@sphereon/ssi-sdk.ms-authenticator 0.34.1-next.91 → 0.36.1-feat.SSISDK.83.11

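--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -45,7 +45,7 @@ module.exports = __toCommonJS(index_exports);
 
 // src/authenticators/MsAuthenticator.ts
 var import_msal_node = require("@azure/msal-node");
-var import_cross_fetch = require("cross-fetch");
+var import_cross_fetch = __toESM(require("cross-fetch"), 1);
 var import_object_hash = __toESM(require("object-hash"), 1);
 var EU = "EU";
 var HTTP_METHOD_GET = "GET";
@@ -58,7 +58,7 @@ var ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest
 var ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = "Could not acquire verifiableCredentials to access your Azure Key Vault:\n";
 var ERROR_FAILED_AUTHENTICATION = "failed to authenticate: ";
 async function getMSOpenIDClientRegion(azTenantId) {
-return (0, import_cross_fetch.fetch)(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, {
+return (0, import_cross_fetch.default)(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, {
 method: HTTP_METHOD_GET
 }).then((res) => res.json()).then(async (resp) => {
 return resp.tenant_region_scope ?? EU;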
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/authenticators/MsAuthenticator.ts"],"sourcesContent":["export * from './authenticators'\nexport * from './types'\n","import {\n AuthenticationResult,\n ConfidentialClientApplication,\n Configuration,\n LogLevel,\n NodeAuthOptions,\n PublicClientApplication,\n UsernamePasswordRequest,\n} from '@azure/msal-node'\nimport { fetch } from 'cross-fetch'\nimport { IMSClientCredentialAuthInfo, IMsAuthenticationClientCredentialArgs, IMsAuthenticationUsernamePasswordArgs } from '../index'\n\nimport hash from 'object-hash'\n\nconst EU = 'EU'\n\nconst HTTP_METHOD_GET = 'GET'\n\n// Event though there are many regions, MS has only 2 DID identity host names (EU and NON_EU)\n// https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/whats-new#are-there-any-changes-to-the-way-that-we-use-the-request-api-as-a-result-of-this-move\nexport const MS_DID_ENDPOINT_NON_EU = 'https://beta.did.msidentity.com/v1.0/'\nexport const MS_DID_ENDPOINT_EU = 'https://beta.eu.did.msidentity.com/v1.0/'\nconst MS_LOGIN_PREFIX = 'https://login.microsoftonline.com/'\nconst MS_LOGIN_OPENID_CONFIG_POSTFIX = '/v2.0/.well-known/openid-configuration'\nconst MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = '3db474b9-6a0c-4840-96ac-1fceb342124f/.default'\n\nconst ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:`\nconst ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = 'Could not acquire verifiableCredentials to access your Azure Key Vault:\\n'\nconst ERROR_FAILED_AUTHENTICATION = 'failed to authenticate: '\n\n// todo: This is a pretty heavy operation. Getting all the OIDC discovery data from a fetch only to return the region. 
Probably wise to add some caching and refactor so we can do more with the other OIDC info as well\nexport async function getMSOpenIDClientRegion(azTenantId: string): Promise<string> {\n return fetch(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, { method: HTTP_METHOD_GET })\n .then((res) => res.json())\n .then(async (resp) => {\n return resp.tenant_region_scope ?? EU\n })\n}\n\nexport async function getEntraDIDEndpoint(opts: { region?: string; azTenantId: string }) {\n const region = opts?.region ?? (await getMSOpenIDClientRegion(opts.azTenantId))\n return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU\n}\n\nexport async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs: IMsAuthenticationClientCredentialArgs): Promise<string> {\n const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs)\n // Check that the Credential Manifest URL is in the same tenant Region and throw an error if it's not\n if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) {\n throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. value: ${authenticationArgs.credentialManifestUrl}`)\n }\n return msDIDEndpoint\n}\n\n/**\n * necessary fields are:\n * azClientId: clientId of the application you're trying to login\n * azClientSecret: secret of the application you're trying to login\n * azTenantId: your MS Azure tenantId\n * optional fields:\n * credentialManifest: address of your credential manifest. usually in following format:\n * https://beta.eu.did.msidentity.com/v1.0/<tenant_id>/verifiableCredential/contracts/<verifiable_credential_schema>\n * @param authenticationArgs\n * @constructor\n */\nexport async function getMSClientCredentialAccessToken(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n opts?: {\n confidentialClient?: ConfidentialClientApplication\n },\n): Promise<AuthenticationResult> {\n const confidentialClient =\n opts?.confidentialClient ?? 
(await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient))\n if (!confidentialClient) {\n throw Error('No Credential Client Authenticator could be constructed')\n }\n if (authenticationArgs?.credentialManifestUrl) {\n await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n }\n\n const msalClientCredentialRequest = {\n scopes: authenticationArgs.scopes ?? (authenticationArgs?.credentialManifestUrl ? [MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE] : []),\n skipCache: authenticationArgs.skipCache ?? false,\n }\n\n // get the Access Token\n try {\n const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest)\n if (result) {\n return result\n }\n } catch (err) {\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err,\n }\n }\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT,\n }\n}\n\nexport async function newMSClientCredentialAuthenticator(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n): Promise<IMSClientCredentialAuthInfo> {\n const didEndpoint = authenticationArgs?.credentialManifestUrl\n ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n : undefined\n const auth = authOptions(authenticationArgs)\n const id = hash(auth)\n const msalConfig: Configuration = {\n auth,\n system: {\n loggerOptions: {\n piiLoggingEnabled: authenticationArgs.piiLoggingEnabled ? authenticationArgs.piiLoggingEnabled : false,\n logLevel: authenticationArgs.logLevel ? 
authenticationArgs.logLevel : LogLevel.Verbose,\n },\n },\n }\n const confidentialClientApp = new ConfidentialClientApplication(msalConfig)\n\n return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id }\n}\n\n/**\n * Logs in with provided authenticationArgs and returns access token\n * @param authenticationArgs\n * @constructor\n */\nexport async function UsernamePasswordAuthenticator(authenticationArgs: IMsAuthenticationUsernamePasswordArgs): Promise<string> {\n const msalConfig = {\n auth: authOptions(authenticationArgs),\n }\n const pca = new PublicClientApplication(msalConfig)\n return await pca\n .acquireTokenByUsernamePassword(authenticationArgs as UsernamePasswordRequest)\n .then((response: any) => {\n return response\n })\n .catch((error: any) => {\n throw new Error(ERROR_FAILED_AUTHENTICATION + error)\n })\n}\n\nfunction authOptions(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): NodeAuthOptions {\n return {\n clientId: authenticationArgs.azClientId,\n authority: authenticationArgs.authority ? 
authenticationArgs.authority : MS_LOGIN_PREFIX + authenticationArgs.azTenantId,\n ...(authenticationArgs && 'azClientSecret' in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret }),\n }\n}\n\nexport function determineMSAuthId(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): string {\n return hash(authOptions(authenticationArgs))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;ACAA,uBAQO;AACP,yBAAsB;AAGtB,yBAAiB;AAEjB,IAAMA,KAAK;AAEX,IAAMC,kBAAkB;AAIjB,IAAMC,yBAAyB;AAC/B,IAAMC,qBAAqB;AAClC,IAAMC,kBAAkB;AACxB,IAAMC,iCAAiC;AACvC,IAAMC,qCAAqC;AAE3C,IAAMC,mCAAmC;AACzC,IAAMC,wCAAwC;AAC9C,IAAMC,8BAA8B;AAGpC,eAAsBC,wBAAwBC,YAAkB;AAC9D,aAAOC,0BAAMR,kBAAkBO,aAAaN,gCAAgC;IAAEQ,QAAQZ;EAAgB,CAAA,EACnGa,KAAK,CAACC,QAAQA,IAAIC,KAAI,CAAA,EACtBF,KAAK,OAAOG,SAAAA;AACX,WAAOA,KAAKC,uBAAuBlB;EACrC,CAAA;AACJ;AANsBU;AAQtB,eAAsBS,oBAAoBC,MAA6C;AACrF,QAAMC,SAASD,MAAMC,UAAW,MAAMX,wBAAwBU,KAAKT,UAAU;AAC7E,SAAOU,WAAWrB,KAAKG,qBAAqBD;AAC9C;AAHsBiB;AAKtB,eAAsBG,gDAAgDC,oBAAyD;AAC7H,QAAMC,gBAAgB,MAAML,oBAAoBI,kBAAAA;AAEhD,MAAI,CAACA,mBAAmBE,uBAAuBC,WAAWF,aAAAA,GAAgB;AACxE,UAAM,IAAIG,MAAMpB,mCAAmCiB,gBAAgB,YAAYD,mBAAmBE,qBAAqB,EAAE;EAC3H;AACA,SAAOD;AACT;AAPsBF;AAoBtB,eAAsBM,iCACpBL,oBACAH,MAEC;AAED,QAAMS,qBACJT,MAAMS,sBAAuB,MAAMC,mCAAmCP,kBAAAA,EAAoBT,KAAK,CAACiB,QAAQA,IAAIF,kBAAkB;AAChI,MAAI,CAACA,oBAAoB;AACvB,UAAMF,MAAM,yDAAA;EACd;AACA,MAAIJ,oBAAoBE,uBAAuB;AAC7C,UAAMH,gDAAgDC,kBAAAA;EACxD;AAEA,QAAMS,8BAA8B;IAClCC,QAAQV,mBAAmBU,WAAWV,oBAAoBE,wBAAwB;MAACnB;QAAsC,CAAA;IACzH4B,WAAWX,mBAAmBW,aAAa;EAC7C;AAGA,MAAI;AACF,UAAMC,SAAS,MAAMN,mBAAmBO,+BAA+BJ,2BAAAA;AACvE,QAAIG,QAAQ;AACV,aAAOA;IACT;EACF,SAASE,KAAK;AACZ,UAAM;MACJC,OAAO9B,wCAAwC6B;IACjD;EACF;AACA,QAAM;IACJC,OAAO9B;EACT;AACF;AAlCsBoB;AAoCtB,eAAsBE,mCACpBP,oBAAyD;AAEzD,QAAMgB,cAAchB,oBAAoBE,wBACpC,MAAMH,gDAAgDC,kBAAAA,IACtDiB;AACJ,QAAMC,OAAOC,YAAYnB,kBAAAA;AACzB,QAAMoB,SAAKC,mBAAAA,SAAKH,IAAAA;AAChB,QAAMI,aAA4B;IAChCJ;IACAK,QAAQ;MACNC,eAAe;QACbC,mBAAmBzB,
mBAAmByB,oBAAoBzB,mBAAmByB,oBAAoB;QACjGC,UAAU1B,mBAAmB0B,WAAW1B,mBAAmB0B,WAAWC,0BAASC;MACjF;IACF;EACF;AACA,QAAMC,wBAAwB,IAAIC,+CAA8BR,UAAAA;AAEhE,SAAO;IAAEhB,oBAAoBuB;IAAuBP;IAAYtB;IAAoBgB;IAAaI;EAAG;AACtG;AApBsBb;AA2BtB,eAAsBwB,8BAA8B/B,oBAAyD;AAC3G,QAAMsB,aAAa;IACjBJ,MAAMC,YAAYnB,kBAAAA;EACpB;AACA,QAAMgC,MAAM,IAAIC,yCAAwBX,UAAAA;AACxC,SAAO,MAAMU,IACVE,+BAA+BlC,kBAAAA,EAC/BT,KAAK,CAAC4C,aAAAA;AACL,WAAOA;EACT,CAAA,EACCC,MAAM,CAACrB,UAAAA;AACN,UAAM,IAAIX,MAAMlB,8BAA8B6B,KAAAA;EAChD,CAAA;AACJ;AAbsBgB;AAetB,SAASZ,YAAYnB,oBAAiG;AACpH,SAAO;IACLqC,UAAUrC,mBAAmBsC;IAC7BC,WAAWvC,mBAAmBuC,YAAYvC,mBAAmBuC,YAAY1D,kBAAkBmB,mBAAmBZ;IAC9G,GAAIY,sBAAsB,oBAAoBA,sBAAsB;MAAEwC,cAAcxC,mBAAmByC;IAAe;EACxH;AACF;AANStB;AAQF,SAASuB,kBAAkB1C,oBAAiG;AACjI,aAAOqB,mBAAAA,SAAKF,YAAYnB,kBAAAA,CAAAA;AAC1B;AAFgB0C;","names":["EU","HTTP_METHOD_GET","MS_DID_ENDPOINT_NON_EU","MS_DID_ENDPOINT_EU","MS_LOGIN_PREFIX","MS_LOGIN_OPENID_CONFIG_POSTFIX","MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE","ERROR_CREDENTIAL_MANIFEST_REGION","ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT","ERROR_FAILED_AUTHENTICATION","getMSOpenIDClientRegion","azTenantId","fetch","method","then","res","json","resp","tenant_region_scope","getEntraDIDEndpoint","opts","region","assertEntraCredentialManifestUrlInCorrectRegion","authenticationArgs","msDIDEndpoint","credentialManifestUrl","startsWith","Error","getMSClientCredentialAccessToken","confidentialClient","newMSClientCredentialAuthenticator","cca","msalClientCredentialRequest","scopes","skipCache","result","acquireTokenByClientCredential","err","error","didEndpoint","undefined","auth","authOptions","id","hash","msalConfig","system","loggerOptions","piiLoggingEnabled","logLevel","LogLevel","Verbose","confidentialClientApp","ConfidentialClientApplication","UsernamePasswordAuthenticator","pca","PublicClientApplication","acquireTokenByUsernamePassword","response","catch","clientId","azClientId","authority","clientSecret","azClientSecret","determineMSAuthId"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/authenticators/MsAuthenticator.ts"],"sourcesContent":["export * from './authenticators'\nexport * from './types'\n","import {\n AuthenticationResult,\n ConfidentialClientApplication,\n Configuration,\n LogLevel,\n NodeAuthOptions,\n PublicClientApplication,\n UsernamePasswordRequest,\n} from '@azure/msal-node'\nimport fetch from 'cross-fetch'\nimport { IMSClientCredentialAuthInfo, IMsAuthenticationClientCredentialArgs, IMsAuthenticationUsernamePasswordArgs } from '../index'\n\nimport hash from 'object-hash'\n\nconst EU = 'EU'\n\nconst HTTP_METHOD_GET = 'GET'\n\n// Event though there are many regions, MS has only 2 DID identity host names (EU and NON_EU)\n// https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/whats-new#are-there-any-changes-to-the-way-that-we-use-the-request-api-as-a-result-of-this-move\nexport const MS_DID_ENDPOINT_NON_EU = 'https://beta.did.msidentity.com/v1.0/'\nexport const MS_DID_ENDPOINT_EU = 'https://beta.eu.did.msidentity.com/v1.0/'\nconst MS_LOGIN_PREFIX = 'https://login.microsoftonline.com/'\nconst MS_LOGIN_OPENID_CONFIG_POSTFIX = '/v2.0/.well-known/openid-configuration'\nconst MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = '3db474b9-6a0c-4840-96ac-1fceb342124f/.default'\n\nconst ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:`\nconst ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = 'Could not acquire verifiableCredentials to access your Azure Key Vault:\\n'\nconst ERROR_FAILED_AUTHENTICATION = 'failed to authenticate: '\n\n// todo: This is a pretty heavy operation. Getting all the OIDC discovery data from a fetch only to return the region. 
Probably wise to add some caching and refactor so we can do more with the other OIDC info as well\nexport async function getMSOpenIDClientRegion(azTenantId: string): Promise<string> {\n return fetch(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, { method: HTTP_METHOD_GET })\n .then((res) => res.json())\n .then(async (resp) => {\n return resp.tenant_region_scope ?? EU\n })\n}\n\nexport async function getEntraDIDEndpoint(opts: { region?: string; azTenantId: string }) {\n const region = opts?.region ?? (await getMSOpenIDClientRegion(opts.azTenantId))\n return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU\n}\n\nexport async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs: IMsAuthenticationClientCredentialArgs): Promise<string> {\n const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs)\n // Check that the Credential Manifest URL is in the same tenant Region and throw an error if it's not\n if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) {\n throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. value: ${authenticationArgs.credentialManifestUrl}`)\n }\n return msDIDEndpoint\n}\n\n/**\n * necessary fields are:\n * azClientId: clientId of the application you're trying to login\n * azClientSecret: secret of the application you're trying to login\n * azTenantId: your MS Azure tenantId\n * optional fields:\n * credentialManifest: address of your credential manifest. usually in following format:\n * https://beta.eu.did.msidentity.com/v1.0/<tenant_id>/verifiableCredential/contracts/<verifiable_credential_schema>\n * @param authenticationArgs\n * @constructor\n */\nexport async function getMSClientCredentialAccessToken(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n opts?: {\n confidentialClient?: ConfidentialClientApplication\n },\n): Promise<AuthenticationResult> {\n const confidentialClient =\n opts?.confidentialClient ?? 
(await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient))\n if (!confidentialClient) {\n throw Error('No Credential Client Authenticator could be constructed')\n }\n if (authenticationArgs?.credentialManifestUrl) {\n await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n }\n\n const msalClientCredentialRequest = {\n scopes: authenticationArgs.scopes ?? (authenticationArgs?.credentialManifestUrl ? [MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE] : []),\n skipCache: authenticationArgs.skipCache ?? false,\n }\n\n // get the Access Token\n try {\n const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest)\n if (result) {\n return result\n }\n } catch (err) {\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err,\n }\n }\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT,\n }\n}\n\nexport async function newMSClientCredentialAuthenticator(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n): Promise<IMSClientCredentialAuthInfo> {\n const didEndpoint = authenticationArgs?.credentialManifestUrl\n ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n : undefined\n const auth = authOptions(authenticationArgs)\n const id = hash(auth)\n const msalConfig: Configuration = {\n auth,\n system: {\n loggerOptions: {\n piiLoggingEnabled: authenticationArgs.piiLoggingEnabled ? authenticationArgs.piiLoggingEnabled : false,\n logLevel: authenticationArgs.logLevel ? 
authenticationArgs.logLevel : LogLevel.Verbose,\n },\n },\n }\n const confidentialClientApp = new ConfidentialClientApplication(msalConfig)\n\n return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id }\n}\n\n/**\n * Logs in with provided authenticationArgs and returns access token\n * @param authenticationArgs\n * @constructor\n */\nexport async function UsernamePasswordAuthenticator(authenticationArgs: IMsAuthenticationUsernamePasswordArgs): Promise<string> {\n const msalConfig = {\n auth: authOptions(authenticationArgs),\n }\n const pca = new PublicClientApplication(msalConfig)\n return await pca\n .acquireTokenByUsernamePassword(authenticationArgs as UsernamePasswordRequest)\n .then((response: any) => {\n return response\n })\n .catch((error: any) => {\n throw new Error(ERROR_FAILED_AUTHENTICATION + error)\n })\n}\n\nfunction authOptions(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): NodeAuthOptions {\n return {\n clientId: authenticationArgs.azClientId,\n authority: authenticationArgs.authority ? 
authenticationArgs.authority : MS_LOGIN_PREFIX + authenticationArgs.azTenantId,\n ...(authenticationArgs && 'azClientSecret' in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret }),\n }\n}\n\nexport function determineMSAuthId(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): string {\n return hash(authOptions(authenticationArgs))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;ACAA,uBAQO;AACP,yBAAkB;AAGlB,yBAAiB;AAEjB,IAAMA,KAAK;AAEX,IAAMC,kBAAkB;AAIjB,IAAMC,yBAAyB;AAC/B,IAAMC,qBAAqB;AAClC,IAAMC,kBAAkB;AACxB,IAAMC,iCAAiC;AACvC,IAAMC,qCAAqC;AAE3C,IAAMC,mCAAmC;AACzC,IAAMC,wCAAwC;AAC9C,IAAMC,8BAA8B;AAGpC,eAAsBC,wBAAwBC,YAAkB;AAC9D,aAAOC,mBAAAA,SAAMR,kBAAkBO,aAAaN,gCAAgC;IAAEQ,QAAQZ;EAAgB,CAAA,EACnGa,KAAK,CAACC,QAAQA,IAAIC,KAAI,CAAA,EACtBF,KAAK,OAAOG,SAAAA;AACX,WAAOA,KAAKC,uBAAuBlB;EACrC,CAAA;AACJ;AANsBU;AAQtB,eAAsBS,oBAAoBC,MAA6C;AACrF,QAAMC,SAASD,MAAMC,UAAW,MAAMX,wBAAwBU,KAAKT,UAAU;AAC7E,SAAOU,WAAWrB,KAAKG,qBAAqBD;AAC9C;AAHsBiB;AAKtB,eAAsBG,gDAAgDC,oBAAyD;AAC7H,QAAMC,gBAAgB,MAAML,oBAAoBI,kBAAAA;AAEhD,MAAI,CAACA,mBAAmBE,uBAAuBC,WAAWF,aAAAA,GAAgB;AACxE,UAAM,IAAIG,MAAMpB,mCAAmCiB,gBAAgB,YAAYD,mBAAmBE,qBAAqB,EAAE;EAC3H;AACA,SAAOD;AACT;AAPsBF;AAoBtB,eAAsBM,iCACpBL,oBACAH,MAEC;AAED,QAAMS,qBACJT,MAAMS,sBAAuB,MAAMC,mCAAmCP,kBAAAA,EAAoBT,KAAK,CAACiB,QAAQA,IAAIF,kBAAkB;AAChI,MAAI,CAACA,oBAAoB;AACvB,UAAMF,MAAM,yDAAA;EACd;AACA,MAAIJ,oBAAoBE,uBAAuB;AAC7C,UAAMH,gDAAgDC,kBAAAA;EACxD;AAEA,QAAMS,8BAA8B;IAClCC,QAAQV,mBAAmBU,WAAWV,oBAAoBE,wBAAwB;MAACnB;QAAsC,CAAA;IACzH4B,WAAWX,mBAAmBW,aAAa;EAC7C;AAGA,MAAI;AACF,UAAMC,SAAS,MAAMN,mBAAmBO,+BAA+BJ,2BAAAA;AACvE,QAAIG,QAAQ;AACV,aAAOA;IACT;EACF,SAASE,KAAK;AACZ,UAAM;MACJC,OAAO9B,wCAAwC6B;IACjD;EACF;AACA,QAAM;IACJC,OAAO9B;EACT;AACF;AAlCsBoB;AAoCtB,eAAsBE,mCACpBP,oBAAyD;AAEzD,QAAMgB,cAAchB,oBAAoBE,wBACpC,MAAMH,gDAAgDC,kBAAAA,IACtDiB;AACJ,QAAMC,OAAOC,YAAYnB,kBAAAA;AACzB,QAAMoB,SAAKC,mBAAAA,SAAKH,IAAAA;AAChB,QAAMI,aAA4B;IAChCJ;IACAK,QAAQ;MACNC,eAAe;QACbC,mBA
AmBzB,mBAAmByB,oBAAoBzB,mBAAmByB,oBAAoB;QACjGC,UAAU1B,mBAAmB0B,WAAW1B,mBAAmB0B,WAAWC,0BAASC;MACjF;IACF;EACF;AACA,QAAMC,wBAAwB,IAAIC,+CAA8BR,UAAAA;AAEhE,SAAO;IAAEhB,oBAAoBuB;IAAuBP;IAAYtB;IAAoBgB;IAAaI;EAAG;AACtG;AApBsBb;AA2BtB,eAAsBwB,8BAA8B/B,oBAAyD;AAC3G,QAAMsB,aAAa;IACjBJ,MAAMC,YAAYnB,kBAAAA;EACpB;AACA,QAAMgC,MAAM,IAAIC,yCAAwBX,UAAAA;AACxC,SAAO,MAAMU,IACVE,+BAA+BlC,kBAAAA,EAC/BT,KAAK,CAAC4C,aAAAA;AACL,WAAOA;EACT,CAAA,EACCC,MAAM,CAACrB,UAAAA;AACN,UAAM,IAAIX,MAAMlB,8BAA8B6B,KAAAA;EAChD,CAAA;AACJ;AAbsBgB;AAetB,SAASZ,YAAYnB,oBAAiG;AACpH,SAAO;IACLqC,UAAUrC,mBAAmBsC;IAC7BC,WAAWvC,mBAAmBuC,YAAYvC,mBAAmBuC,YAAY1D,kBAAkBmB,mBAAmBZ;IAC9G,GAAIY,sBAAsB,oBAAoBA,sBAAsB;MAAEwC,cAAcxC,mBAAmByC;IAAe;EACxH;AACF;AANStB;AAQF,SAASuB,kBAAkB1C,oBAAiG;AACjI,aAAOqB,mBAAAA,SAAKF,YAAYnB,kBAAAA,CAAAA;AAC1B;AAFgB0C;","names":["EU","HTTP_METHOD_GET","MS_DID_ENDPOINT_NON_EU","MS_DID_ENDPOINT_EU","MS_LOGIN_PREFIX","MS_LOGIN_OPENID_CONFIG_POSTFIX","MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE","ERROR_CREDENTIAL_MANIFEST_REGION","ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT","ERROR_FAILED_AUTHENTICATION","getMSOpenIDClientRegion","azTenantId","fetch","method","then","res","json","resp","tenant_region_scope","getEntraDIDEndpoint","opts","region","assertEntraCredentialManifestUrlInCorrectRegion","authenticationArgs","msDIDEndpoint","credentialManifestUrl","startsWith","Error","getMSClientCredentialAccessToken","confidentialClient","newMSClientCredentialAuthenticator","cca","msalClientCredentialRequest","scopes","skipCache","result","acquireTokenByClientCredential","err","error","didEndpoint","undefined","auth","authOptions","id","hash","msalConfig","system","loggerOptions","piiLoggingEnabled","logLevel","LogLevel","Verbose","confidentialClientApp","ConfidentialClientApplication","UsernamePasswordAuthenticator","pca","PublicClientApplication","acquireTokenByUsernamePassword","response","catch","clientId","azClientId","authority","clientSecret","azClientSecret","determineMSAuthId"]}
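--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -3,7 +3,7 @@ var __name = (target, value) => __defProp(target, "name", { value, configurable:
 
 // src/authenticators/MsAuthenticator.ts
 import { ConfidentialClientApplication, LogLevel, PublicClientApplication } from "@azure/msal-node";
-import { fetch } from "cross-fetch";
+import fetch from "cross-fetch";
 import hash from "object-hash";
 var EU = "EU";
 var HTTP_METHOD_GET = "GET";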
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/authenticators/MsAuthenticator.ts"],"sourcesContent":["import {\n AuthenticationResult,\n ConfidentialClientApplication,\n Configuration,\n LogLevel,\n NodeAuthOptions,\n PublicClientApplication,\n UsernamePasswordRequest,\n} from '@azure/msal-node'\nimport { fetch } from 'cross-fetch'\nimport { IMSClientCredentialAuthInfo, IMsAuthenticationClientCredentialArgs, IMsAuthenticationUsernamePasswordArgs } from '../index'\n\nimport hash from 'object-hash'\n\nconst EU = 'EU'\n\nconst HTTP_METHOD_GET = 'GET'\n\n// Event though there are many regions, MS has only 2 DID identity host names (EU and NON_EU)\n// https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/whats-new#are-there-any-changes-to-the-way-that-we-use-the-request-api-as-a-result-of-this-move\nexport const MS_DID_ENDPOINT_NON_EU = 'https://beta.did.msidentity.com/v1.0/'\nexport const MS_DID_ENDPOINT_EU = 'https://beta.eu.did.msidentity.com/v1.0/'\nconst MS_LOGIN_PREFIX = 'https://login.microsoftonline.com/'\nconst MS_LOGIN_OPENID_CONFIG_POSTFIX = '/v2.0/.well-known/openid-configuration'\nconst MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = '3db474b9-6a0c-4840-96ac-1fceb342124f/.default'\n\nconst ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:`\nconst ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = 'Could not acquire verifiableCredentials to access your Azure Key Vault:\\n'\nconst ERROR_FAILED_AUTHENTICATION = 'failed to authenticate: '\n\n// todo: This is a pretty heavy operation. Getting all the OIDC discovery data from a fetch only to return the region. 
Probably wise to add some caching and refactor so we can do more with the other OIDC info as well\nexport async function getMSOpenIDClientRegion(azTenantId: string): Promise<string> {\n return fetch(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, { method: HTTP_METHOD_GET })\n .then((res) => res.json())\n .then(async (resp) => {\n return resp.tenant_region_scope ?? EU\n })\n}\n\nexport async function getEntraDIDEndpoint(opts: { region?: string; azTenantId: string }) {\n const region = opts?.region ?? (await getMSOpenIDClientRegion(opts.azTenantId))\n return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU\n}\n\nexport async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs: IMsAuthenticationClientCredentialArgs): Promise<string> {\n const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs)\n // Check that the Credential Manifest URL is in the same tenant Region and throw an error if it's not\n if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) {\n throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. value: ${authenticationArgs.credentialManifestUrl}`)\n }\n return msDIDEndpoint\n}\n\n/**\n * necessary fields are:\n * azClientId: clientId of the application you're trying to login\n * azClientSecret: secret of the application you're trying to login\n * azTenantId: your MS Azure tenantId\n * optional fields:\n * credentialManifest: address of your credential manifest. usually in following format:\n * https://beta.eu.did.msidentity.com/v1.0/<tenant_id>/verifiableCredential/contracts/<verifiable_credential_schema>\n * @param authenticationArgs\n * @constructor\n */\nexport async function getMSClientCredentialAccessToken(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n opts?: {\n confidentialClient?: ConfidentialClientApplication\n },\n): Promise<AuthenticationResult> {\n const confidentialClient =\n opts?.confidentialClient ?? 
(await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient))\n if (!confidentialClient) {\n throw Error('No Credential Client Authenticator could be constructed')\n }\n if (authenticationArgs?.credentialManifestUrl) {\n await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n }\n\n const msalClientCredentialRequest = {\n scopes: authenticationArgs.scopes ?? (authenticationArgs?.credentialManifestUrl ? [MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE] : []),\n skipCache: authenticationArgs.skipCache ?? false,\n }\n\n // get the Access Token\n try {\n const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest)\n if (result) {\n return result\n }\n } catch (err) {\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err,\n }\n }\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT,\n }\n}\n\nexport async function newMSClientCredentialAuthenticator(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n): Promise<IMSClientCredentialAuthInfo> {\n const didEndpoint = authenticationArgs?.credentialManifestUrl\n ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n : undefined\n const auth = authOptions(authenticationArgs)\n const id = hash(auth)\n const msalConfig: Configuration = {\n auth,\n system: {\n loggerOptions: {\n piiLoggingEnabled: authenticationArgs.piiLoggingEnabled ? authenticationArgs.piiLoggingEnabled : false,\n logLevel: authenticationArgs.logLevel ? 
authenticationArgs.logLevel : LogLevel.Verbose,\n },\n },\n }\n const confidentialClientApp = new ConfidentialClientApplication(msalConfig)\n\n return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id }\n}\n\n/**\n * Logs in with provided authenticationArgs and returns access token\n * @param authenticationArgs\n * @constructor\n */\nexport async function UsernamePasswordAuthenticator(authenticationArgs: IMsAuthenticationUsernamePasswordArgs): Promise<string> {\n const msalConfig = {\n auth: authOptions(authenticationArgs),\n }\n const pca = new PublicClientApplication(msalConfig)\n return await pca\n .acquireTokenByUsernamePassword(authenticationArgs as UsernamePasswordRequest)\n .then((response: any) => {\n return response\n })\n .catch((error: any) => {\n throw new Error(ERROR_FAILED_AUTHENTICATION + error)\n })\n}\n\nfunction authOptions(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): NodeAuthOptions {\n return {\n clientId: authenticationArgs.azClientId,\n authority: authenticationArgs.authority ? 
authenticationArgs.authority : MS_LOGIN_PREFIX + authenticationArgs.azTenantId,\n ...(authenticationArgs && 'azClientSecret' in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret }),\n }\n}\n\nexport function determineMSAuthId(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): string {\n return hash(authOptions(authenticationArgs))\n}\n"],"mappings":";;;;AAAA,SAEEA,+BAEAC,UAEAC,+BAEK;AACP,SAASC,aAAa;AAGtB,OAAOC,UAAU;AAEjB,IAAMC,KAAK;AAEX,IAAMC,kBAAkB;AAIjB,IAAMC,yBAAyB;AAC/B,IAAMC,qBAAqB;AAClC,IAAMC,kBAAkB;AACxB,IAAMC,iCAAiC;AACvC,IAAMC,qCAAqC;AAE3C,IAAMC,mCAAmC;AACzC,IAAMC,wCAAwC;AAC9C,IAAMC,8BAA8B;AAGpC,eAAsBC,wBAAwBC,YAAkB;AAC9D,SAAOC,MAAMR,kBAAkBO,aAAaN,gCAAgC;IAAEQ,QAAQZ;EAAgB,CAAA,EACnGa,KAAK,CAACC,QAAQA,IAAIC,KAAI,CAAA,EACtBF,KAAK,OAAOG,SAAAA;AACX,WAAOA,KAAKC,uBAAuBlB;EACrC,CAAA;AACJ;AANsBU;AAQtB,eAAsBS,oBAAoBC,MAA6C;AACrF,QAAMC,SAASD,MAAMC,UAAW,MAAMX,wBAAwBU,KAAKT,UAAU;AAC7E,SAAOU,WAAWrB,KAAKG,qBAAqBD;AAC9C;AAHsBiB;AAKtB,eAAsBG,gDAAgDC,oBAAyD;AAC7H,QAAMC,gBAAgB,MAAML,oBAAoBI,kBAAAA;AAEhD,MAAI,CAACA,mBAAmBE,uBAAuBC,WAAWF,aAAAA,GAAgB;AACxE,UAAM,IAAIG,MAAMpB,mCAAmCiB,gBAAgB,YAAYD,mBAAmBE,qBAAqB,EAAE;EAC3H;AACA,SAAOD;AACT;AAPsBF;AAoBtB,eAAsBM,iCACpBL,oBACAH,MAEC;AAED,QAAMS,qBACJT,MAAMS,sBAAuB,MAAMC,mCAAmCP,kBAAAA,EAAoBT,KAAK,CAACiB,QAAQA,IAAIF,kBAAkB;AAChI,MAAI,CAACA,oBAAoB;AACvB,UAAMF,MAAM,yDAAA;EACd;AACA,MAAIJ,oBAAoBE,uBAAuB;AAC7C,UAAMH,gDAAgDC,kBAAAA;EACxD;AAEA,QAAMS,8BAA8B;IAClCC,QAAQV,mBAAmBU,WAAWV,oBAAoBE,wBAAwB;MAACnB;QAAsC,CAAA;IACzH4B,WAAWX,mBAAmBW,aAAa;EAC7C;AAGA,MAAI;AACF,UAAMC,SAAS,MAAMN,mBAAmBO,+BAA+BJ,2BAAAA;AACvE,QAAIG,QAAQ;AACV,aAAOA;IACT;EACF,SAASE,KAAK;AACZ,UAAM;MACJC,OAAO9B,wCAAwC6B;IACjD;EACF;AACA,QAAM;IACJC,OAAO9B;EACT;AACF;AAlCsBoB;AAoCtB,eAAsBE,mCACpBP,oBAAyD;AAEzD,QAAMgB,cAAchB,oBAAoBE,wBACpC,MAAMH,gDAAgDC,kBAAAA,IACtDiB;AACJ,QAAMC,OAAOC,YAAYnB,kBAAAA;AACzB,QAAMoB,KAAKC,KAAKH,IAAAA;AAChB,QAAMI,aAA4B;IAChCJ;IACAK,QAAQ;MACNC,eAAe;QACbC,mBAAmBzB,mBAAmByB,oBAAoBzB,mBAAmByB,
oBAAoB;QACjGC,UAAU1B,mBAAmB0B,WAAW1B,mBAAmB0B,WAAWC,SAASC;MACjF;IACF;EACF;AACA,QAAMC,wBAAwB,IAAIC,8BAA8BR,UAAAA;AAEhE,SAAO;IAAEhB,oBAAoBuB;IAAuBP;IAAYtB;IAAoBgB;IAAaI;EAAG;AACtG;AApBsBb;AA2BtB,eAAsBwB,8BAA8B/B,oBAAyD;AAC3G,QAAMsB,aAAa;IACjBJ,MAAMC,YAAYnB,kBAAAA;EACpB;AACA,QAAMgC,MAAM,IAAIC,wBAAwBX,UAAAA;AACxC,SAAO,MAAMU,IACVE,+BAA+BlC,kBAAAA,EAC/BT,KAAK,CAAC4C,aAAAA;AACL,WAAOA;EACT,CAAA,EACCC,MAAM,CAACrB,UAAAA;AACN,UAAM,IAAIX,MAAMlB,8BAA8B6B,KAAAA;EAChD,CAAA;AACJ;AAbsBgB;AAetB,SAASZ,YAAYnB,oBAAiG;AACpH,SAAO;IACLqC,UAAUrC,mBAAmBsC;IAC7BC,WAAWvC,mBAAmBuC,YAAYvC,mBAAmBuC,YAAY1D,kBAAkBmB,mBAAmBZ;IAC9G,GAAIY,sBAAsB,oBAAoBA,sBAAsB;MAAEwC,cAAcxC,mBAAmByC;IAAe;EACxH;AACF;AANStB;AAQF,SAASuB,kBAAkB1C,oBAAiG;AACjI,SAAOqB,KAAKF,YAAYnB,kBAAAA,CAAAA;AAC1B;AAFgB0C;","names":["ConfidentialClientApplication","LogLevel","PublicClientApplication","fetch","hash","EU","HTTP_METHOD_GET","MS_DID_ENDPOINT_NON_EU","MS_DID_ENDPOINT_EU","MS_LOGIN_PREFIX","MS_LOGIN_OPENID_CONFIG_POSTFIX","MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE","ERROR_CREDENTIAL_MANIFEST_REGION","ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT","ERROR_FAILED_AUTHENTICATION","getMSOpenIDClientRegion","azTenantId","fetch","method","then","res","json","resp","tenant_region_scope","getEntraDIDEndpoint","opts","region","assertEntraCredentialManifestUrlInCorrectRegion","authenticationArgs","msDIDEndpoint","credentialManifestUrl","startsWith","Error","getMSClientCredentialAccessToken","confidentialClient","newMSClientCredentialAuthenticator","cca","msalClientCredentialRequest","scopes","skipCache","result","acquireTokenByClientCredential","err","error","didEndpoint","undefined","auth","authOptions","id","hash","msalConfig","system","loggerOptions","piiLoggingEnabled","logLevel","LogLevel","Verbose","confidentialClientApp","ConfidentialClientApplication","UsernamePasswordAuthenticator","pca","PublicClientApplication","acquireTokenByUsernamePassword","response","catch","clientId","azClientId","authority","clientSecret","azClientSecret","determineMSA
uthId"]}
1
+ {"version":3,"sources":["../src/authenticators/MsAuthenticator.ts"],"sourcesContent":["import {\n AuthenticationResult,\n ConfidentialClientApplication,\n Configuration,\n LogLevel,\n NodeAuthOptions,\n PublicClientApplication,\n UsernamePasswordRequest,\n} from '@azure/msal-node'\nimport fetch from 'cross-fetch'\nimport { IMSClientCredentialAuthInfo, IMsAuthenticationClientCredentialArgs, IMsAuthenticationUsernamePasswordArgs } from '../index'\n\nimport hash from 'object-hash'\n\nconst EU = 'EU'\n\nconst HTTP_METHOD_GET = 'GET'\n\n// Event though there are many regions, MS has only 2 DID identity host names (EU and NON_EU)\n// https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/whats-new#are-there-any-changes-to-the-way-that-we-use-the-request-api-as-a-result-of-this-move\nexport const MS_DID_ENDPOINT_NON_EU = 'https://beta.did.msidentity.com/v1.0/'\nexport const MS_DID_ENDPOINT_EU = 'https://beta.eu.did.msidentity.com/v1.0/'\nconst MS_LOGIN_PREFIX = 'https://login.microsoftonline.com/'\nconst MS_LOGIN_OPENID_CONFIG_POSTFIX = '/v2.0/.well-known/openid-configuration'\nconst MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = '3db474b9-6a0c-4840-96ac-1fceb342124f/.default'\n\nconst ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:`\nconst ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = 'Could not acquire verifiableCredentials to access your Azure Key Vault:\\n'\nconst ERROR_FAILED_AUTHENTICATION = 'failed to authenticate: '\n\n// todo: This is a pretty heavy operation. Getting all the OIDC discovery data from a fetch only to return the region. 
Probably wise to add some caching and refactor so we can do more with the other OIDC info as well\nexport async function getMSOpenIDClientRegion(azTenantId: string): Promise<string> {\n return fetch(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, { method: HTTP_METHOD_GET })\n .then((res) => res.json())\n .then(async (resp) => {\n return resp.tenant_region_scope ?? EU\n })\n}\n\nexport async function getEntraDIDEndpoint(opts: { region?: string; azTenantId: string }) {\n const region = opts?.region ?? (await getMSOpenIDClientRegion(opts.azTenantId))\n return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU\n}\n\nexport async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs: IMsAuthenticationClientCredentialArgs): Promise<string> {\n const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs)\n // Check that the Credential Manifest URL is in the same tenant Region and throw an error if it's not\n if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) {\n throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. value: ${authenticationArgs.credentialManifestUrl}`)\n }\n return msDIDEndpoint\n}\n\n/**\n * necessary fields are:\n * azClientId: clientId of the application you're trying to login\n * azClientSecret: secret of the application you're trying to login\n * azTenantId: your MS Azure tenantId\n * optional fields:\n * credentialManifest: address of your credential manifest. usually in following format:\n * https://beta.eu.did.msidentity.com/v1.0/<tenant_id>/verifiableCredential/contracts/<verifiable_credential_schema>\n * @param authenticationArgs\n * @constructor\n */\nexport async function getMSClientCredentialAccessToken(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n opts?: {\n confidentialClient?: ConfidentialClientApplication\n },\n): Promise<AuthenticationResult> {\n const confidentialClient =\n opts?.confidentialClient ?? 
(await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient))\n if (!confidentialClient) {\n throw Error('No Credential Client Authenticator could be constructed')\n }\n if (authenticationArgs?.credentialManifestUrl) {\n await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n }\n\n const msalClientCredentialRequest = {\n scopes: authenticationArgs.scopes ?? (authenticationArgs?.credentialManifestUrl ? [MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE] : []),\n skipCache: authenticationArgs.skipCache ?? false,\n }\n\n // get the Access Token\n try {\n const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest)\n if (result) {\n return result\n }\n } catch (err) {\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err,\n }\n }\n throw {\n error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT,\n }\n}\n\nexport async function newMSClientCredentialAuthenticator(\n authenticationArgs: IMsAuthenticationClientCredentialArgs,\n): Promise<IMSClientCredentialAuthInfo> {\n const didEndpoint = authenticationArgs?.credentialManifestUrl\n ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)\n : undefined\n const auth = authOptions(authenticationArgs)\n const id = hash(auth)\n const msalConfig: Configuration = {\n auth,\n system: {\n loggerOptions: {\n piiLoggingEnabled: authenticationArgs.piiLoggingEnabled ? authenticationArgs.piiLoggingEnabled : false,\n logLevel: authenticationArgs.logLevel ? 
authenticationArgs.logLevel : LogLevel.Verbose,\n },\n },\n }\n const confidentialClientApp = new ConfidentialClientApplication(msalConfig)\n\n return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id }\n}\n\n/**\n * Logs in with provided authenticationArgs and returns access token\n * @param authenticationArgs\n * @constructor\n */\nexport async function UsernamePasswordAuthenticator(authenticationArgs: IMsAuthenticationUsernamePasswordArgs): Promise<string> {\n const msalConfig = {\n auth: authOptions(authenticationArgs),\n }\n const pca = new PublicClientApplication(msalConfig)\n return await pca\n .acquireTokenByUsernamePassword(authenticationArgs as UsernamePasswordRequest)\n .then((response: any) => {\n return response\n })\n .catch((error: any) => {\n throw new Error(ERROR_FAILED_AUTHENTICATION + error)\n })\n}\n\nfunction authOptions(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): NodeAuthOptions {\n return {\n clientId: authenticationArgs.azClientId,\n authority: authenticationArgs.authority ? 
authenticationArgs.authority : MS_LOGIN_PREFIX + authenticationArgs.azTenantId,\n ...(authenticationArgs && 'azClientSecret' in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret }),\n }\n}\n\nexport function determineMSAuthId(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): string {\n return hash(authOptions(authenticationArgs))\n}\n"],"mappings":";;;;AAAA,SAEEA,+BAEAC,UAEAC,+BAEK;AACP,OAAOC,WAAW;AAGlB,OAAOC,UAAU;AAEjB,IAAMC,KAAK;AAEX,IAAMC,kBAAkB;AAIjB,IAAMC,yBAAyB;AAC/B,IAAMC,qBAAqB;AAClC,IAAMC,kBAAkB;AACxB,IAAMC,iCAAiC;AACvC,IAAMC,qCAAqC;AAE3C,IAAMC,mCAAmC;AACzC,IAAMC,wCAAwC;AAC9C,IAAMC,8BAA8B;AAGpC,eAAsBC,wBAAwBC,YAAkB;AAC9D,SAAOC,MAAMR,kBAAkBO,aAAaN,gCAAgC;IAAEQ,QAAQZ;EAAgB,CAAA,EACnGa,KAAK,CAACC,QAAQA,IAAIC,KAAI,CAAA,EACtBF,KAAK,OAAOG,SAAAA;AACX,WAAOA,KAAKC,uBAAuBlB;EACrC,CAAA;AACJ;AANsBU;AAQtB,eAAsBS,oBAAoBC,MAA6C;AACrF,QAAMC,SAASD,MAAMC,UAAW,MAAMX,wBAAwBU,KAAKT,UAAU;AAC7E,SAAOU,WAAWrB,KAAKG,qBAAqBD;AAC9C;AAHsBiB;AAKtB,eAAsBG,gDAAgDC,oBAAyD;AAC7H,QAAMC,gBAAgB,MAAML,oBAAoBI,kBAAAA;AAEhD,MAAI,CAACA,mBAAmBE,uBAAuBC,WAAWF,aAAAA,GAAgB;AACxE,UAAM,IAAIG,MAAMpB,mCAAmCiB,gBAAgB,YAAYD,mBAAmBE,qBAAqB,EAAE;EAC3H;AACA,SAAOD;AACT;AAPsBF;AAoBtB,eAAsBM,iCACpBL,oBACAH,MAEC;AAED,QAAMS,qBACJT,MAAMS,sBAAuB,MAAMC,mCAAmCP,kBAAAA,EAAoBT,KAAK,CAACiB,QAAQA,IAAIF,kBAAkB;AAChI,MAAI,CAACA,oBAAoB;AACvB,UAAMF,MAAM,yDAAA;EACd;AACA,MAAIJ,oBAAoBE,uBAAuB;AAC7C,UAAMH,gDAAgDC,kBAAAA;EACxD;AAEA,QAAMS,8BAA8B;IAClCC,QAAQV,mBAAmBU,WAAWV,oBAAoBE,wBAAwB;MAACnB;QAAsC,CAAA;IACzH4B,WAAWX,mBAAmBW,aAAa;EAC7C;AAGA,MAAI;AACF,UAAMC,SAAS,MAAMN,mBAAmBO,+BAA+BJ,2BAAAA;AACvE,QAAIG,QAAQ;AACV,aAAOA;IACT;EACF,SAASE,KAAK;AACZ,UAAM;MACJC,OAAO9B,wCAAwC6B;IACjD;EACF;AACA,QAAM;IACJC,OAAO9B;EACT;AACF;AAlCsBoB;AAoCtB,eAAsBE,mCACpBP,oBAAyD;AAEzD,QAAMgB,cAAchB,oBAAoBE,wBACpC,MAAMH,gDAAgDC,kBAAAA,IACtDiB;AACJ,QAAMC,OAAOC,YAAYnB,kBAAAA;AACzB,QAAMoB,KAAKC,KAAKH,IAAAA;AAChB,QAAMI,aAA4B;IAChCJ;IACAK,QAAQ;MACNC,eAAe;QACbC,mBAAmBzB,mBAAmByB,oBAAoBzB,mBAAmByB,
oBAAoB;QACjGC,UAAU1B,mBAAmB0B,WAAW1B,mBAAmB0B,WAAWC,SAASC;MACjF;IACF;EACF;AACA,QAAMC,wBAAwB,IAAIC,8BAA8BR,UAAAA;AAEhE,SAAO;IAAEhB,oBAAoBuB;IAAuBP;IAAYtB;IAAoBgB;IAAaI;EAAG;AACtG;AApBsBb;AA2BtB,eAAsBwB,8BAA8B/B,oBAAyD;AAC3G,QAAMsB,aAAa;IACjBJ,MAAMC,YAAYnB,kBAAAA;EACpB;AACA,QAAMgC,MAAM,IAAIC,wBAAwBX,UAAAA;AACxC,SAAO,MAAMU,IACVE,+BAA+BlC,kBAAAA,EAC/BT,KAAK,CAAC4C,aAAAA;AACL,WAAOA;EACT,CAAA,EACCC,MAAM,CAACrB,UAAAA;AACN,UAAM,IAAIX,MAAMlB,8BAA8B6B,KAAAA;EAChD,CAAA;AACJ;AAbsBgB;AAetB,SAASZ,YAAYnB,oBAAiG;AACpH,SAAO;IACLqC,UAAUrC,mBAAmBsC;IAC7BC,WAAWvC,mBAAmBuC,YAAYvC,mBAAmBuC,YAAY1D,kBAAkBmB,mBAAmBZ;IAC9G,GAAIY,sBAAsB,oBAAoBA,sBAAsB;MAAEwC,cAAcxC,mBAAmByC;IAAe;EACxH;AACF;AANStB;AAQF,SAASuB,kBAAkB1C,oBAAiG;AACjI,SAAOqB,KAAKF,YAAYnB,kBAAAA,CAAAA;AAC1B;AAFgB0C;","names":["ConfidentialClientApplication","LogLevel","PublicClientApplication","fetch","hash","EU","HTTP_METHOD_GET","MS_DID_ENDPOINT_NON_EU","MS_DID_ENDPOINT_EU","MS_LOGIN_PREFIX","MS_LOGIN_OPENID_CONFIG_POSTFIX","MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE","ERROR_CREDENTIAL_MANIFEST_REGION","ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT","ERROR_FAILED_AUTHENTICATION","getMSOpenIDClientRegion","azTenantId","fetch","method","then","res","json","resp","tenant_region_scope","getEntraDIDEndpoint","opts","region","assertEntraCredentialManifestUrlInCorrectRegion","authenticationArgs","msDIDEndpoint","credentialManifestUrl","startsWith","Error","getMSClientCredentialAccessToken","confidentialClient","newMSClientCredentialAuthenticator","cca","msalClientCredentialRequest","scopes","skipCache","result","acquireTokenByClientCredential","err","error","didEndpoint","undefined","auth","authOptions","id","hash","msalConfig","system","loggerOptions","piiLoggingEnabled","logLevel","LogLevel","Verbose","confidentialClientApp","ConfidentialClientApplication","UsernamePasswordAuthenticator","pca","PublicClientApplication","acquireTokenByUsernamePassword","response","catch","clientId","azClientId","authority","clientSecret","azClientSecret","determineMSA
uthId"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.ms-authenticator",
3
- "version": "0.34.1-next.91+3c949810",
3
+ "version": "0.36.1-feat.SSISDK.83.11+15665c90",
4
4
  "source": "src/index.ts",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",
@@ -55,5 +55,5 @@
55
55
  "SSI",
56
56
  "Veramo"
57
57
  ],
58
- "gitHead": "3c9498100ca07dfc2ba7979e7347fb9b19c47d18"
58
+ "gitHead": "15665c90d27b72a0c3b7267375f60512d2cd4085"
59
59
  }
@@ -7,7 +7,7 @@ import {
7
7
  PublicClientApplication,
8
8
  UsernamePasswordRequest,
9
9
  } from '@azure/msal-node'
10
- import { fetch } from 'cross-fetch'
10
+ import fetch from 'cross-fetch'
11
11
  import { IMSClientCredentialAuthInfo, IMsAuthenticationClientCredentialArgs, IMsAuthenticationUsernamePasswordArgs } from '../index'
12
12
 
13
13
  import hash from 'object-hash'
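Review bot: The reason for moving from the named `{ fetch }` import to the default import is not recorded anywhere in the source, and whether `import fetch from 'cross-fetch'` yields a callable in both output formats depends on how the CJS bundle's interop helper treats cross-fetch's `module.exports`/`exports.default` (the ESM bundle at dist/index.js mirrors the change verbatim; the CJS side I cannot see here and should be verified), so a one-line comment would spare the next maintainer re-deriving that, e.g. `// default import: cross-fetch exposes fetch both as module.exports and as exports.default, which is needed for the CJS interop build`. Independently of this import, the only consumer of the binding visible on this page — getMSOpenIDClientRegion in the embedded source of the map diff — calls `res.json()` without checking `res.ok` and then falls back to `EU` whenever `tenant_region_scope` is missing, so an error response from the discovery endpoint silently selects the EU DID endpoint; that predates this commit and lies outside the hunk, but a follow-up guard such as `if (!res.ok) throw new Error(...)` before parsing would close it. The `@azure/msal-node` import statement that the hunk's context lines belong to starts above the hunk (file lines 1–6 are not shown).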