@azure/msal-common 16.6.0 → 16.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +140 -5
- package/dist/authority/Authority.mjs.map +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +10 -1
- package/dist/authority/AuthorityMetadata.mjs.map +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/AccountEntityUtils.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +1 -1
- package/dist/client/RefreshTokenClient.mjs +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.mjs +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +5 -3
- package/dist/error/ClientConfigurationErrorCodes.mjs.map +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/PlatformBrokerError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/index-node.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.mjs +1 -1
- package/dist/protocol/Token.mjs +1 -1
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/BaseAuthRequest.mjs +1 -1
- package/dist/request/RequestParameterBuilder.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/ResponseHandler.mjs +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.mjs +1 -1
- package/dist-browser/account/AccountInfo.mjs +1 -1
- package/dist-browser/account/AuthToken.mjs +1 -1
- package/dist-browser/account/CcsCredential.mjs +1 -1
- package/dist-browser/account/ClientInfo.mjs +1 -1
- package/dist-browser/account/TokenClaims.mjs +1 -1
- package/dist-browser/authority/Authority.mjs +140 -5
- package/dist-browser/authority/Authority.mjs.map +1 -1
- package/dist-browser/authority/AuthorityFactory.mjs +1 -1
- package/dist-browser/authority/AuthorityMetadata.mjs +10 -1
- package/dist-browser/authority/AuthorityMetadata.mjs.map +1 -1
- package/dist-browser/authority/AuthorityOptions.mjs +1 -1
- package/dist-browser/authority/AuthorityType.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist-browser/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist-browser/authority/ProtocolMode.mjs +1 -1
- package/dist-browser/authority/RegionDiscovery.mjs +1 -1
- package/dist-browser/cache/CacheManager.mjs +1 -1
- package/dist-browser/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist-browser/cache/utils/AccountEntityUtils.mjs +1 -1
- package/dist-browser/cache/utils/CacheHelpers.mjs +1 -1
- package/dist-browser/client/AuthorizationCodeClient.mjs +1 -1
- package/dist-browser/client/RefreshTokenClient.mjs +1 -1
- package/dist-browser/client/SilentFlowClient.mjs +1 -1
- package/dist-browser/config/ClientConfiguration.mjs +1 -1
- package/dist-browser/constants/AADServerParamKeys.mjs +1 -1
- package/dist-browser/crypto/ICrypto.mjs +1 -1
- package/dist-browser/crypto/JoseHeader.mjs +1 -1
- package/dist-browser/crypto/PopTokenGenerator.mjs +1 -1
- package/dist-browser/error/AuthError.mjs +1 -1
- package/dist-browser/error/AuthErrorCodes.mjs +1 -1
- package/dist-browser/error/CacheError.mjs +1 -1
- package/dist-browser/error/CacheErrorCodes.mjs +1 -1
- package/dist-browser/error/ClientAuthError.mjs +1 -1
- package/dist-browser/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist-browser/error/ClientConfigurationError.mjs +1 -1
- package/dist-browser/error/ClientConfigurationErrorCodes.mjs +5 -3
- package/dist-browser/error/ClientConfigurationErrorCodes.mjs.map +1 -1
- package/dist-browser/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist-browser/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist-browser/error/JoseHeaderError.mjs +1 -1
- package/dist-browser/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist-browser/error/NetworkError.mjs +1 -1
- package/dist-browser/error/PlatformBrokerError.mjs +1 -1
- package/dist-browser/error/ServerError.mjs +1 -1
- package/dist-browser/index-browser.mjs +1 -1
- package/dist-browser/index.mjs +1 -1
- package/dist-browser/log-strings-mapping.json +4 -4
- package/dist-browser/logger/Logger.mjs +1 -1
- package/dist-browser/network/INetworkModule.mjs +1 -1
- package/dist-browser/network/RequestThumbprint.mjs +1 -1
- package/dist-browser/network/ThrottlingUtils.mjs +1 -1
- package/dist-browser/packageMetadata.mjs +2 -2
- package/dist-browser/protocol/Authorize.mjs +1 -1
- package/dist-browser/protocol/Token.mjs +1 -1
- package/dist-browser/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist-browser/request/BaseAuthRequest.mjs +1 -1
- package/dist-browser/request/RequestParameterBuilder.mjs +1 -1
- package/dist-browser/request/ScopeSet.mjs +1 -1
- package/dist-browser/response/ResponseHandler.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist-browser/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist-browser/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist-browser/url/UrlString.mjs +1 -1
- package/dist-browser/utils/ClientAssertionUtils.mjs +1 -1
- package/dist-browser/utils/Constants.mjs +1 -1
- package/dist-browser/utils/FunctionWrappers.mjs +1 -1
- package/dist-browser/utils/ProtocolUtils.mjs +1 -1
- package/dist-browser/utils/StringUtils.mjs +1 -1
- package/dist-browser/utils/TimeUtils.mjs +1 -1
- package/dist-browser/utils/UrlUtils.mjs +1 -1
- package/lib/index-browser.cjs +2 -2
- package/lib/{index-node-BtcbvYTx.js → index-node-9_Gz5QUk.js} +154 -6
- package/lib/index-node-9_Gz5QUk.js.map +1 -0
- package/lib/index-node.cjs +2 -2
- package/lib/index.cjs +2 -2
- package/package.json +1 -1
- package/src/authority/Authority.ts +189 -2
- package/src/authority/AuthorityMetadata.ts +9 -0
- package/src/error/ClientConfigurationErrorCodes.ts +3 -0
- package/src/packageMetadata.ts +1 -1
- package/types/authority/Authority.d.ts +47 -1
- package/types/authority/Authority.d.ts.map +1 -1
- package/types/authority/AuthorityMetadata.d.ts.map +1 -1
- package/types/error/ClientConfigurationErrorCodes.d.ts +2 -0
- package/types/error/ClientConfigurationErrorCodes.d.ts.map +1 -1
- package/types/packageMetadata.d.ts +1 -1
- package/lib/index-node-BtcbvYTx.js.map +0 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v16.6.
|
|
1
|
+
/*! @azure/msal-common v16.6.2 2026-05-19 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -292,7 +292,9 @@ const invalidAuthenticationHeader = "invalid_authentication_header";
|
|
|
292
292
|
const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
|
|
293
293
|
const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
|
|
294
294
|
const authorityMismatch = "authority_mismatch";
|
|
295
|
-
const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
|
|
295
|
+
const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
|
|
296
|
+
const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
|
|
297
|
+
const issuerValidationFailed = "issuer_validation_failed";
|
|
296
298
|
|
|
297
299
|
var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
|
|
298
300
|
__proto__: null,
|
|
@@ -307,7 +309,9 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
307
309
|
invalidClaims: invalidClaims,
|
|
308
310
|
invalidCloudDiscoveryMetadata: invalidCloudDiscoveryMetadata,
|
|
309
311
|
invalidCodeChallengeMethod: invalidCodeChallengeMethod,
|
|
312
|
+
invalidPlatformBrokerConfiguration: invalidPlatformBrokerConfiguration,
|
|
310
313
|
invalidRequestMethodForEAR: invalidRequestMethodForEAR,
|
|
314
|
+
issuerValidationFailed: issuerValidationFailed,
|
|
311
315
|
logoutRequestEmpty: logoutRequestEmpty,
|
|
312
316
|
missingNonceAuthenticationHeader: missingNonceAuthenticationHeader,
|
|
313
317
|
missingSshJwk: missingSshJwk,
|
|
@@ -1054,6 +1058,15 @@ const rawMetdataJSON = {
|
|
|
1054
1058
|
preferred_cache: "login.sovcloud-identity.sg",
|
|
1055
1059
|
aliases: ["login.sovcloud-identity.sg"],
|
|
1056
1060
|
},
|
|
1061
|
+
{
|
|
1062
|
+
preferred_network: "login.windows-ppe.net",
|
|
1063
|
+
preferred_cache: "login.windows-ppe.net",
|
|
1064
|
+
aliases: [
|
|
1065
|
+
"login.windows-ppe.net",
|
|
1066
|
+
"sts.windows-ppe.net",
|
|
1067
|
+
"login.microsoft-ppe.com",
|
|
1068
|
+
],
|
|
1069
|
+
},
|
|
1057
1070
|
],
|
|
1058
1071
|
},
|
|
1059
1072
|
};
|
|
@@ -2093,7 +2106,7 @@ class Authority {
|
|
|
2093
2106
|
}, this.correlationId);
|
|
2094
2107
|
}
|
|
2095
2108
|
/**
|
|
2096
|
-
* Returns metadata entity from cache if it exists,
|
|
2109
|
+
* Returns metadata entity from cache if it exists, otherwise returns a new metadata entity built
|
|
2097
2110
|
* from the configured canonical authority
|
|
2098
2111
|
* @returns
|
|
2099
2112
|
*/
|
|
@@ -2162,6 +2175,8 @@ class Authority {
|
|
|
2162
2175
|
// Get metadata from network if local sources aren't available
|
|
2163
2176
|
let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
|
|
2164
2177
|
if (metadata) {
|
|
2178
|
+
// Validate the issuer returned by the OIDC discovery document.
|
|
2179
|
+
this.validateIssuer(metadata.issuer);
|
|
2165
2180
|
// If the user prefers to use an azure region replace the global endpoints with regional information.
|
|
2166
2181
|
if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
|
|
2167
2182
|
metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
|
|
@@ -2330,7 +2345,7 @@ class Authority {
|
|
|
2330
2345
|
throw createClientConfigurationError(untrustedAuthority);
|
|
2331
2346
|
}
|
|
2332
2347
|
updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
|
|
2333
|
-
this.logger.verbose("Attempting to get cloud discovery metadata
|
|
2348
|
+
this.logger.verbose("Attempting to get cloud discovery metadata from authority configuration", this.correlationId);
|
|
2334
2349
|
this.logger.verbosePii(`Known Authorities: '${this.authorityOptions.knownAuthorities ||
|
|
2335
2350
|
NOT_APPLICABLE}'`, this.correlationId);
|
|
2336
2351
|
this.logger.verbosePii(`Authority Metadata: '${this.authorityOptions.authorityMetadata ||
|
|
@@ -2530,6 +2545,139 @@ class Authority {
|
|
|
2530
2545
|
isAliasOfKnownMicrosoftAuthority(host) {
|
|
2531
2546
|
return InstanceDiscoveryMetadataAliases.has(host);
|
|
2532
2547
|
}
|
|
2548
|
+
/**
|
|
2549
|
+
* Validates the `issuer` returned by an OIDC discovery document against
|
|
2550
|
+
* this authority, per
|
|
2551
|
+
* https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
|
|
2552
|
+
*
|
|
2553
|
+
* The issuer is accepted when ANY of the following holds:
|
|
2554
|
+
* 1. The issuer scheme + host + port match the authority's (path may
|
|
2555
|
+
* differ). Applies to all authorities.
|
|
2556
|
+
* 2. The authority is a Microsoft cloud authority (public, sovereign,
|
|
2557
|
+
* or CIAM), the issuer is HTTPS, and the issuer host is in the known
|
|
2558
|
+
* Microsoft authority host set.
|
|
2559
|
+
* 3. Same as (2), but the issuer host is a single-label regional variant
|
|
2560
|
+
* of a known Microsoft host (e.g. `westus.login.microsoftonline.com`).
|
|
2561
|
+
* 4. Same as (2), but the issuer host matches the CIAM tenant pattern
|
|
2562
|
+
* `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
|
|
2563
|
+
* path.
|
|
2564
|
+
*
|
|
2565
|
+
* @param issuer The `issuer` value returned in the OIDC discovery document.
|
|
2566
|
+
* @throws ClientConfigurationError("issuer_validation_failed") on failure.
|
|
2567
|
+
*/
|
|
2568
|
+
validateIssuer(issuer) {
|
|
2569
|
+
if (!issuer) {
|
|
2570
|
+
throw createClientConfigurationError(issuerValidationFailed);
|
|
2571
|
+
}
|
|
2572
|
+
// Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
|
|
2573
|
+
let issuerUrl;
|
|
2574
|
+
try {
|
|
2575
|
+
issuerUrl = new URL(issuer);
|
|
2576
|
+
}
|
|
2577
|
+
catch {
|
|
2578
|
+
throw createClientConfigurationError(issuerValidationFailed);
|
|
2579
|
+
}
|
|
2580
|
+
const issuerScheme = issuerUrl.protocol;
|
|
2581
|
+
const issuerHost = issuerUrl.host;
|
|
2582
|
+
const authorityScheme = (this.canonicalAuthorityUrlComponents.Protocol || "").toLowerCase();
|
|
2583
|
+
const authorityHost = (this.canonicalAuthorityUrlComponents.HostNameAndPort || "").toLowerCase();
|
|
2584
|
+
// Rule 1: Same scheme and host
|
|
2585
|
+
const matchesAuthorityOrigin = this.matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost);
|
|
2586
|
+
// Rule 2: The issuer host is a well-known Microsoft authority host (HTTPS only)
|
|
2587
|
+
const matchesKnownMicrosoftHost = issuerScheme === "https:" &&
|
|
2588
|
+
this.isAliasOfKnownMicrosoftAuthority(issuerHost);
|
|
2589
|
+
/*
|
|
2590
|
+
* Rule 3: The issuer host is a regional variant ({region}.{host}) of a well-known host
|
|
2591
|
+
* (HTTPS only). E.g. westus2.login.microsoft.com
|
|
2592
|
+
*/
|
|
2593
|
+
const matchesRegionalMicrosoftHost = issuerScheme === "https:" &&
|
|
2594
|
+
this.matchesRegionalMicrosoftHost(issuerHost);
|
|
2595
|
+
/*
|
|
2596
|
+
* Rule 4: CIAM-specific validation. In a CIAM scenario the issuer is expected to
|
|
2597
|
+
* have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
|
|
2598
|
+
*/
|
|
2599
|
+
const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
|
|
2600
|
+
// Each rule is an independent boolean; the issuer is valid if ANY rule matches.
|
|
2601
|
+
if (matchesAuthorityOrigin ||
|
|
2602
|
+
matchesKnownMicrosoftHost ||
|
|
2603
|
+
matchesRegionalMicrosoftHost ||
|
|
2604
|
+
matchesCiamTenantPattern) {
|
|
2605
|
+
return;
|
|
2606
|
+
}
|
|
2607
|
+
// issuer validation fails if none of the above rules are satisfied
|
|
2608
|
+
throw createClientConfigurationError(issuerValidationFailed);
|
|
2609
|
+
}
|
|
2610
|
+
/**
|
|
2611
|
+
* Rule 1: The issuer scheme + host (and port) match the authority's. Path
|
|
2612
|
+
* may differ. Applies to all authorities.
|
|
2613
|
+
*/
|
|
2614
|
+
matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost) {
|
|
2615
|
+
return issuerScheme === authorityScheme && issuerHost === authorityHost;
|
|
2616
|
+
}
|
|
2617
|
+
/**
|
|
2618
|
+
* Rule 3: The issuer host is a regional variant
|
|
2619
|
+
* (`{region}.{host}`) of a known Microsoft authority host.
|
|
2620
|
+
* E.g. `westus2.login.microsoft.com`.
|
|
2621
|
+
*/
|
|
2622
|
+
matchesRegionalMicrosoftHost(issuerHost) {
|
|
2623
|
+
const firstDot = issuerHost.indexOf(".");
|
|
2624
|
+
if (firstDot > 0 && firstDot < issuerHost.length - 1) {
|
|
2625
|
+
const hostWithoutRegion = issuerHost.substring(firstDot + 1);
|
|
2626
|
+
return this.isAliasOfKnownMicrosoftAuthority(hostWithoutRegion);
|
|
2627
|
+
}
|
|
2628
|
+
return false;
|
|
2629
|
+
}
|
|
2630
|
+
/**
|
|
2631
|
+
* Rule 4: The issuer matches one of the well-known CIAM tenant patterns
|
|
2632
|
+
* (`https://{tenant}.ciamlogin.com[/{tenant}[.onmicrosoft.com][/v2.0]]`).
|
|
2633
|
+
*
|
|
2634
|
+
* The bare tenant name is extracted from the authority's first path segment
|
|
2635
|
+
* when available (stripping the `.onmicrosoft.com` suffix that
|
|
2636
|
+
* `transformCIAMAuthority` adds), or otherwise from the leftmost label of
|
|
2637
|
+
* the authority host (to support CIAM custom domain scenarios).
|
|
2638
|
+
*
|
|
2639
|
+
* Both `/{tenant}` and `/{tenant}.onmicrosoft.com` path forms are accepted
|
|
2640
|
+
* because the OIDC issuer may use either form depending on the authority URL
|
|
2641
|
+
* that was used to trigger discovery.
|
|
2642
|
+
*/
|
|
2643
|
+
matchesCiamTenantPattern(issuerUrl, authorityHost, authorityPathSegments) {
|
|
2644
|
+
/*
|
|
2645
|
+
* authorityPathSegments[0] is the first path segment of the *authority
|
|
2646
|
+
* URL* after transformCIAMAuthority runs (e.g. "contoso.onmicrosoft.com").
|
|
2647
|
+
* Additional CIAM issuer path segments such as "/v2.0" are part of the
|
|
2648
|
+
* issuer string, not the authority URL's PathSegments.
|
|
2649
|
+
*/
|
|
2650
|
+
const pathSegment = authorityPathSegments[0];
|
|
2651
|
+
/*
|
|
2652
|
+
* Extract the bare tenant name: strip the .onmicrosoft.com suffix when
|
|
2653
|
+
* present (introduced by transformCIAMAuthority), or fall back to the
|
|
2654
|
+
* first label of the authority hostname for non-transformed/custom-domain
|
|
2655
|
+
* CIAM authorities.
|
|
2656
|
+
*/
|
|
2657
|
+
const tenantName = pathSegment
|
|
2658
|
+
? pathSegment.endsWith(AAD_TENANT_DOMAIN_SUFFIX)
|
|
2659
|
+
? pathSegment.slice(0, -AAD_TENANT_DOMAIN_SUFFIX.length)
|
|
2660
|
+
: pathSegment
|
|
2661
|
+
: authorityHost.split(".")[0];
|
|
2662
|
+
if (!tenantName) {
|
|
2663
|
+
return false;
|
|
2664
|
+
}
|
|
2665
|
+
const ciamBaseURL = `https://${tenantName}${CIAM_AUTH_URL}`;
|
|
2666
|
+
const validCiamPatterns = [
|
|
2667
|
+
ciamBaseURL,
|
|
2668
|
+
`${ciamBaseURL}/${tenantName}`,
|
|
2669
|
+
`${ciamBaseURL}/${tenantName}/v2.0`,
|
|
2670
|
+
`${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}`,
|
|
2671
|
+
`${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}/v2.0`, // https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0
|
|
2672
|
+
];
|
|
2673
|
+
/*
|
|
2674
|
+
* Compose the canonical issuer string from URL components and strip any
|
|
2675
|
+
* trailing slashes from the path so it can be compared to the pattern set.
|
|
2676
|
+
*/
|
|
2677
|
+
const issuerPath = issuerUrl.pathname.replace(/\/+$/, "");
|
|
2678
|
+
const normalizedIssuer = `${issuerUrl.protocol}//${issuerUrl.host}${issuerPath}`;
|
|
2679
|
+
return validCiamPatterns.some((pattern) => pattern === normalizedIssuer);
|
|
2680
|
+
}
|
|
2533
2681
|
/**
|
|
2534
2682
|
* Checks whether the provided host is that of a public cloud authority
|
|
2535
2683
|
*
|
|
@@ -4265,7 +4413,7 @@ class Logger {
|
|
|
4265
4413
|
|
|
4266
4414
|
/* eslint-disable header/header */
|
|
4267
4415
|
const name = "@azure/msal-common";
|
|
4268
|
-
const version = "16.6.
|
|
4416
|
+
const version = "16.6.2";
|
|
4269
4417
|
|
|
4270
4418
|
/*
|
|
4271
4419
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7893,4 +8041,4 @@ exports.invokeAsync = invokeAsync;
|
|
|
7893
8041
|
exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
|
|
7894
8042
|
exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
|
|
7895
8043
|
exports.version = version;
|
|
7896
|
-
//# sourceMappingURL=index-node-
|
|
8044
|
+
//# sourceMappingURL=index-node-9_Gz5QUk.js.map
|