@azure/msal-common 16.9.0 → 16.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +9 -3
- package/dist/account/AccountInfo.mjs.map +1 -1
- package/dist/account/AuthToken.mjs +9 -23
- package/dist/account/AuthToken.mjs.map +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/CcsCredential.mjs.map +1 -1
- package/dist/account/ClientInfo.mjs +4 -4
- package/dist/account/ClientInfo.mjs.map +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/account/TokenClaims.mjs.map +1 -1
- package/dist/authority/Authority.mjs +36 -37
- package/dist/authority/Authority.mjs.map +1 -1
- package/dist/authority/AuthorityFactory.mjs +3 -3
- package/dist/authority/AuthorityFactory.mjs.map +1 -1
- package/dist/authority/AuthorityMetadata.mjs +2 -2
- package/dist/authority/AuthorityMetadata.mjs.map +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs.map +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/AuthorityType.mjs.map +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs.map +1 -1
- package/dist/authority/RegionDiscovery.mjs +16 -10
- package/dist/authority/RegionDiscovery.mjs.map +1 -1
- package/dist/cache/CacheManager.mjs +62 -46
- package/dist/cache/CacheManager.mjs.map +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs.map +1 -1
- package/dist/cache/utils/AccountEntityUtils.mjs +18 -8
- package/dist/cache/utils/AccountEntityUtils.mjs.map +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +10 -5
- package/dist/cache/utils/CacheHelpers.mjs.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +7 -7
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +8 -8
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +10 -18
- package/dist/client/SilentFlowClient.mjs.map +1 -1
- package/dist/config/ClientConfiguration.mjs +3 -3
- package/dist/config/ClientConfiguration.mjs.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +7 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +11 -11
- package/dist/crypto/ICrypto.mjs.map +1 -1
- package/dist/crypto/JoseHeader.mjs +3 -3
- package/dist/crypto/JoseHeader.mjs.map +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +2 -2
- package/dist/crypto/PopTokenGenerator.mjs.map +1 -1
- package/dist/error/AuthError.mjs +5 -7
- package/dist/error/AuthError.mjs.map +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheError.mjs.map +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +5 -5
- package/dist/error/ClientAuthError.mjs.map +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +2 -4
- package/dist/error/ClientAuthErrorCodes.mjs.map +1 -1
- package/dist/error/ClientConfigurationError.mjs +5 -5
- package/dist/error/ClientConfigurationError.mjs.map +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +5 -6
- package/dist/error/InteractionRequiredAuthError.mjs.map +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +5 -5
- package/dist/error/JoseHeaderError.mjs.map +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +2 -2
- package/dist/error/NetworkError.mjs.map +1 -1
- package/dist/error/PlatformBrokerError.mjs +3 -3
- package/dist/error/PlatformBrokerError.mjs.map +1 -1
- package/dist/error/ServerError.mjs +3 -3
- package/dist/error/ServerError.mjs.map +1 -1
- package/dist/index-node.mjs +53 -53
- package/dist/index.mjs +59 -59
- package/dist/logger/Logger.mjs +1 -1
- package/dist/logger/Logger.mjs.map +1 -1
- package/dist/network/INetworkModule.mjs +4 -3
- package/dist/network/INetworkModule.mjs.map +1 -1
- package/dist/network/RequestThumbprint.mjs +2 -1
- package/dist/network/RequestThumbprint.mjs.map +1 -1
- package/dist/network/ThrottlingUtils.mjs +2 -2
- package/dist/network/ThrottlingUtils.mjs.map +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.mjs +16 -14
- package/dist/protocol/Authorize.mjs.map +1 -1
- package/dist/protocol/Token.mjs +2 -2
- package/dist/protocol/Token.mjs.map +1 -1
- package/dist/request/AuthenticationHeaderParser.mjs +4 -4
- package/dist/request/AuthenticationHeaderParser.mjs.map +1 -1
- package/dist/request/BaseAuthRequest.mjs +3 -3
- package/dist/request/BaseAuthRequest.mjs.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +51 -33
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/ScopeSet.mjs +13 -12
- package/dist/request/ScopeSet.mjs.map +1 -1
- package/dist/response/ResponseHandler.mjs +29 -27
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +20 -1
- package/dist/telemetry/performance/PerformanceClient.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +4 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs.map +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +2 -2
- package/dist/telemetry/server/ServerTelemetryManager.mjs.map +1 -1
- package/dist/url/UrlString.mjs +15 -14
- package/dist/url/UrlString.mjs.map +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +3 -2
- package/dist/utils/ClientAssertionUtils.mjs.map +1 -1
- package/dist/utils/Constants.mjs +7 -3
- package/dist/utils/Constants.mjs.map +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs.map +1 -1
- package/dist/utils/ProtocolUtils.mjs +12 -9
- package/dist/utils/ProtocolUtils.mjs.map +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs.map +1 -1
- package/dist/utils/TimeUtils.mjs +1 -1
- package/dist/utils/TimeUtils.mjs.map +1 -1
- package/dist/utils/UrlUtils.mjs +4 -4
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/dist-browser/account/AccountInfo.mjs +9 -3
- package/dist-browser/account/AccountInfo.mjs.map +1 -1
- package/dist-browser/account/AuthToken.mjs +9 -23
- package/dist-browser/account/AuthToken.mjs.map +1 -1
- package/dist-browser/account/CcsCredential.mjs +1 -1
- package/dist-browser/account/CcsCredential.mjs.map +1 -1
- package/dist-browser/account/ClientInfo.mjs +4 -4
- package/dist-browser/account/ClientInfo.mjs.map +1 -1
- package/dist-browser/account/TokenClaims.mjs +1 -1
- package/dist-browser/account/TokenClaims.mjs.map +1 -1
- package/dist-browser/authority/Authority.mjs +36 -37
- package/dist-browser/authority/Authority.mjs.map +1 -1
- package/dist-browser/authority/AuthorityFactory.mjs +3 -3
- package/dist-browser/authority/AuthorityFactory.mjs.map +1 -1
- package/dist-browser/authority/AuthorityMetadata.mjs +2 -2
- package/dist-browser/authority/AuthorityMetadata.mjs.map +1 -1
- package/dist-browser/authority/AuthorityOptions.mjs +1 -1
- package/dist-browser/authority/AuthorityOptions.mjs.map +1 -1
- package/dist-browser/authority/AuthorityType.mjs +1 -1
- package/dist-browser/authority/AuthorityType.mjs.map +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist-browser/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist-browser/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist-browser/authority/ProtocolMode.mjs +1 -1
- package/dist-browser/authority/ProtocolMode.mjs.map +1 -1
- package/dist-browser/authority/RegionDiscovery.mjs +16 -10
- package/dist-browser/authority/RegionDiscovery.mjs.map +1 -1
- package/dist-browser/cache/CacheManager.mjs +62 -46
- package/dist-browser/cache/CacheManager.mjs.map +1 -1
- package/dist-browser/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist-browser/cache/persistence/TokenCacheContext.mjs.map +1 -1
- package/dist-browser/cache/utils/AccountEntityUtils.mjs +18 -8
- package/dist-browser/cache/utils/AccountEntityUtils.mjs.map +1 -1
- package/dist-browser/cache/utils/CacheHelpers.mjs +10 -5
- package/dist-browser/cache/utils/CacheHelpers.mjs.map +1 -1
- package/dist-browser/client/AuthorizationCodeClient.mjs +7 -7
- package/dist-browser/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist-browser/client/RefreshTokenClient.mjs +8 -8
- package/dist-browser/client/RefreshTokenClient.mjs.map +1 -1
- package/dist-browser/client/SilentFlowClient.mjs +10 -18
- package/dist-browser/client/SilentFlowClient.mjs.map +1 -1
- package/dist-browser/config/ClientConfiguration.mjs +3 -3
- package/dist-browser/config/ClientConfiguration.mjs.map +1 -1
- package/dist-browser/constants/AADServerParamKeys.mjs +7 -3
- package/dist-browser/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist-browser/crypto/ICrypto.mjs +11 -11
- package/dist-browser/crypto/ICrypto.mjs.map +1 -1
- package/dist-browser/crypto/JoseHeader.mjs +3 -3
- package/dist-browser/crypto/JoseHeader.mjs.map +1 -1
- package/dist-browser/crypto/PopTokenGenerator.mjs +2 -2
- package/dist-browser/crypto/PopTokenGenerator.mjs.map +1 -1
- package/dist-browser/error/AuthError.mjs +5 -7
- package/dist-browser/error/AuthError.mjs.map +1 -1
- package/dist-browser/error/AuthErrorCodes.mjs +1 -1
- package/dist-browser/error/CacheError.mjs +1 -1
- package/dist-browser/error/CacheError.mjs.map +1 -1
- package/dist-browser/error/CacheErrorCodes.mjs +1 -1
- package/dist-browser/error/ClientAuthError.mjs +5 -5
- package/dist-browser/error/ClientAuthError.mjs.map +1 -1
- package/dist-browser/error/ClientAuthErrorCodes.mjs +2 -4
- package/dist-browser/error/ClientAuthErrorCodes.mjs.map +1 -1
- package/dist-browser/error/ClientConfigurationError.mjs +5 -5
- package/dist-browser/error/ClientConfigurationError.mjs.map +1 -1
- package/dist-browser/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist-browser/error/InteractionRequiredAuthError.mjs +5 -6
- package/dist-browser/error/InteractionRequiredAuthError.mjs.map +1 -1
- package/dist-browser/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist-browser/error/JoseHeaderError.mjs +5 -5
- package/dist-browser/error/JoseHeaderError.mjs.map +1 -1
- package/dist-browser/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist-browser/error/NetworkError.mjs +2 -2
- package/dist-browser/error/NetworkError.mjs.map +1 -1
- package/dist-browser/error/PlatformBrokerError.mjs +3 -3
- package/dist-browser/error/PlatformBrokerError.mjs.map +1 -1
- package/dist-browser/error/ServerError.mjs +3 -3
- package/dist-browser/error/ServerError.mjs.map +1 -1
- package/dist-browser/index-browser.mjs +55 -55
- package/dist-browser/index.mjs +59 -59
- package/dist-browser/log-strings-mapping.json +2 -2
- package/dist-browser/logger/Logger.mjs +1 -1
- package/dist-browser/logger/Logger.mjs.map +1 -1
- package/dist-browser/network/INetworkModule.mjs +4 -3
- package/dist-browser/network/INetworkModule.mjs.map +1 -1
- package/dist-browser/network/RequestThumbprint.mjs +2 -1
- package/dist-browser/network/RequestThumbprint.mjs.map +1 -1
- package/dist-browser/network/ThrottlingUtils.mjs +2 -2
- package/dist-browser/network/ThrottlingUtils.mjs.map +1 -1
- package/dist-browser/packageMetadata.mjs +2 -2
- package/dist-browser/protocol/Authorize.mjs +16 -14
- package/dist-browser/protocol/Authorize.mjs.map +1 -1
- package/dist-browser/protocol/Token.mjs +2 -2
- package/dist-browser/protocol/Token.mjs.map +1 -1
- package/dist-browser/request/AuthenticationHeaderParser.mjs +4 -4
- package/dist-browser/request/AuthenticationHeaderParser.mjs.map +1 -1
- package/dist-browser/request/BaseAuthRequest.mjs +3 -3
- package/dist-browser/request/BaseAuthRequest.mjs.map +1 -1
- package/dist-browser/request/RequestParameterBuilder.mjs +51 -33
- package/dist-browser/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist-browser/request/ScopeSet.mjs +13 -12
- package/dist-browser/request/ScopeSet.mjs.map +1 -1
- package/dist-browser/response/ResponseHandler.mjs +29 -27
- package/dist-browser/response/ResponseHandler.mjs.map +1 -1
- package/dist-browser/telemetry/performance/PerformanceClient.mjs +20 -1
- package/dist-browser/telemetry/performance/PerformanceClient.mjs.map +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvent.mjs +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist-browser/telemetry/performance/PerformanceEvents.mjs +1 -1
- package/dist-browser/telemetry/performance/StubPerformanceClient.mjs +4 -1
- package/dist-browser/telemetry/performance/StubPerformanceClient.mjs.map +1 -1
- package/dist-browser/telemetry/server/ServerTelemetryManager.mjs +2 -2
- package/dist-browser/telemetry/server/ServerTelemetryManager.mjs.map +1 -1
- package/dist-browser/url/UrlString.mjs +15 -14
- package/dist-browser/url/UrlString.mjs.map +1 -1
- package/dist-browser/utils/ClientAssertionUtils.mjs +3 -2
- package/dist-browser/utils/ClientAssertionUtils.mjs.map +1 -1
- package/dist-browser/utils/Constants.mjs +7 -3
- package/dist-browser/utils/Constants.mjs.map +1 -1
- package/dist-browser/utils/FunctionWrappers.mjs +1 -1
- package/dist-browser/utils/FunctionWrappers.mjs.map +1 -1
- package/dist-browser/utils/ProtocolUtils.mjs +12 -9
- package/dist-browser/utils/ProtocolUtils.mjs.map +1 -1
- package/dist-browser/utils/StringUtils.mjs +1 -1
- package/dist-browser/utils/StringUtils.mjs.map +1 -1
- package/dist-browser/utils/TimeUtils.mjs +1 -1
- package/dist-browser/utils/TimeUtils.mjs.map +1 -1
- package/dist-browser/utils/UrlUtils.mjs +4 -4
- package/dist-browser/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +27 -8
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node-CcOYLhxB.js → index-node-C_uKaUiZ.js} +368 -312
- package/lib/index-node-C_uKaUiZ.js.map +1 -0
- package/lib/index-node.cjs +2 -2
- package/lib/index.cjs +2 -2
- package/package.json +1 -1
- package/src/account/AccountInfo.ts +19 -1
- package/src/account/AuthToken.ts +19 -21
- package/src/account/ClientCredentials.ts +1 -0
- package/src/account/ClientInfo.ts +8 -3
- package/src/authority/Authority.ts +72 -37
- package/src/authority/AuthorityFactory.ts +4 -2
- package/src/authority/AuthorityMetadata.ts +2 -1
- package/src/authority/RegionDiscovery.ts +18 -11
- package/src/cache/CacheManager.ts +160 -57
- package/src/cache/entities/AccountEntity.ts +4 -0
- package/src/cache/entities/CredentialEntity.ts +2 -0
- package/src/cache/utils/AccountEntityUtils.ts +23 -3
- package/src/cache/utils/CacheHelpers.ts +15 -3
- package/src/cache/utils/CacheTypes.ts +2 -0
- package/src/client/AuthorizationCodeClient.ts +10 -4
- package/src/client/RefreshTokenClient.ts +12 -5
- package/src/client/SilentFlowClient.ts +17 -20
- package/src/config/ClientConfiguration.ts +8 -2
- package/src/constants/AADServerParamKeys.ts +5 -0
- package/src/crypto/ICrypto.ts +40 -10
- package/src/crypto/JoseHeader.ts +8 -2
- package/src/crypto/PopTokenGenerator.ts +1 -1
- package/src/error/AuthError.ts +9 -5
- package/src/error/ClientAuthError.ts +8 -3
- package/src/error/ClientAuthErrorCodes.ts +0 -2
- package/src/error/ClientConfigurationError.ts +5 -4
- package/src/error/InteractionRequiredAuthError.ts +9 -5
- package/src/error/JoseHeaderError.ts +11 -4
- package/src/error/NetworkError.ts +6 -1
- package/src/error/PlatformBrokerError.ts +2 -1
- package/src/error/ServerError.ts +3 -2
- package/src/network/INetworkModule.ts +3 -2
- package/src/network/RequestThumbprint.ts +2 -0
- package/src/network/ThrottlingUtils.ts +1 -0
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +21 -6
- package/src/protocol/Token.ts +4 -1
- package/src/request/AuthenticationHeaderParser.ts +6 -3
- package/src/request/BaseAuthRequest.ts +8 -2
- package/src/request/RequestParameterBuilder.ts +66 -43
- package/src/request/ScopeSet.ts +27 -11
- package/src/response/ImdsComputeResponse.ts +14 -0
- package/src/response/ResponseHandler.ts +45 -32
- package/src/telemetry/performance/IPerformanceClient.ts +1 -0
- package/src/telemetry/performance/PerformanceClient.ts +28 -0
- package/src/telemetry/performance/StubPerformanceClient.ts +4 -0
- package/src/url/UrlString.ts +32 -13
- package/src/utils/ClientAssertionUtils.ts +3 -1
- package/src/utils/Constants.ts +6 -3
- package/src/utils/ProtocolUtils.ts +26 -8
- package/src/utils/UrlUtils.ts +8 -3
- package/types/account/AccountInfo.d.ts +8 -2
- package/types/account/AccountInfo.d.ts.map +1 -1
- package/types/account/AuthToken.d.ts +2 -6
- package/types/account/AuthToken.d.ts.map +1 -1
- package/types/account/ClientCredentials.d.ts +1 -0
- package/types/account/ClientCredentials.d.ts.map +1 -1
- package/types/account/ClientInfo.d.ts.map +1 -1
- package/types/authority/Authority.d.ts +4 -4
- package/types/authority/Authority.d.ts.map +1 -1
- package/types/authority/AuthorityFactory.d.ts.map +1 -1
- package/types/authority/AuthorityMetadata.d.ts.map +1 -1
- package/types/authority/RegionDiscovery.d.ts +3 -2
- package/types/authority/RegionDiscovery.d.ts.map +1 -1
- package/types/cache/CacheManager.d.ts +0 -7
- package/types/cache/CacheManager.d.ts.map +1 -1
- package/types/cache/entities/AccountEntity.d.ts +4 -0
- package/types/cache/entities/AccountEntity.d.ts.map +1 -1
- package/types/cache/entities/CredentialEntity.d.ts +2 -0
- package/types/cache/entities/CredentialEntity.d.ts.map +1 -1
- package/types/cache/utils/AccountEntityUtils.d.ts +1 -1
- package/types/cache/utils/AccountEntityUtils.d.ts.map +1 -1
- package/types/cache/utils/CacheHelpers.d.ts +1 -1
- package/types/cache/utils/CacheHelpers.d.ts.map +1 -1
- package/types/cache/utils/CacheTypes.d.ts +2 -1
- package/types/cache/utils/CacheTypes.d.ts.map +1 -1
- package/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/types/client/SilentFlowClient.d.ts.map +1 -1
- package/types/config/ClientConfiguration.d.ts.map +1 -1
- package/types/constants/AADServerParamKeys.d.ts +4 -0
- package/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/types/crypto/ICrypto.d.ts.map +1 -1
- package/types/crypto/JoseHeader.d.ts.map +1 -1
- package/types/error/AuthError.d.ts +2 -3
- package/types/error/AuthError.d.ts.map +1 -1
- package/types/error/ClientAuthError.d.ts +2 -2
- package/types/error/ClientAuthError.d.ts.map +1 -1
- package/types/error/ClientAuthErrorCodes.d.ts +0 -2
- package/types/error/ClientAuthErrorCodes.d.ts.map +1 -1
- package/types/error/ClientConfigurationError.d.ts +2 -2
- package/types/error/ClientConfigurationError.d.ts.map +1 -1
- package/types/error/InteractionRequiredAuthError.d.ts +2 -2
- package/types/error/InteractionRequiredAuthError.d.ts.map +1 -1
- package/types/error/JoseHeaderError.d.ts +2 -2
- package/types/error/JoseHeaderError.d.ts.map +1 -1
- package/types/error/NetworkError.d.ts.map +1 -1
- package/types/error/PlatformBrokerError.d.ts +1 -1
- package/types/error/PlatformBrokerError.d.ts.map +1 -1
- package/types/error/ServerError.d.ts +1 -1
- package/types/error/ServerError.d.ts.map +1 -1
- package/types/network/INetworkModule.d.ts.map +1 -1
- package/types/network/RequestThumbprint.d.ts +1 -0
- package/types/network/RequestThumbprint.d.ts.map +1 -1
- package/types/network/ThrottlingUtils.d.ts.map +1 -1
- package/types/packageMetadata.d.ts +1 -1
- package/types/packageMetadata.d.ts.map +1 -1
- package/types/protocol/Authorize.d.ts +4 -2
- package/types/protocol/Authorize.d.ts.map +1 -1
- package/types/protocol/Token.d.ts.map +1 -1
- package/types/request/AuthenticationHeaderParser.d.ts.map +1 -1
- package/types/request/BaseAuthRequest.d.ts +4 -0
- package/types/request/BaseAuthRequest.d.ts.map +1 -1
- package/types/request/RequestParameterBuilder.d.ts +12 -3
- package/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/types/request/ScopeSet.d.ts +4 -3
- package/types/request/ScopeSet.d.ts.map +1 -1
- package/types/response/ImdsComputeResponse.d.ts +10 -0
- package/types/response/ImdsComputeResponse.d.ts.map +1 -0
- package/types/response/ResponseHandler.d.ts +1 -1
- package/types/response/ResponseHandler.d.ts.map +1 -1
- package/types/telemetry/performance/IPerformanceClient.d.ts +3 -0
- package/types/telemetry/performance/IPerformanceClient.d.ts.map +1 -1
- package/types/telemetry/performance/PerformanceClient.d.ts +18 -0
- package/types/telemetry/performance/PerformanceClient.d.ts.map +1 -1
- package/types/telemetry/performance/StubPerformanceClient.d.ts +1 -0
- package/types/telemetry/performance/StubPerformanceClient.d.ts.map +1 -1
- package/types/url/UrlString.d.ts +5 -4
- package/types/url/UrlString.d.ts.map +1 -1
- package/types/utils/ClientAssertionUtils.d.ts +1 -1
- package/types/utils/ClientAssertionUtils.d.ts.map +1 -1
- package/types/utils/Constants.d.ts +6 -2
- package/types/utils/Constants.d.ts.map +1 -1
- package/types/utils/ProtocolUtils.d.ts +6 -3
- package/types/utils/ProtocolUtils.d.ts.map +1 -1
- package/types/utils/UrlUtils.d.ts.map +1 -1
- package/lib/index-node-CcOYLhxB.js.map +0 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v16.
|
|
1
|
+
/*! @azure/msal-common v16.11.0 2026-06-30 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -29,7 +29,7 @@ function getDefaultErrorMessage(code) {
|
|
|
29
29
|
* General error class thrown by the MSAL.js library.
|
|
30
30
|
*/
|
|
31
31
|
class AuthError extends Error {
|
|
32
|
-
constructor(errorCode, errorMessage, suberror) {
|
|
32
|
+
constructor(errorCode, correlationId, errorMessage, suberror) {
|
|
33
33
|
const message = errorMessage ||
|
|
34
34
|
(errorCode ? getDefaultErrorMessage(errorCode) : "");
|
|
35
35
|
const errorString = message ? `${errorCode}: ${message}` : errorCode;
|
|
@@ -38,14 +38,12 @@ class AuthError extends Error {
|
|
|
38
38
|
this.errorCode = errorCode || "";
|
|
39
39
|
this.errorMessage = message || "";
|
|
40
40
|
this.subError = suberror || "";
|
|
41
|
-
this.name = "AuthError";
|
|
42
|
-
}
|
|
43
|
-
setCorrelationId(correlationId) {
|
|
44
41
|
this.correlationId = correlationId;
|
|
42
|
+
this.name = "AuthError";
|
|
45
43
|
}
|
|
46
44
|
}
|
|
47
|
-
function createAuthError(code, additionalMessage) {
|
|
48
|
-
return new AuthError(code, additionalMessage || getDefaultErrorMessage(code));
|
|
45
|
+
function createAuthError(code, correlationId, additionalMessage) {
|
|
46
|
+
return new AuthError(code, correlationId, additionalMessage || getDefaultErrorMessage(code));
|
|
49
47
|
}
|
|
50
48
|
|
|
51
49
|
/*
|
|
@@ -64,8 +62,6 @@ const invalidState = "invalid_state";
|
|
|
64
62
|
const stateMismatch = "state_mismatch";
|
|
65
63
|
const stateNotFound = "state_not_found";
|
|
66
64
|
const nonceMismatch = "nonce_mismatch";
|
|
67
|
-
const authTimeNotFound = "auth_time_not_found";
|
|
68
|
-
const maxAgeTranspired = "max_age_transpired";
|
|
69
65
|
const multipleMatchingTokens = "multiple_matching_tokens";
|
|
70
66
|
const multipleMatchingAppMetadata = "multiple_matching_appMetadata";
|
|
71
67
|
const requestCannotBeMade = "request_cannot_be_made";
|
|
@@ -94,7 +90,6 @@ const misplacedResourceParam = "misplaced_resource_parameter";
|
|
|
94
90
|
|
|
95
91
|
var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
96
92
|
__proto__: null,
|
|
97
|
-
authTimeNotFound: authTimeNotFound,
|
|
98
93
|
authorizationCodeMissingFromServerResponse: authorizationCodeMissingFromServerResponse,
|
|
99
94
|
bindingKeyNotRemoved: bindingKeyNotRemoved,
|
|
100
95
|
cannotAppendScopeSet: cannotAppendScopeSet,
|
|
@@ -109,7 +104,6 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
109
104
|
invalidCacheRecord: invalidCacheRecord,
|
|
110
105
|
invalidState: invalidState,
|
|
111
106
|
keyIdMissing: keyIdMissing,
|
|
112
|
-
maxAgeTranspired: maxAgeTranspired,
|
|
113
107
|
methodNotImplemented: methodNotImplemented,
|
|
114
108
|
misplacedResourceParam: misplacedResourceParam,
|
|
115
109
|
multipleMatchingAppMetadata: multipleMatchingAppMetadata,
|
|
@@ -146,14 +140,14 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
146
140
|
* Error thrown when there is an error in the client code running on the browser.
|
|
147
141
|
*/
|
|
148
142
|
class ClientAuthError extends AuthError {
|
|
149
|
-
constructor(errorCode, additionalMessage) {
|
|
150
|
-
super(errorCode, additionalMessage);
|
|
143
|
+
constructor(errorCode, correlationId, additionalMessage) {
|
|
144
|
+
super(errorCode, correlationId, additionalMessage);
|
|
151
145
|
this.name = "ClientAuthError";
|
|
152
146
|
Object.setPrototypeOf(this, ClientAuthError.prototype);
|
|
153
147
|
}
|
|
154
148
|
}
|
|
155
|
-
function createClientAuthError(errorCode, additionalMessage) {
|
|
156
|
-
return new ClientAuthError(errorCode, additionalMessage);
|
|
149
|
+
function createClientAuthError(errorCode, correlationId, additionalMessage) {
|
|
150
|
+
return new ClientAuthError(errorCode, correlationId, additionalMessage);
|
|
157
151
|
}
|
|
158
152
|
|
|
159
153
|
/*
|
|
@@ -165,8 +159,8 @@ function createClientAuthError(errorCode, additionalMessage) {
|
|
|
165
159
|
*
|
|
166
160
|
* @param encodedToken
|
|
167
161
|
*/
|
|
168
|
-
function extractTokenClaims(encodedToken, base64Decode) {
|
|
169
|
-
const jswPayload = getJWSPayload(encodedToken);
|
|
162
|
+
function extractTokenClaims(encodedToken, base64Decode, correlationId) {
|
|
163
|
+
const jswPayload = getJWSPayload(encodedToken, correlationId);
|
|
170
164
|
// token will be decoded to get the username
|
|
171
165
|
try {
|
|
172
166
|
// base64Decode() should throw an error if there is an issue
|
|
@@ -174,7 +168,7 @@ function extractTokenClaims(encodedToken, base64Decode) {
|
|
|
174
168
|
return JSON.parse(base64Decoded);
|
|
175
169
|
}
|
|
176
170
|
catch (err) {
|
|
177
|
-
throw createClientAuthError(tokenParsingError);
|
|
171
|
+
throw createClientAuthError(tokenParsingError, correlationId);
|
|
178
172
|
}
|
|
179
173
|
}
|
|
180
174
|
/**
|
|
@@ -201,14 +195,14 @@ function isKmsi(idTokenClaims) {
|
|
|
201
195
|
*
|
|
202
196
|
* @param authToken
|
|
203
197
|
*/
|
|
204
|
-
function getJWSPayload(authToken) {
|
|
198
|
+
function getJWSPayload(authToken, correlationId) {
|
|
205
199
|
if (!authToken) {
|
|
206
|
-
throw createClientAuthError(nullOrEmptyToken);
|
|
200
|
+
throw createClientAuthError(nullOrEmptyToken, correlationId);
|
|
207
201
|
}
|
|
208
202
|
const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
|
|
209
203
|
const matches = tokenPartsRegex.exec(authToken);
|
|
210
204
|
if (!matches || matches.length < 4) {
|
|
211
|
-
throw createClientAuthError(tokenParsingError);
|
|
205
|
+
throw createClientAuthError(tokenParsingError, correlationId);
|
|
212
206
|
}
|
|
213
207
|
/**
|
|
214
208
|
* const crackedToken = {
|
|
@@ -218,25 +212,10 @@ function getJWSPayload(authToken) {
|
|
|
218
212
|
* };
|
|
219
213
|
*/
|
|
220
214
|
return matches[2];
|
|
221
|
-
}
|
|
222
|
-
/**
|
|
223
|
-
* Determine if the token's max_age has transpired
|
|
224
|
-
*/
|
|
225
|
-
function checkMaxAge(authTime, maxAge) {
|
|
226
|
-
/*
|
|
227
|
-
* per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
228
|
-
* To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
|
|
229
|
-
* provide a value of 0 for the max_age parameter and the AS will force a fresh login.
|
|
230
|
-
*/
|
|
231
|
-
const fiveMinuteSkew = 300000; // five minutes in milliseconds
|
|
232
|
-
if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
|
|
233
|
-
throw createClientAuthError(maxAgeTranspired);
|
|
234
|
-
}
|
|
235
215
|
}
|
|
236
216
|
|
|
237
217
|
var AuthToken = /*#__PURE__*/Object.freeze({
|
|
238
218
|
__proto__: null,
|
|
239
|
-
checkMaxAge: checkMaxAge,
|
|
240
219
|
extractTokenClaims: extractTokenClaims,
|
|
241
220
|
getJWSPayload: getJWSPayload,
|
|
242
221
|
isKmsi: isKmsi
|
|
@@ -332,14 +311,14 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
332
311
|
* Error thrown when there is an error in configuration of the MSAL.js library.
|
|
333
312
|
*/
|
|
334
313
|
class ClientConfigurationError extends AuthError {
|
|
335
|
-
constructor(errorCode) {
|
|
336
|
-
super(errorCode);
|
|
314
|
+
constructor(errorCode, correlationId) {
|
|
315
|
+
super(errorCode, correlationId);
|
|
337
316
|
this.name = "ClientConfigurationError";
|
|
338
317
|
Object.setPrototypeOf(this, ClientConfigurationError.prototype);
|
|
339
318
|
}
|
|
340
319
|
}
|
|
341
|
-
function createClientConfigurationError(errorCode) {
|
|
342
|
-
return new ClientConfigurationError(errorCode);
|
|
320
|
+
function createClientConfigurationError(errorCode, correlationId) {
|
|
321
|
+
return new ClientConfigurationError(errorCode, correlationId);
|
|
343
322
|
}
|
|
344
323
|
|
|
345
324
|
/*
|
|
@@ -454,8 +433,8 @@ const AUTHORIZATION_PENDING = "authorization_pending";
|
|
|
454
433
|
const NOT_APPLICABLE = "N/A";
|
|
455
434
|
const NOT_AVAILABLE = "Not Available";
|
|
456
435
|
const FORWARD_SLASH = "/";
|
|
457
|
-
const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute
|
|
458
|
-
const IMDS_VERSION = "
|
|
436
|
+
const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute";
|
|
437
|
+
const IMDS_VERSION = "2021-02-01";
|
|
459
438
|
const IMDS_TIMEOUT = 2000;
|
|
460
439
|
const AZURE_REGION_AUTO_DISCOVER_FLAG = "TryAutoDetect";
|
|
461
440
|
const REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = "login.microsoft.com";
|
|
@@ -529,6 +508,9 @@ const AADAuthority = {
|
|
|
529
508
|
const ClaimsRequestKeys = {
|
|
530
509
|
ACCESS_TOKEN: "access_token",
|
|
531
510
|
XMS_CC: "xms_cc",
|
|
511
|
+
ID_TOKEN: "id_token",
|
|
512
|
+
SIGNIN_STATE: "signin_state",
|
|
513
|
+
LOGIN_HINT: "login_hint",
|
|
532
514
|
};
|
|
533
515
|
/**
|
|
534
516
|
* we considered making this "enum" in the request instead of string, however it looks like the allowed list of
|
|
@@ -577,6 +559,7 @@ const GrantType = {
|
|
|
577
559
|
REFRESH_TOKEN_GRANT: "refresh_token",
|
|
578
560
|
DEVICE_CODE_GRANT: "device_code",
|
|
579
561
|
JWT_BEARER: "urn:ietf:params:oauth:grant-type:jwt-bearer",
|
|
562
|
+
USER_FIC: "user_fic",
|
|
580
563
|
};
|
|
581
564
|
/**
|
|
582
565
|
* Account types in Cache
|
|
@@ -830,11 +813,12 @@ class UrlString {
|
|
|
830
813
|
get urlString() {
|
|
831
814
|
return this._urlString;
|
|
832
815
|
}
|
|
833
|
-
constructor(url) {
|
|
816
|
+
constructor(url, correlationId) {
|
|
834
817
|
this._urlString = url;
|
|
818
|
+
this.correlationId = correlationId;
|
|
835
819
|
if (!this._urlString) {
|
|
836
820
|
// Throws error if url is empty
|
|
837
|
-
throw createClientConfigurationError(urlEmptyError);
|
|
821
|
+
throw createClientConfigurationError(urlEmptyError, correlationId);
|
|
838
822
|
}
|
|
839
823
|
if (!url.includes("#")) {
|
|
840
824
|
this._urlString = UrlString.canonicalizeUri(url);
|
|
@@ -870,16 +854,16 @@ class UrlString {
|
|
|
870
854
|
components = this.getUrlComponents();
|
|
871
855
|
}
|
|
872
856
|
catch (e) {
|
|
873
|
-
throw createClientConfigurationError(urlParseError);
|
|
857
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
874
858
|
}
|
|
875
859
|
// Throw error if URI or path segments are not parseable.
|
|
876
860
|
if (!components.HostNameAndPort || !components.PathSegments) {
|
|
877
|
-
throw createClientConfigurationError(urlParseError);
|
|
861
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
878
862
|
}
|
|
879
863
|
// Throw error if uri is insecure.
|
|
880
864
|
if (!components.Protocol ||
|
|
881
865
|
components.Protocol.toLowerCase() !== "https:") {
|
|
882
|
-
throw createClientConfigurationError(authorityUriInsecure);
|
|
866
|
+
throw createClientConfigurationError(authorityUriInsecure, this.correlationId);
|
|
883
867
|
}
|
|
884
868
|
}
|
|
885
869
|
/**
|
|
@@ -916,7 +900,7 @@ class UrlString {
|
|
|
916
900
|
pathArray[0] === AADAuthority.ORGANIZATIONS)) {
|
|
917
901
|
pathArray[0] = tenantId;
|
|
918
902
|
}
|
|
919
|
-
return UrlString.constructAuthorityUriFromObject(urlObject);
|
|
903
|
+
return UrlString.constructAuthorityUriFromObject(urlObject, this.correlationId);
|
|
920
904
|
}
|
|
921
905
|
/**
|
|
922
906
|
* Parses out the components from a url string.
|
|
@@ -928,7 +912,7 @@ class UrlString {
|
|
|
928
912
|
// If url string does not match regEx, we throw an error
|
|
929
913
|
const match = this.urlString.match(regEx);
|
|
930
914
|
if (!match) {
|
|
931
|
-
throw createClientConfigurationError(urlParseError);
|
|
915
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
932
916
|
}
|
|
933
917
|
// Url component object
|
|
934
918
|
const urlComponents = {
|
|
@@ -946,17 +930,17 @@ class UrlString {
|
|
|
946
930
|
}
|
|
947
931
|
return urlComponents;
|
|
948
932
|
}
|
|
949
|
-
static getDomainFromUrl(url) {
|
|
933
|
+
static getDomainFromUrl(url, correlationId) {
|
|
950
934
|
const regEx = RegExp("^([^:/?#]+://)?([^/?#]*)");
|
|
951
935
|
const match = url.match(regEx);
|
|
952
936
|
if (!match) {
|
|
953
|
-
throw createClientConfigurationError(urlParseError);
|
|
937
|
+
throw createClientConfigurationError(urlParseError, correlationId);
|
|
954
938
|
}
|
|
955
939
|
return match[2];
|
|
956
940
|
}
|
|
957
|
-
static getAbsoluteUrl(relativeUrl, baseUrl) {
|
|
941
|
+
static getAbsoluteUrl(relativeUrl, baseUrl, correlationId) {
|
|
958
942
|
if (relativeUrl[0] === FORWARD_SLASH) {
|
|
959
|
-
const url = new UrlString(baseUrl);
|
|
943
|
+
const url = new UrlString(baseUrl, correlationId);
|
|
960
944
|
const baseComponents = url.getUrlComponents();
|
|
961
945
|
return (baseComponents.Protocol +
|
|
962
946
|
"//" +
|
|
@@ -965,12 +949,12 @@ class UrlString {
|
|
|
965
949
|
}
|
|
966
950
|
return relativeUrl;
|
|
967
951
|
}
|
|
968
|
-
static constructAuthorityUriFromObject(urlObject) {
|
|
952
|
+
static constructAuthorityUriFromObject(urlObject, correlationId) {
|
|
969
953
|
return new UrlString(urlObject.Protocol +
|
|
970
954
|
"//" +
|
|
971
955
|
urlObject.HostNameAndPort +
|
|
972
956
|
"/" +
|
|
973
|
-
urlObject.PathSegments.join("/"));
|
|
957
|
+
urlObject.PathSegments.join("/"), correlationId);
|
|
974
958
|
}
|
|
975
959
|
}
|
|
976
960
|
|
|
@@ -1088,7 +1072,7 @@ function getAliasesFromStaticSources(staticAuthorityOptions, logger, correlation
|
|
|
1088
1072
|
let staticAliases;
|
|
1089
1073
|
const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
|
|
1090
1074
|
if (canonicalAuthority) {
|
|
1091
|
-
const authorityHost = new UrlString(canonicalAuthority).getUrlComponents().HostNameAndPort;
|
|
1075
|
+
const authorityHost = new UrlString(canonicalAuthority, correlationId).getUrlComponents().HostNameAndPort;
|
|
1092
1076
|
staticAliases =
|
|
1093
1077
|
getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata, AuthorityMetadataSource.CONFIG) ||
|
|
1094
1078
|
getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata, AuthorityMetadataSource.HARDCODED_VALUES) ||
|
|
@@ -1415,9 +1399,12 @@ class RegionDiscovery {
|
|
|
1415
1399
|
try {
|
|
1416
1400
|
const localIMDSVersionResponse = await invokeAsync(this.getRegionFromIMDS.bind(this), RegionDiscoveryGetRegionFromIMDS, this.logger, this.performanceClient, this.correlationId)(IMDS_VERSION, options);
|
|
1417
1401
|
if (localIMDSVersionResponse.status === HTTP_SUCCESS) {
|
|
1418
|
-
autodetectedRegionName =
|
|
1419
|
-
|
|
1420
|
-
|
|
1402
|
+
autodetectedRegionName =
|
|
1403
|
+
localIMDSVersionResponse.body?.location;
|
|
1404
|
+
if (autodetectedRegionName) {
|
|
1405
|
+
regionDiscoveryMetadata.region_source =
|
|
1406
|
+
RegionDiscoverySources.IMDS;
|
|
1407
|
+
}
|
|
1421
1408
|
}
|
|
1422
1409
|
// If the response using the local IMDS version failed, try to fetch the current version of IMDS and retry.
|
|
1423
1410
|
if (localIMDSVersionResponse.status ===
|
|
@@ -1432,9 +1419,11 @@ class RegionDiscovery {
|
|
|
1432
1419
|
if (currentIMDSVersionResponse.status ===
|
|
1433
1420
|
HTTP_SUCCESS) {
|
|
1434
1421
|
autodetectedRegionName =
|
|
1435
|
-
currentIMDSVersionResponse.body;
|
|
1436
|
-
|
|
1437
|
-
|
|
1422
|
+
currentIMDSVersionResponse.body?.location;
|
|
1423
|
+
if (autodetectedRegionName) {
|
|
1424
|
+
regionDiscoveryMetadata.region_source =
|
|
1425
|
+
RegionDiscoverySources.IMDS;
|
|
1426
|
+
}
|
|
1438
1427
|
}
|
|
1439
1428
|
}
|
|
1440
1429
|
}
|
|
@@ -1458,11 +1447,12 @@ class RegionDiscovery {
|
|
|
1458
1447
|
/**
|
|
1459
1448
|
* Make the call to the IMDS endpoint
|
|
1460
1449
|
*
|
|
1461
|
-
* @param
|
|
1462
|
-
* @
|
|
1450
|
+
* @param version
|
|
1451
|
+
* @param options
|
|
1452
|
+
* @returns Promise<NetworkResponse<ImdsComputeResponse>>
|
|
1463
1453
|
*/
|
|
1464
1454
|
async getRegionFromIMDS(version, options) {
|
|
1465
|
-
return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}
|
|
1455
|
+
return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}`, options, IMDS_TIMEOUT);
|
|
1466
1456
|
}
|
|
1467
1457
|
/**
|
|
1468
1458
|
* Get the most recent version of the IMDS endpoint available
|
|
@@ -1610,7 +1600,7 @@ function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tena
|
|
|
1610
1600
|
* @param expiresOn
|
|
1611
1601
|
* @param extExpiresOn
|
|
1612
1602
|
*/
|
|
1613
|
-
function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
|
|
1603
|
+
function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, correlationId, refreshOn, tokenType, userAssertionHash, keyId, additionalCacheKeyComponents) {
|
|
1614
1604
|
const atEntity = {
|
|
1615
1605
|
homeAccountId: homeAccountId,
|
|
1616
1606
|
credentialType: CredentialType.ACCESS_TOKEN,
|
|
@@ -1642,9 +1632,9 @@ function createAccessTokenEntity(homeAccountId, environment, accessToken, client
|
|
|
1642
1632
|
switch (atEntity.tokenType) {
|
|
1643
1633
|
case AuthenticationScheme.POP:
|
|
1644
1634
|
// Make sure keyId is present and add it to credential
|
|
1645
|
-
const tokenClaims = extractTokenClaims(accessToken, base64Decode);
|
|
1635
|
+
const tokenClaims = extractTokenClaims(accessToken, base64Decode, correlationId);
|
|
1646
1636
|
if (!tokenClaims?.cnf?.kid) {
|
|
1647
|
-
throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
|
|
1637
|
+
throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt, correlationId);
|
|
1648
1638
|
}
|
|
1649
1639
|
atEntity.keyId = tokenClaims.cnf.kid;
|
|
1650
1640
|
break;
|
|
@@ -1652,6 +1642,11 @@ function createAccessTokenEntity(homeAccountId, environment, accessToken, client
|
|
|
1652
1642
|
atEntity.keyId = keyId;
|
|
1653
1643
|
}
|
|
1654
1644
|
}
|
|
1645
|
+
/* Additional cache key components for cache isolation (e.g., FMI path) */
|
|
1646
|
+
if (additionalCacheKeyComponents &&
|
|
1647
|
+
Object.keys(additionalCacheKeyComponents).length > 0) {
|
|
1648
|
+
atEntity.additionalCacheKeyComponents = additionalCacheKeyComponents;
|
|
1649
|
+
}
|
|
1655
1650
|
return atEntity;
|
|
1656
1651
|
}
|
|
1657
1652
|
/**
|
|
@@ -1930,7 +1925,7 @@ class Authority {
|
|
|
1930
1925
|
* Sets canonical authority.
|
|
1931
1926
|
*/
|
|
1932
1927
|
set canonicalAuthority(url) {
|
|
1933
|
-
this._canonicalAuthority = new UrlString(url);
|
|
1928
|
+
this._canonicalAuthority = new UrlString(url, this.correlationId);
|
|
1934
1929
|
this._canonicalAuthority.validateAsUri();
|
|
1935
1930
|
this._canonicalAuthorityUrlComponents = null;
|
|
1936
1931
|
}
|
|
@@ -1964,7 +1959,7 @@ class Authority {
|
|
|
1964
1959
|
return this.replacePath(this.metadata.authorization_endpoint);
|
|
1965
1960
|
}
|
|
1966
1961
|
else {
|
|
1967
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1962
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1968
1963
|
}
|
|
1969
1964
|
}
|
|
1970
1965
|
/**
|
|
@@ -1975,7 +1970,7 @@ class Authority {
|
|
|
1975
1970
|
return this.replacePath(this.metadata.token_endpoint);
|
|
1976
1971
|
}
|
|
1977
1972
|
else {
|
|
1978
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1973
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1979
1974
|
}
|
|
1980
1975
|
}
|
|
1981
1976
|
get deviceCodeEndpoint() {
|
|
@@ -1983,7 +1978,7 @@ class Authority {
|
|
|
1983
1978
|
return this.replacePath(this.metadata.token_endpoint.replace("/token", "/devicecode"));
|
|
1984
1979
|
}
|
|
1985
1980
|
else {
|
|
1986
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1981
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
1987
1982
|
}
|
|
1988
1983
|
}
|
|
1989
1984
|
/**
|
|
@@ -1993,12 +1988,12 @@ class Authority {
|
|
|
1993
1988
|
if (this.discoveryComplete()) {
|
|
1994
1989
|
// ROPC policies may not have end_session_endpoint set
|
|
1995
1990
|
if (!this.metadata.end_session_endpoint) {
|
|
1996
|
-
throw createClientAuthError(endSessionEndpointNotSupported);
|
|
1991
|
+
throw createClientAuthError(endSessionEndpointNotSupported, this.correlationId);
|
|
1997
1992
|
}
|
|
1998
1993
|
return this.replacePath(this.metadata.end_session_endpoint);
|
|
1999
1994
|
}
|
|
2000
1995
|
else {
|
|
2001
|
-
throw createClientAuthError(endpointResolutionError);
|
|
1996
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2002
1997
|
}
|
|
2003
1998
|
}
|
|
2004
1999
|
/**
|
|
@@ -2009,7 +2004,7 @@ class Authority {
|
|
|
2009
2004
|
return this.replacePath(this.metadata.issuer);
|
|
2010
2005
|
}
|
|
2011
2006
|
else {
|
|
2012
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2007
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2013
2008
|
}
|
|
2014
2009
|
}
|
|
2015
2010
|
/**
|
|
@@ -2020,7 +2015,7 @@ class Authority {
|
|
|
2020
2015
|
return this.replacePath(this.metadata.jwks_uri);
|
|
2021
2016
|
}
|
|
2022
2017
|
else {
|
|
2023
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2018
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2024
2019
|
}
|
|
2025
2020
|
}
|
|
2026
2021
|
/**
|
|
@@ -2047,7 +2042,7 @@ class Authority {
|
|
|
2047
2042
|
*/
|
|
2048
2043
|
replacePath(urlString) {
|
|
2049
2044
|
let endpoint = urlString;
|
|
2050
|
-
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority);
|
|
2045
|
+
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority, this.correlationId);
|
|
2051
2046
|
const cachedAuthorityUrlComponents = cachedAuthorityUrl.getUrlComponents();
|
|
2052
2047
|
const cachedAuthorityParts = cachedAuthorityUrlComponents.PathSegments;
|
|
2053
2048
|
const currentAuthorityParts = this.canonicalAuthorityUrlComponents.PathSegments;
|
|
@@ -2055,7 +2050,7 @@ class Authority {
|
|
|
2055
2050
|
let cachedPart = cachedAuthorityParts[index];
|
|
2056
2051
|
if (index === 0 &&
|
|
2057
2052
|
this.canReplaceTenant(cachedAuthorityUrlComponents)) {
|
|
2058
|
-
const tenantId = new UrlString(this.metadata.authorization_endpoint).getUrlComponents().PathSegments[0];
|
|
2053
|
+
const tenantId = new UrlString(this.metadata.authorization_endpoint, this.correlationId).getUrlComponents().PathSegments[0];
|
|
2059
2054
|
/**
|
|
2060
2055
|
* Check if AAD canonical authority contains tenant domain name, for example "testdomain.onmicrosoft.com",
|
|
2061
2056
|
* by comparing its first path segment to the corresponding authorization endpoint path segment, which is
|
|
@@ -2189,7 +2184,7 @@ class Authority {
|
|
|
2189
2184
|
}
|
|
2190
2185
|
else {
|
|
2191
2186
|
// Metadata could not be obtained from the config, cache, network or hardcoded values
|
|
2192
|
-
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint);
|
|
2187
|
+
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint, this.correlationId);
|
|
2193
2188
|
}
|
|
2194
2189
|
}
|
|
2195
2190
|
/**
|
|
@@ -2241,7 +2236,7 @@ class Authority {
|
|
|
2241
2236
|
* @param metadataEntity
|
|
2242
2237
|
*/
|
|
2243
2238
|
isAuthoritySameType(metadataEntity) {
|
|
2244
|
-
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority);
|
|
2239
|
+
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority, this.correlationId);
|
|
2245
2240
|
const cachedParts = cachedAuthorityUrl.getUrlComponents().PathSegments;
|
|
2246
2241
|
return (cachedParts.length ===
|
|
2247
2242
|
this.canonicalAuthorityUrlComponents.PathSegments.length);
|
|
@@ -2255,7 +2250,7 @@ class Authority {
|
|
|
2255
2250
|
return JSON.parse(this.authorityOptions.authorityMetadata);
|
|
2256
2251
|
}
|
|
2257
2252
|
catch (e) {
|
|
2258
|
-
throw createClientConfigurationError(invalidAuthorityMetadata);
|
|
2253
|
+
throw createClientConfigurationError(invalidAuthorityMetadata, this.correlationId);
|
|
2259
2254
|
}
|
|
2260
2255
|
}
|
|
2261
2256
|
return null;
|
|
@@ -2311,7 +2306,7 @@ class Authority {
|
|
|
2311
2306
|
RegionDiscoveryOutcomes.CONFIGURED_NO_AUTO_DETECTION;
|
|
2312
2307
|
this.regionDiscoveryMetadata.region_used =
|
|
2313
2308
|
userConfiguredAzureRegion;
|
|
2314
|
-
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion);
|
|
2309
|
+
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion, this.correlationId);
|
|
2315
2310
|
}
|
|
2316
2311
|
const autodetectedRegionName = await invokeAsync(this.regionDiscovery.detectRegion.bind(this.regionDiscovery), RegionDiscoveryDetectRegion, this.logger, this.performanceClient, this.correlationId)(this.authorityOptions.azureRegionConfiguration
|
|
2317
2312
|
?.environmentRegion, this.regionDiscoveryMetadata);
|
|
@@ -2320,7 +2315,7 @@ class Authority {
|
|
|
2320
2315
|
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_SUCCESSFUL;
|
|
2321
2316
|
this.regionDiscoveryMetadata.region_used =
|
|
2322
2317
|
autodetectedRegionName;
|
|
2323
|
-
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName);
|
|
2318
|
+
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName, this.correlationId);
|
|
2324
2319
|
}
|
|
2325
2320
|
this.regionDiscoveryMetadata.region_outcome =
|
|
2326
2321
|
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_FAILED;
|
|
@@ -2345,7 +2340,7 @@ class Authority {
|
|
|
2345
2340
|
return AuthorityMetadataSource.NETWORK;
|
|
2346
2341
|
}
|
|
2347
2342
|
// Metadata could not be obtained from the config, cache, network or hardcoded values
|
|
2348
|
-
throw createClientConfigurationError(untrustedAuthority);
|
|
2343
|
+
throw createClientConfigurationError(untrustedAuthority, this.correlationId);
|
|
2349
2344
|
}
|
|
2350
2345
|
updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
|
|
2351
2346
|
this.logger.verbose("Attempting to get cloud discovery metadata from authority configuration", this.correlationId);
|
|
@@ -2409,7 +2404,7 @@ class Authority {
|
|
|
2409
2404
|
}
|
|
2410
2405
|
catch (e) {
|
|
2411
2406
|
this.logger.verbose("Unable to parse the cloud discovery metadata. Throwing Invalid Cloud Discovery Metadata Error.", this.correlationId);
|
|
2412
|
-
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
|
|
2407
|
+
throw createClientConfigurationError(invalidCloudDiscoveryMetadata, this.correlationId);
|
|
2413
2408
|
}
|
|
2414
2409
|
}
|
|
2415
2410
|
// If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
|
|
@@ -2487,8 +2482,7 @@ class Authority {
|
|
|
2487
2482
|
const normalizedHost = host.toLowerCase();
|
|
2488
2483
|
const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
|
|
2489
2484
|
return (authority &&
|
|
2490
|
-
UrlString.getDomainFromUrl(authority).toLowerCase() ===
|
|
2491
|
-
normalizedHost);
|
|
2485
|
+
UrlString.getDomainFromUrl(authority, this.correlationId).toLowerCase() === normalizedHost);
|
|
2492
2486
|
});
|
|
2493
2487
|
return matches.length > 0;
|
|
2494
2488
|
}
|
|
@@ -2532,7 +2526,7 @@ class Authority {
|
|
|
2532
2526
|
return this.metadata.preferred_cache;
|
|
2533
2527
|
}
|
|
2534
2528
|
else {
|
|
2535
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2529
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
2536
2530
|
}
|
|
2537
2531
|
}
|
|
2538
2532
|
/**
|
|
@@ -2575,7 +2569,7 @@ class Authority {
|
|
|
2575
2569
|
*/
|
|
2576
2570
|
validateIssuer(issuer) {
|
|
2577
2571
|
if (!issuer) {
|
|
2578
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
2572
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
2579
2573
|
}
|
|
2580
2574
|
// Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
|
|
2581
2575
|
let issuerUrl;
|
|
@@ -2583,7 +2577,7 @@ class Authority {
|
|
|
2583
2577
|
issuerUrl = new URL(issuer);
|
|
2584
2578
|
}
|
|
2585
2579
|
catch {
|
|
2586
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
2580
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
2587
2581
|
}
|
|
2588
2582
|
const issuerScheme = issuerUrl.protocol;
|
|
2589
2583
|
const issuerHost = issuerUrl.host;
|
|
@@ -2621,7 +2615,7 @@ class Authority {
|
|
|
2621
2615
|
return;
|
|
2622
2616
|
}
|
|
2623
2617
|
// issuer validation fails if none of the above rules are satisfied
|
|
2624
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
2618
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
2625
2619
|
}
|
|
2626
2620
|
/**
|
|
2627
2621
|
* Rule 1: The issuer scheme + host (and port) match the authority's. Path
|
|
@@ -2709,9 +2703,9 @@ class Authority {
|
|
|
2709
2703
|
* @param host string
|
|
2710
2704
|
* @param region string
|
|
2711
2705
|
*/
|
|
2712
|
-
static buildRegionalAuthorityString(host, region, queryString) {
|
|
2706
|
+
static buildRegionalAuthorityString(host, region, correlationId, queryString) {
|
|
2713
2707
|
// Create and validate a Url string object with the initial authority string
|
|
2714
|
-
const authorityUrlInstance = new UrlString(host);
|
|
2708
|
+
const authorityUrlInstance = new UrlString(host, correlationId);
|
|
2715
2709
|
authorityUrlInstance.validateAsUri();
|
|
2716
2710
|
const authorityUrlParts = authorityUrlInstance.getUrlComponents();
|
|
2717
2711
|
let hostNameAndPort = `${region}.${authorityUrlParts.HostNameAndPort}`;
|
|
@@ -2722,7 +2716,7 @@ class Authority {
|
|
|
2722
2716
|
const url = UrlString.constructAuthorityUriFromObject({
|
|
2723
2717
|
...authorityUrlInstance.getUrlComponents(),
|
|
2724
2718
|
HostNameAndPort: hostNameAndPort,
|
|
2725
|
-
}).urlString;
|
|
2719
|
+
}, correlationId).urlString;
|
|
2726
2720
|
// Add the query string if a query string was provided
|
|
2727
2721
|
if (queryString)
|
|
2728
2722
|
return `${url}?${queryString}`;
|
|
@@ -2734,15 +2728,15 @@ class Authority {
|
|
|
2734
2728
|
* @param metadata OpenIdConfigResponse
|
|
2735
2729
|
* @param azureRegion string
|
|
2736
2730
|
*/
|
|
2737
|
-
static replaceWithRegionalInformation(metadata, azureRegion) {
|
|
2731
|
+
static replaceWithRegionalInformation(metadata, azureRegion, correlationId) {
|
|
2738
2732
|
const regionalMetadata = { ...metadata };
|
|
2739
2733
|
regionalMetadata.authorization_endpoint =
|
|
2740
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion);
|
|
2734
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion, correlationId);
|
|
2741
2735
|
regionalMetadata.token_endpoint =
|
|
2742
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion);
|
|
2736
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion, correlationId);
|
|
2743
2737
|
if (regionalMetadata.end_session_endpoint) {
|
|
2744
2738
|
regionalMetadata.end_session_endpoint =
|
|
2745
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion);
|
|
2739
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion, correlationId);
|
|
2746
2740
|
}
|
|
2747
2741
|
return regionalMetadata;
|
|
2748
2742
|
}
|
|
@@ -2755,9 +2749,9 @@ class Authority {
|
|
|
2755
2749
|
*
|
|
2756
2750
|
* @param authority
|
|
2757
2751
|
*/
|
|
2758
|
-
static transformCIAMAuthority(authority) {
|
|
2752
|
+
static transformCIAMAuthority(authority, correlationId) {
|
|
2759
2753
|
let ciamAuthority = authority;
|
|
2760
|
-
const authorityUrl = new UrlString(authority);
|
|
2754
|
+
const authorityUrl = new UrlString(authority, correlationId);
|
|
2761
2755
|
const authorityUrlComponents = authorityUrl.getUrlComponents();
|
|
2762
2756
|
// check if transformation is needed
|
|
2763
2757
|
if (authorityUrlComponents.PathSegments.length === 0 &&
|
|
@@ -2779,8 +2773,8 @@ Authority.reservedTenantDomains = new Set([
|
|
|
2779
2773
|
/**
|
|
2780
2774
|
* Extract tenantId from authority
|
|
2781
2775
|
*/
|
|
2782
|
-
function getTenantFromAuthorityString(authority) {
|
|
2783
|
-
const authorityUrl = new UrlString(authority);
|
|
2776
|
+
function getTenantFromAuthorityString(authority, correlationId) {
|
|
2777
|
+
const authorityUrl = new UrlString(authority, correlationId);
|
|
2784
2778
|
const authorityUrlComponents = authorityUrl.getUrlComponents();
|
|
2785
2779
|
/**
|
|
2786
2780
|
* For credential matching purposes, tenantId is the last path segment of the authority URL:
|
|
@@ -2813,7 +2807,7 @@ function buildStaticAuthorityOptions(authOptions) {
|
|
|
2813
2807
|
cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
|
|
2814
2808
|
}
|
|
2815
2809
|
catch (e) {
|
|
2816
|
-
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
|
|
2810
|
+
throw createClientConfigurationError(invalidCloudDiscoveryMetadata, "");
|
|
2817
2811
|
}
|
|
2818
2812
|
}
|
|
2819
2813
|
return {
|
|
@@ -2845,7 +2839,7 @@ function buildStaticAuthorityOptions(authOptions) {
|
|
|
2845
2839
|
* @internal
|
|
2846
2840
|
*/
|
|
2847
2841
|
async function createDiscoveredInstance(authorityUri, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient) {
|
|
2848
|
-
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri));
|
|
2842
|
+
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri), correlationId);
|
|
2849
2843
|
// Initialize authority and perform discovery endpoint check.
|
|
2850
2844
|
const acquireTokenAuthority = new Authority(authorityUriFinal, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient);
|
|
2851
2845
|
try {
|
|
@@ -2853,7 +2847,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
|
|
|
2853
2847
|
return acquireTokenAuthority;
|
|
2854
2848
|
}
|
|
2855
2849
|
catch (e) {
|
|
2856
|
-
throw createClientAuthError(endpointResolutionError);
|
|
2850
|
+
throw createClientAuthError(endpointResolutionError, correlationId);
|
|
2857
2851
|
}
|
|
2858
2852
|
}
|
|
2859
2853
|
|
|
@@ -2903,7 +2897,7 @@ function getDeserializedResponse(responseString) {
|
|
|
2903
2897
|
}
|
|
2904
2898
|
}
|
|
2905
2899
|
catch (e) {
|
|
2906
|
-
throw createClientAuthError(hashNotDeserialized);
|
|
2900
|
+
throw createClientAuthError(hashNotDeserialized, "");
|
|
2907
2901
|
}
|
|
2908
2902
|
return null;
|
|
2909
2903
|
}
|
|
@@ -2960,7 +2954,7 @@ function normalizeUrlForComparison(url, logger, correlationId) {
|
|
|
2960
2954
|
}
|
|
2961
2955
|
catch (e) {
|
|
2962
2956
|
logger?.error(`Failed to normalize URL for comparison: '${e}'`, correlationId || "");
|
|
2963
|
-
throw createClientConfigurationError(urlParseError);
|
|
2957
|
+
throw createClientConfigurationError(urlParseError, correlationId || "");
|
|
2964
2958
|
}
|
|
2965
2959
|
}
|
|
2966
2960
|
/**
|
|
@@ -2978,7 +2972,7 @@ function validateUrl(url, logger, correlationId) {
|
|
|
2978
2972
|
}
|
|
2979
2973
|
catch (e) {
|
|
2980
2974
|
logger?.error(`Failed to validate URL: '${e}'`, correlationId || "");
|
|
2981
|
-
throw createClientConfigurationError(urlParseError);
|
|
2975
|
+
throw createClientConfigurationError(urlParseError, correlationId || "");
|
|
2982
2976
|
}
|
|
2983
2977
|
}
|
|
2984
2978
|
|
|
@@ -3054,7 +3048,11 @@ const INSTANCE_AWARE = "instance_aware";
|
|
|
3054
3048
|
const EAR_JWK = "ear_jwk";
|
|
3055
3049
|
const EAR_JWE_CRYPTO = "ear_jwe_crypto";
|
|
3056
3050
|
const RESOURCE = "resource";
|
|
3057
|
-
const CLI_DATA = "clidata";
|
|
3051
|
+
const CLI_DATA = "clidata";
|
|
3052
|
+
const USER_FEDERATED_IDENTITY_CREDENTIAL = "user_federated_identity_credential";
|
|
3053
|
+
const USERNAME = "username";
|
|
3054
|
+
const USER_ID = "user_id";
|
|
3055
|
+
const FMI_PATH = "fmi_path";
|
|
3058
3056
|
|
|
3059
3057
|
var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
3060
3058
|
__proto__: null,
|
|
@@ -3081,6 +3079,7 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3081
3079
|
ERROR: ERROR,
|
|
3082
3080
|
ERROR_DESCRIPTION: ERROR_DESCRIPTION,
|
|
3083
3081
|
EXPIRES_IN: EXPIRES_IN,
|
|
3082
|
+
FMI_PATH: FMI_PATH,
|
|
3084
3083
|
FOCI: FOCI,
|
|
3085
3084
|
GRANT_TYPE: GRANT_TYPE,
|
|
3086
3085
|
ID_TOKEN: ID_TOKEN,
|
|
@@ -3108,6 +3107,9 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3108
3107
|
SID: SID,
|
|
3109
3108
|
STATE: STATE,
|
|
3110
3109
|
TOKEN_TYPE: TOKEN_TYPE,
|
|
3110
|
+
USERNAME: USERNAME,
|
|
3111
|
+
USER_FEDERATED_IDENTITY_CREDENTIAL: USER_FEDERATED_IDENTITY_CREDENTIAL,
|
|
3112
|
+
USER_ID: USER_ID,
|
|
3111
3113
|
X_APP_NAME: X_APP_NAME,
|
|
3112
3114
|
X_APP_VER: X_APP_VER,
|
|
3113
3115
|
X_CLIENT_CPU: X_CLIENT_CPU,
|
|
@@ -3131,14 +3133,14 @@ var AADServerParamKeys = /*#__PURE__*/Object.freeze({
|
|
|
3131
3133
|
*/
|
|
3132
3134
|
function buildClientInfo(rawClientInfo, base64Decode) {
|
|
3133
3135
|
if (!rawClientInfo) {
|
|
3134
|
-
throw createClientAuthError(clientInfoEmptyError);
|
|
3136
|
+
throw createClientAuthError(clientInfoEmptyError, "");
|
|
3135
3137
|
}
|
|
3136
3138
|
try {
|
|
3137
3139
|
const decodedClientInfo = base64Decode(rawClientInfo);
|
|
3138
3140
|
return JSON.parse(decodedClientInfo);
|
|
3139
3141
|
}
|
|
3140
3142
|
catch (e) {
|
|
3141
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
3143
|
+
throw createClientAuthError(clientInfoDecodingError, "");
|
|
3142
3144
|
}
|
|
3143
3145
|
}
|
|
3144
3146
|
/**
|
|
@@ -3147,7 +3149,7 @@ function buildClientInfo(rawClientInfo, base64Decode) {
|
|
|
3147
3149
|
*/
|
|
3148
3150
|
function buildClientInfoFromHomeAccountId(homeAccountId) {
|
|
3149
3151
|
if (!homeAccountId) {
|
|
3150
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
3152
|
+
throw createClientAuthError(clientInfoDecodingError, "");
|
|
3151
3153
|
}
|
|
3152
3154
|
const clientInfoParts = homeAccountId.split(CLIENT_INFO_SEPARATOR, 2);
|
|
3153
3155
|
return {
|
|
@@ -3176,10 +3178,11 @@ function tenantIdMatchesHomeTenant(tenantId, homeAccountId) {
|
|
|
3176
3178
|
* @param homeAccountId - Home account identifier for this account object
|
|
3177
3179
|
* @param localAccountId - Local account identifer for this account object
|
|
3178
3180
|
* @param tenantId - Full tenant or organizational id that this account belongs to
|
|
3181
|
+
* @param nativeAccountId - Native account identifier for this tenant
|
|
3179
3182
|
* @param idTokenClaims - Claims from the ID token
|
|
3180
3183
|
* @returns
|
|
3181
3184
|
*/
|
|
3182
|
-
function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClaims) {
|
|
3185
|
+
function buildTenantProfile(homeAccountId, localAccountId, tenantId, nativeAccountId, idTokenClaims) {
|
|
3183
3186
|
if (idTokenClaims) {
|
|
3184
3187
|
const { oid, sub, tid, name, tfp, acr, preferred_username, upn, login_hint, } = idTokenClaims;
|
|
3185
3188
|
/**
|
|
@@ -3197,6 +3200,7 @@ function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClai
|
|
|
3197
3200
|
loginHint: login_hint,
|
|
3198
3201
|
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
|
|
3199
3202
|
upn: upn,
|
|
3203
|
+
...(nativeAccountId && { nativeAccountId }),
|
|
3200
3204
|
};
|
|
3201
3205
|
}
|
|
3202
3206
|
else {
|
|
@@ -3205,6 +3209,7 @@ function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClai
|
|
|
3205
3209
|
localAccountId,
|
|
3206
3210
|
username: "",
|
|
3207
3211
|
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
|
|
3212
|
+
...(nativeAccountId && { nativeAccountId }),
|
|
3208
3213
|
};
|
|
3209
3214
|
}
|
|
3210
3215
|
}
|
|
@@ -3226,12 +3231,13 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
|
|
|
3226
3231
|
if (idTokenClaims) {
|
|
3227
3232
|
// Ignore isHomeTenant which is a utility property of tenant profile but not required in base account info
|
|
3228
3233
|
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
3229
|
-
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, idTokenClaims);
|
|
3234
|
+
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, updatedAccountInfo.nativeAccountId, idTokenClaims);
|
|
3230
3235
|
updatedAccountInfo = {
|
|
3231
3236
|
...updatedAccountInfo,
|
|
3232
3237
|
...claimsSourcedTenantProfile,
|
|
3233
3238
|
idTokenClaims: idTokenClaims,
|
|
3234
3239
|
idToken: idTokenSecret,
|
|
3240
|
+
kmsi: isKmsi(idTokenClaims),
|
|
3235
3241
|
};
|
|
3236
3242
|
return updatedAccountInfo;
|
|
3237
3243
|
}
|
|
@@ -3284,8 +3290,11 @@ function getAccountInfo(accountEntity) {
|
|
|
3284
3290
|
if (tenantProfiles.length === 0 &&
|
|
3285
3291
|
accountEntity.realm &&
|
|
3286
3292
|
accountEntity.localAccountId) {
|
|
3287
|
-
tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
|
|
3293
|
+
tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm, accountEntity.nativeAccountId));
|
|
3288
3294
|
}
|
|
3295
|
+
// Resolve nativeAccountId from the home tenant profile first, fall back to top-level (deprecated) for old cache entries
|
|
3296
|
+
const homeTenantProfile = tenantProfiles.find((tp) => tp.tenantId === accountEntity.realm);
|
|
3297
|
+
const nativeAccountId = homeTenantProfile?.nativeAccountId || accountEntity.nativeAccountId;
|
|
3289
3298
|
return {
|
|
3290
3299
|
homeAccountId: accountEntity.homeAccountId,
|
|
3291
3300
|
environment: accountEntity.environment,
|
|
@@ -3294,7 +3303,7 @@ function getAccountInfo(accountEntity) {
|
|
|
3294
3303
|
localAccountId: accountEntity.localAccountId,
|
|
3295
3304
|
loginHint: accountEntity.loginHint,
|
|
3296
3305
|
name: accountEntity.name,
|
|
3297
|
-
nativeAccountId:
|
|
3306
|
+
nativeAccountId: nativeAccountId,
|
|
3298
3307
|
authorityType: accountEntity.authorityType,
|
|
3299
3308
|
// Deserialize tenant profiles array into a Map
|
|
3300
3309
|
tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
|
|
@@ -3315,7 +3324,7 @@ function isSingleTenant(accountEntity) {
|
|
|
3315
3324
|
* @param accountDetails
|
|
3316
3325
|
* @internal
|
|
3317
3326
|
*/
|
|
3318
|
-
function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
3327
|
+
function createAccountEntity(accountDetails, authority, correlationId, base64Decode) {
|
|
3319
3328
|
let authorityType;
|
|
3320
3329
|
if (authority.authorityType === AuthorityType.Adfs) {
|
|
3321
3330
|
authorityType = CACHE_ACCOUNT_TYPE_ADFS;
|
|
@@ -3337,7 +3346,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
|
3337
3346
|
const env = accountDetails.environment ||
|
|
3338
3347
|
(authority && authority.getPreferredCache());
|
|
3339
3348
|
if (!env) {
|
|
3340
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
3349
|
+
throw createClientAuthError(invalidCacheEnvironment, correlationId);
|
|
3341
3350
|
}
|
|
3342
3351
|
/*
|
|
3343
3352
|
* In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
|
|
@@ -3364,7 +3373,7 @@ function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
|
3364
3373
|
tenantProfiles = accountDetails.tenantProfiles;
|
|
3365
3374
|
}
|
|
3366
3375
|
else {
|
|
3367
|
-
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.idTokenClaims);
|
|
3376
|
+
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.nativeAccountId, accountDetails.idTokenClaims);
|
|
3368
3377
|
tenantProfiles = [tenantProfile];
|
|
3369
3378
|
}
|
|
3370
3379
|
return {
|
|
@@ -3401,7 +3410,14 @@ function createAccountEntityFromAccountInfo(accountInfo, cloudGraphHostName, msG
|
|
|
3401
3410
|
if (tenantProfiles.length === 0 &&
|
|
3402
3411
|
accountInfo.tenantId &&
|
|
3403
3412
|
accountInfo.localAccountId) {
|
|
3404
|
-
tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
|
|
3413
|
+
tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.nativeAccountId, accountInfo.idTokenClaims));
|
|
3414
|
+
}
|
|
3415
|
+
else if (accountInfo.nativeAccountId) {
|
|
3416
|
+
// Ensure nativeAccountId is set on the matching tenant profile
|
|
3417
|
+
const matchingProfile = tenantProfiles.find((tp) => tp.tenantId === accountInfo.tenantId);
|
|
3418
|
+
if (matchingProfile && !matchingProfile.nativeAccountId) {
|
|
3419
|
+
matchingProfile.nativeAccountId = accountInfo.nativeAccountId;
|
|
3420
|
+
}
|
|
3405
3421
|
}
|
|
3406
3422
|
return {
|
|
3407
3423
|
authorityType: accountInfo.authorityType || CACHE_ACCOUNT_TYPE_GENERIC,
|
|
@@ -3480,7 +3496,8 @@ var AccountEntityUtils = /*#__PURE__*/Object.freeze({
|
|
|
3480
3496
|
* to ensure uniqueness of strings.
|
|
3481
3497
|
*/
|
|
3482
3498
|
class ScopeSet {
|
|
3483
|
-
constructor(inputScopes) {
|
|
3499
|
+
constructor(inputScopes, correlationId) {
|
|
3500
|
+
this.correlationId = correlationId;
|
|
3484
3501
|
// Filter empty string and null/undefined array items
|
|
3485
3502
|
const scopeArr = inputScopes
|
|
3486
3503
|
? StringUtils.trimArrayEntries([...inputScopes])
|
|
@@ -3490,7 +3507,7 @@ class ScopeSet {
|
|
|
3490
3507
|
: [];
|
|
3491
3508
|
// Check if scopes array has at least one member
|
|
3492
3509
|
if (!filteredInput || !filteredInput.length) {
|
|
3493
|
-
throw createClientConfigurationError(emptyInputScopesError);
|
|
3510
|
+
throw createClientConfigurationError(emptyInputScopesError, correlationId);
|
|
3494
3511
|
}
|
|
3495
3512
|
this.scopes = new Set(); // Iterator in constructor not supported by IE11
|
|
3496
3513
|
filteredInput.forEach((scope) => this.scopes.add(scope));
|
|
@@ -3501,22 +3518,22 @@ class ScopeSet {
|
|
|
3501
3518
|
* @param appClientId
|
|
3502
3519
|
* @param scopesRequired
|
|
3503
3520
|
*/
|
|
3504
|
-
static fromString(inputScopeString) {
|
|
3521
|
+
static fromString(inputScopeString, correlationId) {
|
|
3505
3522
|
const scopeString = inputScopeString || "";
|
|
3506
3523
|
const inputScopes = scopeString.split(" ");
|
|
3507
|
-
return new ScopeSet(inputScopes);
|
|
3524
|
+
return new ScopeSet(inputScopes, correlationId);
|
|
3508
3525
|
}
|
|
3509
3526
|
/**
|
|
3510
3527
|
* Creates the set of scopes to search for in cache lookups
|
|
3511
3528
|
* @param inputScopeString
|
|
3512
3529
|
* @returns
|
|
3513
3530
|
*/
|
|
3514
|
-
static createSearchScopes(inputScopeString) {
|
|
3531
|
+
static createSearchScopes(inputScopeString, correlationId) {
|
|
3515
3532
|
// Handle empty scopes by using default OIDC scopes for cache lookup
|
|
3516
3533
|
const scopesToUse = inputScopeString && inputScopeString.length > 0
|
|
3517
3534
|
? inputScopeString
|
|
3518
3535
|
: [...OIDC_DEFAULT_SCOPES];
|
|
3519
|
-
const scopeSet = new ScopeSet(scopesToUse);
|
|
3536
|
+
const scopeSet = new ScopeSet(scopesToUse, correlationId);
|
|
3520
3537
|
if (!scopeSet.containsOnlyOIDCScopes()) {
|
|
3521
3538
|
scopeSet.removeOIDCScopes();
|
|
3522
3539
|
}
|
|
@@ -3531,7 +3548,7 @@ class ScopeSet {
|
|
|
3531
3548
|
*/
|
|
3532
3549
|
containsScope(scope) {
|
|
3533
3550
|
const lowerCaseScopes = this.printScopesLowerCase().split(" ");
|
|
3534
|
-
const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes);
|
|
3551
|
+
const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes, this.correlationId);
|
|
3535
3552
|
// compare lowercase scopes
|
|
3536
3553
|
return scope
|
|
3537
3554
|
? lowerCaseScopesSet.scopes.has(scope.toLowerCase())
|
|
@@ -3578,7 +3595,7 @@ class ScopeSet {
|
|
|
3578
3595
|
newScopes.forEach((newScope) => this.appendScope(newScope));
|
|
3579
3596
|
}
|
|
3580
3597
|
catch (e) {
|
|
3581
|
-
throw createClientAuthError(cannotAppendScopeSet);
|
|
3598
|
+
throw createClientAuthError(cannotAppendScopeSet, this.correlationId);
|
|
3582
3599
|
}
|
|
3583
3600
|
}
|
|
3584
3601
|
/**
|
|
@@ -3587,7 +3604,7 @@ class ScopeSet {
|
|
|
3587
3604
|
*/
|
|
3588
3605
|
removeScope(scope) {
|
|
3589
3606
|
if (!scope) {
|
|
3590
|
-
throw createClientAuthError(cannotRemoveEmptyScope);
|
|
3607
|
+
throw createClientAuthError(cannotRemoveEmptyScope, this.correlationId);
|
|
3591
3608
|
}
|
|
3592
3609
|
this.scopes.delete(scope.trim());
|
|
3593
3610
|
}
|
|
@@ -3606,7 +3623,7 @@ class ScopeSet {
|
|
|
3606
3623
|
*/
|
|
3607
3624
|
unionScopeSets(otherScopes) {
|
|
3608
3625
|
if (!otherScopes) {
|
|
3609
|
-
throw createClientAuthError(emptyInputScopeSet);
|
|
3626
|
+
throw createClientAuthError(emptyInputScopeSet, this.correlationId);
|
|
3610
3627
|
}
|
|
3611
3628
|
const unionScopes = new Set(); // Iterator in constructor not supported in IE11
|
|
3612
3629
|
otherScopes.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));
|
|
@@ -3619,7 +3636,7 @@ class ScopeSet {
|
|
|
3619
3636
|
*/
|
|
3620
3637
|
intersectingScopeSets(otherScopes) {
|
|
3621
3638
|
if (!otherScopes) {
|
|
3622
|
-
throw createClientAuthError(emptyInputScopeSet);
|
|
3639
|
+
throw createClientAuthError(emptyInputScopeSet, this.correlationId);
|
|
3623
3640
|
}
|
|
3624
3641
|
// Do not allow OIDC scopes to be the only intersecting scopes
|
|
3625
3642
|
if (!otherScopes.containsOnlyOIDCScopes()) {
|
|
@@ -3705,7 +3722,7 @@ function addNativeBroker(parameters) {
|
|
|
3705
3722
|
* @param scopeSet
|
|
3706
3723
|
* @param addOidcScopes
|
|
3707
3724
|
*/
|
|
3708
|
-
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
3725
|
+
function addScopes(parameters, scopes, correlationId, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
3709
3726
|
// Always add openid to the scopes when adding OIDC scopes
|
|
3710
3727
|
if (addOidcScopes &&
|
|
3711
3728
|
!defaultScopes.includes("openid") &&
|
|
@@ -3715,7 +3732,7 @@ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OID
|
|
|
3715
3732
|
const requestScopes = addOidcScopes
|
|
3716
3733
|
? [...(scopes || []), ...defaultScopes]
|
|
3717
3734
|
: scopes || [];
|
|
3718
|
-
const scopeSet = new ScopeSet(requestScopes);
|
|
3735
|
+
const scopeSet = new ScopeSet(requestScopes, correlationId);
|
|
3719
3736
|
parameters.set(SCOPE, scopeSet.printScopes());
|
|
3720
3737
|
}
|
|
3721
3738
|
/**
|
|
@@ -3785,26 +3802,18 @@ function addSid(parameters, sid) {
|
|
|
3785
3802
|
* Adds claims to request parameters, conditionally excluding clientCapabilities
|
|
3786
3803
|
* when skipBrokerClaims is true and a brokered flow is in effect.
|
|
3787
3804
|
* @param parameters - The request parameters map
|
|
3805
|
+
* @param correlationId - The request correlation id
|
|
3788
3806
|
* @param claims - The claims string from the request
|
|
3789
3807
|
* @param clientCapabilities - The client capabilities from configuration
|
|
3790
3808
|
* @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
|
|
3791
3809
|
*/
|
|
3792
|
-
function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
|
|
3810
|
+
function addClaims(parameters, correlationId, claims, clientCapabilities, skipBrokerClaims) {
|
|
3793
3811
|
// Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
|
|
3794
3812
|
const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
|
|
3795
3813
|
? undefined
|
|
3796
3814
|
: clientCapabilities;
|
|
3797
|
-
|
|
3798
|
-
|
|
3799
|
-
const mergedClaims = addClientCapabilitiesToClaims(claims, configClaims);
|
|
3800
|
-
try {
|
|
3801
|
-
JSON.parse(mergedClaims);
|
|
3802
|
-
}
|
|
3803
|
-
catch (e) {
|
|
3804
|
-
throw createClientConfigurationError(invalidClaims);
|
|
3805
|
-
}
|
|
3806
|
-
parameters.set(CLAIMS, mergedClaims);
|
|
3807
|
-
}
|
|
3815
|
+
const mergedClaims = buildMergedClaims(claims, configClaims, correlationId);
|
|
3816
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
3808
3817
|
}
|
|
3809
3818
|
/**
|
|
3810
3819
|
* add correlationId
|
|
@@ -3875,7 +3884,7 @@ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod)
|
|
|
3875
3884
|
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
3876
3885
|
}
|
|
3877
3886
|
else {
|
|
3878
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
3887
|
+
throw createClientConfigurationError(pkceParamsMissing, "");
|
|
3879
3888
|
}
|
|
3880
3889
|
}
|
|
3881
3890
|
/**
|
|
@@ -3981,7 +3990,23 @@ function addExtraParameters(parameters, extraParams) {
|
|
|
3981
3990
|
}
|
|
3982
3991
|
});
|
|
3983
3992
|
}
|
|
3984
|
-
|
|
3993
|
+
/**
|
|
3994
|
+
* Default optional idToken claims requested on all auth requests.
|
|
3995
|
+
* signin_state enables KMSI detection; login_hint enables login hint propagation.
|
|
3996
|
+
*/
|
|
3997
|
+
const DEFAULT_ID_TOKEN_CLAIMS = {
|
|
3998
|
+
[ClaimsRequestKeys.SIGNIN_STATE]: { essential: false },
|
|
3999
|
+
[ClaimsRequestKeys.LOGIN_HINT]: { essential: false },
|
|
4000
|
+
};
|
|
4001
|
+
/**
|
|
4002
|
+
* Parses claims JSON, merges default optional idToken claims (signin_state, login_hint),
|
|
4003
|
+
* and appends client capabilities (xms_cc) to the access_token section.
|
|
4004
|
+
* Does not overwrite idToken claims already specified by the caller.
|
|
4005
|
+
* @param claims - Existing claims JSON string from the request (may be undefined)
|
|
4006
|
+
* @param clientCapabilities - Client capabilities array from configuration
|
|
4007
|
+
* @returns Merged claims JSON string
|
|
4008
|
+
*/
|
|
4009
|
+
function buildMergedClaims(claims, clientCapabilities, correlationId = "") {
|
|
3985
4010
|
let mergedClaims;
|
|
3986
4011
|
// Parse provided claims into JSON object or initialize empty object
|
|
3987
4012
|
if (!claims) {
|
|
@@ -3989,14 +4014,31 @@ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
|
3989
4014
|
}
|
|
3990
4015
|
else {
|
|
3991
4016
|
try {
|
|
3992
|
-
|
|
4017
|
+
const parsed = JSON.parse(claims);
|
|
4018
|
+
if (typeof parsed !== "object" ||
|
|
4019
|
+
parsed === null ||
|
|
4020
|
+
Array.isArray(parsed)) {
|
|
4021
|
+
throw new Error("Claims must be a JSON object");
|
|
4022
|
+
}
|
|
4023
|
+
mergedClaims = parsed;
|
|
3993
4024
|
}
|
|
3994
4025
|
catch (e) {
|
|
3995
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4026
|
+
throw createClientConfigurationError(invalidClaims, correlationId);
|
|
4027
|
+
}
|
|
4028
|
+
}
|
|
4029
|
+
// Add default optional idToken claims
|
|
4030
|
+
if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ID_TOKEN)) {
|
|
4031
|
+
mergedClaims[ClaimsRequestKeys.ID_TOKEN] = {};
|
|
4032
|
+
}
|
|
4033
|
+
const idTokenClaims = mergedClaims[ClaimsRequestKeys.ID_TOKEN];
|
|
4034
|
+
for (const [key, value] of Object.entries(DEFAULT_ID_TOKEN_CLAIMS)) {
|
|
4035
|
+
if (!(key in idTokenClaims)) {
|
|
4036
|
+
idTokenClaims[key] = value;
|
|
3996
4037
|
}
|
|
3997
4038
|
}
|
|
4039
|
+
// Add client capabilities
|
|
3998
4040
|
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
3999
|
-
if (!
|
|
4041
|
+
if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4000
4042
|
// Add access_token key to claims object
|
|
4001
4043
|
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4002
4044
|
}
|
|
@@ -4046,14 +4088,8 @@ function addSshJwk(parameters, sshJwkString) {
|
|
|
4046
4088
|
* @internal
|
|
4047
4089
|
*/
|
|
4048
4090
|
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
4049
|
-
|
|
4050
|
-
|
|
4051
|
-
if (currentTelemetryHeader) {
|
|
4052
|
-
parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
|
|
4053
|
-
}
|
|
4054
|
-
if (lastTelemetryHeader) {
|
|
4055
|
-
parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
|
|
4056
|
-
}
|
|
4091
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4092
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4057
4093
|
}
|
|
4058
4094
|
/**
|
|
4059
4095
|
* Adds parameter that indicates to the server that throttling is supported
|
|
@@ -4103,7 +4139,6 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
|
4103
4139
|
addCliData: addCliData,
|
|
4104
4140
|
addClientAssertion: addClientAssertion,
|
|
4105
4141
|
addClientAssertionType: addClientAssertionType,
|
|
4106
|
-
addClientCapabilitiesToClaims: addClientCapabilitiesToClaims,
|
|
4107
4142
|
addClientId: addClientId,
|
|
4108
4143
|
addClientInfo: addClientInfo,
|
|
4109
4144
|
addClientSecret: addClientSecret,
|
|
@@ -4140,6 +4175,7 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
|
4140
4175
|
addState: addState,
|
|
4141
4176
|
addThrottling: addThrottling,
|
|
4142
4177
|
addUsername: addUsername,
|
|
4178
|
+
buildMergedClaims: buildMergedClaims,
|
|
4143
4179
|
instrumentBrokerParams: instrumentBrokerParams
|
|
4144
4180
|
});
|
|
4145
4181
|
|
|
@@ -4149,34 +4185,34 @@ var RequestParameterBuilder = /*#__PURE__*/Object.freeze({
|
|
|
4149
4185
|
*/
|
|
4150
4186
|
const DEFAULT_CRYPTO_IMPLEMENTATION = {
|
|
4151
4187
|
createNewGuid: () => {
|
|
4152
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4188
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4153
4189
|
},
|
|
4154
4190
|
base64Decode: () => {
|
|
4155
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4191
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4156
4192
|
},
|
|
4157
4193
|
base64Encode: () => {
|
|
4158
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4194
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4159
4195
|
},
|
|
4160
4196
|
base64UrlEncode: () => {
|
|
4161
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4197
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4162
4198
|
},
|
|
4163
4199
|
encodeKid: () => {
|
|
4164
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4200
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4165
4201
|
},
|
|
4166
4202
|
async getPublicKeyThumbprint() {
|
|
4167
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4203
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4168
4204
|
},
|
|
4169
4205
|
async removeTokenBindingKey() {
|
|
4170
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4206
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4171
4207
|
},
|
|
4172
4208
|
async clearKeystore() {
|
|
4173
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4209
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4174
4210
|
},
|
|
4175
4211
|
async signJwt() {
|
|
4176
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4212
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4177
4213
|
},
|
|
4178
4214
|
async hashString() {
|
|
4179
|
-
throw createClientAuthError(methodNotImplemented);
|
|
4215
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
4180
4216
|
},
|
|
4181
4217
|
};
|
|
4182
4218
|
|
|
@@ -4470,7 +4506,7 @@ class Logger {
|
|
|
4470
4506
|
|
|
4471
4507
|
/* eslint-disable header/header */
|
|
4472
4508
|
const name = "@azure/msal-common";
|
|
4473
|
-
const version = "16.
|
|
4509
|
+
const version = "16.11.0";
|
|
4474
4510
|
|
|
4475
4511
|
/*
|
|
4476
4512
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4608,7 +4644,7 @@ class CacheManager {
|
|
|
4608
4644
|
}
|
|
4609
4645
|
const idToken = this.getIdToken(accountInfo, correlationId, tokenKeys, tenantProfile.tenantId);
|
|
4610
4646
|
if (idToken) {
|
|
4611
|
-
idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode);
|
|
4647
|
+
idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode, correlationId);
|
|
4612
4648
|
if (!this.idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter)) {
|
|
4613
4649
|
// ID token sourced claims don't match so this tenant profile is not a match
|
|
4614
4650
|
return null;
|
|
@@ -4671,6 +4707,11 @@ class CacheManager {
|
|
|
4671
4707
|
!(tenantProfile.upn === tenantProfileFilter.upn)) {
|
|
4672
4708
|
return false;
|
|
4673
4709
|
}
|
|
4710
|
+
if (!!tenantProfileFilter.nativeAccountId &&
|
|
4711
|
+
tenantProfile.nativeAccountId !==
|
|
4712
|
+
tenantProfileFilter.nativeAccountId) {
|
|
4713
|
+
return false;
|
|
4714
|
+
}
|
|
4674
4715
|
return true;
|
|
4675
4716
|
}
|
|
4676
4717
|
idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter) {
|
|
@@ -4708,7 +4749,7 @@ class CacheManager {
|
|
|
4708
4749
|
*/
|
|
4709
4750
|
async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
|
|
4710
4751
|
if (!cacheRecord) {
|
|
4711
|
-
throw createClientAuthError(invalidCacheRecord);
|
|
4752
|
+
throw createClientAuthError(invalidCacheRecord, correlationId);
|
|
4712
4753
|
}
|
|
4713
4754
|
try {
|
|
4714
4755
|
if (!!cacheRecord.account) {
|
|
@@ -4753,7 +4794,7 @@ class CacheManager {
|
|
|
4753
4794
|
tokenType: credential.tokenType,
|
|
4754
4795
|
};
|
|
4755
4796
|
const tokenKeys = this.getTokenKeys();
|
|
4756
|
-
const currentScopes = ScopeSet.fromString(credential.target);
|
|
4797
|
+
const currentScopes = ScopeSet.fromString(credential.target, correlationId);
|
|
4757
4798
|
tokenKeys.accessToken.forEach((key) => {
|
|
4758
4799
|
if (!this.accessTokenKeyMatchesFilter(key, accessTokenFilter, false)) {
|
|
4759
4800
|
return;
|
|
@@ -4761,7 +4802,7 @@ class CacheManager {
|
|
|
4761
4802
|
const tokenEntity = this.getAccessTokenCredential(key, correlationId);
|
|
4762
4803
|
if (tokenEntity &&
|
|
4763
4804
|
this.credentialMatchesFilter(tokenEntity, accessTokenFilter, correlationId)) {
|
|
4764
|
-
const tokenScopeSet = ScopeSet.fromString(tokenEntity.target);
|
|
4805
|
+
const tokenScopeSet = ScopeSet.fromString(tokenEntity.target, correlationId);
|
|
4765
4806
|
if (tokenScopeSet.intersectingScopeSets(currentScopes)) {
|
|
4766
4807
|
this.removeAccessToken(key, correlationId);
|
|
4767
4808
|
}
|
|
@@ -4795,10 +4836,6 @@ class CacheManager {
|
|
|
4795
4836
|
!this.matchRealm(entity, accountFilter.realm)) {
|
|
4796
4837
|
return;
|
|
4797
4838
|
}
|
|
4798
|
-
if (!!accountFilter.nativeAccountId &&
|
|
4799
|
-
!this.matchNativeAccountId(entity, accountFilter.nativeAccountId)) {
|
|
4800
|
-
return;
|
|
4801
|
-
}
|
|
4802
4839
|
if (!!accountFilter.authorityType &&
|
|
4803
4840
|
!this.matchAuthorityType(entity, accountFilter.authorityType)) {
|
|
4804
4841
|
return;
|
|
@@ -4810,6 +4847,7 @@ class CacheManager {
|
|
|
4810
4847
|
username: accountFilter?.username,
|
|
4811
4848
|
loginHint: accountFilter?.loginHint,
|
|
4812
4849
|
upn: accountFilter?.upn,
|
|
4850
|
+
nativeAccountId: accountFilter?.nativeAccountId,
|
|
4813
4851
|
};
|
|
4814
4852
|
const matchingTenantProfiles = entity.tenantProfiles?.filter((tenantProfile) => {
|
|
4815
4853
|
return this.tenantProfileMatchesFilter(tenantProfile, tenantProfileFilter);
|
|
@@ -4863,7 +4901,8 @@ class CacheManager {
|
|
|
4863
4901
|
* idTokens do not have "target", target specific refreshTokens do exist for some types of authentication
|
|
4864
4902
|
* Resource specific refresh tokens case will be added when the support is deemed necessary
|
|
4865
4903
|
*/
|
|
4866
|
-
if (!!filter.target &&
|
|
4904
|
+
if (!!filter.target &&
|
|
4905
|
+
!this.matchTarget(entity, filter.target, correlationId)) {
|
|
4867
4906
|
return false;
|
|
4868
4907
|
}
|
|
4869
4908
|
// Access Token with Auth Scheme specific matching
|
|
@@ -4880,6 +4919,28 @@ class CacheManager {
|
|
|
4880
4919
|
}
|
|
4881
4920
|
}
|
|
4882
4921
|
}
|
|
4922
|
+
// Additional cache key components matching (bidirectional isolation)
|
|
4923
|
+
const entityComponents = entity.additionalCacheKeyComponents;
|
|
4924
|
+
const filterComponents = filter.additionalCacheKeyComponents;
|
|
4925
|
+
const entityHasComponents = !!entityComponents && Object.keys(entityComponents).length > 0;
|
|
4926
|
+
const filterHasComponents = !!filterComponents && Object.keys(filterComponents).length > 0;
|
|
4927
|
+
if (entityHasComponents !== filterHasComponents) {
|
|
4928
|
+
return false;
|
|
4929
|
+
}
|
|
4930
|
+
if (entityHasComponents && filterHasComponents) {
|
|
4931
|
+
const entityKeys = Object.keys(entityComponents).sort();
|
|
4932
|
+
const filterKeys = Object.keys(filterComponents).sort();
|
|
4933
|
+
if (entityKeys.length !== filterKeys.length) {
|
|
4934
|
+
return false;
|
|
4935
|
+
}
|
|
4936
|
+
for (let i = 0; i < entityKeys.length; i++) {
|
|
4937
|
+
if (entityKeys[i] !== filterKeys[i] ||
|
|
4938
|
+
entityComponents[entityKeys[i]] !==
|
|
4939
|
+
filterComponents[filterKeys[i]]) {
|
|
4940
|
+
return false;
|
|
4941
|
+
}
|
|
4942
|
+
}
|
|
4943
|
+
}
|
|
4883
4944
|
return true;
|
|
4884
4945
|
}
|
|
4885
4946
|
/**
|
|
@@ -5147,7 +5208,7 @@ class CacheManager {
|
|
|
5147
5208
|
getAccessToken(account, request, tokenKeys, targetRealm) {
|
|
5148
5209
|
const correlationId = request.correlationId;
|
|
5149
5210
|
this.commonLogger.trace("CacheManager - getAccessToken called", correlationId);
|
|
5150
|
-
const scopes = ScopeSet.createSearchScopes(request.scopes);
|
|
5211
|
+
const scopes = ScopeSet.createSearchScopes(request.scopes, correlationId);
|
|
5151
5212
|
const authScheme = request.authenticationScheme ||
|
|
5152
5213
|
AuthenticationScheme.BEARER;
|
|
5153
5214
|
/*
|
|
@@ -5338,7 +5399,7 @@ class CacheManager {
|
|
|
5338
5399
|
return null;
|
|
5339
5400
|
}
|
|
5340
5401
|
else if (numAppMetadata > 1) {
|
|
5341
|
-
throw createClientAuthError(multipleMatchingAppMetadata);
|
|
5402
|
+
throw createClientAuthError(multipleMatchingAppMetadata, correlationId);
|
|
5342
5403
|
}
|
|
5343
5404
|
return appMetadataEntries[0];
|
|
5344
5405
|
}
|
|
@@ -5468,15 +5529,6 @@ class CacheManager {
|
|
|
5468
5529
|
matchRealm(entity, realm) {
|
|
5469
5530
|
return !!(entity.realm?.toLowerCase() === realm.toLowerCase());
|
|
5470
5531
|
}
|
|
5471
|
-
/**
|
|
5472
|
-
* helper to match nativeAccountId
|
|
5473
|
-
* @param entity
|
|
5474
|
-
* @param nativeAccountId
|
|
5475
|
-
* @returns boolean indicating the match result
|
|
5476
|
-
*/
|
|
5477
|
-
matchNativeAccountId(entity, nativeAccountId) {
|
|
5478
|
-
return !!(entity.nativeAccountId && nativeAccountId === entity.nativeAccountId);
|
|
5479
|
-
}
|
|
5480
5532
|
/**
|
|
5481
5533
|
* helper to match loginHint which can be either:
|
|
5482
5534
|
* 1. login_hint ID token claim
|
|
@@ -5520,14 +5572,14 @@ class CacheManager {
|
|
|
5520
5572
|
* @param entity
|
|
5521
5573
|
* @param target
|
|
5522
5574
|
*/
|
|
5523
|
-
matchTarget(entity, target) {
|
|
5575
|
+
matchTarget(entity, target, correlationId) {
|
|
5524
5576
|
const isNotAccessTokenCredential = entity.credentialType !== CredentialType.ACCESS_TOKEN &&
|
|
5525
5577
|
entity.credentialType !==
|
|
5526
5578
|
CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
|
|
5527
5579
|
if (isNotAccessTokenCredential || !entity.target) {
|
|
5528
5580
|
return false;
|
|
5529
5581
|
}
|
|
5530
|
-
const entityScopeSet = ScopeSet.fromString(entity.target);
|
|
5582
|
+
const entityScopeSet = ScopeSet.fromString(entity.target, correlationId);
|
|
5531
5583
|
return entityScopeSet.containsScopeSet(target);
|
|
5532
5584
|
}
|
|
5533
5585
|
/**
|
|
@@ -5581,73 +5633,73 @@ class CacheManager {
|
|
|
5581
5633
|
/** @internal */
|
|
5582
5634
|
class DefaultStorageClass extends CacheManager {
|
|
5583
5635
|
async setAccount() {
|
|
5584
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5636
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5585
5637
|
}
|
|
5586
5638
|
getAccount() {
|
|
5587
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5639
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5588
5640
|
}
|
|
5589
5641
|
async setIdTokenCredential() {
|
|
5590
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5642
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5591
5643
|
}
|
|
5592
5644
|
getIdTokenCredential() {
|
|
5593
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5645
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5594
5646
|
}
|
|
5595
5647
|
async setAccessTokenCredential() {
|
|
5596
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5648
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5597
5649
|
}
|
|
5598
5650
|
getAccessTokenCredential() {
|
|
5599
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5651
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5600
5652
|
}
|
|
5601
5653
|
async setRefreshTokenCredential() {
|
|
5602
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5654
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5603
5655
|
}
|
|
5604
5656
|
getRefreshTokenCredential() {
|
|
5605
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5657
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5606
5658
|
}
|
|
5607
5659
|
setAppMetadata() {
|
|
5608
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5660
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5609
5661
|
}
|
|
5610
5662
|
getAppMetadata() {
|
|
5611
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5663
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5612
5664
|
}
|
|
5613
5665
|
setServerTelemetry() {
|
|
5614
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5666
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5615
5667
|
}
|
|
5616
5668
|
getServerTelemetry() {
|
|
5617
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5669
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5618
5670
|
}
|
|
5619
5671
|
setAuthorityMetadata() {
|
|
5620
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5672
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5621
5673
|
}
|
|
5622
5674
|
getAuthorityMetadata() {
|
|
5623
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5675
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5624
5676
|
}
|
|
5625
5677
|
getAuthorityMetadataKeys() {
|
|
5626
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5678
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5627
5679
|
}
|
|
5628
5680
|
setThrottlingCache() {
|
|
5629
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5681
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5630
5682
|
}
|
|
5631
5683
|
getThrottlingCache() {
|
|
5632
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5684
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5633
5685
|
}
|
|
5634
5686
|
removeItem() {
|
|
5635
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5687
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5636
5688
|
}
|
|
5637
5689
|
getKeys() {
|
|
5638
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5690
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5639
5691
|
}
|
|
5640
5692
|
getAccountKeys() {
|
|
5641
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5693
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5642
5694
|
}
|
|
5643
5695
|
getTokenKeys() {
|
|
5644
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5696
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5645
5697
|
}
|
|
5646
5698
|
generateCredentialKey() {
|
|
5647
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5699
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5648
5700
|
}
|
|
5649
5701
|
generateAccountKey() {
|
|
5650
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5702
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5651
5703
|
}
|
|
5652
5704
|
}
|
|
5653
5705
|
|
|
@@ -5760,6 +5812,9 @@ class StubPerformanceClient {
|
|
|
5760
5812
|
addFields() {
|
|
5761
5813
|
return;
|
|
5762
5814
|
}
|
|
5815
|
+
addGlobalFields() {
|
|
5816
|
+
return;
|
|
5817
|
+
}
|
|
5763
5818
|
incrementFields() {
|
|
5764
5819
|
return;
|
|
5765
5820
|
}
|
|
@@ -5786,10 +5841,10 @@ const DEFAULT_LOGGER_IMPLEMENTATION = {
|
|
|
5786
5841
|
};
|
|
5787
5842
|
const DEFAULT_NETWORK_IMPLEMENTATION = {
|
|
5788
5843
|
async sendGetRequestAsync() {
|
|
5789
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5844
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5790
5845
|
},
|
|
5791
5846
|
async sendPostRequestAsync() {
|
|
5792
|
-
throw createClientAuthError(methodNotImplemented);
|
|
5847
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
5793
5848
|
},
|
|
5794
5849
|
};
|
|
5795
5850
|
const DEFAULT_LIBRARY_INFO = {
|
|
@@ -5947,7 +6002,7 @@ class PopTokenGenerator {
|
|
|
5947
6002
|
// Deconstruct request to extract SHR parameters
|
|
5948
6003
|
const { resourceRequestMethod, resourceRequestUri, shrClaims, shrNonce, shrOptions, } = request;
|
|
5949
6004
|
const resourceUrlString = resourceRequestUri
|
|
5950
|
-
? new UrlString(resourceRequestUri)
|
|
6005
|
+
? new UrlString(resourceRequestUri, request.correlationId)
|
|
5951
6006
|
: undefined;
|
|
5952
6007
|
const resourceUrlComponents = resourceUrlString?.getUrlComponents();
|
|
5953
6008
|
return this.cryptoUtils.signJwt({
|
|
@@ -6058,12 +6113,11 @@ const InteractionRequiredAuthSubErrorMessage = [
|
|
|
6058
6113
|
* Error thrown when user interaction is required.
|
|
6059
6114
|
*/
|
|
6060
6115
|
class InteractionRequiredAuthError extends AuthError {
|
|
6061
|
-
constructor(errorCode, errorMessage, subError, timestamp, traceId,
|
|
6062
|
-
super(errorCode, errorMessage, subError);
|
|
6116
|
+
constructor(errorCode, correlationId, errorMessage, subError, timestamp, traceId, claims, errorNo) {
|
|
6117
|
+
super(errorCode, correlationId, errorMessage, subError);
|
|
6063
6118
|
Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
|
|
6064
6119
|
this.timestamp = timestamp || "";
|
|
6065
6120
|
this.traceId = traceId || "";
|
|
6066
|
-
this.correlationId = correlationId || "";
|
|
6067
6121
|
this.claims = claims || "";
|
|
6068
6122
|
this.name = "InteractionRequiredAuthError";
|
|
6069
6123
|
this.errorNo = errorNo;
|
|
@@ -6091,8 +6145,8 @@ function isInteractionRequiredError(errorCode, errorString, subError) {
|
|
|
6091
6145
|
/**
|
|
6092
6146
|
* Creates an InteractionRequiredAuthError
|
|
6093
6147
|
*/
|
|
6094
|
-
function createInteractionRequiredAuthError(errorCode, errorMessage) {
|
|
6095
|
-
return new InteractionRequiredAuthError(errorCode, errorMessage);
|
|
6148
|
+
function createInteractionRequiredAuthError(errorCode, correlationId, errorMessage) {
|
|
6149
|
+
return new InteractionRequiredAuthError(errorCode, correlationId, errorMessage);
|
|
6096
6150
|
}
|
|
6097
6151
|
|
|
6098
6152
|
/*
|
|
@@ -6103,8 +6157,8 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
|
|
|
6103
6157
|
* Error thrown when there is an error with the server code, for example, unavailability.
|
|
6104
6158
|
*/
|
|
6105
6159
|
class ServerError extends AuthError {
|
|
6106
|
-
constructor(errorCode, errorMessage, subError, errorNo, status) {
|
|
6107
|
-
super(errorCode, errorMessage, subError);
|
|
6160
|
+
constructor(errorCode, correlationId, errorMessage, subError, errorNo, status) {
|
|
6161
|
+
super(errorCode, correlationId, errorMessage, subError);
|
|
6108
6162
|
this.name = "ServerError";
|
|
6109
6163
|
this.errorNo = errorNo;
|
|
6110
6164
|
this.status = status;
|
|
@@ -6121,9 +6175,10 @@ class ServerError extends AuthError {
|
|
|
6121
6175
|
* @param cryptoObj
|
|
6122
6176
|
* @param userState
|
|
6123
6177
|
* @param meta
|
|
6178
|
+
* @param correlationId
|
|
6124
6179
|
*/
|
|
6125
|
-
function setRequestState(cryptoObj, userState, meta) {
|
|
6126
|
-
const libraryState = generateLibraryState(cryptoObj, meta);
|
|
6180
|
+
function setRequestState(cryptoObj, userState, meta, correlationId) {
|
|
6181
|
+
const libraryState = generateLibraryState(cryptoObj, correlationId, meta);
|
|
6127
6182
|
return userState
|
|
6128
6183
|
? `${libraryState}${RESOURCE_DELIM}${userState}`
|
|
6129
6184
|
: libraryState;
|
|
@@ -6131,11 +6186,12 @@ function setRequestState(cryptoObj, userState, meta) {
|
|
|
6131
6186
|
/**
|
|
6132
6187
|
* Generates the state value used by the common library.
|
|
6133
6188
|
* @param cryptoObj
|
|
6189
|
+
* @param correlationId
|
|
6134
6190
|
* @param meta
|
|
6135
6191
|
*/
|
|
6136
|
-
function generateLibraryState(cryptoObj, meta) {
|
|
6192
|
+
function generateLibraryState(cryptoObj, correlationId, meta) {
|
|
6137
6193
|
if (!cryptoObj) {
|
|
6138
|
-
throw createClientAuthError(noCryptoObject);
|
|
6194
|
+
throw createClientAuthError(noCryptoObject, correlationId);
|
|
6139
6195
|
}
|
|
6140
6196
|
// Create a state object containing a unique id and the timestamp of the request creation
|
|
6141
6197
|
const stateObj = {
|
|
@@ -6151,13 +6207,14 @@ function generateLibraryState(cryptoObj, meta) {
|
|
|
6151
6207
|
* Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
|
|
6152
6208
|
* @param base64Decode
|
|
6153
6209
|
* @param state
|
|
6210
|
+
* @param correlationId
|
|
6154
6211
|
*/
|
|
6155
|
-
function parseRequestState(base64Decode, state) {
|
|
6212
|
+
function parseRequestState(base64Decode, state, correlationId) {
|
|
6156
6213
|
if (!base64Decode) {
|
|
6157
|
-
throw createClientAuthError(noCryptoObject);
|
|
6214
|
+
throw createClientAuthError(noCryptoObject, correlationId);
|
|
6158
6215
|
}
|
|
6159
6216
|
if (!state) {
|
|
6160
|
-
throw createClientAuthError(invalidState);
|
|
6217
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
6161
6218
|
}
|
|
6162
6219
|
try {
|
|
6163
6220
|
// Split the state between library state and user passed state and decode them separately
|
|
@@ -6174,7 +6231,7 @@ function parseRequestState(base64Decode, state) {
|
|
|
6174
6231
|
};
|
|
6175
6232
|
}
|
|
6176
6233
|
catch (e) {
|
|
6177
|
-
throw createClientAuthError(invalidState);
|
|
6234
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
6178
6235
|
}
|
|
6179
6236
|
}
|
|
6180
6237
|
|
|
@@ -6218,7 +6275,7 @@ class ResponseHandler {
|
|
|
6218
6275
|
const serverErrorNo = serverResponse.error_codes?.length
|
|
6219
6276
|
? serverResponse.error_codes[0]
|
|
6220
6277
|
: undefined;
|
|
6221
|
-
const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
6278
|
+
const serverError = new ServerError(serverResponse.error || "", serverResponse.correlation_id || "", errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
6222
6279
|
// check if 500 error
|
|
6223
6280
|
if (refreshAccessToken &&
|
|
6224
6281
|
serverResponse.status &&
|
|
@@ -6240,7 +6297,7 @@ class ResponseHandler {
|
|
|
6240
6297
|
return;
|
|
6241
6298
|
}
|
|
6242
6299
|
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6243
|
-
throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.
|
|
6300
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6244
6301
|
}
|
|
6245
6302
|
throw serverError;
|
|
6246
6303
|
}
|
|
@@ -6250,37 +6307,29 @@ class ResponseHandler {
|
|
|
6250
6307
|
* @param serverTokenResponse
|
|
6251
6308
|
* @param authority
|
|
6252
6309
|
*/
|
|
6253
|
-
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
|
|
6310
|
+
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId, additionalCacheKeyComponents) {
|
|
6254
6311
|
// create an idToken object (not entity)
|
|
6255
6312
|
let idTokenClaims;
|
|
6256
6313
|
if (serverTokenResponse.id_token) {
|
|
6257
|
-
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode);
|
|
6314
|
+
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode, request.correlationId);
|
|
6258
6315
|
// token nonce check (TODO: Add a warning if no nonce is given?)
|
|
6259
6316
|
if (authCodePayload && authCodePayload.nonce) {
|
|
6260
6317
|
if (idTokenClaims.nonce !== authCodePayload.nonce) {
|
|
6261
|
-
throw createClientAuthError(nonceMismatch);
|
|
6318
|
+
throw createClientAuthError(nonceMismatch, request.correlationId);
|
|
6262
6319
|
}
|
|
6263
6320
|
}
|
|
6264
|
-
// token max_age check
|
|
6265
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
6266
|
-
const authTime = idTokenClaims.auth_time;
|
|
6267
|
-
if (!authTime) {
|
|
6268
|
-
throw createClientAuthError(authTimeNotFound);
|
|
6269
|
-
}
|
|
6270
|
-
checkMaxAge(authTime, request.maxAge);
|
|
6271
|
-
}
|
|
6272
6321
|
}
|
|
6273
6322
|
// generate homeAccountId
|
|
6274
6323
|
this.homeAccountIdentifier = generateHomeAccountId(serverTokenResponse.client_info || "", authority.authorityType, this.logger, this.cryptoObj, request.correlationId, idTokenClaims);
|
|
6275
6324
|
// save the response tokens
|
|
6276
6325
|
let requestStateObj;
|
|
6277
6326
|
if (!!authCodePayload && !!authCodePayload.state) {
|
|
6278
|
-
requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state);
|
|
6327
|
+
requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state, request.correlationId);
|
|
6279
6328
|
}
|
|
6280
6329
|
// Add keyId from request to serverTokenResponse if defined
|
|
6281
6330
|
serverTokenResponse.key_id =
|
|
6282
6331
|
serverTokenResponse.key_id || request.sshKid || undefined;
|
|
6283
|
-
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
|
|
6332
|
+
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents);
|
|
6284
6333
|
let cacheContext;
|
|
6285
6334
|
try {
|
|
6286
6335
|
if (this.persistencePlugin && this.serializableCache) {
|
|
@@ -6327,10 +6376,10 @@ class ResponseHandler {
|
|
|
6327
6376
|
* @param idTokenObj
|
|
6328
6377
|
* @param authority
|
|
6329
6378
|
*/
|
|
6330
|
-
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
|
|
6379
|
+
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents) {
|
|
6331
6380
|
const env = authority.getPreferredCache();
|
|
6332
6381
|
if (!env) {
|
|
6333
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
6382
|
+
throw createClientAuthError(invalidCacheEnvironment, request.correlationId);
|
|
6334
6383
|
}
|
|
6335
6384
|
const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
|
|
6336
6385
|
// IdToken: non AAD scenarios can have empty realm
|
|
@@ -6346,8 +6395,8 @@ class ResponseHandler {
|
|
|
6346
6395
|
if (serverTokenResponse.access_token) {
|
|
6347
6396
|
// If scopes not returned in server response, use request scopes
|
|
6348
6397
|
const responseScopes = serverTokenResponse.scope
|
|
6349
|
-
? ScopeSet.fromString(serverTokenResponse.scope)
|
|
6350
|
-
: new ScopeSet(request.scopes || []);
|
|
6398
|
+
? ScopeSet.fromString(serverTokenResponse.scope, request.correlationId)
|
|
6399
|
+
: new ScopeSet(request.scopes || [], request.correlationId);
|
|
6351
6400
|
/*
|
|
6352
6401
|
* Use timestamp calculated before request
|
|
6353
6402
|
* Server may return timestamps as strings, parse to numbers if so.
|
|
@@ -6367,7 +6416,7 @@ class ResponseHandler {
|
|
|
6367
6416
|
? reqTimestamp + refreshIn
|
|
6368
6417
|
: undefined;
|
|
6369
6418
|
// non AAD scenarios can have empty realm
|
|
6370
|
-
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id);
|
|
6419
|
+
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, request.correlationId, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, additionalCacheKeyComponents);
|
|
6371
6420
|
// Set resource (to be used for MCP scenarios)
|
|
6372
6421
|
const resource = request.resource || null;
|
|
6373
6422
|
if (resource) {
|
|
@@ -6433,14 +6482,14 @@ class ResponseHandler {
|
|
|
6433
6482
|
const popTokenGenerator = new PopTokenGenerator(cryptoObj, performanceClient);
|
|
6434
6483
|
const { secret, keyId } = cacheRecord.accessToken;
|
|
6435
6484
|
if (!keyId) {
|
|
6436
|
-
throw createClientAuthError(keyIdMissing);
|
|
6485
|
+
throw createClientAuthError(keyIdMissing, request.correlationId);
|
|
6437
6486
|
}
|
|
6438
6487
|
accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
|
|
6439
6488
|
}
|
|
6440
6489
|
else {
|
|
6441
6490
|
accessToken = cacheRecord.accessToken.secret;
|
|
6442
6491
|
}
|
|
6443
|
-
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
6492
|
+
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target, request.correlationId).asArray();
|
|
6444
6493
|
// Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
|
|
6445
6494
|
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
6446
6495
|
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
@@ -6458,8 +6507,18 @@ class ResponseHandler {
|
|
|
6458
6507
|
const tid = idTokenClaims?.tid || "";
|
|
6459
6508
|
// for hybrid + native bridge enablement, send back the native account Id
|
|
6460
6509
|
if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
|
|
6510
|
+
// Set on deprecated top-level for downgrade compat
|
|
6461
6511
|
cacheRecord.account.nativeAccountId =
|
|
6462
6512
|
serverTokenResponse?.spa_accountid;
|
|
6513
|
+
// Set on the matching tenant profile (source of truth)
|
|
6514
|
+
const targetTenantId = tid || cacheRecord.account.realm;
|
|
6515
|
+
if (cacheRecord.account.tenantProfiles) {
|
|
6516
|
+
const matchingProfile = cacheRecord.account.tenantProfiles.find((tp) => tp.tenantId === targetTenantId);
|
|
6517
|
+
if (matchingProfile) {
|
|
6518
|
+
matchingProfile.nativeAccountId =
|
|
6519
|
+
serverTokenResponse.spa_accountid;
|
|
6520
|
+
}
|
|
6521
|
+
}
|
|
6463
6522
|
}
|
|
6464
6523
|
const accountInfo = cacheRecord.account
|
|
6465
6524
|
? updateAccountTenantProfileData(getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
|
|
@@ -6518,14 +6577,14 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
6518
6577
|
cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
|
|
6519
6578
|
msGraphHost: authCodePayload?.msgraph_host,
|
|
6520
6579
|
nativeAccountId: nativeAccountId,
|
|
6521
|
-
}, authority, base64Decode);
|
|
6580
|
+
}, authority, correlationId, base64Decode);
|
|
6522
6581
|
const tenantProfiles = baseAccount.tenantProfiles || [];
|
|
6523
6582
|
const tenantId = claimsTenantId || baseAccount.realm;
|
|
6524
6583
|
if (tenantId &&
|
|
6525
6584
|
!tenantProfiles.find((tenantProfile) => {
|
|
6526
6585
|
return tenantProfile.tenantId === tenantId;
|
|
6527
6586
|
})) {
|
|
6528
|
-
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
|
|
6587
|
+
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, nativeAccountId, idTokenClaims);
|
|
6529
6588
|
tenantProfiles.push(newTenantProfile);
|
|
6530
6589
|
}
|
|
6531
6590
|
baseAccount.tenantProfiles = tenantProfiles;
|
|
@@ -6545,7 +6604,7 @@ const CcsCredentialType = {
|
|
|
6545
6604
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6546
6605
|
* Licensed under the MIT License.
|
|
6547
6606
|
*/
|
|
6548
|
-
async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
6607
|
+
async function getClientAssertion(clientAssertion, clientId, tokenEndpoint, fmiPath) {
|
|
6549
6608
|
if (typeof clientAssertion === "string") {
|
|
6550
6609
|
return clientAssertion;
|
|
6551
6610
|
}
|
|
@@ -6553,6 +6612,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
|
6553
6612
|
const config = {
|
|
6554
6613
|
clientId: clientId,
|
|
6555
6614
|
tokenEndpoint: tokenEndpoint,
|
|
6615
|
+
fmiPath: fmiPath,
|
|
6556
6616
|
};
|
|
6557
6617
|
return clientAssertion(config);
|
|
6558
6618
|
}
|
|
@@ -6580,6 +6640,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
|
|
|
6580
6640
|
shrClaims: request.shrClaims,
|
|
6581
6641
|
sshKid: request.sshKid,
|
|
6582
6642
|
embeddedClientId: request.embeddedClientId || request.extraParameters?.clientId,
|
|
6643
|
+
resource: request.resource,
|
|
6583
6644
|
};
|
|
6584
6645
|
}
|
|
6585
6646
|
|
|
@@ -6609,7 +6670,7 @@ class ThrottlingUtils {
|
|
|
6609
6670
|
cacheManager.removeItem(key, correlationId);
|
|
6610
6671
|
return;
|
|
6611
6672
|
}
|
|
6612
|
-
throw new ServerError(value.errorCodes?.join(" ") || "", value.errorMessage, value.subError);
|
|
6673
|
+
throw new ServerError(value.errorCodes?.join(" ") || "", correlationId, value.errorMessage, value.subError);
|
|
6613
6674
|
}
|
|
6614
6675
|
}
|
|
6615
6676
|
/**
|
|
@@ -6676,7 +6737,7 @@ class ThrottlingUtils {
|
|
|
6676
6737
|
*/
|
|
6677
6738
|
class NetworkError extends AuthError {
|
|
6678
6739
|
constructor(error, httpStatus, responseHeaders) {
|
|
6679
|
-
super(error.errorCode, error.errorMessage, error.subError);
|
|
6740
|
+
super(error.errorCode, error.correlationId, error.errorMessage, error.subError);
|
|
6680
6741
|
Object.setPrototypeOf(this, NetworkError.prototype);
|
|
6681
6742
|
this.name = "NetworkError";
|
|
6682
6743
|
this.error = error;
|
|
@@ -6803,7 +6864,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
|
|
|
6803
6864
|
throw e;
|
|
6804
6865
|
}
|
|
6805
6866
|
else {
|
|
6806
|
-
throw createClientAuthError(networkError);
|
|
6867
|
+
throw createClientAuthError(networkError, correlationId);
|
|
6807
6868
|
}
|
|
6808
6869
|
}
|
|
6809
6870
|
ThrottlingUtils.postProcess(cacheManager, thumbprint, response, correlationId);
|
|
@@ -6856,7 +6917,7 @@ class AuthorizationCodeClient {
|
|
|
6856
6917
|
*/
|
|
6857
6918
|
async acquireToken(request, apiId, authCodePayload) {
|
|
6858
6919
|
if (!request.code) {
|
|
6859
|
-
throw createClientAuthError(requestCannotBeMade);
|
|
6920
|
+
throw createClientAuthError(requestCannotBeMade, request.correlationId);
|
|
6860
6921
|
}
|
|
6861
6922
|
// Check for new cloud instance
|
|
6862
6923
|
if (authCodePayload && authCodePayload.cloud_instance_host_name) {
|
|
@@ -6879,7 +6940,7 @@ class AuthorizationCodeClient {
|
|
|
6879
6940
|
getLogoutUri(logoutRequest) {
|
|
6880
6941
|
// Throw error if logoutRequest is null/undefined
|
|
6881
6942
|
if (!logoutRequest) {
|
|
6882
|
-
throw createClientConfigurationError(logoutRequestEmpty);
|
|
6943
|
+
throw createClientConfigurationError(logoutRequestEmpty, "");
|
|
6883
6944
|
}
|
|
6884
6945
|
const queryString = this.createLogoutUrlQueryString(logoutRequest);
|
|
6885
6946
|
// Construct logout URI
|
|
@@ -6927,7 +6988,7 @@ class AuthorizationCodeClient {
|
|
|
6927
6988
|
if (!this.includeRedirectUri) {
|
|
6928
6989
|
// Just validate
|
|
6929
6990
|
if (!request.redirectUri) {
|
|
6930
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
6991
|
+
throw createClientConfigurationError(redirectUriEmpty, request.correlationId);
|
|
6931
6992
|
}
|
|
6932
6993
|
}
|
|
6933
6994
|
else {
|
|
@@ -6935,7 +6996,7 @@ class AuthorizationCodeClient {
|
|
|
6935
6996
|
addRedirectUri(parameters, request.redirectUri);
|
|
6936
6997
|
}
|
|
6937
6998
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
6938
|
-
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
6999
|
+
addScopes(parameters, request.scopes, request.correlationId, true, this.oidcDefaultScopes);
|
|
6939
7000
|
addResource(parameters, request.resource);
|
|
6940
7001
|
// add code: user set, not validated
|
|
6941
7002
|
addAuthorizationCode(parameters, request.code);
|
|
@@ -6978,7 +7039,7 @@ class AuthorizationCodeClient {
|
|
|
6978
7039
|
addSshJwk(parameters, request.sshJwk);
|
|
6979
7040
|
}
|
|
6980
7041
|
else {
|
|
6981
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
7042
|
+
throw createClientConfigurationError(missingSshJwk, request.correlationId);
|
|
6982
7043
|
}
|
|
6983
7044
|
}
|
|
6984
7045
|
let ccsCred = undefined;
|
|
@@ -7029,7 +7090,7 @@ class AuthorizationCodeClient {
|
|
|
7029
7090
|
});
|
|
7030
7091
|
}
|
|
7031
7092
|
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7032
|
-
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7093
|
+
addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7033
7094
|
return mapToQueryString(parameters);
|
|
7034
7095
|
}
|
|
7035
7096
|
/**
|
|
@@ -7117,11 +7178,11 @@ class RefreshTokenClient {
|
|
|
7117
7178
|
async acquireTokenByRefreshToken(request, apiId) {
|
|
7118
7179
|
// Cannot renew token if no request object is given.
|
|
7119
7180
|
if (!request) {
|
|
7120
|
-
throw createClientConfigurationError(tokenRequestEmpty);
|
|
7181
|
+
throw createClientConfigurationError(tokenRequestEmpty, "");
|
|
7121
7182
|
}
|
|
7122
7183
|
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
7123
7184
|
if (!request.account) {
|
|
7124
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
7185
|
+
throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
|
|
7125
7186
|
}
|
|
7126
7187
|
// try checking if FOCI is enabled for the given application
|
|
7127
7188
|
const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment, request.correlationId);
|
|
@@ -7158,7 +7219,7 @@ class RefreshTokenClient {
|
|
|
7158
7219
|
// fetches family RT or application RT based on FOCI value
|
|
7159
7220
|
const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined);
|
|
7160
7221
|
if (!refreshToken) {
|
|
7161
|
-
throw createInteractionRequiredAuthError(noTokensFound);
|
|
7222
|
+
throw createInteractionRequiredAuthError(noTokensFound, request.correlationId);
|
|
7162
7223
|
}
|
|
7163
7224
|
if (refreshToken.expiresOn) {
|
|
7164
7225
|
const offset = request.refreshTokenExpirationOffsetSeconds ||
|
|
@@ -7168,7 +7229,7 @@ class RefreshTokenClient {
|
|
|
7168
7229
|
rtOffsetSeconds: offset,
|
|
7169
7230
|
}, request.correlationId);
|
|
7170
7231
|
if (isTokenExpired(refreshToken.expiresOn, offset)) {
|
|
7171
|
-
throw createInteractionRequiredAuthError(refreshTokenExpired);
|
|
7232
|
+
throw createInteractionRequiredAuthError(refreshTokenExpired, request.correlationId);
|
|
7172
7233
|
}
|
|
7173
7234
|
}
|
|
7174
7235
|
// attach cached RT size to the current measurement
|
|
@@ -7222,7 +7283,7 @@ class RefreshTokenClient {
|
|
|
7222
7283
|
if (request.redirectUri) {
|
|
7223
7284
|
addRedirectUri(parameters, request.redirectUri);
|
|
7224
7285
|
}
|
|
7225
|
-
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7286
|
+
addScopes(parameters, request.scopes, request.correlationId, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7226
7287
|
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7227
7288
|
addClientInfo(parameters);
|
|
7228
7289
|
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
@@ -7258,7 +7319,7 @@ class RefreshTokenClient {
|
|
|
7258
7319
|
addSshJwk(parameters, request.sshJwk);
|
|
7259
7320
|
}
|
|
7260
7321
|
else {
|
|
7261
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
7322
|
+
throw createClientConfigurationError(missingSshJwk, request.correlationId);
|
|
7262
7323
|
}
|
|
7263
7324
|
}
|
|
7264
7325
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
@@ -7287,7 +7348,7 @@ class RefreshTokenClient {
|
|
|
7287
7348
|
});
|
|
7288
7349
|
}
|
|
7289
7350
|
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7290
|
-
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7351
|
+
addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7291
7352
|
return mapToQueryString(parameters);
|
|
7292
7353
|
}
|
|
7293
7354
|
}
|
|
@@ -7325,32 +7386,32 @@ class SilentFlowClient {
|
|
|
7325
7386
|
if (request.forceRefresh || !StringUtils.isEmptyObj(request.claims)) {
|
|
7326
7387
|
// Must refresh due to present force_refresh flag.
|
|
7327
7388
|
this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
|
|
7328
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7389
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7329
7390
|
}
|
|
7330
7391
|
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
7331
7392
|
if (!request.account) {
|
|
7332
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
7393
|
+
throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
|
|
7333
7394
|
}
|
|
7334
7395
|
const requestTenantId = request.account.tenantId ||
|
|
7335
|
-
getTenantFromAuthorityString(request.authority);
|
|
7396
|
+
getTenantFromAuthorityString(request.authority, request.correlationId);
|
|
7336
7397
|
const tokenKeys = this.cacheManager.getTokenKeys();
|
|
7337
7398
|
const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId);
|
|
7338
7399
|
if (!cachedAccessToken) {
|
|
7339
7400
|
// must refresh due to non-existent access_token
|
|
7340
7401
|
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
7341
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7402
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7342
7403
|
}
|
|
7343
7404
|
else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
|
|
7344
7405
|
isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
|
|
7345
7406
|
// must refresh due to the expires_in value
|
|
7346
7407
|
this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
|
|
7347
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7408
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7348
7409
|
}
|
|
7349
7410
|
else if (request.resource) {
|
|
7350
7411
|
// cached access token must have a resource that matches the request resource for MCP scenarios
|
|
7351
7412
|
if (cachedAccessToken.resource !== request.resource) {
|
|
7352
7413
|
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
7353
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
7414
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
7354
7415
|
}
|
|
7355
7416
|
}
|
|
7356
7417
|
else if (cachedAccessToken.refreshOn &&
|
|
@@ -7392,15 +7453,7 @@ class SilentFlowClient {
|
|
|
7392
7453
|
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
7393
7454
|
let idTokenClaims;
|
|
7394
7455
|
if (cacheRecord.idToken) {
|
|
7395
|
-
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
7396
|
-
}
|
|
7397
|
-
// token max_age check
|
|
7398
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
7399
|
-
const authTime = idTokenClaims?.auth_time;
|
|
7400
|
-
if (!authTime) {
|
|
7401
|
-
throw createClientAuthError(authTimeNotFound);
|
|
7402
|
-
}
|
|
7403
|
-
checkMaxAge(authTime, request.maxAge);
|
|
7456
|
+
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode, request.correlationId);
|
|
7404
7457
|
}
|
|
7405
7458
|
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, this.performanceClient, idTokenClaims);
|
|
7406
7459
|
}
|
|
@@ -7411,11 +7464,12 @@ class SilentFlowClient {
|
|
|
7411
7464
|
* Licensed under the MIT License.
|
|
7412
7465
|
*/
|
|
7413
7466
|
const StubbedNetworkModule = {
|
|
7467
|
+
// Module-level singleton: no per-request correlationId available
|
|
7414
7468
|
sendGetRequestAsync: () => {
|
|
7415
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7469
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, ""));
|
|
7416
7470
|
},
|
|
7417
7471
|
sendPostRequestAsync: () => {
|
|
7418
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7472
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, ""));
|
|
7419
7473
|
},
|
|
7420
7474
|
};
|
|
7421
7475
|
|
|
@@ -7443,7 +7497,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
|
|
|
7443
7497
|
...(request.scopes || []),
|
|
7444
7498
|
...(request.extraScopesToConsent || []),
|
|
7445
7499
|
];
|
|
7446
|
-
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7500
|
+
addScopes(parameters, requestScopes, request.correlationId, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7447
7501
|
addResource(parameters, request.resource);
|
|
7448
7502
|
addRedirectUri(parameters, request.redirectUri);
|
|
7449
7503
|
addCorrelationId(parameters, correlationId);
|
|
@@ -7545,7 +7599,7 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
|
|
|
7545
7599
|
if (request.embeddedClientId) {
|
|
7546
7600
|
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7547
7601
|
}
|
|
7548
|
-
addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7602
|
+
addClaims(parameters, request.correlationId, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7549
7603
|
// If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
|
|
7550
7604
|
if (authOptions.instanceAware &&
|
|
7551
7605
|
(!request.extraQueryParameters ||
|
|
@@ -7570,13 +7624,14 @@ function getAuthorizeUrl(authority, requestParameters) {
|
|
|
7570
7624
|
* the client to exchange for a token in acquireToken.
|
|
7571
7625
|
* @param serverParams
|
|
7572
7626
|
* @param cachedState
|
|
7627
|
+
* @param correlationId
|
|
7573
7628
|
*/
|
|
7574
|
-
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7629
|
+
function getAuthorizationCodePayload(serverParams, cachedState, correlationId) {
|
|
7575
7630
|
// Get code response
|
|
7576
|
-
validateAuthorizationResponse(serverParams, cachedState);
|
|
7631
|
+
validateAuthorizationResponse(serverParams, cachedState, correlationId);
|
|
7577
7632
|
// throw when there is no auth code in the response
|
|
7578
7633
|
if (!serverParams.code) {
|
|
7579
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7634
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse, correlationId);
|
|
7580
7635
|
}
|
|
7581
7636
|
return serverParams;
|
|
7582
7637
|
}
|
|
@@ -7584,12 +7639,13 @@ function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
|
7584
7639
|
* Function which validates server authorization code response.
|
|
7585
7640
|
* @param serverResponseHash
|
|
7586
7641
|
* @param requestState
|
|
7642
|
+
* @param correlationId
|
|
7587
7643
|
*/
|
|
7588
|
-
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7644
|
+
function validateAuthorizationResponse(serverResponse, requestState, correlationId) {
|
|
7589
7645
|
if (!serverResponse.state || !requestState) {
|
|
7590
7646
|
throw serverResponse.state
|
|
7591
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
7592
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
7647
|
+
? createClientAuthError(stateNotFound, correlationId, "Cached State")
|
|
7648
|
+
: createClientAuthError(stateNotFound, correlationId, "Server State");
|
|
7593
7649
|
}
|
|
7594
7650
|
let decodedServerResponseState;
|
|
7595
7651
|
let decodedRequestState;
|
|
@@ -7597,16 +7653,16 @@ function validateAuthorizationResponse(serverResponse, requestState) {
|
|
|
7597
7653
|
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7598
7654
|
}
|
|
7599
7655
|
catch (e) {
|
|
7600
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7656
|
+
throw createClientAuthError(invalidState, correlationId, serverResponse.state);
|
|
7601
7657
|
}
|
|
7602
7658
|
try {
|
|
7603
7659
|
decodedRequestState = decodeURIComponent(requestState);
|
|
7604
7660
|
}
|
|
7605
7661
|
catch (e) {
|
|
7606
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7662
|
+
throw createClientAuthError(invalidState, correlationId, serverResponse.state);
|
|
7607
7663
|
}
|
|
7608
7664
|
if (decodedServerResponseState !== decodedRequestState) {
|
|
7609
|
-
throw createClientAuthError(stateMismatch);
|
|
7665
|
+
throw createClientAuthError(stateMismatch, correlationId);
|
|
7610
7666
|
}
|
|
7611
7667
|
// Check for error
|
|
7612
7668
|
if (serverResponse.error ||
|
|
@@ -7614,9 +7670,9 @@ function validateAuthorizationResponse(serverResponse, requestState) {
|
|
|
7614
7670
|
serverResponse.suberror) {
|
|
7615
7671
|
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7616
7672
|
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7617
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.
|
|
7673
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7618
7674
|
}
|
|
7619
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7675
|
+
throw new ServerError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7620
7676
|
}
|
|
7621
7677
|
}
|
|
7622
7678
|
/**
|
|
@@ -7668,10 +7724,10 @@ function enforceResourceParameter(isMcp, request) {
|
|
|
7668
7724
|
if (request.resource &&
|
|
7669
7725
|
(containsResourceParam(request.extraParameters) ||
|
|
7670
7726
|
containsResourceParam(request.extraQueryParameters))) {
|
|
7671
|
-
throw createClientAuthError(misplacedResourceParam);
|
|
7727
|
+
throw createClientAuthError(misplacedResourceParam, request.correlationId || "");
|
|
7672
7728
|
}
|
|
7673
7729
|
if (!request.resource) {
|
|
7674
|
-
throw createClientAuthError(resourceParameterRequired);
|
|
7730
|
+
throw createClientAuthError(resourceParameterRequired, request.correlationId || "");
|
|
7675
7731
|
}
|
|
7676
7732
|
}
|
|
7677
7733
|
function containsResourceParam(params) {
|
|
@@ -7705,7 +7761,7 @@ class AuthenticationHeaderParser {
|
|
|
7705
7761
|
if (authenticationInfoChallenges.nextnonce) {
|
|
7706
7762
|
return authenticationInfoChallenges.nextnonce;
|
|
7707
7763
|
}
|
|
7708
|
-
throw createClientConfigurationError(invalidAuthenticationHeader);
|
|
7764
|
+
throw createClientConfigurationError(invalidAuthenticationHeader, "");
|
|
7709
7765
|
}
|
|
7710
7766
|
// Attempt to parse nonce from WWW-Authenticate
|
|
7711
7767
|
const wwwAuthenticate = this.headers[HeaderNames.WWWAuthenticate];
|
|
@@ -7714,10 +7770,10 @@ class AuthenticationHeaderParser {
|
|
|
7714
7770
|
if (wwwAuthenticateChallenges.nonce) {
|
|
7715
7771
|
return wwwAuthenticateChallenges.nonce;
|
|
7716
7772
|
}
|
|
7717
|
-
throw createClientConfigurationError(invalidAuthenticationHeader);
|
|
7773
|
+
throw createClientConfigurationError(invalidAuthenticationHeader, "");
|
|
7718
7774
|
}
|
|
7719
7775
|
// If neither header is present, throw missing headers error
|
|
7720
|
-
throw createClientConfigurationError(missingNonceAuthenticationHeader);
|
|
7776
|
+
throw createClientConfigurationError(missingNonceAuthenticationHeader, "");
|
|
7721
7777
|
}
|
|
7722
7778
|
/**
|
|
7723
7779
|
* Parses an HTTP header's challenge set into a key/value map.
|
|
@@ -7767,12 +7823,12 @@ function tagToString(tag) {
|
|
|
7767
7823
|
* Error class for MSAL Runtime errors that preserves detailed broker information
|
|
7768
7824
|
*/
|
|
7769
7825
|
class PlatformBrokerError extends AuthError {
|
|
7770
|
-
constructor(errorStatus, errorContext, errorCode, errorTag) {
|
|
7826
|
+
constructor(errorStatus, correlationId, errorContext, errorCode, errorTag) {
|
|
7771
7827
|
const tagString = tagToString(errorTag);
|
|
7772
7828
|
const enhancedErrorContext = errorContext
|
|
7773
7829
|
? `${errorContext} (Error Code: ${errorCode}, Tag: ${tagString})`
|
|
7774
7830
|
: `(Error Code: ${errorCode}, Tag: ${tagString})`;
|
|
7775
|
-
super(errorStatus, enhancedErrorContext);
|
|
7831
|
+
super(errorStatus, correlationId, enhancedErrorContext);
|
|
7776
7832
|
this.name = "PlatformBrokerError";
|
|
7777
7833
|
this.statusCode = errorCode;
|
|
7778
7834
|
this.tag = tagString;
|
|
@@ -8150,4 +8206,4 @@ exports.invokeAsync = invokeAsync;
|
|
|
8150
8206
|
exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
|
|
8151
8207
|
exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
|
|
8152
8208
|
exports.version = version;
|
|
8153
|
-
//# sourceMappingURL=index-node-
|
|
8209
|
+
//# sourceMappingURL=index-node-C_uKaUiZ.js.map
|