@azure/msal-common 16.8.0 → 16.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +9 -3
- package/dist/account/AccountInfo.mjs.map +1 -1
- package/dist/account/AuthToken.mjs +9 -23
- package/dist/account/AuthToken.mjs.map +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +4 -4
- package/dist/account/ClientInfo.mjs.map +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +36 -37
- package/dist/authority/Authority.mjs.map +1 -1
- package/dist/authority/AuthorityFactory.mjs +3 -3
- package/dist/authority/AuthorityFactory.mjs.map +1 -1
- package/dist/authority/AuthorityMetadata.mjs +2 -2
- package/dist/authority/AuthorityMetadata.mjs.map +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +16 -10
- package/dist/authority/RegionDiscovery.mjs.map +1 -1
- package/dist/cache/CacheManager.mjs +62 -46
- package/dist/cache/CacheManager.mjs.map +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/AccountEntityUtils.mjs +23 -7
- package/dist/cache/utils/AccountEntityUtils.mjs.map +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +12 -4
- package/dist/cache/utils/CacheHelpers.mjs.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +7 -7
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +8 -8
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +10 -18
- package/dist/client/SilentFlowClient.mjs.map +1 -1
- package/dist/config/ClientConfiguration.mjs +6 -5
- package/dist/config/ClientConfiguration.mjs.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +7 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +11 -11
- package/dist/crypto/ICrypto.mjs.map +1 -1
- package/dist/crypto/JoseHeader.mjs +3 -3
- package/dist/crypto/JoseHeader.mjs.map +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +2 -2
- package/dist/crypto/PopTokenGenerator.mjs.map +1 -1
- package/dist/error/AuthError.mjs +5 -7
- package/dist/error/AuthError.mjs.map +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +5 -5
- package/dist/error/ClientAuthError.mjs.map +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +2 -4
- package/dist/error/ClientAuthErrorCodes.mjs.map +1 -1
- package/dist/error/ClientConfigurationError.mjs +5 -5
- package/dist/error/ClientConfigurationError.mjs.map +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +5 -6
- package/dist/error/InteractionRequiredAuthError.mjs.map +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +5 -5
- package/dist/error/JoseHeaderError.mjs.map +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +2 -2
- package/dist/error/NetworkError.mjs.map +1 -1
- package/dist/error/PlatformBrokerError.mjs +3 -3
- package/dist/error/PlatformBrokerError.mjs.map +1 -1
- package/dist/error/ServerError.mjs +3 -3
- package/dist/error/ServerError.mjs.map +1 -1
- package/dist/index-node.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/logger/Logger.mjs +25 -11
- package/dist/logger/Logger.mjs.map +1 -1
- package/dist/network/INetworkModule.mjs +4 -3
- package/dist/network/INetworkModule.mjs.map +1 -1
- package/dist/network/RequestThumbprint.mjs +1 -1
- package/dist/network/ThrottlingUtils.mjs +2 -2
- package/dist/network/ThrottlingUtils.mjs.map +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.mjs +18 -14
- package/dist/protocol/Authorize.mjs.map +1 -1
- package/dist/protocol/Token.mjs +4 -2
- package/dist/protocol/Token.mjs.map +1 -1
- package/dist/request/AuthenticationHeaderParser.mjs +4 -4
- package/dist/request/AuthenticationHeaderParser.mjs.map +1 -1
- package/dist/request/BaseAuthRequest.mjs +3 -3
- package/dist/request/BaseAuthRequest.mjs.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +50 -31
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/ScopeSet.mjs +13 -12
- package/dist/request/ScopeSet.mjs.map +1 -1
- package/dist/response/ResponseHandler.mjs +30 -27
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +15 -14
- package/dist/url/UrlString.mjs.map +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +3 -2
- package/dist/utils/ClientAssertionUtils.mjs.map +1 -1
- package/dist/utils/Constants.mjs +7 -3
- package/dist/utils/Constants.mjs.map +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +12 -9
- package/dist/utils/ProtocolUtils.mjs.map +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/UrlUtils.mjs +4 -4
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/dist-browser/account/AccountInfo.mjs +9 -3
- package/dist-browser/account/AccountInfo.mjs.map +1 -1
- package/dist-browser/account/AuthToken.mjs +9 -23
- package/dist-browser/account/AuthToken.mjs.map +1 -1
- package/dist-browser/account/CcsCredential.mjs +1 -1
- package/dist-browser/account/ClientInfo.mjs +4 -4
- package/dist-browser/account/ClientInfo.mjs.map +1 -1
- package/dist-browser/account/TokenClaims.mjs +1 -1
- package/dist-browser/authority/Authority.mjs +52 -50
- package/dist-browser/authority/Authority.mjs.map +1 -1
- package/dist-browser/authority/AuthorityFactory.mjs +3 -3
- package/dist-browser/authority/AuthorityFactory.mjs.map +1 -1
- package/dist-browser/authority/AuthorityMetadata.mjs +8 -7
- package/dist-browser/authority/AuthorityMetadata.mjs.map +1 -1
- package/dist-browser/authority/AuthorityOptions.mjs +1 -1
- package/dist-browser/authority/AuthorityType.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist-browser/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist-browser/authority/ProtocolMode.mjs +1 -1
- package/dist-browser/authority/RegionDiscovery.mjs +16 -10
- package/dist-browser/authority/RegionDiscovery.mjs.map +1 -1
- package/dist-browser/cache/CacheManager.mjs +63 -47
- package/dist-browser/cache/CacheManager.mjs.map +1 -1
- package/dist-browser/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist-browser/cache/utils/AccountEntityUtils.mjs +23 -7
- package/dist-browser/cache/utils/AccountEntityUtils.mjs.map +1 -1
- package/dist-browser/cache/utils/CacheHelpers.mjs +12 -4
- package/dist-browser/cache/utils/CacheHelpers.mjs.map +1 -1
- package/dist-browser/client/AuthorizationCodeClient.mjs +10 -10
- package/dist-browser/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist-browser/client/RefreshTokenClient.mjs +9 -9
- package/dist-browser/client/RefreshTokenClient.mjs.map +1 -1
- package/dist-browser/client/SilentFlowClient.mjs +11 -19
- package/dist-browser/client/SilentFlowClient.mjs.map +1 -1
- package/dist-browser/config/ClientConfiguration.mjs +6 -5
- package/dist-browser/config/ClientConfiguration.mjs.map +1 -1
- package/dist-browser/constants/AADServerParamKeys.mjs +7 -3
- package/dist-browser/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist-browser/crypto/ICrypto.mjs +11 -11
- package/dist-browser/crypto/ICrypto.mjs.map +1 -1
- package/dist-browser/crypto/JoseHeader.mjs +3 -3
- package/dist-browser/crypto/JoseHeader.mjs.map +1 -1
- package/dist-browser/crypto/PopTokenGenerator.mjs +2 -2
- package/dist-browser/crypto/PopTokenGenerator.mjs.map +1 -1
- package/dist-browser/error/AuthError.mjs +5 -7
- package/dist-browser/error/AuthError.mjs.map +1 -1
- package/dist-browser/error/AuthErrorCodes.mjs +1 -1
- package/dist-browser/error/CacheError.mjs +1 -1
- package/dist-browser/error/CacheErrorCodes.mjs +1 -1
- package/dist-browser/error/ClientAuthError.mjs +5 -5
- package/dist-browser/error/ClientAuthError.mjs.map +1 -1
- package/dist-browser/error/ClientAuthErrorCodes.mjs +2 -4
- package/dist-browser/error/ClientAuthErrorCodes.mjs.map +1 -1
- package/dist-browser/error/ClientConfigurationError.mjs +5 -5
- package/dist-browser/error/ClientConfigurationError.mjs.map +1 -1
- package/dist-browser/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist-browser/error/InteractionRequiredAuthError.mjs +5 -6
- package/dist-browser/error/InteractionRequiredAuthError.mjs.map +1 -1
- package/dist-browser/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist-browser/error/JoseHeaderError.mjs +5 -5
- package/dist-browser/error/JoseHeaderError.mjs.map +1 -1
- package/dist-browser/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist-browser/error/NetworkError.mjs +2 -2
- package/dist-browser/error/NetworkError.mjs.map +1 -1
- package/dist-browser/error/PlatformBrokerError.mjs +3 -3
- package/dist-browser/error/PlatformBrokerError.mjs.map +1 -1
- package/dist-browser/error/ServerError.mjs +3 -3
- package/dist-browser/error/ServerError.mjs.map +1 -1
- package/dist-browser/index-browser.mjs +1 -1
- package/dist-browser/index.mjs +1 -1
- package/dist-browser/log-strings-mapping.json +2 -2
- package/dist-browser/logger/Logger.mjs +25 -11
- package/dist-browser/logger/Logger.mjs.map +1 -1
- package/dist-browser/network/INetworkModule.mjs +4 -3
- package/dist-browser/network/INetworkModule.mjs.map +1 -1
- package/dist-browser/network/RequestThumbprint.mjs +1 -1
- package/dist-browser/network/ThrottlingUtils.mjs +2 -2
- package/dist-browser/network/ThrottlingUtils.mjs.map +1 -1
- package/dist-browser/packageMetadata.mjs +2 -2
- package/dist-browser/protocol/Authorize.mjs +18 -14
- package/dist-browser/protocol/Authorize.mjs.map +1 -1
- package/dist-browser/protocol/Token.mjs +5 -3
- package/dist-browser/protocol/Token.mjs.map +1 -1
- package/dist-browser/request/AuthenticationHeaderParser.mjs +4 -4
- package/dist-browser/request/AuthenticationHeaderParser.mjs.map +1 -1
- package/dist-browser/request/BaseAuthRequest.mjs +3 -3
- package/dist-browser/request/BaseAuthRequest.mjs.map +1 -1
- package/dist-browser/request/RequestParameterBuilder.mjs +50 -31
- package/dist-browser/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist-browser/request/ScopeSet.mjs +13 -12
- package/dist-browser/request/ScopeSet.mjs.map +1 -1
- package/dist-browser/response/ResponseHandler.mjs +32 -29
- package/dist-browser/response/ResponseHandler.mjs.map +1 -1
- package/dist-browser/telemetry/performance/PerformanceClient.mjs +9 -9
- package/dist-browser/telemetry/performance/PerformanceClient.mjs.map +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist-browser/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist-browser/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist-browser/url/UrlString.mjs +15 -14
- package/dist-browser/url/UrlString.mjs.map +1 -1
- package/dist-browser/utils/ClientAssertionUtils.mjs +3 -2
- package/dist-browser/utils/ClientAssertionUtils.mjs.map +1 -1
- package/dist-browser/utils/Constants.mjs +7 -3
- package/dist-browser/utils/Constants.mjs.map +1 -1
- package/dist-browser/utils/FunctionWrappers.mjs +7 -7
- package/dist-browser/utils/FunctionWrappers.mjs.map +1 -1
- package/dist-browser/utils/ProtocolUtils.mjs +12 -9
- package/dist-browser/utils/ProtocolUtils.mjs.map +1 -1
- package/dist-browser/utils/StringUtils.mjs +1 -1
- package/dist-browser/utils/TimeUtils.mjs +1 -1
- package/dist-browser/utils/UrlUtils.mjs +6 -6
- package/dist-browser/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +8 -8
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node-7wFgJ2eB.js → index-node-BSFEsmmC.js} +407 -325
- package/lib/index-node-BSFEsmmC.js.map +1 -0
- package/lib/index-node.cjs +2 -2
- package/lib/index.cjs +2 -2
- package/package.json +3 -5
- package/src/account/AccountInfo.ts +19 -1
- package/src/account/AuthToken.ts +19 -21
- package/src/account/ClientCredentials.ts +1 -0
- package/src/account/ClientInfo.ts +8 -3
- package/src/authority/Authority.ts +73 -38
- package/src/authority/AuthorityFactory.ts +4 -2
- package/src/authority/AuthorityMetadata.ts +2 -1
- package/src/authority/RegionDiscovery.ts +18 -11
- package/src/cache/CacheManager.ts +160 -57
- package/src/cache/entities/AccountEntity.ts +4 -0
- package/src/cache/entities/CredentialEntity.ts +2 -0
- package/src/cache/interface/ICacheManager.ts +1 -0
- package/src/cache/utils/AccountEntityUtils.ts +29 -3
- package/src/cache/utils/CacheHelpers.ts +18 -3
- package/src/cache/utils/CacheTypes.ts +2 -0
- package/src/client/AuthorizationCodeClient.ts +10 -4
- package/src/client/RefreshTokenClient.ts +12 -5
- package/src/client/SilentFlowClient.ts +17 -20
- package/src/config/ClientConfiguration.ts +14 -4
- package/src/constants/AADServerParamKeys.ts +5 -0
- package/src/crypto/ICrypto.ts +40 -10
- package/src/crypto/JoseHeader.ts +8 -2
- package/src/crypto/PopTokenGenerator.ts +1 -1
- package/src/error/AuthError.ts +9 -5
- package/src/error/ClientAuthError.ts +8 -3
- package/src/error/ClientAuthErrorCodes.ts +0 -2
- package/src/error/ClientConfigurationError.ts +5 -4
- package/src/error/InteractionRequiredAuthError.ts +9 -5
- package/src/error/JoseHeaderError.ts +11 -4
- package/src/error/NetworkError.ts +6 -1
- package/src/error/PlatformBrokerError.ts +2 -1
- package/src/error/ServerError.ts +3 -2
- package/src/logger/Logger.ts +25 -10
- package/src/network/INetworkModule.ts +3 -2
- package/src/network/ThrottlingUtils.ts +1 -0
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +23 -6
- package/src/protocol/Token.ts +6 -1
- package/src/request/AuthenticationHeaderParser.ts +6 -3
- package/src/request/BaseAuthRequest.ts +8 -2
- package/src/request/RequestParameterBuilder.ts +67 -43
- package/src/request/ScopeSet.ts +27 -11
- package/src/response/ImdsComputeResponse.ts +14 -0
- package/src/response/ResponseHandler.ts +46 -32
- package/src/url/UrlString.ts +32 -13
- package/src/utils/ClientAssertionUtils.ts +3 -1
- package/src/utils/Constants.ts +6 -3
- package/src/utils/ProtocolUtils.ts +26 -8
- package/src/utils/UrlUtils.ts +8 -3
- package/types/account/AccountInfo.d.ts +8 -2
- package/types/account/AccountInfo.d.ts.map +1 -1
- package/types/account/AuthToken.d.ts +2 -6
- package/types/account/AuthToken.d.ts.map +1 -1
- package/types/account/ClientCredentials.d.ts +1 -0
- package/types/account/ClientCredentials.d.ts.map +1 -1
- package/types/account/ClientInfo.d.ts.map +1 -1
- package/types/authority/Authority.d.ts +5 -5
- package/types/authority/Authority.d.ts.map +1 -1
- package/types/authority/AuthorityFactory.d.ts.map +1 -1
- package/types/authority/AuthorityMetadata.d.ts.map +1 -1
- package/types/authority/RegionDiscovery.d.ts +3 -2
- package/types/authority/RegionDiscovery.d.ts.map +1 -1
- package/types/cache/CacheManager.d.ts +0 -7
- package/types/cache/CacheManager.d.ts.map +1 -1
- package/types/cache/entities/AccountEntity.d.ts +4 -0
- package/types/cache/entities/AccountEntity.d.ts.map +1 -1
- package/types/cache/entities/CredentialEntity.d.ts +2 -0
- package/types/cache/entities/CredentialEntity.d.ts.map +1 -1
- package/types/cache/interface/ICacheManager.d.ts +1 -0
- package/types/cache/interface/ICacheManager.d.ts.map +1 -1
- package/types/cache/utils/AccountEntityUtils.d.ts +7 -1
- package/types/cache/utils/AccountEntityUtils.d.ts.map +1 -1
- package/types/cache/utils/CacheHelpers.d.ts +4 -1
- package/types/cache/utils/CacheHelpers.d.ts.map +1 -1
- package/types/cache/utils/CacheTypes.d.ts +2 -1
- package/types/cache/utils/CacheTypes.d.ts.map +1 -1
- package/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/types/client/SilentFlowClient.d.ts.map +1 -1
- package/types/config/ClientConfiguration.d.ts +4 -0
- package/types/config/ClientConfiguration.d.ts.map +1 -1
- package/types/constants/AADServerParamKeys.d.ts +4 -0
- package/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/types/crypto/ICrypto.d.ts.map +1 -1
- package/types/crypto/JoseHeader.d.ts.map +1 -1
- package/types/error/AuthError.d.ts +2 -3
- package/types/error/AuthError.d.ts.map +1 -1
- package/types/error/ClientAuthError.d.ts +2 -2
- package/types/error/ClientAuthError.d.ts.map +1 -1
- package/types/error/ClientAuthErrorCodes.d.ts +0 -2
- package/types/error/ClientAuthErrorCodes.d.ts.map +1 -1
- package/types/error/ClientConfigurationError.d.ts +2 -2
- package/types/error/ClientConfigurationError.d.ts.map +1 -1
- package/types/error/InteractionRequiredAuthError.d.ts +2 -2
- package/types/error/InteractionRequiredAuthError.d.ts.map +1 -1
- package/types/error/JoseHeaderError.d.ts +2 -2
- package/types/error/JoseHeaderError.d.ts.map +1 -1
- package/types/error/NetworkError.d.ts.map +1 -1
- package/types/error/PlatformBrokerError.d.ts +1 -1
- package/types/error/PlatformBrokerError.d.ts.map +1 -1
- package/types/error/ServerError.d.ts +1 -1
- package/types/error/ServerError.d.ts.map +1 -1
- package/types/logger/Logger.d.ts.map +1 -1
- package/types/network/INetworkModule.d.ts.map +1 -1
- package/types/network/ThrottlingUtils.d.ts.map +1 -1
- package/types/packageMetadata.d.ts +1 -1
- package/types/packageMetadata.d.ts.map +1 -1
- package/types/protocol/Authorize.d.ts +6 -2
- package/types/protocol/Authorize.d.ts.map +1 -1
- package/types/protocol/Token.d.ts +2 -0
- package/types/protocol/Token.d.ts.map +1 -1
- package/types/request/AuthenticationHeaderParser.d.ts.map +1 -1
- package/types/request/BaseAuthRequest.d.ts +4 -0
- package/types/request/BaseAuthRequest.d.ts.map +1 -1
- package/types/request/RequestParameterBuilder.d.ts +13 -3
- package/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/types/request/ScopeSet.d.ts +4 -3
- package/types/request/ScopeSet.d.ts.map +1 -1
- package/types/response/ImdsComputeResponse.d.ts +10 -0
- package/types/response/ImdsComputeResponse.d.ts.map +1 -0
- package/types/response/ResponseHandler.d.ts +2 -1
- package/types/response/ResponseHandler.d.ts.map +1 -1
- package/types/url/UrlString.d.ts +5 -4
- package/types/url/UrlString.d.ts.map +1 -1
- package/types/utils/ClientAssertionUtils.d.ts +1 -1
- package/types/utils/ClientAssertionUtils.d.ts.map +1 -1
- package/types/utils/Constants.d.ts +6 -2
- package/types/utils/Constants.d.ts.map +1 -1
- package/types/utils/ProtocolUtils.d.ts +6 -3
- package/types/utils/ProtocolUtils.d.ts.map +1 -1
- package/types/utils/UrlUtils.d.ts.map +1 -1
- package/lib/index-node-7wFgJ2eB.js.map +0 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v16.
|
|
1
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -29,7 +29,7 @@ function getDefaultErrorMessage(code) {
|
|
|
29
29
|
* General error class thrown by the MSAL.js library.
|
|
30
30
|
*/
|
|
31
31
|
class AuthError extends Error {
|
|
32
|
-
constructor(errorCode, errorMessage, suberror) {
|
|
32
|
+
constructor(errorCode, correlationId, errorMessage, suberror) {
|
|
33
33
|
const message = errorMessage ||
|
|
34
34
|
(errorCode ? getDefaultErrorMessage(errorCode) : "");
|
|
35
35
|
const errorString = message ? `${errorCode}: ${message}` : errorCode;
|
|
@@ -38,14 +38,12 @@ class AuthError extends Error {
|
|
|
38
38
|
this.errorCode = errorCode || "";
|
|
39
39
|
this.errorMessage = message || "";
|
|
40
40
|
this.subError = suberror || "";
|
|
41
|
-
this.name = "AuthError";
|
|
42
|
-
}
|
|
43
|
-
setCorrelationId(correlationId) {
|
|
44
41
|
this.correlationId = correlationId;
|
|
42
|
+
this.name = "AuthError";
|
|
45
43
|
}
|
|
46
44
|
}
|
|
47
|
-
function createAuthError(code, additionalMessage) {
|
|
48
|
-
return new AuthError(code, additionalMessage || getDefaultErrorMessage(code));
|
|
45
|
+
function createAuthError(code, correlationId, additionalMessage) {
|
|
46
|
+
return new AuthError(code, correlationId, additionalMessage || getDefaultErrorMessage(code));
|
|
49
47
|
}
|
|
50
48
|
|
|
51
49
|
/*
|
|
@@ -64,8 +62,6 @@ const invalidState = "invalid_state";
|
|
|
64
62
|
const stateMismatch = "state_mismatch";
|
|
65
63
|
const stateNotFound = "state_not_found";
|
|
66
64
|
const nonceMismatch = "nonce_mismatch";
|
|
67
|
-
const authTimeNotFound = "auth_time_not_found";
|
|
68
|
-
const maxAgeTranspired = "max_age_transpired";
|
|
69
65
|
const multipleMatchingTokens = "multiple_matching_tokens";
|
|
70
66
|
const multipleMatchingAppMetadata = "multiple_matching_appMetadata";
|
|
71
67
|
const requestCannotBeMade = "request_cannot_be_made";
|
|
@@ -94,7 +90,6 @@ const misplacedResourceParam = "misplaced_resource_parameter";
|
|
|
94
90
|
|
|
95
91
|
var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
96
92
|
__proto__: null,
|
|
97
|
-
authTimeNotFound: authTimeNotFound,
|
|
98
93
|
authorizationCodeMissingFromServerResponse: authorizationCodeMissingFromServerResponse,
|
|
99
94
|
bindingKeyNotRemoved: bindingKeyNotRemoved,
|
|
100
95
|
cannotAppendScopeSet: cannotAppendScopeSet,
|
|
@@ -109,7 +104,6 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
109
104
|
invalidCacheRecord: invalidCacheRecord,
|
|
110
105
|
invalidState: invalidState,
|
|
111
106
|
keyIdMissing: keyIdMissing,
|
|
112
|
-
maxAgeTranspired: maxAgeTranspired,
|
|
113
107
|
methodNotImplemented: methodNotImplemented,
|
|
114
108
|
misplacedResourceParam: misplacedResourceParam,
|
|
115
109
|
multipleMatchingAppMetadata: multipleMatchingAppMetadata,
|
|
@@ -146,14 +140,14 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
146
140
|
* Error thrown when there is an error in the client code running on the browser.
|
|
147
141
|
*/
|
|
148
142
|
class ClientAuthError extends AuthError {
|
|
149
|
-
constructor(errorCode, additionalMessage) {
|
|
150
|
-
super(errorCode, additionalMessage);
|
|
143
|
+
constructor(errorCode, correlationId, additionalMessage) {
|
|
144
|
+
super(errorCode, correlationId, additionalMessage);
|
|
151
145
|
this.name = "ClientAuthError";
|
|
152
146
|
Object.setPrototypeOf(this, ClientAuthError.prototype);
|
|
153
147
|
}
|
|
154
148
|
}
|
|
155
|
-
function createClientAuthError(errorCode, additionalMessage) {
|
|
156
|
-
return new ClientAuthError(errorCode, additionalMessage);
|
|
149
|
+
function createClientAuthError(errorCode, correlationId, additionalMessage) {
|
|
150
|
+
return new ClientAuthError(errorCode, correlationId, additionalMessage);
|
|
157
151
|
}
|
|
158
152
|
|
|
159
153
|
/*
|
|
@@ -165,8 +159,8 @@ function createClientAuthError(errorCode, additionalMessage) {
|
|
|
165
159
|
*
|
|
166
160
|
* @param encodedToken
|
|
167
161
|
*/
|
|
168
|
-
function extractTokenClaims(encodedToken, base64Decode) {
|
|
169
|
-
const jswPayload = getJWSPayload(encodedToken);
|
|
162
|
+
function extractTokenClaims(encodedToken, base64Decode, correlationId) {
|
|
163
|
+
const jswPayload = getJWSPayload(encodedToken, correlationId);
|
|
170
164
|
// token will be decoded to get the username
|
|
171
165
|
try {
|
|
172
166
|
// base64Decode() should throw an error if there is an issue
|
|
@@ -174,7 +168,7 @@ function extractTokenClaims(encodedToken, base64Decode) {
|
|
|
174
168
|
return JSON.parse(base64Decoded);
|
|
175
169
|
}
|
|
176
170
|
catch (err) {
|
|
177
|
-
throw createClientAuthError(tokenParsingError);
|
|
171
|
+
throw createClientAuthError(tokenParsingError, correlationId);
|
|
178
172
|
}
|
|
179
173
|
}
|
|
180
174
|
/**
|
|
@@ -201,14 +195,14 @@ function isKmsi(idTokenClaims) {
|
|
|
201
195
|
*
|
|
202
196
|
* @param authToken
|
|
203
197
|
*/
|
|
204
|
-
function getJWSPayload(authToken) {
|
|
198
|
+
function getJWSPayload(authToken, correlationId) {
|
|
205
199
|
if (!authToken) {
|
|
206
|
-
throw createClientAuthError(nullOrEmptyToken);
|
|
200
|
+
throw createClientAuthError(nullOrEmptyToken, correlationId);
|
|
207
201
|
}
|
|
208
202
|
const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
|
|
209
203
|
const matches = tokenPartsRegex.exec(authToken);
|
|
210
204
|
if (!matches || matches.length < 4) {
|
|
211
|
-
throw createClientAuthError(tokenParsingError);
|
|
205
|
+
throw createClientAuthError(tokenParsingError, correlationId);
|
|
212
206
|
}
|
|
213
207
|
/**
|
|
214
208
|
* const crackedToken = {
|
|
@@ -218,25 +212,10 @@ function getJWSPayload(authToken) {
|
|
|
218
212
|
* };
|
|
219
213
|
*/
|
|
220
214
|
return matches[2];
|
|
221
|
-
}
|
|
222
|
-
/**
|
|
223
|
-
* Determine if the token's max_age has transpired
|
|
224
|
-
*/
|
|
225
|
-
function checkMaxAge(authTime, maxAge) {
|
|
226
|
-
/*
|
|
227
|
-
* per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
228
|
-
* To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
|
|
229
|
-
* provide a value of 0 for the max_age parameter and the AS will force a fresh login.
|
|
230
|
-
*/
|
|
231
|
-
const fiveMinuteSkew = 300000; // five minutes in milliseconds
|
|
232
|
-
if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
|
|
233
|
-
throw createClientAuthError(maxAgeTranspired);
|
|
234
|
-
}
|
|
235
215
|
}
|
|
236
216
|
|
|
237
217
|
var AuthToken = /*#__PURE__*/Object.freeze({
|
|
238
218
|
__proto__: null,
|
|
239
|
-
checkMaxAge: checkMaxAge,
|
|
240
219
|
extractTokenClaims: extractTokenClaims,
|
|
241
220
|
getJWSPayload: getJWSPayload,
|
|
242
221
|
isKmsi: isKmsi
|
|
@@ -332,14 +311,14 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
332
311
|
* Error thrown when there is an error in configuration of the MSAL.js library.
|
|
333
312
|
*/
|
|
334
313
|
class ClientConfigurationError extends AuthError {
|
|
335
|
-
constructor(errorCode) {
|
|
336
|
-
super(errorCode);
|
|
314
|
+
constructor(errorCode, correlationId) {
|
|
315
|
+
super(errorCode, correlationId);
|
|
337
316
|
this.name = "ClientConfigurationError";
|
|
338
317
|
Object.setPrototypeOf(this, ClientConfigurationError.prototype);
|
|
339
318
|
}
|
|
340
319
|
}
|
|
341
|
-
function createClientConfigurationError(errorCode) {
|
|
342
|
-
return new ClientConfigurationError(errorCode);
|
|
320
|
+
function createClientConfigurationError(errorCode, correlationId) {
|
|
321
|
+
return new ClientConfigurationError(errorCode, correlationId);
|
|
343
322
|
}
|
|
344
323
|
|
|
345
324
|
/*
|
|
@@ -454,8 +433,8 @@ const AUTHORIZATION_PENDING = "authorization_pending";
|
|
|
454
433
|
const NOT_APPLICABLE = "N/A";
|
|
455
434
|
const NOT_AVAILABLE = "Not Available";
|
|
456
435
|
const FORWARD_SLASH = "/";
|
|
457
|
-
const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute
|
|
458
|
-
const IMDS_VERSION = "
|
|
436
|
+
const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute";
|
|
437
|
+
const IMDS_VERSION = "2021-02-01";
|
|
459
438
|
const IMDS_TIMEOUT = 2000;
|
|
460
439
|
const AZURE_REGION_AUTO_DISCOVER_FLAG = "TryAutoDetect";
|
|
461
440
|
const REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = "login.microsoft.com";
|
|
@@ -529,6 +508,9 @@ const AADAuthority = {
|
|
|
529
508
|
const ClaimsRequestKeys = {
|
|
530
509
|
ACCESS_TOKEN: "access_token",
|
|
531
510
|
XMS_CC: "xms_cc",
|
|
511
|
+
ID_TOKEN: "id_token",
|
|
512
|
+
SIGNIN_STATE: "signin_state",
|
|
513
|
+
LOGIN_HINT: "login_hint",
|
|
532
514
|
};
|
|
533
515
|
/**
|
|
534
516
|
* we considered making this "enum" in the request instead of string, however it looks like the allowed list of
|
|
@@ -577,6 +559,7 @@ const GrantType = {
|
|
|
577
559
|
REFRESH_TOKEN_GRANT: "refresh_token",
|
|
578
560
|
DEVICE_CODE_GRANT: "device_code",
|
|
579
561
|
JWT_BEARER: "urn:ietf:params:oauth:grant-type:jwt-bearer",
|
|
562
|
+
USER_FIC: "user_fic",
|
|
580
563
|
};
|
|
581
564
|
/**
|
|
582
565
|
* Account types in Cache
|
|
@@ -830,11 +813,12 @@ class UrlString {
|
|
|
830
813
|
get urlString() {
|
|
831
814
|
return this._urlString;
|
|
832
815
|
}
|
|
833
|
-
constructor(url) {
|
|
816
|
+
constructor(url, correlationId) {
|
|
834
817
|
this._urlString = url;
|
|
818
|
+
this.correlationId = correlationId;
|
|
835
819
|
if (!this._urlString) {
|
|
836
820
|
// Throws error if url is empty
|
|
837
|
-
throw createClientConfigurationError(urlEmptyError);
|
|
821
|
+
throw createClientConfigurationError(urlEmptyError, correlationId);
|
|
838
822
|
}
|
|
839
823
|
if (!url.includes("#")) {
|
|
840
824
|
this._urlString = UrlString.canonicalizeUri(url);
|
|
@@ -870,16 +854,16 @@ class UrlString {
|
|
|
870
854
|
components = this.getUrlComponents();
|
|
871
855
|
}
|
|
872
856
|
catch (e) {
|
|
873
|
-
throw createClientConfigurationError(urlParseError);
|
|
857
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
874
858
|
}
|
|
875
859
|
// Throw error if URI or path segments are not parseable.
|
|
876
860
|
if (!components.HostNameAndPort || !components.PathSegments) {
|
|
877
|
-
throw createClientConfigurationError(urlParseError);
|
|
861
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
878
862
|
}
|
|
879
863
|
// Throw error if uri is insecure.
|
|
880
864
|
if (!components.Protocol ||
|
|
881
865
|
components.Protocol.toLowerCase() !== "https:") {
|
|
882
|
-
throw createClientConfigurationError(authorityUriInsecure);
|
|
866
|
+
throw createClientConfigurationError(authorityUriInsecure, this.correlationId);
|
|
883
867
|
}
|
|
884
868
|
}
|
|
885
869
|
/**
|
|
@@ -916,7 +900,7 @@ class UrlString {
|
|
|
916
900
|
pathArray[0] === AADAuthority.ORGANIZATIONS)) {
|
|
917
901
|
pathArray[0] = tenantId;
|
|
918
902
|
}
|
|
919
|
-
return UrlString.constructAuthorityUriFromObject(urlObject);
|
|
903
|
+
return UrlString.constructAuthorityUriFromObject(urlObject, this.correlationId);
|
|
920
904
|
}
|
|
921
905
|
/**
|
|
922
906
|
* Parses out the components from a url string.
|
|
@@ -928,7 +912,7 @@ class UrlString {
|
|
|
928
912
|
// If url string does not match regEx, we throw an error
|
|
929
913
|
const match = this.urlString.match(regEx);
|
|
930
914
|
if (!match) {
|
|
931
|
-
throw createClientConfigurationError(urlParseError);
|
|
915
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
932
916
|
}
|
|
933
917
|
// Url component object
|
|
934
918
|
const urlComponents = {
|
|
@@ -946,17 +930,17 @@ class UrlString {
|
|
|
946
930
|
}
|
|
947
931
|
return urlComponents;
|
|
948
932
|
}
|
|
949
|
-
static getDomainFromUrl(url) {
|
|
933
|
+
static getDomainFromUrl(url, correlationId) {
|
|
950
934
|
const regEx = RegExp("^([^:/?#]+://)?([^/?#]*)");
|
|
951
935
|
const match = url.match(regEx);
|
|
952
936
|
if (!match) {
|
|
953
|
-
throw createClientConfigurationError(urlParseError);
|
|
937
|
+
throw createClientConfigurationError(urlParseError, correlationId);
|
|
954
938
|
}
|
|
955
939
|
return match[2];
|
|
956
940
|
}
|
|
957
|
-
static getAbsoluteUrl(relativeUrl, baseUrl) {
|
|
941
|
+
static getAbsoluteUrl(relativeUrl, baseUrl, correlationId) {
|
|
958
942
|
if (relativeUrl[0] === FORWARD_SLASH) {
|
|
959
|
-
const url = new UrlString(baseUrl);
|
|
943
|
+
const url = new UrlString(baseUrl, correlationId);
|
|
960
944
|
const baseComponents = url.getUrlComponents();
|
|
961
945
|
return (baseComponents.Protocol +
|
|
962
946
|
"//" +
|
|
@@ -965,12 +949,12 @@ class UrlString {
|
|
|
965
949
|
}
|
|
966
950
|
return relativeUrl;
|
|
967
951
|
}
|
|
968
|
-
static constructAuthorityUriFromObject(urlObject) {
|
|
952
|
+
static constructAuthorityUriFromObject(urlObject, correlationId) {
|
|
969
953
|
return new UrlString(urlObject.Protocol +
|
|
970
954
|
"//" +
|
|
971
955
|
urlObject.HostNameAndPort +
|
|
972
956
|
"/" +
|
|
973
|
-
urlObject.PathSegments.join("/"));
|
|
957
|
+
urlObject.PathSegments.join("/"), correlationId);
|
|
974
958
|
}
|
|
975
959
|
}
|
|
976
960
|
|
|
@@ -1088,7 +1072,7 @@ function getAliasesFromStaticSources(staticAuthorityOptions, logger, correlation
|
|
|
1088
1072
|
let staticAliases;
|
|
1089
1073
|
const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
|
|
1090
1074
|
if (canonicalAuthority) {
|
|
1091
|
-
const authorityHost = new UrlString(canonicalAuthority).getUrlComponents().HostNameAndPort;
|
|
1075
|
+
const authorityHost = new UrlString(canonicalAuthority, correlationId).getUrlComponents().HostNameAndPort;
|
|
1092
1076
|
staticAliases =
|
|
1093
1077
|
getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata, AuthorityMetadataSource.CONFIG) ||
|
|
1094
1078
|
getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata, AuthorityMetadataSource.HARDCODED_VALUES) ||
|
|
@@ -1415,9 +1399,12 @@ class RegionDiscovery {
|
|
|
1415
1399
|
try {
|
|
1416
1400
|
const localIMDSVersionResponse = await invokeAsync(this.getRegionFromIMDS.bind(this), RegionDiscoveryGetRegionFromIMDS, this.logger, this.performanceClient, this.correlationId)(IMDS_VERSION, options);
|
|
1417
1401
|
if (localIMDSVersionResponse.status === HTTP_SUCCESS) {
|
|
1418
|
-
autodetectedRegionName =
|
|
1419
|
-
|
|
1420
|
-
|
|
1402
|
+
autodetectedRegionName =
|
|
1403
|
+
localIMDSVersionResponse.body?.location;
|
|
1404
|
+
if (autodetectedRegionName) {
|
|
1405
|
+
regionDiscoveryMetadata.region_source =
|
|
1406
|
+
RegionDiscoverySources.IMDS;
|
|
1407
|
+
}
|
|
1421
1408
|
}
|
|
1422
1409
|
// If the response using the local IMDS version failed, try to fetch the current version of IMDS and retry.
|
|
1423
1410
|
if (localIMDSVersionResponse.status ===
|
|
@@ -1432,9 +1419,11 @@ class RegionDiscovery {
|
|
|
1432
1419
|
if (currentIMDSVersionResponse.status ===
|
|
1433
1420
|
HTTP_SUCCESS) {
|
|
1434
1421
|
autodetectedRegionName =
|
|
1435
|
-
currentIMDSVersionResponse.body;
|
|
1436
|
-
|
|
1437
|
-
|
|
1422
|
+
currentIMDSVersionResponse.body?.location;
|
|
1423
|
+
if (autodetectedRegionName) {
|
|
1424
|
+
regionDiscoveryMetadata.region_source =
|
|
1425
|
+
RegionDiscoverySources.IMDS;
|
|
1426
|
+
}
|
|
1438
1427
|
}
|
|
1439
1428
|
}
|
|
1440
1429
|
}
|
|
@@ -1458,11 +1447,12 @@ class RegionDiscovery {
|
|
|
1458
1447
|
/**
|
|
1459
1448
|
* Make the call to the IMDS endpoint
|
|
1460
1449
|
*
|
|
1461
|
-
* @param
|
|
1462
|
-
* @
|
|
1450
|
+
* @param version
|
|
1451
|
+
* @param options
|
|
1452
|
+
* @returns Promise<NetworkResponse<ImdsComputeResponse>>
|
|
1463
1453
|
*/
|
|
1464
1454
|
async getRegionFromIMDS(version, options) {
|
|
1465
|
-
return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}
|
|
1455
|
+
return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}`, options, IMDS_TIMEOUT);
|
|
1466
1456
|
}
|
|
1467
1457
|
/**
|
|
1468
1458
|
* Get the most recent version of the IMDS endpoint available
|
|
@@ -1610,7 +1600,7 @@ function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tena
|
|
|
1610
1600
|
* @param expiresOn
|
|
1611
1601
|
* @param extExpiresOn
|
|
1612
1602
|
*/
|
|
1613
|
-
function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
|
|
1603
|
+
function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, correlationId, refreshOn, tokenType, userAssertionHash, keyId, additionalCacheKeyComponents) {
|
|
1614
1604
|
const atEntity = {
|
|
1615
1605
|
homeAccountId: homeAccountId,
|
|
1616
1606
|
credentialType: CredentialType.ACCESS_TOKEN,
|
|
@@ -1642,9 +1632,9 @@ function createAccessTokenEntity(homeAccountId, environment, accessToken, client
|
|
|
1642
1632
|
switch (atEntity.tokenType) {
|
|
1643
1633
|
case AuthenticationScheme.POP:
|
|
1644
1634
|
// Make sure keyId is present and add it to credential
|
|
1645
|
-
const tokenClaims = extractTokenClaims(accessToken, base64Decode);
|
|
1635
|
+
const tokenClaims = extractTokenClaims(accessToken, base64Decode, correlationId);
|
|
1646
1636
|
if (!tokenClaims?.cnf?.kid) {
|
|
1647
|
-
throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
|
|
1637
|
+
throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt, correlationId);
|
|
1648
1638
|
}
|
|
1649
1639
|
atEntity.keyId = tokenClaims.cnf.kid;
|
|
1650
1640
|
break;
|
|
@@ -1652,6 +1642,11 @@ function createAccessTokenEntity(homeAccountId, environment, accessToken, client
|
|
|
1652
1642
|
atEntity.keyId = keyId;
|
|
1653
1643
|
}
|
|
1654
1644
|
}
|
|
1645
|
+
/* Additional cache key components for cache isolation (e.g., FMI path) */
|
|
1646
|
+
if (additionalCacheKeyComponents &&
|
|
1647
|
+
Object.keys(additionalCacheKeyComponents).length > 0) {
|
|
1648
|
+
atEntity.additionalCacheKeyComponents = additionalCacheKeyComponents;
|
|
1649
|
+
}
|
|
1655
1650
|
return atEntity;
|
|
1656
1651
|
}
|
|
1657
1652
|
/**
|
|
@@ -1811,6 +1806,7 @@ function generateAuthorityMetadataExpiresAt() {
|
|
|
1811
1806
|
return (nowSeconds() +
|
|
1812
1807
|
AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
|
|
1813
1808
|
}
|
|
1809
|
+
/** @internal */
|
|
1814
1810
|
function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
|
|
1815
1811
|
authorityMetadata.authorization_endpoint =
|
|
1816
1812
|
updatedValues.authorization_endpoint;
|
|
@@ -1820,6 +1816,7 @@ function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromN
|
|
|
1820
1816
|
authorityMetadata.endpointsFromNetwork = fromNetwork;
|
|
1821
1817
|
authorityMetadata.jwks_uri = updatedValues.jwks_uri;
|
|
1822
1818
|
}
|
|
1819
|
+
/** @internal */
|
|
1823
1820
|
function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
|
|
1824
1821
|
authorityMetadata.aliases = updatedValues.aliases;
|
|
1825
1822
|
authorityMetadata.preferred_cache = updatedValues.preferred_cache;
|
|
@@ -1828,6 +1825,7 @@ function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetw
|
|
|
1828
1825
|
}
|
|
1829
1826
|
/**
|
|
1830
1827
|
* Returns whether or not the data needs to be refreshed
|
|
1828
|
+
* @internal
|
|
1831
1829
|
*/
|
|
1832
1830
|
function isAuthorityMetadataExpired(metadata) {
|
|
1833
1831
|
return metadata.expiresAt <= nowSeconds();
|
|
@@ -1881,7 +1879,7 @@ class Authority {
|
|
|
1881
1879
|
this.regionDiscovery = new RegionDiscovery(networkInterface, this.logger, this.performanceClient, this.correlationId);
|
|
1882
1880
|
}
|
|
1883
1881
|
/**
|
|
1884
|
-
* Get {@link AuthorityType}
|
|
1882
|
+
* Get {@link AuthorityType:type}
|
|
1885
1883
|
* @param authorityUri {@link IUri}
|
|
1886
1884
|
* @private
|
|
1887
1885
|
*/
|
|
@@ -1927,7 +1925,7 @@ class Authority {
|
|
|
1927
1925
|
* Sets canonical authority.
|
|
1928
1926
|
*/
|
|
1929
1927
|
set canonicalAuthority(url) {
|
|
1930
|
-
this._canonicalAuthority = new UrlString(url);
|
|
1928
|
+
this._canonicalAuthority = new UrlString(url, this.correlationId);
|
|
1931
1929
|
this._canonicalAuthority.validateAsUri();
|
|
1932
1930
|
this._canonicalAuthorityUrlComponents = null;
|
|
1933
1931
|
}
|
|
@@ -1961,7 +1959,7 @@ class Authority {
|
|
|
1961
1959
|
return this.replacePath(this.metadata.authorization_endpoint);
|
|
1962
1960
|
}
|
|
1963
1961
|
else {
|
|
1964
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1962
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1965
1963
|
}
|
|
1966
1964
|
}
|
|
1967
1965
|
/**
|
|
@@ -1972,7 +1970,7 @@ class Authority {
|
|
|
1972
1970
|
return this.replacePath(this.metadata.token_endpoint);
|
|
1973
1971
|
}
|
|
1974
1972
|
else {
|
|
1975
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1973
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1976
1974
|
}
|
|
1977
1975
|
}
|
|
1978
1976
|
get deviceCodeEndpoint() {
|
|
@@ -1980,7 +1978,7 @@ class Authority {
|
|
|
1980
1978
|
return this.replacePath(this.metadata.token_endpoint.replace("/token", "/devicecode"));
|
|
1981
1979
|
}
|
|
1982
1980
|
else {
|
|
1983
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1981
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1984
1982
|
}
|
|
1985
1983
|
}
|
|
1986
1984
|
/**
|
|
@@ -1990,12 +1988,12 @@ class Authority {
|
|
|
1990
1988
|
if (this.discoveryComplete()) {
|
|
1991
1989
|
// ROPC policies may not have end_session_endpoint set
|
|
1992
1990
|
if (!this.metadata.end_session_endpoint) {
|
|
1993
|
-
throw createClientAuthError(endSessionEndpointNotSupported);
|
|
1991
|
+
throw createClientAuthError(endSessionEndpointNotSupported, this.correlationId);
|
|
1994
1992
|
}
|
|
1995
1993
|
return this.replacePath(this.metadata.end_session_endpoint);
|
|
1996
1994
|
}
|
|
1997
1995
|
else {
|
|
1998
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1996
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1999
1997
|
}
|
|
2000
1998
|
}
|
|
2001
1999
|
/**
|
|
@@ -2006,7 +2004,7 @@ class Authority {
|
|
|
2006
2004
|
return this.replacePath(this.metadata.issuer);
|
|
2007
2005
|
}
|
|
2008
2006
|
else {
|
|
2009
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2007
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2010
2008
|
}
|
|
2011
2009
|
}
|
|
2012
2010
|
/**
|
|
@@ -2017,7 +2015,7 @@ class Authority {
|
|
|
2017
2015
|
return this.replacePath(this.metadata.jwks_uri);
|
|
2018
2016
|
}
|
|
2019
2017
|
else {
|
|
2020
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2018
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2021
2019
|
}
|
|
2022
2020
|
}
|
|
2023
2021
|
/**
|
|
@@ -2044,7 +2042,7 @@ class Authority {
|
|
|
2044
2042
|
*/
|
|
2045
2043
|
replacePath(urlString) {
|
|
2046
2044
|
let endpoint = urlString;
|
|
2047
|
-
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority);
|
|
2045
|
+
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority, this.correlationId);
|
|
2048
2046
|
const cachedAuthorityUrlComponents = cachedAuthorityUrl.getUrlComponents();
|
|
2049
2047
|
const cachedAuthorityParts = cachedAuthorityUrlComponents.PathSegments;
|
|
2050
2048
|
const currentAuthorityParts = this.canonicalAuthorityUrlComponents.PathSegments;
|
|
@@ -2052,7 +2050,7 @@ class Authority {
|
|
|
2052
2050
|
let cachedPart = cachedAuthorityParts[index];
|
|
2053
2051
|
if (index === 0 &&
|
|
2054
2052
|
this.canReplaceTenant(cachedAuthorityUrlComponents)) {
|
|
2055
|
-
const tenantId = new UrlString(this.metadata.authorization_endpoint).getUrlComponents().PathSegments[0];
|
|
2053
|
+
const tenantId = new UrlString(this.metadata.authorization_endpoint, this.correlationId).getUrlComponents().PathSegments[0];
|
|
2056
2054
|
/**
|
|
2057
2055
|
* Check if AAD canonical authority contains tenant domain name, for example "testdomain.onmicrosoft.com",
|
|
2058
2056
|
* by comparing its first path segment to the corresponding authorization endpoint path segment, which is
|
|
@@ -2186,7 +2184,7 @@ class Authority {
|
|
|
2186
2184
|
}
|
|
2187
2185
|
else {
|
|
2188
2186
|
// Metadata could not be obtained from the config, cache, network or hardcoded values
|
|
2189
|
-
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint);
|
|
2187
|
+
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint, this.correlationId);
|
|
2190
2188
|
}
|
|
2191
2189
|
}
|
|
2192
2190
|
/**
|
|
@@ -2238,7 +2236,7 @@ class Authority {
|
|
|
2238
2236
|
* @param metadataEntity
|
|
2239
2237
|
*/
|
|
2240
2238
|
isAuthoritySameType(metadataEntity) {
|
|
2241
|
-
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority);
|
|
2239
|
+
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority, this.correlationId);
|
|
2242
2240
|
const cachedParts = cachedAuthorityUrl.getUrlComponents().PathSegments;
|
|
2243
2241
|
return (cachedParts.length ===
|
|
2244
2242
|
this.canonicalAuthorityUrlComponents.PathSegments.length);
|
|
@@ -2252,7 +2250,7 @@ class Authority {
|
|
|
2252
2250
|
return JSON.parse(this.authorityOptions.authorityMetadata);
|
|
2253
2251
|
}
|
|
2254
2252
|
catch (e) {
|
|
2255
|
-
throw createClientConfigurationError(invalidAuthorityMetadata);
|
|
2253
|
+
throw createClientConfigurationError(invalidAuthorityMetadata, this.correlationId);
|
|
2256
2254
|
}
|
|
2257
2255
|
}
|
|
2258
2256
|
return null;
|
|
@@ -2308,7 +2306,7 @@ class Authority {
|
|
|
2308
2306
|
RegionDiscoveryOutcomes.CONFIGURED_NO_AUTO_DETECTION;
|
|
2309
2307
|
this.regionDiscoveryMetadata.region_used =
|
|
2310
2308
|
userConfiguredAzureRegion;
|
|
2311
|
-
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion);
|
|
2309
|
+
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion, this.correlationId);
|
|
2312
2310
|
}
|
|
2313
2311
|
const autodetectedRegionName = await invokeAsync(this.regionDiscovery.detectRegion.bind(this.regionDiscovery), RegionDiscoveryDetectRegion, this.logger, this.performanceClient, this.correlationId)(this.authorityOptions.azureRegionConfiguration
|
|
2314
2312
|
?.environmentRegion, this.regionDiscoveryMetadata);
|
|
@@ -2317,7 +2315,7 @@ class Authority {
|
|
|
2317
2315
|
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_SUCCESSFUL;
|
|
2318
2316
|
this.regionDiscoveryMetadata.region_used =
|
|
2319
2317
|
autodetectedRegionName;
|
|
2320
|
-
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName);
|
|
2318
|
+
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName, this.correlationId);
|
|
2321
2319
|
}
|
|
2322
2320
|
this.regionDiscoveryMetadata.region_outcome =
|
|
2323
2321
|
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_FAILED;
|
|
@@ -2342,7 +2340,7 @@ class Authority {
|
|
|
2342
2340
|
return AuthorityMetadataSource.NETWORK;
|
|
2343
2341
|
}
|
|
2344
2342
|
// Metadata could not be obtained from the config, cache, network or hardcoded values
|
|
2345
|
-
throw createClientConfigurationError(untrustedAuthority);
|
|
2343
|
+
throw createClientConfigurationError(untrustedAuthority, this.correlationId);
|
|
2346
2344
|
}
|
|
2347
2345
|
updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
|
|
2348
2346
|
this.logger.verbose("Attempting to get cloud discovery metadata from authority configuration", this.correlationId);
|
|
@@ -2406,7 +2404,7 @@ class Authority {
|
|
|
2406
2404
|
}
|
|
2407
2405
|
catch (e) {
|
|
2408
2406
|
this.logger.verbose("Unable to parse the cloud discovery metadata. Throwing Invalid Cloud Discovery Metadata Error.", this.correlationId);
|
|
2409
|
-
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
|
|
2407
|
+
throw createClientConfigurationError(invalidCloudDiscoveryMetadata, this.correlationId);
|
|
2410
2408
|
}
|
|
2411
2409
|
}
|
|
2412
2410
|
// If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
|
|
@@ -2484,8 +2482,7 @@ class Authority {
|
|
|
2484
2482
|
const normalizedHost = host.toLowerCase();
|
|
2485
2483
|
const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
|
|
2486
2484
|
return (authority &&
|
|
2487
|
-
UrlString.getDomainFromUrl(authority).toLowerCase() ===
|
|
2488
|
-
normalizedHost);
|
|
2485
|
+
UrlString.getDomainFromUrl(authority, this.correlationId).toLowerCase() === normalizedHost);
|
|
2489
2486
|
});
|
|
2490
2487
|
return matches.length > 0;
|
|
2491
2488
|
}
|
|
@@ -2529,7 +2526,7 @@ class Authority {
|
|
|
2529
2526
|
return this.metadata.preferred_cache;
|
|
2530
2527
|
}
|
|
2531
2528
|
else {
|
|
2532
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2529
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2533
2530
|
}
|
|
2534
2531
|
}
|
|
2535
2532
|
/**
|
|
@@ -2572,7 +2569,7 @@ class Authority {
|
|
|
2572
2569
|
*/
|
|
2573
2570
|
validateIssuer(issuer) {
|
|
2574
2571
|
if (!issuer) {
|
|
2575
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
2572
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
2576
2573
|
}
|
|
2577
2574
|
// Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
|
|
2578
2575
|
let issuerUrl;
|
|
@@ -2580,7 +2577,7 @@ class Authority {
|
|
|
2580
2577
|
issuerUrl = new URL(issuer);
|
|
2581
2578
|
}
|
|
2582
2579
|
catch {
|
|
2583
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
2580
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
2584
2581
|
}
|
|
2585
2582
|
const issuerScheme = issuerUrl.protocol;
|
|
2586
2583
|
const issuerHost = issuerUrl.host;
|
|
@@ -2618,7 +2615,7 @@ class Authority {
|
|
|
2618
2615
|
return;
|
|
2619
2616
|
}
|
|
2620
2617
|
// issuer validation fails if none of the above rules are satisfied
|
|
2621
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
2618
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
2622
2619
|
}
|
|
2623
2620
|
/**
|
|
2624
2621
|
* Rule 1: The issuer scheme + host (and port) match the authority's. Path
|
|
@@ -2706,9 +2703,9 @@ class Authority {
|
|
|
2706
2703
|
* @param host string
|
|
2707
2704
|
* @param region string
|
|
2708
2705
|
*/
|
|
2709
|
-
static buildRegionalAuthorityString(host, region, queryString) {
|
|
2706
|
+
static buildRegionalAuthorityString(host, region, correlationId, queryString) {
|
|
2710
2707
|
// Create and validate a Url string object with the initial authority string
|
|
2711
|
-
const authorityUrlInstance = new UrlString(host);
|
|
2708
|
+
const authorityUrlInstance = new UrlString(host, correlationId);
|
|
2712
2709
|
authorityUrlInstance.validateAsUri();
|
|
2713
2710
|
const authorityUrlParts = authorityUrlInstance.getUrlComponents();
|
|
2714
2711
|
let hostNameAndPort = `${region}.${authorityUrlParts.HostNameAndPort}`;
|
|
@@ -2719,7 +2716,7 @@ class Authority {
|
|
|
2719
2716
|
const url = UrlString.constructAuthorityUriFromObject({
|
|
2720
2717
|
...authorityUrlInstance.getUrlComponents(),
|
|
2721
2718
|
HostNameAndPort: hostNameAndPort,
|
|
2722
|
-
}).urlString;
|
|
2719
|
+
}, correlationId).urlString;
|
|
2723
2720
|
// Add the query string if a query string was provided
|
|
2724
2721
|
if (queryString)
|
|
2725
2722
|
return `${url}?${queryString}`;
|
|
@@ -2731,15 +2728,15 @@ class Authority {
|
|
|
2731
2728
|
* @param metadata OpenIdConfigResponse
|
|
2732
2729
|
* @param azureRegion string
|
|
2733
2730
|
*/
|
|
2734
|
-
static replaceWithRegionalInformation(metadata, azureRegion) {
|
|
2731
|
+
static replaceWithRegionalInformation(metadata, azureRegion, correlationId) {
|
|
2735
2732
|
const regionalMetadata = { ...metadata };
|
|
2736
2733
|
regionalMetadata.authorization_endpoint =
|
|
2737
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion);
|
|
2734
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion, correlationId);
|
|
2738
2735
|
regionalMetadata.token_endpoint =
|
|
2739
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion);
|
|
2736
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion, correlationId);
|
|
2740
2737
|
if (regionalMetadata.end_session_endpoint) {
|
|
2741
2738
|
regionalMetadata.end_session_endpoint =
|
|
2742
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion);
|
|
2739
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion, correlationId);
|
|
2743
2740
|
}
|
|
2744
2741
|
return regionalMetadata;
|
|
2745
2742
|
}
|
|
@@ -2752,9 +2749,9 @@ class Authority {
|
|
|
2752
2749
|
*
|
|
2753
2750
|
* @param authority
|
|
2754
2751
|
*/
|
|
2755
|
-
static transformCIAMAuthority(authority) {
|
|
2752
|
+
static transformCIAMAuthority(authority, correlationId) {
|
|
2756
2753
|
let ciamAuthority = authority;
|
|
2757
|
-
const authorityUrl = new UrlString(authority);
|
|
2754
|
+
const authorityUrl = new UrlString(authority, correlationId);
|
|
2758
2755
|
const authorityUrlComponents = authorityUrl.getUrlComponents();
|
|
2759
2756
|
// check if transformation is needed
|
|
2760
2757
|
if (authorityUrlComponents.PathSegments.length === 0 &&
|
|
@@ -2776,8 +2773,8 @@ Authority.reservedTenantDomains = new Set([
|
|
|
2776
2773
|
/**
|
|
2777
2774
|
* Extract tenantId from authority
|
|
2778
2775
|
*/
|
|
2779
|
-
function getTenantFromAuthorityString(authority) {
|
|
2780
|
-
const authorityUrl = new UrlString(authority);
|
|
2776
|
+
function getTenantFromAuthorityString(authority, correlationId) {
|
|
2777
|
+
const authorityUrl = new UrlString(authority, correlationId);
|
|
2781
2778
|
const authorityUrlComponents = authorityUrl.getUrlComponents();
|
|
2782
2779
|
/**
|
|
2783
2780
|
* For credential matching purposes, tenantId is the last path segment of the authority URL:
|
|
@@ -2810,7 +2807,7 @@ function buildStaticAuthorityOptions(authOptions) {
|
|
|
2810
2807
|
cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
|
|
2811
2808
|
}
|
|
2812
2809
|
catch (e) {
|
|
2813
|
-
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
|
|
2810
|
+
throw createClientConfigurationError(invalidCloudDiscoveryMetadata, "");
|
|
2814
2811
|
}
|
|
2815
2812
|
}
|
|
2816
2813
|
return {
|
|
@@ -2842,7 +2839,7 @@ function buildStaticAuthorityOptions(authOptions) {
|
|
|
2842
2839
|
* @internal
|
|
2843
2840
|
*/
|
|
2844
2841
|
async function createDiscoveredInstance(authorityUri, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient) {
|
|
2845
|
-
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri));
|
|
2842
|
+
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri), correlationId);
|
|
2846
2843
|
// Initialize authority and perform discovery endpoint check.
|
|
2847
2844
|
const acquireTokenAuthority = new Authority(authorityUriFinal, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient);
|
|
2848
2845
|
try {
|
|
@@ -2850,7 +2847,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
|
|
|
2850
2847
|
return acquireTokenAuthority;
|
|
2851
2848
|
}
|
|
2852
2849
|
catch (e) {
|
|
2853
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2850
|
+
throw createClientAuthError(endpointResolutionError, correlationId);
|
|
2854
2851
|
}
|
|
2855
2852
|
}
|
|
2856
2853
|
|
|
@@ -2900,7 +2897,7 @@ function getDeserializedResponse(responseString) {
|
|
|
2900
2897
|
}
|
|
2901
2898
|
}
|
|
2902
2899
|
catch (e) {
|
|
2903
|
-
throw createClientAuthError(hashNotDeserialized);
|
|
2900
|
+
throw createClientAuthError(hashNotDeserialized, "");
|
|
2904
2901
|
}
|
|
2905
2902
|
return null;
|
|
2906
2903
|
}
|
|
@@ -2957,7 +2954,7 @@ function normalizeUrlForComparison(url, logger, correlationId) {
|
|
|
2957
2954
|
}
|
|
2958
2955
|
catch (e) {
|
|
2959
2956
|
logger?.error(`Failed to normalize URL for comparison: '${e}'`, correlationId || "");
|
|
2960
|
-
throw createClientConfigurationError(urlParseError);
|
|
2957
|
+
throw createClientConfigurationError(urlParseError, correlationId || "");
|
|
2961
2958
|
}
|
|
2962
2959
|
}
|
|
2963
2960
|
/**
|
|
@@ -2975,7 +2972,7 @@ function validateUrl(url, logger, correlationId) {
|
|
|
2975
2972
|
}
|
|
2976
2973
|
catch (e) {
|
|
2977
2974
|
logger?.error(`Failed to validate URL: '${e}'`, correlationId || "");
|
|
2978
|
-
throw createClientConfigurationError(urlParseError);
|
|
2975
|
+
throw createClientConfigurationError(urlParseError, correlationId || "");
|
|
2979
2976
|
}
|
|
2980
2977
|
}
|
|
2981
2978
|
|
|
@@ -3051,7 +3048,11 @@ const INSTANCE_AWARE = "instance_aware";
|
|
|
3051
3048
|
const EAR_JWK = "ear_jwk";
|
|
3052
3049
|
const EAR_JWE_CRYPTO = "ear_jwe_crypto";
|
|
3053
3050
|
const RESOURCE = "resource";
|
|
3054
|
-
const CLI_DATA = "clidata";
|
|
3051
|
+
const CLI_DATA = "clidata";
|
|
3052
|
+
const USER_FEDERATED_IDENTITY_CREDENTIAL = "user_federated_identity_credential";
|
|
3053
|
+
const USERNAME = "username";
|
|
3054
|
+
const USER_ID = "user_id";
|
|
3055
|
+
const FMI_PATH = "fmi_path";
|
|
3055
3056
|
|
|
3056
3057
|
var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
3057
3058
|
__proto__: null,
|
|
@@ -3078,6 +3079,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3078
3079
|
ERROR: ERROR,
|
|
3079
3080
|
ERROR_DESCRIPTION: ERROR_DESCRIPTION,
|
|
3080
3081
|
EXPIRES_IN: EXPIRES_IN,
|
|
3082
|
+
FMI_PATH: FMI_PATH,
|
|
3081
3083
|
FOCI: FOCI,
|
|
3082
3084
|
GRANT_TYPE: GRANT_TYPE,
|
|
3083
3085
|
ID_TOKEN: ID_TOKEN,
|
|
@@ -3105,6 +3107,9 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3105
3107
|
SID: SID,
|
|
3106
3108
|
STATE: STATE,
|
|
3107
3109
|
TOKEN_TYPE: TOKEN_TYPE,
|
|
3110
|
+
USERNAME: USERNAME,
|
|
3111
|
+
USER_FEDERATED_IDENTITY_CREDENTIAL: USER_FEDERATED_IDENTITY_CREDENTIAL,
|
|
3112
|
+
USER_ID: USER_ID,
|
|
3108
3113
|
X_APP_NAME: X_APP_NAME,
|
|
3109
3114
|
X_APP_VER: X_APP_VER,
|
|
3110
3115
|
X_CLIENT_CPU: X_CLIENT_CPU,
|
|
@@ -3128,14 +3133,14 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3128
3133
|
*/
|
|
3129
3134
|
function buildClientInfo(rawClientInfo, base64Decode) {
|
|
3130
3135
|
if (!rawClientInfo) {
|
|
3131
|
-
throw createClientAuthError(clientInfoEmptyError);
|
|
3136
|
+
throw createClientAuthError(clientInfoEmptyError, "");
|
|
3132
3137
|
}
|
|
3133
3138
|
try {
|
|
3134
3139
|
const decodedClientInfo = base64Decode(rawClientInfo);
|
|
3135
3140
|
return JSON.parse(decodedClientInfo);
|
|
3136
3141
|
}
|
|
3137
3142
|
catch (e) {
|
|
3138
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
3143
|
+
throw createClientAuthError(clientInfoDecodingError, "");
|
|
3139
3144
|
}
|
|
3140
3145
|
}
|
|
3141
3146
|
/**
|
|
@@ -3144,7 +3149,7 @@ function buildClientInfo(rawClientInfo, base64Decode) {
|
|
|
3144
3149
|
*/
|
|
3145
3150
|
function buildClientInfoFromHomeAccountId(homeAccountId) {
|
|
3146
3151
|
if (!homeAccountId) {
|
|
3147
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
3152
|
+
throw createClientAuthError(clientInfoDecodingError, "");
|
|
3148
3153
|
}
|
|
3149
3154
|
const clientInfoParts = homeAccountId.split(CLIENT_INFO_SEPARATOR, 2);
|
|
3150
3155
|
return {
|
|
@@ -3173,10 +3178,11 @@ function tenantIdMatchesHomeTenant(tenantId, homeAccountId) {
|
|
|
3173
3178
|
* @param homeAccountId - Home account identifier for this account object
|
|
3174
3179
|
* @param localAccountId - Local account identifer for this account object
|
|
3175
3180
|
* @param tenantId - Full tenant or organizational id that this account belongs to
|
|
3181
|
+
* @param nativeAccountId - Native account identifier for this tenant
|
|
3176
3182
|
* @param idTokenClaims - Claims from the ID token
|
|
3177
3183
|
* @returns
|
|
3178
3184
|
*/
|
|
3179
|
-
function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClaims) {
|
|
3185
|
+
function buildTenantProfile(homeAccountId, localAccountId, tenantId, nativeAccountId, idTokenClaims) {
|
|
3180
3186
|
if (idTokenClaims) {
|
|
3181
3187
|
const { oid, sub, tid, name, tfp, acr, preferred_username, upn, login_hint, } = idTokenClaims;
|
|
3182
3188
|
/**
|
|
@@ -3194,6 +3200,7 @@ function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClai
|
|
|
3194
3200
|
loginHint: login_hint,
|
|
3195
3201
|
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
|
|
3196
3202
|
upn: upn,
|
|
3203
|
+
...(nativeAccountId && { nativeAccountId }),
|
|
3197
3204
|
};
|
|
3198
3205
|
}
|
|
3199
3206
|
else {
|
|
@@ -3202,6 +3209,7 @@ function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClai
|
|
|
3202
3209
|
localAccountId,
|
|
3203
3210
|
username: "",
|
|
3204
3211
|
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
|
|
3212
|
+
...(nativeAccountId && { nativeAccountId }),
|
|
3205
3213
|
};
|
|
3206
3214
|
}
|
|
3207
3215
|
}
|
|
@@ -3223,12 +3231,13 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
|
|
|
3223
3231
|
if (idTokenClaims) {
|
|
3224
3232
|
// Ignore isHomeTenant which is a utility property of tenant profile but not required in base account info
|
|
3225
3233
|
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
3226
|
-
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, idTokenClaims);
|
|
3234
|
+
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, updatedAccountInfo.nativeAccountId, idTokenClaims);
|
|
3227
3235
|
updatedAccountInfo = {
|
|
3228
3236
|
...updatedAccountInfo,
|
|
3229
3237
|
...claimsSourcedTenantProfile,
|
|
3230
3238
|
idTokenClaims: idTokenClaims,
|
|
3231
3239
|
idToken: idTokenSecret,
|
|
3240
|
+
kmsi: isKmsi(idTokenClaims),
|
|
3232
3241
|
};
|
|
3233
3242
|
return updatedAccountInfo;
|
|
3234
3243
|
}
|
|
@@ -3262,6 +3271,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
|
|
|
3262
3271
|
*/
|
|
3263
3272
|
/**
|
|
3264
3273
|
* Generate Account Id key component as per the schema: <home_account_id>-<environment>
|
|
3274
|
+
* @internal
|
|
3265
3275
|
*/
|
|
3266
3276
|
function generateAccountId(accountEntity) {
|
|
3267
3277
|
const accountId = [
|
|
@@ -3272,6 +3282,7 @@ function generateAccountId(accountEntity) {
|
|
|
3272
3282
|
}
|
|
3273
3283
|
/**
|
|
3274
3284
|
* Returns the AccountInfo interface for this account.
|
|
3285
|
+
* @internal
|
|
3275
3286
|
*/
|
|
3276
3287
|
function getAccountInfo(accountEntity) {
|
|
3277
3288
|
const tenantProfiles = accountEntity.tenantProfiles || [];
|
|
@@ -3279,8 +3290,11 @@ function getAccountInfo(accountEntity) {
|
|
|
3279
3290
|
if (tenantProfiles.length === 0 &&
|
|
3280
3291
|
accountEntity.realm &&
|
|
3281
3292
|
accountEntity.localAccountId) {
|
|
3282
|
-
tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
|
|
3293
|
+
tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm, accountEntity.nativeAccountId));
|
|
3283
3294
|
}
|
|
3295
|
+
// Resolve nativeAccountId from the home tenant profile first, fall back to top-level (deprecated) for old cache entries
|
|
3296
|
+
const homeTenantProfile = tenantProfiles.find((tp) => tp.tenantId === accountEntity.realm);
|
|
3297
|
+
const nativeAccountId = homeTenantProfile?.nativeAccountId || accountEntity.nativeAccountId;
|
|
3284
3298
|
return {
|
|
3285
3299
|
homeAccountId: accountEntity.homeAccountId,
|
|
3286
3300
|
environment: accountEntity.environment,
|
|
@@ -3289,7 +3303,7 @@ function getAccountInfo(accountEntity) {
|
|
|
3289
3303
|
localAccountId: accountEntity.localAccountId,
|
|
3290
3304
|
loginHint: accountEntity.loginHint,
|
|
3291
3305
|
name: accountEntity.name,
|
|
3292
|
-
nativeAccountId:
|
|
3306
|
+
nativeAccountId: nativeAccountId,
|
|
3293
3307
|
authorityType: accountEntity.authorityType,
|
|
3294
3308
|
// Deserialize tenant profiles array into a Map
|
|
3295
3309
|
tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
|
|
@@ -3300,6 +3314,7 @@ function getAccountInfo(accountEntity) {
|
|
|
3300
3314
|
}
|
|
3301
3315
|
/**
|
|
3302
3316
|
* Returns true if the account entity is in single tenant format (outdated), false otherwise
|
|
3317
|
+
* @internal
|
|
3303
3318
|
*/
|
|
3304
3319
|
function isSingleTenant(accountEntity) {
|
|
3305
3320
|
return !accountEntity.tenantProfiles;
|
|
@@ -3307,8 +3322,9 @@ function isSingleTenant(accountEntity) {
|
|
|
3307
3322
|
/**
|
|
3308
3323
|
* Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
|
|
3309
3324
|
* @param accountDetails
|
|
3325
|
+
* @internal
|
|
3310
3326
|
*/
|
|
3311
|
-
function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
3327
|
+
function createAccountEntity(accountDetails, authority, correlationId, base64Decode) {
|
|
3312
3328
|
let authorityType;
|
|
3313
3329
|
if (authority.authorityType === AuthorityType.Adfs) {
|
|
3314
3330
|
authorityType = CACHE_ACCOUNT_TYPE_ADFS;
|
|
@@ -3330,7 +3346,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
|
3330
3346
|
const env = accountDetails.environment ||
|
|
3331
3347
|
(authority && authority.getPreferredCache());
|
|
3332
3348
|
if (!env) {
|
|
3333
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
3349
|
+
throw createClientAuthError(invalidCacheEnvironment, correlationId);
|
|
3334
3350
|
}
|
|
3335
3351
|
/*
|
|
3336
3352
|
* In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
|
|
@@ -3357,7 +3373,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
|
3357
3373
|
tenantProfiles = accountDetails.tenantProfiles;
|
|
3358
3374
|
}
|
|
3359
3375
|
else {
|
|
3360
|
-
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.idTokenClaims);
|
|
3376
|
+
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.nativeAccountId, accountDetails.idTokenClaims);
|
|
3361
3377
|
tenantProfiles = [tenantProfile];
|
|
3362
3378
|
}
|
|
3363
3379
|
return {
|
|
@@ -3385,6 +3401,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
|
3385
3401
|
* @param cloudGraphHostName
|
|
3386
3402
|
* @param msGraphHost
|
|
3387
3403
|
* @returns
|
|
3404
|
+
* @internal
|
|
3388
3405
|
*/
|
|
3389
3406
|
function createAccountEntityFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
|
|
3390
3407
|
// Serialize tenant profiles map into an array
|
|
@@ -3393,7 +3410,14 @@ function createAccountEntityFromAccountInfo(accountInfo, cloudGraphHostName, msG
|
|
|
3393
3410
|
if (tenantProfiles.length === 0 &&
|
|
3394
3411
|
accountInfo.tenantId &&
|
|
3395
3412
|
accountInfo.localAccountId) {
|
|
3396
|
-
tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
|
|
3413
|
+
tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.nativeAccountId, accountInfo.idTokenClaims));
|
|
3414
|
+
}
|
|
3415
|
+
else if (accountInfo.nativeAccountId) {
|
|
3416
|
+
// Ensure nativeAccountId is set on the matching tenant profile
|
|
3417
|
+
const matchingProfile = tenantProfiles.find((tp) => tp.tenantId === accountInfo.tenantId);
|
|
3418
|
+
if (matchingProfile && !matchingProfile.nativeAccountId) {
|
|
3419
|
+
matchingProfile.nativeAccountId = accountInfo.nativeAccountId;
|
|
3420
|
+
}
|
|
3397
3421
|
}
|
|
3398
3422
|
return {
|
|
3399
3423
|
authorityType: accountInfo.authorityType || CACHE_ACCOUNT_TYPE_GENERIC,
|
|
@@ -3437,6 +3461,7 @@ function generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, co
|
|
|
3437
3461
|
/**
|
|
3438
3462
|
* Validates an entity: checks for all expected params
|
|
3439
3463
|
* @param entity
|
|
3464
|
+
* @internal
|
|
3440
3465
|
*/
|
|
3441
3466
|
function isAccountEntity(entity) {
|
|
3442
3467
|
if (!entity) {
|
|
@@ -3471,7 +3496,8 @@ var AccountEntityUtils = /*#__PURE__*/Object.freeze({
|
|
|
3471
3496
|
* to ensure uniqueness of strings.
|
|
3472
3497
|
*/
|
|
3473
3498
|
class ScopeSet {
|
|
3474
|
-
constructor(inputScopes) {
|
|
3499
|
+
constructor(inputScopes, correlationId) {
|
|
3500
|
+
this.correlationId = correlationId;
|
|
3475
3501
|
// Filter empty string and null/undefined array items
|
|
3476
3502
|
const scopeArr = inputScopes
|
|
3477
3503
|
? StringUtils.trimArrayEntries([...inputScopes])
|
|
@@ -3481,7 +3507,7 @@ class ScopeSet {
|
|
|
3481
3507
|
: [];
|
|
3482
3508
|
// Check if scopes array has at least one member
|
|
3483
3509
|
if (!filteredInput || !filteredInput.length) {
|
|
3484
|
-
throw createClientConfigurationError(emptyInputScopesError);
|
|
3510
|
+
throw createClientConfigurationError(emptyInputScopesError, correlationId);
|
|
3485
3511
|
}
|
|
3486
3512
|
this.scopes = new Set(); // Iterator in constructor not supported by IE11
|
|
3487
3513
|
filteredInput.forEach((scope) => this.scopes.add(scope));
|
|
@@ -3492,22 +3518,22 @@ class ScopeSet {
|
|
|
3492
3518
|
* @param appClientId
|
|
3493
3519
|
* @param scopesRequired
|
|
3494
3520
|
*/
|
|
3495
|
-
static fromString(inputScopeString) {
|
|
3521
|
+
static fromString(inputScopeString, correlationId) {
|
|
3496
3522
|
const scopeString = inputScopeString || "";
|
|
3497
3523
|
const inputScopes = scopeString.split(" ");
|
|
3498
|
-
return new ScopeSet(inputScopes);
|
|
3524
|
+
return new ScopeSet(inputScopes, correlationId);
|
|
3499
3525
|
}
|
|
3500
3526
|
/**
|
|
3501
3527
|
* Creates the set of scopes to search for in cache lookups
|
|
3502
3528
|
* @param inputScopeString
|
|
3503
3529
|
* @returns
|
|
3504
3530
|
*/
|
|
3505
|
-
static createSearchScopes(inputScopeString) {
|
|
3531
|
+
static createSearchScopes(inputScopeString, correlationId) {
|
|
3506
3532
|
// Handle empty scopes by using default OIDC scopes for cache lookup
|
|
3507
3533
|
const scopesToUse = inputScopeString && inputScopeString.length > 0
|
|
3508
3534
|
? inputScopeString
|
|
3509
3535
|
: [...OIDC_DEFAULT_SCOPES];
|
|
3510
|
-
const scopeSet = new ScopeSet(scopesToUse);
|
|
3536
|
+
const scopeSet = new ScopeSet(scopesToUse, correlationId);
|
|
3511
3537
|
if (!scopeSet.containsOnlyOIDCScopes()) {
|
|
3512
3538
|
scopeSet.removeOIDCScopes();
|
|
3513
3539
|
}
|
|
@@ -3522,7 +3548,7 @@ class ScopeSet {
|
|
|
3522
3548
|
*/
|
|
3523
3549
|
containsScope(scope) {
|
|
3524
3550
|
const lowerCaseScopes = this.printScopesLowerCase().split(" ");
|
|
3525
|
-
const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes);
|
|
3551
|
+
const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes, this.correlationId);
|
|
3526
3552
|
// compare lowercase scopes
|
|
3527
3553
|
return scope
|
|
3528
3554
|
? lowerCaseScopesSet.scopes.has(scope.toLowerCase())
|
|
@@ -3569,7 +3595,7 @@ class ScopeSet {
|
|
|
3569
3595
|
newScopes.forEach((newScope) => this.appendScope(newScope));
|
|
3570
3596
|
}
|
|
3571
3597
|
catch (e) {
|
|
3572
|
-
throw createClientAuthError(cannotAppendScopeSet);
|
|
3598
|
+
throw createClientAuthError(cannotAppendScopeSet, this.correlationId);
|
|
3573
3599
|
}
|
|
3574
3600
|
}
|
|
3575
3601
|
/**
|
|
@@ -3578,7 +3604,7 @@ class ScopeSet {
|
|
|
3578
3604
|
*/
|
|
3579
3605
|
removeScope(scope) {
|
|
3580
3606
|
if (!scope) {
|
|
3581
|
-
throw createClientAuthError(cannotRemoveEmptyScope);
|
|
3607
|
+
throw createClientAuthError(cannotRemoveEmptyScope, this.correlationId);
|
|
3582
3608
|
}
|
|
3583
3609
|
this.scopes.delete(scope.trim());
|
|
3584
3610
|
}
|
|
@@ -3597,7 +3623,7 @@ class ScopeSet {
|
|
|
3597
3623
|
*/
|
|
3598
3624
|
unionScopeSets(otherScopes) {
|
|
3599
3625
|
if (!otherScopes) {
|
|
3600
|
-
throw createClientAuthError(emptyInputScopeSet);
|
|
3626
|
+
throw createClientAuthError(emptyInputScopeSet, this.correlationId);
|
|
3601
3627
|
}
|
|
3602
3628
|
const unionScopes = new Set(); // Iterator in constructor not supported in IE11
|
|
3603
3629
|
otherScopes.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));
|
|
@@ -3610,7 +3636,7 @@ class ScopeSet {
|
|
|
3610
3636
|
*/
|
|
3611
3637
|
intersectingScopeSets(otherScopes) {
|
|
3612
3638
|
if (!otherScopes) {
|
|
3613
|
-
throw createClientAuthError(emptyInputScopeSet);
|
|
3639
|
+
throw createClientAuthError(emptyInputScopeSet, this.correlationId);
|
|
3614
3640
|
}
|
|
3615
3641
|
// Do not allow OIDC scopes to be the only intersecting scopes
|
|
3616
3642
|
if (!otherScopes.containsOnlyOIDCScopes()) {
|
|
@@ -3696,7 +3722,7 @@ function addNativeBroker(parameters) {
|
|
|
3696
3722
|
* @param scopeSet
|
|
3697
3723
|
* @param addOidcScopes
|
|
3698
3724
|
*/
|
|
3699
|
-
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
3725
|
+
function addScopes(parameters, scopes, correlationId, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
3700
3726
|
// Always add openid to the scopes when adding OIDC scopes
|
|
3701
3727
|
if (addOidcScopes &&
|
|
3702
3728
|
!defaultScopes.includes("openid") &&
|
|
@@ -3706,7 +3732,7 @@ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OID
|
|
|
3706
3732
|
const requestScopes = addOidcScopes
|
|
3707
3733
|
? [...(scopes || []), ...defaultScopes]
|
|
3708
3734
|
: scopes || [];
|
|
3709
|
-
const scopeSet = new ScopeSet(requestScopes);
|
|
3735
|
+
const scopeSet = new ScopeSet(requestScopes, correlationId);
|
|
3710
3736
|
parameters.set(SCOPE, scopeSet.printScopes());
|
|
3711
3737
|
}
|
|
3712
3738
|
/**
|
|
@@ -3776,26 +3802,18 @@ function addSid(parameters, sid) {
|
|
|
3776
3802
|
* Adds claims to request parameters, conditionally excluding clientCapabilities
|
|
3777
3803
|
* when skipBrokerClaims is true and a brokered flow is in effect.
|
|
3778
3804
|
* @param parameters - The request parameters map
|
|
3805
|
+
* @param correlationId - The request correlation id
|
|
3779
3806
|
* @param claims - The claims string from the request
|
|
3780
3807
|
* @param clientCapabilities - The client capabilities from configuration
|
|
3781
3808
|
* @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
|
|
3782
3809
|
*/
|
|
3783
|
-
function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
|
|
3810
|
+
function addClaims(parameters, correlationId, claims, clientCapabilities, skipBrokerClaims) {
|
|
3784
3811
|
// Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
|
|
3785
3812
|
const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
|
|
3786
3813
|
? undefined
|
|
3787
3814
|
: clientCapabilities;
|
|
3788
|
-
|
|
3789
|
-
|
|
3790
|
-
const mergedClaims = addClientCapabilitiesToClaims(claims, configClaims);
|
|
3791
|
-
try {
|
|
3792
|
-
JSON.parse(mergedClaims);
|
|
3793
|
-
}
|
|
3794
|
-
catch (e) {
|
|
3795
|
-
throw createClientConfigurationError(invalidClaims);
|
|
3796
|
-
}
|
|
3797
|
-
parameters.set(CLAIMS, mergedClaims);
|
|
3798
|
-
}
|
|
3815
|
+
const mergedClaims = buildMergedClaims(claims, configClaims, correlationId);
|
|
3816
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
3799
3817
|
}
|
|
3800
3818
|
/**
|
|
3801
3819
|
* add correlationId
|
|
@@ -3866,7 +3884,7 @@ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod)
|
|
|
3866
3884
|
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
3867
3885
|
}
|
|
3868
3886
|
else {
|
|
3869
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
3887
|
+
throw createClientConfigurationError(pkceParamsMissing, "");
|
|
3870
3888
|
}
|
|
3871
3889
|
}
|
|
3872
3890
|
/**
|
|
@@ -3972,7 +3990,23 @@ function addExtraParameters(parameters, extraParams) {
|
|
|
3972
3990
|
}
|
|
3973
3991
|
});
|
|
3974
3992
|
}
|
|
3975
|
-
|
|
3993
|
+
/**
|
|
3994
|
+
* Default optional idToken claims requested on all auth requests.
|
|
3995
|
+
* signin_state enables KMSI detection; login_hint enables login hint propagation.
|
|
3996
|
+
*/
|
|
3997
|
+
const DEFAULT_ID_TOKEN_CLAIMS = {
|
|
3998
|
+
[ClaimsRequestKeys.SIGNIN_STATE]: { essential: false },
|
|
3999
|
+
[ClaimsRequestKeys.LOGIN_HINT]: { essential: false },
|
|
4000
|
+
};
|
|
4001
|
+
/**
|
|
4002
|
+
* Parses claims JSON, merges default optional idToken claims (signin_state, login_hint),
|
|
4003
|
+
* and appends client capabilities (xms_cc) to the access_token section.
|
|
4004
|
+
* Does not overwrite idToken claims already specified by the caller.
|
|
4005
|
+
* @param claims - Existing claims JSON string from the request (may be undefined)
|
|
4006
|
+
* @param clientCapabilities - Client capabilities array from configuration
|
|
4007
|
+
* @returns Merged claims JSON string
|
|
4008
|
+
*/
|
|
4009
|
+
function buildMergedClaims(claims, clientCapabilities, correlationId = "") {
|
|
3976
4010
|
let mergedClaims;
|
|
3977
4011
|
// Parse provided claims into JSON object or initialize empty object
|
|
3978
4012
|
if (!claims) {
|
|
@@ -3980,14 +4014,31 @@ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
|
3980
4014
|
}
|
|
3981
4015
|
else {
|
|
3982
4016
|
try {
|
|
3983
|
-
|
|
4017
|
+
const parsed = JSON.parse(claims);
|
|
4018
|
+
if (typeof parsed !== "object" ||
|
|
4019
|
+
parsed === null ||
|
|
4020
|
+
Array.isArray(parsed)) {
|
|
4021
|
+
throw new Error("Claims must be a JSON object");
|
|
4022
|
+
}
|
|
4023
|
+
mergedClaims = parsed;
|
|
3984
4024
|
}
|
|
3985
4025
|
catch (e) {
|
|
3986
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4026
|
+
throw createClientConfigurationError(invalidClaims, correlationId);
|
|
3987
4027
|
}
|
|
3988
4028
|
}
|
|
4029
|
+
// Add default optional idToken claims
|
|
4030
|
+
if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ID_TOKEN)) {
|
|
4031
|
+
mergedClaims[ClaimsRequestKeys.ID_TOKEN] = {};
|
|
4032
|
+
}
|
|
4033
|
+
const idTokenClaims = mergedClaims[ClaimsRequestKeys.ID_TOKEN];
|
|
4034
|
+
for (const [key, value] of Object.entries(DEFAULT_ID_TOKEN_CLAIMS)) {
|
|
4035
|
+
if (!(key in idTokenClaims)) {
|
|
4036
|
+
idTokenClaims[key] = value;
|
|
4037
|
+
}
|
|
4038
|
+
}
|
|
4039
|
+
// Add client capabilities
|
|
3989
4040
|
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
3990
|
-
if (!
|
|
4041
|
+
if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
3991
4042
|
// Add access_token key to claims object
|
|
3992
4043
|
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
3993
4044
|
}
|
|
@@ -4034,16 +4085,11 @@ function addSshJwk(parameters, sshJwkString) {
|
|
|
4034
4085
|
/**
|
|
4035
4086
|
* add server telemetry fields
|
|
4036
4087
|
* @param serverTelemetryManager
|
|
4088
|
+
* @internal
|
|
4037
4089
|
*/
|
|
4038
4090
|
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
4039
|
-
|
|
4040
|
-
|
|
4041
|
-
if (currentTelemetryHeader) {
|
|
4042
|
-
parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
|
|
4043
|
-
}
|
|
4044
|
-
if (lastTelemetryHeader) {
|
|
4045
|
-
parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
|
|
4046
|
-
}
|
|
4091
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4092
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4047
4093
|
}
|
|
4048
4094
|
/**
|
|
4049
4095
|
* Adds parameter that indicates to the server that throttling is supported
|
|
@@ -4093,7 +4139,6 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
|
4093
4139
|
addCliData: addCliData,
|
|
4094
4140
|
addClientAssertion: addClientAssertion,
|
|
4095
4141
|
addClientAssertionType: addClientAssertionType,
|
|
4096
|
-
addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
|
|
4097
4142
|
addClientId: addClientId,
|
|
4098
4143
|
addClientInfo: addClientInfo,
|
|
4099
4144
|
addClientSecret: addClientSecret,
|
|
@@ -4130,6 +4175,7 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
|
4130
4175
|
addState: addState,
|
|
4131
4176
|
addThrottling: addThrottling,
|
|
4132
4177
|
addUsername: addUsername,
|
|
4178
|
+
buildMergedClaims: buildMergedClaims,
|
|
4133
4179
|
instrumentBrokerParams: instrumentBrokerParams
|
|
4134
4180
|
});
|
|
4135
4181
|
|
|
@@ -4139,34 +4185,34 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
|
4139
4185
|
*/
|
|
4140
4186
|
const DEFAULT_CRYPTO_IMPLEMENTATION = {
|
|
4141
4187
|
createNewGuid: () => {
|
|
4142
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4188
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4143
4189
|
},
|
|
4144
4190
|
base64Decode: () => {
|
|
4145
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4191
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4146
4192
|
},
|
|
4147
4193
|
base64Encode: () => {
|
|
4148
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4194
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4149
4195
|
},
|
|
4150
4196
|
base64UrlEncode: () => {
|
|
4151
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4197
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4152
4198
|
},
|
|
4153
4199
|
encodeKid: () => {
|
|
4154
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4200
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4155
4201
|
},
|
|
4156
4202
|
async getPublicKeyThumbprint() {
|
|
4157
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4203
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4158
4204
|
},
|
|
4159
4205
|
async removeTokenBindingKey() {
|
|
4160
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4206
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4161
4207
|
},
|
|
4162
4208
|
async clearKeystore() {
|
|
4163
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4209
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4164
4210
|
},
|
|
4165
4211
|
async signJwt() {
|
|
4166
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4212
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4167
4213
|
},
|
|
4168
4214
|
async hashString() {
|
|
4169
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4215
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4170
4216
|
},
|
|
4171
4217
|
};
|
|
4172
4218
|
|
|
@@ -4246,22 +4292,36 @@ function getAndFlushLogsFromCache(correlationId) {
|
|
|
4246
4292
|
return res;
|
|
4247
4293
|
}
|
|
4248
4294
|
/**
|
|
4249
|
-
*
|
|
4250
|
-
|
|
4251
|
-
|
|
4252
|
-
|
|
4253
|
-
|
|
4295
|
+
* Extracts the leading minification hash from a log message, if present.
|
|
4296
|
+
*
|
|
4297
|
+
* Minified messages are produced by the logger-minify rollup plugin and are
|
|
4298
|
+
* either a bare 6-character alphanumeric hash, or that hash followed by a space
|
|
4299
|
+
* and runtime variables appended for local (console) logging, e.g.
|
|
4300
|
+
* "abc123 user-1 popup". Only the leading hash is returned so that telemetry
|
|
4301
|
+
* never captures the appended variables. Returns null when the message is not
|
|
4302
|
+
* a minified message.
|
|
4303
|
+
*/
|
|
4304
|
+
function getMessageHash(str) {
|
|
4305
|
+
if (str.length < 6) {
|
|
4306
|
+
return null;
|
|
4254
4307
|
}
|
|
4255
|
-
|
|
4308
|
+
/*
|
|
4309
|
+
* If the message is longer than the hash, the hash must be delimited by a
|
|
4310
|
+
* space (the separator the plugin inserts before appended variables).
|
|
4311
|
+
*/
|
|
4312
|
+
if (str.length > 6 && str[6] !== " ") {
|
|
4313
|
+
return null;
|
|
4314
|
+
}
|
|
4315
|
+
for (let i = 0; i < 6; i++) {
|
|
4256
4316
|
const char = str[i];
|
|
4257
4317
|
const isAlphaNumeric = (char >= "a" && char <= "z") ||
|
|
4258
4318
|
(char >= "A" && char <= "Z") ||
|
|
4259
4319
|
(char >= "0" && char <= "9");
|
|
4260
4320
|
if (!isAlphaNumeric) {
|
|
4261
|
-
return
|
|
4321
|
+
return null;
|
|
4262
4322
|
}
|
|
4263
4323
|
}
|
|
4264
|
-
return
|
|
4324
|
+
return str.substring(0, 6);
|
|
4265
4325
|
}
|
|
4266
4326
|
/**
|
|
4267
4327
|
* Class which facilitates logging of messages to a specific place.
|
|
@@ -4308,10 +4368,10 @@ class Logger {
|
|
|
4308
4368
|
*/
|
|
4309
4369
|
logMessage(logMessage, options) {
|
|
4310
4370
|
const correlationId = options.correlationId;
|
|
4311
|
-
const
|
|
4312
|
-
if (
|
|
4371
|
+
const messageHash = getMessageHash(logMessage);
|
|
4372
|
+
if (messageHash) {
|
|
4313
4373
|
const loggedMessage = {
|
|
4314
|
-
hash:
|
|
4374
|
+
hash: messageHash,
|
|
4315
4375
|
level: options.logLevel,
|
|
4316
4376
|
containsPii: options.containsPii || false,
|
|
4317
4377
|
milliseconds: 0, // Will be calculated in addLogToCache
|
|
@@ -4446,7 +4506,7 @@ class Logger {
|
|
|
4446
4506
|
|
|
4447
4507
|
/* eslint-disable header/header */
|
|
4448
4508
|
const name = "@azure/msal-common";
|
|
4449
|
-
const version = "16.
|
|
4509
|
+
const version = "16.10.0";
|
|
4450
4510
|
|
|
4451
4511
|
/*
|
|
4452
4512
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4584,7 +4644,7 @@ class CacheManager {
|
|
|
4584
4644
|
}
|
|
4585
4645
|
const idToken = this.getIdToken(accountInfo, correlationId, tokenKeys, tenantProfile.tenantId);
|
|
4586
4646
|
if (idToken) {
|
|
4587
|
-
idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode);
|
|
4647
|
+
idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode, correlationId);
|
|
4588
4648
|
if (!this.idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter)) {
|
|
4589
4649
|
// ID token sourced claims don't match so this tenant profile is not a match
|
|
4590
4650
|
return null;
|
|
@@ -4647,6 +4707,11 @@ class CacheManager {
|
|
|
4647
4707
|
!(tenantProfile.upn === tenantProfileFilter.upn)) {
|
|
4648
4708
|
return false;
|
|
4649
4709
|
}
|
|
4710
|
+
if (!!tenantProfileFilter.nativeAccountId &&
|
|
4711
|
+
tenantProfile.nativeAccountId !==
|
|
4712
|
+
tenantProfileFilter.nativeAccountId) {
|
|
4713
|
+
return false;
|
|
4714
|
+
}
|
|
4650
4715
|
return true;
|
|
4651
4716
|
}
|
|
4652
4717
|
idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter) {
|
|
@@ -4684,7 +4749,7 @@ class CacheManager {
|
|
|
4684
4749
|
*/
|
|
4685
4750
|
async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
|
|
4686
4751
|
if (!cacheRecord) {
|
|
4687
|
-
throw createClientAuthError(invalidCacheRecord);
|
|
4752
|
+
throw createClientAuthError(invalidCacheRecord, correlationId);
|
|
4688
4753
|
}
|
|
4689
4754
|
try {
|
|
4690
4755
|
if (!!cacheRecord.account) {
|
|
@@ -4729,7 +4794,7 @@ class CacheManager {
|
|
|
4729
4794
|
tokenType: credential.tokenType,
|
|
4730
4795
|
};
|
|
4731
4796
|
const tokenKeys = this.getTokenKeys();
|
|
4732
|
-
const currentScopes = ScopeSet.fromString(credential.target);
|
|
4797
|
+
const currentScopes = ScopeSet.fromString(credential.target, correlationId);
|
|
4733
4798
|
tokenKeys.accessToken.forEach((key) => {
|
|
4734
4799
|
if (!this.accessTokenKeyMatchesFilter(key, accessTokenFilter, false)) {
|
|
4735
4800
|
return;
|
|
@@ -4737,7 +4802,7 @@ class CacheManager {
|
|
|
4737
4802
|
const tokenEntity = this.getAccessTokenCredential(key, correlationId);
|
|
4738
4803
|
if (tokenEntity &&
|
|
4739
4804
|
this.credentialMatchesFilter(tokenEntity, accessTokenFilter, correlationId)) {
|
|
4740
|
-
const tokenScopeSet = ScopeSet.fromString(tokenEntity.target);
|
|
4805
|
+
const tokenScopeSet = ScopeSet.fromString(tokenEntity.target, correlationId);
|
|
4741
4806
|
if (tokenScopeSet.intersectingScopeSets(currentScopes)) {
|
|
4742
4807
|
this.removeAccessToken(key, correlationId);
|
|
4743
4808
|
}
|
|
@@ -4771,10 +4836,6 @@ class CacheManager {
|
|
|
4771
4836
|
!this.matchRealm(entity, accountFilter.realm)) {
|
|
4772
4837
|
return;
|
|
4773
4838
|
}
|
|
4774
|
-
if (!!accountFilter.nativeAccountId &&
|
|
4775
|
-
!this.matchNativeAccountId(entity, accountFilter.nativeAccountId)) {
|
|
4776
|
-
return;
|
|
4777
|
-
}
|
|
4778
4839
|
if (!!accountFilter.authorityType &&
|
|
4779
4840
|
!this.matchAuthorityType(entity, accountFilter.authorityType)) {
|
|
4780
4841
|
return;
|
|
@@ -4786,6 +4847,7 @@ class CacheManager {
|
|
|
4786
4847
|
username: accountFilter?.username,
|
|
4787
4848
|
loginHint: accountFilter?.loginHint,
|
|
4788
4849
|
upn: accountFilter?.upn,
|
|
4850
|
+
nativeAccountId: accountFilter?.nativeAccountId,
|
|
4789
4851
|
};
|
|
4790
4852
|
const matchingTenantProfiles = entity.tenantProfiles?.filter((tenantProfile) => {
|
|
4791
4853
|
return this.tenantProfileMatchesFilter(tenantProfile, tenantProfileFilter);
|
|
@@ -4839,7 +4901,8 @@ class CacheManager {
|
|
|
4839
4901
|
* idTokens do not have "target", target specific refreshTokens do exist for some types of authentication
|
|
4840
4902
|
* Resource specific refresh tokens case will be added when the support is deemed necessary
|
|
4841
4903
|
*/
|
|
4842
|
-
if (!!filter.target &&
|
|
4904
|
+
if (!!filter.target &&
|
|
4905
|
+
!this.matchTarget(entity, filter.target, correlationId)) {
|
|
4843
4906
|
return false;
|
|
4844
4907
|
}
|
|
4845
4908
|
// Access Token with Auth Scheme specific matching
|
|
@@ -4856,6 +4919,28 @@ class CacheManager {
|
|
|
4856
4919
|
}
|
|
4857
4920
|
}
|
|
4858
4921
|
}
|
|
4922
|
+
// Additional cache key components matching (bidirectional isolation)
|
|
4923
|
+
const entityComponents = entity.additionalCacheKeyComponents;
|
|
4924
|
+
const filterComponents = filter.additionalCacheKeyComponents;
|
|
4925
|
+
const entityHasComponents = !!entityComponents && Object.keys(entityComponents).length > 0;
|
|
4926
|
+
const filterHasComponents = !!filterComponents && Object.keys(filterComponents).length > 0;
|
|
4927
|
+
if (entityHasComponents !== filterHasComponents) {
|
|
4928
|
+
return false;
|
|
4929
|
+
}
|
|
4930
|
+
if (entityHasComponents && filterHasComponents) {
|
|
4931
|
+
const entityKeys = Object.keys(entityComponents).sort();
|
|
4932
|
+
const filterKeys = Object.keys(filterComponents).sort();
|
|
4933
|
+
if (entityKeys.length !== filterKeys.length) {
|
|
4934
|
+
return false;
|
|
4935
|
+
}
|
|
4936
|
+
for (let i = 0; i < entityKeys.length; i++) {
|
|
4937
|
+
if (entityKeys[i] !== filterKeys[i] ||
|
|
4938
|
+
entityComponents[entityKeys[i]] !==
|
|
4939
|
+
filterComponents[filterKeys[i]]) {
|
|
4940
|
+
return false;
|
|
4941
|
+
}
|
|
4942
|
+
}
|
|
4943
|
+
}
|
|
4859
4944
|
return true;
|
|
4860
4945
|
}
|
|
4861
4946
|
/**
|
|
@@ -5123,7 +5208,7 @@ class CacheManager {
|
|
|
5123
5208
|
getAccessToken(account, request, tokenKeys, targetRealm) {
|
|
5124
5209
|
const correlationId = request.correlationId;
|
|
5125
5210
|
this.commonLogger.trace("CacheManager - getAccessToken called", correlationId);
|
|
5126
|
-
const scopes = ScopeSet.createSearchScopes(request.scopes);
|
|
5211
|
+
const scopes = ScopeSet.createSearchScopes(request.scopes, correlationId);
|
|
5127
5212
|
const authScheme = request.authenticationScheme ||
|
|
5128
5213
|
AuthenticationScheme.BEARER;
|
|
5129
5214
|
/*
|
|
@@ -5314,7 +5399,7 @@ class CacheManager {
|
|
|
5314
5399
|
return null;
|
|
5315
5400
|
}
|
|
5316
5401
|
else if (numAppMetadata > 1) {
|
|
5317
|
-
throw createClientAuthError(multipleMatchingAppMetadata);
|
|
5402
|
+
throw createClientAuthError(multipleMatchingAppMetadata, correlationId);
|
|
5318
5403
|
}
|
|
5319
5404
|
return appMetadataEntries[0];
|
|
5320
5405
|
}
|
|
@@ -5444,15 +5529,6 @@ class CacheManager {
|
|
|
5444
5529
|
matchRealm(entity, realm) {
|
|
5445
5530
|
return !!(entity.realm?.toLowerCase() === realm.toLowerCase());
|
|
5446
5531
|
}
|
|
5447
|
-
/**
|
|
5448
|
-
* helper to match nativeAccountId
|
|
5449
|
-
* @param entity
|
|
5450
|
-
* @param nativeAccountId
|
|
5451
|
-
* @returns boolean indicating the match result
|
|
5452
|
-
*/
|
|
5453
|
-
matchNativeAccountId(entity, nativeAccountId) {
|
|
5454
|
-
return !!(entity.nativeAccountId && nativeAccountId === entity.nativeAccountId);
|
|
5455
|
-
}
|
|
5456
5532
|
/**
|
|
5457
5533
|
* helper to match loginHint which can be either:
|
|
5458
5534
|
* 1. login_hint ID token claim
|
|
@@ -5496,14 +5572,14 @@ class CacheManager {
|
|
|
5496
5572
|
* @param entity
|
|
5497
5573
|
* @param target
|
|
5498
5574
|
*/
|
|
5499
|
-
matchTarget(entity, target) {
|
|
5575
|
+
matchTarget(entity, target, correlationId) {
|
|
5500
5576
|
const isNotAccessTokenCredential = entity.credentialType !== CredentialType.ACCESS_TOKEN &&
|
|
5501
5577
|
entity.credentialType !==
|
|
5502
5578
|
CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
|
|
5503
5579
|
if (isNotAccessTokenCredential || !entity.target) {
|
|
5504
5580
|
return false;
|
|
5505
5581
|
}
|
|
5506
|
-
const entityScopeSet = ScopeSet.fromString(entity.target);
|
|
5582
|
+
const entityScopeSet = ScopeSet.fromString(entity.target, correlationId);
|
|
5507
5583
|
return entityScopeSet.containsScopeSet(target);
|
|
5508
5584
|
}
|
|
5509
5585
|
/**
|
|
@@ -5557,73 +5633,73 @@ class CacheManager {
|
|
|
5557
5633
|
/** @internal */
|
|
5558
5634
|
class DefaultStorageClass extends CacheManager {
|
|
5559
5635
|
async setAccount() {
|
|
5560
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5636
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5561
5637
|
}
|
|
5562
5638
|
getAccount() {
|
|
5563
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5639
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5564
5640
|
}
|
|
5565
5641
|
async setIdTokenCredential() {
|
|
5566
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5642
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5567
5643
|
}
|
|
5568
5644
|
getIdTokenCredential() {
|
|
5569
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5645
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5570
5646
|
}
|
|
5571
5647
|
async setAccessTokenCredential() {
|
|
5572
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5648
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5573
5649
|
}
|
|
5574
5650
|
getAccessTokenCredential() {
|
|
5575
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5651
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5576
5652
|
}
|
|
5577
5653
|
async setRefreshTokenCredential() {
|
|
5578
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5654
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5579
5655
|
}
|
|
5580
5656
|
getRefreshTokenCredential() {
|
|
5581
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5657
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5582
5658
|
}
|
|
5583
5659
|
setAppMetadata() {
|
|
5584
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5660
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5585
5661
|
}
|
|
5586
5662
|
getAppMetadata() {
|
|
5587
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5663
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5588
5664
|
}
|
|
5589
5665
|
setServerTelemetry() {
|
|
5590
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5666
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5591
5667
|
}
|
|
5592
5668
|
getServerTelemetry() {
|
|
5593
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5669
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5594
5670
|
}
|
|
5595
5671
|
setAuthorityMetadata() {
|
|
5596
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5672
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5597
5673
|
}
|
|
5598
5674
|
getAuthorityMetadata() {
|
|
5599
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5675
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5600
5676
|
}
|
|
5601
5677
|
getAuthorityMetadataKeys() {
|
|
5602
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5678
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5603
5679
|
}
|
|
5604
5680
|
setThrottlingCache() {
|
|
5605
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5681
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5606
5682
|
}
|
|
5607
5683
|
getThrottlingCache() {
|
|
5608
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5684
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5609
5685
|
}
|
|
5610
5686
|
removeItem() {
|
|
5611
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5687
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5612
5688
|
}
|
|
5613
5689
|
getKeys() {
|
|
5614
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5690
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5615
5691
|
}
|
|
5616
5692
|
getAccountKeys() {
|
|
5617
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5693
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5618
5694
|
}
|
|
5619
5695
|
getTokenKeys() {
|
|
5620
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5696
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5621
5697
|
}
|
|
5622
5698
|
generateCredentialKey() {
|
|
5623
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5699
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5624
5700
|
}
|
|
5625
5701
|
generateAccountKey() {
|
|
5626
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5702
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5627
5703
|
}
|
|
5628
5704
|
}
|
|
5629
5705
|
|
|
@@ -5762,10 +5838,10 @@ const DEFAULT_LOGGER_IMPLEMENTATION = {
|
|
|
5762
5838
|
};
|
|
5763
5839
|
const DEFAULT_NETWORK_IMPLEMENTATION = {
|
|
5764
5840
|
async sendGetRequestAsync() {
|
|
5765
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5841
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5766
5842
|
},
|
|
5767
5843
|
async sendPostRequestAsync() {
|
|
5768
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5844
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5769
5845
|
},
|
|
5770
5846
|
};
|
|
5771
5847
|
const DEFAULT_LIBRARY_INFO = {
|
|
@@ -5794,6 +5870,7 @@ const DEFAULT_TELEMETRY_OPTIONS = {
|
|
|
5794
5870
|
* @param Configuration
|
|
5795
5871
|
*
|
|
5796
5872
|
* @returns Configuration
|
|
5873
|
+
* @internal
|
|
5797
5874
|
*/
|
|
5798
5875
|
function buildClientConfiguration({ authOptions: userAuthOptions, systemOptions: userSystemOptions, loggerOptions: userLoggerOption, storageInterface: storageImplementation, networkInterface: networkImplementation, cryptoInterface: cryptoImplementation, clientCredentials: clientCredentials, libraryInfo: libraryInfo, telemetry: telemetry, serverTelemetryManager: serverTelemetryManager, persistencePlugin: persistencePlugin, serializableCache: serializableCache, }) {
|
|
5799
5876
|
const loggerOptions = {
|
|
@@ -5805,7 +5882,7 @@ function buildClientConfiguration({ authOptions: userAuthOptions, systemOptions:
|
|
|
5805
5882
|
systemOptions: { ...DEFAULT_SYSTEM_OPTIONS, ...userSystemOptions },
|
|
5806
5883
|
loggerOptions: loggerOptions,
|
|
5807
5884
|
storageInterface: storageImplementation ||
|
|
5808
|
-
new DefaultStorageClass(userAuthOptions.clientId, DEFAULT_CRYPTO_IMPLEMENTATION, new Logger(loggerOptions), new StubPerformanceClient()),
|
|
5885
|
+
new DefaultStorageClass(userAuthOptions.clientId, DEFAULT_CRYPTO_IMPLEMENTATION, new Logger(loggerOptions, name, version), new StubPerformanceClient()),
|
|
5809
5886
|
networkInterface: networkImplementation || DEFAULT_NETWORK_IMPLEMENTATION,
|
|
5810
5887
|
cryptoInterface: cryptoImplementation || DEFAULT_CRYPTO_IMPLEMENTATION,
|
|
5811
5888
|
clientCredentials: clientCredentials || DEFAULT_CLIENT_CREDENTIALS,
|
|
@@ -5922,7 +5999,7 @@ class PopTokenGenerator {
|
|
|
5922
5999
|
// Deconstruct request to extract SHR parameters
|
|
5923
6000
|
const { resourceRequestMethod, resourceRequestUri, shrClaims, shrNonce, shrOptions, } = request;
|
|
5924
6001
|
const resourceUrlString = resourceRequestUri
|
|
5925
|
-
? new UrlString(resourceRequestUri)
|
|
6002
|
+
? new UrlString(resourceRequestUri, request.correlationId)
|
|
5926
6003
|
: undefined;
|
|
5927
6004
|
const resourceUrlComponents = resourceUrlString?.getUrlComponents();
|
|
5928
6005
|
return this.cryptoUtils.signJwt({
|
|
@@ -6033,12 +6110,11 @@ const InteractionRequiredAuthSubErrorMessage = [
|
|
|
6033
6110
|
* Error thrown when user interaction is required.
|
|
6034
6111
|
*/
|
|
6035
6112
|
class InteractionRequiredAuthError extends AuthError {
|
|
6036
|
-
constructor(errorCode, errorMessage, subError, timestamp, traceId,
|
|
6037
|
-
super(errorCode, errorMessage, subError);
|
|
6113
|
+
constructor(errorCode, correlationId, errorMessage, subError, timestamp, traceId, claims, errorNo) {
|
|
6114
|
+
super(errorCode, correlationId, errorMessage, subError);
|
|
6038
6115
|
Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
|
|
6039
6116
|
this.timestamp = timestamp || "";
|
|
6040
6117
|
this.traceId = traceId || "";
|
|
6041
|
-
this.correlationId = correlationId || "";
|
|
6042
6118
|
this.claims = claims || "";
|
|
6043
6119
|
this.name = "InteractionRequiredAuthError";
|
|
6044
6120
|
this.errorNo = errorNo;
|
|
@@ -6066,8 +6142,8 @@ function isInteractionRequiredError(errorCode, errorString, subError) {
|
|
|
6066
6142
|
/**
|
|
6067
6143
|
* Creates an InteractionRequiredAuthError
|
|
6068
6144
|
*/
|
|
6069
|
-
function createInteractionRequiredAuthError(errorCode, errorMessage) {
|
|
6070
|
-
return new InteractionRequiredAuthError(errorCode, errorMessage);
|
|
6145
|
+
function createInteractionRequiredAuthError(errorCode, correlationId, errorMessage) {
|
|
6146
|
+
return new InteractionRequiredAuthError(errorCode, correlationId, errorMessage);
|
|
6071
6147
|
}
|
|
6072
6148
|
|
|
6073
6149
|
/*
|
|
@@ -6078,8 +6154,8 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
|
|
|
6078
6154
|
* Error thrown when there is an error with the server code, for example, unavailability.
|
|
6079
6155
|
*/
|
|
6080
6156
|
class ServerError extends AuthError {
|
|
6081
|
-
constructor(errorCode, errorMessage, subError, errorNo, status) {
|
|
6082
|
-
super(errorCode, errorMessage, subError);
|
|
6157
|
+
constructor(errorCode, correlationId, errorMessage, subError, errorNo, status) {
|
|
6158
|
+
super(errorCode, correlationId, errorMessage, subError);
|
|
6083
6159
|
this.name = "ServerError";
|
|
6084
6160
|
this.errorNo = errorNo;
|
|
6085
6161
|
this.status = status;
|
|
@@ -6096,9 +6172,10 @@ class ServerError extends AuthError {
|
|
|
6096
6172
|
* @param cryptoObj
|
|
6097
6173
|
* @param userState
|
|
6098
6174
|
* @param meta
|
|
6175
|
+
* @param correlationId
|
|
6099
6176
|
*/
|
|
6100
|
-
function setRequestState(cryptoObj, userState, meta) {
|
|
6101
|
-
const libraryState = generateLibraryState(cryptoObj, meta);
|
|
6177
|
+
function setRequestState(cryptoObj, userState, meta, correlationId) {
|
|
6178
|
+
const libraryState = generateLibraryState(cryptoObj, correlationId, meta);
|
|
6102
6179
|
return userState
|
|
6103
6180
|
? `${libraryState}${RESOURCE_DELIM}${userState}`
|
|
6104
6181
|
: libraryState;
|
|
@@ -6106,11 +6183,12 @@ function setRequestState(cryptoObj, userState, meta) {
|
|
|
6106
6183
|
/**
|
|
6107
6184
|
* Generates the state value used by the common library.
|
|
6108
6185
|
* @param cryptoObj
|
|
6186
|
+
* @param correlationId
|
|
6109
6187
|
* @param meta
|
|
6110
6188
|
*/
|
|
6111
|
-
function generateLibraryState(cryptoObj, meta) {
|
|
6189
|
+
function generateLibraryState(cryptoObj, correlationId, meta) {
|
|
6112
6190
|
if (!cryptoObj) {
|
|
6113
|
-
throw createClientAuthError(noCryptoObject);
|
|
6191
|
+
throw createClientAuthError(noCryptoObject, correlationId);
|
|
6114
6192
|
}
|
|
6115
6193
|
// Create a state object containing a unique id and the timestamp of the request creation
|
|
6116
6194
|
const stateObj = {
|
|
@@ -6126,13 +6204,14 @@ function generateLibraryState(cryptoObj, meta) {
|
|
|
6126
6204
|
* Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
|
|
6127
6205
|
* @param base64Decode
|
|
6128
6206
|
* @param state
|
|
6207
|
+
* @param correlationId
|
|
6129
6208
|
*/
|
|
6130
|
-
function parseRequestState(base64Decode, state) {
|
|
6209
|
+
function parseRequestState(base64Decode, state, correlationId) {
|
|
6131
6210
|
if (!base64Decode) {
|
|
6132
|
-
throw createClientAuthError(noCryptoObject);
|
|
6211
|
+
throw createClientAuthError(noCryptoObject, correlationId);
|
|
6133
6212
|
}
|
|
6134
6213
|
if (!state) {
|
|
6135
|
-
throw createClientAuthError(invalidState);
|
|
6214
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
6136
6215
|
}
|
|
6137
6216
|
try {
|
|
6138
6217
|
// Split the state between library state and user passed state and decode them separately
|
|
@@ -6149,7 +6228,7 @@ function parseRequestState(base64Decode, state) {
|
|
|
6149
6228
|
};
|
|
6150
6229
|
}
|
|
6151
6230
|
catch (e) {
|
|
6152
|
-
throw createClientAuthError(invalidState);
|
|
6231
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
6153
6232
|
}
|
|
6154
6233
|
}
|
|
6155
6234
|
|
|
@@ -6193,7 +6272,7 @@ class ResponseHandler {
|
|
|
6193
6272
|
const serverErrorNo = serverResponse.error_codes?.length
|
|
6194
6273
|
? serverResponse.error_codes[0]
|
|
6195
6274
|
: undefined;
|
|
6196
|
-
const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
6275
|
+
const serverError = new ServerError(serverResponse.error || "", serverResponse.correlation_id || "", errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
6197
6276
|
// check if 500 error
|
|
6198
6277
|
if (refreshAccessToken &&
|
|
6199
6278
|
serverResponse.status &&
|
|
@@ -6215,7 +6294,7 @@ class ResponseHandler {
|
|
|
6215
6294
|
return;
|
|
6216
6295
|
}
|
|
6217
6296
|
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6218
|
-
throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.
|
|
6297
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6219
6298
|
}
|
|
6220
6299
|
throw serverError;
|
|
6221
6300
|
}
|
|
@@ -6225,24 +6304,16 @@ class ResponseHandler {
|
|
|
6225
6304
|
* @param serverTokenResponse
|
|
6226
6305
|
* @param authority
|
|
6227
6306
|
*/
|
|
6228
|
-
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
|
|
6307
|
+
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId, additionalCacheKeyComponents) {
|
|
6229
6308
|
// create an idToken object (not entity)
|
|
6230
6309
|
let idTokenClaims;
|
|
6231
6310
|
if (serverTokenResponse.id_token) {
|
|
6232
|
-
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode);
|
|
6311
|
+
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode, request.correlationId);
|
|
6233
6312
|
// token nonce check (TODO: Add a warning if no nonce is given?)
|
|
6234
6313
|
if (authCodePayload && authCodePayload.nonce) {
|
|
6235
6314
|
if (idTokenClaims.nonce !== authCodePayload.nonce) {
|
|
6236
|
-
throw createClientAuthError(nonceMismatch);
|
|
6237
|
-
}
|
|
6238
|
-
}
|
|
6239
|
-
// token max_age check
|
|
6240
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
6241
|
-
const authTime = idTokenClaims.auth_time;
|
|
6242
|
-
if (!authTime) {
|
|
6243
|
-
throw createClientAuthError(authTimeNotFound);
|
|
6315
|
+
throw createClientAuthError(nonceMismatch, request.correlationId);
|
|
6244
6316
|
}
|
|
6245
|
-
checkMaxAge(authTime, request.maxAge);
|
|
6246
6317
|
}
|
|
6247
6318
|
}
|
|
6248
6319
|
// generate homeAccountId
|
|
@@ -6250,12 +6321,12 @@ class ResponseHandler {
|
|
|
6250
6321
|
// save the response tokens
|
|
6251
6322
|
let requestStateObj;
|
|
6252
6323
|
if (!!authCodePayload && !!authCodePayload.state) {
|
|
6253
|
-
requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state);
|
|
6324
|
+
requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state, request.correlationId);
|
|
6254
6325
|
}
|
|
6255
6326
|
// Add keyId from request to serverTokenResponse if defined
|
|
6256
6327
|
serverTokenResponse.key_id =
|
|
6257
6328
|
serverTokenResponse.key_id || request.sshKid || undefined;
|
|
6258
|
-
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
|
|
6329
|
+
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents);
|
|
6259
6330
|
let cacheContext;
|
|
6260
6331
|
try {
|
|
6261
6332
|
if (this.persistencePlugin && this.serializableCache) {
|
|
@@ -6302,10 +6373,10 @@ class ResponseHandler {
|
|
|
6302
6373
|
* @param idTokenObj
|
|
6303
6374
|
* @param authority
|
|
6304
6375
|
*/
|
|
6305
|
-
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
|
|
6376
|
+
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents) {
|
|
6306
6377
|
const env = authority.getPreferredCache();
|
|
6307
6378
|
if (!env) {
|
|
6308
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
6379
|
+
throw createClientAuthError(invalidCacheEnvironment, request.correlationId);
|
|
6309
6380
|
}
|
|
6310
6381
|
const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
|
|
6311
6382
|
// IdToken: non AAD scenarios can have empty realm
|
|
@@ -6321,8 +6392,8 @@ class ResponseHandler {
|
|
|
6321
6392
|
if (serverTokenResponse.access_token) {
|
|
6322
6393
|
// If scopes not returned in server response, use request scopes
|
|
6323
6394
|
const responseScopes = serverTokenResponse.scope
|
|
6324
|
-
? ScopeSet.fromString(serverTokenResponse.scope)
|
|
6325
|
-
: new ScopeSet(request.scopes || []);
|
|
6395
|
+
? ScopeSet.fromString(serverTokenResponse.scope, request.correlationId)
|
|
6396
|
+
: new ScopeSet(request.scopes || [], request.correlationId);
|
|
6326
6397
|
/*
|
|
6327
6398
|
* Use timestamp calculated before request
|
|
6328
6399
|
* Server may return timestamps as strings, parse to numbers if so.
|
|
@@ -6342,7 +6413,7 @@ class ResponseHandler {
|
|
|
6342
6413
|
? reqTimestamp + refreshIn
|
|
6343
6414
|
: undefined;
|
|
6344
6415
|
// non AAD scenarios can have empty realm
|
|
6345
|
-
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id);
|
|
6416
|
+
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, request.correlationId, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, additionalCacheKeyComponents);
|
|
6346
6417
|
// Set resource (to be used for MCP scenarios)
|
|
6347
6418
|
const resource = request.resource || null;
|
|
6348
6419
|
if (resource) {
|
|
@@ -6408,14 +6479,14 @@ class ResponseHandler {
|
|
|
6408
6479
|
const popTokenGenerator = new PopTokenGenerator(cryptoObj, performanceClient);
|
|
6409
6480
|
const { secret, keyId } = cacheRecord.accessToken;
|
|
6410
6481
|
if (!keyId) {
|
|
6411
|
-
throw createClientAuthError(keyIdMissing);
|
|
6482
|
+
throw createClientAuthError(keyIdMissing, request.correlationId);
|
|
6412
6483
|
}
|
|
6413
6484
|
accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
|
|
6414
6485
|
}
|
|
6415
6486
|
else {
|
|
6416
6487
|
accessToken = cacheRecord.accessToken.secret;
|
|
6417
6488
|
}
|
|
6418
|
-
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
6489
|
+
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target, request.correlationId).asArray();
|
|
6419
6490
|
// Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
|
|
6420
6491
|
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
6421
6492
|
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
@@ -6433,8 +6504,18 @@ class ResponseHandler {
|
|
|
6433
6504
|
const tid = idTokenClaims?.tid || "";
|
|
6434
6505
|
// for hybrid + native bridge enablement, send back the native account Id
|
|
6435
6506
|
if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
|
|
6507
|
+
// Set on deprecated top-level for downgrade compat
|
|
6436
6508
|
cacheRecord.account.nativeAccountId =
|
|
6437
6509
|
serverTokenResponse?.spa_accountid;
|
|
6510
|
+
// Set on the matching tenant profile (source of truth)
|
|
6511
|
+
const targetTenantId = tid || cacheRecord.account.realm;
|
|
6512
|
+
if (cacheRecord.account.tenantProfiles) {
|
|
6513
|
+
const matchingProfile = cacheRecord.account.tenantProfiles.find((tp) => tp.tenantId === targetTenantId);
|
|
6514
|
+
if (matchingProfile) {
|
|
6515
|
+
matchingProfile.nativeAccountId =
|
|
6516
|
+
serverTokenResponse.spa_accountid;
|
|
6517
|
+
}
|
|
6518
|
+
}
|
|
6438
6519
|
}
|
|
6439
6520
|
const accountInfo = cacheRecord.account
|
|
6440
6521
|
? updateAccountTenantProfileData(getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
|
|
@@ -6465,6 +6546,7 @@ class ResponseHandler {
|
|
|
6465
6546
|
};
|
|
6466
6547
|
}
|
|
6467
6548
|
}
|
|
6549
|
+
/** @internal */
|
|
6468
6550
|
function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger, performanceClient) {
|
|
6469
6551
|
logger?.verbose("setCachedAccount called", correlationId);
|
|
6470
6552
|
/*
|
|
@@ -6492,14 +6574,14 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
6492
6574
|
cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
|
|
6493
6575
|
msGraphHost: authCodePayload?.msgraph_host,
|
|
6494
6576
|
nativeAccountId: nativeAccountId,
|
|
6495
|
-
}, authority, base64Decode);
|
|
6577
|
+
}, authority, correlationId, base64Decode);
|
|
6496
6578
|
const tenantProfiles = baseAccount.tenantProfiles || [];
|
|
6497
6579
|
const tenantId = claimsTenantId || baseAccount.realm;
|
|
6498
6580
|
if (tenantId &&
|
|
6499
6581
|
!tenantProfiles.find((tenantProfile) => {
|
|
6500
6582
|
return tenantProfile.tenantId === tenantId;
|
|
6501
6583
|
})) {
|
|
6502
|
-
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
|
|
6584
|
+
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, nativeAccountId, idTokenClaims);
|
|
6503
6585
|
tenantProfiles.push(newTenantProfile);
|
|
6504
6586
|
}
|
|
6505
6587
|
baseAccount.tenantProfiles = tenantProfiles;
|
|
@@ -6519,7 +6601,7 @@ const CcsCredentialType = {
|
|
|
6519
6601
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6520
6602
|
* Licensed under the MIT License.
|
|
6521
6603
|
*/
|
|
6522
|
-
async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
6604
|
+
async function getClientAssertion(clientAssertion, clientId, tokenEndpoint, fmiPath) {
|
|
6523
6605
|
if (typeof clientAssertion === "string") {
|
|
6524
6606
|
return clientAssertion;
|
|
6525
6607
|
}
|
|
@@ -6527,6 +6609,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
|
6527
6609
|
const config = {
|
|
6528
6610
|
clientId: clientId,
|
|
6529
6611
|
tokenEndpoint: tokenEndpoint,
|
|
6612
|
+
fmiPath: fmiPath,
|
|
6530
6613
|
};
|
|
6531
6614
|
return clientAssertion(config);
|
|
6532
6615
|
}
|
|
@@ -6583,7 +6666,7 @@ class ThrottlingUtils {
|
|
|
6583
6666
|
cacheManager.removeItem(key, correlationId);
|
|
6584
6667
|
return;
|
|
6585
6668
|
}
|
|
6586
|
-
throw new ServerError(value.errorCodes?.join(" ") || "", value.errorMessage, value.subError);
|
|
6669
|
+
throw new ServerError(value.errorCodes?.join(" ") || "", correlationId, value.errorMessage, value.subError);
|
|
6587
6670
|
}
|
|
6588
6671
|
}
|
|
6589
6672
|
/**
|
|
@@ -6650,7 +6733,7 @@ class ThrottlingUtils {
|
|
|
6650
6733
|
*/
|
|
6651
6734
|
class NetworkError extends AuthError {
|
|
6652
6735
|
constructor(error, httpStatus, responseHeaders) {
|
|
6653
|
-
super(error.errorCode, error.errorMessage, error.subError);
|
|
6736
|
+
super(error.errorCode, error.correlationId, error.errorMessage, error.subError);
|
|
6654
6737
|
Object.setPrototypeOf(this, NetworkError.prototype);
|
|
6655
6738
|
this.name = "NetworkError";
|
|
6656
6739
|
this.error = error;
|
|
@@ -6720,6 +6803,7 @@ function createTokenQueryParameters(request, clientId, redirectUri, performanceC
|
|
|
6720
6803
|
* @param queryString
|
|
6721
6804
|
* @param headers
|
|
6722
6805
|
* @param thumbprint
|
|
6806
|
+
* @internal
|
|
6723
6807
|
*/
|
|
6724
6808
|
async function executePostToTokenEndpoint(tokenEndpoint, queryString, headers, thumbprint, correlationId, cacheManager, networkClient, logger, performanceClient, serverTelemetryManager) {
|
|
6725
6809
|
const response = await sendPostRequest(thumbprint, tokenEndpoint, { body: queryString, headers: headers }, correlationId, cacheManager, networkClient, logger, performanceClient);
|
|
@@ -6741,6 +6825,7 @@ async function executePostToTokenEndpoint(tokenEndpoint, queryString, headers, t
|
|
|
6741
6825
|
* @param networkClient - Network module instance
|
|
6742
6826
|
* @param logger - Logger instance
|
|
6743
6827
|
* @param performanceClient - Performance client instance
|
|
6828
|
+
* @internal
|
|
6744
6829
|
*/
|
|
6745
6830
|
async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId, cacheManager, networkClient, logger, performanceClient) {
|
|
6746
6831
|
ThrottlingUtils.preProcess(cacheManager, thumbprint, correlationId);
|
|
@@ -6775,7 +6860,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
|
|
|
6775
6860
|
throw e;
|
|
6776
6861
|
}
|
|
6777
6862
|
else {
|
|
6778
|
-
throw createClientAuthError(networkError);
|
|
6863
|
+
throw createClientAuthError(networkError, correlationId);
|
|
6779
6864
|
}
|
|
6780
6865
|
}
|
|
6781
6866
|
ThrottlingUtils.postProcess(cacheManager, thumbprint, response, correlationId);
|
|
@@ -6828,7 +6913,7 @@ class AuthorizationCodeClient {
|
|
|
6828
6913
|
*/
|
|
6829
6914
|
async acquireToken(request, apiId, authCodePayload) {
|
|
6830
6915
|
if (!request.code) {
|
|
6831
|
-
throw createClientAuthError(requestCannotBeMade);
|
|
6916
|
+
throw createClientAuthError(requestCannotBeMade, request.correlationId);
|
|
6832
6917
|
}
|
|
6833
6918
|
// Check for new cloud instance
|
|
6834
6919
|
if (authCodePayload && authCodePayload.cloud_instance_host_name) {
|
|
@@ -6851,7 +6936,7 @@ class AuthorizationCodeClient {
|
|
|
6851
6936
|
getLogoutUri(logoutRequest) {
|
|
6852
6937
|
// Throw error if logoutRequest is null/undefined
|
|
6853
6938
|
if (!logoutRequest) {
|
|
6854
|
-
throw createClientConfigurationError(logoutRequestEmpty);
|
|
6939
|
+
throw createClientConfigurationError(logoutRequestEmpty, "");
|
|
6855
6940
|
}
|
|
6856
6941
|
const queryString = this.createLogoutUrlQueryString(logoutRequest);
|
|
6857
6942
|
// Construct logout URI
|
|
@@ -6899,7 +6984,7 @@ class AuthorizationCodeClient {
|
|
|
6899
6984
|
if (!this.includeRedirectUri) {
|
|
6900
6985
|
// Just validate
|
|
6901
6986
|
if (!request.redirectUri) {
|
|
6902
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
6987
|
+
throw createClientConfigurationError(redirectUriEmpty, request.correlationId);
|
|
6903
6988
|
}
|
|
6904
6989
|
}
|
|
6905
6990
|
else {
|
|
@@ -6907,7 +6992,7 @@ class AuthorizationCodeClient {
|
|
|
6907
6992
|
addRedirectUri(parameters, request.redirectUri);
|
|
6908
6993
|
}
|
|
6909
6994
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
6910
|
-
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
6995
|
+
addScopes(parameters, request.scopes, request.correlationId, true, this.oidcDefaultScopes);
|
|
6911
6996
|
addResource(parameters, request.resource);
|
|
6912
6997
|
// add code: user set, not validated
|
|
6913
6998
|
addAuthorizationCode(parameters, request.code);
|
|
@@ -6950,7 +7035,7 @@ class AuthorizationCodeClient {
|
|
|
6950
7035
|
addSshJwk(parameters, request.sshJwk);
|
|
6951
7036
|
}
|
|
6952
7037
|
else {
|
|
6953
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
7038
|
+
throw createClientConfigurationError(missingSshJwk, request.correlationId);
|
|
6954
7039
|
}
|
|
6955
7040
|
}
|
|
6956
7041
|
let ccsCred = undefined;
|
|
@@ -7001,7 +7086,7 @@ class AuthorizationCodeClient {
|
|
|
7001
7086
|
});
|
|
7002
7087
|
}
|
|
7003
7088
|
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7004
|
-
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7089
|
+
addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7005
7090
|
return mapToQueryString(parameters);
|
|
7006
7091
|
}
|
|
7007
7092
|
/**
|
|
@@ -7089,11 +7174,11 @@ class RefreshTokenClient {
|
|
|
7089
7174
|
async acquireTokenByRefreshToken(request, apiId) {
|
|
7090
7175
|
// Cannot renew token if no request object is given.
|
|
7091
7176
|
if (!request) {
|
|
7092
|
-
throw createClientConfigurationError(tokenRequestEmpty);
|
|
7177
|
+
throw createClientConfigurationError(tokenRequestEmpty, "");
|
|
7093
7178
|
}
|
|
7094
7179
|
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
7095
7180
|
if (!request.account) {
|
|
7096
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
7181
|
+
throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
|
|
7097
7182
|
}
|
|
7098
7183
|
// try checking if FOCI is enabled for the given application
|
|
7099
7184
|
const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment, request.correlationId);
|
|
@@ -7130,7 +7215,7 @@ class RefreshTokenClient {
|
|
|
7130
7215
|
// fetches family RT or application RT based on FOCI value
|
|
7131
7216
|
const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined);
|
|
7132
7217
|
if (!refreshToken) {
|
|
7133
|
-
throw createInteractionRequiredAuthError(noTokensFound);
|
|
7218
|
+
throw createInteractionRequiredAuthError(noTokensFound, request.correlationId);
|
|
7134
7219
|
}
|
|
7135
7220
|
if (refreshToken.expiresOn) {
|
|
7136
7221
|
const offset = request.refreshTokenExpirationOffsetSeconds ||
|
|
@@ -7140,7 +7225,7 @@ class RefreshTokenClient {
|
|
|
7140
7225
|
rtOffsetSeconds: offset,
|
|
7141
7226
|
}, request.correlationId);
|
|
7142
7227
|
if (isTokenExpired(refreshToken.expiresOn, offset)) {
|
|
7143
|
-
throw createInteractionRequiredAuthError(refreshTokenExpired);
|
|
7228
|
+
throw createInteractionRequiredAuthError(refreshTokenExpired, request.correlationId);
|
|
7144
7229
|
}
|
|
7145
7230
|
}
|
|
7146
7231
|
// attach cached RT size to the current measurement
|
|
@@ -7194,7 +7279,7 @@ class RefreshTokenClient {
|
|
|
7194
7279
|
if (request.redirectUri) {
|
|
7195
7280
|
addRedirectUri(parameters, request.redirectUri);
|
|
7196
7281
|
}
|
|
7197
|
-
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7282
|
+
addScopes(parameters, request.scopes, request.correlationId, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7198
7283
|
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7199
7284
|
addClientInfo(parameters);
|
|
7200
7285
|
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
@@ -7230,7 +7315,7 @@ class RefreshTokenClient {
|
|
|
7230
7315
|
addSshJwk(parameters, request.sshJwk);
|
|
7231
7316
|
}
|
|
7232
7317
|
else {
|
|
7233
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
7318
|
+
throw createClientConfigurationError(missingSshJwk, request.correlationId);
|
|
7234
7319
|
}
|
|
7235
7320
|
}
|
|
7236
7321
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
@@ -7259,7 +7344,7 @@ class RefreshTokenClient {
|
|
|
7259
7344
|
});
|
|
7260
7345
|
}
|
|
7261
7346
|
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7262
|
-
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7347
|
+
addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7263
7348
|
return mapToQueryString(parameters);
|
|
7264
7349
|
}
|
|
7265
7350
|
}
|
|
@@ -7297,32 +7382,32 @@ class SilentFlowClient {
|
|
|
7297
7382
|
if (request.forceRefresh || !StringUtils.isEmptyObj(request.claims)) {
|
|
7298
7383
|
// Must refresh due to present force_refresh flag.
|
|
7299
7384
|
this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
|
|
7300
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7385
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7301
7386
|
}
|
|
7302
7387
|
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
7303
7388
|
if (!request.account) {
|
|
7304
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
7389
|
+
throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
|
|
7305
7390
|
}
|
|
7306
7391
|
const requestTenantId = request.account.tenantId ||
|
|
7307
|
-
getTenantFromAuthorityString(request.authority);
|
|
7392
|
+
getTenantFromAuthorityString(request.authority, request.correlationId);
|
|
7308
7393
|
const tokenKeys = this.cacheManager.getTokenKeys();
|
|
7309
7394
|
const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId);
|
|
7310
7395
|
if (!cachedAccessToken) {
|
|
7311
7396
|
// must refresh due to non-existent access_token
|
|
7312
7397
|
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
7313
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7398
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7314
7399
|
}
|
|
7315
7400
|
else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
|
|
7316
7401
|
isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
|
|
7317
7402
|
// must refresh due to the expires_in value
|
|
7318
7403
|
this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
|
|
7319
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7404
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7320
7405
|
}
|
|
7321
7406
|
else if (request.resource) {
|
|
7322
7407
|
// cached access token must have a resource that matches the request resource for MCP scenarios
|
|
7323
7408
|
if (cachedAccessToken.resource !== request.resource) {
|
|
7324
7409
|
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
7325
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7410
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7326
7411
|
}
|
|
7327
7412
|
}
|
|
7328
7413
|
else if (cachedAccessToken.refreshOn &&
|
|
@@ -7364,15 +7449,7 @@ class SilentFlowClient {
|
|
|
7364
7449
|
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
7365
7450
|
let idTokenClaims;
|
|
7366
7451
|
if (cacheRecord.idToken) {
|
|
7367
|
-
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
7368
|
-
}
|
|
7369
|
-
// token max_age check
|
|
7370
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
7371
|
-
const authTime = idTokenClaims?.auth_time;
|
|
7372
|
-
if (!authTime) {
|
|
7373
|
-
throw createClientAuthError(authTimeNotFound);
|
|
7374
|
-
}
|
|
7375
|
-
checkMaxAge(authTime, request.maxAge);
|
|
7452
|
+
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode, request.correlationId);
|
|
7376
7453
|
}
|
|
7377
7454
|
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, this.performanceClient, idTokenClaims);
|
|
7378
7455
|
}
|
|
@@ -7383,11 +7460,12 @@ class SilentFlowClient {
|
|
|
7383
7460
|
* Licensed under the MIT License.
|
|
7384
7461
|
*/
|
|
7385
7462
|
const StubbedNetworkModule = {
|
|
7463
|
+
// Module-level singleton: no per-request correlationId available
|
|
7386
7464
|
sendGetRequestAsync: () => {
|
|
7387
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7465
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, ""));
|
|
7388
7466
|
},
|
|
7389
7467
|
sendPostRequestAsync: () => {
|
|
7390
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7468
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, ""));
|
|
7391
7469
|
},
|
|
7392
7470
|
};
|
|
7393
7471
|
|
|
@@ -7402,6 +7480,7 @@ const StubbedNetworkModule = {
|
|
|
7402
7480
|
* @param logger
|
|
7403
7481
|
* @param performanceClient
|
|
7404
7482
|
* @returns
|
|
7483
|
+
* @internal
|
|
7405
7484
|
*/
|
|
7406
7485
|
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7407
7486
|
// generate the correlationId if not set by the user and add
|
|
@@ -7414,7 +7493,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
|
|
|
7414
7493
|
...(request.scopes || []),
|
|
7415
7494
|
...(request.extraScopesToConsent || []),
|
|
7416
7495
|
];
|
|
7417
|
-
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7496
|
+
addScopes(parameters, requestScopes, request.correlationId, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7418
7497
|
addResource(parameters, request.resource);
|
|
7419
7498
|
addRedirectUri(parameters, request.redirectUri);
|
|
7420
7499
|
addCorrelationId(parameters, correlationId);
|
|
@@ -7516,7 +7595,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
|
|
|
7516
7595
|
if (request.embeddedClientId) {
|
|
7517
7596
|
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7518
7597
|
}
|
|
7519
|
-
addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7598
|
+
addClaims(parameters, request.correlationId, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7520
7599
|
// If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
|
|
7521
7600
|
if (authOptions.instanceAware &&
|
|
7522
7601
|
(!request.extraQueryParameters ||
|
|
@@ -7530,6 +7609,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
|
|
|
7530
7609
|
* @param authority
|
|
7531
7610
|
* @param requestParameters
|
|
7532
7611
|
* @returns
|
|
7612
|
+
* @internal
|
|
7533
7613
|
*/
|
|
7534
7614
|
function getAuthorizeUrl(authority, requestParameters) {
|
|
7535
7615
|
const queryString = mapToQueryString(requestParameters);
|
|
@@ -7540,13 +7620,14 @@ function getAuthorizeUrl(authority, requestParameters) {
|
|
|
7540
7620
|
* the client to exchange for a token in acquireToken.
|
|
7541
7621
|
* @param serverParams
|
|
7542
7622
|
* @param cachedState
|
|
7623
|
+
* @param correlationId
|
|
7543
7624
|
*/
|
|
7544
|
-
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7625
|
+
function getAuthorizationCodePayload(serverParams, cachedState, correlationId) {
|
|
7545
7626
|
// Get code response
|
|
7546
|
-
validateAuthorizationResponse(serverParams, cachedState);
|
|
7627
|
+
validateAuthorizationResponse(serverParams, cachedState, correlationId);
|
|
7547
7628
|
// throw when there is no auth code in the response
|
|
7548
7629
|
if (!serverParams.code) {
|
|
7549
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7630
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse, correlationId);
|
|
7550
7631
|
}
|
|
7551
7632
|
return serverParams;
|
|
7552
7633
|
}
|
|
@@ -7554,12 +7635,13 @@ function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
|
7554
7635
|
* Function which validates server authorization code response.
|
|
7555
7636
|
* @param serverResponseHash
|
|
7556
7637
|
* @param requestState
|
|
7638
|
+
* @param correlationId
|
|
7557
7639
|
*/
|
|
7558
|
-
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7640
|
+
function validateAuthorizationResponse(serverResponse, requestState, correlationId) {
|
|
7559
7641
|
if (!serverResponse.state || !requestState) {
|
|
7560
7642
|
throw serverResponse.state
|
|
7561
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
7562
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
7643
|
+
? createClientAuthError(stateNotFound, correlationId, "Cached State")
|
|
7644
|
+
: createClientAuthError(stateNotFound, correlationId, "Server State");
|
|
7563
7645
|
}
|
|
7564
7646
|
let decodedServerResponseState;
|
|
7565
7647
|
let decodedRequestState;
|
|
@@ -7567,16 +7649,16 @@ function validateAuthorizationResponse(serverResponse, requestState) {
|
|
|
7567
7649
|
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7568
7650
|
}
|
|
7569
7651
|
catch (e) {
|
|
7570
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7652
|
+
throw createClientAuthError(invalidState, correlationId, serverResponse.state);
|
|
7571
7653
|
}
|
|
7572
7654
|
try {
|
|
7573
7655
|
decodedRequestState = decodeURIComponent(requestState);
|
|
7574
7656
|
}
|
|
7575
7657
|
catch (e) {
|
|
7576
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7658
|
+
throw createClientAuthError(invalidState, correlationId, serverResponse.state);
|
|
7577
7659
|
}
|
|
7578
7660
|
if (decodedServerResponseState !== decodedRequestState) {
|
|
7579
|
-
throw createClientAuthError(stateMismatch);
|
|
7661
|
+
throw createClientAuthError(stateMismatch, correlationId);
|
|
7580
7662
|
}
|
|
7581
7663
|
// Check for error
|
|
7582
7664
|
if (serverResponse.error ||
|
|
@@ -7584,9 +7666,9 @@ function validateAuthorizationResponse(serverResponse, requestState) {
|
|
|
7584
7666
|
serverResponse.suberror) {
|
|
7585
7667
|
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7586
7668
|
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7587
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.
|
|
7669
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7588
7670
|
}
|
|
7589
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7671
|
+
throw new ServerError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7590
7672
|
}
|
|
7591
7673
|
}
|
|
7592
7674
|
/**
|
|
@@ -7638,10 +7720,10 @@ function enforceResourceParameter(isMcp, request) {
|
|
|
7638
7720
|
if (request.resource &&
|
|
7639
7721
|
(containsResourceParam(request.extraParameters) ||
|
|
7640
7722
|
containsResourceParam(request.extraQueryParameters))) {
|
|
7641
|
-
throw createClientAuthError(misplacedResourceParam);
|
|
7723
|
+
throw createClientAuthError(misplacedResourceParam, request.correlationId || "");
|
|
7642
7724
|
}
|
|
7643
7725
|
if (!request.resource) {
|
|
7644
|
-
throw createClientAuthError(resourceParameterRequired);
|
|
7726
|
+
throw createClientAuthError(resourceParameterRequired, request.correlationId || "");
|
|
7645
7727
|
}
|
|
7646
7728
|
}
|
|
7647
7729
|
function containsResourceParam(params) {
|
|
@@ -7675,7 +7757,7 @@ class AuthenticationHeaderParser {
|
|
|
7675
7757
|
if (authenticationInfoChallenges.nextnonce) {
|
|
7676
7758
|
return authenticationInfoChallenges.nextnonce;
|
|
7677
7759
|
}
|
|
7678
|
-
throw createClientConfigurationError(invalidAuthenticationHeader);
|
|
7760
|
+
throw createClientConfigurationError(invalidAuthenticationHeader, "");
|
|
7679
7761
|
}
|
|
7680
7762
|
// Attempt to parse nonce from WWW-Authenticate
|
|
7681
7763
|
const wwwAuthenticate = this.headers[HeaderNames.WWWAuthenticate];
|
|
@@ -7684,10 +7766,10 @@ class AuthenticationHeaderParser {
|
|
|
7684
7766
|
if (wwwAuthenticateChallenges.nonce) {
|
|
7685
7767
|
return wwwAuthenticateChallenges.nonce;
|
|
7686
7768
|
}
|
|
7687
|
-
throw createClientConfigurationError(invalidAuthenticationHeader);
|
|
7769
|
+
throw createClientConfigurationError(invalidAuthenticationHeader, "");
|
|
7688
7770
|
}
|
|
7689
7771
|
// If neither header is present, throw missing headers error
|
|
7690
|
-
throw createClientConfigurationError(missingNonceAuthenticationHeader);
|
|
7772
|
+
throw createClientConfigurationError(missingNonceAuthenticationHeader, "");
|
|
7691
7773
|
}
|
|
7692
7774
|
/**
|
|
7693
7775
|
* Parses an HTTP header's challenge set into a key/value map.
|
|
@@ -7737,12 +7819,12 @@ function tagToString(tag) {
|
|
|
7737
7819
|
* Error class for MSAL Runtime errors that preserves detailed broker information
|
|
7738
7820
|
*/
|
|
7739
7821
|
class PlatformBrokerError extends AuthError {
|
|
7740
|
-
constructor(errorStatus, errorContext, errorCode, errorTag) {
|
|
7822
|
+
constructor(errorStatus, correlationId, errorContext, errorCode, errorTag) {
|
|
7741
7823
|
const tagString = tagToString(errorTag);
|
|
7742
7824
|
const enhancedErrorContext = errorContext
|
|
7743
7825
|
? `${errorContext} (Error Code: ${errorCode}, Tag: ${tagString})`
|
|
7744
7826
|
: `(Error Code: ${errorCode}, Tag: ${tagString})`;
|
|
7745
|
-
super(errorStatus, enhancedErrorContext);
|
|
7827
|
+
super(errorStatus, correlationId, enhancedErrorContext);
|
|
7746
7828
|
this.name = "PlatformBrokerError";
|
|
7747
7829
|
this.statusCode = errorCode;
|
|
7748
7830
|
this.tag = tagString;
|
|
@@ -8120,4 +8202,4 @@ exports.invokeAsync = invokeAsync;
|
|
|
8120
8202
|
exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
|
|
8121
8203
|
exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
|
|
8122
8204
|
exports.version = version;
|
|
8123
|
-
//# sourceMappingURL=index-node-
|
|
8205
|
+
//# sourceMappingURL=index-node-BSFEsmmC.js.map
|