@microsoft/teamsfx 0.3.3-alpha.3dc53ce2.0 → 0.3.3-alpha.5cb301a1.0

package/dist/index.node.cjs.js

@@ -0,0 +1,1653 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var tslib = require('tslib');
+var jwt_decode = require('jwt-decode');
+var msalNode = require('@azure/msal-node');
+var crypto = require('crypto');
+var microsoftGraphClient = require('@microsoft/microsoft-graph-client');
+var identity = require('@azure/identity');
+var botbuilder = require('botbuilder');
+var botbuilderDialogs = require('botbuilder-dialogs');
+var uuid = require('uuid');
+
+function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
+
+var jwt_decode__default = /*#__PURE__*/_interopDefaultLegacy(jwt_decode);
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Error code to trace the error types.
+ * @beta
+ */
+exports.ErrorCode = void 0;
+(function (ErrorCode) {
+    /**
+     * Invalid parameter error.
+     */
+    ErrorCode["InvalidParameter"] = "InvalidParameter";
+    /**
+     * Invalid configuration error.
+     */
+    ErrorCode["InvalidConfiguration"] = "InvalidConfiguration";
+    /**
+     * Invalid certificate error.
+     */
+    ErrorCode["InvalidCertificate"] = "InvalidCertificate";
+    /**
+     * Internal error.
+     */
+    ErrorCode["InternalError"] = "InternalError";
+    /**
+     * Channel is not supported error.
+     */
+    ErrorCode["ChannelNotSupported"] = "ChannelNotSupported";
+    /**
+     * Runtime is not supported error.
+     */
+    ErrorCode["RuntimeNotSupported"] = "RuntimeNotSupported";
+    /**
+     * User failed to finish the AAD consent flow failed.
+     */
+    ErrorCode["ConsentFailed"] = "ConsentFailed";
+    /**
+     * The user or administrator has not consented to use the application error.
+     */
+    ErrorCode["UiRequiredError"] = "UiRequiredError";
+    /**
+     * Token is not within its valid time range error.
+     */
+    ErrorCode["TokenExpiredError"] = "TokenExpiredError";
+    /**
+     * Call service (AAD or simple authentication server) failed.
+     */
+    ErrorCode["ServiceError"] = "ServiceError";
+    /**
+     * Operation failed.
+     */
+    ErrorCode["FailedOperation"] = "FailedOperation";
+})(exports.ErrorCode || (exports.ErrorCode = {}));
+/**
+ * @internal
+ */
+var ErrorMessage = /** @class */ (function () {
+    function ErrorMessage() {
+    }
+    // InvalidConfiguration Error
+    ErrorMessage.InvalidConfiguration = "{0} in configuration is invalid: {1}.";
+    ErrorMessage.ConfigurationNotExists = "Configuration does not exist. {0}";
+    ErrorMessage.ResourceConfigurationNotExists = "{0} resource configuration does not exist.";
+    ErrorMessage.MissingResourceConfiguration = "Missing resource configuration with type: {0}, name: {1}.";
+    ErrorMessage.AuthenticationConfigurationNotExists = "Authentication configuration does not exist.";
+    // RuntimeNotSupported Error
+    ErrorMessage.BrowserRuntimeNotSupported = "{0} is not supported in browser.";
+    ErrorMessage.NodejsRuntimeNotSupported = "{0} is not supported in Node.";
+    // Internal Error
+    ErrorMessage.FailToAcquireTokenOnBehalfOfUser = "Failed to acquire access token on behalf of user: {0}";
+    // ChannelNotSupported Error
+    ErrorMessage.OnlyMSTeamsChannelSupported = "{0} is only supported in MS Teams Channel";
+    return ErrorMessage;
+}());
+/**
+ * Error class with code and message thrown by the SDK.
+ *
+ * @beta
+ */
+var ErrorWithCode = /** @class */ (function (_super) {
+    tslib.__extends(ErrorWithCode, _super);
+    /**
+     * Constructor of ErrorWithCode.
+     *
+     * @param {string} message - error message.
+     * @param {ErrorCode} code - error code.
+     *
+     * @beta
+     */
+    function ErrorWithCode(message, code) {
+        var _newTarget = this.constructor;
+        var _this = this;
+        if (!code) {
+            _this = _super.call(this, message) || this;
+            return _this;
+        }
+        _this = _super.call(this, message) || this;
+        Object.setPrototypeOf(_this, ErrorWithCode.prototype);
+        _this.name = _newTarget.name + "." + code;
+        _this.code = code;
+        return _this;
+    }
+    return ErrorWithCode;
+}(Error));
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Available resource type.
+ * @beta
+ */
+exports.ResourceType = void 0;
+(function (ResourceType) {
+    /**
+     * SQL database.
+     *
+     */
+    ResourceType[ResourceType["SQL"] = 0] = "SQL";
+    /**
+     * Rest API.
+     *
+     */
+    ResourceType[ResourceType["API"] = 1] = "API";
+})(exports.ResourceType || (exports.ResourceType = {}));
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Log level.
+ *
+ * @beta
+ */
+exports.LogLevel = void 0;
+(function (LogLevel) {
+    /**
+     * Show verbose, information, warning and error message.
+     */
+    LogLevel[LogLevel["Verbose"] = 0] = "Verbose";
+    /**
+     * Show information, warning and error message.
+     */
+    LogLevel[LogLevel["Info"] = 1] = "Info";
+    /**
+     * Show warning and error message.
+     */
+    LogLevel[LogLevel["Warn"] = 2] = "Warn";
+    /**
+     * Show error message.
+     */
+    LogLevel[LogLevel["Error"] = 3] = "Error";
+})(exports.LogLevel || (exports.LogLevel = {}));
+/**
+ * Update log level helper.
+ *
+ * @param { LogLevel } level - log level in configuration
+ *
+ * @beta
+ */
+function setLogLevel(level) {
+    internalLogger.level = level;
+}
+/**
+ * Get log level.
+ *
+ * @returns Log level
+ *
+ * @beta
+ */
+function getLogLevel() {
+    return internalLogger.level;
+}
+var InternalLogger = /** @class */ (function () {
+    function InternalLogger() {
+        this.level = undefined;
+        this.defaultLogger = {
+            verbose: console.debug,
+            info: console.info,
+            warn: console.warn,
+            error: console.error,
+        };
+    }
+    InternalLogger.prototype.error = function (message) {
+        this.log(exports.LogLevel.Error, function (x) { return x.error; }, message);
+    };
+    InternalLogger.prototype.warn = function (message) {
+        this.log(exports.LogLevel.Warn, function (x) { return x.warn; }, message);
+    };
+    InternalLogger.prototype.info = function (message) {
+        this.log(exports.LogLevel.Info, function (x) { return x.info; }, message);
+    };
+    InternalLogger.prototype.verbose = function (message) {
+        this.log(exports.LogLevel.Verbose, function (x) { return x.verbose; }, message);
+    };
+    InternalLogger.prototype.log = function (logLevel, logFunction, message) {
+        if (message.trim() === "") {
+            return;
+        }
+        var timestamp = new Date().toUTCString();
+        var logHeader = "[" + timestamp + "] : @microsoft/teamsfx : " + exports.LogLevel[logLevel] + " - ";
+        var logMessage = "" + logHeader + message;
+        if (this.level !== undefined && this.level <= logLevel) {
+            if (this.customLogger) {
+                logFunction(this.customLogger)(logMessage);
+            }
+            else if (this.customLogFunction) {
+                this.customLogFunction(logLevel, logMessage);
+            }
+            else {
+                logFunction(this.defaultLogger)(logMessage);
+            }
+        }
+    };
+    return InternalLogger;
+}());
+/**
+ * Logger instance used internally
+ *
+ * @internal
+ */
+var internalLogger = new InternalLogger();
+/**
+ * Set custom logger. Use the output functions if it's set. Priority is higher than setLogFunction.
+ *
+ * @param {Logger} logger - custom logger. If it's undefined, custom logger will be cleared.
+ *
+ * @example
+ * ```typescript
+ * setLogger({
+ *   verbose: console.debug,
+ *   info: console.info,
+ *   warn: console.warn,
+ *   error: console.error,
+ * });
+ * ```
+ *
+ * @beta
+ */
+function setLogger(logger) {
+    internalLogger.customLogger = logger;
+}
+/**
+ * Set custom log function. Use the function if it's set. Priority is lower than setLogger.
+ *
+ * @param {LogFunction} logFunction - custom log function. If it's undefined, custom log function will be cleared.
+ *
+ * @example
+ * ```typescript
+ * setLogFunction((level: LogLevel, message: string) => {
+ *   if (level === LogLevel.Error) {
+ *     console.log(message);
+ *   }
+ * });
+ * ```
+ *
+ * @beta
+ */
+function setLogFunction(logFunction) {
+    internalLogger.customLogFunction = logFunction;
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Parse jwt token payload
+ *
+ * @param token
+ *
+ * @returns Payload object
+ *
+ * @internal
+ */
+function parseJwt(token) {
+    try {
+        var tokenObj = jwt_decode__default["default"](token);
+        if (!tokenObj || !tokenObj.exp) {
+            throw new ErrorWithCode("Decoded token is null or exp claim does not exists.", exports.ErrorCode.InternalError);
+        }
+        return tokenObj;
+    }
+    catch (err) {
+        var errorMsg = "Parse jwt token failed in node env with error: " + err.message;
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError);
+    }
+}
+/**
+ * @internal
+ */
+function getUserInfoFromSsoToken(ssoToken) {
+    if (!ssoToken) {
+        var errorMsg = "SSO token is undefined.";
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
+    }
+    var tokenObject = parseJwt(ssoToken);
+    var userInfo = {
+        displayName: tokenObject.name,
+        objectId: tokenObject.oid,
+        preferredUserName: "",
+    };
+    if (tokenObject.ver === "2.0") {
+        userInfo.preferredUserName = tokenObject.preferred_username;
+    }
+    else if (tokenObject.ver === "1.0") {
+        userInfo.preferredUserName = tokenObject.upn;
+    }
+    return userInfo;
+}
+/**
+ * Format string template with replacements
+ *
+ * ```typescript
+ * const template = "{0} and {1} are fruit. {0} is my favorite one."
+ * const formattedStr = formatString(template, "apple", "pear"); // formattedStr: "apple and pear are fruit. apple is my favorite one."
+ * ```
+ *
+ * @param str string template
+ * @param replacements replacement string array
+ * @returns Formatted string
+ *
+ * @internal
+ */
+function formatString(str) {
+    var replacements = [];
+    for (var _i = 1; _i < arguments.length; _i++) {
+        replacements[_i - 1] = arguments[_i];
+    }
+    var args = replacements;
+    return str.replace(/{(\d+)}/g, function (match, number) {
+        return typeof args[number] != "undefined" ? args[number] : match;
+    });
+}
+/**
+ * @internal
+ */
+function validateScopesType(value) {
+    // string
+    if (typeof value === "string" || value instanceof String) {
+        return;
+    }
+    // empty array
+    if (Array.isArray(value) && value.length === 0) {
+        return;
+    }
+    // string array
+    if (Array.isArray(value) && value.length > 0 && value.every(function (item) { return typeof item === "string"; })) {
+        return;
+    }
+    var errorMsg = "The type of scopes is not valid, it must be string or string array";
+    internalLogger.error(errorMsg);
+    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
+}
+/**
+ * @internal
+ */
+function getScopesArray(scopes) {
+    var scopesArray = typeof scopes === "string" ? scopes.split(" ") : scopes;
+    return scopesArray.filter(function (x) { return x !== null && x !== ""; });
+}
+/**
+ * @internal
+ */
+function getAuthority(authorityHost, tenantId) {
+    var normalizedAuthorityHost = authorityHost.replace(/\/+$/g, "");
+    return normalizedAuthorityHost + "/" + tenantId;
+}
+/**
+ * @internal
+ */
+var isNode = typeof process !== "undefined" &&
+    !!process.version &&
+    !!process.versions &&
+    !!process.versions.node;
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Global configuration instance
+ *
+ */
+var config;
+/**
+ * Initialize configuration from environment variables or configuration object and set the global instance
+ *
+ * @param {Configuration} configuration - Optional configuration that overrides the default configuration values. The override depth is 1.
+ *
+ * @throws {@link ErrorCode|InvalidParameter} when configuration is not passed in browser environment
+ *
+ * @beta
+ */
+function loadConfiguration(configuration) {
+    internalLogger.info("load configuration");
+    // browser environment
+    if (!isNode) {
+        if (!configuration) {
+            var errorMsg = "You are running the code in browser. Configuration must be passed in.";
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
+        }
+        config = configuration;
+        return;
+    }
+    // node environment
+    var newAuthentication;
+    var newResources = [];
+    var defaultResourceName = "default";
+    if (configuration === null || configuration === void 0 ? void 0 : configuration.authentication) {
+        newAuthentication = configuration.authentication;
+    }
+    else {
+        newAuthentication = {
+            authorityHost: process.env.M365_AUTHORITY_HOST,
+            tenantId: process.env.M365_TENANT_ID,
+            clientId: process.env.M365_CLIENT_ID,
+            clientSecret: process.env.M365_CLIENT_SECRET,
+            simpleAuthEndpoint: process.env.SIMPLE_AUTH_ENDPOINT,
+            initiateLoginEndpoint: process.env.INITIATE_LOGIN_ENDPOINT,
+            applicationIdUri: process.env.M365_APPLICATION_ID_URI,
+        };
+    }
+    if (configuration === null || configuration === void 0 ? void 0 : configuration.resources) {
+        newResources = configuration.resources;
+    }
+    else {
+        newResources = [
+            {
+                // SQL resource
+                type: exports.ResourceType.SQL,
+                name: defaultResourceName,
+                properties: {
+                    sqlServerEndpoint: process.env.SQL_ENDPOINT,
+                    sqlUsername: process.env.SQL_USER_NAME,
+                    sqlPassword: process.env.SQL_PASSWORD,
+                    sqlDatabaseName: process.env.SQL_DATABASE_NAME,
+                    sqlIdentityId: process.env.IDENTITY_ID,
+                },
+            },
+            {
+                // API resource
+                type: exports.ResourceType.API,
+                name: defaultResourceName,
+                properties: {
+                    endpoint: process.env.API_ENDPOINT,
+                },
+            },
+        ];
+    }
+    config = {
+        authentication: newAuthentication,
+        resources: newResources,
+    };
+}
+/**
+ * Get configuration for a specific resource.
+ * @param {ResourceType} resourceType - The type of resource
+ * @param {string} resourceName - The name of resource, default value is "default".
+ *
+ * @returns Resource configuration for target resource from global configuration instance.
+ *
+ * @throws {@link ErrorCode|InvalidConfiguration} when resource configuration with the specific type and name is not found
+ *
+ * @beta
+ */
+function getResourceConfiguration(resourceType, resourceName) {
+    var _a;
+    if (resourceName === void 0) { resourceName = "default"; }
+    internalLogger.info("Get resource configuration of " + exports.ResourceType[resourceType] + " from " + resourceName);
+    var result = (_a = config.resources) === null || _a === void 0 ? void 0 : _a.find(function (item) { return item.type === resourceType && item.name === resourceName; });
+    if (result) {
+        return result.properties;
+    }
+    var errorMsg = formatString(ErrorMessage.MissingResourceConfiguration, exports.ResourceType[resourceType], resourceName);
+    internalLogger.error(errorMsg);
+    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
+}
+/**
+ * Get configuration for authentication.
+ *
+ * @returns Authentication configuration from global configuration instance, the value may be undefined if no authentication config exists in current environment.
+ *
+ * @throws {@link ErrorCode|InvalidConfiguration} when global configuration does not exist
+ *
+ * @beta
+ */
+function getAuthenticationConfiguration() {
+    internalLogger.info("Get authentication configuration");
+    if (config) {
+        return config.authentication;
+    }
+    var errorMsg = "Please call loadConfiguration() first before calling getAuthenticationConfiguration().";
+    internalLogger.error(errorMsg);
+    throw new ErrorWithCode(formatString(ErrorMessage.ConfigurationNotExists, errorMsg), exports.ErrorCode.InvalidConfiguration);
+}
+
+/**
+ * @internal
+ */
+function createConfidentialClientApplication(authentication) {
+    var authority = getAuthority(authentication.authorityHost, authentication.tenantId);
+    var clientCertificate = parseCertificate(authentication.certificateContent);
+    var auth = {
+        clientId: authentication.clientId,
+        authority: authority,
+    };
+    if (clientCertificate) {
+        auth.clientCertificate = clientCertificate;
+    }
+    else {
+        auth.clientSecret = authentication.clientSecret;
+    }
+    return new msalNode.ConfidentialClientApplication({
+        auth: auth,
+    });
+}
+/**
+ * @internal
+ */
+function parseCertificate(certificateContent) {
+    if (!certificateContent) {
+        return undefined;
+    }
+    var certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
+    var match = certificatePattern.exec(certificateContent);
+    if (!match) {
+        var errorMsg = "The certificate content does not contain a PEM-encoded certificate.";
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidCertificate);
+    }
+    var thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(match[3], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return {
+        thumbprint: thumbprint,
+        privateKey: certificateContent,
+    };
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Represent Microsoft 365 tenant identity, and it is usually used when user is not involved like time-triggered automation job.
+ *
+ * @example
+ * ```typescript
+ * loadConfiguration(); // load configuration from environment variables
+ * const credential = new M365TenantCredential();
+ * ```
+ *
+ * @remarks
+ * Only works in in server side.
+ *
+ * @beta
+ */
+var M365TenantCredential = /** @class */ (function () {
+    /**
+     * Constructor of M365TenantCredential.
+     *
+     * @remarks
+     * Only works in in server side.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret or tenant id is not found in config.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
+     *
+     * @beta
+     */
+    function M365TenantCredential() {
+        internalLogger.info("Create M365 tenant credential");
+        var config = this.loadAndValidateConfig();
+        this.msalClient = createConfidentialClientApplication(config);
+    }
+    /**
+     * Get access token for credential.
+     *
+     * @example
+     * ```typescript
+     * await credential.getToken(["User.Read.All"]) // Get Graph access token for single scope using string array
+     * await credential.getToken("User.Read.All") // Get Graph access token for single scope using string
+     * await credential.getToken(["User.Read.All", "Calendars.Read"]) // Get Graph access token for multiple scopes using string array
+     * await credential.getToken("User.Read.All Calendars.Read") // Get Graph access token for multiple scopes using space-separated string
+     * await credential.getToken("https://graph.microsoft.com/User.Read.All") // Get Graph access token with full resource URI
+     * await credential.getToken(["https://outlook.office.com/Mail.Read"]) // Get Outlook access token
+     * ```
+     *
+     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
+     * @param {GetTokenOptions} options - The options used to configure any requests this TokenCredential implementation might make.
+     *
+     * @throws {@link ErrorCode|ServiceError} when get access token with authentication error.
+     * @throws {@link ErrorCode|InternalError} when get access token with unknown error.
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
+     *
+     * @returns Access token with expected scopes.
+     * Throw error if get access token failed.
+     *
+     * @beta
+     */
+    M365TenantCredential.prototype.getToken = function (scopes, options) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var accessToken, scopesStr, scopesArray, authenticationResult, err_1, errorMsg, errorMsg;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        validateScopesType(scopes);
+                        scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
+                        internalLogger.info("Get access token with scopes: " + scopesStr);
+                        _a.label = 1;
+                    case 1:
+                        _a.trys.push([1, 3, , 4]);
+                        scopesArray = getScopesArray(scopes);
+                        return [4 /*yield*/, this.msalClient.acquireTokenByClientCredential({
+                                scopes: scopesArray,
+                            })];
+                    case 2:
+                        authenticationResult = _a.sent();
+                        if (authenticationResult) {
+                            accessToken = {
+                                token: authenticationResult.accessToken,
+                                expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
+                            };
+                        }
+                        return [3 /*break*/, 4];
+                    case 3:
+                        err_1 = _a.sent();
+                        errorMsg = "Get M365 tenant credential failed with error: " + err_1.message;
+                        internalLogger.error(errorMsg);
+                        throw new ErrorWithCode(errorMsg, exports.ErrorCode.ServiceError);
+                    case 4:
+                        if (!accessToken) {
+                            errorMsg = "Get M365 tenant credential access token failed with empty access token";
+                            internalLogger.error(errorMsg);
+                            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError);
+                        }
+                        return [2 /*return*/, accessToken];
+                }
+            });
+        });
+    };
+    /**
+     * Load and validate authentication configuration
+     * @returns Authentication configuration
+     */
+    M365TenantCredential.prototype.loadAndValidateConfig = function () {
+        internalLogger.verbose("Validate authentication configuration");
+        var config = getAuthenticationConfiguration();
+        if (!config) {
+            internalLogger.error(ErrorMessage.AuthenticationConfigurationNotExists);
+            throw new ErrorWithCode(ErrorMessage.AuthenticationConfigurationNotExists, exports.ErrorCode.InvalidConfiguration);
+        }
+        if (config.clientId && (config.clientSecret || config.certificateContent) && config.tenantId) {
+            return config;
+        }
+        var missingValues = [];
+        if (!config.clientId) {
+            missingValues.push("clientId");
+        }
+        if (!config.clientSecret && !config.certificateContent) {
+            missingValues.push("clientSecret or certificateContent");
+        }
+        if (!config.tenantId) {
+            missingValues.push("tenantId");
+        }
+        var errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingValues.join(", "), "undefined");
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
+    };
+    return M365TenantCredential;
+}());
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Represent on-behalf-of flow to get user identity, and it is designed to be used in server side.
+ *
+ * @example
+ * ```typescript
+ * loadConfiguration(); // load configuration from environment variables
+ * const credential = new OnBehalfOfUserCredential(ssoToken);
+ * ```
+ *
+ * @remarks
+ * Can only be used in server side.
+ *
+ * @beta
+ */
+var OnBehalfOfUserCredential = /** @class */ (function () {
+    /**
+     * Constructor of OnBehalfOfUserCredential
+     *
+     * @remarks
+     * Only works in in server side.
+     *
+     * @param {string} ssoToken - User token provided by Teams SSO feature.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret, certificate content, authority host or tenant id is not found in config.
+     * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    function OnBehalfOfUserCredential(ssoToken) {
+        var _a, _b, _c, _d, _e;
+        internalLogger.info("Get on behalf of user credential");
+        var missingConfigurations = [];
+        if (!((_a = config === null || config === void 0 ? void 0 : config.authentication) === null || _a === void 0 ? void 0 : _a.clientId)) {
+            missingConfigurations.push("clientId");
+        }
+        if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.authorityHost)) {
+            missingConfigurations.push("authorityHost");
+        }
+        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.clientSecret) && !((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.certificateContent)) {
+            missingConfigurations.push("clientSecret or certificateContent");
+        }
+        if (!((_e = config === null || config === void 0 ? void 0 : config.authentication) === null || _e === void 0 ? void 0 : _e.tenantId)) {
+            missingConfigurations.push("tenantId");
+        }
+        if (missingConfigurations.length != 0) {
+            var errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingConfigurations.join(", "), "undefined");
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
+        }
+        this.msalClient = createConfidentialClientApplication(config.authentication);
+        var decodedSsoToken = parseJwt(ssoToken);
+        this.ssoToken = {
+            token: ssoToken,
+            expiresOnTimestamp: decodedSsoToken.exp,
+        };
+    }
+    /**
+     * Get access token from credential.
+     *
+     * @example
+     * ```typescript
+     * await credential.getToken([]) // Get SSO token using empty string array
+     * await credential.getToken("") // Get SSO token using empty string
+     * await credential.getToken([".default"]) // Get Graph access token with default scope using string array
+     * await credential.getToken(".default") // Get Graph access token with default scope using string
+     * await credential.getToken(["User.Read"]) // Get Graph access token for single scope using string array
+     * await credential.getToken("User.Read") // Get Graph access token for single scope using string
+     * await credential.getToken(["User.Read", "Application.Read.All"]) // Get Graph access token for multiple scopes using string array
+     * await credential.getToken("User.Read Application.Read.All") // Get Graph access token for multiple scopes using space-separated string
+     * await credential.getToken("https://graph.microsoft.com/User.Read") // Get Graph access token with full resource URI
+     * await credential.getToken(["https://outlook.office.com/Mail.Read"]) // Get Outlook access token
+     * ```
+     *
+     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
+     * @param {GetTokenOptions} options - The options used to configure any requests this TokenCredential implementation might make.
+     *
+     * @throws {@link ErrorCode|InternalError} when failed to acquire access token on behalf of user with unknown error.
+     * @throws {@link ErrorCode|TokenExpiredError} when SSO token has already expired.
+     * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
+     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth server.
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @returns Access token with expected scopes.
+     *
+     * @remarks
+     * If scopes is empty string or array, it returns SSO token.
+     * If scopes is non-empty, it returns access token for target scope.
+     *
+     * @beta
+     */
+    OnBehalfOfUserCredential.prototype.getToken = function (scopes, options) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var scopesArray, result, errorMsg, authenticationResult, error_1, errorMsg;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        validateScopesType(scopes);
+                        scopesArray = getScopesArray(scopes);
+                        if (!!scopesArray.length) return [3 /*break*/, 1];
+                        internalLogger.info("Get SSO token.");
+                        if (Math.floor(Date.now() / 1000) > this.ssoToken.expiresOnTimestamp) {
+                            errorMsg = "Sso token has already expired.";
+                            internalLogger.error(errorMsg);
+                            throw new ErrorWithCode(errorMsg, exports.ErrorCode.TokenExpiredError);
+                        }
+                        result = this.ssoToken;
+                        return [3 /*break*/, 6];
+                    case 1:
+                        internalLogger.info("Get access token with scopes: " + scopesArray.join(" "));
+                        authenticationResult = void 0;
+                        _a.label = 2;
+                    case 2:
+                        _a.trys.push([2, 4, , 5]);
+                        return [4 /*yield*/, this.msalClient.acquireTokenOnBehalfOf({
+                                oboAssertion: this.ssoToken.token,
+                                scopes: scopesArray,
+                            })];
+                    case 3:
+                        authenticationResult = _a.sent();
+                        return [3 /*break*/, 5];
+                    case 4:
+                        error_1 = _a.sent();
+                        throw this.generateAuthServerError(error_1);
+                    case 5:
+                        if (!authenticationResult) {
+                            errorMsg = "Access token is null";
+                            internalLogger.error(errorMsg);
+                            throw new ErrorWithCode(formatString(ErrorMessage.FailToAcquireTokenOnBehalfOfUser, errorMsg), exports.ErrorCode.InternalError);
+                        }
+                        result = {
+                            token: authenticationResult.accessToken,
+                            expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
+                        };
+                        _a.label = 6;
+                    case 6: return [2 /*return*/, result];
+                }
+            });
+        });
+    };
+    /**
+     * Get basic user info from SSO token.
+     *
+     * @example
+     * ```typescript
+     * const currentUser = getUserInfo();
+     * ```
+     *
+     * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @returns Basic user info with user displayName, objectId and preferredUserName.
+     *
+     * @beta
+     */
+    OnBehalfOfUserCredential.prototype.getUserInfo = function () {
+        internalLogger.info("Get basic user info from SSO token");
+        return getUserInfoFromSsoToken(this.ssoToken.token);
+    };
+    OnBehalfOfUserCredential.prototype.generateAuthServerError = function (err) {
+        var errorMessage = err.errorMessage;
+        if (err.name === "InteractionRequiredAuthError") {
+            var fullErrorMsg = "Failed to get access token from AAD server, interaction required: " + errorMessage;
+            internalLogger.warn(fullErrorMsg);
+            return new ErrorWithCode(fullErrorMsg, exports.ErrorCode.UiRequiredError);
+        }
+        else if (errorMessage && errorMessage.indexOf("AADSTS500133") >= 0) {
+            var fullErrorMsg = "Failed to get access token from AAD server, sso token expired: " + errorMessage;
+            internalLogger.error(fullErrorMsg);
+            return new ErrorWithCode(fullErrorMsg, exports.ErrorCode.TokenExpiredError);
+        }
+        else {
+            var fullErrorMsg = formatString(ErrorMessage.FailToAcquireTokenOnBehalfOfUser, errorMessage);
+            internalLogger.error(fullErrorMsg);
+            return new ErrorWithCode(fullErrorMsg, exports.ErrorCode.ServiceError);
+        }
+    };
+    return OnBehalfOfUserCredential;
+}());
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Represent Teams current user's identity, and it is used within Teams client applications.
+ *
+ * @remarks
+ * Can only be used within Teams.
+ *
+ * @beta
+ */
+var TeamsUserCredential = /** @class */ (function () {
+    /**
+     * Constructor of TeamsUserCredential.
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    function TeamsUserCredential() {
+        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
+    }
+    /**
+     * Popup login page to get user's access token with specific scopes.
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    TeamsUserCredential.prototype.login = function (scopes) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            return tslib.__generator(this, function (_a) {
+                throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
+            });
+        });
+    };
+    /**
+     * Get access token from credential.
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    TeamsUserCredential.prototype.getToken = function (scopes, options) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            return tslib.__generator(this, function (_a) {
+                throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
+            });
+        });
+    };
+    /**
+     * Get basic user info from SSO token
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    TeamsUserCredential.prototype.getUserInfo = function () {
+        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
+    };
+    return TeamsUserCredential;
+}());
+
+// Copyright (c) Microsoft Corporation.
+var defaultScope = "https://graph.microsoft.com/.default";
+/**
+ * Microsoft Graph auth provider for Teams Framework
+ *
+ * @beta
+ */
+var MsGraphAuthProvider = /** @class */ (function () {
+    /**
+     * Constructor of MsGraphAuthProvider.
+     *
+     * @param {TokenCredential} credential - Credential used to invoke Microsoft Graph APIs.
+     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
+     *
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     *
+     * @returns An instance of MsGraphAuthProvider.
+     *
+     * @beta
+     */
+    function MsGraphAuthProvider(credential, scopes) {
+        this.credential = credential;
+        var scopesStr = defaultScope;
+        if (scopes) {
+            validateScopesType(scopes);
+            scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
+            if (scopesStr === "") {
+                scopesStr = defaultScope;
+            }
+        }
+        internalLogger.info("Create Microsoft Graph Authentication Provider with scopes: '" + scopesStr + "'");
+        this.scopes = scopesStr;
+    }
+    /**
+     * Get access token for Microsoft Graph API requests.
+     *
+     * @throws {@link ErrorCode|InternalError} when get access token failed due to empty token or unknown other problems.
+     * @throws {@link ErrorCode|TokenExpiredError} when SSO token has already expired.
+     * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
+     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth or AAD server.
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     *
+     * @returns Access token from the credential.
+     *
+     */
+    MsGraphAuthProvider.prototype.getAccessToken = function () {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var accessToken;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        internalLogger.info("Get Graph Access token with scopes: '" + this.scopes + "'");
+                        return [4 /*yield*/, this.credential.getToken(this.scopes)];
+                    case 1:
+                        accessToken = _a.sent();
+                        return [2 /*return*/, new Promise(function (resolve, reject) {
+                                if (accessToken) {
+                                    resolve(accessToken.token);
+                                }
+                                else {
+                                    var errorMsg = "Graph access token is undefined or empty";
+                                    internalLogger.error(errorMsg);
+                                    reject(new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError));
+                                }
+                            })];
+                }
+            });
+        });
+    };
+    return MsGraphAuthProvider;
+}());
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Get Microsoft graph client.
+ *
+ * @example
+ * Get Microsoft graph client by TokenCredential
+ * ```typescript
+ * // Sso token example (Azure Function)
+ * const ssoToken = "YOUR_TOKEN_STRING";
+ * const options = {"AAD_APP_ID", "AAD_APP_SECRET"};
+ * const credential = new OnBehalfOfAADUserCredential(ssoToken, options);
+ * const graphClient = await createMicrosoftGraphClient(credential);
+ * const profile = await graphClient.api("/me").get();
+ *
+ * // TeamsBotSsoPrompt example (Bot Application)
+ * const requiredScopes = ["User.Read"];
+ * const config: Configuration = {
+ *    loginUrl: loginUrl,
+ *    clientId: clientId,
+ *    clientSecret: clientSecret,
+ *    tenantId: tenantId
+ * };
+ * const prompt = new TeamsBotSsoPrompt(dialogId, {
+ *    config: config
+ *    scopes: '["User.Read"],
+ * });
+ * this.addDialog(prompt);
+ *
+ * const oboCredential = new OnBehalfOfAADUserCredential(
+ *  getUserId(dialogContext),
+ *  {
+ *    clientId: "AAD_APP_ID",
+ *    clientSecret: "AAD_APP_SECRET"
+ *  });
+ * try {
+ *    const graphClient = await createMicrosoftGraphClient(credential);
+ *    const profile = await graphClient.api("/me").get();
+ * } catch (e) {
+ *    dialogContext.beginDialog(dialogId);
+ *    return Dialog.endOfTurn();
+ * }
+ * ```
+ *
+ * @param {TokenCredential} credential - token credential instance.
+ * @param scopes - The array of Microsoft Token scope of access. Default value is `[.default]`.
+ *
+ * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+ *
+ * @returns Graph client with specified scopes.
+ *
+ * @beta
+ */
+function createMicrosoftGraphClient(credential, scopes) {
+    internalLogger.info("Create Microsoft Graph Client");
+    var authProvider = new MsGraphAuthProvider(credential, scopes);
+    var graphClient = microsoftGraphClient.Client.initWithMiddleware({
+        authProvider: authProvider,
+    });
+    return graphClient;
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * SQL connection configuration instance.
+ * @remarks
+ * Only works in in server side.
+ *
+ * @beta
+ *
+ */
+var DefaultTediousConnectionConfiguration = /** @class */ (function () {
+    function DefaultTediousConnectionConfiguration() {
+        /**
+         * MSSQL default scope
+         * https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
+         */
+        this.defaultSQLScope = "https://database.windows.net/";
+    }
+    /**
+     * Generate connection configuration consumed by tedious.
+     *
+     * @returns Connection configuration of tedious for the SQL.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} when SQL config resource configuration is invalid.
+     * @throws {@link ErrorCode|InternalError} when get user MSI token failed or MSI token is invalid.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    DefaultTediousConnectionConfiguration.prototype.getConfig = function () {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var configuration, errMsg, configWithUPS, configWithToken, error_1;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        internalLogger.info("Get SQL configuration");
+                        configuration = getResourceConfiguration(exports.ResourceType.SQL);
+                        if (!configuration) {
+                            errMsg = "SQL resource configuration not exist";
+                            internalLogger.error(errMsg);
+                            throw new ErrorWithCode(errMsg, exports.ErrorCode.InvalidConfiguration);
+                        }
+                        try {
+                            this.isSQLConfigurationValid(configuration);
+                        }
+                        catch (err) {
+                            throw err;
+                        }
+                        if (!this.isMsiAuthentication()) {
+                            configWithUPS = this.generateDefaultConfig(configuration);
+                            internalLogger.verbose("SQL configuration with username and password generated");
+                            return [2 /*return*/, configWithUPS];
+                        }
+                        _a.label = 1;
+                    case 1:
+                        _a.trys.push([1, 3, , 4]);
+                        return [4 /*yield*/, this.generateTokenConfig(configuration)];
+                    case 2:
+                        configWithToken = _a.sent();
+                        internalLogger.verbose("SQL configuration with MSI token generated");
+                        return [2 /*return*/, configWithToken];
+                    case 3:
+                        error_1 = _a.sent();
+                        throw error_1;
+                    case 4: return [2 /*return*/];
+                }
+            });
+        });
+    };
+    /**
+     * Check SQL use MSI identity or username and password.
+     *
+     * @returns false - login with SQL MSI identity, true - login with username and password.
+     * @internal
+     */
+    DefaultTediousConnectionConfiguration.prototype.isMsiAuthentication = function () {
+        internalLogger.verbose("Check connection config using MSI access token or username and password");
+        var configuration = getResourceConfiguration(exports.ResourceType.SQL);
+        if ((configuration === null || configuration === void 0 ? void 0 : configuration.sqlUsername) != null && (configuration === null || configuration === void 0 ? void 0 : configuration.sqlPassword) != null) {
+            internalLogger.verbose("Login with username and password");
+            return false;
+        }
+        internalLogger.verbose("Login with MSI identity");
+        return true;
+    };
+    /**
+     * check configuration is an available configurations.
+     * @param { SqlConfiguration } sqlConfig
+     *
+     * @returns true - SQL configuration has a valid SQL endpoints, SQL username with password or identity ID.
+     *          false - configuration is not valid.
+     * @internal
+     */
+    DefaultTediousConnectionConfiguration.prototype.isSQLConfigurationValid = function (sqlConfig) {
+        internalLogger.verbose("Check SQL configuration if valid");
+        if (!sqlConfig.sqlServerEndpoint) {
+            internalLogger.error("SQL configuration is not valid without SQL server endpoint exist");
+            throw new ErrorWithCode("SQL configuration error without SQL server endpoint exist", exports.ErrorCode.InvalidConfiguration);
+        }
+        if (!(sqlConfig.sqlUsername && sqlConfig.sqlPassword) && !sqlConfig.sqlIdentityId) {
+            var errMsg = "SQL configuration is not valid without " + (sqlConfig.sqlIdentityId ? "" : "identity id ") + " " + (sqlConfig.sqlUsername ? "" : "SQL username ") + " " + (sqlConfig.sqlPassword ? "" : "SQL password") + " exist";
+            internalLogger.error(errMsg);
+            throw new ErrorWithCode(errMsg, exports.ErrorCode.InvalidConfiguration);
+        }
+        internalLogger.verbose("SQL configuration is valid");
+    };
+    /**
+     * Generate tedious connection configuration with default authentication type.
+     *
+     * @param { SqlConfiguration } SQL configuration with username and password.
+     *
+     * @returns Tedious connection configuration with username and password.
+     * @internal
+     */
+    DefaultTediousConnectionConfiguration.prototype.generateDefaultConfig = function (sqlConfig) {
+        internalLogger.verbose("SQL server " + sqlConfig.sqlServerEndpoint + ", user name " + sqlConfig.sqlUsername + ", database name " + sqlConfig.sqlDatabaseName);
+        var config = {
+            server: sqlConfig.sqlServerEndpoint,
+            authentication: {
+                type: TediousAuthenticationType.default,
+                options: {
+                    userName: sqlConfig.sqlUsername,
+                    password: sqlConfig.sqlPassword,
+                },
+            },
+            options: {
+                database: sqlConfig.sqlDatabaseName,
+                encrypt: true,
+            },
+        };
+        return config;
+    };
+    /**
+     * Generate tedious connection configuration with azure-active-directory-access-token authentication type.
+     *
+     * @param { SqlConfiguration } SQL configuration with AAD access token.
+     *
+     * @returns Tedious connection configuration with access token.
+     * @internal
+     */
+    DefaultTediousConnectionConfiguration.prototype.generateTokenConfig = function (sqlConfig) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var token, credential, errMsg, config;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        internalLogger.verbose("Generate tedious config with MSI token");
+                        _a.label = 1;
+                    case 1:
+                        _a.trys.push([1, 3, , 4]);
+                        credential = new identity.ManagedIdentityCredential(sqlConfig.sqlIdentityId);
+                        return [4 /*yield*/, credential.getToken(this.defaultSQLScope)];
+                    case 2:
+                        token = _a.sent();
+                        return [3 /*break*/, 4];
+                    case 3:
+                        _a.sent();
+                        errMsg = "Get user MSI token failed";
+                        internalLogger.error(errMsg);
+                        throw new ErrorWithCode(errMsg, exports.ErrorCode.InternalError);
+                    case 4:
+                        if (token) {
+                            config = {
+                                server: sqlConfig.sqlServerEndpoint,
+                                authentication: {
+                                    type: TediousAuthenticationType.MSI,
+                                    options: {
+                                        token: token.token,
+                                    },
+                                },
+                                options: {
+                                    database: sqlConfig.sqlDatabaseName,
+                                    encrypt: true,
+                                },
+                            };
+                            internalLogger.verbose("Generate token configuration success, server endpoint is " + sqlConfig.sqlServerEndpoint + ", database name is " + sqlConfig.sqlDatabaseName);
+                            return [2 /*return*/, config];
+                        }
+                        internalLogger.error("Generate token configuration, server endpoint is " + sqlConfig.sqlServerEndpoint + ", MSI token is not valid");
+                        throw new ErrorWithCode("MSI token is not valid", exports.ErrorCode.InternalError);
+                }
+            });
+        });
+    };
+    return DefaultTediousConnectionConfiguration;
+}());
+/**
+ * tedious connection config authentication type.
+ * https://tediousjs.github.io/tedious/api-connection.html
+ * @internal
+ */
+var TediousAuthenticationType;
+(function (TediousAuthenticationType) {
+    TediousAuthenticationType["default"] = "default";
+    TediousAuthenticationType["MSI"] = "azure-active-directory-access-token";
+})(TediousAuthenticationType || (TediousAuthenticationType = {}));
+
+// Copyright (c) Microsoft Corporation.
+var invokeResponseType = "invokeResponse";
+/**
+ * Response body returned for a token exchange invoke activity.
+ *
+ * @beta
+ */
+var TokenExchangeInvokeResponse = /** @class */ (function () {
+    function TokenExchangeInvokeResponse(id, failureDetail) {
+        this.id = id;
+        this.failureDetail = failureDetail;
+    }
+    return TokenExchangeInvokeResponse;
+}());
+/**
+ * Creates a new prompt that leverage Teams Single Sign On (SSO) support for bot to automatically sign in user and
+ * help receive oauth token, asks the user to consent if needed.
+ *
+ * @remarks
+ * The prompt will attempt to retrieve the users current token of the desired scopes and store it in
+ * the token store.
+ *
+ * User will be automatically signed in leveraging Teams support of Bot Single Sign On(SSO):
+ * https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots
+ *
+ * @example
+ * When used with your bots `DialogSet` you can simply add a new instance of the prompt as a named
+ * dialog using `DialogSet.add()`. You can then start the prompt from a waterfall step using either
+ * `DialogContext.beginDialog()` or `DialogContext.prompt()`. The user will be prompted to sign in as
+ * needed and their access token will be passed as an argument to the callers next waterfall step:
+ *
+ * ```JavaScript
+ * const { ConversationState, MemoryStorage } = require('botbuilder');
+ * const { DialogSet, WaterfallDialog } = require('botbuilder-dialogs');
+ * const { TeamsBotSsoPrompt } = require('@microsoft/teamsfx');
+ *
+ * const convoState = new ConversationState(new MemoryStorage());
+ * const dialogState = convoState.createProperty('dialogState');
+ * const dialogs = new DialogSet(dialogState);
+ *
+ * loadConfiguration();
+ * dialogs.add(new TeamsBotSsoPrompt('TeamsBotSsoPrompt', {
+ *    scopes: ["User.Read"],
+ * }));
+ *
+ * dialogs.add(new WaterfallDialog('taskNeedingLogin', [
+ *      async (step) => {
+ *          return await step.beginDialog('TeamsBotSsoPrompt');
+ *      },
+ *      async (step) => {
+ *          const token = step.result;
+ *          if (token) {
+ *
+ *              // ... continue with task needing access token ...
+ *
+ *          } else {
+ *              await step.context.sendActivity(`Sorry... We couldn't log you in. Try again later.`);
+ *              return await step.endDialog();
+ *          }
+ *      }
+ * ]));
+ * ```
+ *
+ * @beta
+ */
+var TeamsBotSsoPrompt = /** @class */ (function (_super) {
+    tslib.__extends(TeamsBotSsoPrompt, _super);
+    /**
+     * Constructor of TeamsBotSsoPrompt.
+     *
+     * @param dialogId Unique ID of the dialog within its parent `DialogSet` or `ComponentDialog`.
+     * @param settings Settings used to configure the prompt.
+     *
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    function TeamsBotSsoPrompt(dialogId, settings) {
+        var _this = _super.call(this, dialogId) || this;
+        _this.settings = settings;
+        validateScopesType(settings.scopes);
+        internalLogger.info("Create a new Teams Bot SSO Prompt");
+        return _this;
+    }
+    /**
+     * Called when a prompt dialog is pushed onto the dialog stack and is being activated.
+     * @remarks
+     * If the task is successful, the result indicates whether the prompt is still
+     * active after the turn has been processed by the prompt.
+     *
+     * @param dc The DialogContext for the current turn of the conversation.
+     *
+     * @throws {@link ErrorCode|InvalidParameter} when timeout property in teams bot sso prompt settings is not number or is not positive.
+     * @throws {@link ErrorCode|ChannelNotSupported} when bot channel is not MS Teams.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @returns A `Promise` representing the asynchronous operation.
+     *
+     * @beta
+     */
+    TeamsBotSsoPrompt.prototype.beginDialog = function (dc) {
+        var _a;
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var default_timeout, timeout, errorMsg, errorMsg, state;
+            return tslib.__generator(this, function (_b) {
+                switch (_b.label) {
+                    case 0:
+                        internalLogger.info("Begin Teams Bot SSO Prompt");
+                        this.ensureMsTeamsChannel(dc);
+                        default_timeout = 900000;
+                        timeout = default_timeout;
+                        if (this.settings.timeout) {
+                            if (typeof this.settings.timeout != "number") {
+                                errorMsg = "type of timeout property in teamsBotSsoPromptSettings should be number.";
+                                internalLogger.error(errorMsg);
+                                throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
+                            }
+                            if (this.settings.timeout <= 0) {
+                                errorMsg = "value of timeout property in teamsBotSsoPromptSettings should be positive.";
+                                internalLogger.error(errorMsg);
+                                throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
+                            }
+                            timeout = this.settings.timeout;
+                        }
+                        if (this.settings.endOnInvalidMessage === undefined) {
+                            this.settings.endOnInvalidMessage = true;
+                        }
+                        state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
+                        state.state = {};
+                        state.options = {};
+                        state.expires = new Date().getTime() + timeout;
+                        // Send OAuth card to get SSO token
+                        return [4 /*yield*/, this.sendOAuthCardAsync(dc.context)];
+                    case 1:
+                        // Send OAuth card to get SSO token
+                        _b.sent();
+                        return [2 /*return*/, botbuilderDialogs.Dialog.EndOfTurn];
+                }
+            });
+        });
+    };
+    /**
+     * Called when a prompt dialog is the active dialog and the user replied with a new activity.
+     *
+     * @remarks
+     * If the task is successful, the result indicates whether the dialog is still
+     * active after the turn has been processed by the dialog.
+     * The prompt generally continues to receive the user's replies until it accepts the
+     * user's reply as valid input for the prompt.
+     *
+     * @param dc The DialogContext for the current turn of the conversation.
+     *
+     * @returns A `Promise` representing the asynchronous operation.
+     *
+     * @throws {@link ErrorCode|ChannelNotSupported} when bot channel is not MS Teams.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    TeamsBotSsoPrompt.prototype.continueDialog = function (dc) {
+        var _a;
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var state, isMessage, isTimeoutActivityType, hasTimedOut, recognized;
+            return tslib.__generator(this, function (_b) {
+                switch (_b.label) {
+                    case 0:
+                        internalLogger.info("Continue Teams Bot SSO Prompt");
+                        this.ensureMsTeamsChannel(dc);
+                        state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
+                        isMessage = dc.context.activity.type === botbuilder.ActivityTypes.Message;
+                        isTimeoutActivityType = isMessage ||
+                            this.isTeamsVerificationInvoke(dc.context) ||
+                            this.isTokenExchangeRequestInvoke(dc.context);
+                        hasTimedOut = isTimeoutActivityType && new Date().getTime() > state.expires;
+                        if (!hasTimedOut) return [3 /*break*/, 2];
+                        internalLogger.warn("End Teams Bot SSO Prompt due to timeout");
+                        return [4 /*yield*/, dc.endDialog(undefined)];
+                    case 1: return [2 /*return*/, _b.sent()];
+                    case 2:
+                        if (!(this.isTeamsVerificationInvoke(dc.context) ||
+                            this.isTokenExchangeRequestInvoke(dc.context))) return [3 /*break*/, 6];
+                        return [4 /*yield*/, this.recognizeToken(dc)];
+                    case 3:
+                        recognized = _b.sent();
+                        if (!recognized.succeeded) return [3 /*break*/, 5];
+                        return [4 /*yield*/, dc.endDialog(recognized.value)];
+                    case 4: return [2 /*return*/, _b.sent()];
+                    case 5: return [3 /*break*/, 8];
+                    case 6:
+                        if (!(isMessage && this.settings.endOnInvalidMessage)) return [3 /*break*/, 8];
+                        internalLogger.warn("End Teams Bot SSO Prompt due to invalid message");
+                        return [4 /*yield*/, dc.endDialog(undefined)];
+                    case 7: return [2 /*return*/, _b.sent()];
+                    case 8: return [2 /*return*/, botbuilderDialogs.Dialog.EndOfTurn];
+                }
+            });
+        });
+    };
+    /**
+     * Ensure bot is running in MS Teams since TeamsBotSsoPrompt is only supported in MS Teams channel.
+     * @param dc dialog context
+     * @throws {@link ErrorCode|ChannelNotSupported} if bot channel is not MS Teams
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.ensureMsTeamsChannel = function (dc) {
+        if (dc.context.activity.channelId != botbuilder.Channels.Msteams) {
+            var errorMsg = formatString(ErrorMessage.OnlyMSTeamsChannelSupported, "Teams Bot SSO Prompt");
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, exports.ErrorCode.ChannelNotSupported);
+        }
+    };
+    /**
+     * Send OAuthCard that tells Teams to obtain an authentication token for the bot application.
+     * For details see https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots.
+     *
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.sendOAuthCardAsync = function (context) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var account, loginHint, signInResource, card, msg;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        internalLogger.verbose("Send OAuth card to get SSO token");
+                        return [4 /*yield*/, botbuilder.TeamsInfo.getMember(context, context.activity.from.id)];
+                    case 1:
+                        account = _a.sent();
+                        internalLogger.verbose("Get Teams member account user principal name: " + account.userPrincipalName);
+                        loginHint = account.userPrincipalName ? account.userPrincipalName : "";
+                        signInResource = this.getSignInResource(loginHint);
+                        card = botbuilder.CardFactory.oauthCard("", "Teams SSO Sign In", "Sign In", signInResource.signInLink, signInResource.tokenExchangeResource);
+                        card.content.buttons[0].type = botbuilder.ActionTypes.Signin;
+                        msg = botbuilder.MessageFactory.attachment(card);
+                        // Send prompt
+                        return [4 /*yield*/, context.sendActivity(msg)];
+                    case 2:
+                        // Send prompt
+                        _a.sent();
+                        return [2 /*return*/];
+                }
+            });
+        });
+    };
+    /**
+     * Get sign in resource.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} if client id, tenant id or initiate login endpoint is not found in config.
+     *
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.getSignInResource = function (loginHint) {
+        var _a, _b, _c, _d, _e;
+        internalLogger.verbose("Get sign in authentication configuration");
+        var missingConfigurations = [];
+        if (!((_a = config === null || config === void 0 ? void 0 : config.authentication) === null || _a === void 0 ? void 0 : _a.initiateLoginEndpoint)) {
+            missingConfigurations.push("initiateLoginEndpoint");
+        }
+        if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.clientId)) {
+            missingConfigurations.push("clientId");
+        }
+        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.tenantId)) {
+            missingConfigurations.push("tenantId");
+        }
+        if (!((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.applicationIdUri)) {
+            missingConfigurations.push("applicationIdUri");
+        }
+        if (missingConfigurations.length != 0) {
+            var errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingConfigurations.join(", "), "undefined");
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
+        }
+        var signInLink = config.authentication.initiateLoginEndpoint + "?scope=" + encodeURI(this.settings.scopes.join(" ")) + "&clientId=" + config.authentication.clientId + "&tenantId=" + config.authentication.tenantId + "&loginHint=" + loginHint;
+        internalLogger.verbose("Sign in link: " + signInLink);
+        var tokenExchangeResource = {
+            id: uuid.v4(),
+            uri: ((_e = config.authentication) === null || _e === void 0 ? void 0 : _e.applicationIdUri.replace(/\/$/, "")) + "/access_as_user",
+        };
+        internalLogger.verbose("Token exchange resource uri: " + tokenExchangeResource.uri);
+        return {
+            signInLink: signInLink,
+            tokenExchangeResource: tokenExchangeResource,
+        };
+    };
+    /**
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.recognizeToken = function (dc) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var context, tokenResponse, warningMsg, ssoToken, credential, exchangedToken, ssoTokenExpiration, warningMsg;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        context = dc.context;
+                        if (!this.isTokenExchangeRequestInvoke(context)) return [3 /*break*/, 10];
+                        internalLogger.verbose("Receive token exchange request");
+                        if (!!(context.activity.value && this.isTokenExchangeRequest(context.activity.value))) return [3 /*break*/, 2];
+                        warningMsg = "The bot received an InvokeActivity that is missing a TokenExchangeInvokeRequest value. This is required to be sent with the InvokeActivity.";
+                        internalLogger.warn(warningMsg);
+                        return [4 /*yield*/, context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.BAD_REQUEST, warningMsg))];
+                    case 1:
+                        _a.sent();
+                        return [3 /*break*/, 9];
+                    case 2:
+                        ssoToken = context.activity.value.token;
+                        credential = new OnBehalfOfUserCredential(ssoToken);
+                        exchangedToken = void 0;
+                        _a.label = 3;
+                    case 3:
+                        _a.trys.push([3, 7, , 9]);
+                        return [4 /*yield*/, credential.getToken(this.settings.scopes)];
+                    case 4:
+                        exchangedToken = _a.sent();
+                        if (!exchangedToken) return [3 /*break*/, 6];
+                        return [4 /*yield*/, context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.OK, "", context.activity.value.id))];
+                    case 5:
+                        _a.sent();
+                        ssoTokenExpiration = parseJwt(ssoToken).exp;
+                        tokenResponse = {
+                            ssoToken: ssoToken,
+                            ssoTokenExpiration: new Date(ssoTokenExpiration * 1000).toISOString(),
+                            connectionName: "",
+                            token: exchangedToken.token,
+                            expiration: exchangedToken.expiresOnTimestamp.toString(),
+                        };
+                        _a.label = 6;
+                    case 6: return [3 /*break*/, 9];
+                    case 7:
+                        _a.sent();
+                        warningMsg = "The bot is unable to exchange token. Ask for user consent.";
+                        internalLogger.info(warningMsg);
+                        return [4 /*yield*/, context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.PRECONDITION_FAILED, warningMsg, context.activity.value.id))];
+                    case 8:
+                        _a.sent();
+                        return [3 /*break*/, 9];
+                    case 9: return [3 /*break*/, 13];
+                    case 10:
+                        if (!this.isTeamsVerificationInvoke(context)) return [3 /*break*/, 13];
+                        internalLogger.verbose("Receive Teams state verification request");
+                        return [4 /*yield*/, this.sendOAuthCardAsync(dc.context)];
+                    case 11:
+                        _a.sent();
+                        return [4 /*yield*/, context.sendActivity({ type: invokeResponseType, value: { status: botbuilder.StatusCodes.OK } })];
+                    case 12:
+                        _a.sent();
+                        _a.label = 13;
+                    case 13: return [2 /*return*/, tokenResponse !== undefined
+                            ? { succeeded: true, value: tokenResponse }
+                            : { succeeded: false }];
+                }
+            });
+        });
+    };
+    /**
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.getTokenExchangeInvokeResponse = function (status, failureDetail, id) {
+        var invokeResponse = {
+            type: invokeResponseType,
+            value: { status: status, body: new TokenExchangeInvokeResponse(id, failureDetail) },
+        };
+        return invokeResponse;
+    };
+    /**
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.isTeamsVerificationInvoke = function (context) {
+        var activity = context.activity;
+        return activity.type === botbuilder.ActivityTypes.Invoke && activity.name === botbuilder.verifyStateOperationName;
+    };
+    /**
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.isTokenExchangeRequestInvoke = function (context) {
+        var activity = context.activity;
+        return activity.type === botbuilder.ActivityTypes.Invoke && activity.name === botbuilder.tokenExchangeOperationName;
+    };
+    /**
+     * @internal
+     */
+    TeamsBotSsoPrompt.prototype.isTokenExchangeRequest = function (obj) {
+        return obj.hasOwnProperty("token");
+    };
+    return TeamsBotSsoPrompt;
+}(botbuilderDialogs.Dialog));
+
+exports.DefaultTediousConnectionConfiguration = DefaultTediousConnectionConfiguration;
+exports.ErrorWithCode = ErrorWithCode;
+exports.M365TenantCredential = M365TenantCredential;
+exports.MsGraphAuthProvider = MsGraphAuthProvider;
+exports.OnBehalfOfUserCredential = OnBehalfOfUserCredential;
+exports.TeamsBotSsoPrompt = TeamsBotSsoPrompt;
+exports.TeamsUserCredential = TeamsUserCredential;
+exports.createMicrosoftGraphClient = createMicrosoftGraphClient;
+exports.getAuthenticationConfiguration = getAuthenticationConfiguration;
+exports.getLogLevel = getLogLevel;
+exports.getResourceConfiguration = getResourceConfiguration;
+exports.loadConfiguration = loadConfiguration;
+exports.setLogFunction = setLogFunction;
+exports.setLogLevel = setLogLevel;
+exports.setLogger = setLogger;
+//# sourceMappingURL=index.node.cjs.js.map