@azure/msal-common 15.2.1 → 15.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (170) hide show
  1. package/dist/account/AccountInfo.mjs +1 -1
  2. package/dist/account/AuthToken.mjs +1 -1
  3. package/dist/account/CcsCredential.mjs +1 -1
  4. package/dist/account/ClientInfo.mjs +1 -1
  5. package/dist/account/TokenClaims.mjs +1 -1
  6. package/dist/authority/Authority.mjs +3 -3
  7. package/dist/authority/Authority.mjs.map +1 -1
  8. package/dist/authority/AuthorityFactory.mjs +1 -1
  9. package/dist/authority/AuthorityMetadata.mjs +1 -1
  10. package/dist/authority/AuthorityOptions.mjs +1 -1
  11. package/dist/authority/AuthorityType.mjs +1 -1
  12. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  13. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  14. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  15. package/dist/authority/ProtocolMode.d.ts +11 -0
  16. package/dist/authority/ProtocolMode.d.ts.map +1 -1
  17. package/dist/authority/ProtocolMode.mjs +12 -1
  18. package/dist/authority/ProtocolMode.mjs.map +1 -1
  19. package/dist/authority/RegionDiscovery.mjs +1 -1
  20. package/dist/cache/CacheManager.mjs +1 -1
  21. package/dist/cache/entities/AccountEntity.mjs +4 -4
  22. package/dist/cache/entities/AccountEntity.mjs.map +1 -1
  23. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  24. package/dist/cache/utils/CacheHelpers.mjs +1 -1
  25. package/dist/client/AuthorizationCodeClient.d.ts +0 -31
  26. package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
  27. package/dist/client/AuthorizationCodeClient.mjs +41 -246
  28. package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
  29. package/dist/client/BaseClient.d.ts.map +1 -1
  30. package/dist/client/BaseClient.mjs +9 -10
  31. package/dist/client/BaseClient.mjs.map +1 -1
  32. package/dist/client/RefreshTokenClient.d.ts.map +1 -1
  33. package/dist/client/RefreshTokenClient.mjs +27 -29
  34. package/dist/client/RefreshTokenClient.mjs.map +1 -1
  35. package/dist/client/SilentFlowClient.mjs +1 -1
  36. package/dist/config/ClientConfiguration.mjs +1 -1
  37. package/dist/constants/AADServerParamKeys.d.ts +3 -0
  38. package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
  39. package/dist/constants/AADServerParamKeys.mjs +6 -3
  40. package/dist/constants/AADServerParamKeys.mjs.map +1 -1
  41. package/dist/crypto/ICrypto.mjs +1 -1
  42. package/dist/crypto/JoseHeader.mjs +1 -1
  43. package/dist/crypto/PopTokenGenerator.mjs +1 -1
  44. package/dist/error/AuthError.mjs +1 -1
  45. package/dist/error/AuthErrorCodes.mjs +1 -1
  46. package/dist/error/CacheError.mjs +1 -1
  47. package/dist/error/CacheErrorCodes.mjs +1 -1
  48. package/dist/error/ClientAuthError.mjs +1 -1
  49. package/dist/error/ClientAuthErrorCodes.mjs +1 -1
  50. package/dist/error/ClientConfigurationError.mjs +1 -1
  51. package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
  52. package/dist/error/InteractionRequiredAuthError.mjs +1 -1
  53. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  54. package/dist/error/JoseHeaderError.mjs +1 -1
  55. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  56. package/dist/error/NetworkError.mjs +1 -1
  57. package/dist/error/ServerError.mjs +1 -1
  58. package/dist/exports-common.d.ts +4 -3
  59. package/dist/exports-common.d.ts.map +1 -1
  60. package/dist/index-browser.mjs +6 -3
  61. package/dist/index-browser.mjs.map +1 -1
  62. package/dist/index-node.mjs +6 -3
  63. package/dist/index-node.mjs.map +1 -1
  64. package/dist/index.mjs +6 -3
  65. package/dist/index.mjs.map +1 -1
  66. package/dist/logger/Logger.mjs +1 -1
  67. package/dist/network/INetworkModule.mjs +1 -1
  68. package/dist/network/RequestThumbprint.mjs +1 -1
  69. package/dist/network/ThrottlingUtils.mjs +1 -1
  70. package/dist/packageMetadata.d.ts +1 -1
  71. package/dist/packageMetadata.mjs +2 -2
  72. package/dist/protocol/Authorize.d.ts +37 -0
  73. package/dist/protocol/Authorize.d.ts.map +1 -0
  74. package/dist/protocol/Authorize.mjs +237 -0
  75. package/dist/protocol/Authorize.mjs.map +1 -0
  76. package/dist/request/AuthenticationHeaderParser.mjs +1 -1
  77. package/dist/request/CommonAuthorizationUrlRequest.d.ts +3 -2
  78. package/dist/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
  79. package/dist/request/RequestParameterBuilder.d.ts +211 -219
  80. package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
  81. package/dist/request/RequestParameterBuilder.mjs +364 -370
  82. package/dist/request/RequestParameterBuilder.mjs.map +1 -1
  83. package/dist/request/RequestValidator.mjs +1 -1
  84. package/dist/request/ScopeSet.mjs +1 -1
  85. package/dist/response/AuthorizeResponse.d.ts +76 -0
  86. package/dist/response/AuthorizeResponse.d.ts.map +1 -0
  87. package/dist/response/ResponseHandler.d.ts +0 -8
  88. package/dist/response/ResponseHandler.d.ts.map +1 -1
  89. package/dist/response/ResponseHandler.mjs +2 -49
  90. package/dist/response/ResponseHandler.mjs.map +1 -1
  91. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  92. package/dist/telemetry/performance/PerformanceEvent.d.ts +6 -2
  93. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  94. package/dist/telemetry/performance/PerformanceEvent.mjs +15 -11
  95. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  96. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  97. package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
  98. package/dist/url/UrlString.mjs +1 -1
  99. package/dist/utils/ClientAssertionUtils.mjs +1 -1
  100. package/dist/utils/Constants.d.ts +11 -5
  101. package/dist/utils/Constants.d.ts.map +1 -1
  102. package/dist/utils/Constants.mjs +13 -8
  103. package/dist/utils/Constants.mjs.map +1 -1
  104. package/dist/utils/FunctionWrappers.mjs +1 -1
  105. package/dist/utils/ProtocolUtils.mjs +1 -1
  106. package/dist/utils/StringUtils.mjs +1 -1
  107. package/dist/utils/TimeUtils.mjs +1 -1
  108. package/dist/utils/UrlUtils.d.ts +6 -2
  109. package/dist/utils/UrlUtils.d.ts.map +1 -1
  110. package/dist/utils/UrlUtils.mjs +13 -2
  111. package/dist/utils/UrlUtils.mjs.map +1 -1
  112. package/lib/index-browser.cjs +4 -2
  113. package/lib/index-browser.cjs.map +1 -1
  114. package/lib/{index-node--LMD5Re1.js → index-node-C56U0Gkp.js} +833 -777
  115. package/lib/index-node-C56U0Gkp.js.map +1 -0
  116. package/lib/index-node.cjs +4 -2
  117. package/lib/index-node.cjs.map +1 -1
  118. package/lib/index.cjs +4 -2
  119. package/lib/index.cjs.map +1 -1
  120. package/lib/types/authority/ProtocolMode.d.ts +11 -0
  121. package/lib/types/authority/ProtocolMode.d.ts.map +1 -1
  122. package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
  123. package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
  124. package/lib/types/client/BaseClient.d.ts.map +1 -1
  125. package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
  126. package/lib/types/constants/AADServerParamKeys.d.ts +3 -0
  127. package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
  128. package/lib/types/exports-common.d.ts +4 -3
  129. package/lib/types/exports-common.d.ts.map +1 -1
  130. package/lib/types/packageMetadata.d.ts +1 -1
  131. package/lib/types/protocol/Authorize.d.ts +37 -0
  132. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  133. package/lib/types/request/CommonAuthorizationUrlRequest.d.ts +3 -2
  134. package/lib/types/request/CommonAuthorizationUrlRequest.d.ts.map +1 -1
  135. package/lib/types/request/RequestParameterBuilder.d.ts +211 -219
  136. package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
  137. package/lib/types/response/AuthorizeResponse.d.ts +76 -0
  138. package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
  139. package/lib/types/response/ResponseHandler.d.ts +0 -8
  140. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  141. package/lib/types/telemetry/performance/PerformanceEvent.d.ts +6 -2
  142. package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  143. package/lib/types/utils/Constants.d.ts +11 -5
  144. package/lib/types/utils/Constants.d.ts.map +1 -1
  145. package/lib/types/utils/UrlUtils.d.ts +6 -2
  146. package/lib/types/utils/UrlUtils.d.ts.map +1 -1
  147. package/package.json +1 -1
  148. package/src/authority/Authority.ts +2 -2
  149. package/src/authority/ProtocolMode.ts +11 -0
  150. package/src/cache/entities/AccountEntity.ts +3 -3
  151. package/src/client/AuthorizationCodeClient.ts +84 -395
  152. package/src/client/BaseClient.ts +20 -12
  153. package/src/client/RefreshTokenClient.ts +60 -30
  154. package/src/constants/AADServerParamKeys.ts +3 -0
  155. package/src/exports-common.ts +5 -2
  156. package/src/packageMetadata.ts +1 -1
  157. package/src/protocol/Authorize.ts +409 -0
  158. package/src/request/CommonAuthorizationUrlRequest.ts +3 -2
  159. package/src/request/RequestParameterBuilder.ts +516 -545
  160. package/src/response/AuthorizeResponse.ts +80 -0
  161. package/src/response/ResponseHandler.ts +0 -98
  162. package/src/telemetry/performance/PerformanceEvent.ts +14 -11
  163. package/src/utils/Constants.ts +14 -6
  164. package/src/utils/UrlUtils.ts +19 -4
  165. package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  166. package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  167. package/lib/index-node--LMD5Re1.js.map +0 -1
  168. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
  169. package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
  170. package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1
+ /*! @azure/msal-common v15.4.0 2025-03-25 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
@@ -36,11 +36,8 @@ const Constants = {
36
36
  PROFILE_SCOPE: "profile",
37
37
  OFFLINE_ACCESS_SCOPE: "offline_access",
38
38
  EMAIL_SCOPE: "email",
39
- // Default response type for authorization code flow
40
- CODE_RESPONSE_TYPE: "code",
41
39
  CODE_GRANT_TYPE: "authorization_code",
42
40
  RT_GRANT_TYPE: "refresh_token",
43
- FRAGMENT_RESPONSE_MODE: "fragment",
44
41
  S256_CODE_CHALLENGE_METHOD: "S256",
45
42
  URL_FORM_CONTENT_TYPE: "application/x-www-form-urlencoded;charset=utf-8",
46
43
  AUTHORIZATION_PENDING: "authorization_pending",
@@ -60,8 +57,6 @@ const Constants = {
60
57
  "login.microsoft.com",
61
58
  "sts.windows.net",
62
59
  ],
63
- TOKEN_RESPONSE_TYPE: "token",
64
- ID_TOKEN_RESPONSE_TYPE: "id_token",
65
60
  SHR_NONCE_VALIDITY: 240,
66
61
  INVALID_INSTANCE: "invalid_instance",
67
62
  };
@@ -145,8 +140,17 @@ const CodeChallengeMethodValues = {
145
140
  PLAIN: "plain",
146
141
  S256: "S256",
147
142
  };
143
+ /**
144
+ * Allowed values for response_type
145
+ */
146
+ const OAuthResponseType = {
147
+ CODE: "code",
148
+ IDTOKEN_TOKEN: "id_token token",
149
+ IDTOKEN_TOKEN_REFRESHTOKEN: "id_token token refresh_token",
150
+ };
148
151
  /**
149
152
  * allowed values for server response type
153
+ * @deprecated Use ResponseMode instead
150
154
  */
151
155
  const ServerResponseType = {
152
156
  QUERY: "query",
@@ -156,7 +160,8 @@ const ServerResponseType = {
156
160
  * allowed values for response_mode
157
161
  */
158
162
  const ResponseMode = {
159
- ...ServerResponseType,
163
+ QUERY: "query",
164
+ FRAGMENT: "fragment",
160
165
  FORM_POST: "form_post",
161
166
  };
162
167
  /**
@@ -1139,6 +1144,7 @@ function getDeserializedResponse(responseString) {
1139
1144
  const deserializedHash = Object.fromEntries(new URLSearchParams(normalizedResponse));
1140
1145
  // Check for known response properties
1141
1146
  if (deserializedHash.code ||
1147
+ deserializedHash.ear_jwe ||
1142
1148
  deserializedHash.error ||
1143
1149
  deserializedHash.error_description ||
1144
1150
  deserializedHash.state) {
@@ -1149,11 +1155,22 @@ function getDeserializedResponse(responseString) {
1149
1155
  throw createClientAuthError(hashNotDeserialized);
1150
1156
  }
1151
1157
  return null;
1158
+ }
1159
+ /**
1160
+ * Utility to create a URL from the params map
1161
+ */
1162
+ function mapToQueryString(parameters) {
1163
+ const queryParameterArray = new Array();
1164
+ parameters.forEach((value, key) => {
1165
+ queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
1166
+ });
1167
+ return queryParameterArray.join("&");
1152
1168
  }
1153
1169
 
1154
1170
  var UrlUtils = /*#__PURE__*/Object.freeze({
1155
1171
  __proto__: null,
1156
1172
  getDeserializedResponse: getDeserializedResponse,
1173
+ mapToQueryString: mapToQueryString,
1157
1174
  stripLeadingHashOrQuery: stripLeadingHashOrQuery
1158
1175
  });
1159
1176
 
@@ -1465,8 +1482,19 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1465
1482
  * Protocol modes supported by MSAL.
1466
1483
  */
1467
1484
  const ProtocolMode = {
1485
+ /**
1486
+ * Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
1487
+ */
1468
1488
  AAD: "AAD",
1489
+ /**
1490
+ * Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
1491
+ * Support is limited for this mode.
1492
+ */
1469
1493
  OIDC: "OIDC",
1494
+ /**
1495
+ * Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
1496
+ */
1497
+ EAR: "EAR",
1470
1498
  };
1471
1499
 
1472
1500
  /*
@@ -1681,16 +1709,19 @@ const PerformanceEvents = {
1681
1709
  StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
1682
1710
  StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
1683
1711
  StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
1684
- StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
1685
1712
  /**
1686
1713
  * getAuthCodeUrl API (msal-browser and msal-node).
1687
1714
  */
1688
1715
  GetAuthCodeUrl: "getAuthCodeUrl",
1716
+ GetStandardParams: "getStandardParams",
1689
1717
  /**
1690
1718
  * Functions from InteractionHandler (msal-browser)
1691
1719
  */
1692
1720
  HandleCodeResponseFromServer: "handleCodeResponseFromServer",
1693
1721
  HandleCodeResponse: "handleCodeResponse",
1722
+ HandleResponseEar: "handleResponseEar",
1723
+ HandleResponsePlatformBroker: "handleResponsePlatformBroker",
1724
+ HandleResponseCode: "handleResponseCode",
1694
1725
  UpdateTokenEndpointAuthority: "updateTokenEndpointAuthority",
1695
1726
  /**
1696
1727
  * APIs in Authorization Code Client (msal-common)
@@ -1698,7 +1729,6 @@ const PerformanceEvents = {
1698
1729
  AuthClientAcquireToken: "authClientAcquireToken",
1699
1730
  AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
1700
1731
  AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
1701
- AuthClientCreateQueryString: "authClientCreateQueryString",
1702
1732
  /**
1703
1733
  * Generate functions in PopTokenGenerator (msal-common)
1704
1734
  */
@@ -1758,6 +1788,8 @@ const PerformanceEvents = {
1758
1788
  UrlEncodeArr: "urlEncodeArr",
1759
1789
  Encrypt: "encrypt",
1760
1790
  Decrypt: "decrypt",
1791
+ GenerateEarKey: "generateEarKey",
1792
+ DecryptEarResponse: "decryptEarResponse",
1761
1793
  };
1762
1794
  const PerformanceEventAbbreviations = new Map([
1763
1795
  [PerformanceEvents.AcquireTokenByCode, "ATByCode"],
@@ -1869,16 +1901,18 @@ const PerformanceEventAbbreviations = new Map([
1869
1901
  PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
1870
1902
  "StdIntClientInitAuthReq",
1871
1903
  ],
1872
- [
1873
- PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
1874
- "StdIntClientInitAuthCodeReq",
1875
- ],
1876
1904
  [PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
1877
1905
  [
1878
1906
  PerformanceEvents.HandleCodeResponseFromServer,
1879
1907
  "HandleCodeResFromServer",
1880
1908
  ],
1881
1909
  [PerformanceEvents.HandleCodeResponse, "HandleCodeResp"],
1910
+ [PerformanceEvents.HandleResponseEar, "HandleRespEar"],
1911
+ [PerformanceEvents.HandleResponseCode, "HandleRespCode"],
1912
+ [
1913
+ PerformanceEvents.HandleResponsePlatformBroker,
1914
+ "HandleRespPlatBroker",
1915
+ ],
1882
1916
  [PerformanceEvents.UpdateTokenEndpointAuthority, "UpdTEndpointAuth"],
1883
1917
  [PerformanceEvents.AuthClientAcquireToken, "AuthClientAT"],
1884
1918
  [PerformanceEvents.AuthClientExecuteTokenRequest, "AuthClientExecTReq"],
@@ -1886,10 +1920,6 @@ const PerformanceEventAbbreviations = new Map([
1886
1920
  PerformanceEvents.AuthClientCreateTokenRequestBody,
1887
1921
  "AuthClientCreateTReqBody",
1888
1922
  ],
1889
- [
1890
- PerformanceEvents.AuthClientCreateQueryString,
1891
- "AuthClientCreateQueryStr",
1892
- ],
1893
1923
  [PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
1894
1924
  [PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
1895
1925
  [PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
@@ -1985,6 +2015,8 @@ const PerformanceEventAbbreviations = new Map([
1985
2015
  [PerformanceEvents.UrlEncodeArr, "urlEncArr"],
1986
2016
  [PerformanceEvents.Encrypt, "encrypt"],
1987
2017
  [PerformanceEvents.Decrypt, "decrypt"],
2018
+ [PerformanceEvents.GenerateEarKey, "genEarKey"],
2019
+ [PerformanceEvents.DecryptEarResponse, "decryptEarResp"],
1988
2020
  ]);
1989
2021
  /**
1990
2022
  * State of the performance event.
@@ -2810,7 +2842,7 @@ class Authority {
2810
2842
  return (authorityUri.PathSegments.length === 1 &&
2811
2843
  !Authority.reservedTenantDomains.has(authorityUri.PathSegments[0]) &&
2812
2844
  this.getAuthorityType(authorityUri) === AuthorityType.Default &&
2813
- this.protocolMode === ProtocolMode.AAD);
2845
+ this.protocolMode !== ProtocolMode.OIDC);
2814
2846
  }
2815
2847
  /**
2816
2848
  * Replaces tenant in url path with current tenant. Defaults to common.
@@ -2857,7 +2889,7 @@ class Authority {
2857
2889
  const canonicalAuthorityHost = this.hostnameAndPort;
2858
2890
  if (this.canonicalAuthority.endsWith("v2.0/") ||
2859
2891
  this.authorityType === AuthorityType.Adfs ||
2860
- (this.protocolMode !== ProtocolMode.AAD &&
2892
+ (this.protocolMode === ProtocolMode.OIDC &&
2861
2893
  !this.isAliasOfKnownMicrosoftAuthority(canonicalAuthorityHost))) {
2862
2894
  return `${this.canonicalAuthority}.well-known/openid-configuration`;
2863
2895
  }
@@ -3563,7 +3595,10 @@ const LOGIN_HINT = "login_hint";
3563
3595
  const DOMAIN_HINT = "domain_hint";
3564
3596
  const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
3565
3597
  const BROKER_CLIENT_ID = "brk_client_id";
3566
- const BROKER_REDIRECT_URI = "brk_redirect_uri";
3598
+ const BROKER_REDIRECT_URI = "brk_redirect_uri";
3599
+ const INSTANCE_AWARE = "instance_aware";
3600
+ const EAR_JWK = "ear_jwk";
3601
+ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
3567
3602
 
3568
3603
  var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3569
3604
  __proto__: null,
@@ -3584,6 +3619,8 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3584
3619
  CODE_VERIFIER: CODE_VERIFIER,
3585
3620
  DEVICE_CODE: DEVICE_CODE,
3586
3621
  DOMAIN_HINT: DOMAIN_HINT,
3622
+ EAR_JWE_CRYPTO: EAR_JWE_CRYPTO,
3623
+ EAR_JWK: EAR_JWK,
3587
3624
  ERROR: ERROR,
3588
3625
  ERROR_DESCRIPTION: ERROR_DESCRIPTION,
3589
3626
  EXPIRES_IN: EXPIRES_IN,
@@ -3591,6 +3628,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3591
3628
  GRANT_TYPE: GRANT_TYPE,
3592
3629
  ID_TOKEN: ID_TOKEN,
3593
3630
  ID_TOKEN_HINT: ID_TOKEN_HINT,
3631
+ INSTANCE_AWARE: INSTANCE_AWARE,
3594
3632
  LOGIN_HINT: LOGIN_HINT,
3595
3633
  LOGOUT_HINT: LOGOUT_HINT,
3596
3634
  NATIVE_BROKER: NATIVE_BROKER,
@@ -3852,7 +3890,7 @@ class Logger {
3852
3890
 
3853
3891
  /* eslint-disable header/header */
3854
3892
  const name = "@azure/msal-common";
3855
- const version = "15.2.1";
3893
+ const version = "15.4.0";
3856
3894
 
3857
3895
  /*
3858
3896
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4274,11 +4312,11 @@ class AccountEntity {
4274
4312
  if (authority.authorityType === AuthorityType.Adfs) {
4275
4313
  account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
4276
4314
  }
4277
- else if (authority.protocolMode === ProtocolMode.AAD) {
4278
- account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
4315
+ else if (authority.protocolMode === ProtocolMode.OIDC) {
4316
+ account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
4279
4317
  }
4280
4318
  else {
4281
- account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
4319
+ account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
4282
4320
  }
4283
4321
  let clientInfo;
4284
4322
  if (accountDetails.clientInfo && base64Decode) {
@@ -5748,71 +5786,6 @@ const CcsCredentialType = {
5748
5786
  UPN: "UPN",
5749
5787
  };
5750
5788
 
5751
- /*
5752
- * Copyright (c) Microsoft Corporation. All rights reserved.
5753
- * Licensed under the MIT License.
5754
- */
5755
- /**
5756
- * Validates server consumable params from the "request" objects
5757
- */
5758
- class RequestValidator {
5759
- /**
5760
- * Utility to check if the `redirectUri` in the request is a non-null value
5761
- * @param redirectUri
5762
- */
5763
- static validateRedirectUri(redirectUri) {
5764
- if (!redirectUri) {
5765
- throw createClientConfigurationError(redirectUriEmpty);
5766
- }
5767
- }
5768
- /**
5769
- * Utility to validate prompt sent by the user in the request
5770
- * @param prompt
5771
- */
5772
- static validatePrompt(prompt) {
5773
- const promptValues = [];
5774
- for (const value in PromptValue) {
5775
- promptValues.push(PromptValue[value]);
5776
- }
5777
- if (promptValues.indexOf(prompt) < 0) {
5778
- throw createClientConfigurationError(invalidPromptValue);
5779
- }
5780
- }
5781
- static validateClaims(claims) {
5782
- try {
5783
- JSON.parse(claims);
5784
- }
5785
- catch (e) {
5786
- throw createClientConfigurationError(invalidClaims);
5787
- }
5788
- }
5789
- /**
5790
- * Utility to validate code_challenge and code_challenge_method
5791
- * @param codeChallenge
5792
- * @param codeChallengeMethod
5793
- */
5794
- static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
5795
- if (!codeChallenge || !codeChallengeMethod) {
5796
- throw createClientConfigurationError(pkceParamsMissing);
5797
- }
5798
- else {
5799
- this.validateCodeChallengeMethod(codeChallengeMethod);
5800
- }
5801
- }
5802
- /**
5803
- * Utility to validate code_challenge_method
5804
- * @param codeChallengeMethod
5805
- */
5806
- static validateCodeChallengeMethod(codeChallengeMethod) {
5807
- if ([
5808
- CodeChallengeMethodValues.PLAIN,
5809
- CodeChallengeMethodValues.S256,
5810
- ].indexOf(codeChallengeMethod) < 0) {
5811
- throw createClientConfigurationError(invalidCodeChallengeMethod);
5812
- }
5813
- }
5814
- }
5815
-
5816
5789
  /*
5817
5790
  * Copyright (c) Microsoft Corporation. All rights reserved.
5818
5791
  * Licensed under the MIT License.
@@ -5829,396 +5802,440 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
5829
5802
  }, correlationId);
5830
5803
  }
5831
5804
  }
5832
- /** @internal */
5833
- class RequestParameterBuilder {
5834
- constructor(correlationId, performanceClient) {
5835
- this.parameters = new Map();
5836
- this.performanceClient = performanceClient;
5837
- this.correlationId = correlationId;
5838
- }
5839
- /**
5840
- * add response_type = code
5841
- */
5842
- addResponseTypeCode() {
5843
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(Constants.CODE_RESPONSE_TYPE));
5844
- }
5845
- /**
5846
- * add response_type = token id_token
5847
- */
5848
- addResponseTypeForTokenAndIdToken() {
5849
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(`${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`));
5850
- }
5851
- /**
5852
- * add response_mode. defaults to query.
5853
- * @param responseMode
5854
- */
5855
- addResponseMode(responseMode) {
5856
- this.parameters.set(RESPONSE_MODE, encodeURIComponent(responseMode ? responseMode : ResponseMode.QUERY));
5857
- }
5858
- /**
5859
- * Add flag to indicate STS should attempt to use WAM if available
5860
- */
5861
- addNativeBroker() {
5862
- this.parameters.set(NATIVE_BROKER, encodeURIComponent("1"));
5863
- }
5864
- /**
5865
- * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
5866
- * @param scopeSet
5867
- * @param addOidcScopes
5868
- */
5869
- addScopes(scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
5870
- // Always add openid to the scopes when adding OIDC scopes
5871
- if (addOidcScopes &&
5872
- !defaultScopes.includes("openid") &&
5873
- !scopes.includes("openid")) {
5874
- defaultScopes.push("openid");
5875
- }
5876
- const requestScopes = addOidcScopes
5877
- ? [...(scopes || []), ...defaultScopes]
5878
- : scopes || [];
5879
- const scopeSet = new ScopeSet(requestScopes);
5880
- this.parameters.set(SCOPE, encodeURIComponent(scopeSet.printScopes()));
5805
+ /**
5806
+ * Add the given response_type
5807
+ * @param parameters
5808
+ * @param responseType
5809
+ */
5810
+ function addResponseType(parameters, responseType) {
5811
+ parameters.set(RESPONSE_TYPE, responseType);
5812
+ }
5813
+ /**
5814
+ * add response_mode. defaults to query.
5815
+ * @param responseMode
5816
+ */
5817
+ function addResponseMode(parameters, responseMode) {
5818
+ parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
5819
+ }
5820
+ /**
5821
+ * Add flag to indicate STS should attempt to use WAM if available
5822
+ */
5823
+ function addNativeBroker(parameters) {
5824
+ parameters.set(NATIVE_BROKER, "1");
5825
+ }
5826
+ /**
5827
+ * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
5828
+ * @param scopeSet
5829
+ * @param addOidcScopes
5830
+ */
5831
+ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
5832
+ // Always add openid to the scopes when adding OIDC scopes
5833
+ if (addOidcScopes &&
5834
+ !defaultScopes.includes("openid") &&
5835
+ !scopes.includes("openid")) {
5836
+ defaultScopes.push("openid");
5837
+ }
5838
+ const requestScopes = addOidcScopes
5839
+ ? [...(scopes || []), ...defaultScopes]
5840
+ : scopes || [];
5841
+ const scopeSet = new ScopeSet(requestScopes);
5842
+ parameters.set(SCOPE, scopeSet.printScopes());
5843
+ }
5844
+ /**
5845
+ * add clientId
5846
+ * @param clientId
5847
+ */
5848
+ function addClientId(parameters, clientId) {
5849
+ parameters.set(CLIENT_ID, clientId);
5850
+ }
5851
+ /**
5852
+ * add redirect_uri
5853
+ * @param redirectUri
5854
+ */
5855
+ function addRedirectUri(parameters, redirectUri) {
5856
+ parameters.set(REDIRECT_URI, redirectUri);
5857
+ }
5858
+ /**
5859
+ * add post logout redirectUri
5860
+ * @param redirectUri
5861
+ */
5862
+ function addPostLogoutRedirectUri(parameters, redirectUri) {
5863
+ parameters.set(POST_LOGOUT_URI, redirectUri);
5864
+ }
5865
+ /**
5866
+ * add id_token_hint to logout request
5867
+ * @param idTokenHint
5868
+ */
5869
+ function addIdTokenHint(parameters, idTokenHint) {
5870
+ parameters.set(ID_TOKEN_HINT, idTokenHint);
5871
+ }
5872
+ /**
5873
+ * add domain_hint
5874
+ * @param domainHint
5875
+ */
5876
+ function addDomainHint(parameters, domainHint) {
5877
+ parameters.set(DOMAIN_HINT, domainHint);
5878
+ }
5879
+ /**
5880
+ * add login_hint
5881
+ * @param loginHint
5882
+ */
5883
+ function addLoginHint(parameters, loginHint) {
5884
+ parameters.set(LOGIN_HINT, loginHint);
5885
+ }
5886
+ /**
5887
+ * Adds the CCS (Cache Credential Service) query parameter for login_hint
5888
+ * @param loginHint
5889
+ */
5890
+ function addCcsUpn(parameters, loginHint) {
5891
+ parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
5892
+ }
5893
+ /**
5894
+ * Adds the CCS (Cache Credential Service) query parameter for account object
5895
+ * @param loginHint
5896
+ */
5897
+ function addCcsOid(parameters, clientInfo) {
5898
+ parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
5899
+ }
5900
+ /**
5901
+ * add sid
5902
+ * @param sid
5903
+ */
5904
+ function addSid(parameters, sid) {
5905
+ parameters.set(SID, sid);
5906
+ }
5907
+ /**
5908
+ * add claims
5909
+ * @param claims
5910
+ */
5911
+ function addClaims(parameters, claims, clientCapabilities) {
5912
+ const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
5913
+ try {
5914
+ JSON.parse(mergedClaims);
5881
5915
  }
5882
- /**
5883
- * add clientId
5884
- * @param clientId
5885
- */
5886
- addClientId(clientId) {
5887
- this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
5916
+ catch (e) {
5917
+ throw createClientConfigurationError(invalidClaims);
5888
5918
  }
5889
- /**
5890
- * add redirect_uri
5891
- * @param redirectUri
5892
- */
5893
- addRedirectUri(redirectUri) {
5894
- RequestValidator.validateRedirectUri(redirectUri);
5895
- this.parameters.set(REDIRECT_URI, encodeURIComponent(redirectUri));
5919
+ parameters.set(CLAIMS, mergedClaims);
5920
+ }
5921
+ /**
5922
+ * add correlationId
5923
+ * @param correlationId
5924
+ */
5925
+ function addCorrelationId(parameters, correlationId) {
5926
+ parameters.set(CLIENT_REQUEST_ID, correlationId);
5927
+ }
5928
+ /**
5929
+ * add library info query params
5930
+ * @param libraryInfo
5931
+ */
5932
+ function addLibraryInfo(parameters, libraryInfo) {
5933
+ // Telemetry Info
5934
+ parameters.set(X_CLIENT_SKU, libraryInfo.sku);
5935
+ parameters.set(X_CLIENT_VER, libraryInfo.version);
5936
+ if (libraryInfo.os) {
5937
+ parameters.set(X_CLIENT_OS, libraryInfo.os);
5896
5938
  }
5897
- /**
5898
- * add post logout redirectUri
5899
- * @param redirectUri
5900
- */
5901
- addPostLogoutRedirectUri(redirectUri) {
5902
- RequestValidator.validateRedirectUri(redirectUri);
5903
- this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
5939
+ if (libraryInfo.cpu) {
5940
+ parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
5904
5941
  }
5905
- /**
5906
- * add id_token_hint to logout request
5907
- * @param idTokenHint
5908
- */
5909
- addIdTokenHint(idTokenHint) {
5910
- this.parameters.set(ID_TOKEN_HINT, encodeURIComponent(idTokenHint));
5942
+ }
5943
+ /**
5944
+ * Add client telemetry parameters
5945
+ * @param appTelemetry
5946
+ */
5947
+ function addApplicationTelemetry(parameters, appTelemetry) {
5948
+ if (appTelemetry?.appName) {
5949
+ parameters.set(X_APP_NAME, appTelemetry.appName);
5911
5950
  }
5912
- /**
5913
- * add domain_hint
5914
- * @param domainHint
5915
- */
5916
- addDomainHint(domainHint) {
5917
- this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
5951
+ if (appTelemetry?.appVersion) {
5952
+ parameters.set(X_APP_VER, appTelemetry.appVersion);
5918
5953
  }
5919
- /**
5920
- * add login_hint
5921
- * @param loginHint
5922
- */
5923
- addLoginHint(loginHint) {
5924
- this.parameters.set(LOGIN_HINT, encodeURIComponent(loginHint));
5954
+ }
5955
+ /**
5956
+ * add prompt
5957
+ * @param prompt
5958
+ */
5959
+ function addPrompt(parameters, prompt) {
5960
+ parameters.set(PROMPT, prompt);
5961
+ }
5962
+ /**
5963
+ * add state
5964
+ * @param state
5965
+ */
5966
+ function addState(parameters, state) {
5967
+ if (state) {
5968
+ parameters.set(STATE, state);
5925
5969
  }
5926
- /**
5927
- * Adds the CCS (Cache Credential Service) query parameter for login_hint
5928
- * @param loginHint
5929
- */
5930
- addCcsUpn(loginHint) {
5931
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`UPN:${loginHint}`));
5970
+ }
5971
+ /**
5972
+ * add nonce
5973
+ * @param nonce
5974
+ */
5975
+ function addNonce(parameters, nonce) {
5976
+ parameters.set(NONCE, nonce);
5977
+ }
5978
+ /**
5979
+ * add code_challenge and code_challenge_method
5980
+ * - throw if either of them are not passed
5981
+ * @param codeChallenge
5982
+ * @param codeChallengeMethod
5983
+ */
5984
+ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
5985
+ if (codeChallenge && codeChallengeMethod) {
5986
+ parameters.set(CODE_CHALLENGE, codeChallenge);
5987
+ parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
5932
5988
  }
5933
- /**
5934
- * Adds the CCS (Cache Credential Service) query parameter for account object
5935
- * @param loginHint
5936
- */
5937
- addCcsOid(clientInfo) {
5938
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
5989
+ else {
5990
+ throw createClientConfigurationError(pkceParamsMissing);
5939
5991
  }
5940
- /**
5941
- * add sid
5942
- * @param sid
5943
- */
5944
- addSid(sid) {
5945
- this.parameters.set(SID, encodeURIComponent(sid));
5992
+ }
5993
+ /**
5994
+ * add the `authorization_code` passed by the user to exchange for a token
5995
+ * @param code
5996
+ */
5997
+ function addAuthorizationCode(parameters, code) {
5998
+ parameters.set(CODE, code);
5999
+ }
6000
+ /**
6001
+ * add the `authorization_code` passed by the user to exchange for a token
6002
+ * @param code
6003
+ */
6004
+ function addDeviceCode(parameters, code) {
6005
+ parameters.set(DEVICE_CODE, code);
6006
+ }
6007
+ /**
6008
+ * add the `refreshToken` passed by the user
6009
+ * @param refreshToken
6010
+ */
6011
+ function addRefreshToken(parameters, refreshToken) {
6012
+ parameters.set(REFRESH_TOKEN, refreshToken);
6013
+ }
6014
+ /**
6015
+ * add the `code_verifier` passed by the user to exchange for a token
6016
+ * @param codeVerifier
6017
+ */
6018
+ function addCodeVerifier(parameters, codeVerifier) {
6019
+ parameters.set(CODE_VERIFIER, codeVerifier);
6020
+ }
6021
+ /**
6022
+ * add client_secret
6023
+ * @param clientSecret
6024
+ */
6025
+ function addClientSecret(parameters, clientSecret) {
6026
+ parameters.set(CLIENT_SECRET, clientSecret);
6027
+ }
6028
+ /**
6029
+ * add clientAssertion for confidential client flows
6030
+ * @param clientAssertion
6031
+ */
6032
+ function addClientAssertion(parameters, clientAssertion) {
6033
+ if (clientAssertion) {
6034
+ parameters.set(CLIENT_ASSERTION, clientAssertion);
5946
6035
  }
5947
- /**
5948
- * add claims
5949
- * @param claims
5950
- */
5951
- addClaims(claims, clientCapabilities) {
5952
- const mergedClaims = this.addClientCapabilitiesToClaims(claims, clientCapabilities);
5953
- RequestValidator.validateClaims(mergedClaims);
5954
- this.parameters.set(CLAIMS, encodeURIComponent(mergedClaims));
6036
+ }
6037
+ /**
6038
+ * add clientAssertionType for confidential client flows
6039
+ * @param clientAssertionType
6040
+ */
6041
+ function addClientAssertionType(parameters, clientAssertionType) {
6042
+ if (clientAssertionType) {
6043
+ parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
5955
6044
  }
5956
- /**
5957
- * add correlationId
5958
- * @param correlationId
5959
- */
5960
- addCorrelationId(correlationId) {
5961
- this.parameters.set(CLIENT_REQUEST_ID, encodeURIComponent(correlationId));
6045
+ }
6046
+ /**
6047
+ * add OBO assertion for confidential client flows
6048
+ * @param clientAssertion
6049
+ */
6050
+ function addOboAssertion(parameters, oboAssertion) {
6051
+ parameters.set(OBO_ASSERTION, oboAssertion);
6052
+ }
6053
+ /**
6054
+ * add grant type
6055
+ * @param grantType
6056
+ */
6057
+ function addRequestTokenUse(parameters, tokenUse) {
6058
+ parameters.set(REQUESTED_TOKEN_USE, tokenUse);
6059
+ }
6060
+ /**
6061
+ * add grant type
6062
+ * @param grantType
6063
+ */
6064
+ function addGrantType(parameters, grantType) {
6065
+ parameters.set(GRANT_TYPE, grantType);
6066
+ }
6067
+ /**
6068
+ * add client info
6069
+ *
6070
+ */
6071
+ function addClientInfo(parameters) {
6072
+ parameters.set(CLIENT_INFO$1, "1");
6073
+ }
6074
+ function addInstanceAware(parameters) {
6075
+ if (!parameters.has(INSTANCE_AWARE)) {
6076
+ parameters.set(INSTANCE_AWARE, "true");
5962
6077
  }
5963
- /**
5964
- * add library info query params
5965
- * @param libraryInfo
5966
- */
5967
- addLibraryInfo(libraryInfo) {
5968
- // Telemetry Info
5969
- this.parameters.set(X_CLIENT_SKU, libraryInfo.sku);
5970
- this.parameters.set(X_CLIENT_VER, libraryInfo.version);
5971
- if (libraryInfo.os) {
5972
- this.parameters.set(X_CLIENT_OS, libraryInfo.os);
5973
- }
5974
- if (libraryInfo.cpu) {
5975
- this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
6078
+ }
6079
+ /**
6080
+ * add extraQueryParams
6081
+ * @param eQParams
6082
+ */
6083
+ function addExtraQueryParameters(parameters, eQParams) {
6084
+ Object.entries(eQParams).forEach(([key, value]) => {
6085
+ if (!parameters.has(key) && value) {
6086
+ parameters.set(key, value);
5976
6087
  }
6088
+ });
6089
+ }
6090
+ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
6091
+ let mergedClaims;
6092
+ // Parse provided claims into JSON object or initialize empty object
6093
+ if (!claims) {
6094
+ mergedClaims = {};
5977
6095
  }
5978
- /**
5979
- * Add client telemetry parameters
5980
- * @param appTelemetry
5981
- */
5982
- addApplicationTelemetry(appTelemetry) {
5983
- if (appTelemetry?.appName) {
5984
- this.parameters.set(X_APP_NAME, appTelemetry.appName);
6096
+ else {
6097
+ try {
6098
+ mergedClaims = JSON.parse(claims);
5985
6099
  }
5986
- if (appTelemetry?.appVersion) {
5987
- this.parameters.set(X_APP_VER, appTelemetry.appVersion);
6100
+ catch (e) {
6101
+ throw createClientConfigurationError(invalidClaims);
5988
6102
  }
5989
6103
  }
5990
- /**
5991
- * add prompt
5992
- * @param prompt
5993
- */
5994
- addPrompt(prompt) {
5995
- RequestValidator.validatePrompt(prompt);
5996
- this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
5997
- }
5998
- /**
5999
- * add state
6000
- * @param state
6001
- */
6002
- addState(state) {
6003
- if (state) {
6004
- this.parameters.set(STATE, encodeURIComponent(state));
6005
- }
6006
- }
6007
- /**
6008
- * add nonce
6009
- * @param nonce
6010
- */
6011
- addNonce(nonce) {
6012
- this.parameters.set(NONCE, encodeURIComponent(nonce));
6013
- }
6014
- /**
6015
- * add code_challenge and code_challenge_method
6016
- * - throw if either of them are not passed
6017
- * @param codeChallenge
6018
- * @param codeChallengeMethod
6019
- */
6020
- addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
6021
- RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
6022
- if (codeChallenge && codeChallengeMethod) {
6023
- this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
6024
- this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
6025
- }
6026
- else {
6027
- throw createClientConfigurationError(pkceParamsMissing);
6028
- }
6029
- }
6030
- /**
6031
- * add the `authorization_code` passed by the user to exchange for a token
6032
- * @param code
6033
- */
6034
- addAuthorizationCode(code) {
6035
- this.parameters.set(CODE, encodeURIComponent(code));
6036
- }
6037
- /**
6038
- * add the `authorization_code` passed by the user to exchange for a token
6039
- * @param code
6040
- */
6041
- addDeviceCode(code) {
6042
- this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
6043
- }
6044
- /**
6045
- * add the `refreshToken` passed by the user
6046
- * @param refreshToken
6047
- */
6048
- addRefreshToken(refreshToken) {
6049
- this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
6050
- }
6051
- /**
6052
- * add the `code_verifier` passed by the user to exchange for a token
6053
- * @param codeVerifier
6054
- */
6055
- addCodeVerifier(codeVerifier) {
6056
- this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
6057
- }
6058
- /**
6059
- * add client_secret
6060
- * @param clientSecret
6061
- */
6062
- addClientSecret(clientSecret) {
6063
- this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
6064
- }
6065
- /**
6066
- * add clientAssertion for confidential client flows
6067
- * @param clientAssertion
6068
- */
6069
- addClientAssertion(clientAssertion) {
6070
- if (clientAssertion) {
6071
- this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
6072
- }
6073
- }
6074
- /**
6075
- * add clientAssertionType for confidential client flows
6076
- * @param clientAssertionType
6077
- */
6078
- addClientAssertionType(clientAssertionType) {
6079
- if (clientAssertionType) {
6080
- this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
6081
- }
6082
- }
6083
- /**
6084
- * add OBO assertion for confidential client flows
6085
- * @param clientAssertion
6086
- */
6087
- addOboAssertion(oboAssertion) {
6088
- this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
6089
- }
6090
- /**
6091
- * add grant type
6092
- * @param grantType
6093
- */
6094
- addRequestTokenUse(tokenUse) {
6095
- this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
6096
- }
6097
- /**
6098
- * add grant type
6099
- * @param grantType
6100
- */
6101
- addGrantType(grantType) {
6102
- this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
6103
- }
6104
- /**
6105
- * add client info
6106
- *
6107
- */
6108
- addClientInfo() {
6109
- this.parameters.set(CLIENT_INFO$1, "1");
6110
- }
6111
- /**
6112
- * add extraQueryParams
6113
- * @param eQParams
6114
- */
6115
- addExtraQueryParameters(eQParams) {
6116
- Object.entries(eQParams).forEach(([key, value]) => {
6117
- if (!this.parameters.has(key) && value) {
6118
- this.parameters.set(key, value);
6119
- }
6120
- });
6121
- }
6122
- addClientCapabilitiesToClaims(claims, clientCapabilities) {
6123
- let mergedClaims;
6124
- // Parse provided claims into JSON object or initialize empty object
6125
- if (!claims) {
6126
- mergedClaims = {};
6127
- }
6128
- else {
6129
- try {
6130
- mergedClaims = JSON.parse(claims);
6131
- }
6132
- catch (e) {
6133
- throw createClientConfigurationError(invalidClaims);
6134
- }
6104
+ if (clientCapabilities && clientCapabilities.length > 0) {
6105
+ if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
6106
+ // Add access_token key to claims object
6107
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
6135
6108
  }
6136
- if (clientCapabilities && clientCapabilities.length > 0) {
6137
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
6138
- // Add access_token key to claims object
6139
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
6140
- }
6141
- // Add xms_cc claim with provided clientCapabilities to access_token key
6142
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
6109
+ // Add xms_cc claim with provided clientCapabilities to access_token key
6110
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
6111
+ {
6143
6112
  values: clientCapabilities,
6144
6113
  };
6145
- }
6146
- return JSON.stringify(mergedClaims);
6147
- }
6148
- /**
6149
- * adds `username` for Password Grant flow
6150
- * @param username
6151
- */
6152
- addUsername(username) {
6153
- this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
6154
- }
6155
- /**
6156
- * adds `password` for Password Grant flow
6157
- * @param password
6158
- */
6159
- addPassword(password) {
6160
- this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
6161
- }
6162
- /**
6163
- * add pop_jwk to query params
6164
- * @param cnfString
6165
- */
6166
- addPopToken(cnfString) {
6167
- if (cnfString) {
6168
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
6169
- this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
6170
- }
6171
- }
6172
- /**
6173
- * add SSH JWK and key ID to query params
6174
- */
6175
- addSshJwk(sshJwkString) {
6176
- if (sshJwkString) {
6177
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
6178
- this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
6179
- }
6180
- }
6181
- /**
6182
- * add server telemetry fields
6183
- * @param serverTelemetryManager
6184
- */
6185
- addServerTelemetry(serverTelemetryManager) {
6186
- this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
6187
- this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
6188
6114
  }
6189
- /**
6190
- * Adds parameter that indicates to the server that throttling is supported
6191
- */
6192
- addThrottling() {
6193
- this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
6115
+ return JSON.stringify(mergedClaims);
6116
+ }
6117
+ /**
6118
+ * adds `username` for Password Grant flow
6119
+ * @param username
6120
+ */
6121
+ function addUsername(parameters, username) {
6122
+ parameters.set(PasswordGrantConstants.username, username);
6123
+ }
6124
+ /**
6125
+ * adds `password` for Password Grant flow
6126
+ * @param password
6127
+ */
6128
+ function addPassword(parameters, password) {
6129
+ parameters.set(PasswordGrantConstants.password, password);
6130
+ }
6131
+ /**
6132
+ * add pop_jwk to query params
6133
+ * @param cnfString
6134
+ */
6135
+ function addPopToken(parameters, cnfString) {
6136
+ if (cnfString) {
6137
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
6138
+ parameters.set(REQ_CNF, cnfString);
6194
6139
  }
6195
- /**
6196
- * Adds logout_hint parameter for "silent" logout which prevent server account picker
6197
- */
6198
- addLogoutHint(logoutHint) {
6199
- this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
6140
+ }
6141
+ /**
6142
+ * add SSH JWK and key ID to query params
6143
+ */
6144
+ function addSshJwk(parameters, sshJwkString) {
6145
+ if (sshJwkString) {
6146
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
6147
+ parameters.set(REQ_CNF, sshJwkString);
6200
6148
  }
6201
- addBrokerParameters(params) {
6202
- const brokerParams = {};
6203
- brokerParams[BROKER_CLIENT_ID] =
6204
- params.brokerClientId;
6205
- brokerParams[BROKER_REDIRECT_URI] =
6206
- params.brokerRedirectUri;
6207
- this.addExtraQueryParameters(brokerParams);
6149
+ }
6150
+ /**
6151
+ * add server telemetry fields
6152
+ * @param serverTelemetryManager
6153
+ */
6154
+ function addServerTelemetry(parameters, serverTelemetryManager) {
6155
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
6156
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
6157
+ }
6158
+ /**
6159
+ * Adds parameter that indicates to the server that throttling is supported
6160
+ */
6161
+ function addThrottling(parameters) {
6162
+ parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
6163
+ }
6164
+ /**
6165
+ * Adds logout_hint parameter for "silent" logout which prevent server account picker
6166
+ */
6167
+ function addLogoutHint(parameters, logoutHint) {
6168
+ parameters.set(LOGOUT_HINT, logoutHint);
6169
+ }
6170
+ function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
6171
+ if (!parameters.has(BROKER_CLIENT_ID)) {
6172
+ parameters.set(BROKER_CLIENT_ID, brokerClientId);
6208
6173
  }
6209
- /**
6210
- * Utility to create a URL from the params map
6211
- */
6212
- createQueryString() {
6213
- const queryParameterArray = new Array();
6214
- this.parameters.forEach((value, key) => {
6215
- queryParameterArray.push(`${key}=${value}`);
6216
- });
6217
- instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
6218
- return queryParameterArray.join("&");
6174
+ if (!parameters.has(BROKER_REDIRECT_URI)) {
6175
+ parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
6219
6176
  }
6177
+ }
6178
+ /**
6179
+ * Add EAR (Encrypted Authorize Response) request parameters
6180
+ * @param parameters
6181
+ * @param jwk
6182
+ */
6183
+ function addEARParameters(parameters, jwk) {
6184
+ parameters.set(EAR_JWK, encodeURIComponent(jwk));
6185
+ // ear_jwe_crypto will always have value: {"alg":"dir","enc":"A256GCM"} so we can hardcode this
6186
+ const jweCryptoB64Encoded = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0";
6187
+ parameters.set(EAR_JWE_CRYPTO, jweCryptoB64Encoded);
6220
6188
  }
6221
6189
 
6190
+ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
6191
+ __proto__: null,
6192
+ addApplicationTelemetry: addApplicationTelemetry,
6193
+ addAuthorizationCode: addAuthorizationCode,
6194
+ addBrokerParameters: addBrokerParameters,
6195
+ addCcsOid: addCcsOid,
6196
+ addCcsUpn: addCcsUpn,
6197
+ addClaims: addClaims,
6198
+ addClientAssertion: addClientAssertion,
6199
+ addClientAssertionType: addClientAssertionType,
6200
+ addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
6201
+ addClientId: addClientId,
6202
+ addClientInfo: addClientInfo,
6203
+ addClientSecret: addClientSecret,
6204
+ addCodeChallengeParams: addCodeChallengeParams,
6205
+ addCodeVerifier: addCodeVerifier,
6206
+ addCorrelationId: addCorrelationId,
6207
+ addDeviceCode: addDeviceCode,
6208
+ addDomainHint: addDomainHint,
6209
+ addEARParameters: addEARParameters,
6210
+ addExtraQueryParameters: addExtraQueryParameters,
6211
+ addGrantType: addGrantType,
6212
+ addIdTokenHint: addIdTokenHint,
6213
+ addInstanceAware: addInstanceAware,
6214
+ addLibraryInfo: addLibraryInfo,
6215
+ addLoginHint: addLoginHint,
6216
+ addLogoutHint: addLogoutHint,
6217
+ addNativeBroker: addNativeBroker,
6218
+ addNonce: addNonce,
6219
+ addOboAssertion: addOboAssertion,
6220
+ addPassword: addPassword,
6221
+ addPopToken: addPopToken,
6222
+ addPostLogoutRedirectUri: addPostLogoutRedirectUri,
6223
+ addPrompt: addPrompt,
6224
+ addRedirectUri: addRedirectUri,
6225
+ addRefreshToken: addRefreshToken,
6226
+ addRequestTokenUse: addRequestTokenUse,
6227
+ addResponseMode: addResponseMode,
6228
+ addResponseType: addResponseType,
6229
+ addScopes: addScopes,
6230
+ addServerTelemetry: addServerTelemetry,
6231
+ addSid: addSid,
6232
+ addSshJwk: addSshJwk,
6233
+ addState: addState,
6234
+ addThrottling: addThrottling,
6235
+ addUsername: addUsername,
6236
+ instrumentBrokerParams: instrumentBrokerParams
6237
+ });
6238
+
6222
6239
  /*
6223
6240
  * Copyright (c) Microsoft Corporation. All rights reserved.
6224
6241
  * Licensed under the MIT License.
@@ -6502,18 +6519,16 @@ class BaseClient {
6502
6519
  * @param request
6503
6520
  */
6504
6521
  createTokenQueryParameters(request) {
6505
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
6522
+ const parameters = new Map();
6506
6523
  if (request.embeddedClientId) {
6507
- parameterBuilder.addBrokerParameters({
6508
- brokerClientId: this.config.authOptions.clientId,
6509
- brokerRedirectUri: this.config.authOptions.redirectUri,
6510
- });
6524
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6511
6525
  }
6512
6526
  if (request.tokenQueryParameters) {
6513
- parameterBuilder.addExtraQueryParameters(request.tokenQueryParameters);
6527
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6514
6528
  }
6515
- parameterBuilder.addCorrelationId(request.correlationId);
6516
- return parameterBuilder.createQueryString();
6529
+ addCorrelationId(parameters, request.correlationId);
6530
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6531
+ return mapToQueryString(parameters);
6517
6532
  }
6518
6533
  }
6519
6534
 
@@ -6810,13 +6825,6 @@ class PopTokenGenerator {
6810
6825
  * Copyright (c) Microsoft Corporation. All rights reserved.
6811
6826
  * Licensed under the MIT License.
6812
6827
  */
6813
- function parseServerErrorNo(serverResponse) {
6814
- const errorCodePrefix = "code=";
6815
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
6816
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
6817
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
6818
- : undefined;
6819
- }
6820
6828
  /**
6821
6829
  * Class that handles response parsing.
6822
6830
  * @internal
@@ -6831,46 +6839,6 @@ class ResponseHandler {
6831
6839
  this.persistencePlugin = persistencePlugin;
6832
6840
  this.performanceClient = performanceClient;
6833
6841
  }
6834
- /**
6835
- * Function which validates server authorization code response.
6836
- * @param serverResponseHash
6837
- * @param requestState
6838
- * @param cryptoObj
6839
- */
6840
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
6841
- if (!serverResponse.state || !requestState) {
6842
- throw serverResponse.state
6843
- ? createClientAuthError(stateNotFound, "Cached State")
6844
- : createClientAuthError(stateNotFound, "Server State");
6845
- }
6846
- let decodedServerResponseState;
6847
- let decodedRequestState;
6848
- try {
6849
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
6850
- }
6851
- catch (e) {
6852
- throw createClientAuthError(invalidState, serverResponse.state);
6853
- }
6854
- try {
6855
- decodedRequestState = decodeURIComponent(requestState);
6856
- }
6857
- catch (e) {
6858
- throw createClientAuthError(invalidState, serverResponse.state);
6859
- }
6860
- if (decodedServerResponseState !== decodedRequestState) {
6861
- throw createClientAuthError(stateMismatch);
6862
- }
6863
- // Check for error
6864
- if (serverResponse.error ||
6865
- serverResponse.error_description ||
6866
- serverResponse.suberror) {
6867
- const serverErrorNo = parseServerErrorNo(serverResponse);
6868
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6869
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6870
- }
6871
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
6872
- }
6873
- }
6874
6842
  /**
6875
6843
  * Function which validates server authorization token response.
6876
6844
  * @param serverResponse
@@ -7182,6 +7150,71 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
7182
7150
  return baseAccount;
7183
7151
  }
7184
7152
 
7153
+ /*
7154
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7155
+ * Licensed under the MIT License.
7156
+ */
7157
+ /**
7158
+ * Validates server consumable params from the "request" objects
7159
+ */
7160
+ class RequestValidator {
7161
+ /**
7162
+ * Utility to check if the `redirectUri` in the request is a non-null value
7163
+ * @param redirectUri
7164
+ */
7165
+ static validateRedirectUri(redirectUri) {
7166
+ if (!redirectUri) {
7167
+ throw createClientConfigurationError(redirectUriEmpty);
7168
+ }
7169
+ }
7170
+ /**
7171
+ * Utility to validate prompt sent by the user in the request
7172
+ * @param prompt
7173
+ */
7174
+ static validatePrompt(prompt) {
7175
+ const promptValues = [];
7176
+ for (const value in PromptValue) {
7177
+ promptValues.push(PromptValue[value]);
7178
+ }
7179
+ if (promptValues.indexOf(prompt) < 0) {
7180
+ throw createClientConfigurationError(invalidPromptValue);
7181
+ }
7182
+ }
7183
+ static validateClaims(claims) {
7184
+ try {
7185
+ JSON.parse(claims);
7186
+ }
7187
+ catch (e) {
7188
+ throw createClientConfigurationError(invalidClaims);
7189
+ }
7190
+ }
7191
+ /**
7192
+ * Utility to validate code_challenge and code_challenge_method
7193
+ * @param codeChallenge
7194
+ * @param codeChallengeMethod
7195
+ */
7196
+ static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
7197
+ if (!codeChallenge || !codeChallengeMethod) {
7198
+ throw createClientConfigurationError(pkceParamsMissing);
7199
+ }
7200
+ else {
7201
+ this.validateCodeChallengeMethod(codeChallengeMethod);
7202
+ }
7203
+ }
7204
+ /**
7205
+ * Utility to validate code_challenge_method
7206
+ * @param codeChallengeMethod
7207
+ */
7208
+ static validateCodeChallengeMethod(codeChallengeMethod) {
7209
+ if ([
7210
+ CodeChallengeMethodValues.PLAIN,
7211
+ CodeChallengeMethodValues.S256,
7212
+ ].indexOf(codeChallengeMethod) < 0) {
7213
+ throw createClientConfigurationError(invalidCodeChallengeMethod);
7214
+ }
7215
+ }
7216
+ }
7217
+
7185
7218
  /*
7186
7219
  * Copyright (c) Microsoft Corporation. All rights reserved.
7187
7220
  * Licensed under the MIT License.
@@ -7220,21 +7253,6 @@ class AuthorizationCodeClient extends BaseClient {
7220
7253
  this.oidcDefaultScopes =
7221
7254
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
7222
7255
  }
7223
- /**
7224
- * Creates the URL of the authorization request letting the user input credentials and consent to the
7225
- * application. The URL target the /authorize endpoint of the authority configured in the
7226
- * application object.
7227
- *
7228
- * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
7229
- * sent in the request and should contain an authorization code, which can then be used to acquire tokens via
7230
- * acquireToken(AuthorizationCodeRequest)
7231
- * @param request
7232
- */
7233
- async getAuthCodeUrl(request) {
7234
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
7235
- const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
7236
- return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
7237
- }
7238
7256
  /**
7239
7257
  * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
7240
7258
  * authorization_code_grant
@@ -7254,22 +7272,6 @@ class AuthorizationCodeClient extends BaseClient {
7254
7272
  responseHandler.validateTokenResponse(response.body);
7255
7273
  return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
7256
7274
  }
7257
- /**
7258
- * Handles the hash fragment response from public client code request. Returns a code response used by
7259
- * the client to exchange for a token in acquireToken.
7260
- * @param hashFragment
7261
- */
7262
- handleFragmentResponse(serverParams, cachedState) {
7263
- // Handle responses.
7264
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
7265
- // Get code response
7266
- responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
7267
- // throw when there is no auth code in the response
7268
- if (!serverParams.code) {
7269
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7270
- }
7271
- return serverParams;
7272
- }
7273
7275
  /**
7274
7276
  * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
7275
7277
  * Default behaviour is to redirect the user to `window.location.href`.
@@ -7317,8 +7319,8 @@ class AuthorizationCodeClient extends BaseClient {
7317
7319
  */
7318
7320
  async createTokenRequestBody(request) {
7319
7321
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
7320
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7321
- parameterBuilder.addClientId(request.embeddedClientId ||
7322
+ const parameters = new Map();
7323
+ addClientId(parameters, request.embeddedClientId ||
7322
7324
  request.tokenBodyParameters?.[CLIENT_ID] ||
7323
7325
  this.config.authOptions.clientId);
7324
7326
  /*
@@ -7331,33 +7333,33 @@ class AuthorizationCodeClient extends BaseClient {
7331
7333
  }
7332
7334
  else {
7333
7335
  // Validate and include redirect uri
7334
- parameterBuilder.addRedirectUri(request.redirectUri);
7336
+ addRedirectUri(parameters, request.redirectUri);
7335
7337
  }
7336
7338
  // Add scope array, parameter builder will add default scopes and dedupe
7337
- parameterBuilder.addScopes(request.scopes, true, this.oidcDefaultScopes);
7339
+ addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
7338
7340
  // add code: user set, not validated
7339
- parameterBuilder.addAuthorizationCode(request.code);
7341
+ addAuthorizationCode(parameters, request.code);
7340
7342
  // Add library metadata
7341
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7342
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7343
- parameterBuilder.addThrottling();
7343
+ addLibraryInfo(parameters, this.config.libraryInfo);
7344
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7345
+ addThrottling(parameters);
7344
7346
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7345
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7347
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7346
7348
  }
7347
7349
  // add code_verifier if passed
7348
7350
  if (request.codeVerifier) {
7349
- parameterBuilder.addCodeVerifier(request.codeVerifier);
7351
+ addCodeVerifier(parameters, request.codeVerifier);
7350
7352
  }
7351
7353
  if (this.config.clientCredentials.clientSecret) {
7352
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7354
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7353
7355
  }
7354
7356
  if (this.config.clientCredentials.clientAssertion) {
7355
7357
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7356
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7357
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7358
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7359
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7358
7360
  }
7359
- parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);
7360
- parameterBuilder.addClientInfo();
7361
+ addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
7362
+ addClientInfo(parameters);
7361
7363
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7362
7364
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
7363
7365
  let reqCnfData;
@@ -7369,11 +7371,11 @@ class AuthorizationCodeClient extends BaseClient {
7369
7371
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7370
7372
  }
7371
7373
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7372
- parameterBuilder.addPopToken(reqCnfData);
7374
+ addPopToken(parameters, reqCnfData);
7373
7375
  }
7374
7376
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7375
7377
  if (request.sshJwk) {
7376
- parameterBuilder.addSshJwk(request.sshJwk);
7378
+ addSshJwk(parameters, request.sshJwk);
7377
7379
  }
7378
7380
  else {
7379
7381
  throw createClientConfigurationError(missingSshJwk);
@@ -7382,7 +7384,7 @@ class AuthorizationCodeClient extends BaseClient {
7382
7384
  if (!StringUtils.isEmptyObj(request.claims) ||
7383
7385
  (this.config.authOptions.clientCapabilities &&
7384
7386
  this.config.authOptions.clientCapabilities.length > 0)) {
7385
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7387
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7386
7388
  }
7387
7389
  let ccsCred = undefined;
7388
7390
  if (request.clientInfo) {
@@ -7406,7 +7408,7 @@ class AuthorizationCodeClient extends BaseClient {
7406
7408
  case CcsCredentialType.HOME_ACCOUNT_ID:
7407
7409
  try {
7408
7410
  const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
7409
- parameterBuilder.addCcsOid(clientInfo);
7411
+ addCcsOid(parameters, clientInfo);
7410
7412
  }
7411
7413
  catch (e) {
7412
7414
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7414,230 +7416,55 @@ class AuthorizationCodeClient extends BaseClient {
7414
7416
  }
7415
7417
  break;
7416
7418
  case CcsCredentialType.UPN:
7417
- parameterBuilder.addCcsUpn(ccsCred.credential);
7419
+ addCcsUpn(parameters, ccsCred.credential);
7418
7420
  break;
7419
7421
  }
7420
7422
  }
7421
7423
  if (request.embeddedClientId) {
7422
- parameterBuilder.addBrokerParameters({
7423
- brokerClientId: this.config.authOptions.clientId,
7424
- brokerRedirectUri: this.config.authOptions.redirectUri,
7425
- });
7424
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7426
7425
  }
7427
7426
  if (request.tokenBodyParameters) {
7428
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7427
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7429
7428
  }
7430
7429
  // Add hybrid spa parameters if not already provided
7431
7430
  if (request.enableSpaAuthorizationCode &&
7432
7431
  (!request.tokenBodyParameters ||
7433
7432
  !request.tokenBodyParameters[RETURN_SPA_CODE])) {
7434
- parameterBuilder.addExtraQueryParameters({
7433
+ addExtraQueryParameters(parameters, {
7435
7434
  [RETURN_SPA_CODE]: "1",
7436
7435
  });
7437
7436
  }
7438
- return parameterBuilder.createQueryString();
7439
- }
7440
- /**
7441
- * This API validates the `AuthorizationCodeUrlRequest` and creates a URL
7442
- * @param request
7443
- */
7444
- async createAuthCodeUrlQueryString(request) {
7445
- // generate the correlationId if not set by the user and add
7446
- const correlationId = request.correlationId ||
7447
- this.config.cryptoInterface.createNewGuid();
7448
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
7449
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7450
- parameterBuilder.addClientId(request.embeddedClientId ||
7451
- request.extraQueryParameters?.[CLIENT_ID] ||
7452
- this.config.authOptions.clientId);
7453
- const requestScopes = [
7454
- ...(request.scopes || []),
7455
- ...(request.extraScopesToConsent || []),
7456
- ];
7457
- parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
7458
- // validate the redirectUri (to be a non null value)
7459
- parameterBuilder.addRedirectUri(request.redirectUri);
7460
- parameterBuilder.addCorrelationId(correlationId);
7461
- // add response_mode. If not passed in it defaults to query.
7462
- parameterBuilder.addResponseMode(request.responseMode);
7463
- // add response_type = code
7464
- parameterBuilder.addResponseTypeCode();
7465
- // add library info parameters
7466
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7467
- if (!isOidcProtocolMode(this.config)) {
7468
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7469
- }
7470
- // add client_info=1
7471
- parameterBuilder.addClientInfo();
7472
- if (request.codeChallenge && request.codeChallengeMethod) {
7473
- parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
7474
- }
7475
- if (request.prompt) {
7476
- parameterBuilder.addPrompt(request.prompt);
7477
- }
7478
- if (request.domainHint) {
7479
- parameterBuilder.addDomainHint(request.domainHint);
7480
- this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7481
- }
7482
- this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7483
- // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7484
- if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7485
- // AAD will throw if prompt=select_account is passed with an account hint
7486
- if (request.sid && request.prompt === PromptValue.NONE) {
7487
- // SessionID is only used in silent calls
7488
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7489
- parameterBuilder.addSid(request.sid);
7490
- this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7491
- }
7492
- else if (request.account) {
7493
- const accountSid = this.extractAccountSid(request.account);
7494
- let accountLoginHintClaim = this.extractLoginHint(request.account);
7495
- if (accountLoginHintClaim && request.domainHint) {
7496
- this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7497
- accountLoginHintClaim = null;
7498
- }
7499
- // If login_hint claim is present, use it over sid/username
7500
- if (accountLoginHintClaim) {
7501
- this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7502
- parameterBuilder.addLoginHint(accountLoginHintClaim);
7503
- this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7504
- try {
7505
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7506
- parameterBuilder.addCcsOid(clientInfo);
7507
- }
7508
- catch (e) {
7509
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7510
- }
7511
- }
7512
- else if (accountSid && request.prompt === PromptValue.NONE) {
7513
- /*
7514
- * If account and loginHint are provided, we will check account first for sid before adding loginHint
7515
- * SessionId is only used in silent calls
7516
- */
7517
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7518
- parameterBuilder.addSid(accountSid);
7519
- this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7520
- try {
7521
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7522
- parameterBuilder.addCcsOid(clientInfo);
7523
- }
7524
- catch (e) {
7525
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7526
- }
7527
- }
7528
- else if (request.loginHint) {
7529
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7530
- parameterBuilder.addLoginHint(request.loginHint);
7531
- parameterBuilder.addCcsUpn(request.loginHint);
7532
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7533
- }
7534
- else if (request.account.username) {
7535
- // Fallback to account username if provided
7536
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7537
- parameterBuilder.addLoginHint(request.account.username);
7538
- this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7539
- try {
7540
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7541
- parameterBuilder.addCcsOid(clientInfo);
7542
- }
7543
- catch (e) {
7544
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7545
- }
7546
- }
7547
- }
7548
- else if (request.loginHint) {
7549
- this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7550
- parameterBuilder.addLoginHint(request.loginHint);
7551
- parameterBuilder.addCcsUpn(request.loginHint);
7552
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7553
- }
7554
- }
7555
- else {
7556
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7557
- }
7558
- if (request.nonce) {
7559
- parameterBuilder.addNonce(request.nonce);
7560
- }
7561
- if (request.state) {
7562
- parameterBuilder.addState(request.state);
7563
- }
7564
- if (request.claims ||
7565
- (this.config.authOptions.clientCapabilities &&
7566
- this.config.authOptions.clientCapabilities.length > 0)) {
7567
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7568
- }
7569
- if (request.embeddedClientId) {
7570
- parameterBuilder.addBrokerParameters({
7571
- brokerClientId: this.config.authOptions.clientId,
7572
- brokerRedirectUri: this.config.authOptions.redirectUri,
7573
- });
7574
- }
7575
- this.addExtraQueryParams(request, parameterBuilder);
7576
- if (request.platformBroker) {
7577
- // signal ests that this is a WAM call
7578
- parameterBuilder.addNativeBroker();
7579
- // pass the req_cnf for POP
7580
- if (request.authenticationScheme === AuthenticationScheme.POP) {
7581
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
7582
- // req_cnf is always sent as a string for SPAs
7583
- let reqCnfData;
7584
- if (!request.popKid) {
7585
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
7586
- reqCnfData = generatedReqCnfData.reqCnfString;
7587
- }
7588
- else {
7589
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7590
- }
7591
- parameterBuilder.addPopToken(reqCnfData);
7592
- }
7593
- }
7594
- return parameterBuilder.createQueryString();
7437
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7438
+ return mapToQueryString(parameters);
7595
7439
  }
7596
7440
  /**
7597
7441
  * This API validates the `EndSessionRequest` and creates a URL
7598
7442
  * @param request
7599
7443
  */
7600
7444
  createLogoutUrlQueryString(request) {
7601
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7445
+ const parameters = new Map();
7602
7446
  if (request.postLogoutRedirectUri) {
7603
- parameterBuilder.addPostLogoutRedirectUri(request.postLogoutRedirectUri);
7447
+ addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
7604
7448
  }
7605
7449
  if (request.correlationId) {
7606
- parameterBuilder.addCorrelationId(request.correlationId);
7450
+ addCorrelationId(parameters, request.correlationId);
7607
7451
  }
7608
7452
  if (request.idTokenHint) {
7609
- parameterBuilder.addIdTokenHint(request.idTokenHint);
7453
+ addIdTokenHint(parameters, request.idTokenHint);
7610
7454
  }
7611
7455
  if (request.state) {
7612
- parameterBuilder.addState(request.state);
7456
+ addState(parameters, request.state);
7613
7457
  }
7614
7458
  if (request.logoutHint) {
7615
- parameterBuilder.addLogoutHint(request.logoutHint);
7616
- }
7617
- this.addExtraQueryParams(request, parameterBuilder);
7618
- return parameterBuilder.createQueryString();
7619
- }
7620
- addExtraQueryParams(request, parameterBuilder) {
7621
- const hasRequestInstanceAware = request.extraQueryParameters &&
7622
- request.extraQueryParameters.hasOwnProperty("instance_aware");
7623
- // Set instance_aware flag if config auth param is set
7624
- if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
7625
- request.extraQueryParameters = request.extraQueryParameters || {};
7626
- request.extraQueryParameters["instance_aware"] = "true";
7459
+ addLogoutHint(parameters, request.logoutHint);
7627
7460
  }
7628
7461
  if (request.extraQueryParameters) {
7629
- parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
7462
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7630
7463
  }
7631
- }
7632
- /**
7633
- * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7634
- * @param account
7635
- */
7636
- extractAccountSid(account) {
7637
- return account.idTokenClaims?.sid || null;
7638
- }
7639
- extractLoginHint(account) {
7640
- return account.idTokenClaims?.login_hint || null;
7464
+ if (this.config.authOptions.instanceAware) {
7465
+ addInstanceAware(parameters);
7466
+ }
7467
+ return mapToQueryString(parameters);
7641
7468
  }
7642
7469
  }
7643
7470
 
@@ -7768,31 +7595,30 @@ class RefreshTokenClient extends BaseClient {
7768
7595
  */
7769
7596
  async createTokenRequestBody(request) {
7770
7597
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
7771
- const correlationId = request.correlationId;
7772
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7773
- parameterBuilder.addClientId(request.embeddedClientId ||
7598
+ const parameters = new Map();
7599
+ addClientId(parameters, request.embeddedClientId ||
7774
7600
  request.tokenBodyParameters?.[CLIENT_ID] ||
7775
7601
  this.config.authOptions.clientId);
7776
7602
  if (request.redirectUri) {
7777
- parameterBuilder.addRedirectUri(request.redirectUri);
7778
- }
7779
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7780
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
7781
- parameterBuilder.addClientInfo();
7782
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7783
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7784
- parameterBuilder.addThrottling();
7603
+ addRedirectUri(parameters, request.redirectUri);
7604
+ }
7605
+ addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7606
+ addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7607
+ addClientInfo(parameters);
7608
+ addLibraryInfo(parameters, this.config.libraryInfo);
7609
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7610
+ addThrottling(parameters);
7785
7611
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7786
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7612
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7787
7613
  }
7788
- parameterBuilder.addRefreshToken(request.refreshToken);
7614
+ addRefreshToken(parameters, request.refreshToken);
7789
7615
  if (this.config.clientCredentials.clientSecret) {
7790
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7616
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7791
7617
  }
7792
7618
  if (this.config.clientCredentials.clientAssertion) {
7793
7619
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7794
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7795
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7620
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7621
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7796
7622
  }
7797
7623
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7798
7624
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
@@ -7805,11 +7631,11 @@ class RefreshTokenClient extends BaseClient {
7805
7631
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7806
7632
  }
7807
7633
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7808
- parameterBuilder.addPopToken(reqCnfData);
7634
+ addPopToken(parameters, reqCnfData);
7809
7635
  }
7810
7636
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7811
7637
  if (request.sshJwk) {
7812
- parameterBuilder.addSshJwk(request.sshJwk);
7638
+ addSshJwk(parameters, request.sshJwk);
7813
7639
  }
7814
7640
  else {
7815
7641
  throw createClientConfigurationError(missingSshJwk);
@@ -7818,7 +7644,7 @@ class RefreshTokenClient extends BaseClient {
7818
7644
  if (!StringUtils.isEmptyObj(request.claims) ||
7819
7645
  (this.config.authOptions.clientCapabilities &&
7820
7646
  this.config.authOptions.clientCapabilities.length > 0)) {
7821
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7647
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7822
7648
  }
7823
7649
  if (this.config.systemOptions.preventCorsPreflight &&
7824
7650
  request.ccsCredential) {
@@ -7826,7 +7652,7 @@ class RefreshTokenClient extends BaseClient {
7826
7652
  case CcsCredentialType.HOME_ACCOUNT_ID:
7827
7653
  try {
7828
7654
  const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
7829
- parameterBuilder.addCcsOid(clientInfo);
7655
+ addCcsOid(parameters, clientInfo);
7830
7656
  }
7831
7657
  catch (e) {
7832
7658
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7834,20 +7660,18 @@ class RefreshTokenClient extends BaseClient {
7834
7660
  }
7835
7661
  break;
7836
7662
  case CcsCredentialType.UPN:
7837
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
7663
+ addCcsUpn(parameters, request.ccsCredential.credential);
7838
7664
  break;
7839
7665
  }
7840
7666
  }
7841
7667
  if (request.embeddedClientId) {
7842
- parameterBuilder.addBrokerParameters({
7843
- brokerClientId: this.config.authOptions.clientId,
7844
- brokerRedirectUri: this.config.authOptions.redirectUri,
7845
- });
7668
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7846
7669
  }
7847
7670
  if (request.tokenBodyParameters) {
7848
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7671
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7849
7672
  }
7850
- return parameterBuilder.createQueryString();
7673
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7674
+ return mapToQueryString(parameters);
7851
7675
  }
7852
7676
  }
7853
7677
 
@@ -7960,6 +7784,236 @@ const StubbedNetworkModule = {
7960
7784
  },
7961
7785
  };
7962
7786
 
7787
+ /*
7788
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7789
+ * Licensed under the MIT License.
7790
+ */
7791
+ /**
7792
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
7793
+ * @param config
7794
+ * @param request
7795
+ * @param logger
7796
+ * @param performanceClient
7797
+ * @returns
7798
+ */
7799
+ function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
7800
+ // generate the correlationId if not set by the user and add
7801
+ const correlationId = request.correlationId;
7802
+ const parameters = new Map();
7803
+ addClientId(parameters, request.embeddedClientId ||
7804
+ request.extraQueryParameters?.[CLIENT_ID] ||
7805
+ authOptions.clientId);
7806
+ const requestScopes = [
7807
+ ...(request.scopes || []),
7808
+ ...(request.extraScopesToConsent || []),
7809
+ ];
7810
+ addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7811
+ addRedirectUri(parameters, request.redirectUri);
7812
+ addCorrelationId(parameters, correlationId);
7813
+ // add response_mode. If not passed in it defaults to query.
7814
+ addResponseMode(parameters, request.responseMode);
7815
+ // add client_info=1
7816
+ addClientInfo(parameters);
7817
+ if (request.prompt) {
7818
+ addPrompt(parameters, request.prompt);
7819
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7820
+ }
7821
+ if (request.domainHint) {
7822
+ addDomainHint(parameters, request.domainHint);
7823
+ performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7824
+ }
7825
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7826
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7827
+ // AAD will throw if prompt=select_account is passed with an account hint
7828
+ if (request.sid && request.prompt === PromptValue.NONE) {
7829
+ // SessionID is only used in silent calls
7830
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7831
+ addSid(parameters, request.sid);
7832
+ performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7833
+ }
7834
+ else if (request.account) {
7835
+ const accountSid = extractAccountSid(request.account);
7836
+ let accountLoginHintClaim = extractLoginHint(request.account);
7837
+ if (accountLoginHintClaim && request.domainHint) {
7838
+ logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7839
+ accountLoginHintClaim = null;
7840
+ }
7841
+ // If login_hint claim is present, use it over sid/username
7842
+ if (accountLoginHintClaim) {
7843
+ logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7844
+ addLoginHint(parameters, accountLoginHintClaim);
7845
+ performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7846
+ try {
7847
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7848
+ addCcsOid(parameters, clientInfo);
7849
+ }
7850
+ catch (e) {
7851
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7852
+ }
7853
+ }
7854
+ else if (accountSid && request.prompt === PromptValue.NONE) {
7855
+ /*
7856
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
7857
+ * SessionId is only used in silent calls
7858
+ */
7859
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7860
+ addSid(parameters, accountSid);
7861
+ performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7862
+ try {
7863
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7864
+ addCcsOid(parameters, clientInfo);
7865
+ }
7866
+ catch (e) {
7867
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7868
+ }
7869
+ }
7870
+ else if (request.loginHint) {
7871
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7872
+ addLoginHint(parameters, request.loginHint);
7873
+ addCcsUpn(parameters, request.loginHint);
7874
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7875
+ }
7876
+ else if (request.account.username) {
7877
+ // Fallback to account username if provided
7878
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7879
+ addLoginHint(parameters, request.account.username);
7880
+ performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7881
+ try {
7882
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7883
+ addCcsOid(parameters, clientInfo);
7884
+ }
7885
+ catch (e) {
7886
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7887
+ }
7888
+ }
7889
+ }
7890
+ else if (request.loginHint) {
7891
+ logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7892
+ addLoginHint(parameters, request.loginHint);
7893
+ addCcsUpn(parameters, request.loginHint);
7894
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7895
+ }
7896
+ }
7897
+ else {
7898
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7899
+ }
7900
+ if (request.nonce) {
7901
+ addNonce(parameters, request.nonce);
7902
+ }
7903
+ if (request.state) {
7904
+ addState(parameters, request.state);
7905
+ }
7906
+ if (request.claims ||
7907
+ (authOptions.clientCapabilities &&
7908
+ authOptions.clientCapabilities.length > 0)) {
7909
+ addClaims(parameters, request.claims, authOptions.clientCapabilities);
7910
+ }
7911
+ if (request.embeddedClientId) {
7912
+ addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7913
+ }
7914
+ // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
7915
+ if (authOptions.instanceAware &&
7916
+ (!request.extraQueryParameters ||
7917
+ !Object.keys(request.extraQueryParameters).includes(INSTANCE_AWARE))) {
7918
+ addInstanceAware(parameters);
7919
+ }
7920
+ return parameters;
7921
+ }
7922
+ /**
7923
+ * Returns authorize endpoint with given request parameters in the query string
7924
+ * @param authority
7925
+ * @param requestParameters
7926
+ * @returns
7927
+ */
7928
+ function getAuthorizeUrl(authority, requestParameters) {
7929
+ const queryString = mapToQueryString(requestParameters);
7930
+ return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
7931
+ }
7932
+ /**
7933
+ * Handles the hash fragment response from public client code request. Returns a code response used by
7934
+ * the client to exchange for a token in acquireToken.
7935
+ * @param serverParams
7936
+ * @param cachedState
7937
+ */
7938
+ function getAuthorizationCodePayload(serverParams, cachedState) {
7939
+ // Get code response
7940
+ validateAuthorizationResponse(serverParams, cachedState);
7941
+ // throw when there is no auth code in the response
7942
+ if (!serverParams.code) {
7943
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7944
+ }
7945
+ return serverParams;
7946
+ }
7947
+ /**
7948
+ * Function which validates server authorization code response.
7949
+ * @param serverResponseHash
7950
+ * @param requestState
7951
+ */
7952
+ function validateAuthorizationResponse(serverResponse, requestState) {
7953
+ if (!serverResponse.state || !requestState) {
7954
+ throw serverResponse.state
7955
+ ? createClientAuthError(stateNotFound, "Cached State")
7956
+ : createClientAuthError(stateNotFound, "Server State");
7957
+ }
7958
+ let decodedServerResponseState;
7959
+ let decodedRequestState;
7960
+ try {
7961
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
7962
+ }
7963
+ catch (e) {
7964
+ throw createClientAuthError(invalidState, serverResponse.state);
7965
+ }
7966
+ try {
7967
+ decodedRequestState = decodeURIComponent(requestState);
7968
+ }
7969
+ catch (e) {
7970
+ throw createClientAuthError(invalidState, serverResponse.state);
7971
+ }
7972
+ if (decodedServerResponseState !== decodedRequestState) {
7973
+ throw createClientAuthError(stateMismatch);
7974
+ }
7975
+ // Check for error
7976
+ if (serverResponse.error ||
7977
+ serverResponse.error_description ||
7978
+ serverResponse.suberror) {
7979
+ const serverErrorNo = parseServerErrorNo(serverResponse);
7980
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7981
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7982
+ }
7983
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7984
+ }
7985
+ }
7986
+ /**
7987
+ * Get server error No from the error_uri
7988
+ * @param serverResponse
7989
+ * @returns
7990
+ */
7991
+ function parseServerErrorNo(serverResponse) {
7992
+ const errorCodePrefix = "code=";
7993
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
7994
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
7995
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
7996
+ : undefined;
7997
+ }
7998
+ /**
7999
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
8000
+ * @param account
8001
+ */
8002
+ function extractAccountSid(account) {
8003
+ return account.idTokenClaims?.sid || null;
8004
+ }
8005
+ function extractLoginHint(account) {
8006
+ return account.idTokenClaims?.login_hint || null;
8007
+ }
8008
+
8009
+ var Authorize = /*#__PURE__*/Object.freeze({
8010
+ __proto__: null,
8011
+ getAuthorizationCodePayload: getAuthorizationCodePayload,
8012
+ getAuthorizeUrl: getAuthorizeUrl,
8013
+ getStandardAuthorizeRequestParameters: getStandardAuthorizeRequestParameters,
8014
+ validateAuthorizationResponse: validateAuthorizationResponse
8015
+ });
8016
+
7963
8017
  /*
7964
8018
  * Copyright (c) Microsoft Corporation. All rights reserved.
7965
8019
  * Licensed under the MIT License.
@@ -8290,6 +8344,7 @@ exports.Authority = Authority;
8290
8344
  exports.AuthorityFactory = AuthorityFactory;
8291
8345
  exports.AuthorityType = AuthorityType;
8292
8346
  exports.AuthorizationCodeClient = AuthorizationCodeClient;
8347
+ exports.Authorize = Authorize;
8293
8348
  exports.AzureCloudInstance = AzureCloudInstance;
8294
8349
  exports.BaseClient = BaseClient;
8295
8350
  exports.CacheAccountType = CacheAccountType;
@@ -8326,6 +8381,7 @@ exports.InteractionRequiredAuthErrorMessage = InteractionRequiredAuthErrorMessag
8326
8381
  exports.JsonWebTokenTypes = JsonWebTokenTypes;
8327
8382
  exports.Logger = Logger;
8328
8383
  exports.NetworkError = NetworkError;
8384
+ exports.OAuthResponseType = OAuthResponseType;
8329
8385
  exports.OIDC_DEFAULT_SCOPES = OIDC_DEFAULT_SCOPES;
8330
8386
  exports.ONE_DAY_IN_MS = ONE_DAY_IN_MS;
8331
8387
  exports.PasswordGrantConstants = PasswordGrantConstants;
@@ -8374,4 +8430,4 @@ exports.invokeAsync = invokeAsync;
8374
8430
  exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
8375
8431
  exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
8376
8432
  exports.version = version;
8377
- //# sourceMappingURL=index-node--LMD5Re1.js.map
8433
+ //# sourceMappingURL=index-node-C56U0Gkp.js.map