@azure/msal-common 16.11.1 → 16.11.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/AccountEntityUtils.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +1 -1
- package/dist/client/RefreshTokenClient.mjs +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.mjs +1 -1
- package/dist/crypto/ICrypto.mjs +5 -1
- package/dist/crypto/ICrypto.mjs.map +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +5 -3
- package/dist/error/ClientConfigurationErrorCodes.mjs.map +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/PlatformBrokerError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/index-node.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.mjs +1 -1
- package/dist/protocol/Token.mjs +1 -1
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/BaseAuthRequest.mjs +1 -1
- package/dist/request/RequestParameterBuilder.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/ResponseHandler.mjs +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.mjs +1 -1
- package/dist-browser/account/AccountInfo.mjs +1 -1
- package/dist-browser/account/AuthToken.mjs +1 -1
- package/dist-browser/account/CcsCredential.mjs +1 -1
- package/dist-browser/account/ClientInfo.mjs +1 -1
- package/dist-browser/account/TokenClaims.mjs +1 -1
- package/dist-browser/authority/Authority.mjs +1 -1
- package/dist-browser/authority/AuthorityFactory.mjs +1 -1
- package/dist-browser/authority/AuthorityMetadata.mjs +1 -1
- package/dist-browser/authority/AuthorityOptions.mjs +1 -1
- package/dist-browser/authority/AuthorityType.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist-browser/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist-browser/authority/ProtocolMode.mjs +1 -1
- package/dist-browser/authority/RegionDiscovery.mjs +1 -1
- package/dist-browser/cache/CacheManager.mjs +1 -1
- package/dist-browser/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist-browser/cache/utils/AccountEntityUtils.mjs +1 -1
- package/dist-browser/cache/utils/CacheHelpers.mjs +1 -1
- package/dist-browser/client/AuthorizationCodeClient.mjs +1 -1
- package/dist-browser/client/RefreshTokenClient.mjs +1 -1
- package/dist-browser/client/SilentFlowClient.mjs +1 -1
- package/dist-browser/config/ClientConfiguration.mjs +1 -1
- package/dist-browser/constants/AADServerParamKeys.mjs +1 -1
- package/dist-browser/crypto/ICrypto.mjs +5 -1
- package/dist-browser/crypto/ICrypto.mjs.map +1 -1
- package/dist-browser/crypto/JoseHeader.mjs +1 -1
- package/dist-browser/crypto/PopTokenGenerator.mjs +1 -1
- package/dist-browser/error/AuthError.mjs +1 -1
- package/dist-browser/error/AuthErrorCodes.mjs +1 -1
- package/dist-browser/error/CacheError.mjs +1 -1
- package/dist-browser/error/CacheErrorCodes.mjs +1 -1
- package/dist-browser/error/ClientAuthError.mjs +1 -1
- package/dist-browser/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist-browser/error/ClientConfigurationError.mjs +1 -1
- package/dist-browser/error/ClientConfigurationErrorCodes.mjs +5 -3
- package/dist-browser/error/ClientConfigurationErrorCodes.mjs.map +1 -1
- package/dist-browser/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist-browser/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist-browser/error/JoseHeaderError.mjs +1 -1
- package/dist-browser/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist-browser/error/NetworkError.mjs +1 -1
- package/dist-browser/error/PlatformBrokerError.mjs +1 -1
- package/dist-browser/error/ServerError.mjs +1 -1
- package/dist-browser/index-browser.mjs +1 -1
- package/dist-browser/index.mjs +1 -1
- package/dist-browser/log-strings-mapping.json +2 -2
- package/dist-browser/logger/Logger.mjs +1 -1
- package/dist-browser/network/INetworkModule.mjs +1 -1
- package/dist-browser/network/RequestThumbprint.mjs +1 -1
- package/dist-browser/network/ThrottlingUtils.mjs +1 -1
- package/dist-browser/packageMetadata.mjs +2 -2
- package/dist-browser/protocol/Authorize.mjs +1 -1
- package/dist-browser/protocol/Token.mjs +1 -1
- package/dist-browser/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist-browser/request/BaseAuthRequest.mjs +1 -1
- package/dist-browser/request/RequestParameterBuilder.mjs +1 -1
- package/dist-browser/request/ScopeSet.mjs +1 -1
- package/dist-browser/response/ResponseHandler.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist-browser/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist-browser/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist-browser/url/UrlString.mjs +1 -1
- package/dist-browser/utils/ClientAssertionUtils.mjs +1 -1
- package/dist-browser/utils/Constants.mjs +1 -1
- package/dist-browser/utils/FunctionWrappers.mjs +1 -1
- package/dist-browser/utils/ProtocolUtils.mjs +1 -1
- package/dist-browser/utils/StringUtils.mjs +1 -1
- package/dist-browser/utils/TimeUtils.mjs +1 -1
- package/dist-browser/utils/UrlUtils.mjs +1 -1
- package/lib/index-browser.cjs +2 -2
- package/lib/{index-node-Byp4nlZZ.js → index-node-CqVflMt1.js} +12 -4
- package/lib/index-node-CqVflMt1.js.map +1 -0
- package/lib/index-node.cjs +2 -2
- package/lib/index.cjs +2 -2
- package/package.json +1 -1
- package/src/crypto/DpopProofGenerator.ts +247 -0
- package/src/crypto/ICrypto.ts +15 -3
- package/src/error/ClientConfigurationErrorCodes.ts +2 -0
- package/src/packageMetadata.ts +1 -1
- package/types/crypto/DpopProofGenerator.d.ts +105 -0
- package/types/crypto/DpopProofGenerator.d.ts.map +1 -0
- package/types/crypto/ICrypto.d.ts +15 -3
- package/types/crypto/ICrypto.d.ts.map +1 -1
- package/types/error/ClientConfigurationErrorCodes.d.ts +2 -0
- package/types/error/ClientConfigurationErrorCodes.d.ts.map +1 -1
- package/types/packageMetadata.d.ts +1 -1
- package/lib/index-node-Byp4nlZZ.js.map +0 -1
|
@@ -0,0 +1,247 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3
|
+
* Licensed under the MIT License.
|
|
4
|
+
*/
|
|
5
|
+
|
|
6
|
+
import { ICrypto, JsonWebTokenAlgorithms } from "./ICrypto.js";
|
|
7
|
+
import * as TimeUtils from "../utils/TimeUtils.js";
|
|
8
|
+
import {
|
|
9
|
+
createClientConfigurationError,
|
|
10
|
+
ClientConfigurationErrorCodes,
|
|
11
|
+
} from "../error/ClientConfigurationError.js";
|
|
12
|
+
|
|
13
|
+
/**
|
|
14
|
+
* RFC 9449 DPoP proof JWT payload claims.
|
|
15
|
+
* Not exported from any public package entry point.
|
|
16
|
+
* @internal
|
|
17
|
+
*/
|
|
18
|
+
export type DpopProofClaims = {
|
|
19
|
+
jti: string;
|
|
20
|
+
htm: string;
|
|
21
|
+
htu: string;
|
|
22
|
+
iat: number;
|
|
23
|
+
nonce?: string;
|
|
24
|
+
ath?: string;
|
|
25
|
+
};
|
|
26
|
+
|
|
27
|
+
/**
|
|
28
|
+
* Parameters for building a token-endpoint DPoP proof.
|
|
29
|
+
* @internal
|
|
30
|
+
*/
|
|
31
|
+
export type DpopTokenProofParams = {
|
|
32
|
+
tokenEndpoint: string;
|
|
33
|
+
nonce?: string;
|
|
34
|
+
};
|
|
35
|
+
|
|
36
|
+
/**
|
|
37
|
+
* Parameters for building a resource-endpoint DPoP proof.
|
|
38
|
+
* @internal
|
|
39
|
+
*/
|
|
40
|
+
export type DpopResourceProofParams = {
|
|
41
|
+
resourceUrl: string;
|
|
42
|
+
htm: string;
|
|
43
|
+
ath: string;
|
|
44
|
+
nonce?: string;
|
|
45
|
+
};
|
|
46
|
+
|
|
47
|
+
/**
|
|
48
|
+
* Public JWK embedded in the DPoP proof header.
|
|
49
|
+
* @internal
|
|
50
|
+
*/
|
|
51
|
+
export type DpopPublicJwk = Record<string, unknown>;
|
|
52
|
+
|
|
53
|
+
/**
|
|
54
|
+
* RFC 9449 DPoP proof JWT header.
|
|
55
|
+
* @internal
|
|
56
|
+
*/
|
|
57
|
+
export type DpopProofHeader = {
|
|
58
|
+
typ: typeof DPOP_JWT_HEADER_TYPE;
|
|
59
|
+
alg: string;
|
|
60
|
+
jwk: DpopPublicJwk;
|
|
61
|
+
};
|
|
62
|
+
|
|
63
|
+
/**
|
|
64
|
+
* Signs the ASCII DPoP JWT signing input with the declared JOSE alg
|
|
65
|
+
* and returns a base64url-encoded signature.
|
|
66
|
+
* @internal
|
|
67
|
+
*/
|
|
68
|
+
export type DpopProofSigner = {
|
|
69
|
+
alg: string;
|
|
70
|
+
sign: (signingInput: string, correlationId: string) => Promise<string>;
|
|
71
|
+
};
|
|
72
|
+
|
|
73
|
+
/**
|
|
74
|
+
* Parameters shared by token and resource DPoP proof generation.
|
|
75
|
+
* @internal
|
|
76
|
+
*/
|
|
77
|
+
export type DpopProofGenerationParams = {
|
|
78
|
+
publicJwk: DpopPublicJwk;
|
|
79
|
+
signer: DpopProofSigner;
|
|
80
|
+
};
|
|
81
|
+
|
|
82
|
+
const DPOP_HTM_REGEX = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
|
|
83
|
+
export const DPOP_JWT_HEADER_TYPE = "dpop+jwt";
|
|
84
|
+
export const DPOP_JWT_HEADER_ALGORITHM = JsonWebTokenAlgorithms.ES256;
|
|
85
|
+
|
|
86
|
+
function buildProofHeader(params: DpopProofGenerationParams): DpopProofHeader {
|
|
87
|
+
return {
|
|
88
|
+
typ: DPOP_JWT_HEADER_TYPE,
|
|
89
|
+
alg: params.signer.alg,
|
|
90
|
+
jwk: params.publicJwk,
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
function normalizeHtm(htm: string, correlationId: string): string {
|
|
95
|
+
if (typeof htm !== "string" || !DPOP_HTM_REGEX.test(htm)) {
|
|
96
|
+
throw createClientConfigurationError(
|
|
97
|
+
ClientConfigurationErrorCodes.invalidDpopHtm,
|
|
98
|
+
correlationId
|
|
99
|
+
);
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
return htm.toUpperCase();
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
/**
|
|
106
|
+
* Normalizes a URL for use as the DPoP htu claim.
|
|
107
|
+
* Per RFC 9449 §4.2, htu is the target URI without query and fragment components.
|
|
108
|
+
* WHATWG URL serialization handles RFC 3986 syntax- and scheme-based normalization
|
|
109
|
+
* such as lowercasing scheme/host and eliding default ports.
|
|
110
|
+
*/
|
|
111
|
+
function normalizeHtu(url: string, correlationId: string): string {
|
|
112
|
+
let parsedUrl: URL;
|
|
113
|
+
try {
|
|
114
|
+
parsedUrl = new URL(url);
|
|
115
|
+
} catch {
|
|
116
|
+
throw createClientConfigurationError(
|
|
117
|
+
ClientConfigurationErrorCodes.urlParseError,
|
|
118
|
+
correlationId
|
|
119
|
+
);
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
if (
|
|
123
|
+
!/^https:\/\//i.test(url) ||
|
|
124
|
+
parsedUrl.protocol !== "https:" ||
|
|
125
|
+
parsedUrl.username ||
|
|
126
|
+
parsedUrl.password
|
|
127
|
+
) {
|
|
128
|
+
throw createClientConfigurationError(
|
|
129
|
+
ClientConfigurationErrorCodes.invalidDpopHtu,
|
|
130
|
+
correlationId
|
|
131
|
+
);
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
parsedUrl.search = "";
|
|
135
|
+
parsedUrl.hash = "";
|
|
136
|
+
return parsedUrl.href;
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
/**
|
|
140
|
+
* Builds RFC 9449 DPoP proof JWT payloads for token-endpoint and
|
|
141
|
+
* resource-endpoint proof bindings.
|
|
142
|
+
*
|
|
143
|
+
* Not exported from any public package entry point.
|
|
144
|
+
* This helper is internal-only until DPoP is wired into acquisition flows
|
|
145
|
+
* in a subsequent work item.
|
|
146
|
+
*
|
|
147
|
+
* DPoP proofs do not contain SHR fields (at, ts, m, u, p, q).
|
|
148
|
+
* @internal
|
|
149
|
+
*/
|
|
150
|
+
export class DpopProofGenerator {
|
|
151
|
+
private cryptoUtils: ICrypto;
|
|
152
|
+
|
|
153
|
+
constructor(cryptoUtils: ICrypto) {
|
|
154
|
+
this.cryptoUtils = cryptoUtils;
|
|
155
|
+
}
|
|
156
|
+
|
|
157
|
+
/**
|
|
158
|
+
* Builds RFC 9449 claims for a token-endpoint DPoP proof.
|
|
159
|
+
* - htm is always "POST" because token endpoint requests use HTTP POST (RFC 9449 §5).
|
|
160
|
+
* - htu is the normalized token endpoint URI (query and fragment stripped).
|
|
161
|
+
* - jti is a fresh CSPRNG-backed unique identifier for every proof.
|
|
162
|
+
*/
|
|
163
|
+
buildTokenProofClaims(
|
|
164
|
+
params: DpopTokenProofParams,
|
|
165
|
+
correlationId: string = ""
|
|
166
|
+
): DpopProofClaims {
|
|
167
|
+
const claims: DpopProofClaims = {
|
|
168
|
+
jti: this.cryptoUtils.createNewGuid(),
|
|
169
|
+
htm: "POST",
|
|
170
|
+
htu: normalizeHtu(params.tokenEndpoint, correlationId),
|
|
171
|
+
iat: TimeUtils.nowSeconds(),
|
|
172
|
+
};
|
|
173
|
+
if (params.nonce !== undefined) {
|
|
174
|
+
claims.nonce = params.nonce;
|
|
175
|
+
}
|
|
176
|
+
return claims;
|
|
177
|
+
}
|
|
178
|
+
|
|
179
|
+
/**
|
|
180
|
+
* Builds and signs a compact DPoP proof JWT for a token-endpoint request.
|
|
181
|
+
*/
|
|
182
|
+
async generateTokenProof(
|
|
183
|
+
params: DpopTokenProofParams & DpopProofGenerationParams,
|
|
184
|
+
correlationId: string = ""
|
|
185
|
+
): Promise<string> {
|
|
186
|
+
return this.generateProof(
|
|
187
|
+
this.buildTokenProofClaims(params, correlationId),
|
|
188
|
+
params,
|
|
189
|
+
correlationId
|
|
190
|
+
);
|
|
191
|
+
}
|
|
192
|
+
|
|
193
|
+
/**
|
|
194
|
+
* Builds RFC 9449 claims for a resource-endpoint DPoP proof.
|
|
195
|
+
* - htm is uppercased per RFC 9449 §4.2.
|
|
196
|
+
* - htu is the normalized resource URI (query and fragment stripped).
|
|
197
|
+
* - ath is the base64url-encoded SHA-256 hash of the ASCII access token.
|
|
198
|
+
* - jti is a fresh CSPRNG-backed unique identifier for every proof.
|
|
199
|
+
*/
|
|
200
|
+
buildResourceProofClaims(
|
|
201
|
+
params: DpopResourceProofParams,
|
|
202
|
+
correlationId: string = ""
|
|
203
|
+
): DpopProofClaims {
|
|
204
|
+
const claims: DpopProofClaims = {
|
|
205
|
+
jti: this.cryptoUtils.createNewGuid(),
|
|
206
|
+
htm: normalizeHtm(params.htm, correlationId),
|
|
207
|
+
htu: normalizeHtu(params.resourceUrl, correlationId),
|
|
208
|
+
ath: params.ath,
|
|
209
|
+
iat: TimeUtils.nowSeconds(),
|
|
210
|
+
};
|
|
211
|
+
if (params.nonce !== undefined) {
|
|
212
|
+
claims.nonce = params.nonce;
|
|
213
|
+
}
|
|
214
|
+
return claims;
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
/**
|
|
218
|
+
* Builds and signs a compact DPoP proof JWT for a resource request.
|
|
219
|
+
*/
|
|
220
|
+
async generateResourceProof(
|
|
221
|
+
params: DpopResourceProofParams & DpopProofGenerationParams,
|
|
222
|
+
correlationId: string = ""
|
|
223
|
+
): Promise<string> {
|
|
224
|
+
return this.generateProof(
|
|
225
|
+
this.buildResourceProofClaims(params, correlationId),
|
|
226
|
+
params,
|
|
227
|
+
correlationId
|
|
228
|
+
);
|
|
229
|
+
}
|
|
230
|
+
|
|
231
|
+
private async generateProof(
|
|
232
|
+
claims: DpopProofClaims,
|
|
233
|
+
params: DpopProofGenerationParams,
|
|
234
|
+
correlationId: string
|
|
235
|
+
): Promise<string> {
|
|
236
|
+
const encodedHeader = this.cryptoUtils.base64UrlEncode(
|
|
237
|
+
JSON.stringify(buildProofHeader(params))
|
|
238
|
+
);
|
|
239
|
+
const encodedClaims = this.cryptoUtils.base64UrlEncode(
|
|
240
|
+
JSON.stringify(claims)
|
|
241
|
+
);
|
|
242
|
+
const signingInput = `${encodedHeader}.${encodedClaims}`;
|
|
243
|
+
const signature = await params.signer.sign(signingInput, correlationId);
|
|
244
|
+
|
|
245
|
+
return `${signingInput}.${signature}`;
|
|
246
|
+
}
|
|
247
|
+
}
|
package/src/crypto/ICrypto.ts
CHANGED
|
@@ -11,15 +11,17 @@ import type { BaseAuthRequest } from "../request/BaseAuthRequest.js";
|
|
|
11
11
|
import type { ShrOptions, SignedHttpRequest } from "./SignedHttpRequest.js";
|
|
12
12
|
|
|
13
13
|
/**
|
|
14
|
-
*
|
|
15
|
-
* of objects that contain PKCE code
|
|
16
|
-
* challenge and verifier pairs
|
|
14
|
+
* PKCE code verifier and challenge pair used by authorization code flows.
|
|
17
15
|
*/
|
|
18
16
|
export type PkceCodes = {
|
|
19
17
|
verifier: string;
|
|
20
18
|
challenge: string;
|
|
21
19
|
};
|
|
22
20
|
|
|
21
|
+
/**
|
|
22
|
+
* Parameters used by crypto implementations to build signed HTTP request
|
|
23
|
+
* proof-of-possession tokens.
|
|
24
|
+
*/
|
|
23
25
|
export type SignedHttpRequestParameters = Pick<
|
|
24
26
|
BaseAuthRequest,
|
|
25
27
|
| "resourceRequestMethod"
|
|
@@ -31,6 +33,12 @@ export type SignedHttpRequestParameters = Pick<
|
|
|
31
33
|
correlationId: string;
|
|
32
34
|
};
|
|
33
35
|
|
|
36
|
+
/**
|
|
37
|
+
* Shared JOSE algorithm literals used by MSAL package internals.
|
|
38
|
+
*/
|
|
39
|
+
export const JsonWebTokenAlgorithms = {
|
|
40
|
+
ES256: "ES256",
|
|
41
|
+
} as const;
|
|
34
42
|
/**
|
|
35
43
|
* Interface for crypto functions used by library
|
|
36
44
|
*/
|
|
@@ -94,6 +102,10 @@ export interface ICrypto {
|
|
|
94
102
|
hashString(plainText: string): Promise<string>;
|
|
95
103
|
}
|
|
96
104
|
|
|
105
|
+
/**
|
|
106
|
+
* Default crypto implementation used when a platform-specific implementation has
|
|
107
|
+
* not been provided.
|
|
108
|
+
*/
|
|
97
109
|
export const DEFAULT_CRYPTO_IMPLEMENTATION: ICrypto = {
|
|
98
110
|
createNewGuid: (): string => {
|
|
99
111
|
throw createClientAuthError(
|
|
@@ -30,3 +30,5 @@ export const invalidPlatformBrokerConfiguration =
|
|
|
30
30
|
"invalid_platform_broker_configuration";
|
|
31
31
|
export const issuerValidationFailed = "issuer_validation_failed";
|
|
32
32
|
export const invalidResponseMode = "invalid_response_mode";
|
|
33
|
+
export const invalidDpopHtm = "invalid_dpop_htm";
|
|
34
|
+
export const invalidDpopHtu = "invalid_dpop_htu";
|
package/src/packageMetadata.ts
CHANGED
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
import { ICrypto } from "./ICrypto.js";
|
|
2
|
+
/**
|
|
3
|
+
* RFC 9449 DPoP proof JWT payload claims.
|
|
4
|
+
* Not exported from any public package entry point.
|
|
5
|
+
* @internal
|
|
6
|
+
*/
|
|
7
|
+
export type DpopProofClaims = {
|
|
8
|
+
jti: string;
|
|
9
|
+
htm: string;
|
|
10
|
+
htu: string;
|
|
11
|
+
iat: number;
|
|
12
|
+
nonce?: string;
|
|
13
|
+
ath?: string;
|
|
14
|
+
};
|
|
15
|
+
/**
|
|
16
|
+
* Parameters for building a token-endpoint DPoP proof.
|
|
17
|
+
* @internal
|
|
18
|
+
*/
|
|
19
|
+
export type DpopTokenProofParams = {
|
|
20
|
+
tokenEndpoint: string;
|
|
21
|
+
nonce?: string;
|
|
22
|
+
};
|
|
23
|
+
/**
|
|
24
|
+
* Parameters for building a resource-endpoint DPoP proof.
|
|
25
|
+
* @internal
|
|
26
|
+
*/
|
|
27
|
+
export type DpopResourceProofParams = {
|
|
28
|
+
resourceUrl: string;
|
|
29
|
+
htm: string;
|
|
30
|
+
ath: string;
|
|
31
|
+
nonce?: string;
|
|
32
|
+
};
|
|
33
|
+
/**
|
|
34
|
+
* Public JWK embedded in the DPoP proof header.
|
|
35
|
+
* @internal
|
|
36
|
+
*/
|
|
37
|
+
export type DpopPublicJwk = Record<string, unknown>;
|
|
38
|
+
/**
|
|
39
|
+
* RFC 9449 DPoP proof JWT header.
|
|
40
|
+
* @internal
|
|
41
|
+
*/
|
|
42
|
+
export type DpopProofHeader = {
|
|
43
|
+
typ: typeof DPOP_JWT_HEADER_TYPE;
|
|
44
|
+
alg: string;
|
|
45
|
+
jwk: DpopPublicJwk;
|
|
46
|
+
};
|
|
47
|
+
/**
|
|
48
|
+
* Signs the ASCII DPoP JWT signing input with the declared JOSE alg
|
|
49
|
+
* and returns a base64url-encoded signature.
|
|
50
|
+
* @internal
|
|
51
|
+
*/
|
|
52
|
+
export type DpopProofSigner = {
|
|
53
|
+
alg: string;
|
|
54
|
+
sign: (signingInput: string, correlationId: string) => Promise<string>;
|
|
55
|
+
};
|
|
56
|
+
/**
|
|
57
|
+
* Parameters shared by token and resource DPoP proof generation.
|
|
58
|
+
* @internal
|
|
59
|
+
*/
|
|
60
|
+
export type DpopProofGenerationParams = {
|
|
61
|
+
publicJwk: DpopPublicJwk;
|
|
62
|
+
signer: DpopProofSigner;
|
|
63
|
+
};
|
|
64
|
+
export declare const DPOP_JWT_HEADER_TYPE = "dpop+jwt";
|
|
65
|
+
export declare const DPOP_JWT_HEADER_ALGORITHM: "ES256";
|
|
66
|
+
/**
|
|
67
|
+
* Builds RFC 9449 DPoP proof JWT payloads for token-endpoint and
|
|
68
|
+
* resource-endpoint proof bindings.
|
|
69
|
+
*
|
|
70
|
+
* Not exported from any public package entry point.
|
|
71
|
+
* This helper is internal-only until DPoP is wired into acquisition flows
|
|
72
|
+
* in a subsequent work item.
|
|
73
|
+
*
|
|
74
|
+
* DPoP proofs do not contain SHR fields (at, ts, m, u, p, q).
|
|
75
|
+
* @internal
|
|
76
|
+
*/
|
|
77
|
+
export declare class DpopProofGenerator {
|
|
78
|
+
private cryptoUtils;
|
|
79
|
+
constructor(cryptoUtils: ICrypto);
|
|
80
|
+
/**
|
|
81
|
+
* Builds RFC 9449 claims for a token-endpoint DPoP proof.
|
|
82
|
+
* - htm is always "POST" because token endpoint requests use HTTP POST (RFC 9449 §5).
|
|
83
|
+
* - htu is the normalized token endpoint URI (query and fragment stripped).
|
|
84
|
+
* - jti is a fresh CSPRNG-backed unique identifier for every proof.
|
|
85
|
+
*/
|
|
86
|
+
buildTokenProofClaims(params: DpopTokenProofParams, correlationId?: string): DpopProofClaims;
|
|
87
|
+
/**
|
|
88
|
+
* Builds and signs a compact DPoP proof JWT for a token-endpoint request.
|
|
89
|
+
*/
|
|
90
|
+
generateTokenProof(params: DpopTokenProofParams & DpopProofGenerationParams, correlationId?: string): Promise<string>;
|
|
91
|
+
/**
|
|
92
|
+
* Builds RFC 9449 claims for a resource-endpoint DPoP proof.
|
|
93
|
+
* - htm is uppercased per RFC 9449 §4.2.
|
|
94
|
+
* - htu is the normalized resource URI (query and fragment stripped).
|
|
95
|
+
* - ath is the base64url-encoded SHA-256 hash of the ASCII access token.
|
|
96
|
+
* - jti is a fresh CSPRNG-backed unique identifier for every proof.
|
|
97
|
+
*/
|
|
98
|
+
buildResourceProofClaims(params: DpopResourceProofParams, correlationId?: string): DpopProofClaims;
|
|
99
|
+
/**
|
|
100
|
+
* Builds and signs a compact DPoP proof JWT for a resource request.
|
|
101
|
+
*/
|
|
102
|
+
generateResourceProof(params: DpopResourceProofParams & DpopProofGenerationParams, correlationId?: string): Promise<string>;
|
|
103
|
+
private generateProof;
|
|
104
|
+
}
|
|
105
|
+
//# sourceMappingURL=DpopProofGenerator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"DpopProofGenerator.d.ts","sourceRoot":"","sources":["../../src/crypto/DpopProofGenerator.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,OAAO,EAA0B,MAAM,cAAc,CAAC;AAO/D;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAAG;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,uBAAuB,GAAG;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,GAAG,EAAE,OAAO,oBAAoB,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,aAAa,CAAC;CACtB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,yBAAyB,GAAG;IACpC,SAAS,EAAE,aAAa,CAAC;IACzB,MAAM,EAAE,eAAe,CAAC;CAC3B,CAAC;AAGF,eAAO,MAAM,oBAAoB,aAAa,CAAC;AAC/C,eAAO,MAAM,yBAAyB,SAA+B,CAAC;AAuDtE;;;;;;;;;;GAUG;AACH,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,WAAW,CAAU;gBAEjB,WAAW,EAAE,OAAO;IAIhC;;;;;OAKG;IACH,qBAAqB,CACjB,MAAM,EAAE,oBAAoB,EAC5B,aAAa,GAAE,MAAW,GAC3B,eAAe;IAalB;;OAEG;IACG,kBAAkB,CACpB,MAAM,EAAE,oBAAoB,GAAG,yBAAyB,EACxD,aAAa,GAAE,MAAW,GAC3B,OAAO,CAAC,MAAM,CAAC;IAQlB;;;;;;OAMG;IACH,wBAAwB,CACpB,MAAM,EAAE,uBAAuB,EAC/B,aAAa,GAAE,MAAW,GAC3B,eAAe;IAclB;;OAEG;IACG,qBAAqB,CACvB,MAAM,EAAE,uBAAuB,GAAG,yBAAyB,EAC3D,aAAa,GAAE,MAAW,GAC3B,OAAO,CAAC,MAAM,CAAC;YAQJ,aAAa;CAgB9B"}
|
|
@@ -1,17 +1,25 @@
|
|
|
1
1
|
import type { BaseAuthRequest } from "../request/BaseAuthRequest.js";
|
|
2
2
|
import type { ShrOptions, SignedHttpRequest } from "./SignedHttpRequest.js";
|
|
3
3
|
/**
|
|
4
|
-
*
|
|
5
|
-
* of objects that contain PKCE code
|
|
6
|
-
* challenge and verifier pairs
|
|
4
|
+
* PKCE code verifier and challenge pair used by authorization code flows.
|
|
7
5
|
*/
|
|
8
6
|
export type PkceCodes = {
|
|
9
7
|
verifier: string;
|
|
10
8
|
challenge: string;
|
|
11
9
|
};
|
|
10
|
+
/**
|
|
11
|
+
* Parameters used by crypto implementations to build signed HTTP request
|
|
12
|
+
* proof-of-possession tokens.
|
|
13
|
+
*/
|
|
12
14
|
export type SignedHttpRequestParameters = Pick<BaseAuthRequest, "resourceRequestMethod" | "resourceRequestUri" | "shrClaims" | "shrNonce" | "shrOptions"> & {
|
|
13
15
|
correlationId: string;
|
|
14
16
|
};
|
|
17
|
+
/**
|
|
18
|
+
* Shared JOSE algorithm literals used by MSAL package internals.
|
|
19
|
+
*/
|
|
20
|
+
export declare const JsonWebTokenAlgorithms: {
|
|
21
|
+
readonly ES256: "ES256";
|
|
22
|
+
};
|
|
15
23
|
/**
|
|
16
24
|
* Interface for crypto functions used by library
|
|
17
25
|
*/
|
|
@@ -67,5 +75,9 @@ export interface ICrypto {
|
|
|
67
75
|
*/
|
|
68
76
|
hashString(plainText: string): Promise<string>;
|
|
69
77
|
}
|
|
78
|
+
/**
|
|
79
|
+
* Default crypto implementation used when a platform-specific implementation has
|
|
80
|
+
* not been provided.
|
|
81
|
+
*/
|
|
70
82
|
export declare const DEFAULT_CRYPTO_IMPLEMENTATION: ICrypto;
|
|
71
83
|
//# sourceMappingURL=ICrypto.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ICrypto.d.ts","sourceRoot":"","sources":["../../src/crypto/ICrypto.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE5E
|
|
1
|
+
{"version":3,"file":"ICrypto.d.ts","sourceRoot":"","sources":["../../src/crypto/ICrypto.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE5E;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,2BAA2B,GAAG,IAAI,CAC1C,eAAe,EACb,uBAAuB,GACvB,oBAAoB,GACpB,WAAW,GACX,UAAU,GACV,YAAY,CACjB,GAAG;IACA,aAAa,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB;;CAEzB,CAAC;AACX;;GAEG;AACH,MAAM,WAAW,OAAO;IACpB;;OAEG;IACH,aAAa,IAAI,MAAM,CAAC;IACxB;;;OAGG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;;OAGG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACvC;;;;OAIG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;;OAGG;IACH,sBAAsB,CAClB,OAAO,EAAE,2BAA2B,GACrC,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB;;;;OAIG;IACH,qBAAqB,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzE;;;OAGG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACvD;;;OAGG;IACH,OAAO,CACH,OAAO,EAAE,iBAAiB,EAC1B,GAAG,EAAE,MAAM,EACX,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB;;;OAGG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAClD;AAED;;;GAGG;AACH,eAAO,MAAM,6BAA6B,EAAE,OA6D3C,CAAC"}
|
|
@@ -23,4 +23,6 @@ export declare const invalidRequestMethodForEAR = "invalid_request_method_for_EA
|
|
|
23
23
|
export declare const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
|
|
24
24
|
export declare const issuerValidationFailed = "issuer_validation_failed";
|
|
25
25
|
export declare const invalidResponseMode = "invalid_response_mode";
|
|
26
|
+
export declare const invalidDpopHtm = "invalid_dpop_htm";
|
|
27
|
+
export declare const invalidDpopHtu = "invalid_dpop_htu";
|
|
26
28
|
//# sourceMappingURL=ClientConfigurationErrorCodes.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ClientConfigurationErrorCodes.d.ts","sourceRoot":"","sources":["../../src/error/ClientConfigurationErrorCodes.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,qBAAqB,6BAA6B,CAAC;AAChE,eAAO,MAAM,aAAa,mBAAmB,CAAC;AAC9C,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,kBAAkB,yBAAyB,CAAC;AACzD,eAAO,MAAM,0BAA0B,kCAAkC,CAAC;AAC1E,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,6BAA6B,qCAAqC,CAAC;AAChF,eAAO,MAAM,wBAAwB,+BAA+B,CAAC;AACrE,eAAO,MAAM,kBAAkB,wBAAwB,CAAC;AACxD,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,gCAAgC,wCACJ,CAAC;AAC1C,eAAO,MAAM,2BAA2B,kCAAkC,CAAC;AAC3E,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AACtD,eAAO,MAAM,0BAA0B,mCAAmC,CAAC;AAC3E,eAAO,MAAM,kCAAkC,0CACJ,CAAC;AAC5C,eAAO,MAAM,sBAAsB,6BAA6B,CAAC;AACjE,eAAO,MAAM,mBAAmB,0BAA0B,CAAC"}
|
|
1
|
+
{"version":3,"file":"ClientConfigurationErrorCodes.d.ts","sourceRoot":"","sources":["../../src/error/ClientConfigurationErrorCodes.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,qBAAqB,6BAA6B,CAAC;AAChE,eAAO,MAAM,aAAa,mBAAmB,CAAC;AAC9C,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,kBAAkB,yBAAyB,CAAC;AACzD,eAAO,MAAM,0BAA0B,kCAAkC,CAAC;AAC1E,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,6BAA6B,qCAAqC,CAAC;AAChF,eAAO,MAAM,wBAAwB,+BAA+B,CAAC;AACrE,eAAO,MAAM,kBAAkB,wBAAwB,CAAC;AACxD,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,gCAAgC,wCACJ,CAAC;AAC1C,eAAO,MAAM,2BAA2B,kCAAkC,CAAC;AAC3E,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AACtD,eAAO,MAAM,0BAA0B,mCAAmC,CAAC;AAC3E,eAAO,MAAM,kCAAkC,0CACJ,CAAC;AAC5C,eAAO,MAAM,sBAAsB,6BAA6B,CAAC;AACjE,eAAO,MAAM,mBAAmB,0BAA0B,CAAC;AAC3D,eAAO,MAAM,cAAc,qBAAqB,CAAC;AACjD,eAAO,MAAM,cAAc,qBAAqB,CAAC"}
|