push neon reactor

This commit is contained in:
2026-07-12 15:11:38 +02:00
parent 172e72dbcd
commit aeab5f7820
9597 changed files with 2407488 additions and 0 deletions
+2
View File
@@ -0,0 +1,2 @@
AZURE_USERNAME=lago@powerplatform.top
AZURE_PASSWORD=BJyEfmTWa8cnxdYtJ77INZidd1LtLAV0CeY5xiaTjDZ23F0BjNbmJQQJ99CFACAAAAAIchlnAAASAZDO5IEj
+33
View File
@@ -0,0 +1,33 @@
# Neon Reactor Code App
Arcade-style Power Apps Code App proof of concept for pipeline validation.
## What This POC Demonstrates
- A complete React + TypeScript Code App with no external data connections.
- Fast iteration UI suitable for demos (mini reflex game).
- CI/CD behavior for create/reuse deployment:
- if appId is null in power.config.json, push creates a new app
- if appId has a value, push reuses that app
## Gameplay
- You have 30 seconds per round.
- Hit cyan targets for points.
- Avoid magenta traps (they reduce score and break combo).
- Track recent scores and best score.
## Local Commands
```bash
npm ci
npm run dev
npm run build
pac code push
```
## Deployment Notes
- This folder is intended to be the active Code App root for CI.
- The pipeline should run commands from this directory.
- power.config.json controls appId create/reuse behavior.
+1
View File
@@ -0,0 +1 @@
:root{font-family:Trebuchet MS,Segoe UI,sans-serif;line-height:1.35;font-weight:400;font-synthesis:none;text-rendering:optimizeLegibility;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}*{box-sizing:border-box}html,body,#root{margin:0;min-height:100%}body{color:#e6f4ff}.arcade-shell{min-height:100vh;display:grid;grid-template-columns:360px 1fr;gap:20px;padding:24px;background:radial-gradient(circle at 15% 10%,rgba(29,198,219,.25),transparent 38%),radial-gradient(circle at 85% 85%,rgba(244,72,200,.2),transparent 40%),linear-gradient(145deg,#071219,#0f1f2f 55%,#10263b)}.hud-card,.arena-card{border:1px solid rgba(255,255,255,.1);border-radius:18px;-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);background:#090f189e;box-shadow:0 20px 60px #00000059}.hud-card{padding:22px;display:flex;flex-direction:column}.eyebrow{font-size:.75rem;text-transform:uppercase;letter-spacing:.12em;color:#77f4ff;margin:0}.hud-card h1{font-size:2rem;margin:8px 0;color:#f5fbff}.subline{margin:0 0 14px;color:#e1eef8b8;line-height:1.4}.metrics{display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:12px}.metric-box{padding:10px;border-radius:12px;background:#ffffff0f;border:1px solid rgba(255,255,255,.08)}.metric-box span{display:block;color:#caddebbf;font-size:.8rem}.metric-box strong{color:#eaffff;font-size:1.25rem}.feature-hint{margin:0 0 14px;color:#bbf0ffeb;font-size:.86rem;line-height:1.35}.primary-btn{border:none;border-radius:12px;padding:12px 14px;color:#00151e;background:linear-gradient(120deg,#60f0ff,#99ffd9);font-weight:700;cursor:pointer}.primary-btn:hover{filter:brightness(1.06)}.history{margin-top:14px}.history span{color:#caddebcc;font-size:.9rem}.history ul{display:flex;gap:8px;list-style:none;margin:10px 0 0;padding:0;flex-wrap:wrap}.history li{min-width:56px;text-align:center;padding:6px 8px;border-radius:999px;background:#60f0ff26;border:1px solid rgba(96,240,255,.35)}.arena-card{padding:14px}.arena-grid{position:relative;height:calc(100vh - 76px);min-height:520px;border-radius:14px;border:1px dashed rgba(125,229,255,.35);background:linear-gradient(rgba(126,225,255,.07) 1px,transparent 1px),linear-gradient(90deg,rgba(126,225,255,.07) 1px,transparent 1px),radial-gradient(circle at center,#10304e80,#060e18e6);background-size:32px 32px,32px 32px,auto;overflow:hidden}.target{position:absolute;transform:translate(-50%,-50%);border-radius:999px;border:2px solid;cursor:pointer;transition:left .22s ease,top .22s ease,transform .12s ease}.target.active:hover{transform:translate(-50%,-50%) scale(1.08)}.target.good{background:radial-gradient(circle,#93fff6f2,#11b5c9cc);border-color:#96ffeff2;box-shadow:0 0 24px #5ffaff99}.target.bad{background:radial-gradient(circle,#ffa9edf2,#dd32a8c7);border-color:#ffb3f0f2;box-shadow:0 0 24px #ff60ce99}.target.disabled{pointer-events:none}.overlay{position:absolute;inset:0;display:grid;place-content:center;text-align:center;color:#d8f7ff;gap:6px;background:#050c1494}.overlay h2{margin:0;font-size:2rem}.overlay p{margin:0;color:#d8f7ffcc}@media(max-width:980px){.arcade-shell{grid-template-columns:1fr}.arena-grid{height:62vh;min-height:420px}}
File diff suppressed because one or more lines are too long
+13
View File
@@ -0,0 +1,13 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Weather Forecast Dashboard</title>
<script type="module" crossorigin src="./assets/index-B6xK0-Wu.js"></script>
<link rel="stylesheet" crossorigin href="./assets/index-5lrCEl-J.css">
</head>
<body>
<div id="root"></div>
</body>
</html>
+10
View File
@@ -0,0 +1,10 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<defs>
<linearGradient id="g" x1="0%" y1="0%" x2="100%" y2="100%">
<stop offset="0%" stop-color="#6366f1"/>
<stop offset="100%" stop-color="#8b5cf6"/>
</linearGradient>
</defs>
<rect width="100" height="100" rx="20" fill="url(#g)"/>
<text x="50" y="68" text-anchor="middle" font-size="50" fill="white" font-family="Segoe UI, system-ui, sans-serif" font-weight="bold"></text>
</svg>

After

Width:  |  Height:  |  Size: 476 B

+23
View File
@@ -0,0 +1,23 @@
import js from '@eslint/js'
import globals from 'globals'
import reactHooks from 'eslint-plugin-react-hooks'
import reactRefresh from 'eslint-plugin-react-refresh'
import tseslint from 'typescript-eslint'
import { defineConfig, globalIgnores } from 'eslint/config'
export default defineConfig([
globalIgnores(['dist']),
{
files: ['**/*.{ts,tsx}'],
extends: [
js.configs.recommended,
tseslint.configs.recommended,
reactHooks.configs.flat.recommended,
reactRefresh.configs.vite,
],
languageOptions: {
ecmaVersion: 2020,
globals: globals.browser,
},
},
])
+12
View File
@@ -0,0 +1,12 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Weather Forecast Dashboard</title>
</head>
<body>
<div id="root"></div>
<script type="module" src="/src/main.tsx"></script>
</body>
</html>
+1
View File
@@ -0,0 +1 @@
../acorn/bin/acorn
+1
View File
@@ -0,0 +1 @@
../baseline-browser-mapping/dist/cli.cjs
+1
View File
@@ -0,0 +1 @@
../browserslist/cli.js
+1
View File
@@ -0,0 +1 @@
../esbuild/bin/esbuild
+1
View File
@@ -0,0 +1 @@
../eslint/bin/eslint.js
+1
View File
@@ -0,0 +1 @@
../is-docker/cli.js
+1
View File
@@ -0,0 +1 @@
../js-yaml/bin/js-yaml.js
+1
View File
@@ -0,0 +1 @@
../jsesc/bin/jsesc
+1
View File
@@ -0,0 +1 @@
../json5/lib/cli.js
+1
View File
@@ -0,0 +1 @@
../nanoid/bin/nanoid.cjs
+1
View File
@@ -0,0 +1 @@
../which/bin/node-which
+1
View File
@@ -0,0 +1 @@
../@babel/parser/bin/babel-parser.js
+1
View File
@@ -0,0 +1 @@
../@microsoft/power-apps-cli/dist/Bin.js
+1
View File
@@ -0,0 +1 @@
../prebuild-install/bin.js
+1
View File
@@ -0,0 +1 @@
../prettier/bin/prettier.cjs
+1
View File
@@ -0,0 +1 @@
../rc/cli.js
+1
View File
@@ -0,0 +1 @@
../rollup/dist/bin/rollup
+1
View File
@@ -0,0 +1 @@
../semver/bin/semver.js
+1
View File
@@ -0,0 +1 @@
../typescript/bin/tsc
+1
View File
@@ -0,0 +1 @@
../typescript/bin/tsserver
+1
View File
@@ -0,0 +1 @@
../update-browserslist-db/cli.js
+1
View File
@@ -0,0 +1 @@
../uuid/dist/bin/uuid
+1
View File
@@ -0,0 +1 @@
../vite/bin/vite.js
File diff suppressed because it is too large Load Diff
+1
View File
@@ -0,0 +1 @@
{"root":["../../src/App.tsx","../../src/main.tsx"],"version":"5.9.3"}
+1
View File
@@ -0,0 +1 @@
{"root":["../../vite.config.ts"],"version":"5.9.3"}
+21
View File
@@ -0,0 +1,21 @@
MIT License
Copyright (c) Microsoft Corporation. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE
+53
View File
@@ -0,0 +1,53 @@
# Microsoft Authentication Library for JavaScript (MSAL.js) Common Protocols Package
[![npm version](https://img.shields.io/npm/v/@azure/msal-common.svg?style=flat)](https://www.npmjs.com/package/@azure/msal-common/)
[![npm version](https://img.shields.io/npm/dm/@azure/msal-common.svg)](https://nodei.co/npm/@azure/msal-common/)
[![codecov](https://codecov.io/gh/AzureAD/microsoft-authentication-library-for-js/branch/dev/graph/badge.svg?flag=msal-common)](https://codecov.io/gh/AzureAD/microsoft-authentication-library-for-js)
| <a href="https://docs.microsoft.com/azure/active-directory/develop/guidedsetups/active-directory-javascriptspa" target="_blank">Getting Started</a> | <a href="https://aka.ms/aaddevv2" target="_blank">AAD Docs</a> | <a href="https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html" target="_blank">Library Reference</a> |
| --------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
1. [About](#about)
2. [FAQ](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/FAQ.md)
3. [Changelog](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/CHANGELOG.md)
4. [Releases](#releases)
5. [Prerequisites and Usage](#prerequisites-and-usage)
6. [Installation](#installation)
7. [Security Reporting](#security-reporting)
8. [License](#license)
9. [Code of Conduct](#we-value-and-adhere-to-the-microsoft-open-source-code-of-conduct)
## About
The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using [Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview) work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through [Azure AD B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview#identity-providers) service. It also enables your app to get tokens to access [Microsoft Cloud](https://www.microsoft.com/enterprise) services such as [Microsoft Graph](https://graph.microsoft.io).
The `@azure/msal-common` package described by the code in this folder serves as a common package dependency for the `@azure/msal-browser` package (and in the future, the msal-node package). Be aware that this is an internal library, and is subject to frequent change. **It is not meant for production consumption by itself.**
## FAQ
See [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/FAQ.md).
## Prerequisites and Usage
This library is not meant for production use. Please use one of these packages specific to the platform you are developing for:
- [MSAL for Single Page Applications (SPAs)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser)
- [MSAL for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node)
## Installation
### Via NPM:
npm install @azure/msal-common
## Security Reporting
If you find a security issue with our libraries or services please report it to [secure@microsoft.com](mailto:secure@microsoft.com) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/en-us/security/dd252948) and subscribing to Security Advisory Alerts.
## License
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License (the "License");
## We Value and Adhere to the Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
@@ -0,0 +1 @@
Do not remove or rename. This folder allows subpath imports in environments that don't understand the exports field.
@@ -0,0 +1,5 @@
{
"main": "../lib/index-browser.cjs",
"module": "../dist/index-browser.mjs",
"types": "../lib/types/index-browser.d.ts"
}
@@ -0,0 +1,68 @@
import { TokenClaims } from "./TokenClaims.js";
/**
* Account object with the following signature:
* - homeAccountId - Home account identifier for this account object
* - environment - Entity which issued the token represented by the domain of the issuer (e.g. login.microsoftonline.com)
* - tenantId - Full tenant or organizational id that this account belongs to
* - username - preferred_username claim of the id_token that represents this account
* - localAccountId - Local, tenant-specific account identifer for this account object, usually used in legacy cases
* - name - Full name for the account, including given name and family name
* - idToken - raw ID token
* - idTokenClaims - Object contains claims from ID token
* - nativeAccountId - The user's native account ID
* - tenantProfiles - Map of tenant profile objects for each tenant that the account has authenticated with in the browser
*/
export type AccountInfo = {
homeAccountId: string;
environment: string;
tenantId: string;
username: string;
localAccountId: string;
name?: string;
idToken?: string;
idTokenClaims?: TokenClaims & {
[key: string]: string | number | string[] | object | undefined | unknown;
};
nativeAccountId?: string;
authorityType?: string;
tenantProfiles?: Map<string, TenantProfile>;
};
/**
* Account details that vary across tenants for the same user
*/
export type TenantProfile = Pick<AccountInfo, "tenantId" | "localAccountId" | "name"> & {
/**
* - isHomeTenant - True if this is the home tenant profile of the account, false if it's a guest tenant profile
*/
isHomeTenant?: boolean;
};
export type ActiveAccountFilters = {
homeAccountId: string;
localAccountId: string;
tenantId?: string;
lastUpdatedAt?: string;
};
/**
* Returns true if tenantId matches the utid portion of homeAccountId
* @param tenantId
* @param homeAccountId
* @returns
*/
export declare function tenantIdMatchesHomeTenant(tenantId?: string, homeAccountId?: string): boolean;
/**
* Build tenant profile
* @param homeAccountId - Home account identifier for this account object
* @param localAccountId - Local account identifer for this account object
* @param tenantId - Full tenant or organizational id that this account belongs to
* @param idTokenClaims - Claims from the ID token
* @returns
*/
export declare function buildTenantProfile(homeAccountId: string, localAccountId: string, tenantId: string, idTokenClaims?: TokenClaims): TenantProfile;
/**
* Replaces account info that varies by tenant profile sourced from the ID token claims passed in with the tenant-specific account info
* @param baseAccountInfo
* @param idTokenClaims
* @returns
*/
export declare function updateAccountTenantProfileData(baseAccountInfo: AccountInfo, tenantProfile?: TenantProfile, idTokenClaims?: TokenClaims, idTokenSecret?: string): AccountInfo;
//# sourceMappingURL=AccountInfo.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AccountInfo.d.ts","sourceRoot":"","sources":["../../src/account/AccountInfo.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,WAAW,GAAG;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,WAAW,GAAG;QAC1B,CAAC,GAAG,EAAE,MAAM,GACN,MAAM,GACN,MAAM,GACN,MAAM,EAAE,GACR,MAAM,GACN,SAAS,GACT,OAAO,CAAC;KACjB,CAAC;IACF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAC/C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,IAAI,CAC5B,WAAW,EACX,UAAU,GAAG,gBAAgB,GAAG,MAAM,CACzC,GAAG;IACA;;OAEG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACrC,QAAQ,CAAC,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,MAAM,GACvB,OAAO,CAMT;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAC9B,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,EACtB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,WAAW,GAC5B,aAAa,CAyBf;AAED;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAC1C,eAAe,EAAE,WAAW,EAC5B,aAAa,CAAC,EAAE,aAAa,EAC7B,aAAa,CAAC,EAAE,WAAW,EAC3B,aAAa,CAAC,EAAE,MAAM,GACvB,WAAW,CAgCb"}
@@ -0,0 +1,82 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Returns true if tenantId matches the utid portion of homeAccountId
* @param tenantId
* @param homeAccountId
* @returns
*/
function tenantIdMatchesHomeTenant(tenantId, homeAccountId) {
return (!!tenantId &&
!!homeAccountId &&
tenantId === homeAccountId.split(".")[1]);
}
/**
* Build tenant profile
* @param homeAccountId - Home account identifier for this account object
* @param localAccountId - Local account identifer for this account object
* @param tenantId - Full tenant or organizational id that this account belongs to
* @param idTokenClaims - Claims from the ID token
* @returns
*/
function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClaims) {
if (idTokenClaims) {
const { oid, sub, tid, name, tfp, acr } = idTokenClaims;
/**
* Since there is no way to determine if the authority is AAD or B2C, we exhaust all the possible claims that can serve as tenant ID with the following precedence:
* tid - TenantID claim that identifies the tenant that issued the token in AAD. Expected in all AAD ID tokens, not present in B2C ID Tokens.
* tfp - Trust Framework Policy claim that identifies the policy that was used to authenticate the user. Functions as tenant for B2C scenarios.
* acr - Authentication Context Class Reference claim used only with older B2C policies. Fallback in case tfp is not present, but likely won't be present anyway.
*/
const tenantId = tid || tfp || acr || "";
return {
tenantId: tenantId,
localAccountId: oid || sub || "",
name: name,
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
};
}
else {
return {
tenantId,
localAccountId,
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
};
}
}
/**
* Replaces account info that varies by tenant profile sourced from the ID token claims passed in with the tenant-specific account info
* @param baseAccountInfo
* @param idTokenClaims
* @returns
*/
function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenClaims, idTokenSecret) {
let updatedAccountInfo = baseAccountInfo;
// Tenant Profile overrides passed in account info
if (tenantProfile) {
// eslint-disable-next-line @typescript-eslint/no-unused-vars
const { isHomeTenant, ...tenantProfileOverride } = tenantProfile;
updatedAccountInfo = { ...baseAccountInfo, ...tenantProfileOverride };
}
// ID token claims override passed in account info and tenant profile
if (idTokenClaims) {
// Ignore isHomeTenant, loginHint, and sid which are part of tenant profile but not base account info
// eslint-disable-next-line @typescript-eslint/no-unused-vars
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, idTokenClaims);
updatedAccountInfo = {
...updatedAccountInfo,
...claimsSourcedTenantProfile,
idTokenClaims: idTokenClaims,
idToken: idTokenSecret,
};
return updatedAccountInfo;
}
return updatedAccountInfo;
}
export { buildTenantProfile, tenantIdMatchesHomeTenant, updateAccountTenantProfileData };
//# sourceMappingURL=AccountInfo.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"AccountInfo.mjs","sources":["../../src/account/AccountInfo.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AA0DH;;;;;AAKG;AACa,SAAA,yBAAyB,CACrC,QAAiB,EACjB,aAAsB,EAAA;IAEtB,QACI,CAAC,CAAC,QAAQ;AACV,QAAA,CAAC,CAAC,aAAa;QACf,QAAQ,KAAK,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAC1C;AACN,CAAC;AAED;;;;;;;AAOG;AACG,SAAU,kBAAkB,CAC9B,aAAqB,EACrB,cAAsB,EACtB,QAAgB,EAChB,aAA2B,EAAA;AAE3B,IAAA,IAAI,aAAa,EAAE;AACf,QAAA,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,aAAa,CAAC;AAExD;;;;;AAKG;QACH,MAAM,QAAQ,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;QAEzC,OAAO;AACH,YAAA,QAAQ,EAAE,QAAQ;AAClB,YAAA,cAAc,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE;AAChC,YAAA,IAAI,EAAE,IAAI;AACV,YAAA,YAAY,EAAE,yBAAyB,CAAC,QAAQ,EAAE,aAAa,CAAC;SACnE,CAAC;AACL,KAAA;AAAM,SAAA;QACH,OAAO;YACH,QAAQ;YACR,cAAc;AACd,YAAA,YAAY,EAAE,yBAAyB,CAAC,QAAQ,EAAE,aAAa,CAAC;SACnE,CAAC;AACL,KAAA;AACL,CAAC;AAED;;;;;AAKG;AACG,SAAU,8BAA8B,CAC1C,eAA4B,EAC5B,aAA6B,EAC7B,aAA2B,EAC3B,aAAsB,EAAA;IAEtB,IAAI,kBAAkB,GAAG,eAAe,CAAC;;AAEzC,IAAA,IAAI,aAAa,EAAE;;QAEf,MAAM,EAAE,YAAY,EAAE,GAAG,qBAAqB,EAAE,GAAG,aAAa,CAAC;QACjE,kBAAkB,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,qBAAqB,EAAE,CAAC;AACzE,KAAA;;AAGD,IAAA,IAAI,aAAa,EAAE;;;QAGf,MAAM,EAAE,YAAY,EAAE,GAAG,0BAA0B,EAAE,GACjD,kBAAkB,CACd,eAAe,CAAC,aAAa,EAC7B,eAAe,CAAC,cAAc,EAC9B,eAAe,CAAC,QAAQ,EACxB,aAAa,CAChB,CAAC;AAEN,QAAA,kBAAkB,GAAG;AACjB,YAAA,GAAG,kBAAkB;AACrB,YAAA,GAAG,0BAA0B;AAC7B,YAAA,aAAa,EAAE,aAAa;AAC5B,YAAA,OAAO,EAAE,aAAa;SACzB,CAAC;AAEF,QAAA,OAAO,kBAAkB,CAAC;AAC7B,KAAA;AAED,IAAA,OAAO,kBAAkB,CAAC;AAC9B;;;;"}
@@ -0,0 +1,18 @@
import { TokenClaims } from "./TokenClaims.js";
/**
* Extract token by decoding the rawToken
*
* @param encodedToken
*/
export declare function extractTokenClaims(encodedToken: string, base64Decode: (input: string) => string): TokenClaims;
/**
* decode a JWT
*
* @param authToken
*/
export declare function getJWSPayload(authToken: string): string;
/**
* Determine if the token's max_age has transpired
*/
export declare function checkMaxAge(authTime: number, maxAge: number): void;
//# sourceMappingURL=AuthToken.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthToken.d.ts","sourceRoot":"","sources":["../../src/account/AuthToken.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAM/C;;;;GAIG;AACH,wBAAgB,kBAAkB,CAC9B,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GACxC,WAAW,CAWb;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAkBvD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAUlE"}
@@ -0,0 +1,66 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { tokenParsingError, nullOrEmptyToken, maxAgeTranspired } from '../error/ClientAuthErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Extract token by decoding the rawToken
*
* @param encodedToken
*/
function extractTokenClaims(encodedToken, base64Decode) {
const jswPayload = getJWSPayload(encodedToken);
// token will be decoded to get the username
try {
// base64Decode() should throw an error if there is an issue
const base64Decoded = base64Decode(jswPayload);
return JSON.parse(base64Decoded);
}
catch (err) {
throw createClientAuthError(tokenParsingError);
}
}
/**
* decode a JWT
*
* @param authToken
*/
function getJWSPayload(authToken) {
if (!authToken) {
throw createClientAuthError(nullOrEmptyToken);
}
const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
const matches = tokenPartsRegex.exec(authToken);
if (!matches || matches.length < 4) {
throw createClientAuthError(tokenParsingError);
}
/**
* const crackedToken = {
* header: matches[1],
* JWSPayload: matches[2],
* JWSSig: matches[3],
* };
*/
return matches[2];
}
/**
* Determine if the token's max_age has transpired
*/
function checkMaxAge(authTime, maxAge) {
/*
* per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
* To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
* provide a value of 0 for the max_age parameter and the AS will force a fresh login.
*/
const fiveMinuteSkew = 300000; // five minutes in milliseconds
if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
throw createClientAuthError(maxAgeTranspired);
}
}
export { checkMaxAge, extractTokenClaims, getJWSPayload };
//# sourceMappingURL=AuthToken.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthToken.mjs","sources":["../../src/account/AuthToken.ts"],"sourcesContent":[null],"names":["ClientAuthErrorCodes.tokenParsingError","ClientAuthErrorCodes.nullOrEmptyToken","ClientAuthErrorCodes.maxAgeTranspired"],"mappings":";;;;;AAAA;;;AAGG;AAQH;;;;AAIG;AACa,SAAA,kBAAkB,CAC9B,YAAoB,EACpB,YAAuC,EAAA;AAEvC,IAAA,MAAM,UAAU,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;;IAG/C,IAAI;;AAEA,QAAA,MAAM,aAAa,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;AAC/C,QAAA,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAgB,CAAC;AACnD,KAAA;AAAC,IAAA,OAAO,GAAG,EAAE;AACV,QAAA,MAAM,qBAAqB,CAACA,iBAAsC,CAAC,CAAC;AACvE,KAAA;AACL,CAAC;AAED;;;;AAIG;AACG,SAAU,aAAa,CAAC,SAAiB,EAAA;IAC3C,IAAI,CAAC,SAAS,EAAE;AACZ,QAAA,MAAM,qBAAqB,CAACC,gBAAqC,CAAC,CAAC;AACtE,KAAA;IACD,MAAM,eAAe,GAAG,sCAAsC,CAAC;IAC/D,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE;AAChC,QAAA,MAAM,qBAAqB,CAACD,iBAAsC,CAAC,CAAC;AACvE,KAAA;AACD;;;;;;AAMG;AAEH,IAAA,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;AACtB,CAAC;AAED;;AAEG;AACa,SAAA,WAAW,CAAC,QAAgB,EAAE,MAAc,EAAA;AACxD;;;;AAIG;AACH,IAAA,MAAM,cAAc,GAAG,MAAM,CAAC;AAC9B,IAAA,IAAI,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,GAAG,QAAQ,GAAG,MAAM,EAAE;AACjE,QAAA,MAAM,qBAAqB,CAACE,gBAAqC,CAAC,CAAC;AACtE,KAAA;AACL;;;;"}
@@ -0,0 +1,10 @@
export type CcsCredential = {
credential: string;
type: CcsCredentialType;
};
export declare const CcsCredentialType: {
readonly HOME_ACCOUNT_ID: "home_account_id";
readonly UPN: "UPN";
};
export type CcsCredentialType = (typeof CcsCredentialType)[keyof typeof CcsCredentialType];
//# sourceMappingURL=CcsCredential.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"CcsCredential.d.ts","sourceRoot":"","sources":["../../src/account/CcsCredential.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,aAAa,GAAG;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAEF,eAAO,MAAM,iBAAiB;;;CAGpB,CAAC;AACX,MAAM,MAAM,iBAAiB,GACzB,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,OAAO,iBAAiB,CAAC,CAAC"}
@@ -0,0 +1,13 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
const CcsCredentialType = {
HOME_ACCOUNT_ID: "home_account_id",
UPN: "UPN",
};
export { CcsCredentialType };
//# sourceMappingURL=CcsCredential.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"CcsCredential.mjs","sources":["../../src/account/CcsCredential.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AAOU,MAAA,iBAAiB,GAAG;AAC7B,IAAA,eAAe,EAAE,iBAAiB;AAClC,IAAA,GAAG,EAAE,KAAK;;;;;"}
@@ -0,0 +1,20 @@
export type ClientAssertionConfig = {
clientId: string;
tokenEndpoint?: string;
};
export type ClientAssertionCallback = (config: ClientAssertionConfig) => Promise<string>;
/**
* Client Assertion credential for Confidential Clients
*/
export type ClientAssertion = {
assertion: string | ClientAssertionCallback;
assertionType: string;
};
/**
* Client Credentials set for Confidential Clients
*/
export type ClientCredentials = {
clientSecret?: string;
clientAssertion?: ClientAssertion;
};
//# sourceMappingURL=ClientCredentials.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"ClientCredentials.d.ts","sourceRoot":"","sources":["../../src/account/ClientCredentials.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,qBAAqB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAClC,MAAM,EAAE,qBAAqB,KAC5B,OAAO,CAAC,MAAM,CAAC,CAAC;AAErB;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC1B,SAAS,EAAE,MAAM,GAAG,uBAAuB,CAAC;IAC5C,aAAa,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,eAAe,CAAC;CACrC,CAAC"}
@@ -0,0 +1,19 @@
/**
* Client info object which consists of two IDs. Need to add more info here.
*/
export type ClientInfo = {
uid: string;
utid: string;
};
/**
* Function to build a client info object from server clientInfo string
* @param rawClientInfo
* @param crypto
*/
export declare function buildClientInfo(rawClientInfo: string, base64Decode: (input: string) => string): ClientInfo;
/**
* Function to build a client info object from cached homeAccountId string
* @param homeAccountId
*/
export declare function buildClientInfoFromHomeAccountId(homeAccountId: string): ClientInfo;
//# sourceMappingURL=ClientInfo.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"ClientInfo.d.ts","sourceRoot":"","sources":["../../src/account/ClientInfo.ts"],"names":[],"mappings":"AAWA;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,eAAe,CAC3B,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GACxC,UAAU,CAaZ;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,CAC5C,aAAa,EAAE,MAAM,GACtB,UAAU,CAiBZ"}
@@ -0,0 +1,46 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { Separators, Constants } from '../utils/Constants.mjs';
import { clientInfoEmptyError, clientInfoDecodingError } from '../error/ClientAuthErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Function to build a client info object from server clientInfo string
* @param rawClientInfo
* @param crypto
*/
function buildClientInfo(rawClientInfo, base64Decode) {
if (!rawClientInfo) {
throw createClientAuthError(clientInfoEmptyError);
}
try {
const decodedClientInfo = base64Decode(rawClientInfo);
return JSON.parse(decodedClientInfo);
}
catch (e) {
throw createClientAuthError(clientInfoDecodingError);
}
}
/**
* Function to build a client info object from cached homeAccountId string
* @param homeAccountId
*/
function buildClientInfoFromHomeAccountId(homeAccountId) {
if (!homeAccountId) {
throw createClientAuthError(clientInfoDecodingError);
}
const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
return {
uid: clientInfoParts[0],
utid: clientInfoParts.length < 2
? Constants.EMPTY_STRING
: clientInfoParts[1],
};
}
export { buildClientInfo, buildClientInfoFromHomeAccountId };
//# sourceMappingURL=ClientInfo.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"ClientInfo.mjs","sources":["../../src/account/ClientInfo.ts"],"sourcesContent":[null],"names":["ClientAuthErrorCodes.clientInfoEmptyError","ClientAuthErrorCodes.clientInfoDecodingError"],"mappings":";;;;;;AAAA;;;AAGG;AAgBH;;;;AAIG;AACa,SAAA,eAAe,CAC3B,aAAqB,EACrB,YAAuC,EAAA;IAEvC,IAAI,CAAC,aAAa,EAAE;AAChB,QAAA,MAAM,qBAAqB,CAACA,oBAAyC,CAAC,CAAC;AAC1E,KAAA;IAED,IAAI;AACA,QAAA,MAAM,iBAAiB,GAAW,YAAY,CAAC,aAAa,CAAC,CAAC;AAC9D,QAAA,OAAO,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAe,CAAC;AACtD,KAAA;AAAC,IAAA,OAAO,CAAC,EAAE;AACR,QAAA,MAAM,qBAAqB,CACvBC,uBAA4C,CAC/C,CAAC;AACL,KAAA;AACL,CAAC;AAED;;;AAGG;AACG,SAAU,gCAAgC,CAC5C,aAAqB,EAAA;IAErB,IAAI,CAAC,aAAa,EAAE;AAChB,QAAA,MAAM,qBAAqB,CACvBA,uBAA4C,CAC/C,CAAC;AACL,KAAA;AACD,IAAA,MAAM,eAAe,GAAa,aAAa,CAAC,KAAK,CACjD,UAAU,CAAC,qBAAqB,EAChC,CAAC,CACJ,CAAC;IACF,OAAO;AACH,QAAA,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC;AACvB,QAAA,IAAI,EACA,eAAe,CAAC,MAAM,GAAG,CAAC;cACpB,SAAS,CAAC,YAAY;AACxB,cAAE,eAAe,CAAC,CAAC,CAAC;KAC/B,CAAC;AACN;;;;"}
@@ -0,0 +1,84 @@
/**
* Type which describes Id Token claims known by MSAL.
*/
export type TokenClaims = {
/**
* Audience
*/
aud?: string;
/**
* Issuer
*/
iss?: string;
/**
* Issued at
*/
iat?: number;
/**
* Not valid before
*/
nbf?: number;
/**
* Immutable object identifier, this ID uniquely identifies the user across applications
*/
oid?: string;
/**
* Immutable subject identifier, this is a pairwise identifier - it is unique to a particular application ID
*/
sub?: string;
/**
* Users' tenant or '9188040d-6c67-4c5b-b112-36a304b66dad' for personal accounts.
*/
tid?: string;
/**
* Trusted Framework Policy (B2C) The name of the policy that was used to acquire the ID token.
*/
tfp?: string;
/**
* Authentication Context Class Reference (B2C) Used only with older policies.
*/
acr?: string;
ver?: string;
upn?: string;
preferred_username?: string;
login_hint?: string;
emails?: string[];
name?: string;
nonce?: string;
/**
* Expiration
*/
exp?: number;
home_oid?: string;
sid?: string;
cloud_instance_host_name?: string;
cnf?: {
kid: string;
};
x5c_ca?: string[];
ts?: number;
at?: string;
u?: string;
p?: string;
m?: string;
roles?: string[];
amr?: string[];
idp?: string;
auth_time?: number;
/**
* Region of the resource tenant
*/
tenant_region_scope?: string;
tenant_region_sub_scope?: string;
};
/**
* Gets tenantId from available ID token claims to set as credential realm with the following precedence:
* 1. tid - if the token is acquired from an Azure AD tenant tid will be present
* 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
* 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
* Downcased to match the realm case-insensitive comparison requirements
* @param idTokenClaims
* @returns
*/
export declare function getTenantIdFromIdTokenClaims(idTokenClaims?: TokenClaims): string | null;
//# sourceMappingURL=TokenClaims.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"TokenClaims.d.ts","sourceRoot":"","sources":["../../src/account/TokenClaims.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG;IACtB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,GAAG,CAAC,EAAE;QACF,GAAG,EAAE,MAAM,CAAC;KACf,CAAC;IACF,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,CAAC;CACpC,CAAC;AAEF;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CACxC,aAAa,CAAC,EAAE,WAAW,GAC5B,MAAM,GAAG,IAAI,CAOf"}
@@ -0,0 +1,25 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Gets tenantId from available ID token claims to set as credential realm with the following precedence:
* 1. tid - if the token is acquired from an Azure AD tenant tid will be present
* 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
* 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
* Downcased to match the realm case-insensitive comparison requirements
* @param idTokenClaims
* @returns
*/
function getTenantIdFromIdTokenClaims(idTokenClaims) {
if (idTokenClaims) {
const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
return tenantId || null;
}
return null;
}
export { getTenantIdFromIdTokenClaims };
//# sourceMappingURL=TokenClaims.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"TokenClaims.mjs","sources":["../../src/account/TokenClaims.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AA4EH;;;;;;;;AAQG;AACG,SAAU,4BAA4B,CACxC,aAA2B,EAAA;AAE3B,IAAA,IAAI,aAAa,EAAE;AACf,QAAA,MAAM,QAAQ,GACV,aAAa,CAAC,GAAG,IAAI,aAAa,CAAC,GAAG,IAAI,aAAa,CAAC,GAAG,CAAC;QAChE,OAAO,QAAQ,IAAI,IAAI,CAAC;AAC3B,KAAA;AACD,IAAA,OAAO,IAAI,CAAC;AAChB;;;;"}
@@ -0,0 +1,255 @@
import { AuthorityType } from "./AuthorityType.js";
import { OpenIdConfigResponse } from "./OpenIdConfigResponse.js";
import { IUri } from "../url/IUri.js";
import { INetworkModule } from "../network/INetworkModule.js";
import { ProtocolMode } from "./ProtocolMode.js";
import { ICacheManager } from "../cache/interface/ICacheManager.js";
import { AuthorityOptions, StaticAuthorityOptions } from "./AuthorityOptions.js";
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata.js";
import { RegionDiscoveryMetadata } from "./RegionDiscoveryMetadata.js";
import type { AzureCloudOptions } from "../config/ClientConfiguration.js";
import { Logger } from "../logger/Logger.js";
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
/**
* The authority class validates the authority URIs used by the user, and retrieves the OpenID Configuration Data from the
* endpoint. It will store the pertinent config data in this object for use during token calls.
* @internal
*/
export declare class Authority {
private _canonicalAuthority;
private _canonicalAuthorityUrlComponents;
protected networkInterface: INetworkModule;
protected cacheManager: ICacheManager;
private authorityOptions;
private metadata;
private regionDiscovery;
regionDiscoveryMetadata: RegionDiscoveryMetadata;
private logger;
protected performanceClient: IPerformanceClient | undefined;
protected correlationId: string;
private managedIdentity;
private static reservedTenantDomains;
constructor(authority: string, networkInterface: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions, logger: Logger, correlationId: string, performanceClient?: IPerformanceClient, managedIdentity?: boolean);
/**
* Get {@link AuthorityType}
* @param authorityUri {@link IUri}
* @private
*/
private getAuthorityType;
get authorityType(): AuthorityType;
/**
* ProtocolMode enum representing the way endpoints are constructed.
*/
get protocolMode(): ProtocolMode;
/**
* Returns authorityOptions which can be used to reinstantiate a new authority instance
*/
get options(): AuthorityOptions;
/**
* A URL that is the authority set by the developer
*/
get canonicalAuthority(): string;
/**
* Sets canonical authority.
*/
set canonicalAuthority(url: string);
/**
* Get authority components.
*/
get canonicalAuthorityUrlComponents(): IUri;
/**
* Get hostname and port i.e. login.microsoftonline.com
*/
get hostnameAndPort(): string;
/**
* Get tenant for authority.
*/
get tenant(): string;
/**
* OAuth /authorize endpoint for requests
*/
get authorizationEndpoint(): string;
/**
* OAuth /token endpoint for requests
*/
get tokenEndpoint(): string;
get deviceCodeEndpoint(): string;
/**
* OAuth logout endpoint for requests
*/
get endSessionEndpoint(): string;
/**
* OAuth issuer for requests
*/
get selfSignedJwtAudience(): string;
/**
* Jwks_uri for token signing keys
*/
get jwksUri(): string;
/**
* Returns a flag indicating that tenant name can be replaced in authority {@link IUri}
* @param authorityUri {@link IUri}
* @private
*/
private canReplaceTenant;
/**
* Replaces tenant in url path with current tenant. Defaults to common.
* @param urlString
*/
private replaceTenant;
/**
* Replaces path such as tenant or policy with the current tenant or policy.
* @param urlString
*/
private replacePath;
/**
* The default open id configuration endpoint for any canonical authority.
*/
protected get defaultOpenIdConfigurationEndpoint(): string;
/**
* Boolean that returns whether or not tenant discovery has been completed.
*/
discoveryComplete(): boolean;
/**
* Perform endpoint discovery to discover aliases, preferred_cache, preferred_network
* and the /authorize, /token and logout endpoints.
*/
resolveEndpointsAsync(): Promise<void>;
/**
* Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
* from the configured canonical authority
* @returns
*/
private getCurrentMetadataEntity;
/**
* Updates cached metadata based on metadata source and sets the instance's metadata
* property to the same value
* @param metadataEntity
* @param cloudDiscoverySource
* @param endpointMetadataResult
*/
private updateCachedMetadata;
/**
* Update AuthorityMetadataEntity with new endpoints and return where the information came from
* @param metadataEntity
*/
private updateEndpointMetadata;
/**
* Updates endpoint metadata from local sources and returns where the information was retrieved from and the metadata config
* response if the source is hardcoded metadata
* @param metadataEntity
* @returns
*/
private updateEndpointMetadataFromLocalSources;
/**
* Compares the number of url components after the domain to determine if the cached
* authority metadata can be used for the requested authority. Protects against same domain different
* authority such as login.microsoftonline.com/tenant and login.microsoftonline.com/tfp/tenant/policy
* @param metadataEntity
*/
private isAuthoritySameType;
/**
* Parse authorityMetadata config option
*/
private getEndpointMetadataFromConfig;
/**
* Gets OAuth endpoints from the given OpenID configuration endpoint.
*
* @param hasHardcodedMetadata boolean
*/
private getEndpointMetadataFromNetwork;
/**
* Get OAuth endpoints for common authorities.
*/
private getEndpointMetadataFromHardcodedValues;
/**
* Update the retrieved metadata with regional information.
* User selected Azure region will be used if configured.
*/
private updateMetadataWithRegionalInformation;
/**
* Updates the AuthorityMetadataEntity with new aliases, preferred_network and preferred_cache
* and returns where the information was retrieved from
* @param metadataEntity
* @returns AuthorityMetadataSource
*/
private updateCloudDiscoveryMetadata;
private updateCloudDiscoveryMetadataFromLocalSources;
/**
* Parse cloudDiscoveryMetadata config or check knownAuthorities
*/
private getCloudDiscoveryMetadataFromConfig;
/**
* Called to get metadata from network if CloudDiscoveryMetadata was not populated by config
*
* @param hasHardcodedMetadata boolean
*/
private getCloudDiscoveryMetadataFromNetwork;
/**
* Helper function to determine if this host is included in the knownAuthorities config option
*/
private isInKnownAuthorities;
/**
* helper function to populate the authority based on azureCloudOptions
* @param authorityString
* @param azureCloudOptions
*/
static generateAuthority(authorityString: string, azureCloudOptions?: AzureCloudOptions): string;
/**
* Creates cloud discovery metadata object from a given host
* @param host
*/
static createCloudDiscoveryMetadataFromHost(host: string): CloudDiscoveryMetadata;
/**
* helper function to generate environment from authority object
*/
getPreferredCache(): string;
/**
* Returns whether or not the provided host is an alias of this authority instance
* @param host
*/
isAlias(host: string): boolean;
/**
* Returns whether or not the provided host is an alias of a known Microsoft authority for purposes of endpoint discovery
* @param host
*/
isAliasOfKnownMicrosoftAuthority(host: string): boolean;
/**
* Checks whether the provided host is that of a public cloud authority
*
* @param authority string
* @returns bool
*/
static isPublicCloudAuthority(host: string): boolean;
/**
* Rebuild the authority string with the region
*
* @param host string
* @param region string
*/
static buildRegionalAuthorityString(host: string, region: string, queryString?: string): string;
/**
* Replace the endpoints in the metadata object with their regional equivalents.
*
* @param metadata OpenIdConfigResponse
* @param azureRegion string
*/
static replaceWithRegionalInformation(metadata: OpenIdConfigResponse, azureRegion: string): OpenIdConfigResponse;
/**
* Transform CIAM_AUTHORIY as per the below rules:
* If no path segments found and it is a CIAM authority (hostname ends with .ciamlogin.com), then transform it
*
* NOTE: The transformation path should go away once STS supports CIAM with the format: `tenantIdorDomain.ciamlogin.com`
* `ciamlogin.com` can also change in the future and we should accommodate the same
*
* @param authority
*/
static transformCIAMAuthority(authority: string): string;
}
/**
* Extract tenantId from authority
*/
export declare function getTenantFromAuthorityString(authority: string): string | undefined;
export declare function formatAuthorityUri(authorityUri: string): string;
export declare function buildStaticAuthorityOptions(authOptions: Partial<AuthorityOptions>): StaticAuthorityOptions;
//# sourceMappingURL=Authority.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"Authority.d.ts","sourceRoot":"","sources":["../../src/authority/Authority.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAEH,oBAAoB,EACvB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAKtC,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAiB9D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AAEpE,OAAO,EACH,gBAAgB,EAEhB,sBAAsB,EACzB,MAAM,uBAAuB,CAAC;AAS/B,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAC1E,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AAKpF;;;;GAIG;AACH,qBAAa,SAAS;IAElB,OAAO,CAAC,mBAAmB,CAAY;IAEvC,OAAO,CAAC,gCAAgC,CAAc;IAEtD,SAAS,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAE3C,SAAS,CAAC,YAAY,EAAE,aAAa,CAAC;IAEtC,OAAO,CAAC,gBAAgB,CAAmB;IAE3C,OAAO,CAAC,QAAQ,CAA0B;IAE1C,OAAO,CAAC,eAAe,CAAkB;IAElC,uBAAuB,EAAE,uBAAuB,CAAC;IAExD,OAAO,CAAC,MAAM,CAAS;IAEvB,SAAS,CAAC,iBAAiB,EAAE,kBAAkB,GAAG,SAAS,CAAC;IAE5D,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC;IAEhC,OAAO,CAAC,eAAe,CAAU;IAEjC,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAMjC;gBAGC,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,cAAc,EAChC,YAAY,EAAE,aAAa,EAC3B,gBAAgB,EAAE,gBAAgB,EAClC,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,MAAM,EACrB,iBAAiB,CAAC,EAAE,kBAAkB,EACtC,eAAe,CAAC,EAAE,OAAO;IAwB7B;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAqBxB,IAAW,aAAa,IAAI,aAAa,CAExC;IAED;;OAEG;IACH,IAAW,YAAY,IAAI,YAAY,CAEtC;IAED;;OAEG;IACH,IAAW,OAAO,IAAI,gBAAgB,CAErC;IAED;;OAEG;IACH,IAAW,kBAAkB,IAAI,MAAM,CAEtC;IAED;;OAEG;IACH,IAAW,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAIxC;IAED;;OAEG;IACH,IAAW,+BAA+B,IAAI,IAAI,CAOjD;IAED;;OAEG;IACH,IAAW,eAAe,IAAI,MAAM,CAEnC;IAED;;OAEG;IACH,IAAW,MAAM,IAAI,MAAM,CAE1B;IAED;;OAEG;IACH,IAAW,qBAAqB,IAAI,MAAM,CAQzC;IAED;;OAEG;IACH,IAAW,aAAa,IAAI,MAAM,CAQjC;IAED,IAAW,kBAAkB,IAAI,MAAM,CAUtC;IAED;;OAEG;IACH,IAAW,kBAAkB,IAAI,MAAM,CActC;IAED;;OAEG;IACH,IAAW,qBAAqB,IAAI,MAAM,CAQzC;IAED;;OAEG;IACH,IAAW,OAAO,IAAI,MAAM,CAQ3B;IAED;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAWxB;;;OAGG;IACH,OAAO,CAAC,aAAa;IAIrB;;;OAGG;IACH,OAAO,CAAC,WAAW;IA2CnB;;OAEG;IACH,SAAS,KAAK,kCAAkC,IAAI,MAAM,CAWzD;IAED;;OAEG;IACH,iBAAiB,IAAI,OAAO;IAI5B;;;OAGG;IACU,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC;IAsCnD;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IAuBhC;;;;;;OAMG;IACH,OAAO,CAAC,oBAAoB;IAyB5B;;;OAGG;YACW,sBAAsB;IA+EpC;;;;;OAKG;IACH,OAAO,CAAC,sCAAsC;IAuE9C;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAc3B;;OAEG;IACH,OAAO,CAAC,6BAA6B;IAgBrC;;;;OAIG;YACW,8BAA8B;IA0C5C;;OAEG;IACH,OAAO,CAAC,sCAAsC;IAQ9C;;;OAGG;YACW,qCAAqC;IAwDnD;;;;;OAKG;YACW,4BAA4B;IAqC1C,OAAO,CAAC,4CAA4C;IAoFpD;;OAEG;IACH,OAAO,CAAC,mCAAmC;IA6D3C;;;;OAIG;YACW,oCAAoC;IAqGlD;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAa5B;;;;OAIG;IACH,MAAM,CAAC,iBAAiB,CACpB,eAAe,EAAE,MAAM,EACvB,iBAAiB,CAAC,EAAE,iBAAiB,GACtC,MAAM;IAkBT;;;OAGG;IACH,MAAM,CAAC,oCAAoC,CACvC,IAAI,EAAE,MAAM,GACb,sBAAsB;IAQzB;;OAEG;IACH,iBAAiB,IAAI,MAAM;IAY3B;;;OAGG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI9B;;;OAGG;IACH,gCAAgC,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIvD;;;;;OAKG;IACH,MAAM,CAAC,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIpD;;;;;OAKG;IACH,MAAM,CAAC,4BAA4B,CAC/B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,WAAW,CAAC,EAAE,MAAM,GACrB,MAAM;IAyBT;;;;;OAKG;IACH,MAAM,CAAC,8BAA8B,CACjC,QAAQ,EAAE,oBAAoB,EAC9B,WAAW,EAAE,MAAM,GACpB,oBAAoB;IAyBvB;;;;;;;;OAQG;IACH,MAAM,CAAC,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAmB3D;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CACxC,SAAS,EAAE,MAAM,GAClB,MAAM,GAAG,SAAS,CAsBpB;AAED,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAI/D;AAED,wBAAgB,2BAA2B,CACvC,WAAW,EAAE,OAAO,CAAC,gBAAgB,CAAC,GACvC,sBAAsB,CAoBxB"}
@@ -0,0 +1,860 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { AuthorityType } from './AuthorityType.mjs';
import { isOpenIdConfigResponse } from './OpenIdConfigResponse.mjs';
import { UrlString } from '../url/UrlString.mjs';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { Constants, AuthorityMetadataSource, RegionDiscoveryOutcomes, AADAuthorityConstants } from '../utils/Constants.mjs';
import { EndpointMetadata, getCloudDiscoveryMetadataFromHardcodedValues, getCloudDiscoveryMetadataFromNetworkResponse, InstanceDiscoveryMetadataAliases } from './AuthorityMetadata.mjs';
import { createClientConfigurationError } from '../error/ClientConfigurationError.mjs';
import { ProtocolMode } from './ProtocolMode.mjs';
import { AzureCloudInstance } from './AuthorityOptions.mjs';
import { isCloudInstanceDiscoveryResponse } from './CloudInstanceDiscoveryResponse.mjs';
import { isCloudInstanceDiscoveryErrorResponse } from './CloudInstanceDiscoveryErrorResponse.mjs';
import { RegionDiscovery } from './RegionDiscovery.mjs';
import { AuthError } from '../error/AuthError.mjs';
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
import { invokeAsync } from '../utils/FunctionWrappers.mjs';
import { generateAuthorityMetadataExpiresAt, updateAuthorityEndpointMetadata, isAuthorityMetadataExpired, updateCloudDiscoveryMetadata } from '../cache/utils/CacheHelpers.mjs';
import { endpointResolutionError, endSessionEndpointNotSupported, openIdConfigError } from '../error/ClientAuthErrorCodes.mjs';
import { invalidAuthorityMetadata, untrustedAuthority, invalidCloudDiscoveryMetadata } from '../error/ClientConfigurationErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* The authority class validates the authority URIs used by the user, and retrieves the OpenID Configuration Data from the
* endpoint. It will store the pertinent config data in this object for use during token calls.
* @internal
*/
class Authority {
constructor(authority, networkInterface, cacheManager, authorityOptions, logger, correlationId, performanceClient, managedIdentity) {
this.canonicalAuthority = authority;
this._canonicalAuthority.validateAsUri();
this.networkInterface = networkInterface;
this.cacheManager = cacheManager;
this.authorityOptions = authorityOptions;
this.regionDiscoveryMetadata = {
region_used: undefined,
region_source: undefined,
region_outcome: undefined,
};
this.logger = logger;
this.performanceClient = performanceClient;
this.correlationId = correlationId;
this.managedIdentity = managedIdentity || false;
this.regionDiscovery = new RegionDiscovery(networkInterface, this.logger, this.performanceClient, this.correlationId);
}
/**
* Get {@link AuthorityType}
* @param authorityUri {@link IUri}
* @private
*/
getAuthorityType(authorityUri) {
// CIAM auth url pattern is being standardized as: <tenant>.ciamlogin.com
if (authorityUri.HostNameAndPort.endsWith(Constants.CIAM_AUTH_URL)) {
return AuthorityType.Ciam;
}
const pathSegments = authorityUri.PathSegments;
if (pathSegments.length) {
switch (pathSegments[0].toLowerCase()) {
case Constants.ADFS:
return AuthorityType.Adfs;
case Constants.DSTS:
return AuthorityType.Dsts;
}
}
return AuthorityType.Default;
}
// See above for AuthorityType
get authorityType() {
return this.getAuthorityType(this.canonicalAuthorityUrlComponents);
}
/**
* ProtocolMode enum representing the way endpoints are constructed.
*/
get protocolMode() {
return this.authorityOptions.protocolMode;
}
/**
* Returns authorityOptions which can be used to reinstantiate a new authority instance
*/
get options() {
return this.authorityOptions;
}
/**
* A URL that is the authority set by the developer
*/
get canonicalAuthority() {
return this._canonicalAuthority.urlString;
}
/**
* Sets canonical authority.
*/
set canonicalAuthority(url) {
this._canonicalAuthority = new UrlString(url);
this._canonicalAuthority.validateAsUri();
this._canonicalAuthorityUrlComponents = null;
}
/**
* Get authority components.
*/
get canonicalAuthorityUrlComponents() {
if (!this._canonicalAuthorityUrlComponents) {
this._canonicalAuthorityUrlComponents =
this._canonicalAuthority.getUrlComponents();
}
return this._canonicalAuthorityUrlComponents;
}
/**
* Get hostname and port i.e. login.microsoftonline.com
*/
get hostnameAndPort() {
return this.canonicalAuthorityUrlComponents.HostNameAndPort.toLowerCase();
}
/**
* Get tenant for authority.
*/
get tenant() {
return this.canonicalAuthorityUrlComponents.PathSegments[0];
}
/**
* OAuth /authorize endpoint for requests
*/
get authorizationEndpoint() {
if (this.discoveryComplete()) {
return this.replacePath(this.metadata.authorization_endpoint);
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
/**
* OAuth /token endpoint for requests
*/
get tokenEndpoint() {
if (this.discoveryComplete()) {
return this.replacePath(this.metadata.token_endpoint);
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
get deviceCodeEndpoint() {
if (this.discoveryComplete()) {
return this.replacePath(this.metadata.token_endpoint.replace("/token", "/devicecode"));
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
/**
* OAuth logout endpoint for requests
*/
get endSessionEndpoint() {
if (this.discoveryComplete()) {
// ROPC policies may not have end_session_endpoint set
if (!this.metadata.end_session_endpoint) {
throw createClientAuthError(endSessionEndpointNotSupported);
}
return this.replacePath(this.metadata.end_session_endpoint);
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
/**
* OAuth issuer for requests
*/
get selfSignedJwtAudience() {
if (this.discoveryComplete()) {
return this.replacePath(this.metadata.issuer);
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
/**
* Jwks_uri for token signing keys
*/
get jwksUri() {
if (this.discoveryComplete()) {
return this.replacePath(this.metadata.jwks_uri);
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
/**
* Returns a flag indicating that tenant name can be replaced in authority {@link IUri}
* @param authorityUri {@link IUri}
* @private
*/
canReplaceTenant(authorityUri) {
return (authorityUri.PathSegments.length === 1 &&
!Authority.reservedTenantDomains.has(authorityUri.PathSegments[0]) &&
this.getAuthorityType(authorityUri) === AuthorityType.Default &&
this.protocolMode !== ProtocolMode.OIDC);
}
/**
* Replaces tenant in url path with current tenant. Defaults to common.
* @param urlString
*/
replaceTenant(urlString) {
return urlString.replace(/{tenant}|{tenantid}/g, this.tenant);
}
/**
* Replaces path such as tenant or policy with the current tenant or policy.
* @param urlString
*/
replacePath(urlString) {
let endpoint = urlString;
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority);
const cachedAuthorityUrlComponents = cachedAuthorityUrl.getUrlComponents();
const cachedAuthorityParts = cachedAuthorityUrlComponents.PathSegments;
const currentAuthorityParts = this.canonicalAuthorityUrlComponents.PathSegments;
currentAuthorityParts.forEach((currentPart, index) => {
let cachedPart = cachedAuthorityParts[index];
if (index === 0 &&
this.canReplaceTenant(cachedAuthorityUrlComponents)) {
const tenantId = new UrlString(this.metadata.authorization_endpoint).getUrlComponents().PathSegments[0];
/**
* Check if AAD canonical authority contains tenant domain name, for example "testdomain.onmicrosoft.com",
* by comparing its first path segment to the corresponding authorization endpoint path segment, which is
* always resolved with tenant id by OIDC.
*/
if (cachedPart !== tenantId) {
this.logger.verbose(`Replacing tenant domain name ${cachedPart} with id ${tenantId}`);
cachedPart = tenantId;
}
}
if (currentPart !== cachedPart) {
endpoint = endpoint.replace(`/${cachedPart}/`, `/${currentPart}/`);
}
});
return this.replaceTenant(endpoint);
}
/**
* The default open id configuration endpoint for any canonical authority.
*/
get defaultOpenIdConfigurationEndpoint() {
const canonicalAuthorityHost = this.hostnameAndPort;
if (this.canonicalAuthority.endsWith("v2.0/") ||
this.authorityType === AuthorityType.Adfs ||
(this.protocolMode === ProtocolMode.OIDC &&
!this.isAliasOfKnownMicrosoftAuthority(canonicalAuthorityHost))) {
return `${this.canonicalAuthority}.well-known/openid-configuration`;
}
return `${this.canonicalAuthority}v2.0/.well-known/openid-configuration`;
}
/**
* Boolean that returns whether or not tenant discovery has been completed.
*/
discoveryComplete() {
return !!this.metadata;
}
/**
* Perform endpoint discovery to discover aliases, preferred_cache, preferred_network
* and the /authorize, /token and logout endpoints.
*/
async resolveEndpointsAsync() {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityResolveEndpointsAsync, this.correlationId);
const metadataEntity = this.getCurrentMetadataEntity();
const cloudDiscoverySource = await invokeAsync(this.updateCloudDiscoveryMetadata.bind(this), PerformanceEvents.AuthorityUpdateCloudDiscoveryMetadata, this.logger, this.performanceClient, this.correlationId)(metadataEntity);
this.canonicalAuthority = this.canonicalAuthority.replace(this.hostnameAndPort, metadataEntity.preferred_network);
const endpointSource = await invokeAsync(this.updateEndpointMetadata.bind(this), PerformanceEvents.AuthorityUpdateEndpointMetadata, this.logger, this.performanceClient, this.correlationId)(metadataEntity);
this.updateCachedMetadata(metadataEntity, cloudDiscoverySource, {
source: endpointSource,
});
this.performanceClient?.addFields({
cloudDiscoverySource: cloudDiscoverySource,
authorityEndpointSource: endpointSource,
}, this.correlationId);
}
/**
* Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
* from the configured canonical authority
* @returns
*/
getCurrentMetadataEntity() {
let metadataEntity = this.cacheManager.getAuthorityMetadataByAlias(this.hostnameAndPort);
if (!metadataEntity) {
metadataEntity = {
aliases: [],
preferred_cache: this.hostnameAndPort,
preferred_network: this.hostnameAndPort,
canonical_authority: this.canonicalAuthority,
authorization_endpoint: "",
token_endpoint: "",
end_session_endpoint: "",
issuer: "",
aliasesFromNetwork: false,
endpointsFromNetwork: false,
expiresAt: generateAuthorityMetadataExpiresAt(),
jwks_uri: "",
};
}
return metadataEntity;
}
/**
* Updates cached metadata based on metadata source and sets the instance's metadata
* property to the same value
* @param metadataEntity
* @param cloudDiscoverySource
* @param endpointMetadataResult
*/
updateCachedMetadata(metadataEntity, cloudDiscoverySource, endpointMetadataResult) {
if (cloudDiscoverySource !== AuthorityMetadataSource.CACHE &&
endpointMetadataResult?.source !== AuthorityMetadataSource.CACHE) {
// Reset the expiration time unless both values came from a successful cache lookup
metadataEntity.expiresAt =
generateAuthorityMetadataExpiresAt();
metadataEntity.canonical_authority = this.canonicalAuthority;
}
const cacheKey = this.cacheManager.generateAuthorityMetadataCacheKey(metadataEntity.preferred_cache);
this.cacheManager.setAuthorityMetadata(cacheKey, metadataEntity);
this.metadata = metadataEntity;
}
/**
* Update AuthorityMetadataEntity with new endpoints and return where the information came from
* @param metadataEntity
*/
async updateEndpointMetadata(metadataEntity) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityUpdateEndpointMetadata, this.correlationId);
const localMetadata = this.updateEndpointMetadataFromLocalSources(metadataEntity);
// Further update may be required for hardcoded metadata if regional metadata is preferred
if (localMetadata) {
if (localMetadata.source ===
AuthorityMetadataSource.HARDCODED_VALUES) {
// If the user prefers to use an azure region replace the global endpoints with regional information.
if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
if (localMetadata.metadata) {
const hardcodedMetadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), PerformanceEvents.AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(localMetadata.metadata);
updateAuthorityEndpointMetadata(metadataEntity, hardcodedMetadata, false);
metadataEntity.canonical_authority =
this.canonicalAuthority;
}
}
}
return localMetadata.source;
}
// Get metadata from network if local sources aren't available
let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), PerformanceEvents.AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
if (metadata) {
// If the user prefers to use an azure region replace the global endpoints with regional information.
if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), PerformanceEvents.AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
}
updateAuthorityEndpointMetadata(metadataEntity, metadata, true);
return AuthorityMetadataSource.NETWORK;
}
else {
// Metadata could not be obtained from the config, cache, network or hardcoded values
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint);
}
}
/**
* Updates endpoint metadata from local sources and returns where the information was retrieved from and the metadata config
* response if the source is hardcoded metadata
* @param metadataEntity
* @returns
*/
updateEndpointMetadataFromLocalSources(metadataEntity) {
this.logger.verbose("Attempting to get endpoint metadata from authority configuration");
const configMetadata = this.getEndpointMetadataFromConfig();
if (configMetadata) {
this.logger.verbose("Found endpoint metadata in authority configuration");
updateAuthorityEndpointMetadata(metadataEntity, configMetadata, false);
return {
source: AuthorityMetadataSource.CONFIG,
};
}
this.logger.verbose("Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.");
// skipAuthorityMetadataCache is used to bypass hardcoded authority metadata and force a network metadata cache lookup and network metadata request if no cached response is available.
if (this.authorityOptions.skipAuthorityMetadataCache) {
this.logger.verbose("Skipping hardcoded metadata cache since skipAuthorityMetadataCache is set to true. Attempting to get endpoint metadata from the network metadata cache.");
}
else {
const hardcodedMetadata = this.getEndpointMetadataFromHardcodedValues();
if (hardcodedMetadata) {
updateAuthorityEndpointMetadata(metadataEntity, hardcodedMetadata, false);
return {
source: AuthorityMetadataSource.HARDCODED_VALUES,
metadata: hardcodedMetadata,
};
}
else {
this.logger.verbose("Did not find endpoint metadata in hardcoded values... Attempting to get endpoint metadata from the network metadata cache.");
}
}
// Check cached metadata entity expiration status
const metadataEntityExpired = isAuthorityMetadataExpired(metadataEntity);
if (this.isAuthoritySameType(metadataEntity) &&
metadataEntity.endpointsFromNetwork &&
!metadataEntityExpired) {
// No need to update
this.logger.verbose("Found endpoint metadata in the cache.");
return { source: AuthorityMetadataSource.CACHE };
}
else if (metadataEntityExpired) {
this.logger.verbose("The metadata entity is expired.");
}
return null;
}
/**
* Compares the number of url components after the domain to determine if the cached
* authority metadata can be used for the requested authority. Protects against same domain different
* authority such as login.microsoftonline.com/tenant and login.microsoftonline.com/tfp/tenant/policy
* @param metadataEntity
*/
isAuthoritySameType(metadataEntity) {
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority);
const cachedParts = cachedAuthorityUrl.getUrlComponents().PathSegments;
return (cachedParts.length ===
this.canonicalAuthorityUrlComponents.PathSegments.length);
}
/**
* Parse authorityMetadata config option
*/
getEndpointMetadataFromConfig() {
if (this.authorityOptions.authorityMetadata) {
try {
return JSON.parse(this.authorityOptions.authorityMetadata);
}
catch (e) {
throw createClientConfigurationError(invalidAuthorityMetadata);
}
}
return null;
}
/**
* Gets OAuth endpoints from the given OpenID configuration endpoint.
*
* @param hasHardcodedMetadata boolean
*/
async getEndpointMetadataFromNetwork() {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityGetEndpointMetadataFromNetwork, this.correlationId);
const options = {};
/*
* TODO: Add a timeout if the authority exists in our library's
* hardcoded list of metadata
*/
const openIdConfigurationEndpoint = this.defaultOpenIdConfigurationEndpoint;
this.logger.verbose(`Authority.getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from ${openIdConfigurationEndpoint}`);
try {
const response = await this.networkInterface.sendGetRequestAsync(openIdConfigurationEndpoint, options);
const isValidResponse = isOpenIdConfigResponse(response.body);
if (isValidResponse) {
return response.body;
}
else {
this.logger.verbose(`Authority.getEndpointMetadataFromNetwork: could not parse response as OpenID configuration`);
return null;
}
}
catch (e) {
this.logger.verbose(`Authority.getEndpointMetadataFromNetwork: ${e}`);
return null;
}
}
/**
* Get OAuth endpoints for common authorities.
*/
getEndpointMetadataFromHardcodedValues() {
if (this.hostnameAndPort in EndpointMetadata) {
return EndpointMetadata[this.hostnameAndPort];
}
return null;
}
/**
* Update the retrieved metadata with regional information.
* User selected Azure region will be used if configured.
*/
async updateMetadataWithRegionalInformation(metadata) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityUpdateMetadataWithRegionalInformation, this.correlationId);
const userConfiguredAzureRegion = this.authorityOptions.azureRegionConfiguration?.azureRegion;
if (userConfiguredAzureRegion) {
if (userConfiguredAzureRegion !==
Constants.AZURE_REGION_AUTO_DISCOVER_FLAG) {
this.regionDiscoveryMetadata.region_outcome =
RegionDiscoveryOutcomes.CONFIGURED_NO_AUTO_DETECTION;
this.regionDiscoveryMetadata.region_used =
userConfiguredAzureRegion;
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion);
}
const autodetectedRegionName = await invokeAsync(this.regionDiscovery.detectRegion.bind(this.regionDiscovery), PerformanceEvents.RegionDiscoveryDetectRegion, this.logger, this.performanceClient, this.correlationId)(this.authorityOptions.azureRegionConfiguration
?.environmentRegion, this.regionDiscoveryMetadata);
if (autodetectedRegionName) {
this.regionDiscoveryMetadata.region_outcome =
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_SUCCESSFUL;
this.regionDiscoveryMetadata.region_used =
autodetectedRegionName;
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName);
}
this.regionDiscoveryMetadata.region_outcome =
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_FAILED;
}
return metadata;
}
/**
* Updates the AuthorityMetadataEntity with new aliases, preferred_network and preferred_cache
* and returns where the information was retrieved from
* @param metadataEntity
* @returns AuthorityMetadataSource
*/
async updateCloudDiscoveryMetadata(metadataEntity) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityUpdateCloudDiscoveryMetadata, this.correlationId);
const localMetadataSource = this.updateCloudDiscoveryMetadataFromLocalSources(metadataEntity);
if (localMetadataSource) {
return localMetadataSource;
}
// Fallback to network as metadata source
const metadata = await invokeAsync(this.getCloudDiscoveryMetadataFromNetwork.bind(this), PerformanceEvents.AuthorityGetCloudDiscoveryMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
if (metadata) {
updateCloudDiscoveryMetadata(metadataEntity, metadata, true);
return AuthorityMetadataSource.NETWORK;
}
// Metadata could not be obtained from the config, cache, network or hardcoded values
throw createClientConfigurationError(untrustedAuthority);
}
updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
this.logger.verbose("Attempting to get cloud discovery metadata from authority configuration");
this.logger.verbosePii(`Known Authorities: ${this.authorityOptions.knownAuthorities ||
Constants.NOT_APPLICABLE}`);
this.logger.verbosePii(`Authority Metadata: ${this.authorityOptions.authorityMetadata ||
Constants.NOT_APPLICABLE}`);
this.logger.verbosePii(`Canonical Authority: ${metadataEntity.canonical_authority || Constants.NOT_APPLICABLE}`);
const metadata = this.getCloudDiscoveryMetadataFromConfig();
if (metadata) {
this.logger.verbose("Found cloud discovery metadata in authority configuration");
updateCloudDiscoveryMetadata(metadataEntity, metadata, false);
return AuthorityMetadataSource.CONFIG;
}
// If the cached metadata came from config but that config was not passed to this instance, we must go to hardcoded values
this.logger.verbose("Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.");
if (this.options.skipAuthorityMetadataCache) {
this.logger.verbose("Skipping hardcoded cloud discovery metadata cache since skipAuthorityMetadataCache is set to true. Attempting to get cloud discovery metadata from the network metadata cache.");
}
else {
const hardcodedMetadata = getCloudDiscoveryMetadataFromHardcodedValues(this.hostnameAndPort);
if (hardcodedMetadata) {
this.logger.verbose("Found cloud discovery metadata from hardcoded values.");
updateCloudDiscoveryMetadata(metadataEntity, hardcodedMetadata, false);
return AuthorityMetadataSource.HARDCODED_VALUES;
}
this.logger.verbose("Did not find cloud discovery metadata in hardcoded values... Attempting to get cloud discovery metadata from the network metadata cache.");
}
const metadataEntityExpired = isAuthorityMetadataExpired(metadataEntity);
if (this.isAuthoritySameType(metadataEntity) &&
metadataEntity.aliasesFromNetwork &&
!metadataEntityExpired) {
this.logger.verbose("Found cloud discovery metadata in the cache.");
// No need to update
return AuthorityMetadataSource.CACHE;
}
else if (metadataEntityExpired) {
this.logger.verbose("The metadata entity is expired.");
}
return null;
}
/**
* Parse cloudDiscoveryMetadata config or check knownAuthorities
*/
getCloudDiscoveryMetadataFromConfig() {
// CIAM does not support cloud discovery metadata
if (this.authorityType === AuthorityType.Ciam) {
this.logger.verbose("CIAM authorities do not support cloud discovery metadata, generate the aliases from authority host.");
return Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
}
// Check if network response was provided in config
if (this.authorityOptions.cloudDiscoveryMetadata) {
this.logger.verbose("The cloud discovery metadata has been provided as a network response, in the config.");
try {
this.logger.verbose("Attempting to parse the cloud discovery metadata.");
const parsedResponse = JSON.parse(this.authorityOptions.cloudDiscoveryMetadata);
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(parsedResponse.metadata, this.hostnameAndPort);
this.logger.verbose("Parsed the cloud discovery metadata.");
if (metadata) {
this.logger.verbose("There is returnable metadata attached to the parsed cloud discovery metadata.");
return metadata;
}
else {
this.logger.verbose("There is no metadata attached to the parsed cloud discovery metadata.");
}
}
catch (e) {
this.logger.verbose("Unable to parse the cloud discovery metadata. Throwing Invalid Cloud Discovery Metadata Error.");
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
}
}
// If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
if (this.isInKnownAuthorities()) {
this.logger.verbose("The host is included in knownAuthorities. Creating new cloud discovery metadata from the host.");
return Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
}
return null;
}
/**
* Called to get metadata from network if CloudDiscoveryMetadata was not populated by config
*
* @param hasHardcodedMetadata boolean
*/
async getCloudDiscoveryMetadataFromNetwork() {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityGetCloudDiscoveryMetadataFromNetwork, this.correlationId);
const instanceDiscoveryEndpoint = `${Constants.AAD_INSTANCE_DISCOVERY_ENDPT}${this.canonicalAuthority}oauth2/v2.0/authorize`;
const options = {};
/*
* TODO: Add a timeout if the authority exists in our library's
* hardcoded list of metadata
*/
let match = null;
try {
const response = await this.networkInterface.sendGetRequestAsync(instanceDiscoveryEndpoint, options);
let typedResponseBody;
let metadata;
if (isCloudInstanceDiscoveryResponse(response.body)) {
typedResponseBody =
response.body;
metadata = typedResponseBody.metadata;
this.logger.verbosePii(`tenant_discovery_endpoint is: ${typedResponseBody.tenant_discovery_endpoint}`);
}
else if (isCloudInstanceDiscoveryErrorResponse(response.body)) {
this.logger.warning(`A CloudInstanceDiscoveryErrorResponse was returned. The cloud instance discovery network request's status code is: ${response.status}`);
typedResponseBody =
response.body;
if (typedResponseBody.error === Constants.INVALID_INSTANCE) {
this.logger.error("The CloudInstanceDiscoveryErrorResponse error is invalid_instance.");
return null;
}
this.logger.warning(`The CloudInstanceDiscoveryErrorResponse error is ${typedResponseBody.error}`);
this.logger.warning(`The CloudInstanceDiscoveryErrorResponse error description is ${typedResponseBody.error_description}`);
this.logger.warning("Setting the value of the CloudInstanceDiscoveryMetadata (returned from the network) to []");
metadata = [];
}
else {
this.logger.error("AAD did not return a CloudInstanceDiscoveryResponse or CloudInstanceDiscoveryErrorResponse");
return null;
}
this.logger.verbose("Attempting to find a match between the developer's authority and the CloudInstanceDiscoveryMetadata returned from the network request.");
match = getCloudDiscoveryMetadataFromNetworkResponse(metadata, this.hostnameAndPort);
}
catch (error) {
if (error instanceof AuthError) {
this.logger.error(`There was a network error while attempting to get the cloud discovery instance metadata.\nError: ${error.errorCode}\nError Description: ${error.errorMessage}`);
}
else {
const typedError = error;
this.logger.error(`A non-MSALJS error was thrown while attempting to get the cloud instance discovery metadata.\nError: ${typedError.name}\nError Description: ${typedError.message}`);
}
return null;
}
// Custom Domain scenario, host is trusted because Instance Discovery call succeeded
if (!match) {
this.logger.warning("The developer's authority was not found within the CloudInstanceDiscoveryMetadata returned from the network request.");
this.logger.verbose("Creating custom Authority for custom domain scenario.");
match = Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
}
return match;
}
/**
* Helper function to determine if this host is included in the knownAuthorities config option
*/
isInKnownAuthorities() {
const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
return (authority &&
UrlString.getDomainFromUrl(authority).toLowerCase() ===
this.hostnameAndPort);
});
return matches.length > 0;
}
/**
* helper function to populate the authority based on azureCloudOptions
* @param authorityString
* @param azureCloudOptions
*/
static generateAuthority(authorityString, azureCloudOptions) {
let authorityAzureCloudInstance;
if (azureCloudOptions &&
azureCloudOptions.azureCloudInstance !== AzureCloudInstance.None) {
const tenant = azureCloudOptions.tenant
? azureCloudOptions.tenant
: Constants.DEFAULT_COMMON_TENANT;
authorityAzureCloudInstance = `${azureCloudOptions.azureCloudInstance}/${tenant}/`;
}
return authorityAzureCloudInstance
? authorityAzureCloudInstance
: authorityString;
}
/**
* Creates cloud discovery metadata object from a given host
* @param host
*/
static createCloudDiscoveryMetadataFromHost(host) {
return {
preferred_network: host,
preferred_cache: host,
aliases: [host],
};
}
/**
* helper function to generate environment from authority object
*/
getPreferredCache() {
if (this.managedIdentity) {
return Constants.DEFAULT_AUTHORITY_HOST;
}
else if (this.discoveryComplete()) {
return this.metadata.preferred_cache;
}
else {
throw createClientAuthError(endpointResolutionError);
}
}
/**
* Returns whether or not the provided host is an alias of this authority instance
* @param host
*/
isAlias(host) {
return this.metadata.aliases.indexOf(host) > -1;
}
/**
* Returns whether or not the provided host is an alias of a known Microsoft authority for purposes of endpoint discovery
* @param host
*/
isAliasOfKnownMicrosoftAuthority(host) {
return InstanceDiscoveryMetadataAliases.has(host);
}
/**
* Checks whether the provided host is that of a public cloud authority
*
* @param authority string
* @returns bool
*/
static isPublicCloudAuthority(host) {
return Constants.KNOWN_PUBLIC_CLOUDS.indexOf(host) >= 0;
}
/**
* Rebuild the authority string with the region
*
* @param host string
* @param region string
*/
static buildRegionalAuthorityString(host, region, queryString) {
// Create and validate a Url string object with the initial authority string
const authorityUrlInstance = new UrlString(host);
authorityUrlInstance.validateAsUri();
const authorityUrlParts = authorityUrlInstance.getUrlComponents();
let hostNameAndPort = `${region}.${authorityUrlParts.HostNameAndPort}`;
if (this.isPublicCloudAuthority(authorityUrlParts.HostNameAndPort)) {
hostNameAndPort = `${region}.${Constants.REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX}`;
}
// Include the query string portion of the url
const url = UrlString.constructAuthorityUriFromObject({
...authorityUrlInstance.getUrlComponents(),
HostNameAndPort: hostNameAndPort,
}).urlString;
// Add the query string if a query string was provided
if (queryString)
return `${url}?${queryString}`;
return url;
}
/**
* Replace the endpoints in the metadata object with their regional equivalents.
*
* @param metadata OpenIdConfigResponse
* @param azureRegion string
*/
static replaceWithRegionalInformation(metadata, azureRegion) {
const regionalMetadata = { ...metadata };
regionalMetadata.authorization_endpoint =
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion);
regionalMetadata.token_endpoint =
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion);
if (regionalMetadata.end_session_endpoint) {
regionalMetadata.end_session_endpoint =
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion);
}
return regionalMetadata;
}
/**
* Transform CIAM_AUTHORIY as per the below rules:
* If no path segments found and it is a CIAM authority (hostname ends with .ciamlogin.com), then transform it
*
* NOTE: The transformation path should go away once STS supports CIAM with the format: `tenantIdorDomain.ciamlogin.com`
* `ciamlogin.com` can also change in the future and we should accommodate the same
*
* @param authority
*/
static transformCIAMAuthority(authority) {
let ciamAuthority = authority;
const authorityUrl = new UrlString(authority);
const authorityUrlComponents = authorityUrl.getUrlComponents();
// check if transformation is needed
if (authorityUrlComponents.PathSegments.length === 0 &&
authorityUrlComponents.HostNameAndPort.endsWith(Constants.CIAM_AUTH_URL)) {
const tenantIdOrDomain = authorityUrlComponents.HostNameAndPort.split(".")[0];
ciamAuthority = `${ciamAuthority}${tenantIdOrDomain}${Constants.AAD_TENANT_DOMAIN_SUFFIX}`;
}
return ciamAuthority;
}
}
// Reserved tenant domain names that will not be replaced with tenant id
Authority.reservedTenantDomains = new Set([
"{tenant}",
"{tenantid}",
AADAuthorityConstants.COMMON,
AADAuthorityConstants.CONSUMERS,
AADAuthorityConstants.ORGANIZATIONS,
]);
/**
* Extract tenantId from authority
*/
function getTenantFromAuthorityString(authority) {
const authorityUrl = new UrlString(authority);
const authorityUrlComponents = authorityUrl.getUrlComponents();
/**
* For credential matching purposes, tenantId is the last path segment of the authority URL:
* AAD Authority - domain/tenantId -> Credentials are cached with realm = tenantId
* B2C Authority - domain/{tenantId}?/.../policy -> Credentials are cached with realm = policy
* tenantId is downcased because B2C policies can have mixed case but tfp claim is downcased
*
* Note that we may not have any path segments in certain OIDC scenarios.
*/
const tenantId = authorityUrlComponents.PathSegments.slice(-1)[0]?.toLowerCase();
switch (tenantId) {
case AADAuthorityConstants.COMMON:
case AADAuthorityConstants.ORGANIZATIONS:
case AADAuthorityConstants.CONSUMERS:
return undefined;
default:
return tenantId;
}
}
function formatAuthorityUri(authorityUri) {
return authorityUri.endsWith(Constants.FORWARD_SLASH)
? authorityUri
: `${authorityUri}${Constants.FORWARD_SLASH}`;
}
function buildStaticAuthorityOptions(authOptions) {
const rawCloudDiscoveryMetadata = authOptions.cloudDiscoveryMetadata;
let cloudDiscoveryMetadata = undefined;
if (rawCloudDiscoveryMetadata) {
try {
cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
}
catch (e) {
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
}
}
return {
canonicalAuthority: authOptions.authority
? formatAuthorityUri(authOptions.authority)
: undefined,
knownAuthorities: authOptions.knownAuthorities,
cloudDiscoveryMetadata: cloudDiscoveryMetadata,
};
}
export { Authority, buildStaticAuthorityOptions, formatAuthorityUri, getTenantFromAuthorityString };
//# sourceMappingURL=Authority.mjs.map
File diff suppressed because one or more lines are too long
@@ -0,0 +1,19 @@
import { Authority } from "./Authority.js";
import { INetworkModule } from "../network/INetworkModule.js";
import { ICacheManager } from "../cache/interface/ICacheManager.js";
import { AuthorityOptions } from "./AuthorityOptions.js";
import { Logger } from "../logger/Logger.js";
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
/**
* Create an authority object of the correct type based on the url
* Performs basic authority validation - checks to see if the authority is of a valid type (i.e. aad, b2c, adfs)
*
* Also performs endpoint discovery.
*
* @param authorityUri
* @param networkClient
* @param protocolMode
* @internal
*/
export declare function createDiscoveredInstance(authorityUri: string, networkClient: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions, logger: Logger, correlationId: string, performanceClient?: IPerformanceClient): Promise<Authority>;
//# sourceMappingURL=AuthorityFactory.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityFactory.d.ts","sourceRoot":"","sources":["../../src/authority/AuthorityFactory.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,SAAS,EAAsB,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAK9D,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AAIpF;;;;;;;;;;GAUG;AACH,wBAAsB,wBAAwB,CAC1C,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,cAAc,EAC7B,YAAY,EAAE,aAAa,EAC3B,gBAAgB,EAAE,gBAAgB,EAClC,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,MAAM,EACrB,iBAAiB,CAAC,EAAE,kBAAkB,GACvC,OAAO,CAAC,SAAS,CAAC,CAoCpB"}
@@ -0,0 +1,39 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { Authority, formatAuthorityUri } from './Authority.mjs';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
import { invokeAsync } from '../utils/FunctionWrappers.mjs';
import { endpointResolutionError } from '../error/ClientAuthErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Create an authority object of the correct type based on the url
* Performs basic authority validation - checks to see if the authority is of a valid type (i.e. aad, b2c, adfs)
*
* Also performs endpoint discovery.
*
* @param authorityUri
* @param networkClient
* @param protocolMode
* @internal
*/
async function createDiscoveredInstance(authorityUri, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient) {
performanceClient?.addQueueMeasurement(PerformanceEvents.AuthorityFactoryCreateDiscoveredInstance, correlationId);
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri));
// Initialize authority and perform discovery endpoint check.
const acquireTokenAuthority = new Authority(authorityUriFinal, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient);
try {
await invokeAsync(acquireTokenAuthority.resolveEndpointsAsync.bind(acquireTokenAuthority), PerformanceEvents.AuthorityResolveEndpointsAsync, logger, performanceClient, correlationId)();
return acquireTokenAuthority;
}
catch (e) {
throw createClientAuthError(endpointResolutionError);
}
}
export { createDiscoveredInstance };
//# sourceMappingURL=AuthorityFactory.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityFactory.mjs","sources":["../../src/authority/AuthorityFactory.ts"],"sourcesContent":[null],"names":["ClientAuthErrorCodes.endpointResolutionError"],"mappings":";;;;;;;;AAAA;;;AAGG;AAeH;;;;;;;;;;AAUG;AACI,eAAe,wBAAwB,CAC1C,YAAoB,EACpB,aAA6B,EAC7B,YAA2B,EAC3B,gBAAkC,EAClC,MAAc,EACd,aAAqB,EACrB,iBAAsC,EAAA;IAEtC,iBAAiB,EAAE,mBAAmB,CAClC,iBAAiB,CAAC,wCAAwC,EAC1D,aAAa,CAChB,CAAC;IACF,MAAM,iBAAiB,GAAG,SAAS,CAAC,sBAAsB,CACtD,kBAAkB,CAAC,YAAY,CAAC,CACnC,CAAC;;AAGF,IAAA,MAAM,qBAAqB,GAAc,IAAI,SAAS,CAClD,iBAAiB,EACjB,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,MAAM,EACN,aAAa,EACb,iBAAiB,CACpB,CAAC;IAEF,IAAI;QACA,MAAM,WAAW,CACb,qBAAqB,CAAC,qBAAqB,CAAC,IAAI,CAC5C,qBAAqB,CACxB,EACD,iBAAiB,CAAC,8BAA8B,EAChD,MAAM,EACN,iBAAiB,EACjB,aAAa,CAChB,EAAE,CAAC;AACJ,QAAA,OAAO,qBAAqB,CAAC;AAChC,KAAA;AAAC,IAAA,OAAO,CAAC,EAAE;AACR,QAAA,MAAM,qBAAqB,CACvBA,uBAA4C,CAC/C,CAAC;AACL,KAAA;AACL;;;;"}
@@ -0,0 +1,44 @@
import { Logger } from "../logger/Logger.js";
import { AuthorityMetadataSource } from "../utils/Constants.js";
import { StaticAuthorityOptions } from "./AuthorityOptions.js";
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata.js";
import { CloudInstanceDiscoveryResponse } from "./CloudInstanceDiscoveryResponse.js";
import { OpenIdConfigResponse } from "./OpenIdConfigResponse.js";
type RawMetadata = {
endpointMetadata: {
[key: string]: OpenIdConfigResponse;
};
instanceDiscoveryMetadata: CloudInstanceDiscoveryResponse;
};
export declare const rawMetdataJSON: RawMetadata;
export declare const EndpointMetadata: {
[key: string]: OpenIdConfigResponse;
};
export declare const InstanceDiscoveryMetadata: CloudInstanceDiscoveryResponse;
export declare const InstanceDiscoveryMetadataAliases: Set<String>;
/**
* Attempts to get an aliases array from the static authority metadata sources based on the canonical authority host
* @param staticAuthorityOptions
* @param logger
* @returns
*/
export declare function getAliasesFromStaticSources(staticAuthorityOptions: StaticAuthorityOptions, logger?: Logger): string[];
/**
* Returns aliases for from the raw cloud discovery metadata passed in
* @param authorityHost
* @param rawCloudDiscoveryMetadata
* @returns
*/
export declare function getAliasesFromMetadata(authorityHost?: string, cloudDiscoveryMetadata?: CloudDiscoveryMetadata[], source?: AuthorityMetadataSource, logger?: Logger): string[] | null;
/**
* Get cloud discovery metadata for common authorities
*/
export declare function getCloudDiscoveryMetadataFromHardcodedValues(authorityHost: string): CloudDiscoveryMetadata | null;
/**
* Searches instance discovery network response for the entry that contains the host in the aliases list
* @param response
* @param authority
*/
export declare function getCloudDiscoveryMetadataFromNetworkResponse(response: CloudDiscoveryMetadata[], authorityHost: string): CloudDiscoveryMetadata | null;
export {};
//# sourceMappingURL=AuthorityMetadata.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityMetadata.d.ts","sourceRoot":"","sources":["../../src/authority/AuthorityMetadata.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAEjE,KAAK,WAAW,GAAG;IACf,gBAAgB,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAAA;KAAE,CAAC;IAC1D,yBAAyB,EAAE,8BAA8B,CAAC;CAC7D,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,WA8E5B,CAAC;AAEF,eAAO,MAAM,gBAAgB;;CAAkC,CAAC;AAChE,eAAO,MAAM,yBAAyB,gCACM,CAAC;AAE7C,eAAO,MAAM,gCAAgC,EAAE,GAAG,CAAC,MAAM,CAAa,CAAC;AASvE;;;;;GAKG;AACH,wBAAgB,2BAA2B,CACvC,sBAAsB,EAAE,sBAAsB,EAC9C,MAAM,CAAC,EAAE,MAAM,GAChB,MAAM,EAAE,CAwBV;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAClC,aAAa,CAAC,EAAE,MAAM,EACtB,sBAAsB,CAAC,EAAE,sBAAsB,EAAE,EACjD,MAAM,CAAC,EAAE,uBAAuB,EAChC,MAAM,CAAC,EAAE,MAAM,GAChB,MAAM,EAAE,GAAG,IAAI,CAqBjB;AAED;;GAEG;AACH,wBAAgB,4CAA4C,CACxD,aAAa,EAAE,MAAM,GACtB,sBAAsB,GAAG,IAAI,CAM/B;AAED;;;;GAIG;AACH,wBAAgB,4CAA4C,CACxD,QAAQ,EAAE,sBAAsB,EAAE,EAClC,aAAa,EAAE,MAAM,GACtB,sBAAsB,GAAG,IAAI,CAS/B"}
@@ -0,0 +1,144 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { UrlString } from '../url/UrlString.mjs';
import { AuthorityMetadataSource } from '../utils/Constants.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
const rawMetdataJSON = {
endpointMetadata: {
"login.microsoftonline.com": {
token_endpoint: "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token",
jwks_uri: "https://login.microsoftonline.com/{tenantid}/discovery/v2.0/keys",
issuer: "https://login.microsoftonline.com/{tenantid}/v2.0",
authorization_endpoint: "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize",
end_session_endpoint: "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout",
},
"login.chinacloudapi.cn": {
token_endpoint: "https://login.chinacloudapi.cn/{tenantid}/oauth2/v2.0/token",
jwks_uri: "https://login.chinacloudapi.cn/{tenantid}/discovery/v2.0/keys",
issuer: "https://login.partner.microsoftonline.cn/{tenantid}/v2.0",
authorization_endpoint: "https://login.chinacloudapi.cn/{tenantid}/oauth2/v2.0/authorize",
end_session_endpoint: "https://login.chinacloudapi.cn/{tenantid}/oauth2/v2.0/logout",
},
"login.microsoftonline.us": {
token_endpoint: "https://login.microsoftonline.us/{tenantid}/oauth2/v2.0/token",
jwks_uri: "https://login.microsoftonline.us/{tenantid}/discovery/v2.0/keys",
issuer: "https://login.microsoftonline.us/{tenantid}/v2.0",
authorization_endpoint: "https://login.microsoftonline.us/{tenantid}/oauth2/v2.0/authorize",
end_session_endpoint: "https://login.microsoftonline.us/{tenantid}/oauth2/v2.0/logout",
},
},
instanceDiscoveryMetadata: {
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
};
const EndpointMetadata = rawMetdataJSON.endpointMetadata;
const InstanceDiscoveryMetadata = rawMetdataJSON.instanceDiscoveryMetadata;
const InstanceDiscoveryMetadataAliases = new Set();
InstanceDiscoveryMetadata.metadata.forEach((metadataEntry) => {
metadataEntry.aliases.forEach((alias) => {
InstanceDiscoveryMetadataAliases.add(alias);
});
});
/**
* Attempts to get an aliases array from the static authority metadata sources based on the canonical authority host
* @param staticAuthorityOptions
* @param logger
* @returns
*/
function getAliasesFromStaticSources(staticAuthorityOptions, logger) {
let staticAliases;
const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
if (canonicalAuthority) {
const authorityHost = new UrlString(canonicalAuthority).getUrlComponents().HostNameAndPort;
staticAliases =
getAliasesFromMetadata(authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata, AuthorityMetadataSource.CONFIG, logger) ||
getAliasesFromMetadata(authorityHost, InstanceDiscoveryMetadata.metadata, AuthorityMetadataSource.HARDCODED_VALUES, logger) ||
staticAuthorityOptions.knownAuthorities;
}
return staticAliases || [];
}
/**
* Returns aliases for from the raw cloud discovery metadata passed in
* @param authorityHost
* @param rawCloudDiscoveryMetadata
* @returns
*/
function getAliasesFromMetadata(authorityHost, cloudDiscoveryMetadata, source, logger) {
logger?.trace(`getAliasesFromMetadata called with source: ${source}`);
if (authorityHost && cloudDiscoveryMetadata) {
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(cloudDiscoveryMetadata, authorityHost);
if (metadata) {
logger?.trace(`getAliasesFromMetadata: found cloud discovery metadata in ${source}, returning aliases`);
return metadata.aliases;
}
else {
logger?.trace(`getAliasesFromMetadata: did not find cloud discovery metadata in ${source}`);
}
}
return null;
}
/**
* Get cloud discovery metadata for common authorities
*/
function getCloudDiscoveryMetadataFromHardcodedValues(authorityHost) {
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(InstanceDiscoveryMetadata.metadata, authorityHost);
return metadata;
}
/**
* Searches instance discovery network response for the entry that contains the host in the aliases list
* @param response
* @param authority
*/
function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
for (let i = 0; i < response.length; i++) {
const metadata = response[i];
if (metadata.aliases.includes(authorityHost)) {
return metadata;
}
}
return null;
}
export { EndpointMetadata, InstanceDiscoveryMetadata, InstanceDiscoveryMetadataAliases, getAliasesFromMetadata, getAliasesFromStaticSources, getCloudDiscoveryMetadataFromHardcodedValues, getCloudDiscoveryMetadataFromNetworkResponse, rawMetdataJSON };
//# sourceMappingURL=AuthorityMetadata.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityMetadata.mjs","sources":["../../src/authority/AuthorityMetadata.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;;AAAA;;;AAGG;AAeU,MAAA,cAAc,GAAgB;AACvC,IAAA,gBAAgB,EAAE;AACd,QAAA,2BAA2B,EAAE;AACzB,YAAA,cAAc,EACV,gEAAgE;AACpE,YAAA,QAAQ,EACJ,kEAAkE;AACtE,YAAA,MAAM,EAAE,mDAAmD;AAC3D,YAAA,sBAAsB,EAClB,oEAAoE;AACxE,YAAA,oBAAoB,EAChB,iEAAiE;AACxE,SAAA;AACD,QAAA,wBAAwB,EAAE;AACtB,YAAA,cAAc,EACV,6DAA6D;AACjE,YAAA,QAAQ,EACJ,+DAA+D;AACnE,YAAA,MAAM,EAAE,0DAA0D;AAClE,YAAA,sBAAsB,EAClB,iEAAiE;AACrE,YAAA,oBAAoB,EAChB,8DAA8D;AACrE,SAAA;AACD,QAAA,0BAA0B,EAAE;AACxB,YAAA,cAAc,EACV,+DAA+D;AACnE,YAAA,QAAQ,EACJ,iEAAiE;AACrE,YAAA,MAAM,EAAE,kDAAkD;AAC1D,YAAA,sBAAsB,EAClB,mEAAmE;AACvE,YAAA,oBAAoB,EAChB,gEAAgE;AACvE,SAAA;AACJ,KAAA;AACD,IAAA,yBAAyB,EAAE;AACvB,QAEA,QAAQ,EAAE;AACN,YAAA;AACI,gBAAA,iBAAiB,EAAE,2BAA2B;AAC9C,gBAAA,eAAe,EAAE,mBAAmB;AACpC,gBAAA,OAAO,EAAE;oBACL,2BAA2B;oBAC3B,mBAAmB;oBACnB,qBAAqB;oBACrB,iBAAiB;AACpB,iBAAA;AACJ,aAAA;AACD,YAAA;AACI,gBAAA,iBAAiB,EAAE,kCAAkC;AACrD,gBAAA,eAAe,EAAE,kCAAkC;AACnD,gBAAA,OAAO,EAAE;oBACL,kCAAkC;oBAClC,wBAAwB;AAC3B,iBAAA;AACJ,aAAA;AACD,YAAA;AACI,gBAAA,iBAAiB,EAAE,0BAA0B;AAC7C,gBAAA,eAAe,EAAE,0BAA0B;gBAC3C,OAAO,EAAE,CAAC,0BAA0B,CAAC;AACxC,aAAA;AACD,YAAA;AACI,gBAAA,iBAAiB,EAAE,0BAA0B;AAC7C,gBAAA,eAAe,EAAE,0BAA0B;AAC3C,gBAAA,OAAO,EAAE;oBACL,0BAA0B;oBAC1B,yBAAyB;AAC5B,iBAAA;AACJ,aAAA;AACD,YAAA;AACI,gBAAA,iBAAiB,EAAE,8BAA8B;AACjD,gBAAA,eAAe,EAAE,8BAA8B;gBAC/C,OAAO,EAAE,CAAC,8BAA8B,CAAC;AAC5C,aAAA;AACJ,SAAA;AACJ,KAAA;EACH;AAEW,MAAA,gBAAgB,GAAG,cAAc,CAAC,iBAAiB;AACnD,MAAA,yBAAyB,GAClC,cAAc,CAAC,0BAA0B;AAEhC,MAAA,gCAAgC,GAAgB,IAAI,GAAG,GAAG;AACvE,yBAAyB,CAAC,QAAQ,CAAC,OAAO,CACtC,CAAC,aAAqC,KAAI;IACtC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAa,KAAI;AAC5C,QAAA,gCAAgC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AAChD,KAAC,CAAC,CAAC;AACP,CAAC,CACJ,CAAC;AAEF;;;;;AAKG;AACa,SAAA,2BAA2B,CACvC,sBAA8C,EAC9C,MAAe,EAAA;AAEf,IAAA,IAAI,aAAmC,CAAC;AACxC,IAAA,MAAM,kBAAkB,GAAG,sBAAsB,CAAC,kBAAkB,CAAC;AACrE,IAAA,IAAI,kBAAkB,EAAE;AACpB,QAAA,MAAM,aAAa,GAAG,IAAI,SAAS,CAC/B,kBAAkB,CACrB,CAAC,gBAAgB,EAAE,CAAC,eAAe,CAAC;QACrC,aAAa;AACT,YAAA,sBAAsB,CAClB,aAAa,EACb,sBAAsB,CAAC,sBAAsB,EAAE,QAAQ,EACvD,uBAAuB,CAAC,MAAM,EAC9B,MAAM,CACT;AACD,gBAAA,sBAAsB,CAClB,aAAa,EACb,yBAAyB,CAAC,QAAQ,EAClC,uBAAuB,CAAC,gBAAgB,EACxC,MAAM,CACT;gBACD,sBAAsB,CAAC,gBAAgB,CAAC;AAC/C,KAAA;IAED,OAAO,aAAa,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;AAKG;AACG,SAAU,sBAAsB,CAClC,aAAsB,EACtB,sBAAiD,EACjD,MAAgC,EAChC,MAAe,EAAA;AAEf,IAAA,MAAM,EAAE,KAAK,CAAC,8CAA8C,MAAM,CAAA,CAAE,CAAC,CAAC;IACtE,IAAI,aAAa,IAAI,sBAAsB,EAAE;QACzC,MAAM,QAAQ,GAAG,4CAA4C,CACzD,sBAAsB,EACtB,aAAa,CAChB,CAAC;AAEF,QAAA,IAAI,QAAQ,EAAE;AACV,YAAA,MAAM,EAAE,KAAK,CACT,6DAA6D,MAAM,CAAA,mBAAA,CAAqB,CAC3F,CAAC;YACF,OAAO,QAAQ,CAAC,OAAO,CAAC;AAC3B,SAAA;AAAM,aAAA;AACH,YAAA,MAAM,EAAE,KAAK,CACT,oEAAoE,MAAM,CAAA,CAAE,CAC/E,CAAC;AACL,SAAA;AACJ,KAAA;AAED,IAAA,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;AAEG;AACG,SAAU,4CAA4C,CACxD,aAAqB,EAAA;IAErB,MAAM,QAAQ,GAAG,4CAA4C,CACzD,yBAAyB,CAAC,QAAQ,EAClC,aAAa,CAChB,CAAC;AACF,IAAA,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED;;;;AAIG;AACa,SAAA,4CAA4C,CACxD,QAAkC,EAClC,aAAqB,EAAA;AAErB,IAAA,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;AACtC,QAAA,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE;AAC1C,YAAA,OAAO,QAAQ,CAAC;AACnB,SAAA;AACJ,KAAA;AAED,IAAA,OAAO,IAAI,CAAC;AAChB;;;;"}
@@ -0,0 +1,28 @@
import { ProtocolMode } from "./ProtocolMode.js";
import { OIDCOptions } from "./OIDCOptions.js";
import { AzureRegionConfiguration } from "./AzureRegionConfiguration.js";
import { CloudInstanceDiscoveryResponse } from "./CloudInstanceDiscoveryResponse.js";
export type AuthorityOptions = {
protocolMode: ProtocolMode;
OIDCOptions?: OIDCOptions | null;
knownAuthorities: Array<string>;
cloudDiscoveryMetadata: string;
authorityMetadata: string;
skipAuthorityMetadataCache?: boolean;
azureRegionConfiguration?: AzureRegionConfiguration;
authority?: string;
};
export type StaticAuthorityOptions = Partial<Pick<AuthorityOptions, "knownAuthorities">> & {
canonicalAuthority?: string;
cloudDiscoveryMetadata?: CloudInstanceDiscoveryResponse;
};
export declare const AzureCloudInstance: {
readonly None: "none";
readonly AzurePublic: "https://login.microsoftonline.com";
readonly AzurePpe: "https://login.windows-ppe.net";
readonly AzureChina: "https://login.chinacloudapi.cn";
readonly AzureGermany: "https://login.microsoftonline.de";
readonly AzureUsGovernment: "https://login.microsoftonline.us";
};
export type AzureCloudInstance = (typeof AzureCloudInstance)[keyof typeof AzureCloudInstance];
//# sourceMappingURL=AuthorityOptions.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityOptions.d.ts","sourceRoot":"","sources":["../../src/authority/AuthorityOptions.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,YAAY,EAAE,YAAY,CAAC;IAC3B,WAAW,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjC,gBAAgB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,wBAAwB,CAAC,EAAE,wBAAwB,CAAC;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG,OAAO,CACxC,IAAI,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,CAC7C,GAAG;IACA,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;CAC3D,CAAC;AAEF,eAAO,MAAM,kBAAkB;;;;;;;CAkBrB,CAAC;AACX,MAAM,MAAM,kBAAkB,GAC1B,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,OAAO,kBAAkB,CAAC,CAAC"}
@@ -0,0 +1,23 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
const AzureCloudInstance = {
// AzureCloudInstance is not specified.
None: "none",
// Microsoft Azure public cloud
AzurePublic: "https://login.microsoftonline.com",
// Microsoft PPE
AzurePpe: "https://login.windows-ppe.net",
// Microsoft Chinese national/regional cloud
AzureChina: "https://login.chinacloudapi.cn",
// Microsoft German national/regional cloud ("Black Forest")
AzureGermany: "https://login.microsoftonline.de",
// US Government cloud
AzureUsGovernment: "https://login.microsoftonline.us",
};
export { AzureCloudInstance };
//# sourceMappingURL=AuthorityOptions.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityOptions.mjs","sources":["../../src/authority/AuthorityOptions.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AAyBU,MAAA,kBAAkB,GAAG;;AAE9B,IAAA,IAAI,EAAE,MAAM;;AAGZ,IAAA,WAAW,EAAE,mCAAmC;;AAGhD,IAAA,QAAQ,EAAE,+BAA+B;;AAGzC,IAAA,UAAU,EAAE,gCAAgC;;AAG5C,IAAA,YAAY,EAAE,kCAAkC;;AAGhD,IAAA,iBAAiB,EAAE,kCAAkC;;;;;"}
@@ -0,0 +1,11 @@
/**
* Authority types supported by MSAL.
*/
export declare const AuthorityType: {
readonly Default: 0;
readonly Adfs: 1;
readonly Dsts: 2;
readonly Ciam: 3;
};
export type AuthorityType = (typeof AuthorityType)[keyof typeof AuthorityType];
//# sourceMappingURL=AuthorityType.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityType.d.ts","sourceRoot":"","sources":["../../src/authority/AuthorityType.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;CAKhB,CAAC;AACX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,OAAO,aAAa,CAAC,CAAC"}
@@ -0,0 +1,18 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Authority types supported by MSAL.
*/
const AuthorityType = {
Default: 0,
Adfs: 1,
Dsts: 2,
Ciam: 3,
};
export { AuthorityType };
//# sourceMappingURL=AuthorityType.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorityType.mjs","sources":["../../src/authority/AuthorityType.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AAEH;;AAEG;AACU,MAAA,aAAa,GAAG;AACzB,IAAA,OAAO,EAAE,CAAC;AACV,IAAA,IAAI,EAAE,CAAC;AACP,IAAA,IAAI,EAAE,CAAC;AACP,IAAA,IAAI,EAAE,CAAC;;;;;"}
@@ -0,0 +1,2 @@
export type AzureRegion = string;
//# sourceMappingURL=AzureRegion.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AzureRegion.d.ts","sourceRoot":"","sources":["../../src/authority/AzureRegion.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC"}
@@ -0,0 +1,6 @@
import { AzureRegion } from "./AzureRegion.js";
export type AzureRegionConfiguration = {
azureRegion?: AzureRegion;
environmentRegion: string | undefined;
};
//# sourceMappingURL=AzureRegionConfiguration.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AzureRegionConfiguration.d.ts","sourceRoot":"","sources":["../../src/authority/AzureRegionConfiguration.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAO/C,MAAM,MAAM,wBAAwB,GAAG;IACnC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,iBAAiB,EAAE,MAAM,GAAG,SAAS,CAAC;CACzC,CAAC"}
@@ -0,0 +1,6 @@
export type CloudDiscoveryMetadata = {
preferred_network: string;
preferred_cache: string;
aliases: Array<string>;
};
//# sourceMappingURL=CloudDiscoveryMetadata.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"CloudDiscoveryMetadata.d.ts","sourceRoot":"","sources":["../../src/authority/CloudDiscoveryMetadata.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,sBAAsB,GAAG;IACjC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B,CAAC"}
@@ -0,0 +1,14 @@
/**
* The OpenID Configuration Endpoint Response type. Used by the authority class to get relevant OAuth endpoints.
*/
export type CloudInstanceDiscoveryErrorResponse = {
error: String;
error_description: String;
error_codes?: Array<Number>;
timestamp?: String;
trace_id?: String;
correlation_id?: String;
error_uri?: String;
};
export declare function isCloudInstanceDiscoveryErrorResponse(response: object): boolean;
//# sourceMappingURL=CloudInstanceDiscoveryErrorResponse.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"CloudInstanceDiscoveryErrorResponse.d.ts","sourceRoot":"","sources":["../../src/authority/CloudInstanceDiscoveryErrorResponse.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,MAAM,mCAAmC,GAAG;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,wBAAgB,qCAAqC,CACjD,QAAQ,EAAE,MAAM,GACjB,OAAO,CAKT"}
@@ -0,0 +1,13 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
function isCloudInstanceDiscoveryErrorResponse(response) {
return (response.hasOwnProperty("error") &&
response.hasOwnProperty("error_description"));
}
export { isCloudInstanceDiscoveryErrorResponse };
//# sourceMappingURL=CloudInstanceDiscoveryErrorResponse.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"CloudInstanceDiscoveryErrorResponse.mjs","sources":["../../src/authority/CloudInstanceDiscoveryErrorResponse.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AAeG,SAAU,qCAAqC,CACjD,QAAgB,EAAA;AAEhB,IAAA,QACI,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC;AAChC,QAAA,QAAQ,CAAC,cAAc,CAAC,mBAAmB,CAAC,EAC9C;AACN;;;;"}
@@ -0,0 +1,10 @@
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata.js";
/**
* The OpenID Configuration Endpoint Response type. Used by the authority class to get relevant OAuth endpoints.
*/
export type CloudInstanceDiscoveryResponse = {
tenant_discovery_endpoint: string;
metadata: Array<CloudDiscoveryMetadata>;
};
export declare function isCloudInstanceDiscoveryResponse(response: object): boolean;
//# sourceMappingURL=CloudInstanceDiscoveryResponse.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"CloudInstanceDiscoveryResponse.d.ts","sourceRoot":"","sources":["../../src/authority/CloudInstanceDiscoveryResponse.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE;;GAEG;AACH,MAAM,MAAM,8BAA8B,GAAG;IACzC,yBAAyB,EAAE,MAAM,CAAC;IAClC,QAAQ,EAAE,KAAK,CAAC,sBAAsB,CAAC,CAAC;CAC3C,CAAC;AAEF,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAK1E"}
@@ -0,0 +1,13 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
function isCloudInstanceDiscoveryResponse(response) {
return (response.hasOwnProperty("tenant_discovery_endpoint") &&
response.hasOwnProperty("metadata"));
}
export { isCloudInstanceDiscoveryResponse };
//# sourceMappingURL=CloudInstanceDiscoveryResponse.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"CloudInstanceDiscoveryResponse.mjs","sources":["../../src/authority/CloudInstanceDiscoveryResponse.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;AAGG;AAYG,SAAU,gCAAgC,CAAC,QAAgB,EAAA;AAC7D,IAAA,QACI,QAAQ,CAAC,cAAc,CAAC,2BAA2B,CAAC;AACpD,QAAA,QAAQ,CAAC,cAAc,CAAC,UAAU,CAAC,EACrC;AACN;;;;"}
@@ -0,0 +1,6 @@
export type ImdsOptions = {
headers?: {
Metadata: string;
};
};
//# sourceMappingURL=ImdsOptions.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"ImdsOptions.d.ts","sourceRoot":"","sources":["../../src/authority/ImdsOptions.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,WAAW,GAAG;IACtB,OAAO,CAAC,EAAE;QACN,QAAQ,EAAE,MAAM,CAAC;KACpB,CAAC;CACL,CAAC"}
@@ -0,0 +1,9 @@
import { ServerResponseType } from "../utils/Constants.js";
/**
* Options for the OIDC protocol mode.
*/
export type OIDCOptions = {
serverResponseType?: ServerResponseType;
defaultScopes?: Array<string>;
};
//# sourceMappingURL=OIDCOptions.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"OIDCOptions.d.ts","sourceRoot":"","sources":["../../src/authority/OIDCOptions.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAE3D;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG;IACtB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACjC,CAAC"}
@@ -0,0 +1,12 @@
/**
* Tenant Discovery Response which contains the relevant OAuth endpoints and data needed for authentication and authorization.
*/
export type OpenIdConfigResponse = {
authorization_endpoint: string;
token_endpoint: string;
end_session_endpoint?: string;
issuer: string;
jwks_uri: string;
};
export declare function isOpenIdConfigResponse(response: object): boolean;
//# sourceMappingURL=OpenIdConfigResponse.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"OpenIdConfigResponse.d.ts","sourceRoot":"","sources":["../../src/authority/OpenIdConfigResponse.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG;IAC/B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAOhE"}

Some files were not shown because too many files have changed in this diff Show More