**
|
|
6091
|
-
* add grant type
|
|
6092
|
-
* @param grantType
|
|
6093
|
-
*/
|
|
6094
|
-
addRequestTokenUse(tokenUse) {
|
|
6095
|
-
this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
|
|
6096
|
-
}
|
|
6097
|
-
/**
|
|
6098
|
-
* add grant type
|
|
6099
|
-
* @param grantType
|
|
6100
|
-
*/
|
|
6101
|
-
addGrantType(grantType) {
|
|
6102
|
-
this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
|
|
6103
|
-
}
|
|
6104
|
-
/**
|
|
6105
|
-
* add client info
|
|
6106
|
-
*
|
|
6107
|
-
*/
|
|
6108
|
-
addClientInfo() {
|
|
6109
|
-
this.parameters.set(CLIENT_INFO$1, "1");
|
|
6110
|
-
}
|
|
6111
|
-
/**
|
|
6112
|
-
* add extraQueryParams
|
|
6113
|
-
* @param eQParams
|
|
6114
|
-
*/
|
|
6115
|
-
addExtraQueryParameters(eQParams) {
|
|
6116
|
-
Object.entries(eQParams).forEach(([key, value]) => {
|
|
6117
|
-
if (!this.parameters.has(key) && value) {
|
|
6118
|
-
this.parameters.set(key, value);
|
|
6119
|
-
}
|
|
6120
|
-
});
|
|
6121
|
-
}
|
|
6122
|
-
addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
6123
|
-
let mergedClaims;
|
|
6124
|
-
// Parse provided claims into JSON object or initialize empty object
|
|
6125
|
-
if (!claims) {
|
|
6126
|
-
mergedClaims = {};
|
|
6127
|
-
}
|
|
6128
|
-
else {
|
|
6129
|
-
try {
|
|
6130
|
-
mergedClaims = JSON.parse(claims);
|
|
6131
|
-
}
|
|
6132
|
-
catch (e) {
|
|
6133
|
-
throw createClientConfigurationError(invalidClaims);
|
|
6134
|
-
}
|
|
6104
|
+
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
6105
|
+
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
6106
|
+
// Add access_token key to claims object
|
|
6107
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
6135
6108
|
}
|
|
6136
|
-
|
|
6137
|
-
|
|
6138
|
-
|
|
6139
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
6140
|
-
}
|
|
6141
|
-
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
6142
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
|
|
6109
|
+
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
6110
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
|
|
6111
|
+
{
|
|
6143
6112
|
values: clientCapabilities,
|
|
6144
6113
|
};
|
|
6145
|
-
}
|
|
6146
|
-
return JSON.stringify(mergedClaims);
|
|
6147
|
-
}
|
|
6148
|
-
/**
|
|
6149
|
-
* adds `username` for Password Grant flow
|
|
6150
|
-
* @param username
|
|
6151
|
-
*/
|
|
6152
|
-
addUsername(username) {
|
|
6153
|
-
this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
|
|
6154
|
-
}
|
|
6155
|
-
/**
|
|
6156
|
-
* adds `password` for Password Grant flow
|
|
6157
|
-
* @param password
|
|
6158
|
-
*/
|
|
6159
|
-
addPassword(password) {
|
|
6160
|
-
this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
|
|
6161
|
-
}
|
|
6162
|
-
/**
|
|
6163
|
-
* add pop_jwk to query params
|
|
6164
|
-
* @param cnfString
|
|
6165
|
-
*/
|
|
6166
|
-
addPopToken(cnfString) {
|
|
6167
|
-
if (cnfString) {
|
|
6168
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
6169
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
|
|
6170
|
-
}
|
|
6171
|
-
}
|
|
6172
|
-
/**
|
|
6173
|
-
* add SSH JWK and key ID to query params
|
|
6174
|
-
*/
|
|
6175
|
-
addSshJwk(sshJwkString) {
|
|
6176
|
-
if (sshJwkString) {
|
|
6177
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
6178
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
|
|
6179
|
-
}
|
|
6180
|
-
}
|
|
6181
|
-
/**
|
|
6182
|
-
* add server telemetry fields
|
|
6183
|
-
* @param serverTelemetryManager
|
|
6184
|
-
*/
|
|
6185
|
-
addServerTelemetry(serverTelemetryManager) {
|
|
6186
|
-
this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
6187
|
-
this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
6188
6114
|
}
|
|
6189
|
-
|
|
6190
|
-
|
|
6191
|
-
|
|
6192
|
-
|
|
6193
|
-
|
|
6115
|
+
return JSON.stringify(mergedClaims);
|
|
6116
|
+
}
|
|
6117
|
+
/**
|
|
6118
|
+
* adds `username` for Password Grant flow
|
|
6119
|
+
* @param username
|
|
6120
|
+
*/
|
|
6121
|
+
function addUsername(parameters, username) {
|
|
6122
|
+
parameters.set(PasswordGrantConstants.username, username);
|
|
6123
|
+
}
|
|
6124
|
+
/**
|
|
6125
|
+
* adds `password` for Password Grant flow
|
|
6126
|
+
* @param password
|
|
6127
|
+
*/
|
|
6128
|
+
function addPassword(parameters, password) {
|
|
6129
|
+
parameters.set(PasswordGrantConstants.password, password);
|
|
6130
|
+
}
|
|
6131
|
+
/**
|
|
6132
|
+
* add pop_jwk to query params
|
|
6133
|
+
* @param cnfString
|
|
6134
|
+
*/
|
|
6135
|
+
function addPopToken(parameters, cnfString) {
|
|
6136
|
+
if (cnfString) {
|
|
6137
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
6138
|
+
parameters.set(REQ_CNF, cnfString);
|
|
6194
6139
|
}
|
|
6195
|
-
|
|
6196
|
-
|
|
6197
|
-
|
|
6198
|
-
|
|
6199
|
-
|
|
6140
|
+
}
|
|
6141
|
+
/**
|
|
6142
|
+
* add SSH JWK and key ID to query params
|
|
6143
|
+
*/
|
|
6144
|
+
function addSshJwk(parameters, sshJwkString) {
|
|
6145
|
+
if (sshJwkString) {
|
|
6146
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
6147
|
+
parameters.set(REQ_CNF, sshJwkString);
|
|
6200
6148
|
}
|
|
6201
|
-
|
|
6202
|
-
|
|
6203
|
-
|
|
6204
|
-
|
|
6205
|
-
|
|
6206
|
-
|
|
6207
|
-
|
|
6149
|
+
}
|
|
6150
|
+
/**
|
|
6151
|
+
* add server telemetry fields
|
|
6152
|
+
* @param serverTelemetryManager
|
|
6153
|
+
*/
|
|
6154
|
+
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
6155
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
6156
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
6157
|
+
}
|
|
6158
|
+
/**
|
|
6159
|
+
* Adds parameter that indicates to the server that throttling is supported
|
|
6160
|
+
*/
|
|
6161
|
+
function addThrottling(parameters) {
|
|
6162
|
+
parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
6163
|
+
}
|
|
6164
|
+
/**
|
|
6165
|
+
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
6166
|
+
*/
|
|
6167
|
+
function addLogoutHint(parameters, logoutHint) {
|
|
6168
|
+
parameters.set(LOGOUT_HINT, logoutHint);
|
|
6169
|
+
}
|
|
6170
|
+
function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
|
|
6171
|
+
if (!parameters.has(BROKER_CLIENT_ID)) {
|
|
6172
|
+
parameters.set(BROKER_CLIENT_ID, brokerClientId);
|
|
6208
6173
|
}
|
|
6209
|
-
|
|
6210
|
-
|
|
6211
|
-
*/
|
|
6212
|
-
createQueryString() {
|
|
6213
|
-
const queryParameterArray = new Array();
|
|
6214
|
-
this.parameters.forEach((value, key) => {
|
|
6215
|
-
queryParameterArray.push(`${key}=${value}`);
|
|
6216
|
-
});
|
|
6217
|
-
instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
|
|
6218
|
-
return queryParameterArray.join("&");
|
|
6174
|
+
if (!parameters.has(BROKER_REDIRECT_URI)) {
|
|
6175
|
+
parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
|
|
6219
6176
|
}
|
|
6177
|
+
}
|
|
6178
|
+
/**
|
|
6179
|
+
* Add EAR (Encrypted Authorize Response) request parameters
|
|
6180
|
+
* @param parameters
|
|
6181
|
+
* @param jwk
|
|
6182
|
+
*/
|
|
6183
|
+
function addEARParameters(parameters, jwk) {
|
|
6184
|
+
parameters.set(EAR_JWK, encodeURIComponent(jwk));
|
|
6185
|
+
// ear_jwe_crypto will always have value: {"alg":"dir","enc":"A256GCM"} so we can hardcode this
|
|
6186
|
+
const jweCryptoB64Encoded = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0";
|
|
6187
|
+
parameters.set(EAR_JWE_CRYPTO, jweCryptoB64Encoded);
|
|
6220
6188
|
}
|
|
6221
6189
|
|
|
6190
|
+
var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
6191
|
+
__proto__: null,
|
|
6192
|
+
addApplicationTelemetry: addApplicationTelemetry,
|
|
6193
|
+
addAuthorizationCode: addAuthorizationCode,
|
|
6194
|
+
addBrokerParameters: addBrokerParameters,
|
|
6195
|
+
addCcsOid: addCcsOid,
|
|
6196
|
+
addCcsUpn: addCcsUpn,
|
|
6197
|
+
addClaims: addClaims,
|
|
6198
|
+
addClientAssertion: addClientAssertion,
|
|
6199
|
+
addClientAssertionType: addClientAssertionType,
|
|
6200
|
+
addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
|
|
6201
|
+
addClientId: addClientId,
|
|
6202
|
+
addClientInfo: addClientInfo,
|
|
6203
|
+
addClientSecret: addClientSecret,
|
|
6204
|
+
addCodeChallengeParams: addCodeChallengeParams,
|
|
6205
|
+
addCodeVerifier: addCodeVerifier,
|
|
6206
|
+
addCorrelationId: addCorrelationId,
|
|
6207
|
+
addDeviceCode: addDeviceCode,
|
|
6208
|
+
addDomainHint: addDomainHint,
|
|
6209
|
+
addEARParameters: addEARParameters,
|
|
6210
|
+
addExtraQueryParameters: addExtraQueryParameters,
|
|
6211
|
+
addGrantType: addGrantType,
|
|
6212
|
+
addIdTokenHint: addIdTokenHint,
|
|
6213
|
+
addInstanceAware: addInstanceAware,
|
|
6214
|
+
addLibraryInfo: addLibraryInfo,
|
|
6215
|
+
addLoginHint: addLoginHint,
|
|
6216
|
+
addLogoutHint: addLogoutHint,
|
|
6217
|
+
addNativeBroker: addNativeBroker,
|
|
6218
|
+
addNonce: addNonce,
|
|
6219
|
+
addOboAssertion: addOboAssertion,
|
|
6220
|
+
addPassword: addPassword,
|
|
6221
|
+
addPopToken: addPopToken,
|
|
6222
|
+
addPostLogoutRedirectUri: addPostLogoutRedirectUri,
|
|
6223
|
+
addPrompt: addPrompt,
|
|
6224
|
+
addRedirectUri: addRedirectUri,
|
|
6225
|
+
addRefreshToken: addRefreshToken,
|
|
6226
|
+
addRequestTokenUse: addRequestTokenUse,
|
|
6227
|
+
addResponseMode: addResponseMode,
|
|
6228
|
+
addResponseType: addResponseType,
|
|
6229
|
+
addScopes: addScopes,
|
|
6230
|
+
addServerTelemetry: addServerTelemetry,
|
|
6231
|
+
addSid: addSid,
|
|
6232
|
+
addSshJwk: addSshJwk,
|
|
6233
|
+
addState: addState,
|
|
6234
|
+
addThrottling: addThrottling,
|
|
6235
|
+
addUsername: addUsername,
|
|
6236
|
+
instrumentBrokerParams: instrumentBrokerParams
|
|
6237
|
+
});
|
|
6238
|
+
|
|
6222
6239
|
/*
|
|
6223
6240
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6224
6241
|
* Licensed under the MIT License.
|
|
@@ -6502,18 +6519,16 @@ class BaseClient {
|
|
|
6502
6519
|
* @param request
|
|
6503
6520
|
*/
|
|
6504
6521
|
createTokenQueryParameters(request) {
|
|
6505
|
-
const
|
|
6522
|
+
const parameters = new Map();
|
|
6506
6523
|
if (request.embeddedClientId) {
|
|
6507
|
-
|
|
6508
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
6509
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
6510
|
-
});
|
|
6524
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6511
6525
|
}
|
|
6512
6526
|
if (request.tokenQueryParameters) {
|
|
6513
|
-
|
|
6527
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6514
6528
|
}
|
|
6515
|
-
|
|
6516
|
-
|
|
6529
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6530
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6531
|
+
return mapToQueryString(parameters);
|
|
6517
6532
|
}
|
|
6518
6533
|
}
|
|
6519
6534
|
|
|
@@ -6810,13 +6825,6 @@ class PopTokenGenerator {
|
|
|
6810
6825
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6811
6826
|
* Licensed under the MIT License.
|
|
6812
6827
|
*/
|
|
6813
|
-
function parseServerErrorNo(serverResponse) {
|
|
6814
|
-
const errorCodePrefix = "code=";
|
|
6815
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
6816
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
6817
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
6818
|
-
: undefined;
|
|
6819
|
-
}
|
|
6820
6828
|
/**
|
|
6821
6829
|
* Class that handles response parsing.
|
|
6822
6830
|
* @internal
|
|
@@ -6831,46 +6839,6 @@ class ResponseHandler {
|
|
|
6831
6839
|
this.persistencePlugin = persistencePlugin;
|
|
6832
6840
|
this.performanceClient = performanceClient;
|
|
6833
6841
|
}
|
|
6834
|
-
/**
|
|
6835
|
-
* Function which validates server authorization code response.
|
|
6836
|
-
* @param serverResponseHash
|
|
6837
|
-
* @param requestState
|
|
6838
|
-
* @param cryptoObj
|
|
6839
|
-
*/
|
|
6840
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
6841
|
-
if (!serverResponse.state || !requestState) {
|
|
6842
|
-
throw serverResponse.state
|
|
6843
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6844
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
6845
|
-
}
|
|
6846
|
-
let decodedServerResponseState;
|
|
6847
|
-
let decodedRequestState;
|
|
6848
|
-
try {
|
|
6849
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6850
|
-
}
|
|
6851
|
-
catch (e) {
|
|
6852
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6853
|
-
}
|
|
6854
|
-
try {
|
|
6855
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
6856
|
-
}
|
|
6857
|
-
catch (e) {
|
|
6858
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6859
|
-
}
|
|
6860
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
6861
|
-
throw createClientAuthError(stateMismatch);
|
|
6862
|
-
}
|
|
6863
|
-
// Check for error
|
|
6864
|
-
if (serverResponse.error ||
|
|
6865
|
-
serverResponse.error_description ||
|
|
6866
|
-
serverResponse.suberror) {
|
|
6867
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
6868
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6869
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6870
|
-
}
|
|
6871
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
6872
|
-
}
|
|
6873
|
-
}
|
|
6874
6842
|
/**
|
|
6875
6843
|
* Function which validates server authorization token response.
|
|
6876
6844
|
* @param serverResponse
|
|
@@ -7182,6 +7150,71 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
7182
7150
|
return baseAccount;
|
|
7183
7151
|
}
|
|
7184
7152
|
|
|
7153
|
+
/*
|
|
7154
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7155
|
+
* Licensed under the MIT License.
|
|
7156
|
+
*/
|
|
7157
|
+
/**
|
|
7158
|
+
* Validates server consumable params from the "request" objects
|
|
7159
|
+
*/
|
|
7160
|
+
class RequestValidator {
|
|
7161
|
+
/**
|
|
7162
|
+
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
7163
|
+
* @param redirectUri
|
|
7164
|
+
*/
|
|
7165
|
+
static validateRedirectUri(redirectUri) {
|
|
7166
|
+
if (!redirectUri) {
|
|
7167
|
+
throw createClientConfigurationError(redirectUriEmpty);
|
|
7168
|
+
}
|
|
7169
|
+
}
|
|
7170
|
+
/**
|
|
7171
|
+
* Utility to validate prompt sent by the user in the request
|
|
7172
|
+
* @param prompt
|
|
7173
|
+
*/
|
|
7174
|
+
static validatePrompt(prompt) {
|
|
7175
|
+
const promptValues = [];
|
|
7176
|
+
for (const value in PromptValue) {
|
|
7177
|
+
promptValues.push(PromptValue[value]);
|
|
7178
|
+
}
|
|
7179
|
+
if (promptValues.indexOf(prompt) < 0) {
|
|
7180
|
+
throw createClientConfigurationError(invalidPromptValue);
|
|
7181
|
+
}
|
|
7182
|
+
}
|
|
7183
|
+
static validateClaims(claims) {
|
|
7184
|
+
try {
|
|
7185
|
+
JSON.parse(claims);
|
|
7186
|
+
}
|
|
7187
|
+
catch (e) {
|
|
7188
|
+
throw createClientConfigurationError(invalidClaims);
|
|
7189
|
+
}
|
|
7190
|
+
}
|
|
7191
|
+
/**
|
|
7192
|
+
* Utility to validate code_challenge and code_challenge_method
|
|
7193
|
+
* @param codeChallenge
|
|
7194
|
+
* @param codeChallengeMethod
|
|
7195
|
+
*/
|
|
7196
|
+
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
7197
|
+
if (!codeChallenge || !codeChallengeMethod) {
|
|
7198
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
7199
|
+
}
|
|
7200
|
+
else {
|
|
7201
|
+
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
7202
|
+
}
|
|
7203
|
+
}
|
|
7204
|
+
/**
|
|
7205
|
+
* Utility to validate code_challenge_method
|
|
7206
|
+
* @param codeChallengeMethod
|
|
7207
|
+
*/
|
|
7208
|
+
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
7209
|
+
if ([
|
|
7210
|
+
CodeChallengeMethodValues.PLAIN,
|
|
7211
|
+
CodeChallengeMethodValues.S256,
|
|
7212
|
+
].indexOf(codeChallengeMethod) < 0) {
|
|
7213
|
+
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
7214
|
+
}
|
|
7215
|
+
}
|
|
7216
|
+
}
|
|
7217
|
+
|
|
7185
7218
|
/*
|
|
7186
7219
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7187
7220
|
* Licensed under the MIT License.
|
|
@@ -7220,21 +7253,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7220
7253
|
this.oidcDefaultScopes =
|
|
7221
7254
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
7222
7255
|
}
|
|
7223
|
-
/**
|
|
7224
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
7225
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
7226
|
-
* application object.
|
|
7227
|
-
*
|
|
7228
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
7229
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
7230
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
7231
|
-
* @param request
|
|
7232
|
-
*/
|
|
7233
|
-
async getAuthCodeUrl(request) {
|
|
7234
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
7235
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7236
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
7237
|
-
}
|
|
7238
7256
|
/**
|
|
7239
7257
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
7240
7258
|
* authorization_code_grant
|
|
@@ -7254,22 +7272,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7254
7272
|
responseHandler.validateTokenResponse(response.body);
|
|
7255
7273
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
7256
7274
|
}
|
|
7257
|
-
/**
|
|
7258
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7259
|
-
* the client to exchange for a token in acquireToken.
|
|
7260
|
-
* @param hashFragment
|
|
7261
|
-
*/
|
|
7262
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
7263
|
-
// Handle responses.
|
|
7264
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
7265
|
-
// Get code response
|
|
7266
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
7267
|
-
// throw when there is no auth code in the response
|
|
7268
|
-
if (!serverParams.code) {
|
|
7269
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7270
|
-
}
|
|
7271
|
-
return serverParams;
|
|
7272
|
-
}
|
|
7273
7275
|
/**
|
|
7274
7276
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
7275
7277
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -7317,8 +7319,8 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7317
7319
|
*/
|
|
7318
7320
|
async createTokenRequestBody(request) {
|
|
7319
7321
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
7320
|
-
const
|
|
7321
|
-
|
|
7322
|
+
const parameters = new Map();
|
|
7323
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7322
7324
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7323
7325
|
this.config.authOptions.clientId);
|
|
7324
7326
|
/*
|
|
@@ -7331,33 +7333,33 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7331
7333
|
}
|
|
7332
7334
|
else {
|
|
7333
7335
|
// Validate and include redirect uri
|
|
7334
|
-
|
|
7336
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7335
7337
|
}
|
|
7336
7338
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
7337
|
-
|
|
7339
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
7338
7340
|
// add code: user set, not validated
|
|
7339
|
-
|
|
7341
|
+
addAuthorizationCode(parameters, request.code);
|
|
7340
7342
|
// Add library metadata
|
|
7341
|
-
|
|
7342
|
-
|
|
7343
|
-
|
|
7343
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7344
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7345
|
+
addThrottling(parameters);
|
|
7344
7346
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7345
|
-
|
|
7347
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7346
7348
|
}
|
|
7347
7349
|
// add code_verifier if passed
|
|
7348
7350
|
if (request.codeVerifier) {
|
|
7349
|
-
|
|
7351
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
7350
7352
|
}
|
|
7351
7353
|
if (this.config.clientCredentials.clientSecret) {
|
|
7352
|
-
|
|
7354
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7353
7355
|
}
|
|
7354
7356
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7355
7357
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7356
|
-
|
|
7357
|
-
|
|
7358
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7359
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7358
7360
|
}
|
|
7359
|
-
|
|
7360
|
-
|
|
7361
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
7362
|
+
addClientInfo(parameters);
|
|
7361
7363
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7362
7364
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
7363
7365
|
let reqCnfData;
|
|
@@ -7369,11 +7371,11 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7369
7371
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7370
7372
|
}
|
|
7371
7373
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7372
|
-
|
|
7374
|
+
addPopToken(parameters, reqCnfData);
|
|
7373
7375
|
}
|
|
7374
7376
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7375
7377
|
if (request.sshJwk) {
|
|
7376
|
-
|
|
7378
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7377
7379
|
}
|
|
7378
7380
|
else {
|
|
7379
7381
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7382,7 +7384,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7382
7384
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7383
7385
|
(this.config.authOptions.clientCapabilities &&
|
|
7384
7386
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7385
|
-
|
|
7387
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7386
7388
|
}
|
|
7387
7389
|
let ccsCred = undefined;
|
|
7388
7390
|
if (request.clientInfo) {
|
|
@@ -7406,7 +7408,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7406
7408
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7407
7409
|
try {
|
|
7408
7410
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
7409
|
-
|
|
7411
|
+
addCcsOid(parameters, clientInfo);
|
|
7410
7412
|
}
|
|
7411
7413
|
catch (e) {
|
|
7412
7414
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7414,230 +7416,55 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7414
7416
|
}
|
|
7415
7417
|
break;
|
|
7416
7418
|
case CcsCredentialType.UPN:
|
|
7417
|
-
|
|
7419
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
7418
7420
|
break;
|
|
7419
7421
|
}
|
|
7420
7422
|
}
|
|
7421
7423
|
if (request.embeddedClientId) {
|
|
7422
|
-
|
|
7423
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7424
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7425
|
-
});
|
|
7424
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7426
7425
|
}
|
|
7427
7426
|
if (request.tokenBodyParameters) {
|
|
7428
|
-
|
|
7427
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7429
7428
|
}
|
|
7430
7429
|
// Add hybrid spa parameters if not already provided
|
|
7431
7430
|
if (request.enableSpaAuthorizationCode &&
|
|
7432
7431
|
(!request.tokenBodyParameters ||
|
|
7433
7432
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
7434
|
-
|
|
7433
|
+
addExtraQueryParameters(parameters, {
|
|
7435
7434
|
[RETURN_SPA_CODE]: "1",
|
|
7436
7435
|
});
|
|
7437
7436
|
}
|
|
7438
|
-
|
|
7439
|
-
|
|
7440
|
-
/**
|
|
7441
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
7442
|
-
* @param request
|
|
7443
|
-
*/
|
|
7444
|
-
async createAuthCodeUrlQueryString(request) {
|
|
7445
|
-
// generate the correlationId if not set by the user and add
|
|
7446
|
-
const correlationId = request.correlationId ||
|
|
7447
|
-
this.config.cryptoInterface.createNewGuid();
|
|
7448
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
7449
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
7450
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7451
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7452
|
-
this.config.authOptions.clientId);
|
|
7453
|
-
const requestScopes = [
|
|
7454
|
-
...(request.scopes || []),
|
|
7455
|
-
...(request.extraScopesToConsent || []),
|
|
7456
|
-
];
|
|
7457
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
7458
|
-
// validate the redirectUri (to be a non null value)
|
|
7459
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
7460
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
7461
|
-
// add response_mode. If not passed in it defaults to query.
|
|
7462
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
7463
|
-
// add response_type = code
|
|
7464
|
-
parameterBuilder.addResponseTypeCode();
|
|
7465
|
-
// add library info parameters
|
|
7466
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
7467
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
7468
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
7469
|
-
}
|
|
7470
|
-
// add client_info=1
|
|
7471
|
-
parameterBuilder.addClientInfo();
|
|
7472
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
7473
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
7474
|
-
}
|
|
7475
|
-
if (request.prompt) {
|
|
7476
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
7477
|
-
}
|
|
7478
|
-
if (request.domainHint) {
|
|
7479
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
7480
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7481
|
-
}
|
|
7482
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7483
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7484
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7485
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7486
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7487
|
-
// SessionID is only used in silent calls
|
|
7488
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7489
|
-
parameterBuilder.addSid(request.sid);
|
|
7490
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7491
|
-
}
|
|
7492
|
-
else if (request.account) {
|
|
7493
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
7494
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
7495
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
7496
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7497
|
-
accountLoginHintClaim = null;
|
|
7498
|
-
}
|
|
7499
|
-
// If login_hint claim is present, use it over sid/username
|
|
7500
|
-
if (accountLoginHintClaim) {
|
|
7501
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7502
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
7503
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7504
|
-
try {
|
|
7505
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7506
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7507
|
-
}
|
|
7508
|
-
catch (e) {
|
|
7509
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7510
|
-
}
|
|
7511
|
-
}
|
|
7512
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7513
|
-
/*
|
|
7514
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7515
|
-
* SessionId is only used in silent calls
|
|
7516
|
-
*/
|
|
7517
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7518
|
-
parameterBuilder.addSid(accountSid);
|
|
7519
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7520
|
-
try {
|
|
7521
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7522
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7523
|
-
}
|
|
7524
|
-
catch (e) {
|
|
7525
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7526
|
-
}
|
|
7527
|
-
}
|
|
7528
|
-
else if (request.loginHint) {
|
|
7529
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7530
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7531
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7532
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7533
|
-
}
|
|
7534
|
-
else if (request.account.username) {
|
|
7535
|
-
// Fallback to account username if provided
|
|
7536
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7537
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
7538
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7539
|
-
try {
|
|
7540
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7541
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7542
|
-
}
|
|
7543
|
-
catch (e) {
|
|
7544
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7545
|
-
}
|
|
7546
|
-
}
|
|
7547
|
-
}
|
|
7548
|
-
else if (request.loginHint) {
|
|
7549
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7550
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7551
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7552
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7553
|
-
}
|
|
7554
|
-
}
|
|
7555
|
-
else {
|
|
7556
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7557
|
-
}
|
|
7558
|
-
if (request.nonce) {
|
|
7559
|
-
parameterBuilder.addNonce(request.nonce);
|
|
7560
|
-
}
|
|
7561
|
-
if (request.state) {
|
|
7562
|
-
parameterBuilder.addState(request.state);
|
|
7563
|
-
}
|
|
7564
|
-
if (request.claims ||
|
|
7565
|
-
(this.config.authOptions.clientCapabilities &&
|
|
7566
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7567
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
7568
|
-
}
|
|
7569
|
-
if (request.embeddedClientId) {
|
|
7570
|
-
parameterBuilder.addBrokerParameters({
|
|
7571
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7572
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7573
|
-
});
|
|
7574
|
-
}
|
|
7575
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7576
|
-
if (request.platformBroker) {
|
|
7577
|
-
// signal ests that this is a WAM call
|
|
7578
|
-
parameterBuilder.addNativeBroker();
|
|
7579
|
-
// pass the req_cnf for POP
|
|
7580
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7581
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
7582
|
-
// req_cnf is always sent as a string for SPAs
|
|
7583
|
-
let reqCnfData;
|
|
7584
|
-
if (!request.popKid) {
|
|
7585
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
7586
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
7587
|
-
}
|
|
7588
|
-
else {
|
|
7589
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7590
|
-
}
|
|
7591
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
7592
|
-
}
|
|
7593
|
-
}
|
|
7594
|
-
return parameterBuilder.createQueryString();
|
|
7437
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7438
|
+
return mapToQueryString(parameters);
|
|
7595
7439
|
}
|
|
7596
7440
|
/**
|
|
7597
7441
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
7598
7442
|
* @param request
|
|
7599
7443
|
*/
|
|
7600
7444
|
createLogoutUrlQueryString(request) {
|
|
7601
|
-
const
|
|
7445
|
+
const parameters = new Map();
|
|
7602
7446
|
if (request.postLogoutRedirectUri) {
|
|
7603
|
-
|
|
7447
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
7604
7448
|
}
|
|
7605
7449
|
if (request.correlationId) {
|
|
7606
|
-
|
|
7450
|
+
addCorrelationId(parameters, request.correlationId);
|
|
7607
7451
|
}
|
|
7608
7452
|
if (request.idTokenHint) {
|
|
7609
|
-
|
|
7453
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
7610
7454
|
}
|
|
7611
7455
|
if (request.state) {
|
|
7612
|
-
|
|
7456
|
+
addState(parameters, request.state);
|
|
7613
7457
|
}
|
|
7614
7458
|
if (request.logoutHint) {
|
|
7615
|
-
|
|
7616
|
-
}
|
|
7617
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7618
|
-
return parameterBuilder.createQueryString();
|
|
7619
|
-
}
|
|
7620
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
7621
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
7622
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
7623
|
-
// Set instance_aware flag if config auth param is set
|
|
7624
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
7625
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
7626
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
7459
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
7627
7460
|
}
|
|
7628
7461
|
if (request.extraQueryParameters) {
|
|
7629
|
-
|
|
7462
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7630
7463
|
}
|
|
7631
|
-
|
|
7632
|
-
|
|
7633
|
-
|
|
7634
|
-
|
|
7635
|
-
*/
|
|
7636
|
-
extractAccountSid(account) {
|
|
7637
|
-
return account.idTokenClaims?.sid || null;
|
|
7638
|
-
}
|
|
7639
|
-
extractLoginHint(account) {
|
|
7640
|
-
return account.idTokenClaims?.login_hint || null;
|
|
7464
|
+
if (this.config.authOptions.instanceAware) {
|
|
7465
|
+
addInstanceAware(parameters);
|
|
7466
|
+
}
|
|
7467
|
+
return mapToQueryString(parameters);
|
|
7641
7468
|
}
|
|
7642
7469
|
}
|
|
7643
7470
|
|
|
@@ -7768,31 +7595,30 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7768
7595
|
*/
|
|
7769
7596
|
async createTokenRequestBody(request) {
|
|
7770
7597
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
7771
|
-
const
|
|
7772
|
-
|
|
7773
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7598
|
+
const parameters = new Map();
|
|
7599
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7774
7600
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7775
7601
|
this.config.authOptions.clientId);
|
|
7776
7602
|
if (request.redirectUri) {
|
|
7777
|
-
|
|
7778
|
-
}
|
|
7779
|
-
|
|
7780
|
-
|
|
7781
|
-
|
|
7782
|
-
|
|
7783
|
-
|
|
7784
|
-
|
|
7603
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7604
|
+
}
|
|
7605
|
+
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7606
|
+
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7607
|
+
addClientInfo(parameters);
|
|
7608
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7609
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7610
|
+
addThrottling(parameters);
|
|
7785
7611
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7786
|
-
|
|
7612
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7787
7613
|
}
|
|
7788
|
-
|
|
7614
|
+
addRefreshToken(parameters, request.refreshToken);
|
|
7789
7615
|
if (this.config.clientCredentials.clientSecret) {
|
|
7790
|
-
|
|
7616
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7791
7617
|
}
|
|
7792
7618
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7793
7619
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7794
|
-
|
|
7795
|
-
|
|
7620
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7621
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7796
7622
|
}
|
|
7797
7623
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7798
7624
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
@@ -7805,11 +7631,11 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7805
7631
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7806
7632
|
}
|
|
7807
7633
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7808
|
-
|
|
7634
|
+
addPopToken(parameters, reqCnfData);
|
|
7809
7635
|
}
|
|
7810
7636
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7811
7637
|
if (request.sshJwk) {
|
|
7812
|
-
|
|
7638
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7813
7639
|
}
|
|
7814
7640
|
else {
|
|
7815
7641
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7818,7 +7644,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7818
7644
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7819
7645
|
(this.config.authOptions.clientCapabilities &&
|
|
7820
7646
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7821
|
-
|
|
7647
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7822
7648
|
}
|
|
7823
7649
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
7824
7650
|
request.ccsCredential) {
|
|
@@ -7826,7 +7652,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7826
7652
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7827
7653
|
try {
|
|
7828
7654
|
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
7829
|
-
|
|
7655
|
+
addCcsOid(parameters, clientInfo);
|
|
7830
7656
|
}
|
|
7831
7657
|
catch (e) {
|
|
7832
7658
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7834,20 +7660,18 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7834
7660
|
}
|
|
7835
7661
|
break;
|
|
7836
7662
|
case CcsCredentialType.UPN:
|
|
7837
|
-
|
|
7663
|
+
addCcsUpn(parameters, request.ccsCredential.credential);
|
|
7838
7664
|
break;
|
|
7839
7665
|
}
|
|
7840
7666
|
}
|
|
7841
7667
|
if (request.embeddedClientId) {
|
|
7842
|
-
|
|
7843
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7844
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7845
|
-
});
|
|
7668
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7846
7669
|
}
|
|
7847
7670
|
if (request.tokenBodyParameters) {
|
|
7848
|
-
|
|
7671
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7849
7672
|
}
|
|
7850
|
-
|
|
7673
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7674
|
+
return mapToQueryString(parameters);
|
|
7851
7675
|
}
|
|
7852
7676
|
}
|
|
7853
7677
|
|
|
@@ -7960,6 +7784,236 @@ const StubbedNetworkModule = {
|
|
|
7960
7784
|
},
|
|
7961
7785
|
};
|
|
7962
7786
|
|
|
7787
|
+
/*
|
|
7788
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7789
|
+
* Licensed under the MIT License.
|
|
7790
|
+
*/
|
|
7791
|
+
/**
|
|
7792
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
7793
|
+
* @param config
|
|
7794
|
+
* @param request
|
|
7795
|
+
* @param logger
|
|
7796
|
+
* @param performanceClient
|
|
7797
|
+
* @returns
|
|
7798
|
+
*/
|
|
7799
|
+
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7800
|
+
// generate the correlationId if not set by the user and add
|
|
7801
|
+
const correlationId = request.correlationId;
|
|
7802
|
+
const parameters = new Map();
|
|
7803
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7804
|
+
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7805
|
+
authOptions.clientId);
|
|
7806
|
+
const requestScopes = [
|
|
7807
|
+
...(request.scopes || []),
|
|
7808
|
+
...(request.extraScopesToConsent || []),
|
|
7809
|
+
];
|
|
7810
|
+
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7811
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7812
|
+
addCorrelationId(parameters, correlationId);
|
|
7813
|
+
// add response_mode. If not passed in it defaults to query.
|
|
7814
|
+
addResponseMode(parameters, request.responseMode);
|
|
7815
|
+
// add client_info=1
|
|
7816
|
+
addClientInfo(parameters);
|
|
7817
|
+
if (request.prompt) {
|
|
7818
|
+
addPrompt(parameters, request.prompt);
|
|
7819
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7820
|
+
}
|
|
7821
|
+
if (request.domainHint) {
|
|
7822
|
+
addDomainHint(parameters, request.domainHint);
|
|
7823
|
+
performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7824
|
+
}
|
|
7825
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7826
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7827
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7828
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7829
|
+
// SessionID is only used in silent calls
|
|
7830
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7831
|
+
addSid(parameters, request.sid);
|
|
7832
|
+
performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7833
|
+
}
|
|
7834
|
+
else if (request.account) {
|
|
7835
|
+
const accountSid = extractAccountSid(request.account);
|
|
7836
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
7837
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
7838
|
+
logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7839
|
+
accountLoginHintClaim = null;
|
|
7840
|
+
}
|
|
7841
|
+
// If login_hint claim is present, use it over sid/username
|
|
7842
|
+
if (accountLoginHintClaim) {
|
|
7843
|
+
logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7844
|
+
addLoginHint(parameters, accountLoginHintClaim);
|
|
7845
|
+
performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7846
|
+
try {
|
|
7847
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7848
|
+
addCcsOid(parameters, clientInfo);
|
|
7849
|
+
}
|
|
7850
|
+
catch (e) {
|
|
7851
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7852
|
+
}
|
|
7853
|
+
}
|
|
7854
|
+
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7855
|
+
/*
|
|
7856
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7857
|
+
* SessionId is only used in silent calls
|
|
7858
|
+
*/
|
|
7859
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7860
|
+
addSid(parameters, accountSid);
|
|
7861
|
+
performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7862
|
+
try {
|
|
7863
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7864
|
+
addCcsOid(parameters, clientInfo);
|
|
7865
|
+
}
|
|
7866
|
+
catch (e) {
|
|
7867
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7868
|
+
}
|
|
7869
|
+
}
|
|
7870
|
+
else if (request.loginHint) {
|
|
7871
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7872
|
+
addLoginHint(parameters, request.loginHint);
|
|
7873
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7874
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7875
|
+
}
|
|
7876
|
+
else if (request.account.username) {
|
|
7877
|
+
// Fallback to account username if provided
|
|
7878
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7879
|
+
addLoginHint(parameters, request.account.username);
|
|
7880
|
+
performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7881
|
+
try {
|
|
7882
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7883
|
+
addCcsOid(parameters, clientInfo);
|
|
7884
|
+
}
|
|
7885
|
+
catch (e) {
|
|
7886
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7887
|
+
}
|
|
7888
|
+
}
|
|
7889
|
+
}
|
|
7890
|
+
else if (request.loginHint) {
|
|
7891
|
+
logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7892
|
+
addLoginHint(parameters, request.loginHint);
|
|
7893
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7894
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7895
|
+
}
|
|
7896
|
+
}
|
|
7897
|
+
else {
|
|
7898
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7899
|
+
}
|
|
7900
|
+
if (request.nonce) {
|
|
7901
|
+
addNonce(parameters, request.nonce);
|
|
7902
|
+
}
|
|
7903
|
+
if (request.state) {
|
|
7904
|
+
addState(parameters, request.state);
|
|
7905
|
+
}
|
|
7906
|
+
if (request.claims ||
|
|
7907
|
+
(authOptions.clientCapabilities &&
|
|
7908
|
+
authOptions.clientCapabilities.length > 0)) {
|
|
7909
|
+
addClaims(parameters, request.claims, authOptions.clientCapabilities);
|
|
7910
|
+
}
|
|
7911
|
+
if (request.embeddedClientId) {
|
|
7912
|
+
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7913
|
+
}
|
|
7914
|
+
// If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
|
|
7915
|
+
if (authOptions.instanceAware &&
|
|
7916
|
+
(!request.extraQueryParameters ||
|
|
7917
|
+
!Object.keys(request.extraQueryParameters).includes(INSTANCE_AWARE))) {
|
|
7918
|
+
addInstanceAware(parameters);
|
|
7919
|
+
}
|
|
7920
|
+
return parameters;
|
|
7921
|
+
}
|
|
7922
|
+
/**
|
|
7923
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
7924
|
+
* @param authority
|
|
7925
|
+
* @param requestParameters
|
|
7926
|
+
* @returns
|
|
7927
|
+
*/
|
|
7928
|
+
function getAuthorizeUrl(authority, requestParameters) {
|
|
7929
|
+
const queryString = mapToQueryString(requestParameters);
|
|
7930
|
+
return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
|
|
7931
|
+
}
|
|
7932
|
+
/**
|
|
7933
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7934
|
+
* the client to exchange for a token in acquireToken.
|
|
7935
|
+
* @param serverParams
|
|
7936
|
+
* @param cachedState
|
|
7937
|
+
*/
|
|
7938
|
+
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7939
|
+
// Get code response
|
|
7940
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
7941
|
+
// throw when there is no auth code in the response
|
|
7942
|
+
if (!serverParams.code) {
|
|
7943
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7944
|
+
}
|
|
7945
|
+
return serverParams;
|
|
7946
|
+
}
|
|
7947
|
+
/**
|
|
7948
|
+
* Function which validates server authorization code response.
|
|
7949
|
+
* @param serverResponseHash
|
|
7950
|
+
* @param requestState
|
|
7951
|
+
*/
|
|
7952
|
+
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7953
|
+
if (!serverResponse.state || !requestState) {
|
|
7954
|
+
throw serverResponse.state
|
|
7955
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
7956
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
7957
|
+
}
|
|
7958
|
+
let decodedServerResponseState;
|
|
7959
|
+
let decodedRequestState;
|
|
7960
|
+
try {
|
|
7961
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7962
|
+
}
|
|
7963
|
+
catch (e) {
|
|
7964
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7965
|
+
}
|
|
7966
|
+
try {
|
|
7967
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
7968
|
+
}
|
|
7969
|
+
catch (e) {
|
|
7970
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7971
|
+
}
|
|
7972
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
7973
|
+
throw createClientAuthError(stateMismatch);
|
|
7974
|
+
}
|
|
7975
|
+
// Check for error
|
|
7976
|
+
if (serverResponse.error ||
|
|
7977
|
+
serverResponse.error_description ||
|
|
7978
|
+
serverResponse.suberror) {
|
|
7979
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7980
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7981
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7982
|
+
}
|
|
7983
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7984
|
+
}
|
|
7985
|
+
}
|
|
7986
|
+
/**
|
|
7987
|
+
* Get server error No from the error_uri
|
|
7988
|
+
* @param serverResponse
|
|
7989
|
+
* @returns
|
|
7990
|
+
*/
|
|
7991
|
+
function parseServerErrorNo(serverResponse) {
|
|
7992
|
+
const errorCodePrefix = "code=";
|
|
7993
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
7994
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
7995
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
7996
|
+
: undefined;
|
|
7997
|
+
}
|
|
7998
|
+
/**
|
|
7999
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
8000
|
+
* @param account
|
|
8001
|
+
*/
|
|
8002
|
+
function extractAccountSid(account) {
|
|
8003
|
+
return account.idTokenClaims?.sid || null;
|
|
8004
|
+
}
|
|
8005
|
+
function extractLoginHint(account) {
|
|
8006
|
+
return account.idTokenClaims?.login_hint || null;
|
|
8007
|
+
}
|
|
8008
|
+
|
|
8009
|
+
var Authorize = /*#__PURE__*/Object.freeze({
|
|
8010
|
+
__proto__: null,
|
|
8011
|
+
getAuthorizationCodePayload: getAuthorizationCodePayload,
|
|
8012
|
+
getAuthorizeUrl: getAuthorizeUrl,
|
|
8013
|
+
getStandardAuthorizeRequestParameters: getStandardAuthorizeRequestParameters,
|
|
8014
|
+
validateAuthorizationResponse: validateAuthorizationResponse
|
|
8015
|
+
});
|
|
8016
|
+
|
|
7963
8017
|
/*
|
|
7964
8018
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7965
8019
|
* Licensed under the MIT License.
|
|
@@ -8290,6 +8344,7 @@ exports.Authority = Authority;
|
|
|
8290
8344
|
exports.AuthorityFactory = AuthorityFactory;
|
|
8291
8345
|
exports.AuthorityType = AuthorityType;
|
|
8292
8346
|
exports.AuthorizationCodeClient = AuthorizationCodeClient;
|
|
8347
|
+
exports.Authorize = Authorize;
|
|
8293
8348
|
exports.AzureCloudInstance = AzureCloudInstance;
|
|
8294
8349
|
exports.BaseClient = BaseClient;
|
|
8295
8350
|
exports.CacheAccountType = CacheAccountType;
|
|
@@ -8326,6 +8381,7 @@ exports.InteractionRequiredAuthErrorMessage = InteractionRequiredAuthErrorMessag
|
|
|
8326
8381
|
exports.JsonWebTokenTypes = JsonWebTokenTypes;
|
|
8327
8382
|
exports.Logger = Logger;
|
|
8328
8383
|
exports.NetworkError = NetworkError;
|
|
8384
|
+
exports.OAuthResponseType = OAuthResponseType;
|
|
8329
8385
|
exports.OIDC_DEFAULT_SCOPES = OIDC_DEFAULT_SCOPES;
|
|
8330
8386
|
exports.ONE_DAY_IN_MS = ONE_DAY_IN_MS;
|
|
8331
8387
|
exports.PasswordGrantConstants = PasswordGrantConstants;
|
|
@@ -8374,4 +8430,4 @@ exports.invokeAsync = invokeAsync;
|
|
|
8374
8430
|
exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
|
|
8375
8431
|
exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
|
|
8376
8432
|
exports.version = version;
|
|
8377
|
-
//# sourceMappingURL=index-node
|
|
8433
|
+
//# sourceMappingURL=index-node-C56U0Gkp.js.map
|