@azure/msal-common 16.9.0 → 16.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (383) hide show
  1. package/dist/account/AccountInfo.mjs +9 -3
  2. package/dist/account/AccountInfo.mjs.map +1 -1
  3. package/dist/account/AuthToken.mjs +9 -23
  4. package/dist/account/AuthToken.mjs.map +1 -1
  5. package/dist/account/CcsCredential.mjs +1 -1
  6. package/dist/account/CcsCredential.mjs.map +1 -1
  7. package/dist/account/ClientInfo.mjs +4 -4
  8. package/dist/account/ClientInfo.mjs.map +1 -1
  9. package/dist/account/TokenClaims.mjs +1 -1
  10. package/dist/account/TokenClaims.mjs.map +1 -1
  11. package/dist/authority/Authority.mjs +36 -37
  12. package/dist/authority/Authority.mjs.map +1 -1
  13. package/dist/authority/AuthorityFactory.mjs +3 -3
  14. package/dist/authority/AuthorityFactory.mjs.map +1 -1
  15. package/dist/authority/AuthorityMetadata.mjs +2 -2
  16. package/dist/authority/AuthorityMetadata.mjs.map +1 -1
  17. package/dist/authority/AuthorityOptions.mjs +1 -1
  18. package/dist/authority/AuthorityOptions.mjs.map +1 -1
  19. package/dist/authority/AuthorityType.mjs +1 -1
  20. package/dist/authority/AuthorityType.mjs.map +1 -1
  21. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  22. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  23. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  24. package/dist/authority/ProtocolMode.mjs +1 -1
  25. package/dist/authority/ProtocolMode.mjs.map +1 -1
  26. package/dist/authority/RegionDiscovery.mjs +16 -10
  27. package/dist/authority/RegionDiscovery.mjs.map +1 -1
  28. package/dist/cache/CacheManager.mjs +62 -46
  29. package/dist/cache/CacheManager.mjs.map +1 -1
  30. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  31. package/dist/cache/persistence/TokenCacheContext.mjs.map +1 -1
  32. package/dist/cache/utils/AccountEntityUtils.mjs +18 -8
  33. package/dist/cache/utils/AccountEntityUtils.mjs.map +1 -1
  34. package/dist/cache/utils/CacheHelpers.mjs +10 -5
  35. package/dist/cache/utils/CacheHelpers.mjs.map +1 -1
  36. package/dist/client/AuthorizationCodeClient.mjs +7 -7
  37. package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
  38. package/dist/client/RefreshTokenClient.mjs +8 -8
  39. package/dist/client/RefreshTokenClient.mjs.map +1 -1
  40. package/dist/client/SilentFlowClient.mjs +10 -18
  41. package/dist/client/SilentFlowClient.mjs.map +1 -1
  42. package/dist/config/ClientConfiguration.mjs +3 -3
  43. package/dist/config/ClientConfiguration.mjs.map +1 -1
  44. package/dist/constants/AADServerParamKeys.mjs +7 -3
  45. package/dist/constants/AADServerParamKeys.mjs.map +1 -1
  46. package/dist/crypto/ICrypto.mjs +11 -11
  47. package/dist/crypto/ICrypto.mjs.map +1 -1
  48. package/dist/crypto/JoseHeader.mjs +3 -3
  49. package/dist/crypto/JoseHeader.mjs.map +1 -1
  50. package/dist/crypto/PopTokenGenerator.mjs +2 -2
  51. package/dist/crypto/PopTokenGenerator.mjs.map +1 -1
  52. package/dist/error/AuthError.mjs +5 -7
  53. package/dist/error/AuthError.mjs.map +1 -1
  54. package/dist/error/AuthErrorCodes.mjs +1 -1
  55. package/dist/error/CacheError.mjs +1 -1
  56. package/dist/error/CacheError.mjs.map +1 -1
  57. package/dist/error/CacheErrorCodes.mjs +1 -1
  58. package/dist/error/ClientAuthError.mjs +5 -5
  59. package/dist/error/ClientAuthError.mjs.map +1 -1
  60. package/dist/error/ClientAuthErrorCodes.mjs +2 -4
  61. package/dist/error/ClientAuthErrorCodes.mjs.map +1 -1
  62. package/dist/error/ClientConfigurationError.mjs +5 -5
  63. package/dist/error/ClientConfigurationError.mjs.map +1 -1
  64. package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
  65. package/dist/error/InteractionRequiredAuthError.mjs +5 -6
  66. package/dist/error/InteractionRequiredAuthError.mjs.map +1 -1
  67. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  68. package/dist/error/JoseHeaderError.mjs +5 -5
  69. package/dist/error/JoseHeaderError.mjs.map +1 -1
  70. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  71. package/dist/error/NetworkError.mjs +2 -2
  72. package/dist/error/NetworkError.mjs.map +1 -1
  73. package/dist/error/PlatformBrokerError.mjs +3 -3
  74. package/dist/error/PlatformBrokerError.mjs.map +1 -1
  75. package/dist/error/ServerError.mjs +3 -3
  76. package/dist/error/ServerError.mjs.map +1 -1
  77. package/dist/index-node.mjs +53 -53
  78. package/dist/index.mjs +59 -59
  79. package/dist/logger/Logger.mjs +1 -1
  80. package/dist/logger/Logger.mjs.map +1 -1
  81. package/dist/network/INetworkModule.mjs +4 -3
  82. package/dist/network/INetworkModule.mjs.map +1 -1
  83. package/dist/network/RequestThumbprint.mjs +1 -1
  84. package/dist/network/ThrottlingUtils.mjs +2 -2
  85. package/dist/network/ThrottlingUtils.mjs.map +1 -1
  86. package/dist/packageMetadata.mjs +2 -2
  87. package/dist/protocol/Authorize.mjs +16 -14
  88. package/dist/protocol/Authorize.mjs.map +1 -1
  89. package/dist/protocol/Token.mjs +2 -2
  90. package/dist/protocol/Token.mjs.map +1 -1
  91. package/dist/request/AuthenticationHeaderParser.mjs +4 -4
  92. package/dist/request/AuthenticationHeaderParser.mjs.map +1 -1
  93. package/dist/request/BaseAuthRequest.mjs +3 -3
  94. package/dist/request/BaseAuthRequest.mjs.map +1 -1
  95. package/dist/request/RequestParameterBuilder.mjs +51 -33
  96. package/dist/request/RequestParameterBuilder.mjs.map +1 -1
  97. package/dist/request/ScopeSet.mjs +13 -12
  98. package/dist/request/ScopeSet.mjs.map +1 -1
  99. package/dist/response/ResponseHandler.mjs +29 -27
  100. package/dist/response/ResponseHandler.mjs.map +1 -1
  101. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  102. package/dist/telemetry/performance/PerformanceClient.mjs.map +1 -1
  103. package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
  104. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  105. package/dist/telemetry/performance/PerformanceEvents.mjs +1 -1
  106. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  107. package/dist/telemetry/performance/StubPerformanceClient.mjs.map +1 -1
  108. package/dist/telemetry/server/ServerTelemetryManager.mjs +2 -2
  109. package/dist/telemetry/server/ServerTelemetryManager.mjs.map +1 -1
  110. package/dist/url/UrlString.mjs +15 -14
  111. package/dist/url/UrlString.mjs.map +1 -1
  112. package/dist/utils/ClientAssertionUtils.mjs +3 -2
  113. package/dist/utils/ClientAssertionUtils.mjs.map +1 -1
  114. package/dist/utils/Constants.mjs +7 -3
  115. package/dist/utils/Constants.mjs.map +1 -1
  116. package/dist/utils/FunctionWrappers.mjs +1 -1
  117. package/dist/utils/FunctionWrappers.mjs.map +1 -1
  118. package/dist/utils/ProtocolUtils.mjs +12 -9
  119. package/dist/utils/ProtocolUtils.mjs.map +1 -1
  120. package/dist/utils/StringUtils.mjs +1 -1
  121. package/dist/utils/StringUtils.mjs.map +1 -1
  122. package/dist/utils/TimeUtils.mjs +1 -1
  123. package/dist/utils/TimeUtils.mjs.map +1 -1
  124. package/dist/utils/UrlUtils.mjs +4 -4
  125. package/dist/utils/UrlUtils.mjs.map +1 -1
  126. package/dist-browser/account/AccountInfo.mjs +9 -3
  127. package/dist-browser/account/AccountInfo.mjs.map +1 -1
  128. package/dist-browser/account/AuthToken.mjs +9 -23
  129. package/dist-browser/account/AuthToken.mjs.map +1 -1
  130. package/dist-browser/account/CcsCredential.mjs +1 -1
  131. package/dist-browser/account/CcsCredential.mjs.map +1 -1
  132. package/dist-browser/account/ClientInfo.mjs +4 -4
  133. package/dist-browser/account/ClientInfo.mjs.map +1 -1
  134. package/dist-browser/account/TokenClaims.mjs +1 -1
  135. package/dist-browser/account/TokenClaims.mjs.map +1 -1
  136. package/dist-browser/authority/Authority.mjs +36 -37
  137. package/dist-browser/authority/Authority.mjs.map +1 -1
  138. package/dist-browser/authority/AuthorityFactory.mjs +3 -3
  139. package/dist-browser/authority/AuthorityFactory.mjs.map +1 -1
  140. package/dist-browser/authority/AuthorityMetadata.mjs +2 -2
  141. package/dist-browser/authority/AuthorityMetadata.mjs.map +1 -1
  142. package/dist-browser/authority/AuthorityOptions.mjs +1 -1
  143. package/dist-browser/authority/AuthorityOptions.mjs.map +1 -1
  144. package/dist-browser/authority/AuthorityType.mjs +1 -1
  145. package/dist-browser/authority/AuthorityType.mjs.map +1 -1
  146. package/dist-browser/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  147. package/dist-browser/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  148. package/dist-browser/authority/OpenIdConfigResponse.mjs +1 -1
  149. package/dist-browser/authority/ProtocolMode.mjs +1 -1
  150. package/dist-browser/authority/ProtocolMode.mjs.map +1 -1
  151. package/dist-browser/authority/RegionDiscovery.mjs +16 -10
  152. package/dist-browser/authority/RegionDiscovery.mjs.map +1 -1
  153. package/dist-browser/cache/CacheManager.mjs +62 -46
  154. package/dist-browser/cache/CacheManager.mjs.map +1 -1
  155. package/dist-browser/cache/persistence/TokenCacheContext.mjs +1 -1
  156. package/dist-browser/cache/persistence/TokenCacheContext.mjs.map +1 -1
  157. package/dist-browser/cache/utils/AccountEntityUtils.mjs +18 -8
  158. package/dist-browser/cache/utils/AccountEntityUtils.mjs.map +1 -1
  159. package/dist-browser/cache/utils/CacheHelpers.mjs +10 -5
  160. package/dist-browser/cache/utils/CacheHelpers.mjs.map +1 -1
  161. package/dist-browser/client/AuthorizationCodeClient.mjs +7 -7
  162. package/dist-browser/client/AuthorizationCodeClient.mjs.map +1 -1
  163. package/dist-browser/client/RefreshTokenClient.mjs +8 -8
  164. package/dist-browser/client/RefreshTokenClient.mjs.map +1 -1
  165. package/dist-browser/client/SilentFlowClient.mjs +10 -18
  166. package/dist-browser/client/SilentFlowClient.mjs.map +1 -1
  167. package/dist-browser/config/ClientConfiguration.mjs +3 -3
  168. package/dist-browser/config/ClientConfiguration.mjs.map +1 -1
  169. package/dist-browser/constants/AADServerParamKeys.mjs +7 -3
  170. package/dist-browser/constants/AADServerParamKeys.mjs.map +1 -1
  171. package/dist-browser/crypto/ICrypto.mjs +11 -11
  172. package/dist-browser/crypto/ICrypto.mjs.map +1 -1
  173. package/dist-browser/crypto/JoseHeader.mjs +3 -3
  174. package/dist-browser/crypto/JoseHeader.mjs.map +1 -1
  175. package/dist-browser/crypto/PopTokenGenerator.mjs +2 -2
  176. package/dist-browser/crypto/PopTokenGenerator.mjs.map +1 -1
  177. package/dist-browser/error/AuthError.mjs +5 -7
  178. package/dist-browser/error/AuthError.mjs.map +1 -1
  179. package/dist-browser/error/AuthErrorCodes.mjs +1 -1
  180. package/dist-browser/error/CacheError.mjs +1 -1
  181. package/dist-browser/error/CacheError.mjs.map +1 -1
  182. package/dist-browser/error/CacheErrorCodes.mjs +1 -1
  183. package/dist-browser/error/ClientAuthError.mjs +5 -5
  184. package/dist-browser/error/ClientAuthError.mjs.map +1 -1
  185. package/dist-browser/error/ClientAuthErrorCodes.mjs +2 -4
  186. package/dist-browser/error/ClientAuthErrorCodes.mjs.map +1 -1
  187. package/dist-browser/error/ClientConfigurationError.mjs +5 -5
  188. package/dist-browser/error/ClientConfigurationError.mjs.map +1 -1
  189. package/dist-browser/error/ClientConfigurationErrorCodes.mjs +1 -1
  190. package/dist-browser/error/InteractionRequiredAuthError.mjs +5 -6
  191. package/dist-browser/error/InteractionRequiredAuthError.mjs.map +1 -1
  192. package/dist-browser/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  193. package/dist-browser/error/JoseHeaderError.mjs +5 -5
  194. package/dist-browser/error/JoseHeaderError.mjs.map +1 -1
  195. package/dist-browser/error/JoseHeaderErrorCodes.mjs +1 -1
  196. package/dist-browser/error/NetworkError.mjs +2 -2
  197. package/dist-browser/error/NetworkError.mjs.map +1 -1
  198. package/dist-browser/error/PlatformBrokerError.mjs +3 -3
  199. package/dist-browser/error/PlatformBrokerError.mjs.map +1 -1
  200. package/dist-browser/error/ServerError.mjs +3 -3
  201. package/dist-browser/error/ServerError.mjs.map +1 -1
  202. package/dist-browser/index-browser.mjs +55 -55
  203. package/dist-browser/index.mjs +59 -59
  204. package/dist-browser/log-strings-mapping.json +2 -2
  205. package/dist-browser/logger/Logger.mjs +1 -1
  206. package/dist-browser/logger/Logger.mjs.map +1 -1
  207. package/dist-browser/network/INetworkModule.mjs +4 -3
  208. package/dist-browser/network/INetworkModule.mjs.map +1 -1
  209. package/dist-browser/network/RequestThumbprint.mjs +1 -1
  210. package/dist-browser/network/ThrottlingUtils.mjs +2 -2
  211. package/dist-browser/network/ThrottlingUtils.mjs.map +1 -1
  212. package/dist-browser/packageMetadata.mjs +2 -2
  213. package/dist-browser/protocol/Authorize.mjs +16 -14
  214. package/dist-browser/protocol/Authorize.mjs.map +1 -1
  215. package/dist-browser/protocol/Token.mjs +2 -2
  216. package/dist-browser/protocol/Token.mjs.map +1 -1
  217. package/dist-browser/request/AuthenticationHeaderParser.mjs +4 -4
  218. package/dist-browser/request/AuthenticationHeaderParser.mjs.map +1 -1
  219. package/dist-browser/request/BaseAuthRequest.mjs +3 -3
  220. package/dist-browser/request/BaseAuthRequest.mjs.map +1 -1
  221. package/dist-browser/request/RequestParameterBuilder.mjs +51 -33
  222. package/dist-browser/request/RequestParameterBuilder.mjs.map +1 -1
  223. package/dist-browser/request/ScopeSet.mjs +13 -12
  224. package/dist-browser/request/ScopeSet.mjs.map +1 -1
  225. package/dist-browser/response/ResponseHandler.mjs +29 -27
  226. package/dist-browser/response/ResponseHandler.mjs.map +1 -1
  227. package/dist-browser/telemetry/performance/PerformanceClient.mjs +1 -1
  228. package/dist-browser/telemetry/performance/PerformanceClient.mjs.map +1 -1
  229. package/dist-browser/telemetry/performance/PerformanceEvent.mjs +1 -1
  230. package/dist-browser/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  231. package/dist-browser/telemetry/performance/PerformanceEvents.mjs +1 -1
  232. package/dist-browser/telemetry/performance/StubPerformanceClient.mjs +1 -1
  233. package/dist-browser/telemetry/performance/StubPerformanceClient.mjs.map +1 -1
  234. package/dist-browser/telemetry/server/ServerTelemetryManager.mjs +2 -2
  235. package/dist-browser/telemetry/server/ServerTelemetryManager.mjs.map +1 -1
  236. package/dist-browser/url/UrlString.mjs +15 -14
  237. package/dist-browser/url/UrlString.mjs.map +1 -1
  238. package/dist-browser/utils/ClientAssertionUtils.mjs +3 -2
  239. package/dist-browser/utils/ClientAssertionUtils.mjs.map +1 -1
  240. package/dist-browser/utils/Constants.mjs +7 -3
  241. package/dist-browser/utils/Constants.mjs.map +1 -1
  242. package/dist-browser/utils/FunctionWrappers.mjs +1 -1
  243. package/dist-browser/utils/FunctionWrappers.mjs.map +1 -1
  244. package/dist-browser/utils/ProtocolUtils.mjs +12 -9
  245. package/dist-browser/utils/ProtocolUtils.mjs.map +1 -1
  246. package/dist-browser/utils/StringUtils.mjs +1 -1
  247. package/dist-browser/utils/StringUtils.mjs.map +1 -1
  248. package/dist-browser/utils/TimeUtils.mjs +1 -1
  249. package/dist-browser/utils/TimeUtils.mjs.map +1 -1
  250. package/dist-browser/utils/UrlUtils.mjs +4 -4
  251. package/dist-browser/utils/UrlUtils.mjs.map +1 -1
  252. package/lib/index-browser.cjs +8 -8
  253. package/lib/index-browser.cjs.map +1 -1
  254. package/lib/{index-node-CcOYLhxB.js → index-node-BSFEsmmC.js} +364 -312
  255. package/lib/index-node-BSFEsmmC.js.map +1 -0
  256. package/lib/index-node.cjs +2 -2
  257. package/lib/index.cjs +2 -2
  258. package/package.json +1 -1
  259. package/src/account/AccountInfo.ts +19 -1
  260. package/src/account/AuthToken.ts +19 -21
  261. package/src/account/ClientCredentials.ts +1 -0
  262. package/src/account/ClientInfo.ts +8 -3
  263. package/src/authority/Authority.ts +72 -37
  264. package/src/authority/AuthorityFactory.ts +4 -2
  265. package/src/authority/AuthorityMetadata.ts +2 -1
  266. package/src/authority/RegionDiscovery.ts +18 -11
  267. package/src/cache/CacheManager.ts +160 -57
  268. package/src/cache/entities/AccountEntity.ts +4 -0
  269. package/src/cache/entities/CredentialEntity.ts +2 -0
  270. package/src/cache/utils/AccountEntityUtils.ts +23 -3
  271. package/src/cache/utils/CacheHelpers.ts +15 -3
  272. package/src/cache/utils/CacheTypes.ts +2 -0
  273. package/src/client/AuthorizationCodeClient.ts +10 -4
  274. package/src/client/RefreshTokenClient.ts +12 -5
  275. package/src/client/SilentFlowClient.ts +17 -20
  276. package/src/config/ClientConfiguration.ts +8 -2
  277. package/src/constants/AADServerParamKeys.ts +5 -0
  278. package/src/crypto/ICrypto.ts +40 -10
  279. package/src/crypto/JoseHeader.ts +8 -2
  280. package/src/crypto/PopTokenGenerator.ts +1 -1
  281. package/src/error/AuthError.ts +9 -5
  282. package/src/error/ClientAuthError.ts +8 -3
  283. package/src/error/ClientAuthErrorCodes.ts +0 -2
  284. package/src/error/ClientConfigurationError.ts +5 -4
  285. package/src/error/InteractionRequiredAuthError.ts +9 -5
  286. package/src/error/JoseHeaderError.ts +11 -4
  287. package/src/error/NetworkError.ts +6 -1
  288. package/src/error/PlatformBrokerError.ts +2 -1
  289. package/src/error/ServerError.ts +3 -2
  290. package/src/network/INetworkModule.ts +3 -2
  291. package/src/network/ThrottlingUtils.ts +1 -0
  292. package/src/packageMetadata.ts +1 -1
  293. package/src/protocol/Authorize.ts +21 -6
  294. package/src/protocol/Token.ts +4 -1
  295. package/src/request/AuthenticationHeaderParser.ts +6 -3
  296. package/src/request/BaseAuthRequest.ts +8 -2
  297. package/src/request/RequestParameterBuilder.ts +66 -43
  298. package/src/request/ScopeSet.ts +27 -11
  299. package/src/response/ImdsComputeResponse.ts +14 -0
  300. package/src/response/ResponseHandler.ts +45 -32
  301. package/src/url/UrlString.ts +32 -13
  302. package/src/utils/ClientAssertionUtils.ts +3 -1
  303. package/src/utils/Constants.ts +6 -3
  304. package/src/utils/ProtocolUtils.ts +26 -8
  305. package/src/utils/UrlUtils.ts +8 -3
  306. package/types/account/AccountInfo.d.ts +8 -2
  307. package/types/account/AccountInfo.d.ts.map +1 -1
  308. package/types/account/AuthToken.d.ts +2 -6
  309. package/types/account/AuthToken.d.ts.map +1 -1
  310. package/types/account/ClientCredentials.d.ts +1 -0
  311. package/types/account/ClientCredentials.d.ts.map +1 -1
  312. package/types/account/ClientInfo.d.ts.map +1 -1
  313. package/types/authority/Authority.d.ts +4 -4
  314. package/types/authority/Authority.d.ts.map +1 -1
  315. package/types/authority/AuthorityFactory.d.ts.map +1 -1
  316. package/types/authority/AuthorityMetadata.d.ts.map +1 -1
  317. package/types/authority/RegionDiscovery.d.ts +3 -2
  318. package/types/authority/RegionDiscovery.d.ts.map +1 -1
  319. package/types/cache/CacheManager.d.ts +0 -7
  320. package/types/cache/CacheManager.d.ts.map +1 -1
  321. package/types/cache/entities/AccountEntity.d.ts +4 -0
  322. package/types/cache/entities/AccountEntity.d.ts.map +1 -1
  323. package/types/cache/entities/CredentialEntity.d.ts +2 -0
  324. package/types/cache/entities/CredentialEntity.d.ts.map +1 -1
  325. package/types/cache/utils/AccountEntityUtils.d.ts +1 -1
  326. package/types/cache/utils/AccountEntityUtils.d.ts.map +1 -1
  327. package/types/cache/utils/CacheHelpers.d.ts +1 -1
  328. package/types/cache/utils/CacheHelpers.d.ts.map +1 -1
  329. package/types/cache/utils/CacheTypes.d.ts +2 -1
  330. package/types/cache/utils/CacheTypes.d.ts.map +1 -1
  331. package/types/client/AuthorizationCodeClient.d.ts.map +1 -1
  332. package/types/client/RefreshTokenClient.d.ts.map +1 -1
  333. package/types/client/SilentFlowClient.d.ts.map +1 -1
  334. package/types/config/ClientConfiguration.d.ts.map +1 -1
  335. package/types/constants/AADServerParamKeys.d.ts +4 -0
  336. package/types/constants/AADServerParamKeys.d.ts.map +1 -1
  337. package/types/crypto/ICrypto.d.ts.map +1 -1
  338. package/types/crypto/JoseHeader.d.ts.map +1 -1
  339. package/types/error/AuthError.d.ts +2 -3
  340. package/types/error/AuthError.d.ts.map +1 -1
  341. package/types/error/ClientAuthError.d.ts +2 -2
  342. package/types/error/ClientAuthError.d.ts.map +1 -1
  343. package/types/error/ClientAuthErrorCodes.d.ts +0 -2
  344. package/types/error/ClientAuthErrorCodes.d.ts.map +1 -1
  345. package/types/error/ClientConfigurationError.d.ts +2 -2
  346. package/types/error/ClientConfigurationError.d.ts.map +1 -1
  347. package/types/error/InteractionRequiredAuthError.d.ts +2 -2
  348. package/types/error/InteractionRequiredAuthError.d.ts.map +1 -1
  349. package/types/error/JoseHeaderError.d.ts +2 -2
  350. package/types/error/JoseHeaderError.d.ts.map +1 -1
  351. package/types/error/NetworkError.d.ts.map +1 -1
  352. package/types/error/PlatformBrokerError.d.ts +1 -1
  353. package/types/error/PlatformBrokerError.d.ts.map +1 -1
  354. package/types/error/ServerError.d.ts +1 -1
  355. package/types/error/ServerError.d.ts.map +1 -1
  356. package/types/network/INetworkModule.d.ts.map +1 -1
  357. package/types/network/ThrottlingUtils.d.ts.map +1 -1
  358. package/types/packageMetadata.d.ts +1 -1
  359. package/types/packageMetadata.d.ts.map +1 -1
  360. package/types/protocol/Authorize.d.ts +4 -2
  361. package/types/protocol/Authorize.d.ts.map +1 -1
  362. package/types/protocol/Token.d.ts.map +1 -1
  363. package/types/request/AuthenticationHeaderParser.d.ts.map +1 -1
  364. package/types/request/BaseAuthRequest.d.ts +4 -0
  365. package/types/request/BaseAuthRequest.d.ts.map +1 -1
  366. package/types/request/RequestParameterBuilder.d.ts +12 -3
  367. package/types/request/RequestParameterBuilder.d.ts.map +1 -1
  368. package/types/request/ScopeSet.d.ts +4 -3
  369. package/types/request/ScopeSet.d.ts.map +1 -1
  370. package/types/response/ImdsComputeResponse.d.ts +10 -0
  371. package/types/response/ImdsComputeResponse.d.ts.map +1 -0
  372. package/types/response/ResponseHandler.d.ts +1 -1
  373. package/types/response/ResponseHandler.d.ts.map +1 -1
  374. package/types/url/UrlString.d.ts +5 -4
  375. package/types/url/UrlString.d.ts.map +1 -1
  376. package/types/utils/ClientAssertionUtils.d.ts +1 -1
  377. package/types/utils/ClientAssertionUtils.d.ts.map +1 -1
  378. package/types/utils/Constants.d.ts +6 -2
  379. package/types/utils/Constants.d.ts.map +1 -1
  380. package/types/utils/ProtocolUtils.d.ts +6 -3
  381. package/types/utils/ProtocolUtils.d.ts.map +1 -1
  382. package/types/utils/UrlUtils.d.ts.map +1 -1
  383. package/lib/index-node-CcOYLhxB.js.map +0 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v16.9.0 2026-06-16 */
1
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
@@ -29,7 +29,7 @@ function getDefaultErrorMessage(code) {
29
29
  * General error class thrown by the MSAL.js library.
30
30
  */
31
31
  class AuthError extends Error {
32
- constructor(errorCode, errorMessage, suberror) {
32
+ constructor(errorCode, correlationId, errorMessage, suberror) {
33
33
  const message = errorMessage ||
34
34
  (errorCode ? getDefaultErrorMessage(errorCode) : "");
35
35
  const errorString = message ? `${errorCode}: ${message}` : errorCode;
@@ -38,14 +38,12 @@ class AuthError extends Error {
38
38
  this.errorCode = errorCode || "";
39
39
  this.errorMessage = message || "";
40
40
  this.subError = suberror || "";
41
- this.name = "AuthError";
42
- }
43
- setCorrelationId(correlationId) {
44
41
  this.correlationId = correlationId;
42
+ this.name = "AuthError";
45
43
  }
46
44
  }
47
- function createAuthError(code, additionalMessage) {
48
- return new AuthError(code, additionalMessage || getDefaultErrorMessage(code));
45
+ function createAuthError(code, correlationId, additionalMessage) {
46
+ return new AuthError(code, correlationId, additionalMessage || getDefaultErrorMessage(code));
49
47
  }
50
48
 
51
49
  /*
@@ -64,8 +62,6 @@ const invalidState = "invalid_state";
64
62
  const stateMismatch = "state_mismatch";
65
63
  const stateNotFound = "state_not_found";
66
64
  const nonceMismatch = "nonce_mismatch";
67
- const authTimeNotFound = "auth_time_not_found";
68
- const maxAgeTranspired = "max_age_transpired";
69
65
  const multipleMatchingTokens = "multiple_matching_tokens";
70
66
  const multipleMatchingAppMetadata = "multiple_matching_appMetadata";
71
67
  const requestCannotBeMade = "request_cannot_be_made";
@@ -94,7 +90,6 @@ const misplacedResourceParam = "misplaced_resource_parameter";
94
90
 
95
91
  var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
96
92
  __proto__: null,
97
- authTimeNotFound: authTimeNotFound,
98
93
  authorizationCodeMissingFromServerResponse: authorizationCodeMissingFromServerResponse,
99
94
  bindingKeyNotRemoved: bindingKeyNotRemoved,
100
95
  cannotAppendScopeSet: cannotAppendScopeSet,
@@ -109,7 +104,6 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
109
104
  invalidCacheRecord: invalidCacheRecord,
110
105
  invalidState: invalidState,
111
106
  keyIdMissing: keyIdMissing,
112
- maxAgeTranspired: maxAgeTranspired,
113
107
  methodNotImplemented: methodNotImplemented,
114
108
  misplacedResourceParam: misplacedResourceParam,
115
109
  multipleMatchingAppMetadata: multipleMatchingAppMetadata,
@@ -146,14 +140,14 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
146
140
  * Error thrown when there is an error in the client code running on the browser.
147
141
  */
148
142
  class ClientAuthError extends AuthError {
149
- constructor(errorCode, additionalMessage) {
150
- super(errorCode, additionalMessage);
143
+ constructor(errorCode, correlationId, additionalMessage) {
144
+ super(errorCode, correlationId, additionalMessage);
151
145
  this.name = "ClientAuthError";
152
146
  Object.setPrototypeOf(this, ClientAuthError.prototype);
153
147
  }
154
148
  }
155
- function createClientAuthError(errorCode, additionalMessage) {
156
- return new ClientAuthError(errorCode, additionalMessage);
149
+ function createClientAuthError(errorCode, correlationId, additionalMessage) {
150
+ return new ClientAuthError(errorCode, correlationId, additionalMessage);
157
151
  }
158
152
 
159
153
  /*
@@ -165,8 +159,8 @@ function createClientAuthError(errorCode, additionalMessage) {
165
159
  *
166
160
  * @param encodedToken
167
161
  */
168
- function extractTokenClaims(encodedToken, base64Decode) {
169
- const jswPayload = getJWSPayload(encodedToken);
162
+ function extractTokenClaims(encodedToken, base64Decode, correlationId) {
163
+ const jswPayload = getJWSPayload(encodedToken, correlationId);
170
164
  // token will be decoded to get the username
171
165
  try {
172
166
  // base64Decode() should throw an error if there is an issue
@@ -174,7 +168,7 @@ function extractTokenClaims(encodedToken, base64Decode) {
174
168
  return JSON.parse(base64Decoded);
175
169
  }
176
170
  catch (err) {
177
- throw createClientAuthError(tokenParsingError);
171
+ throw createClientAuthError(tokenParsingError, correlationId);
178
172
  }
179
173
  }
180
174
  /**
@@ -201,14 +195,14 @@ function isKmsi(idTokenClaims) {
201
195
  *
202
196
  * @param authToken
203
197
  */
204
- function getJWSPayload(authToken) {
198
+ function getJWSPayload(authToken, correlationId) {
205
199
  if (!authToken) {
206
- throw createClientAuthError(nullOrEmptyToken);
200
+ throw createClientAuthError(nullOrEmptyToken, correlationId);
207
201
  }
208
202
  const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
209
203
  const matches = tokenPartsRegex.exec(authToken);
210
204
  if (!matches || matches.length < 4) {
211
- throw createClientAuthError(tokenParsingError);
205
+ throw createClientAuthError(tokenParsingError, correlationId);
212
206
  }
213
207
  /**
214
208
  * const crackedToken = {
@@ -218,25 +212,10 @@ function getJWSPayload(authToken) {
218
212
  * };
219
213
  */
220
214
  return matches[2];
221
- }
222
- /**
223
- * Determine if the token's max_age has transpired
224
- */
225
- function checkMaxAge(authTime, maxAge) {
226
- /*
227
- * per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
228
- * To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
229
- * provide a value of 0 for the max_age parameter and the AS will force a fresh login.
230
- */
231
- const fiveMinuteSkew = 300000; // five minutes in milliseconds
232
- if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
233
- throw createClientAuthError(maxAgeTranspired);
234
- }
235
215
  }
236
216
 
237
217
  var AuthToken = /*#__PURE__*/Object.freeze({
238
218
  __proto__: null,
239
- checkMaxAge: checkMaxAge,
240
219
  extractTokenClaims: extractTokenClaims,
241
220
  getJWSPayload: getJWSPayload,
242
221
  isKmsi: isKmsi
@@ -332,14 +311,14 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
332
311
  * Error thrown when there is an error in configuration of the MSAL.js library.
333
312
  */
334
313
  class ClientConfigurationError extends AuthError {
335
- constructor(errorCode) {
336
- super(errorCode);
314
+ constructor(errorCode, correlationId) {
315
+ super(errorCode, correlationId);
337
316
  this.name = "ClientConfigurationError";
338
317
  Object.setPrototypeOf(this, ClientConfigurationError.prototype);
339
318
  }
340
319
  }
341
- function createClientConfigurationError(errorCode) {
342
- return new ClientConfigurationError(errorCode);
320
+ function createClientConfigurationError(errorCode, correlationId) {
321
+ return new ClientConfigurationError(errorCode, correlationId);
343
322
  }
344
323
 
345
324
  /*
@@ -454,8 +433,8 @@ const AUTHORIZATION_PENDING = "authorization_pending";
454
433
  const NOT_APPLICABLE = "N/A";
455
434
  const NOT_AVAILABLE = "Not Available";
456
435
  const FORWARD_SLASH = "/";
457
- const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute/location";
458
- const IMDS_VERSION = "2020-06-01";
436
+ const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute";
437
+ const IMDS_VERSION = "2021-02-01";
459
438
  const IMDS_TIMEOUT = 2000;
460
439
  const AZURE_REGION_AUTO_DISCOVER_FLAG = "TryAutoDetect";
461
440
  const REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = "login.microsoft.com";
@@ -529,6 +508,9 @@ const AADAuthority = {
529
508
  const ClaimsRequestKeys = {
530
509
  ACCESS_TOKEN: "access_token",
531
510
  XMS_CC: "xms_cc",
511
+ ID_TOKEN: "id_token",
512
+ SIGNIN_STATE: "signin_state",
513
+ LOGIN_HINT: "login_hint",
532
514
  };
533
515
  /**
534
516
  * we considered making this "enum" in the request instead of string, however it looks like the allowed list of
@@ -577,6 +559,7 @@ const GrantType = {
577
559
  REFRESH_TOKEN_GRANT: "refresh_token",
578
560
  DEVICE_CODE_GRANT: "device_code",
579
561
  JWT_BEARER: "urn:ietf:params:oauth:grant-type:jwt-bearer",
562
+ USER_FIC: "user_fic",
580
563
  };
581
564
  /**
582
565
  * Account types in Cache
@@ -830,11 +813,12 @@ class UrlString {
830
813
  get urlString() {
831
814
  return this._urlString;
832
815
  }
833
- constructor(url) {
816
+ constructor(url, correlationId) {
834
817
  this._urlString = url;
818
+ this.correlationId = correlationId;
835
819
  if (!this._urlString) {
836
820
  // Throws error if url is empty
837
- throw createClientConfigurationError(urlEmptyError);
821
+ throw createClientConfigurationError(urlEmptyError, correlationId);
838
822
  }
839
823
  if (!url.includes("#")) {
840
824
  this._urlString = UrlString.canonicalizeUri(url);
@@ -870,16 +854,16 @@ class UrlString {
870
854
  components = this.getUrlComponents();
871
855
  }
872
856
  catch (e) {
873
- throw createClientConfigurationError(urlParseError);
857
+ throw createClientConfigurationError(urlParseError, this.correlationId);
874
858
  }
875
859
  // Throw error if URI or path segments are not parseable.
876
860
  if (!components.HostNameAndPort || !components.PathSegments) {
877
- throw createClientConfigurationError(urlParseError);
861
+ throw createClientConfigurationError(urlParseError, this.correlationId);
878
862
  }
879
863
  // Throw error if uri is insecure.
880
864
  if (!components.Protocol ||
881
865
  components.Protocol.toLowerCase() !== "https:") {
882
- throw createClientConfigurationError(authorityUriInsecure);
866
+ throw createClientConfigurationError(authorityUriInsecure, this.correlationId);
883
867
  }
884
868
  }
885
869
  /**
@@ -916,7 +900,7 @@ class UrlString {
916
900
  pathArray[0] === AADAuthority.ORGANIZATIONS)) {
917
901
  pathArray[0] = tenantId;
918
902
  }
919
- return UrlString.constructAuthorityUriFromObject(urlObject);
903
+ return UrlString.constructAuthorityUriFromObject(urlObject, this.correlationId);
920
904
  }
921
905
  /**
922
906
  * Parses out the components from a url string.
@@ -928,7 +912,7 @@ class UrlString {
928
912
  // If url string does not match regEx, we throw an error
929
913
  const match = this.urlString.match(regEx);
930
914
  if (!match) {
931
- throw createClientConfigurationError(urlParseError);
915
+ throw createClientConfigurationError(urlParseError, this.correlationId);
932
916
  }
933
917
  // Url component object
934
918
  const urlComponents = {
@@ -946,17 +930,17 @@ class UrlString {
946
930
  }
947
931
  return urlComponents;
948
932
  }
949
- static getDomainFromUrl(url) {
933
+ static getDomainFromUrl(url, correlationId) {
950
934
  const regEx = RegExp("^([^:/?#]+://)?([^/?#]*)");
951
935
  const match = url.match(regEx);
952
936
  if (!match) {
953
- throw createClientConfigurationError(urlParseError);
937
+ throw createClientConfigurationError(urlParseError, correlationId);
954
938
  }
955
939
  return match[2];
956
940
  }
957
- static getAbsoluteUrl(relativeUrl, baseUrl) {
941
+ static getAbsoluteUrl(relativeUrl, baseUrl, correlationId) {
958
942
  if (relativeUrl[0] === FORWARD_SLASH) {
959
- const url = new UrlString(baseUrl);
943
+ const url = new UrlString(baseUrl, correlationId);
960
944
  const baseComponents = url.getUrlComponents();
961
945
  return (baseComponents.Protocol +
962
946
  "//" +
@@ -965,12 +949,12 @@ class UrlString {
965
949
  }
966
950
  return relativeUrl;
967
951
  }
968
- static constructAuthorityUriFromObject(urlObject) {
952
+ static constructAuthorityUriFromObject(urlObject, correlationId) {
969
953
  return new UrlString(urlObject.Protocol +
970
954
  "//" +
971
955
  urlObject.HostNameAndPort +
972
956
  "/" +
973
- urlObject.PathSegments.join("/"));
957
+ urlObject.PathSegments.join("/"), correlationId);
974
958
  }
975
959
  }
976
960
 
@@ -1088,7 +1072,7 @@ function getAliasesFromStaticSources(staticAuthorityOptions, logger, correlation
1088
1072
  let staticAliases;
1089
1073
  const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
1090
1074
  if (canonicalAuthority) {
1091
- const authorityHost = new UrlString(canonicalAuthority).getUrlComponents().HostNameAndPort;
1075
+ const authorityHost = new UrlString(canonicalAuthority, correlationId).getUrlComponents().HostNameAndPort;
1092
1076
  staticAliases =
1093
1077
  getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata, AuthorityMetadataSource.CONFIG) ||
1094
1078
  getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata, AuthorityMetadataSource.HARDCODED_VALUES) ||
@@ -1415,9 +1399,12 @@ class RegionDiscovery {
1415
1399
  try {
1416
1400
  const localIMDSVersionResponse = await invokeAsync(this.getRegionFromIMDS.bind(this), RegionDiscoveryGetRegionFromIMDS, this.logger, this.performanceClient, this.correlationId)(IMDS_VERSION, options);
1417
1401
  if (localIMDSVersionResponse.status === HTTP_SUCCESS) {
1418
- autodetectedRegionName = localIMDSVersionResponse.body;
1419
- regionDiscoveryMetadata.region_source =
1420
- RegionDiscoverySources.IMDS;
1402
+ autodetectedRegionName =
1403
+ localIMDSVersionResponse.body?.location;
1404
+ if (autodetectedRegionName) {
1405
+ regionDiscoveryMetadata.region_source =
1406
+ RegionDiscoverySources.IMDS;
1407
+ }
1421
1408
  }
1422
1409
  // If the response using the local IMDS version failed, try to fetch the current version of IMDS and retry.
1423
1410
  if (localIMDSVersionResponse.status ===
@@ -1432,9 +1419,11 @@ class RegionDiscovery {
1432
1419
  if (currentIMDSVersionResponse.status ===
1433
1420
  HTTP_SUCCESS) {
1434
1421
  autodetectedRegionName =
1435
- currentIMDSVersionResponse.body;
1436
- regionDiscoveryMetadata.region_source =
1437
- RegionDiscoverySources.IMDS;
1422
+ currentIMDSVersionResponse.body?.location;
1423
+ if (autodetectedRegionName) {
1424
+ regionDiscoveryMetadata.region_source =
1425
+ RegionDiscoverySources.IMDS;
1426
+ }
1438
1427
  }
1439
1428
  }
1440
1429
  }
@@ -1458,11 +1447,12 @@ class RegionDiscovery {
1458
1447
  /**
1459
1448
  * Make the call to the IMDS endpoint
1460
1449
  *
1461
- * @param imdsEndpointUrl
1462
- * @returns Promise<NetworkResponse<string>>
1450
+ * @param version
1451
+ * @param options
1452
+ * @returns Promise<NetworkResponse<ImdsComputeResponse>>
1463
1453
  */
1464
1454
  async getRegionFromIMDS(version, options) {
1465
- return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}&format=text`, options, IMDS_TIMEOUT);
1455
+ return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}`, options, IMDS_TIMEOUT);
1466
1456
  }
1467
1457
  /**
1468
1458
  * Get the most recent version of the IMDS endpoint available
@@ -1610,7 +1600,7 @@ function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tena
1610
1600
  * @param expiresOn
1611
1601
  * @param extExpiresOn
1612
1602
  */
1613
- function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
1603
+ function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, correlationId, refreshOn, tokenType, userAssertionHash, keyId, additionalCacheKeyComponents) {
1614
1604
  const atEntity = {
1615
1605
  homeAccountId: homeAccountId,
1616
1606
  credentialType: CredentialType.ACCESS_TOKEN,
@@ -1642,9 +1632,9 @@ function createAccessTokenEntity(homeAccountId, environment, accessToken, client
1642
1632
  switch (atEntity.tokenType) {
1643
1633
  case AuthenticationScheme.POP:
1644
1634
  // Make sure keyId is present and add it to credential
1645
- const tokenClaims = extractTokenClaims(accessToken, base64Decode);
1635
+ const tokenClaims = extractTokenClaims(accessToken, base64Decode, correlationId);
1646
1636
  if (!tokenClaims?.cnf?.kid) {
1647
- throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
1637
+ throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt, correlationId);
1648
1638
  }
1649
1639
  atEntity.keyId = tokenClaims.cnf.kid;
1650
1640
  break;
@@ -1652,6 +1642,11 @@ function createAccessTokenEntity(homeAccountId, environment, accessToken, client
1652
1642
  atEntity.keyId = keyId;
1653
1643
  }
1654
1644
  }
1645
+ /* Additional cache key components for cache isolation (e.g., FMI path) */
1646
+ if (additionalCacheKeyComponents &&
1647
+ Object.keys(additionalCacheKeyComponents).length > 0) {
1648
+ atEntity.additionalCacheKeyComponents = additionalCacheKeyComponents;
1649
+ }
1655
1650
  return atEntity;
1656
1651
  }
1657
1652
  /**
@@ -1930,7 +1925,7 @@ class Authority {
1930
1925
  * Sets canonical authority.
1931
1926
  */
1932
1927
  set canonicalAuthority(url) {
1933
- this._canonicalAuthority = new UrlString(url);
1928
+ this._canonicalAuthority = new UrlString(url, this.correlationId);
1934
1929
  this._canonicalAuthority.validateAsUri();
1935
1930
  this._canonicalAuthorityUrlComponents = null;
1936
1931
  }
@@ -1964,7 +1959,7 @@ class Authority {
1964
1959
  return this.replacePath(this.metadata.authorization_endpoint);
1965
1960
  }
1966
1961
  else {
1967
- throw createClientAuthError(endpointResolutionError);
1962
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
1968
1963
  }
1969
1964
  }
1970
1965
  /**
@@ -1975,7 +1970,7 @@ class Authority {
1975
1970
  return this.replacePath(this.metadata.token_endpoint);
1976
1971
  }
1977
1972
  else {
1978
- throw createClientAuthError(endpointResolutionError);
1973
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
1979
1974
  }
1980
1975
  }
1981
1976
  get deviceCodeEndpoint() {
@@ -1983,7 +1978,7 @@ class Authority {
1983
1978
  return this.replacePath(this.metadata.token_endpoint.replace("/token", "/devicecode"));
1984
1979
  }
1985
1980
  else {
1986
- throw createClientAuthError(endpointResolutionError);
1981
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
1987
1982
  }
1988
1983
  }
1989
1984
  /**
@@ -1993,12 +1988,12 @@ class Authority {
1993
1988
  if (this.discoveryComplete()) {
1994
1989
  // ROPC policies may not have end_session_endpoint set
1995
1990
  if (!this.metadata.end_session_endpoint) {
1996
- throw createClientAuthError(endSessionEndpointNotSupported);
1991
+ throw createClientAuthError(endSessionEndpointNotSupported, this.correlationId);
1997
1992
  }
1998
1993
  return this.replacePath(this.metadata.end_session_endpoint);
1999
1994
  }
2000
1995
  else {
2001
- throw createClientAuthError(endpointResolutionError);
1996
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
2002
1997
  }
2003
1998
  }
2004
1999
  /**
@@ -2009,7 +2004,7 @@ class Authority {
2009
2004
  return this.replacePath(this.metadata.issuer);
2010
2005
  }
2011
2006
  else {
2012
- throw createClientAuthError(endpointResolutionError);
2007
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
2013
2008
  }
2014
2009
  }
2015
2010
  /**
@@ -2020,7 +2015,7 @@ class Authority {
2020
2015
  return this.replacePath(this.metadata.jwks_uri);
2021
2016
  }
2022
2017
  else {
2023
- throw createClientAuthError(endpointResolutionError);
2018
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
2024
2019
  }
2025
2020
  }
2026
2021
  /**
@@ -2047,7 +2042,7 @@ class Authority {
2047
2042
  */
2048
2043
  replacePath(urlString) {
2049
2044
  let endpoint = urlString;
2050
- const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority);
2045
+ const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority, this.correlationId);
2051
2046
  const cachedAuthorityUrlComponents = cachedAuthorityUrl.getUrlComponents();
2052
2047
  const cachedAuthorityParts = cachedAuthorityUrlComponents.PathSegments;
2053
2048
  const currentAuthorityParts = this.canonicalAuthorityUrlComponents.PathSegments;
@@ -2055,7 +2050,7 @@ class Authority {
2055
2050
  let cachedPart = cachedAuthorityParts[index];
2056
2051
  if (index === 0 &&
2057
2052
  this.canReplaceTenant(cachedAuthorityUrlComponents)) {
2058
- const tenantId = new UrlString(this.metadata.authorization_endpoint).getUrlComponents().PathSegments[0];
2053
+ const tenantId = new UrlString(this.metadata.authorization_endpoint, this.correlationId).getUrlComponents().PathSegments[0];
2059
2054
  /**
2060
2055
  * Check if AAD canonical authority contains tenant domain name, for example "testdomain.onmicrosoft.com",
2061
2056
  * by comparing its first path segment to the corresponding authorization endpoint path segment, which is
@@ -2189,7 +2184,7 @@ class Authority {
2189
2184
  }
2190
2185
  else {
2191
2186
  // Metadata could not be obtained from the config, cache, network or hardcoded values
2192
- throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint);
2187
+ throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint, this.correlationId);
2193
2188
  }
2194
2189
  }
2195
2190
  /**
@@ -2241,7 +2236,7 @@ class Authority {
2241
2236
  * @param metadataEntity
2242
2237
  */
2243
2238
  isAuthoritySameType(metadataEntity) {
2244
- const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority);
2239
+ const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority, this.correlationId);
2245
2240
  const cachedParts = cachedAuthorityUrl.getUrlComponents().PathSegments;
2246
2241
  return (cachedParts.length ===
2247
2242
  this.canonicalAuthorityUrlComponents.PathSegments.length);
@@ -2255,7 +2250,7 @@ class Authority {
2255
2250
  return JSON.parse(this.authorityOptions.authorityMetadata);
2256
2251
  }
2257
2252
  catch (e) {
2258
- throw createClientConfigurationError(invalidAuthorityMetadata);
2253
+ throw createClientConfigurationError(invalidAuthorityMetadata, this.correlationId);
2259
2254
  }
2260
2255
  }
2261
2256
  return null;
@@ -2311,7 +2306,7 @@ class Authority {
2311
2306
  RegionDiscoveryOutcomes.CONFIGURED_NO_AUTO_DETECTION;
2312
2307
  this.regionDiscoveryMetadata.region_used =
2313
2308
  userConfiguredAzureRegion;
2314
- return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion);
2309
+ return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion, this.correlationId);
2315
2310
  }
2316
2311
  const autodetectedRegionName = await invokeAsync(this.regionDiscovery.detectRegion.bind(this.regionDiscovery), RegionDiscoveryDetectRegion, this.logger, this.performanceClient, this.correlationId)(this.authorityOptions.azureRegionConfiguration
2317
2312
  ?.environmentRegion, this.regionDiscoveryMetadata);
@@ -2320,7 +2315,7 @@ class Authority {
2320
2315
  RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_SUCCESSFUL;
2321
2316
  this.regionDiscoveryMetadata.region_used =
2322
2317
  autodetectedRegionName;
2323
- return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName);
2318
+ return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName, this.correlationId);
2324
2319
  }
2325
2320
  this.regionDiscoveryMetadata.region_outcome =
2326
2321
  RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_FAILED;
@@ -2345,7 +2340,7 @@ class Authority {
2345
2340
  return AuthorityMetadataSource.NETWORK;
2346
2341
  }
2347
2342
  // Metadata could not be obtained from the config, cache, network or hardcoded values
2348
- throw createClientConfigurationError(untrustedAuthority);
2343
+ throw createClientConfigurationError(untrustedAuthority, this.correlationId);
2349
2344
  }
2350
2345
  updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
2351
2346
  this.logger.verbose("Attempting to get cloud discovery metadata from authority configuration", this.correlationId);
@@ -2409,7 +2404,7 @@ class Authority {
2409
2404
  }
2410
2405
  catch (e) {
2411
2406
  this.logger.verbose("Unable to parse the cloud discovery metadata. Throwing Invalid Cloud Discovery Metadata Error.", this.correlationId);
2412
- throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
2407
+ throw createClientConfigurationError(invalidCloudDiscoveryMetadata, this.correlationId);
2413
2408
  }
2414
2409
  }
2415
2410
  // If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
@@ -2487,8 +2482,7 @@ class Authority {
2487
2482
  const normalizedHost = host.toLowerCase();
2488
2483
  const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
2489
2484
  return (authority &&
2490
- UrlString.getDomainFromUrl(authority).toLowerCase() ===
2491
- normalizedHost);
2485
+ UrlString.getDomainFromUrl(authority, this.correlationId).toLowerCase() === normalizedHost);
2492
2486
  });
2493
2487
  return matches.length > 0;
2494
2488
  }
@@ -2532,7 +2526,7 @@ class Authority {
2532
2526
  return this.metadata.preferred_cache;
2533
2527
  }
2534
2528
  else {
2535
- throw createClientAuthError(endpointResolutionError);
2529
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
2536
2530
  }
2537
2531
  }
2538
2532
  /**
@@ -2575,7 +2569,7 @@ class Authority {
2575
2569
  */
2576
2570
  validateIssuer(issuer) {
2577
2571
  if (!issuer) {
2578
- throw createClientConfigurationError(issuerValidationFailed);
2572
+ throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
2579
2573
  }
2580
2574
  // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
2581
2575
  let issuerUrl;
@@ -2583,7 +2577,7 @@ class Authority {
2583
2577
  issuerUrl = new URL(issuer);
2584
2578
  }
2585
2579
  catch {
2586
- throw createClientConfigurationError(issuerValidationFailed);
2580
+ throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
2587
2581
  }
2588
2582
  const issuerScheme = issuerUrl.protocol;
2589
2583
  const issuerHost = issuerUrl.host;
@@ -2621,7 +2615,7 @@ class Authority {
2621
2615
  return;
2622
2616
  }
2623
2617
  // issuer validation fails if none of the above rules are satisfied
2624
- throw createClientConfigurationError(issuerValidationFailed);
2618
+ throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
2625
2619
  }
2626
2620
  /**
2627
2621
  * Rule 1: The issuer scheme + host (and port) match the authority's. Path
@@ -2709,9 +2703,9 @@ class Authority {
2709
2703
  * @param host string
2710
2704
  * @param region string
2711
2705
  */
2712
- static buildRegionalAuthorityString(host, region, queryString) {
2706
+ static buildRegionalAuthorityString(host, region, correlationId, queryString) {
2713
2707
  // Create and validate a Url string object with the initial authority string
2714
- const authorityUrlInstance = new UrlString(host);
2708
+ const authorityUrlInstance = new UrlString(host, correlationId);
2715
2709
  authorityUrlInstance.validateAsUri();
2716
2710
  const authorityUrlParts = authorityUrlInstance.getUrlComponents();
2717
2711
  let hostNameAndPort = `${region}.${authorityUrlParts.HostNameAndPort}`;
@@ -2722,7 +2716,7 @@ class Authority {
2722
2716
  const url = UrlString.constructAuthorityUriFromObject({
2723
2717
  ...authorityUrlInstance.getUrlComponents(),
2724
2718
  HostNameAndPort: hostNameAndPort,
2725
- }).urlString;
2719
+ }, correlationId).urlString;
2726
2720
  // Add the query string if a query string was provided
2727
2721
  if (queryString)
2728
2722
  return `${url}?${queryString}`;
@@ -2734,15 +2728,15 @@ class Authority {
2734
2728
  * @param metadata OpenIdConfigResponse
2735
2729
  * @param azureRegion string
2736
2730
  */
2737
- static replaceWithRegionalInformation(metadata, azureRegion) {
2731
+ static replaceWithRegionalInformation(metadata, azureRegion, correlationId) {
2738
2732
  const regionalMetadata = { ...metadata };
2739
2733
  regionalMetadata.authorization_endpoint =
2740
- Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion);
2734
+ Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion, correlationId);
2741
2735
  regionalMetadata.token_endpoint =
2742
- Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion);
2736
+ Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion, correlationId);
2743
2737
  if (regionalMetadata.end_session_endpoint) {
2744
2738
  regionalMetadata.end_session_endpoint =
2745
- Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion);
2739
+ Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion, correlationId);
2746
2740
  }
2747
2741
  return regionalMetadata;
2748
2742
  }
@@ -2755,9 +2749,9 @@ class Authority {
2755
2749
  *
2756
2750
  * @param authority
2757
2751
  */
2758
- static transformCIAMAuthority(authority) {
2752
+ static transformCIAMAuthority(authority, correlationId) {
2759
2753
  let ciamAuthority = authority;
2760
- const authorityUrl = new UrlString(authority);
2754
+ const authorityUrl = new UrlString(authority, correlationId);
2761
2755
  const authorityUrlComponents = authorityUrl.getUrlComponents();
2762
2756
  // check if transformation is needed
2763
2757
  if (authorityUrlComponents.PathSegments.length === 0 &&
@@ -2779,8 +2773,8 @@ Authority.reservedTenantDomains = new Set([
2779
2773
  /**
2780
2774
  * Extract tenantId from authority
2781
2775
  */
2782
- function getTenantFromAuthorityString(authority) {
2783
- const authorityUrl = new UrlString(authority);
2776
+ function getTenantFromAuthorityString(authority, correlationId) {
2777
+ const authorityUrl = new UrlString(authority, correlationId);
2784
2778
  const authorityUrlComponents = authorityUrl.getUrlComponents();
2785
2779
  /**
2786
2780
  * For credential matching purposes, tenantId is the last path segment of the authority URL:
@@ -2813,7 +2807,7 @@ function buildStaticAuthorityOptions(authOptions) {
2813
2807
  cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
2814
2808
  }
2815
2809
  catch (e) {
2816
- throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
2810
+ throw createClientConfigurationError(invalidCloudDiscoveryMetadata, "");
2817
2811
  }
2818
2812
  }
2819
2813
  return {
@@ -2845,7 +2839,7 @@ function buildStaticAuthorityOptions(authOptions) {
2845
2839
  * @internal
2846
2840
  */
2847
2841
  async function createDiscoveredInstance(authorityUri, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient) {
2848
- const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri));
2842
+ const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri), correlationId);
2849
2843
  // Initialize authority and perform discovery endpoint check.
2850
2844
  const acquireTokenAuthority = new Authority(authorityUriFinal, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient);
2851
2845
  try {
@@ -2853,7 +2847,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
2853
2847
  return acquireTokenAuthority;
2854
2848
  }
2855
2849
  catch (e) {
2856
- throw createClientAuthError(endpointResolutionError);
2850
+ throw createClientAuthError(endpointResolutionError, correlationId);
2857
2851
  }
2858
2852
  }
2859
2853
 
@@ -2903,7 +2897,7 @@ function getDeserializedResponse(responseString) {
2903
2897
  }
2904
2898
  }
2905
2899
  catch (e) {
2906
- throw createClientAuthError(hashNotDeserialized);
2900
+ throw createClientAuthError(hashNotDeserialized, "");
2907
2901
  }
2908
2902
  return null;
2909
2903
  }
@@ -2960,7 +2954,7 @@ function normalizeUrlForComparison(url, logger, correlationId) {
2960
2954
  }
2961
2955
  catch (e) {
2962
2956
  logger?.error(`Failed to normalize URL for comparison: '${e}'`, correlationId || "");
2963
- throw createClientConfigurationError(urlParseError);
2957
+ throw createClientConfigurationError(urlParseError, correlationId || "");
2964
2958
  }
2965
2959
  }
2966
2960
  /**
@@ -2978,7 +2972,7 @@ function validateUrl(url, logger, correlationId) {
2978
2972
  }
2979
2973
  catch (e) {
2980
2974
  logger?.error(`Failed to validate URL: '${e}'`, correlationId || "");
2981
- throw createClientConfigurationError(urlParseError);
2975
+ throw createClientConfigurationError(urlParseError, correlationId || "");
2982
2976
  }
2983
2977
  }
2984
2978
 
@@ -3054,7 +3048,11 @@ const INSTANCE_AWARE = "instance_aware";
3054
3048
  const EAR_JWK = "ear_jwk";
3055
3049
  const EAR_JWE_CRYPTO = "ear_jwe_crypto";
3056
3050
  const RESOURCE = "resource";
3057
- const CLI_DATA = "clidata";
3051
+ const CLI_DATA = "clidata";
3052
+ const USER_FEDERATED_IDENTITY_CREDENTIAL = "user_federated_identity_credential";
3053
+ const USERNAME = "username";
3054
+ const USER_ID = "user_id";
3055
+ const FMI_PATH = "fmi_path";
3058
3056
 
3059
3057
  var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3060
3058
  __proto__: null,
@@ -3081,6 +3079,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3081
3079
  ERROR: ERROR,
3082
3080
  ERROR_DESCRIPTION: ERROR_DESCRIPTION,
3083
3081
  EXPIRES_IN: EXPIRES_IN,
3082
+ FMI_PATH: FMI_PATH,
3084
3083
  FOCI: FOCI,
3085
3084
  GRANT_TYPE: GRANT_TYPE,
3086
3085
  ID_TOKEN: ID_TOKEN,
@@ -3108,6 +3107,9 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3108
3107
  SID: SID,
3109
3108
  STATE: STATE,
3110
3109
  TOKEN_TYPE: TOKEN_TYPE,
3110
+ USERNAME: USERNAME,
3111
+ USER_FEDERATED_IDENTITY_CREDENTIAL: USER_FEDERATED_IDENTITY_CREDENTIAL,
3112
+ USER_ID: USER_ID,
3111
3113
  X_APP_NAME: X_APP_NAME,
3112
3114
  X_APP_VER: X_APP_VER,
3113
3115
  X_CLIENT_CPU: X_CLIENT_CPU,
@@ -3131,14 +3133,14 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
3131
3133
  */
3132
3134
  function buildClientInfo(rawClientInfo, base64Decode) {
3133
3135
  if (!rawClientInfo) {
3134
- throw createClientAuthError(clientInfoEmptyError);
3136
+ throw createClientAuthError(clientInfoEmptyError, "");
3135
3137
  }
3136
3138
  try {
3137
3139
  const decodedClientInfo = base64Decode(rawClientInfo);
3138
3140
  return JSON.parse(decodedClientInfo);
3139
3141
  }
3140
3142
  catch (e) {
3141
- throw createClientAuthError(clientInfoDecodingError);
3143
+ throw createClientAuthError(clientInfoDecodingError, "");
3142
3144
  }
3143
3145
  }
3144
3146
  /**
@@ -3147,7 +3149,7 @@ function buildClientInfo(rawClientInfo, base64Decode) {
3147
3149
  */
3148
3150
  function buildClientInfoFromHomeAccountId(homeAccountId) {
3149
3151
  if (!homeAccountId) {
3150
- throw createClientAuthError(clientInfoDecodingError);
3152
+ throw createClientAuthError(clientInfoDecodingError, "");
3151
3153
  }
3152
3154
  const clientInfoParts = homeAccountId.split(CLIENT_INFO_SEPARATOR, 2);
3153
3155
  return {
@@ -3176,10 +3178,11 @@ function tenantIdMatchesHomeTenant(tenantId, homeAccountId) {
3176
3178
  * @param homeAccountId - Home account identifier for this account object
3177
3179
  * @param localAccountId - Local account identifer for this account object
3178
3180
  * @param tenantId - Full tenant or organizational id that this account belongs to
3181
+ * @param nativeAccountId - Native account identifier for this tenant
3179
3182
  * @param idTokenClaims - Claims from the ID token
3180
3183
  * @returns
3181
3184
  */
3182
- function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClaims) {
3185
+ function buildTenantProfile(homeAccountId, localAccountId, tenantId, nativeAccountId, idTokenClaims) {
3183
3186
  if (idTokenClaims) {
3184
3187
  const { oid, sub, tid, name, tfp, acr, preferred_username, upn, login_hint, } = idTokenClaims;
3185
3188
  /**
@@ -3197,6 +3200,7 @@ function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClai
3197
3200
  loginHint: login_hint,
3198
3201
  isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
3199
3202
  upn: upn,
3203
+ ...(nativeAccountId && { nativeAccountId }),
3200
3204
  };
3201
3205
  }
3202
3206
  else {
@@ -3205,6 +3209,7 @@ function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClai
3205
3209
  localAccountId,
3206
3210
  username: "",
3207
3211
  isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
3212
+ ...(nativeAccountId && { nativeAccountId }),
3208
3213
  };
3209
3214
  }
3210
3215
  }
@@ -3226,12 +3231,13 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
3226
3231
  if (idTokenClaims) {
3227
3232
  // Ignore isHomeTenant which is a utility property of tenant profile but not required in base account info
3228
3233
  // eslint-disable-next-line @typescript-eslint/no-unused-vars
3229
- const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, idTokenClaims);
3234
+ const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, updatedAccountInfo.nativeAccountId, idTokenClaims);
3230
3235
  updatedAccountInfo = {
3231
3236
  ...updatedAccountInfo,
3232
3237
  ...claimsSourcedTenantProfile,
3233
3238
  idTokenClaims: idTokenClaims,
3234
3239
  idToken: idTokenSecret,
3240
+ kmsi: isKmsi(idTokenClaims),
3235
3241
  };
3236
3242
  return updatedAccountInfo;
3237
3243
  }
@@ -3284,8 +3290,11 @@ function getAccountInfo(accountEntity) {
3284
3290
  if (tenantProfiles.length === 0 &&
3285
3291
  accountEntity.realm &&
3286
3292
  accountEntity.localAccountId) {
3287
- tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
3293
+ tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm, accountEntity.nativeAccountId));
3288
3294
  }
3295
+ // Resolve nativeAccountId from the home tenant profile first, fall back to top-level (deprecated) for old cache entries
3296
+ const homeTenantProfile = tenantProfiles.find((tp) => tp.tenantId === accountEntity.realm);
3297
+ const nativeAccountId = homeTenantProfile?.nativeAccountId || accountEntity.nativeAccountId;
3289
3298
  return {
3290
3299
  homeAccountId: accountEntity.homeAccountId,
3291
3300
  environment: accountEntity.environment,
@@ -3294,7 +3303,7 @@ function getAccountInfo(accountEntity) {
3294
3303
  localAccountId: accountEntity.localAccountId,
3295
3304
  loginHint: accountEntity.loginHint,
3296
3305
  name: accountEntity.name,
3297
- nativeAccountId: accountEntity.nativeAccountId,
3306
+ nativeAccountId: nativeAccountId,
3298
3307
  authorityType: accountEntity.authorityType,
3299
3308
  // Deserialize tenant profiles array into a Map
3300
3309
  tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
@@ -3315,7 +3324,7 @@ function isSingleTenant(accountEntity) {
3315
3324
  * @param accountDetails
3316
3325
  * @internal
3317
3326
  */
3318
- function createAccountEntity(accountDetails, authority, base64Decode) {
3327
+ function createAccountEntity(accountDetails, authority, correlationId, base64Decode) {
3319
3328
  let authorityType;
3320
3329
  if (authority.authorityType === AuthorityType.Adfs) {
3321
3330
  authorityType = CACHE_ACCOUNT_TYPE_ADFS;
@@ -3337,7 +3346,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
3337
3346
  const env = accountDetails.environment ||
3338
3347
  (authority && authority.getPreferredCache());
3339
3348
  if (!env) {
3340
- throw createClientAuthError(invalidCacheEnvironment);
3349
+ throw createClientAuthError(invalidCacheEnvironment, correlationId);
3341
3350
  }
3342
3351
  /*
3343
3352
  * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
@@ -3364,7 +3373,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
3364
3373
  tenantProfiles = accountDetails.tenantProfiles;
3365
3374
  }
3366
3375
  else {
3367
- const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.idTokenClaims);
3376
+ const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.nativeAccountId, accountDetails.idTokenClaims);
3368
3377
  tenantProfiles = [tenantProfile];
3369
3378
  }
3370
3379
  return {
@@ -3401,7 +3410,14 @@ function createAccountEntityFromAccountInfo(accountInfo, cloudGraphHostName, msG
3401
3410
  if (tenantProfiles.length === 0 &&
3402
3411
  accountInfo.tenantId &&
3403
3412
  accountInfo.localAccountId) {
3404
- tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
3413
+ tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.nativeAccountId, accountInfo.idTokenClaims));
3414
+ }
3415
+ else if (accountInfo.nativeAccountId) {
3416
+ // Ensure nativeAccountId is set on the matching tenant profile
3417
+ const matchingProfile = tenantProfiles.find((tp) => tp.tenantId === accountInfo.tenantId);
3418
+ if (matchingProfile && !matchingProfile.nativeAccountId) {
3419
+ matchingProfile.nativeAccountId = accountInfo.nativeAccountId;
3420
+ }
3405
3421
  }
3406
3422
  return {
3407
3423
  authorityType: accountInfo.authorityType || CACHE_ACCOUNT_TYPE_GENERIC,
@@ -3480,7 +3496,8 @@ var AccountEntityUtils = /*#__PURE__*/Object.freeze({
3480
3496
  * to ensure uniqueness of strings.
3481
3497
  */
3482
3498
  class ScopeSet {
3483
- constructor(inputScopes) {
3499
+ constructor(inputScopes, correlationId) {
3500
+ this.correlationId = correlationId;
3484
3501
  // Filter empty string and null/undefined array items
3485
3502
  const scopeArr = inputScopes
3486
3503
  ? StringUtils.trimArrayEntries([...inputScopes])
@@ -3490,7 +3507,7 @@ class ScopeSet {
3490
3507
  : [];
3491
3508
  // Check if scopes array has at least one member
3492
3509
  if (!filteredInput || !filteredInput.length) {
3493
- throw createClientConfigurationError(emptyInputScopesError);
3510
+ throw createClientConfigurationError(emptyInputScopesError, correlationId);
3494
3511
  }
3495
3512
  this.scopes = new Set(); // Iterator in constructor not supported by IE11
3496
3513
  filteredInput.forEach((scope) => this.scopes.add(scope));
@@ -3501,22 +3518,22 @@ class ScopeSet {
3501
3518
  * @param appClientId
3502
3519
  * @param scopesRequired
3503
3520
  */
3504
- static fromString(inputScopeString) {
3521
+ static fromString(inputScopeString, correlationId) {
3505
3522
  const scopeString = inputScopeString || "";
3506
3523
  const inputScopes = scopeString.split(" ");
3507
- return new ScopeSet(inputScopes);
3524
+ return new ScopeSet(inputScopes, correlationId);
3508
3525
  }
3509
3526
  /**
3510
3527
  * Creates the set of scopes to search for in cache lookups
3511
3528
  * @param inputScopeString
3512
3529
  * @returns
3513
3530
  */
3514
- static createSearchScopes(inputScopeString) {
3531
+ static createSearchScopes(inputScopeString, correlationId) {
3515
3532
  // Handle empty scopes by using default OIDC scopes for cache lookup
3516
3533
  const scopesToUse = inputScopeString && inputScopeString.length > 0
3517
3534
  ? inputScopeString
3518
3535
  : [...OIDC_DEFAULT_SCOPES];
3519
- const scopeSet = new ScopeSet(scopesToUse);
3536
+ const scopeSet = new ScopeSet(scopesToUse, correlationId);
3520
3537
  if (!scopeSet.containsOnlyOIDCScopes()) {
3521
3538
  scopeSet.removeOIDCScopes();
3522
3539
  }
@@ -3531,7 +3548,7 @@ class ScopeSet {
3531
3548
  */
3532
3549
  containsScope(scope) {
3533
3550
  const lowerCaseScopes = this.printScopesLowerCase().split(" ");
3534
- const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes);
3551
+ const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes, this.correlationId);
3535
3552
  // compare lowercase scopes
3536
3553
  return scope
3537
3554
  ? lowerCaseScopesSet.scopes.has(scope.toLowerCase())
@@ -3578,7 +3595,7 @@ class ScopeSet {
3578
3595
  newScopes.forEach((newScope) => this.appendScope(newScope));
3579
3596
  }
3580
3597
  catch (e) {
3581
- throw createClientAuthError(cannotAppendScopeSet);
3598
+ throw createClientAuthError(cannotAppendScopeSet, this.correlationId);
3582
3599
  }
3583
3600
  }
3584
3601
  /**
@@ -3587,7 +3604,7 @@ class ScopeSet {
3587
3604
  */
3588
3605
  removeScope(scope) {
3589
3606
  if (!scope) {
3590
- throw createClientAuthError(cannotRemoveEmptyScope);
3607
+ throw createClientAuthError(cannotRemoveEmptyScope, this.correlationId);
3591
3608
  }
3592
3609
  this.scopes.delete(scope.trim());
3593
3610
  }
@@ -3606,7 +3623,7 @@ class ScopeSet {
3606
3623
  */
3607
3624
  unionScopeSets(otherScopes) {
3608
3625
  if (!otherScopes) {
3609
- throw createClientAuthError(emptyInputScopeSet);
3626
+ throw createClientAuthError(emptyInputScopeSet, this.correlationId);
3610
3627
  }
3611
3628
  const unionScopes = new Set(); // Iterator in constructor not supported in IE11
3612
3629
  otherScopes.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));
@@ -3619,7 +3636,7 @@ class ScopeSet {
3619
3636
  */
3620
3637
  intersectingScopeSets(otherScopes) {
3621
3638
  if (!otherScopes) {
3622
- throw createClientAuthError(emptyInputScopeSet);
3639
+ throw createClientAuthError(emptyInputScopeSet, this.correlationId);
3623
3640
  }
3624
3641
  // Do not allow OIDC scopes to be the only intersecting scopes
3625
3642
  if (!otherScopes.containsOnlyOIDCScopes()) {
@@ -3705,7 +3722,7 @@ function addNativeBroker(parameters) {
3705
3722
  * @param scopeSet
3706
3723
  * @param addOidcScopes
3707
3724
  */
3708
- function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
3725
+ function addScopes(parameters, scopes, correlationId, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
3709
3726
  // Always add openid to the scopes when adding OIDC scopes
3710
3727
  if (addOidcScopes &&
3711
3728
  !defaultScopes.includes("openid") &&
@@ -3715,7 +3732,7 @@ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OID
3715
3732
  const requestScopes = addOidcScopes
3716
3733
  ? [...(scopes || []), ...defaultScopes]
3717
3734
  : scopes || [];
3718
- const scopeSet = new ScopeSet(requestScopes);
3735
+ const scopeSet = new ScopeSet(requestScopes, correlationId);
3719
3736
  parameters.set(SCOPE, scopeSet.printScopes());
3720
3737
  }
3721
3738
  /**
@@ -3785,26 +3802,18 @@ function addSid(parameters, sid) {
3785
3802
  * Adds claims to request parameters, conditionally excluding clientCapabilities
3786
3803
  * when skipBrokerClaims is true and a brokered flow is in effect.
3787
3804
  * @param parameters - The request parameters map
3805
+ * @param correlationId - The request correlation id
3788
3806
  * @param claims - The claims string from the request
3789
3807
  * @param clientCapabilities - The client capabilities from configuration
3790
3808
  * @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
3791
3809
  */
3792
- function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
3810
+ function addClaims(parameters, correlationId, claims, clientCapabilities, skipBrokerClaims) {
3793
3811
  // Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
3794
3812
  const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
3795
3813
  ? undefined
3796
3814
  : clientCapabilities;
3797
- if (!StringUtils.isEmptyObj(claims) ||
3798
- (configClaims && configClaims.length > 0)) {
3799
- const mergedClaims = addClientCapabilitiesToClaims(claims, configClaims);
3800
- try {
3801
- JSON.parse(mergedClaims);
3802
- }
3803
- catch (e) {
3804
- throw createClientConfigurationError(invalidClaims);
3805
- }
3806
- parameters.set(CLAIMS, mergedClaims);
3807
- }
3815
+ const mergedClaims = buildMergedClaims(claims, configClaims, correlationId);
3816
+ parameters.set(CLAIMS, mergedClaims);
3808
3817
  }
3809
3818
  /**
3810
3819
  * add correlationId
@@ -3875,7 +3884,7 @@ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod)
3875
3884
  parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
3876
3885
  }
3877
3886
  else {
3878
- throw createClientConfigurationError(pkceParamsMissing);
3887
+ throw createClientConfigurationError(pkceParamsMissing, "");
3879
3888
  }
3880
3889
  }
3881
3890
  /**
@@ -3981,7 +3990,23 @@ function addExtraParameters(parameters, extraParams) {
3981
3990
  }
3982
3991
  });
3983
3992
  }
3984
- function addClientCapabilitiesToClaims(claims, clientCapabilities) {
3993
+ /**
3994
+ * Default optional idToken claims requested on all auth requests.
3995
+ * signin_state enables KMSI detection; login_hint enables login hint propagation.
3996
+ */
3997
+ const DEFAULT_ID_TOKEN_CLAIMS = {
3998
+ [ClaimsRequestKeys.SIGNIN_STATE]: { essential: false },
3999
+ [ClaimsRequestKeys.LOGIN_HINT]: { essential: false },
4000
+ };
4001
+ /**
4002
+ * Parses claims JSON, merges default optional idToken claims (signin_state, login_hint),
4003
+ * and appends client capabilities (xms_cc) to the access_token section.
4004
+ * Does not overwrite idToken claims already specified by the caller.
4005
+ * @param claims - Existing claims JSON string from the request (may be undefined)
4006
+ * @param clientCapabilities - Client capabilities array from configuration
4007
+ * @returns Merged claims JSON string
4008
+ */
4009
+ function buildMergedClaims(claims, clientCapabilities, correlationId = "") {
3985
4010
  let mergedClaims;
3986
4011
  // Parse provided claims into JSON object or initialize empty object
3987
4012
  if (!claims) {
@@ -3989,14 +4014,31 @@ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
3989
4014
  }
3990
4015
  else {
3991
4016
  try {
3992
- mergedClaims = JSON.parse(claims);
4017
+ const parsed = JSON.parse(claims);
4018
+ if (typeof parsed !== "object" ||
4019
+ parsed === null ||
4020
+ Array.isArray(parsed)) {
4021
+ throw new Error("Claims must be a JSON object");
4022
+ }
4023
+ mergedClaims = parsed;
3993
4024
  }
3994
4025
  catch (e) {
3995
- throw createClientConfigurationError(invalidClaims);
4026
+ throw createClientConfigurationError(invalidClaims, correlationId);
4027
+ }
4028
+ }
4029
+ // Add default optional idToken claims
4030
+ if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ID_TOKEN)) {
4031
+ mergedClaims[ClaimsRequestKeys.ID_TOKEN] = {};
4032
+ }
4033
+ const idTokenClaims = mergedClaims[ClaimsRequestKeys.ID_TOKEN];
4034
+ for (const [key, value] of Object.entries(DEFAULT_ID_TOKEN_CLAIMS)) {
4035
+ if (!(key in idTokenClaims)) {
4036
+ idTokenClaims[key] = value;
3996
4037
  }
3997
4038
  }
4039
+ // Add client capabilities
3998
4040
  if (clientCapabilities && clientCapabilities.length > 0) {
3999
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4041
+ if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ACCESS_TOKEN)) {
4000
4042
  // Add access_token key to claims object
4001
4043
  mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4002
4044
  }
@@ -4046,14 +4088,8 @@ function addSshJwk(parameters, sshJwkString) {
4046
4088
  * @internal
4047
4089
  */
4048
4090
  function addServerTelemetry(parameters, serverTelemetryManager) {
4049
- const currentTelemetryHeader = serverTelemetryManager.generateCurrentRequestHeaderValue();
4050
- const lastTelemetryHeader = serverTelemetryManager.generateLastRequestHeaderValue();
4051
- if (currentTelemetryHeader) {
4052
- parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
4053
- }
4054
- if (lastTelemetryHeader) {
4055
- parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
4056
- }
4091
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4092
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4057
4093
  }
4058
4094
  /**
4059
4095
  * Adds parameter that indicates to the server that throttling is supported
@@ -4103,7 +4139,6 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
4103
4139
  addCliData: addCliData,
4104
4140
  addClientAssertion: addClientAssertion,
4105
4141
  addClientAssertionType: addClientAssertionType,
4106
- addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
4107
4142
  addClientId: addClientId,
4108
4143
  addClientInfo: addClientInfo,
4109
4144
  addClientSecret: addClientSecret,
@@ -4140,6 +4175,7 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
4140
4175
  addState: addState,
4141
4176
  addThrottling: addThrottling,
4142
4177
  addUsername: addUsername,
4178
+ buildMergedClaims: buildMergedClaims,
4143
4179
  instrumentBrokerParams: instrumentBrokerParams
4144
4180
  });
4145
4181
 
@@ -4149,34 +4185,34 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
4149
4185
  */
4150
4186
  const DEFAULT_CRYPTO_IMPLEMENTATION = {
4151
4187
  createNewGuid: () => {
4152
- throw createClientAuthError(methodNotImplemented);
4188
+ throw createClientAuthError(methodNotImplemented, "");
4153
4189
  },
4154
4190
  base64Decode: () => {
4155
- throw createClientAuthError(methodNotImplemented);
4191
+ throw createClientAuthError(methodNotImplemented, "");
4156
4192
  },
4157
4193
  base64Encode: () => {
4158
- throw createClientAuthError(methodNotImplemented);
4194
+ throw createClientAuthError(methodNotImplemented, "");
4159
4195
  },
4160
4196
  base64UrlEncode: () => {
4161
- throw createClientAuthError(methodNotImplemented);
4197
+ throw createClientAuthError(methodNotImplemented, "");
4162
4198
  },
4163
4199
  encodeKid: () => {
4164
- throw createClientAuthError(methodNotImplemented);
4200
+ throw createClientAuthError(methodNotImplemented, "");
4165
4201
  },
4166
4202
  async getPublicKeyThumbprint() {
4167
- throw createClientAuthError(methodNotImplemented);
4203
+ throw createClientAuthError(methodNotImplemented, "");
4168
4204
  },
4169
4205
  async removeTokenBindingKey() {
4170
- throw createClientAuthError(methodNotImplemented);
4206
+ throw createClientAuthError(methodNotImplemented, "");
4171
4207
  },
4172
4208
  async clearKeystore() {
4173
- throw createClientAuthError(methodNotImplemented);
4209
+ throw createClientAuthError(methodNotImplemented, "");
4174
4210
  },
4175
4211
  async signJwt() {
4176
- throw createClientAuthError(methodNotImplemented);
4212
+ throw createClientAuthError(methodNotImplemented, "");
4177
4213
  },
4178
4214
  async hashString() {
4179
- throw createClientAuthError(methodNotImplemented);
4215
+ throw createClientAuthError(methodNotImplemented, "");
4180
4216
  },
4181
4217
  };
4182
4218
 
@@ -4470,7 +4506,7 @@ class Logger {
4470
4506
 
4471
4507
  /* eslint-disable header/header */
4472
4508
  const name = "@azure/msal-common";
4473
- const version = "16.9.0";
4509
+ const version = "16.10.0";
4474
4510
 
4475
4511
  /*
4476
4512
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4608,7 +4644,7 @@ class CacheManager {
4608
4644
  }
4609
4645
  const idToken = this.getIdToken(accountInfo, correlationId, tokenKeys, tenantProfile.tenantId);
4610
4646
  if (idToken) {
4611
- idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode);
4647
+ idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode, correlationId);
4612
4648
  if (!this.idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter)) {
4613
4649
  // ID token sourced claims don't match so this tenant profile is not a match
4614
4650
  return null;
@@ -4671,6 +4707,11 @@ class CacheManager {
4671
4707
  !(tenantProfile.upn === tenantProfileFilter.upn)) {
4672
4708
  return false;
4673
4709
  }
4710
+ if (!!tenantProfileFilter.nativeAccountId &&
4711
+ tenantProfile.nativeAccountId !==
4712
+ tenantProfileFilter.nativeAccountId) {
4713
+ return false;
4714
+ }
4674
4715
  return true;
4675
4716
  }
4676
4717
  idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter) {
@@ -4708,7 +4749,7 @@ class CacheManager {
4708
4749
  */
4709
4750
  async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
4710
4751
  if (!cacheRecord) {
4711
- throw createClientAuthError(invalidCacheRecord);
4752
+ throw createClientAuthError(invalidCacheRecord, correlationId);
4712
4753
  }
4713
4754
  try {
4714
4755
  if (!!cacheRecord.account) {
@@ -4753,7 +4794,7 @@ class CacheManager {
4753
4794
  tokenType: credential.tokenType,
4754
4795
  };
4755
4796
  const tokenKeys = this.getTokenKeys();
4756
- const currentScopes = ScopeSet.fromString(credential.target);
4797
+ const currentScopes = ScopeSet.fromString(credential.target, correlationId);
4757
4798
  tokenKeys.accessToken.forEach((key) => {
4758
4799
  if (!this.accessTokenKeyMatchesFilter(key, accessTokenFilter, false)) {
4759
4800
  return;
@@ -4761,7 +4802,7 @@ class CacheManager {
4761
4802
  const tokenEntity = this.getAccessTokenCredential(key, correlationId);
4762
4803
  if (tokenEntity &&
4763
4804
  this.credentialMatchesFilter(tokenEntity, accessTokenFilter, correlationId)) {
4764
- const tokenScopeSet = ScopeSet.fromString(tokenEntity.target);
4805
+ const tokenScopeSet = ScopeSet.fromString(tokenEntity.target, correlationId);
4765
4806
  if (tokenScopeSet.intersectingScopeSets(currentScopes)) {
4766
4807
  this.removeAccessToken(key, correlationId);
4767
4808
  }
@@ -4795,10 +4836,6 @@ class CacheManager {
4795
4836
  !this.matchRealm(entity, accountFilter.realm)) {
4796
4837
  return;
4797
4838
  }
4798
- if (!!accountFilter.nativeAccountId &&
4799
- !this.matchNativeAccountId(entity, accountFilter.nativeAccountId)) {
4800
- return;
4801
- }
4802
4839
  if (!!accountFilter.authorityType &&
4803
4840
  !this.matchAuthorityType(entity, accountFilter.authorityType)) {
4804
4841
  return;
@@ -4810,6 +4847,7 @@ class CacheManager {
4810
4847
  username: accountFilter?.username,
4811
4848
  loginHint: accountFilter?.loginHint,
4812
4849
  upn: accountFilter?.upn,
4850
+ nativeAccountId: accountFilter?.nativeAccountId,
4813
4851
  };
4814
4852
  const matchingTenantProfiles = entity.tenantProfiles?.filter((tenantProfile) => {
4815
4853
  return this.tenantProfileMatchesFilter(tenantProfile, tenantProfileFilter);
@@ -4863,7 +4901,8 @@ class CacheManager {
4863
4901
  * idTokens do not have "target", target specific refreshTokens do exist for some types of authentication
4864
4902
  * Resource specific refresh tokens case will be added when the support is deemed necessary
4865
4903
  */
4866
- if (!!filter.target && !this.matchTarget(entity, filter.target)) {
4904
+ if (!!filter.target &&
4905
+ !this.matchTarget(entity, filter.target, correlationId)) {
4867
4906
  return false;
4868
4907
  }
4869
4908
  // Access Token with Auth Scheme specific matching
@@ -4880,6 +4919,28 @@ class CacheManager {
4880
4919
  }
4881
4920
  }
4882
4921
  }
4922
+ // Additional cache key components matching (bidirectional isolation)
4923
+ const entityComponents = entity.additionalCacheKeyComponents;
4924
+ const filterComponents = filter.additionalCacheKeyComponents;
4925
+ const entityHasComponents = !!entityComponents && Object.keys(entityComponents).length > 0;
4926
+ const filterHasComponents = !!filterComponents && Object.keys(filterComponents).length > 0;
4927
+ if (entityHasComponents !== filterHasComponents) {
4928
+ return false;
4929
+ }
4930
+ if (entityHasComponents && filterHasComponents) {
4931
+ const entityKeys = Object.keys(entityComponents).sort();
4932
+ const filterKeys = Object.keys(filterComponents).sort();
4933
+ if (entityKeys.length !== filterKeys.length) {
4934
+ return false;
4935
+ }
4936
+ for (let i = 0; i < entityKeys.length; i++) {
4937
+ if (entityKeys[i] !== filterKeys[i] ||
4938
+ entityComponents[entityKeys[i]] !==
4939
+ filterComponents[filterKeys[i]]) {
4940
+ return false;
4941
+ }
4942
+ }
4943
+ }
4883
4944
  return true;
4884
4945
  }
4885
4946
  /**
@@ -5147,7 +5208,7 @@ class CacheManager {
5147
5208
  getAccessToken(account, request, tokenKeys, targetRealm) {
5148
5209
  const correlationId = request.correlationId;
5149
5210
  this.commonLogger.trace("CacheManager - getAccessToken called", correlationId);
5150
- const scopes = ScopeSet.createSearchScopes(request.scopes);
5211
+ const scopes = ScopeSet.createSearchScopes(request.scopes, correlationId);
5151
5212
  const authScheme = request.authenticationScheme ||
5152
5213
  AuthenticationScheme.BEARER;
5153
5214
  /*
@@ -5338,7 +5399,7 @@ class CacheManager {
5338
5399
  return null;
5339
5400
  }
5340
5401
  else if (numAppMetadata > 1) {
5341
- throw createClientAuthError(multipleMatchingAppMetadata);
5402
+ throw createClientAuthError(multipleMatchingAppMetadata, correlationId);
5342
5403
  }
5343
5404
  return appMetadataEntries[0];
5344
5405
  }
@@ -5468,15 +5529,6 @@ class CacheManager {
5468
5529
  matchRealm(entity, realm) {
5469
5530
  return !!(entity.realm?.toLowerCase() === realm.toLowerCase());
5470
5531
  }
5471
- /**
5472
- * helper to match nativeAccountId
5473
- * @param entity
5474
- * @param nativeAccountId
5475
- * @returns boolean indicating the match result
5476
- */
5477
- matchNativeAccountId(entity, nativeAccountId) {
5478
- return !!(entity.nativeAccountId && nativeAccountId === entity.nativeAccountId);
5479
- }
5480
5532
  /**
5481
5533
  * helper to match loginHint which can be either:
5482
5534
  * 1. login_hint ID token claim
@@ -5520,14 +5572,14 @@ class CacheManager {
5520
5572
  * @param entity
5521
5573
  * @param target
5522
5574
  */
5523
- matchTarget(entity, target) {
5575
+ matchTarget(entity, target, correlationId) {
5524
5576
  const isNotAccessTokenCredential = entity.credentialType !== CredentialType.ACCESS_TOKEN &&
5525
5577
  entity.credentialType !==
5526
5578
  CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
5527
5579
  if (isNotAccessTokenCredential || !entity.target) {
5528
5580
  return false;
5529
5581
  }
5530
- const entityScopeSet = ScopeSet.fromString(entity.target);
5582
+ const entityScopeSet = ScopeSet.fromString(entity.target, correlationId);
5531
5583
  return entityScopeSet.containsScopeSet(target);
5532
5584
  }
5533
5585
  /**
@@ -5581,73 +5633,73 @@ class CacheManager {
5581
5633
  /** @internal */
5582
5634
  class DefaultStorageClass extends CacheManager {
5583
5635
  async setAccount() {
5584
- throw createClientAuthError(methodNotImplemented);
5636
+ throw createClientAuthError(methodNotImplemented, "");
5585
5637
  }
5586
5638
  getAccount() {
5587
- throw createClientAuthError(methodNotImplemented);
5639
+ throw createClientAuthError(methodNotImplemented, "");
5588
5640
  }
5589
5641
  async setIdTokenCredential() {
5590
- throw createClientAuthError(methodNotImplemented);
5642
+ throw createClientAuthError(methodNotImplemented, "");
5591
5643
  }
5592
5644
  getIdTokenCredential() {
5593
- throw createClientAuthError(methodNotImplemented);
5645
+ throw createClientAuthError(methodNotImplemented, "");
5594
5646
  }
5595
5647
  async setAccessTokenCredential() {
5596
- throw createClientAuthError(methodNotImplemented);
5648
+ throw createClientAuthError(methodNotImplemented, "");
5597
5649
  }
5598
5650
  getAccessTokenCredential() {
5599
- throw createClientAuthError(methodNotImplemented);
5651
+ throw createClientAuthError(methodNotImplemented, "");
5600
5652
  }
5601
5653
  async setRefreshTokenCredential() {
5602
- throw createClientAuthError(methodNotImplemented);
5654
+ throw createClientAuthError(methodNotImplemented, "");
5603
5655
  }
5604
5656
  getRefreshTokenCredential() {
5605
- throw createClientAuthError(methodNotImplemented);
5657
+ throw createClientAuthError(methodNotImplemented, "");
5606
5658
  }
5607
5659
  setAppMetadata() {
5608
- throw createClientAuthError(methodNotImplemented);
5660
+ throw createClientAuthError(methodNotImplemented, "");
5609
5661
  }
5610
5662
  getAppMetadata() {
5611
- throw createClientAuthError(methodNotImplemented);
5663
+ throw createClientAuthError(methodNotImplemented, "");
5612
5664
  }
5613
5665
  setServerTelemetry() {
5614
- throw createClientAuthError(methodNotImplemented);
5666
+ throw createClientAuthError(methodNotImplemented, "");
5615
5667
  }
5616
5668
  getServerTelemetry() {
5617
- throw createClientAuthError(methodNotImplemented);
5669
+ throw createClientAuthError(methodNotImplemented, "");
5618
5670
  }
5619
5671
  setAuthorityMetadata() {
5620
- throw createClientAuthError(methodNotImplemented);
5672
+ throw createClientAuthError(methodNotImplemented, "");
5621
5673
  }
5622
5674
  getAuthorityMetadata() {
5623
- throw createClientAuthError(methodNotImplemented);
5675
+ throw createClientAuthError(methodNotImplemented, "");
5624
5676
  }
5625
5677
  getAuthorityMetadataKeys() {
5626
- throw createClientAuthError(methodNotImplemented);
5678
+ throw createClientAuthError(methodNotImplemented, "");
5627
5679
  }
5628
5680
  setThrottlingCache() {
5629
- throw createClientAuthError(methodNotImplemented);
5681
+ throw createClientAuthError(methodNotImplemented, "");
5630
5682
  }
5631
5683
  getThrottlingCache() {
5632
- throw createClientAuthError(methodNotImplemented);
5684
+ throw createClientAuthError(methodNotImplemented, "");
5633
5685
  }
5634
5686
  removeItem() {
5635
- throw createClientAuthError(methodNotImplemented);
5687
+ throw createClientAuthError(methodNotImplemented, "");
5636
5688
  }
5637
5689
  getKeys() {
5638
- throw createClientAuthError(methodNotImplemented);
5690
+ throw createClientAuthError(methodNotImplemented, "");
5639
5691
  }
5640
5692
  getAccountKeys() {
5641
- throw createClientAuthError(methodNotImplemented);
5693
+ throw createClientAuthError(methodNotImplemented, "");
5642
5694
  }
5643
5695
  getTokenKeys() {
5644
- throw createClientAuthError(methodNotImplemented);
5696
+ throw createClientAuthError(methodNotImplemented, "");
5645
5697
  }
5646
5698
  generateCredentialKey() {
5647
- throw createClientAuthError(methodNotImplemented);
5699
+ throw createClientAuthError(methodNotImplemented, "");
5648
5700
  }
5649
5701
  generateAccountKey() {
5650
- throw createClientAuthError(methodNotImplemented);
5702
+ throw createClientAuthError(methodNotImplemented, "");
5651
5703
  }
5652
5704
  }
5653
5705
 
@@ -5786,10 +5838,10 @@ const DEFAULT_LOGGER_IMPLEMENTATION = {
5786
5838
  };
5787
5839
  const DEFAULT_NETWORK_IMPLEMENTATION = {
5788
5840
  async sendGetRequestAsync() {
5789
- throw createClientAuthError(methodNotImplemented);
5841
+ throw createClientAuthError(methodNotImplemented, "");
5790
5842
  },
5791
5843
  async sendPostRequestAsync() {
5792
- throw createClientAuthError(methodNotImplemented);
5844
+ throw createClientAuthError(methodNotImplemented, "");
5793
5845
  },
5794
5846
  };
5795
5847
  const DEFAULT_LIBRARY_INFO = {
@@ -5947,7 +5999,7 @@ class PopTokenGenerator {
5947
5999
  // Deconstruct request to extract SHR parameters
5948
6000
  const { resourceRequestMethod, resourceRequestUri, shrClaims, shrNonce, shrOptions, } = request;
5949
6001
  const resourceUrlString = resourceRequestUri
5950
- ? new UrlString(resourceRequestUri)
6002
+ ? new UrlString(resourceRequestUri, request.correlationId)
5951
6003
  : undefined;
5952
6004
  const resourceUrlComponents = resourceUrlString?.getUrlComponents();
5953
6005
  return this.cryptoUtils.signJwt({
@@ -6058,12 +6110,11 @@ const InteractionRequiredAuthSubErrorMessage = [
6058
6110
  * Error thrown when user interaction is required.
6059
6111
  */
6060
6112
  class InteractionRequiredAuthError extends AuthError {
6061
- constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {
6062
- super(errorCode, errorMessage, subError);
6113
+ constructor(errorCode, correlationId, errorMessage, subError, timestamp, traceId, claims, errorNo) {
6114
+ super(errorCode, correlationId, errorMessage, subError);
6063
6115
  Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
6064
6116
  this.timestamp = timestamp || "";
6065
6117
  this.traceId = traceId || "";
6066
- this.correlationId = correlationId || "";
6067
6118
  this.claims = claims || "";
6068
6119
  this.name = "InteractionRequiredAuthError";
6069
6120
  this.errorNo = errorNo;
@@ -6091,8 +6142,8 @@ function isInteractionRequiredError(errorCode, errorString, subError) {
6091
6142
  /**
6092
6143
  * Creates an InteractionRequiredAuthError
6093
6144
  */
6094
- function createInteractionRequiredAuthError(errorCode, errorMessage) {
6095
- return new InteractionRequiredAuthError(errorCode, errorMessage);
6145
+ function createInteractionRequiredAuthError(errorCode, correlationId, errorMessage) {
6146
+ return new InteractionRequiredAuthError(errorCode, correlationId, errorMessage);
6096
6147
  }
6097
6148
 
6098
6149
  /*
@@ -6103,8 +6154,8 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
6103
6154
  * Error thrown when there is an error with the server code, for example, unavailability.
6104
6155
  */
6105
6156
  class ServerError extends AuthError {
6106
- constructor(errorCode, errorMessage, subError, errorNo, status) {
6107
- super(errorCode, errorMessage, subError);
6157
+ constructor(errorCode, correlationId, errorMessage, subError, errorNo, status) {
6158
+ super(errorCode, correlationId, errorMessage, subError);
6108
6159
  this.name = "ServerError";
6109
6160
  this.errorNo = errorNo;
6110
6161
  this.status = status;
@@ -6121,9 +6172,10 @@ class ServerError extends AuthError {
6121
6172
  * @param cryptoObj
6122
6173
  * @param userState
6123
6174
  * @param meta
6175
+ * @param correlationId
6124
6176
  */
6125
- function setRequestState(cryptoObj, userState, meta) {
6126
- const libraryState = generateLibraryState(cryptoObj, meta);
6177
+ function setRequestState(cryptoObj, userState, meta, correlationId) {
6178
+ const libraryState = generateLibraryState(cryptoObj, correlationId, meta);
6127
6179
  return userState
6128
6180
  ? `${libraryState}${RESOURCE_DELIM}${userState}`
6129
6181
  : libraryState;
@@ -6131,11 +6183,12 @@ function setRequestState(cryptoObj, userState, meta) {
6131
6183
  /**
6132
6184
  * Generates the state value used by the common library.
6133
6185
  * @param cryptoObj
6186
+ * @param correlationId
6134
6187
  * @param meta
6135
6188
  */
6136
- function generateLibraryState(cryptoObj, meta) {
6189
+ function generateLibraryState(cryptoObj, correlationId, meta) {
6137
6190
  if (!cryptoObj) {
6138
- throw createClientAuthError(noCryptoObject);
6191
+ throw createClientAuthError(noCryptoObject, correlationId);
6139
6192
  }
6140
6193
  // Create a state object containing a unique id and the timestamp of the request creation
6141
6194
  const stateObj = {
@@ -6151,13 +6204,14 @@ function generateLibraryState(cryptoObj, meta) {
6151
6204
  * Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
6152
6205
  * @param base64Decode
6153
6206
  * @param state
6207
+ * @param correlationId
6154
6208
  */
6155
- function parseRequestState(base64Decode, state) {
6209
+ function parseRequestState(base64Decode, state, correlationId) {
6156
6210
  if (!base64Decode) {
6157
- throw createClientAuthError(noCryptoObject);
6211
+ throw createClientAuthError(noCryptoObject, correlationId);
6158
6212
  }
6159
6213
  if (!state) {
6160
- throw createClientAuthError(invalidState);
6214
+ throw createClientAuthError(invalidState, correlationId);
6161
6215
  }
6162
6216
  try {
6163
6217
  // Split the state between library state and user passed state and decode them separately
@@ -6174,7 +6228,7 @@ function parseRequestState(base64Decode, state) {
6174
6228
  };
6175
6229
  }
6176
6230
  catch (e) {
6177
- throw createClientAuthError(invalidState);
6231
+ throw createClientAuthError(invalidState, correlationId);
6178
6232
  }
6179
6233
  }
6180
6234
 
@@ -6218,7 +6272,7 @@ class ResponseHandler {
6218
6272
  const serverErrorNo = serverResponse.error_codes?.length
6219
6273
  ? serverResponse.error_codes[0]
6220
6274
  : undefined;
6221
- const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
6275
+ const serverError = new ServerError(serverResponse.error || "", serverResponse.correlation_id || "", errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
6222
6276
  // check if 500 error
6223
6277
  if (refreshAccessToken &&
6224
6278
  serverResponse.status &&
@@ -6240,7 +6294,7 @@ class ResponseHandler {
6240
6294
  return;
6241
6295
  }
6242
6296
  if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6243
- throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6297
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
6244
6298
  }
6245
6299
  throw serverError;
6246
6300
  }
@@ -6250,37 +6304,29 @@ class ResponseHandler {
6250
6304
  * @param serverTokenResponse
6251
6305
  * @param authority
6252
6306
  */
6253
- async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
6307
+ async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId, additionalCacheKeyComponents) {
6254
6308
  // create an idToken object (not entity)
6255
6309
  let idTokenClaims;
6256
6310
  if (serverTokenResponse.id_token) {
6257
- idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode);
6311
+ idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode, request.correlationId);
6258
6312
  // token nonce check (TODO: Add a warning if no nonce is given?)
6259
6313
  if (authCodePayload && authCodePayload.nonce) {
6260
6314
  if (idTokenClaims.nonce !== authCodePayload.nonce) {
6261
- throw createClientAuthError(nonceMismatch);
6315
+ throw createClientAuthError(nonceMismatch, request.correlationId);
6262
6316
  }
6263
6317
  }
6264
- // token max_age check
6265
- if (request.maxAge || request.maxAge === 0) {
6266
- const authTime = idTokenClaims.auth_time;
6267
- if (!authTime) {
6268
- throw createClientAuthError(authTimeNotFound);
6269
- }
6270
- checkMaxAge(authTime, request.maxAge);
6271
- }
6272
6318
  }
6273
6319
  // generate homeAccountId
6274
6320
  this.homeAccountIdentifier = generateHomeAccountId(serverTokenResponse.client_info || "", authority.authorityType, this.logger, this.cryptoObj, request.correlationId, idTokenClaims);
6275
6321
  // save the response tokens
6276
6322
  let requestStateObj;
6277
6323
  if (!!authCodePayload && !!authCodePayload.state) {
6278
- requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state);
6324
+ requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state, request.correlationId);
6279
6325
  }
6280
6326
  // Add keyId from request to serverTokenResponse if defined
6281
6327
  serverTokenResponse.key_id =
6282
6328
  serverTokenResponse.key_id || request.sshKid || undefined;
6283
- const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
6329
+ const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents);
6284
6330
  let cacheContext;
6285
6331
  try {
6286
6332
  if (this.persistencePlugin && this.serializableCache) {
@@ -6327,10 +6373,10 @@ class ResponseHandler {
6327
6373
  * @param idTokenObj
6328
6374
  * @param authority
6329
6375
  */
6330
- generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
6376
+ generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents) {
6331
6377
  const env = authority.getPreferredCache();
6332
6378
  if (!env) {
6333
- throw createClientAuthError(invalidCacheEnvironment);
6379
+ throw createClientAuthError(invalidCacheEnvironment, request.correlationId);
6334
6380
  }
6335
6381
  const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
6336
6382
  // IdToken: non AAD scenarios can have empty realm
@@ -6346,8 +6392,8 @@ class ResponseHandler {
6346
6392
  if (serverTokenResponse.access_token) {
6347
6393
  // If scopes not returned in server response, use request scopes
6348
6394
  const responseScopes = serverTokenResponse.scope
6349
- ? ScopeSet.fromString(serverTokenResponse.scope)
6350
- : new ScopeSet(request.scopes || []);
6395
+ ? ScopeSet.fromString(serverTokenResponse.scope, request.correlationId)
6396
+ : new ScopeSet(request.scopes || [], request.correlationId);
6351
6397
  /*
6352
6398
  * Use timestamp calculated before request
6353
6399
  * Server may return timestamps as strings, parse to numbers if so.
@@ -6367,7 +6413,7 @@ class ResponseHandler {
6367
6413
  ? reqTimestamp + refreshIn
6368
6414
  : undefined;
6369
6415
  // non AAD scenarios can have empty realm
6370
- cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id);
6416
+ cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, request.correlationId, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, additionalCacheKeyComponents);
6371
6417
  // Set resource (to be used for MCP scenarios)
6372
6418
  const resource = request.resource || null;
6373
6419
  if (resource) {
@@ -6433,14 +6479,14 @@ class ResponseHandler {
6433
6479
  const popTokenGenerator = new PopTokenGenerator(cryptoObj, performanceClient);
6434
6480
  const { secret, keyId } = cacheRecord.accessToken;
6435
6481
  if (!keyId) {
6436
- throw createClientAuthError(keyIdMissing);
6482
+ throw createClientAuthError(keyIdMissing, request.correlationId);
6437
6483
  }
6438
6484
  accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
6439
6485
  }
6440
6486
  else {
6441
6487
  accessToken = cacheRecord.accessToken.secret;
6442
6488
  }
6443
- responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
6489
+ responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target, request.correlationId).asArray();
6444
6490
  // Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
6445
6491
  expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
6446
6492
  extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
@@ -6458,8 +6504,18 @@ class ResponseHandler {
6458
6504
  const tid = idTokenClaims?.tid || "";
6459
6505
  // for hybrid + native bridge enablement, send back the native account Id
6460
6506
  if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
6507
+ // Set on deprecated top-level for downgrade compat
6461
6508
  cacheRecord.account.nativeAccountId =
6462
6509
  serverTokenResponse?.spa_accountid;
6510
+ // Set on the matching tenant profile (source of truth)
6511
+ const targetTenantId = tid || cacheRecord.account.realm;
6512
+ if (cacheRecord.account.tenantProfiles) {
6513
+ const matchingProfile = cacheRecord.account.tenantProfiles.find((tp) => tp.tenantId === targetTenantId);
6514
+ if (matchingProfile) {
6515
+ matchingProfile.nativeAccountId =
6516
+ serverTokenResponse.spa_accountid;
6517
+ }
6518
+ }
6463
6519
  }
6464
6520
  const accountInfo = cacheRecord.account
6465
6521
  ? updateAccountTenantProfileData(getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
@@ -6518,14 +6574,14 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
6518
6574
  cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
6519
6575
  msGraphHost: authCodePayload?.msgraph_host,
6520
6576
  nativeAccountId: nativeAccountId,
6521
- }, authority, base64Decode);
6577
+ }, authority, correlationId, base64Decode);
6522
6578
  const tenantProfiles = baseAccount.tenantProfiles || [];
6523
6579
  const tenantId = claimsTenantId || baseAccount.realm;
6524
6580
  if (tenantId &&
6525
6581
  !tenantProfiles.find((tenantProfile) => {
6526
6582
  return tenantProfile.tenantId === tenantId;
6527
6583
  })) {
6528
- const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
6584
+ const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, nativeAccountId, idTokenClaims);
6529
6585
  tenantProfiles.push(newTenantProfile);
6530
6586
  }
6531
6587
  baseAccount.tenantProfiles = tenantProfiles;
@@ -6545,7 +6601,7 @@ const CcsCredentialType = {
6545
6601
  * Copyright (c) Microsoft Corporation. All rights reserved.
6546
6602
  * Licensed under the MIT License.
6547
6603
  */
6548
- async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
6604
+ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint, fmiPath) {
6549
6605
  if (typeof clientAssertion === "string") {
6550
6606
  return clientAssertion;
6551
6607
  }
@@ -6553,6 +6609,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
6553
6609
  const config = {
6554
6610
  clientId: clientId,
6555
6611
  tokenEndpoint: tokenEndpoint,
6612
+ fmiPath: fmiPath,
6556
6613
  };
6557
6614
  return clientAssertion(config);
6558
6615
  }
@@ -6609,7 +6666,7 @@ class ThrottlingUtils {
6609
6666
  cacheManager.removeItem(key, correlationId);
6610
6667
  return;
6611
6668
  }
6612
- throw new ServerError(value.errorCodes?.join(" ") || "", value.errorMessage, value.subError);
6669
+ throw new ServerError(value.errorCodes?.join(" ") || "", correlationId, value.errorMessage, value.subError);
6613
6670
  }
6614
6671
  }
6615
6672
  /**
@@ -6676,7 +6733,7 @@ class ThrottlingUtils {
6676
6733
  */
6677
6734
  class NetworkError extends AuthError {
6678
6735
  constructor(error, httpStatus, responseHeaders) {
6679
- super(error.errorCode, error.errorMessage, error.subError);
6736
+ super(error.errorCode, error.correlationId, error.errorMessage, error.subError);
6680
6737
  Object.setPrototypeOf(this, NetworkError.prototype);
6681
6738
  this.name = "NetworkError";
6682
6739
  this.error = error;
@@ -6803,7 +6860,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
6803
6860
  throw e;
6804
6861
  }
6805
6862
  else {
6806
- throw createClientAuthError(networkError);
6863
+ throw createClientAuthError(networkError, correlationId);
6807
6864
  }
6808
6865
  }
6809
6866
  ThrottlingUtils.postProcess(cacheManager, thumbprint, response, correlationId);
@@ -6856,7 +6913,7 @@ class AuthorizationCodeClient {
6856
6913
  */
6857
6914
  async acquireToken(request, apiId, authCodePayload) {
6858
6915
  if (!request.code) {
6859
- throw createClientAuthError(requestCannotBeMade);
6916
+ throw createClientAuthError(requestCannotBeMade, request.correlationId);
6860
6917
  }
6861
6918
  // Check for new cloud instance
6862
6919
  if (authCodePayload && authCodePayload.cloud_instance_host_name) {
@@ -6879,7 +6936,7 @@ class AuthorizationCodeClient {
6879
6936
  getLogoutUri(logoutRequest) {
6880
6937
  // Throw error if logoutRequest is null/undefined
6881
6938
  if (!logoutRequest) {
6882
- throw createClientConfigurationError(logoutRequestEmpty);
6939
+ throw createClientConfigurationError(logoutRequestEmpty, "");
6883
6940
  }
6884
6941
  const queryString = this.createLogoutUrlQueryString(logoutRequest);
6885
6942
  // Construct logout URI
@@ -6927,7 +6984,7 @@ class AuthorizationCodeClient {
6927
6984
  if (!this.includeRedirectUri) {
6928
6985
  // Just validate
6929
6986
  if (!request.redirectUri) {
6930
- throw createClientConfigurationError(redirectUriEmpty);
6987
+ throw createClientConfigurationError(redirectUriEmpty, request.correlationId);
6931
6988
  }
6932
6989
  }
6933
6990
  else {
@@ -6935,7 +6992,7 @@ class AuthorizationCodeClient {
6935
6992
  addRedirectUri(parameters, request.redirectUri);
6936
6993
  }
6937
6994
  // Add scope array, parameter builder will add default scopes and dedupe
6938
- addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
6995
+ addScopes(parameters, request.scopes, request.correlationId, true, this.oidcDefaultScopes);
6939
6996
  addResource(parameters, request.resource);
6940
6997
  // add code: user set, not validated
6941
6998
  addAuthorizationCode(parameters, request.code);
@@ -6978,7 +7035,7 @@ class AuthorizationCodeClient {
6978
7035
  addSshJwk(parameters, request.sshJwk);
6979
7036
  }
6980
7037
  else {
6981
- throw createClientConfigurationError(missingSshJwk);
7038
+ throw createClientConfigurationError(missingSshJwk, request.correlationId);
6982
7039
  }
6983
7040
  }
6984
7041
  let ccsCred = undefined;
@@ -7029,7 +7086,7 @@ class AuthorizationCodeClient {
7029
7086
  });
7030
7087
  }
7031
7088
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7032
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
7089
+ addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
7033
7090
  return mapToQueryString(parameters);
7034
7091
  }
7035
7092
  /**
@@ -7117,11 +7174,11 @@ class RefreshTokenClient {
7117
7174
  async acquireTokenByRefreshToken(request, apiId) {
7118
7175
  // Cannot renew token if no request object is given.
7119
7176
  if (!request) {
7120
- throw createClientConfigurationError(tokenRequestEmpty);
7177
+ throw createClientConfigurationError(tokenRequestEmpty, "");
7121
7178
  }
7122
7179
  // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
7123
7180
  if (!request.account) {
7124
- throw createClientAuthError(noAccountInSilentRequest);
7181
+ throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
7125
7182
  }
7126
7183
  // try checking if FOCI is enabled for the given application
7127
7184
  const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment, request.correlationId);
@@ -7158,7 +7215,7 @@ class RefreshTokenClient {
7158
7215
  // fetches family RT or application RT based on FOCI value
7159
7216
  const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined);
7160
7217
  if (!refreshToken) {
7161
- throw createInteractionRequiredAuthError(noTokensFound);
7218
+ throw createInteractionRequiredAuthError(noTokensFound, request.correlationId);
7162
7219
  }
7163
7220
  if (refreshToken.expiresOn) {
7164
7221
  const offset = request.refreshTokenExpirationOffsetSeconds ||
@@ -7168,7 +7225,7 @@ class RefreshTokenClient {
7168
7225
  rtOffsetSeconds: offset,
7169
7226
  }, request.correlationId);
7170
7227
  if (isTokenExpired(refreshToken.expiresOn, offset)) {
7171
- throw createInteractionRequiredAuthError(refreshTokenExpired);
7228
+ throw createInteractionRequiredAuthError(refreshTokenExpired, request.correlationId);
7172
7229
  }
7173
7230
  }
7174
7231
  // attach cached RT size to the current measurement
@@ -7222,7 +7279,7 @@ class RefreshTokenClient {
7222
7279
  if (request.redirectUri) {
7223
7280
  addRedirectUri(parameters, request.redirectUri);
7224
7281
  }
7225
- addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7282
+ addScopes(parameters, request.scopes, request.correlationId, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7226
7283
  addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7227
7284
  addClientInfo(parameters);
7228
7285
  addLibraryInfo(parameters, this.config.libraryInfo);
@@ -7258,7 +7315,7 @@ class RefreshTokenClient {
7258
7315
  addSshJwk(parameters, request.sshJwk);
7259
7316
  }
7260
7317
  else {
7261
- throw createClientConfigurationError(missingSshJwk);
7318
+ throw createClientConfigurationError(missingSshJwk, request.correlationId);
7262
7319
  }
7263
7320
  }
7264
7321
  if (this.config.systemOptions.preventCorsPreflight &&
@@ -7287,7 +7344,7 @@ class RefreshTokenClient {
7287
7344
  });
7288
7345
  }
7289
7346
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7290
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
7347
+ addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
7291
7348
  return mapToQueryString(parameters);
7292
7349
  }
7293
7350
  }
@@ -7325,32 +7382,32 @@ class SilentFlowClient {
7325
7382
  if (request.forceRefresh || !StringUtils.isEmptyObj(request.claims)) {
7326
7383
  // Must refresh due to present force_refresh flag.
7327
7384
  this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
7328
- throw createClientAuthError(tokenRefreshRequired);
7385
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
7329
7386
  }
7330
7387
  // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
7331
7388
  if (!request.account) {
7332
- throw createClientAuthError(noAccountInSilentRequest);
7389
+ throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
7333
7390
  }
7334
7391
  const requestTenantId = request.account.tenantId ||
7335
- getTenantFromAuthorityString(request.authority);
7392
+ getTenantFromAuthorityString(request.authority, request.correlationId);
7336
7393
  const tokenKeys = this.cacheManager.getTokenKeys();
7337
7394
  const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId);
7338
7395
  if (!cachedAccessToken) {
7339
7396
  // must refresh due to non-existent access_token
7340
7397
  this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
7341
- throw createClientAuthError(tokenRefreshRequired);
7398
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
7342
7399
  }
7343
7400
  else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
7344
7401
  isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
7345
7402
  // must refresh due to the expires_in value
7346
7403
  this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
7347
- throw createClientAuthError(tokenRefreshRequired);
7404
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
7348
7405
  }
7349
7406
  else if (request.resource) {
7350
7407
  // cached access token must have a resource that matches the request resource for MCP scenarios
7351
7408
  if (cachedAccessToken.resource !== request.resource) {
7352
7409
  this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
7353
- throw createClientAuthError(tokenRefreshRequired);
7410
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
7354
7411
  }
7355
7412
  }
7356
7413
  else if (cachedAccessToken.refreshOn &&
@@ -7392,15 +7449,7 @@ class SilentFlowClient {
7392
7449
  async generateResultFromCacheRecord(cacheRecord, request) {
7393
7450
  let idTokenClaims;
7394
7451
  if (cacheRecord.idToken) {
7395
- idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
7396
- }
7397
- // token max_age check
7398
- if (request.maxAge || request.maxAge === 0) {
7399
- const authTime = idTokenClaims?.auth_time;
7400
- if (!authTime) {
7401
- throw createClientAuthError(authTimeNotFound);
7402
- }
7403
- checkMaxAge(authTime, request.maxAge);
7452
+ idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode, request.correlationId);
7404
7453
  }
7405
7454
  return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, this.performanceClient, idTokenClaims);
7406
7455
  }
@@ -7411,11 +7460,12 @@ class SilentFlowClient {
7411
7460
  * Licensed under the MIT License.
7412
7461
  */
7413
7462
  const StubbedNetworkModule = {
7463
+ // Module-level singleton: no per-request correlationId available
7414
7464
  sendGetRequestAsync: () => {
7415
- return Promise.reject(createClientAuthError(methodNotImplemented));
7465
+ return Promise.reject(createClientAuthError(methodNotImplemented, ""));
7416
7466
  },
7417
7467
  sendPostRequestAsync: () => {
7418
- return Promise.reject(createClientAuthError(methodNotImplemented));
7468
+ return Promise.reject(createClientAuthError(methodNotImplemented, ""));
7419
7469
  },
7420
7470
  };
7421
7471
 
@@ -7443,7 +7493,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
7443
7493
  ...(request.scopes || []),
7444
7494
  ...(request.extraScopesToConsent || []),
7445
7495
  ];
7446
- addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7496
+ addScopes(parameters, requestScopes, request.correlationId, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7447
7497
  addResource(parameters, request.resource);
7448
7498
  addRedirectUri(parameters, request.redirectUri);
7449
7499
  addCorrelationId(parameters, correlationId);
@@ -7545,7 +7595,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
7545
7595
  if (request.embeddedClientId) {
7546
7596
  addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7547
7597
  }
7548
- addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
7598
+ addClaims(parameters, request.correlationId, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
7549
7599
  // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
7550
7600
  if (authOptions.instanceAware &&
7551
7601
  (!request.extraQueryParameters ||
@@ -7570,13 +7620,14 @@ function getAuthorizeUrl(authority, requestParameters) {
7570
7620
  * the client to exchange for a token in acquireToken.
7571
7621
  * @param serverParams
7572
7622
  * @param cachedState
7623
+ * @param correlationId
7573
7624
  */
7574
- function getAuthorizationCodePayload(serverParams, cachedState) {
7625
+ function getAuthorizationCodePayload(serverParams, cachedState, correlationId) {
7575
7626
  // Get code response
7576
- validateAuthorizationResponse(serverParams, cachedState);
7627
+ validateAuthorizationResponse(serverParams, cachedState, correlationId);
7577
7628
  // throw when there is no auth code in the response
7578
7629
  if (!serverParams.code) {
7579
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7630
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse, correlationId);
7580
7631
  }
7581
7632
  return serverParams;
7582
7633
  }
@@ -7584,12 +7635,13 @@ function getAuthorizationCodePayload(serverParams, cachedState) {
7584
7635
  * Function which validates server authorization code response.
7585
7636
  * @param serverResponseHash
7586
7637
  * @param requestState
7638
+ * @param correlationId
7587
7639
  */
7588
- function validateAuthorizationResponse(serverResponse, requestState) {
7640
+ function validateAuthorizationResponse(serverResponse, requestState, correlationId) {
7589
7641
  if (!serverResponse.state || !requestState) {
7590
7642
  throw serverResponse.state
7591
- ? createClientAuthError(stateNotFound, "Cached State")
7592
- : createClientAuthError(stateNotFound, "Server State");
7643
+ ? createClientAuthError(stateNotFound, correlationId, "Cached State")
7644
+ : createClientAuthError(stateNotFound, correlationId, "Server State");
7593
7645
  }
7594
7646
  let decodedServerResponseState;
7595
7647
  let decodedRequestState;
@@ -7597,16 +7649,16 @@ function validateAuthorizationResponse(serverResponse, requestState) {
7597
7649
  decodedServerResponseState = decodeURIComponent(serverResponse.state);
7598
7650
  }
7599
7651
  catch (e) {
7600
- throw createClientAuthError(invalidState, serverResponse.state);
7652
+ throw createClientAuthError(invalidState, correlationId, serverResponse.state);
7601
7653
  }
7602
7654
  try {
7603
7655
  decodedRequestState = decodeURIComponent(requestState);
7604
7656
  }
7605
7657
  catch (e) {
7606
- throw createClientAuthError(invalidState, serverResponse.state);
7658
+ throw createClientAuthError(invalidState, correlationId, serverResponse.state);
7607
7659
  }
7608
7660
  if (decodedServerResponseState !== decodedRequestState) {
7609
- throw createClientAuthError(stateMismatch);
7661
+ throw createClientAuthError(stateMismatch, correlationId);
7610
7662
  }
7611
7663
  // Check for error
7612
7664
  if (serverResponse.error ||
@@ -7614,9 +7666,9 @@ function validateAuthorizationResponse(serverResponse, requestState) {
7614
7666
  serverResponse.suberror) {
7615
7667
  const serverErrorNo = parseServerErrorNo(serverResponse);
7616
7668
  if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7617
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7669
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
7618
7670
  }
7619
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7671
+ throw new ServerError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7620
7672
  }
7621
7673
  }
7622
7674
  /**
@@ -7668,10 +7720,10 @@ function enforceResourceParameter(isMcp, request) {
7668
7720
  if (request.resource &&
7669
7721
  (containsResourceParam(request.extraParameters) ||
7670
7722
  containsResourceParam(request.extraQueryParameters))) {
7671
- throw createClientAuthError(misplacedResourceParam);
7723
+ throw createClientAuthError(misplacedResourceParam, request.correlationId || "");
7672
7724
  }
7673
7725
  if (!request.resource) {
7674
- throw createClientAuthError(resourceParameterRequired);
7726
+ throw createClientAuthError(resourceParameterRequired, request.correlationId || "");
7675
7727
  }
7676
7728
  }
7677
7729
  function containsResourceParam(params) {
@@ -7705,7 +7757,7 @@ class AuthenticationHeaderParser {
7705
7757
  if (authenticationInfoChallenges.nextnonce) {
7706
7758
  return authenticationInfoChallenges.nextnonce;
7707
7759
  }
7708
- throw createClientConfigurationError(invalidAuthenticationHeader);
7760
+ throw createClientConfigurationError(invalidAuthenticationHeader, "");
7709
7761
  }
7710
7762
  // Attempt to parse nonce from WWW-Authenticate
7711
7763
  const wwwAuthenticate = this.headers[HeaderNames.WWWAuthenticate];
@@ -7714,10 +7766,10 @@ class AuthenticationHeaderParser {
7714
7766
  if (wwwAuthenticateChallenges.nonce) {
7715
7767
  return wwwAuthenticateChallenges.nonce;
7716
7768
  }
7717
- throw createClientConfigurationError(invalidAuthenticationHeader);
7769
+ throw createClientConfigurationError(invalidAuthenticationHeader, "");
7718
7770
  }
7719
7771
  // If neither header is present, throw missing headers error
7720
- throw createClientConfigurationError(missingNonceAuthenticationHeader);
7772
+ throw createClientConfigurationError(missingNonceAuthenticationHeader, "");
7721
7773
  }
7722
7774
  /**
7723
7775
  * Parses an HTTP header's challenge set into a key/value map.
@@ -7767,12 +7819,12 @@ function tagToString(tag) {
7767
7819
  * Error class for MSAL Runtime errors that preserves detailed broker information
7768
7820
  */
7769
7821
  class PlatformBrokerError extends AuthError {
7770
- constructor(errorStatus, errorContext, errorCode, errorTag) {
7822
+ constructor(errorStatus, correlationId, errorContext, errorCode, errorTag) {
7771
7823
  const tagString = tagToString(errorTag);
7772
7824
  const enhancedErrorContext = errorContext
7773
7825
  ? `${errorContext} (Error Code: ${errorCode}, Tag: ${tagString})`
7774
7826
  : `(Error Code: ${errorCode}, Tag: ${tagString})`;
7775
- super(errorStatus, enhancedErrorContext);
7827
+ super(errorStatus, correlationId, enhancedErrorContext);
7776
7828
  this.name = "PlatformBrokerError";
7777
7829
  this.statusCode = errorCode;
7778
7830
  this.tag = tagString;
@@ -8150,4 +8202,4 @@ exports.invokeAsync = invokeAsync;
8150
8202
  exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
8151
8203
  exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
8152
8204
  exports.version = version;
8153
- //# sourceMappingURL=index-node-CcOYLhxB.js.map
8205
+ //# sourceMappingURL=index-node-BSFEsmmC.js.map