@azure/msal-common 16.11.1 → 16.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (161) hide show
  1. package/dist/account/AccountInfo.mjs +1 -1
  2. package/dist/account/AuthToken.mjs +1 -1
  3. package/dist/account/CcsCredential.mjs +1 -1
  4. package/dist/account/ClientInfo.mjs +1 -1
  5. package/dist/account/TokenClaims.mjs +1 -1
  6. package/dist/authority/Authority.mjs +1 -1
  7. package/dist/authority/AuthorityFactory.mjs +1 -1
  8. package/dist/authority/AuthorityMetadata.mjs +1 -1
  9. package/dist/authority/AuthorityOptions.mjs +1 -1
  10. package/dist/authority/AuthorityType.mjs +1 -1
  11. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  12. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  13. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  14. package/dist/authority/ProtocolMode.mjs +1 -1
  15. package/dist/authority/RegionDiscovery.mjs +1 -1
  16. package/dist/cache/CacheManager.mjs +1 -1
  17. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  18. package/dist/cache/utils/AccountEntityUtils.mjs +1 -1
  19. package/dist/cache/utils/CacheHelpers.mjs +1 -1
  20. package/dist/client/AuthorizationCodeClient.mjs +1 -1
  21. package/dist/client/RefreshTokenClient.mjs +1 -1
  22. package/dist/client/SilentFlowClient.mjs +1 -1
  23. package/dist/config/ClientConfiguration.mjs +1 -1
  24. package/dist/constants/AADServerParamKeys.mjs +1 -1
  25. package/dist/crypto/ICrypto.mjs +5 -1
  26. package/dist/crypto/ICrypto.mjs.map +1 -1
  27. package/dist/crypto/JoseHeader.mjs +1 -1
  28. package/dist/crypto/PopTokenGenerator.mjs +1 -1
  29. package/dist/error/AuthError.mjs +1 -1
  30. package/dist/error/AuthErrorCodes.mjs +1 -1
  31. package/dist/error/CacheError.mjs +1 -1
  32. package/dist/error/CacheErrorCodes.mjs +1 -1
  33. package/dist/error/ClientAuthError.mjs +1 -1
  34. package/dist/error/ClientAuthErrorCodes.mjs +1 -1
  35. package/dist/error/ClientConfigurationError.mjs +1 -1
  36. package/dist/error/ClientConfigurationErrorCodes.mjs +5 -3
  37. package/dist/error/ClientConfigurationErrorCodes.mjs.map +1 -1
  38. package/dist/error/InteractionRequiredAuthError.mjs +1 -1
  39. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  40. package/dist/error/JoseHeaderError.mjs +1 -1
  41. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  42. package/dist/error/NetworkError.mjs +1 -1
  43. package/dist/error/PlatformBrokerError.mjs +1 -1
  44. package/dist/error/ServerError.mjs +1 -1
  45. package/dist/index-node.mjs +1 -1
  46. package/dist/index.mjs +1 -1
  47. package/dist/logger/Logger.mjs +1 -1
  48. package/dist/network/INetworkModule.mjs +1 -1
  49. package/dist/network/RequestThumbprint.mjs +1 -1
  50. package/dist/network/ThrottlingUtils.mjs +1 -1
  51. package/dist/packageMetadata.mjs +2 -2
  52. package/dist/protocol/Authorize.mjs +1 -1
  53. package/dist/protocol/Token.mjs +1 -1
  54. package/dist/request/AuthenticationHeaderParser.mjs +1 -1
  55. package/dist/request/BaseAuthRequest.mjs +1 -1
  56. package/dist/request/RequestParameterBuilder.mjs +1 -1
  57. package/dist/request/ScopeSet.mjs +1 -1
  58. package/dist/response/ResponseHandler.mjs +1 -1
  59. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  60. package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
  61. package/dist/telemetry/performance/PerformanceEvents.mjs +1 -1
  62. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  63. package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
  64. package/dist/url/UrlString.mjs +1 -1
  65. package/dist/utils/ClientAssertionUtils.mjs +1 -1
  66. package/dist/utils/Constants.mjs +1 -1
  67. package/dist/utils/FunctionWrappers.mjs +1 -1
  68. package/dist/utils/ProtocolUtils.mjs +1 -1
  69. package/dist/utils/StringUtils.mjs +1 -1
  70. package/dist/utils/TimeUtils.mjs +1 -1
  71. package/dist/utils/UrlUtils.mjs +1 -1
  72. package/dist-browser/account/AccountInfo.mjs +1 -1
  73. package/dist-browser/account/AuthToken.mjs +1 -1
  74. package/dist-browser/account/CcsCredential.mjs +1 -1
  75. package/dist-browser/account/ClientInfo.mjs +1 -1
  76. package/dist-browser/account/TokenClaims.mjs +1 -1
  77. package/dist-browser/authority/Authority.mjs +1 -1
  78. package/dist-browser/authority/AuthorityFactory.mjs +1 -1
  79. package/dist-browser/authority/AuthorityMetadata.mjs +1 -1
  80. package/dist-browser/authority/AuthorityOptions.mjs +1 -1
  81. package/dist-browser/authority/AuthorityType.mjs +1 -1
  82. package/dist-browser/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  83. package/dist-browser/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  84. package/dist-browser/authority/OpenIdConfigResponse.mjs +1 -1
  85. package/dist-browser/authority/ProtocolMode.mjs +1 -1
  86. package/dist-browser/authority/RegionDiscovery.mjs +1 -1
  87. package/dist-browser/cache/CacheManager.mjs +1 -1
  88. package/dist-browser/cache/persistence/TokenCacheContext.mjs +1 -1
  89. package/dist-browser/cache/utils/AccountEntityUtils.mjs +1 -1
  90. package/dist-browser/cache/utils/CacheHelpers.mjs +1 -1
  91. package/dist-browser/client/AuthorizationCodeClient.mjs +1 -1
  92. package/dist-browser/client/RefreshTokenClient.mjs +1 -1
  93. package/dist-browser/client/SilentFlowClient.mjs +1 -1
  94. package/dist-browser/config/ClientConfiguration.mjs +1 -1
  95. package/dist-browser/constants/AADServerParamKeys.mjs +1 -1
  96. package/dist-browser/crypto/ICrypto.mjs +5 -1
  97. package/dist-browser/crypto/ICrypto.mjs.map +1 -1
  98. package/dist-browser/crypto/JoseHeader.mjs +1 -1
  99. package/dist-browser/crypto/PopTokenGenerator.mjs +1 -1
  100. package/dist-browser/error/AuthError.mjs +1 -1
  101. package/dist-browser/error/AuthErrorCodes.mjs +1 -1
  102. package/dist-browser/error/CacheError.mjs +1 -1
  103. package/dist-browser/error/CacheErrorCodes.mjs +1 -1
  104. package/dist-browser/error/ClientAuthError.mjs +1 -1
  105. package/dist-browser/error/ClientAuthErrorCodes.mjs +1 -1
  106. package/dist-browser/error/ClientConfigurationError.mjs +1 -1
  107. package/dist-browser/error/ClientConfigurationErrorCodes.mjs +5 -3
  108. package/dist-browser/error/ClientConfigurationErrorCodes.mjs.map +1 -1
  109. package/dist-browser/error/InteractionRequiredAuthError.mjs +1 -1
  110. package/dist-browser/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  111. package/dist-browser/error/JoseHeaderError.mjs +1 -1
  112. package/dist-browser/error/JoseHeaderErrorCodes.mjs +1 -1
  113. package/dist-browser/error/NetworkError.mjs +1 -1
  114. package/dist-browser/error/PlatformBrokerError.mjs +1 -1
  115. package/dist-browser/error/ServerError.mjs +1 -1
  116. package/dist-browser/index-browser.mjs +1 -1
  117. package/dist-browser/index.mjs +1 -1
  118. package/dist-browser/log-strings-mapping.json +2 -2
  119. package/dist-browser/logger/Logger.mjs +1 -1
  120. package/dist-browser/network/INetworkModule.mjs +1 -1
  121. package/dist-browser/network/RequestThumbprint.mjs +1 -1
  122. package/dist-browser/network/ThrottlingUtils.mjs +1 -1
  123. package/dist-browser/packageMetadata.mjs +2 -2
  124. package/dist-browser/protocol/Authorize.mjs +1 -1
  125. package/dist-browser/protocol/Token.mjs +1 -1
  126. package/dist-browser/request/AuthenticationHeaderParser.mjs +1 -1
  127. package/dist-browser/request/BaseAuthRequest.mjs +1 -1
  128. package/dist-browser/request/RequestParameterBuilder.mjs +1 -1
  129. package/dist-browser/request/ScopeSet.mjs +1 -1
  130. package/dist-browser/response/ResponseHandler.mjs +1 -1
  131. package/dist-browser/telemetry/performance/PerformanceClient.mjs +1 -1
  132. package/dist-browser/telemetry/performance/PerformanceEvent.mjs +1 -1
  133. package/dist-browser/telemetry/performance/PerformanceEvents.mjs +1 -1
  134. package/dist-browser/telemetry/performance/StubPerformanceClient.mjs +1 -1
  135. package/dist-browser/telemetry/server/ServerTelemetryManager.mjs +1 -1
  136. package/dist-browser/url/UrlString.mjs +1 -1
  137. package/dist-browser/utils/ClientAssertionUtils.mjs +1 -1
  138. package/dist-browser/utils/Constants.mjs +1 -1
  139. package/dist-browser/utils/FunctionWrappers.mjs +1 -1
  140. package/dist-browser/utils/ProtocolUtils.mjs +1 -1
  141. package/dist-browser/utils/StringUtils.mjs +1 -1
  142. package/dist-browser/utils/TimeUtils.mjs +1 -1
  143. package/dist-browser/utils/UrlUtils.mjs +1 -1
  144. package/lib/index-browser.cjs +2 -2
  145. package/lib/{index-node-Byp4nlZZ.js → index-node-CqVflMt1.js} +12 -4
  146. package/lib/index-node-CqVflMt1.js.map +1 -0
  147. package/lib/index-node.cjs +2 -2
  148. package/lib/index.cjs +2 -2
  149. package/package.json +1 -1
  150. package/src/crypto/DpopProofGenerator.ts +247 -0
  151. package/src/crypto/ICrypto.ts +15 -3
  152. package/src/error/ClientConfigurationErrorCodes.ts +2 -0
  153. package/src/packageMetadata.ts +1 -1
  154. package/types/crypto/DpopProofGenerator.d.ts +105 -0
  155. package/types/crypto/DpopProofGenerator.d.ts.map +1 -0
  156. package/types/crypto/ICrypto.d.ts +15 -3
  157. package/types/crypto/ICrypto.d.ts.map +1 -1
  158. package/types/error/ClientConfigurationErrorCodes.d.ts +2 -0
  159. package/types/error/ClientConfigurationErrorCodes.d.ts.map +1 -1
  160. package/types/packageMetadata.d.ts +1 -1
  161. package/lib/index-node-Byp4nlZZ.js.map +0 -1
@@ -0,0 +1,247 @@
1
+ /*
2
+ * Copyright (c) Microsoft Corporation. All rights reserved.
3
+ * Licensed under the MIT License.
4
+ */
5
+
6
+ import { ICrypto, JsonWebTokenAlgorithms } from "./ICrypto.js";
7
+ import * as TimeUtils from "../utils/TimeUtils.js";
8
+ import {
9
+ createClientConfigurationError,
10
+ ClientConfigurationErrorCodes,
11
+ } from "../error/ClientConfigurationError.js";
12
+
13
+ /**
14
+ * RFC 9449 DPoP proof JWT payload claims.
15
+ * Not exported from any public package entry point.
16
+ * @internal
17
+ */
18
+ export type DpopProofClaims = {
19
+ jti: string;
20
+ htm: string;
21
+ htu: string;
22
+ iat: number;
23
+ nonce?: string;
24
+ ath?: string;
25
+ };
26
+
27
+ /**
28
+ * Parameters for building a token-endpoint DPoP proof.
29
+ * @internal
30
+ */
31
+ export type DpopTokenProofParams = {
32
+ tokenEndpoint: string;
33
+ nonce?: string;
34
+ };
35
+
36
+ /**
37
+ * Parameters for building a resource-endpoint DPoP proof.
38
+ * @internal
39
+ */
40
+ export type DpopResourceProofParams = {
41
+ resourceUrl: string;
42
+ htm: string;
43
+ ath: string;
44
+ nonce?: string;
45
+ };
46
+
47
+ /**
48
+ * Public JWK embedded in the DPoP proof header.
49
+ * @internal
50
+ */
51
+ export type DpopPublicJwk = Record<string, unknown>;
52
+
53
+ /**
54
+ * RFC 9449 DPoP proof JWT header.
55
+ * @internal
56
+ */
57
+ export type DpopProofHeader = {
58
+ typ: typeof DPOP_JWT_HEADER_TYPE;
59
+ alg: string;
60
+ jwk: DpopPublicJwk;
61
+ };
62
+
63
+ /**
64
+ * Signs the ASCII DPoP JWT signing input with the declared JOSE alg
65
+ * and returns a base64url-encoded signature.
66
+ * @internal
67
+ */
68
+ export type DpopProofSigner = {
69
+ alg: string;
70
+ sign: (signingInput: string, correlationId: string) => Promise<string>;
71
+ };
72
+
73
+ /**
74
+ * Parameters shared by token and resource DPoP proof generation.
75
+ * @internal
76
+ */
77
+ export type DpopProofGenerationParams = {
78
+ publicJwk: DpopPublicJwk;
79
+ signer: DpopProofSigner;
80
+ };
81
+
82
+ const DPOP_HTM_REGEX = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
83
+ export const DPOP_JWT_HEADER_TYPE = "dpop+jwt";
84
+ export const DPOP_JWT_HEADER_ALGORITHM = JsonWebTokenAlgorithms.ES256;
85
+
86
+ function buildProofHeader(params: DpopProofGenerationParams): DpopProofHeader {
87
+ return {
88
+ typ: DPOP_JWT_HEADER_TYPE,
89
+ alg: params.signer.alg,
90
+ jwk: params.publicJwk,
91
+ };
92
+ }
93
+
94
+ function normalizeHtm(htm: string, correlationId: string): string {
95
+ if (typeof htm !== "string" || !DPOP_HTM_REGEX.test(htm)) {
96
+ throw createClientConfigurationError(
97
+ ClientConfigurationErrorCodes.invalidDpopHtm,
98
+ correlationId
99
+ );
100
+ }
101
+
102
+ return htm.toUpperCase();
103
+ }
104
+
105
+ /**
106
+ * Normalizes a URL for use as the DPoP htu claim.
107
+ * Per RFC 9449 §4.2, htu is the target URI without query and fragment components.
108
+ * WHATWG URL serialization handles RFC 3986 syntax- and scheme-based normalization
109
+ * such as lowercasing scheme/host and eliding default ports.
110
+ */
111
+ function normalizeHtu(url: string, correlationId: string): string {
112
+ let parsedUrl: URL;
113
+ try {
114
+ parsedUrl = new URL(url);
115
+ } catch {
116
+ throw createClientConfigurationError(
117
+ ClientConfigurationErrorCodes.urlParseError,
118
+ correlationId
119
+ );
120
+ }
121
+
122
+ if (
123
+ !/^https:\/\//i.test(url) ||
124
+ parsedUrl.protocol !== "https:" ||
125
+ parsedUrl.username ||
126
+ parsedUrl.password
127
+ ) {
128
+ throw createClientConfigurationError(
129
+ ClientConfigurationErrorCodes.invalidDpopHtu,
130
+ correlationId
131
+ );
132
+ }
133
+
134
+ parsedUrl.search = "";
135
+ parsedUrl.hash = "";
136
+ return parsedUrl.href;
137
+ }
138
+
139
+ /**
140
+ * Builds RFC 9449 DPoP proof JWT payloads for token-endpoint and
141
+ * resource-endpoint proof bindings.
142
+ *
143
+ * Not exported from any public package entry point.
144
+ * This helper is internal-only until DPoP is wired into acquisition flows
145
+ * in a subsequent work item.
146
+ *
147
+ * DPoP proofs do not contain SHR fields (at, ts, m, u, p, q).
148
+ * @internal
149
+ */
150
+ export class DpopProofGenerator {
151
+ private cryptoUtils: ICrypto;
152
+
153
+ constructor(cryptoUtils: ICrypto) {
154
+ this.cryptoUtils = cryptoUtils;
155
+ }
156
+
157
+ /**
158
+ * Builds RFC 9449 claims for a token-endpoint DPoP proof.
159
+ * - htm is always "POST" because token endpoint requests use HTTP POST (RFC 9449 §5).
160
+ * - htu is the normalized token endpoint URI (query and fragment stripped).
161
+ * - jti is a fresh CSPRNG-backed unique identifier for every proof.
162
+ */
163
+ buildTokenProofClaims(
164
+ params: DpopTokenProofParams,
165
+ correlationId: string = ""
166
+ ): DpopProofClaims {
167
+ const claims: DpopProofClaims = {
168
+ jti: this.cryptoUtils.createNewGuid(),
169
+ htm: "POST",
170
+ htu: normalizeHtu(params.tokenEndpoint, correlationId),
171
+ iat: TimeUtils.nowSeconds(),
172
+ };
173
+ if (params.nonce !== undefined) {
174
+ claims.nonce = params.nonce;
175
+ }
176
+ return claims;
177
+ }
178
+
179
+ /**
180
+ * Builds and signs a compact DPoP proof JWT for a token-endpoint request.
181
+ */
182
+ async generateTokenProof(
183
+ params: DpopTokenProofParams & DpopProofGenerationParams,
184
+ correlationId: string = ""
185
+ ): Promise<string> {
186
+ return this.generateProof(
187
+ this.buildTokenProofClaims(params, correlationId),
188
+ params,
189
+ correlationId
190
+ );
191
+ }
192
+
193
+ /**
194
+ * Builds RFC 9449 claims for a resource-endpoint DPoP proof.
195
+ * - htm is uppercased per RFC 9449 §4.2.
196
+ * - htu is the normalized resource URI (query and fragment stripped).
197
+ * - ath is the base64url-encoded SHA-256 hash of the ASCII access token.
198
+ * - jti is a fresh CSPRNG-backed unique identifier for every proof.
199
+ */
200
+ buildResourceProofClaims(
201
+ params: DpopResourceProofParams,
202
+ correlationId: string = ""
203
+ ): DpopProofClaims {
204
+ const claims: DpopProofClaims = {
205
+ jti: this.cryptoUtils.createNewGuid(),
206
+ htm: normalizeHtm(params.htm, correlationId),
207
+ htu: normalizeHtu(params.resourceUrl, correlationId),
208
+ ath: params.ath,
209
+ iat: TimeUtils.nowSeconds(),
210
+ };
211
+ if (params.nonce !== undefined) {
212
+ claims.nonce = params.nonce;
213
+ }
214
+ return claims;
215
+ }
216
+
217
+ /**
218
+ * Builds and signs a compact DPoP proof JWT for a resource request.
219
+ */
220
+ async generateResourceProof(
221
+ params: DpopResourceProofParams & DpopProofGenerationParams,
222
+ correlationId: string = ""
223
+ ): Promise<string> {
224
+ return this.generateProof(
225
+ this.buildResourceProofClaims(params, correlationId),
226
+ params,
227
+ correlationId
228
+ );
229
+ }
230
+
231
+ private async generateProof(
232
+ claims: DpopProofClaims,
233
+ params: DpopProofGenerationParams,
234
+ correlationId: string
235
+ ): Promise<string> {
236
+ const encodedHeader = this.cryptoUtils.base64UrlEncode(
237
+ JSON.stringify(buildProofHeader(params))
238
+ );
239
+ const encodedClaims = this.cryptoUtils.base64UrlEncode(
240
+ JSON.stringify(claims)
241
+ );
242
+ const signingInput = `${encodedHeader}.${encodedClaims}`;
243
+ const signature = await params.signer.sign(signingInput, correlationId);
244
+
245
+ return `${signingInput}.${signature}`;
246
+ }
247
+ }
@@ -11,15 +11,17 @@ import type { BaseAuthRequest } from "../request/BaseAuthRequest.js";
11
11
  import type { ShrOptions, SignedHttpRequest } from "./SignedHttpRequest.js";
12
12
 
13
13
  /**
14
- * The PkceCodes type describes the structure
15
- * of objects that contain PKCE code
16
- * challenge and verifier pairs
14
+ * PKCE code verifier and challenge pair used by authorization code flows.
17
15
  */
18
16
  export type PkceCodes = {
19
17
  verifier: string;
20
18
  challenge: string;
21
19
  };
22
20
 
21
+ /**
22
+ * Parameters used by crypto implementations to build signed HTTP request
23
+ * proof-of-possession tokens.
24
+ */
23
25
  export type SignedHttpRequestParameters = Pick<
24
26
  BaseAuthRequest,
25
27
  | "resourceRequestMethod"
@@ -31,6 +33,12 @@ export type SignedHttpRequestParameters = Pick<
31
33
  correlationId: string;
32
34
  };
33
35
 
36
+ /**
37
+ * Shared JOSE algorithm literals used by MSAL package internals.
38
+ */
39
+ export const JsonWebTokenAlgorithms = {
40
+ ES256: "ES256",
41
+ } as const;
34
42
  /**
35
43
  * Interface for crypto functions used by library
36
44
  */
@@ -94,6 +102,10 @@ export interface ICrypto {
94
102
  hashString(plainText: string): Promise<string>;
95
103
  }
96
104
 
105
+ /**
106
+ * Default crypto implementation used when a platform-specific implementation has
107
+ * not been provided.
108
+ */
97
109
  export const DEFAULT_CRYPTO_IMPLEMENTATION: ICrypto = {
98
110
  createNewGuid: (): string => {
99
111
  throw createClientAuthError(
@@ -30,3 +30,5 @@ export const invalidPlatformBrokerConfiguration =
30
30
  "invalid_platform_broker_configuration";
31
31
  export const issuerValidationFailed = "issuer_validation_failed";
32
32
  export const invalidResponseMode = "invalid_response_mode";
33
+ export const invalidDpopHtm = "invalid_dpop_htm";
34
+ export const invalidDpopHtu = "invalid_dpop_htu";
@@ -1,3 +1,3 @@
1
1
  /* eslint-disable header/header */
2
2
  export const name = "@azure/msal-common";
3
- export const version = "16.11.1";
3
+ export const version = "16.11.2";
@@ -0,0 +1,105 @@
1
+ import { ICrypto } from "./ICrypto.js";
2
+ /**
3
+ * RFC 9449 DPoP proof JWT payload claims.
4
+ * Not exported from any public package entry point.
5
+ * @internal
6
+ */
7
+ export type DpopProofClaims = {
8
+ jti: string;
9
+ htm: string;
10
+ htu: string;
11
+ iat: number;
12
+ nonce?: string;
13
+ ath?: string;
14
+ };
15
+ /**
16
+ * Parameters for building a token-endpoint DPoP proof.
17
+ * @internal
18
+ */
19
+ export type DpopTokenProofParams = {
20
+ tokenEndpoint: string;
21
+ nonce?: string;
22
+ };
23
+ /**
24
+ * Parameters for building a resource-endpoint DPoP proof.
25
+ * @internal
26
+ */
27
+ export type DpopResourceProofParams = {
28
+ resourceUrl: string;
29
+ htm: string;
30
+ ath: string;
31
+ nonce?: string;
32
+ };
33
+ /**
34
+ * Public JWK embedded in the DPoP proof header.
35
+ * @internal
36
+ */
37
+ export type DpopPublicJwk = Record<string, unknown>;
38
+ /**
39
+ * RFC 9449 DPoP proof JWT header.
40
+ * @internal
41
+ */
42
+ export type DpopProofHeader = {
43
+ typ: typeof DPOP_JWT_HEADER_TYPE;
44
+ alg: string;
45
+ jwk: DpopPublicJwk;
46
+ };
47
+ /**
48
+ * Signs the ASCII DPoP JWT signing input with the declared JOSE alg
49
+ * and returns a base64url-encoded signature.
50
+ * @internal
51
+ */
52
+ export type DpopProofSigner = {
53
+ alg: string;
54
+ sign: (signingInput: string, correlationId: string) => Promise<string>;
55
+ };
56
+ /**
57
+ * Parameters shared by token and resource DPoP proof generation.
58
+ * @internal
59
+ */
60
+ export type DpopProofGenerationParams = {
61
+ publicJwk: DpopPublicJwk;
62
+ signer: DpopProofSigner;
63
+ };
64
+ export declare const DPOP_JWT_HEADER_TYPE = "dpop+jwt";
65
+ export declare const DPOP_JWT_HEADER_ALGORITHM: "ES256";
66
+ /**
67
+ * Builds RFC 9449 DPoP proof JWT payloads for token-endpoint and
68
+ * resource-endpoint proof bindings.
69
+ *
70
+ * Not exported from any public package entry point.
71
+ * This helper is internal-only until DPoP is wired into acquisition flows
72
+ * in a subsequent work item.
73
+ *
74
+ * DPoP proofs do not contain SHR fields (at, ts, m, u, p, q).
75
+ * @internal
76
+ */
77
+ export declare class DpopProofGenerator {
78
+ private cryptoUtils;
79
+ constructor(cryptoUtils: ICrypto);
80
+ /**
81
+ * Builds RFC 9449 claims for a token-endpoint DPoP proof.
82
+ * - htm is always "POST" because token endpoint requests use HTTP POST (RFC 9449 §5).
83
+ * - htu is the normalized token endpoint URI (query and fragment stripped).
84
+ * - jti is a fresh CSPRNG-backed unique identifier for every proof.
85
+ */
86
+ buildTokenProofClaims(params: DpopTokenProofParams, correlationId?: string): DpopProofClaims;
87
+ /**
88
+ * Builds and signs a compact DPoP proof JWT for a token-endpoint request.
89
+ */
90
+ generateTokenProof(params: DpopTokenProofParams & DpopProofGenerationParams, correlationId?: string): Promise<string>;
91
+ /**
92
+ * Builds RFC 9449 claims for a resource-endpoint DPoP proof.
93
+ * - htm is uppercased per RFC 9449 §4.2.
94
+ * - htu is the normalized resource URI (query and fragment stripped).
95
+ * - ath is the base64url-encoded SHA-256 hash of the ASCII access token.
96
+ * - jti is a fresh CSPRNG-backed unique identifier for every proof.
97
+ */
98
+ buildResourceProofClaims(params: DpopResourceProofParams, correlationId?: string): DpopProofClaims;
99
+ /**
100
+ * Builds and signs a compact DPoP proof JWT for a resource request.
101
+ */
102
+ generateResourceProof(params: DpopResourceProofParams & DpopProofGenerationParams, correlationId?: string): Promise<string>;
103
+ private generateProof;
104
+ }
105
+ //# sourceMappingURL=DpopProofGenerator.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"DpopProofGenerator.d.ts","sourceRoot":"","sources":["../../src/crypto/DpopProofGenerator.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,OAAO,EAA0B,MAAM,cAAc,CAAC;AAO/D;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAAG;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,uBAAuB,GAAG;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,GAAG,EAAE,OAAO,oBAAoB,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,aAAa,CAAC;CACtB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,yBAAyB,GAAG;IACpC,SAAS,EAAE,aAAa,CAAC;IACzB,MAAM,EAAE,eAAe,CAAC;CAC3B,CAAC;AAGF,eAAO,MAAM,oBAAoB,aAAa,CAAC;AAC/C,eAAO,MAAM,yBAAyB,SAA+B,CAAC;AAuDtE;;;;;;;;;;GAUG;AACH,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,WAAW,CAAU;gBAEjB,WAAW,EAAE,OAAO;IAIhC;;;;;OAKG;IACH,qBAAqB,CACjB,MAAM,EAAE,oBAAoB,EAC5B,aAAa,GAAE,MAAW,GAC3B,eAAe;IAalB;;OAEG;IACG,kBAAkB,CACpB,MAAM,EAAE,oBAAoB,GAAG,yBAAyB,EACxD,aAAa,GAAE,MAAW,GAC3B,OAAO,CAAC,MAAM,CAAC;IAQlB;;;;;;OAMG;IACH,wBAAwB,CACpB,MAAM,EAAE,uBAAuB,EAC/B,aAAa,GAAE,MAAW,GAC3B,eAAe;IAclB;;OAEG;IACG,qBAAqB,CACvB,MAAM,EAAE,uBAAuB,GAAG,yBAAyB,EAC3D,aAAa,GAAE,MAAW,GAC3B,OAAO,CAAC,MAAM,CAAC;YAQJ,aAAa;CAgB9B"}
@@ -1,17 +1,25 @@
1
1
  import type { BaseAuthRequest } from "../request/BaseAuthRequest.js";
2
2
  import type { ShrOptions, SignedHttpRequest } from "./SignedHttpRequest.js";
3
3
  /**
4
- * The PkceCodes type describes the structure
5
- * of objects that contain PKCE code
6
- * challenge and verifier pairs
4
+ * PKCE code verifier and challenge pair used by authorization code flows.
7
5
  */
8
6
  export type PkceCodes = {
9
7
  verifier: string;
10
8
  challenge: string;
11
9
  };
10
+ /**
11
+ * Parameters used by crypto implementations to build signed HTTP request
12
+ * proof-of-possession tokens.
13
+ */
12
14
  export type SignedHttpRequestParameters = Pick<BaseAuthRequest, "resourceRequestMethod" | "resourceRequestUri" | "shrClaims" | "shrNonce" | "shrOptions"> & {
13
15
  correlationId: string;
14
16
  };
17
+ /**
18
+ * Shared JOSE algorithm literals used by MSAL package internals.
19
+ */
20
+ export declare const JsonWebTokenAlgorithms: {
21
+ readonly ES256: "ES256";
22
+ };
15
23
  /**
16
24
  * Interface for crypto functions used by library
17
25
  */
@@ -67,5 +75,9 @@ export interface ICrypto {
67
75
  */
68
76
  hashString(plainText: string): Promise<string>;
69
77
  }
78
+ /**
79
+ * Default crypto implementation used when a platform-specific implementation has
80
+ * not been provided.
81
+ */
70
82
  export declare const DEFAULT_CRYPTO_IMPLEMENTATION: ICrypto;
71
83
  //# sourceMappingURL=ICrypto.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"ICrypto.d.ts","sourceRoot":"","sources":["../../src/crypto/ICrypto.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE5E;;;;GAIG;AACH,MAAM,MAAM,SAAS,GAAG;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG,IAAI,CAC1C,eAAe,EACb,uBAAuB,GACvB,oBAAoB,GACpB,WAAW,GACX,UAAU,GACV,YAAY,CACjB,GAAG;IACA,aAAa,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,OAAO;IACpB;;OAEG;IACH,aAAa,IAAI,MAAM,CAAC;IACxB;;;OAGG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;;OAGG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACvC;;;;OAIG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;;OAGG;IACH,sBAAsB,CAClB,OAAO,EAAE,2BAA2B,GACrC,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB;;;;OAIG;IACH,qBAAqB,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzE;;;OAGG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACvD;;;OAGG;IACH,OAAO,CACH,OAAO,EAAE,iBAAiB,EAC1B,GAAG,EAAE,MAAM,EACX,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB;;;OAGG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAClD;AAED,eAAO,MAAM,6BAA6B,EAAE,OA6D3C,CAAC"}
1
+ {"version":3,"file":"ICrypto.d.ts","sourceRoot":"","sources":["../../src/crypto/ICrypto.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE5E;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,2BAA2B,GAAG,IAAI,CAC1C,eAAe,EACb,uBAAuB,GACvB,oBAAoB,GACpB,WAAW,GACX,UAAU,GACV,YAAY,CACjB,GAAG;IACA,aAAa,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB;;CAEzB,CAAC;AACX;;GAEG;AACH,MAAM,WAAW,OAAO;IACpB;;OAEG;IACH,aAAa,IAAI,MAAM,CAAC;IACxB;;;OAGG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;;OAGG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACvC;;;;OAIG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC;;;OAGG;IACH,sBAAsB,CAClB,OAAO,EAAE,2BAA2B,GACrC,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB;;;;OAIG;IACH,qBAAqB,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzE;;;OAGG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACvD;;;OAGG;IACH,OAAO,CACH,OAAO,EAAE,iBAAiB,EAC1B,GAAG,EAAE,MAAM,EACX,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB;;;OAGG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAClD;AAED;;;GAGG;AACH,eAAO,MAAM,6BAA6B,EAAE,OA6D3C,CAAC"}
@@ -23,4 +23,6 @@ export declare const invalidRequestMethodForEAR = "invalid_request_method_for_EA
23
23
  export declare const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
24
24
  export declare const issuerValidationFailed = "issuer_validation_failed";
25
25
  export declare const invalidResponseMode = "invalid_response_mode";
26
+ export declare const invalidDpopHtm = "invalid_dpop_htm";
27
+ export declare const invalidDpopHtu = "invalid_dpop_htu";
26
28
  //# sourceMappingURL=ClientConfigurationErrorCodes.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"ClientConfigurationErrorCodes.d.ts","sourceRoot":"","sources":["../../src/error/ClientConfigurationErrorCodes.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,qBAAqB,6BAA6B,CAAC;AAChE,eAAO,MAAM,aAAa,mBAAmB,CAAC;AAC9C,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,kBAAkB,yBAAyB,CAAC;AACzD,eAAO,MAAM,0BAA0B,kCAAkC,CAAC;AAC1E,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,6BAA6B,qCAAqC,CAAC;AAChF,eAAO,MAAM,wBAAwB,+BAA+B,CAAC;AACrE,eAAO,MAAM,kBAAkB,wBAAwB,CAAC;AACxD,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,gCAAgC,wCACJ,CAAC;AAC1C,eAAO,MAAM,2BAA2B,kCAAkC,CAAC;AAC3E,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AACtD,eAAO,MAAM,0BAA0B,mCAAmC,CAAC;AAC3E,eAAO,MAAM,kCAAkC,0CACJ,CAAC;AAC5C,eAAO,MAAM,sBAAsB,6BAA6B,CAAC;AACjE,eAAO,MAAM,mBAAmB,0BAA0B,CAAC"}
1
+ {"version":3,"file":"ClientConfigurationErrorCodes.d.ts","sourceRoot":"","sources":["../../src/error/ClientConfigurationErrorCodes.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,qBAAqB,6BAA6B,CAAC;AAChE,eAAO,MAAM,aAAa,mBAAmB,CAAC;AAC9C,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,kBAAkB,yBAAyB,CAAC;AACzD,eAAO,MAAM,0BAA0B,kCAAkC,CAAC;AAC1E,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AACvD,eAAO,MAAM,6BAA6B,qCAAqC,CAAC;AAChF,eAAO,MAAM,wBAAwB,+BAA+B,CAAC;AACrE,eAAO,MAAM,kBAAkB,wBAAwB,CAAC;AACxD,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,aAAa,oBAAoB,CAAC;AAC/C,eAAO,MAAM,gCAAgC,wCACJ,CAAC;AAC1C,eAAO,MAAM,2BAA2B,kCAAkC,CAAC;AAC3E,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,yBAAyB,iCAAiC,CAAC;AACxE,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AACtD,eAAO,MAAM,0BAA0B,mCAAmC,CAAC;AAC3E,eAAO,MAAM,kCAAkC,0CACJ,CAAC;AAC5C,eAAO,MAAM,sBAAsB,6BAA6B,CAAC;AACjE,eAAO,MAAM,mBAAmB,0BAA0B,CAAC;AAC3D,eAAO,MAAM,cAAc,qBAAqB,CAAC;AACjD,eAAO,MAAM,cAAc,qBAAqB,CAAC"}
@@ -1,3 +1,3 @@
1
1
  export declare const name = "@azure/msal-common";
2
- export declare const version = "16.11.1";
2
+ export declare const version = "16.11.2";
3
3
  //# sourceMappingURL=packageMetadata.d.ts.map