push neon reactor

This commit is contained in:
2026-07-12 15:11:38 +02:00
parent 172e72dbcd
commit aeab5f7820
9597 changed files with 2407488 additions and 0 deletions
@@ -0,0 +1,45 @@
import { BaseClient } from "./BaseClient.js";
import { CommonAuthorizationCodeRequest } from "../request/CommonAuthorizationCodeRequest.js";
import { ClientConfiguration } from "../config/ClientConfiguration.js";
import { AuthenticationResult } from "../response/AuthenticationResult.js";
import { CommonEndSessionRequest } from "../request/CommonEndSessionRequest.js";
import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
/**
* Oauth2.0 Authorization Code client
* @internal
*/
export declare class AuthorizationCodeClient extends BaseClient {
protected includeRedirectUri: boolean;
private oidcDefaultScopes;
constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
/**
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
* authorization_code_grant
* @param request
*/
acquireToken(request: CommonAuthorizationCodeRequest, authCodePayload?: AuthorizationCodePayload): Promise<AuthenticationResult>;
/**
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
* Default behaviour is to redirect the user to `window.location.href`.
* @param authorityUri
*/
getLogoutUri(logoutRequest: CommonEndSessionRequest): string;
/**
* Executes POST request to token endpoint
* @param authority
* @param request
*/
private executeTokenRequest;
/**
* Generates a map for all the params to be sent to the service
* @param request
*/
private createTokenRequestBody;
/**
* This API validates the `EndSessionRequest` and creates a URL
* @param request
*/
private createLogoutUrlQueryString;
}
//# sourceMappingURL=AuthorizationCodeClient.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"AuthorizationCodeClient.d.ts","sourceRoot":"","sources":["../../src/client/AuthorizationCodeClient.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,8BAA8B,EAAE,MAAM,8CAA8C,CAAC;AAW9F,OAAO,EACH,mBAAmB,EAEtB,MAAM,kCAAkC,CAAC;AAI1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAO3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAEhF,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AAWnF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AAOpF;;;GAGG;AACH,qBAAa,uBAAwB,SAAQ,UAAU;IAEnD,SAAS,CAAC,kBAAkB,EAAE,OAAO,CAAQ;IAC7C,OAAO,CAAC,iBAAiB,CAAC;gBAGtB,aAAa,EAAE,mBAAmB,EAClC,iBAAiB,CAAC,EAAE,kBAAkB;IAO1C;;;;OAIG;IACG,YAAY,CACd,OAAO,EAAE,8BAA8B,EACvC,eAAe,CAAC,EAAE,wBAAwB,GAC3C,OAAO,CAAC,oBAAoB,CAAC;IAwDhC;;;;OAIG;IACH,YAAY,CAAC,aAAa,EAAE,uBAAuB,GAAG,MAAM;IAgB5D;;;;OAIG;YACW,mBAAmB;IAiEjC;;;OAGG;YACW,sBAAsB;IAwOpC;;;OAGG;IACH,OAAO,CAAC,0BAA0B;CAsDrC"}
@@ -0,0 +1,259 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { BaseClient } from './BaseClient.mjs';
import { addClientId, addRedirectUri, addScopes, addAuthorizationCode, addLibraryInfo, addApplicationTelemetry, addThrottling, addServerTelemetry, addCodeVerifier, addClientSecret, addClientAssertion, addClientAssertionType, addGrantType, addClientInfo, addPopToken, addSshJwk, addClaims, addCcsUpn, addCcsOid, addBrokerParameters, addExtraQueryParameters, instrumentBrokerParams, addPostLogoutRedirectUri, addCorrelationId, addIdTokenHint, addState, addLogoutHint, addInstanceAware } from '../request/RequestParameterBuilder.mjs';
import { mapToQueryString } from '../utils/UrlUtils.mjs';
import { Separators, AuthenticationScheme, HeaderNames, GrantType } from '../utils/Constants.mjs';
import { RETURN_SPA_CODE, CLIENT_ID } from '../constants/AADServerParamKeys.mjs';
import { isOidcProtocolMode } from '../config/ClientConfiguration.mjs';
import { ResponseHandler } from '../response/ResponseHandler.mjs';
import { StringUtils } from '../utils/StringUtils.mjs';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { UrlString } from '../url/UrlString.mjs';
import { PopTokenGenerator } from '../crypto/PopTokenGenerator.mjs';
import { nowSeconds } from '../utils/TimeUtils.mjs';
import { buildClientInfo, buildClientInfoFromHomeAccountId } from '../account/ClientInfo.mjs';
import { CcsCredentialType } from '../account/CcsCredential.mjs';
import { createClientConfigurationError } from '../error/ClientConfigurationError.mjs';
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
import { invokeAsync } from '../utils/FunctionWrappers.mjs';
import { getClientAssertion } from '../utils/ClientAssertionUtils.mjs';
import { getRequestThumbprint } from '../network/RequestThumbprint.mjs';
import { requestCannotBeMade } from '../error/ClientAuthErrorCodes.mjs';
import { logoutRequestEmpty, redirectUriEmpty, missingSshJwk } from '../error/ClientConfigurationErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Oauth2.0 Authorization Code client
* @internal
*/
class AuthorizationCodeClient extends BaseClient {
constructor(configuration, performanceClient) {
super(configuration, performanceClient);
// Flag to indicate if client is for hybrid spa auth code redemption
this.includeRedirectUri = true;
this.oidcDefaultScopes =
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
}
/**
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
* authorization_code_grant
* @param request
*/
async acquireToken(request, authCodePayload) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientAcquireToken, request.correlationId);
if (!request.code) {
throw createClientAuthError(requestCannotBeMade);
}
const reqTimestamp = nowSeconds();
const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.AuthClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(this.authority, request);
// Retrieve requestId from response headers
const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin, this.performanceClient);
// Validate response. This function throws a server error if an error is returned by the server.
responseHandler.validateTokenResponse(response.body);
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
}
/**
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
* Default behaviour is to redirect the user to `window.location.href`.
* @param authorityUri
*/
getLogoutUri(logoutRequest) {
// Throw error if logoutRequest is null/undefined
if (!logoutRequest) {
throw createClientConfigurationError(logoutRequestEmpty);
}
const queryString = this.createLogoutUrlQueryString(logoutRequest);
// Construct logout URI
return UrlString.appendQueryString(this.authority.endSessionEndpoint, queryString);
}
/**
* Executes POST request to token endpoint
* @param authority
* @param request
*/
async executeTokenRequest(authority, request) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientExecuteTokenRequest, request.correlationId);
const queryParametersString = this.createTokenQueryParameters(request);
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.AuthClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
let ccsCredential = undefined;
if (request.clientInfo) {
try {
const clientInfo = buildClientInfo(request.clientInfo, this.cryptoUtils.base64Decode);
ccsCredential = {
credential: `${clientInfo.uid}${Separators.CLIENT_INFO_SEPARATOR}${clientInfo.utid}`,
type: CcsCredentialType.HOME_ACCOUNT_ID,
};
}
catch (e) {
this.logger.verbose("Could not parse client info for CCS Header: " + e);
}
}
const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
}
/**
* Generates a map for all the params to be sent to the service
* @param request
*/
async createTokenRequestBody(request) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
const parameters = new Map();
addClientId(parameters, request.embeddedClientId ||
request.tokenBodyParameters?.[CLIENT_ID] ||
this.config.authOptions.clientId);
/*
* For hybrid spa flow, there will be a code but no verifier
* In this scenario, don't include redirect uri as auth code will not be bound to redirect URI
*/
if (!this.includeRedirectUri) {
// Just validate
if (!request.redirectUri) {
throw createClientConfigurationError(redirectUriEmpty);
}
}
else {
// Validate and include redirect uri
addRedirectUri(parameters, request.redirectUri);
}
// Add scope array, parameter builder will add default scopes and dedupe
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
// add code: user set, not validated
addAuthorizationCode(parameters, request.code);
// Add library metadata
addLibraryInfo(parameters, this.config.libraryInfo);
addApplicationTelemetry(parameters, this.config.telemetry.application);
addThrottling(parameters);
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
addServerTelemetry(parameters, this.serverTelemetryManager);
}
// add code_verifier if passed
if (request.codeVerifier) {
addCodeVerifier(parameters, request.codeVerifier);
}
if (this.config.clientCredentials.clientSecret) {
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
}
if (this.config.clientCredentials.clientAssertion) {
const clientAssertion = this.config.clientCredentials.clientAssertion;
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
addClientAssertionType(parameters, clientAssertion.assertionType);
}
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
addClientInfo(parameters);
if (request.authenticationScheme === AuthenticationScheme.POP) {
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
let reqCnfData;
if (!request.popKid) {
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
reqCnfData = generatedReqCnfData.reqCnfString;
}
else {
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
}
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
addPopToken(parameters, reqCnfData);
}
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
if (request.sshJwk) {
addSshJwk(parameters, request.sshJwk);
}
else {
throw createClientConfigurationError(missingSshJwk);
}
}
if (!StringUtils.isEmptyObj(request.claims) ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)) {
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
}
let ccsCred = undefined;
if (request.clientInfo) {
try {
const clientInfo = buildClientInfo(request.clientInfo, this.cryptoUtils.base64Decode);
ccsCred = {
credential: `${clientInfo.uid}${Separators.CLIENT_INFO_SEPARATOR}${clientInfo.utid}`,
type: CcsCredentialType.HOME_ACCOUNT_ID,
};
}
catch (e) {
this.logger.verbose("Could not parse client info for CCS Header: " + e);
}
}
else {
ccsCred = request.ccsCredential;
}
// Adds these as parameters in the request instead of headers to prevent CORS preflight request
if (this.config.systemOptions.preventCorsPreflight && ccsCred) {
switch (ccsCred.type) {
case CcsCredentialType.HOME_ACCOUNT_ID:
try {
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
addCcsOid(parameters, clientInfo);
}
catch (e) {
this.logger.verbose("Could not parse home account ID for CCS Header: " +
e);
}
break;
case CcsCredentialType.UPN:
addCcsUpn(parameters, ccsCred.credential);
break;
}
}
if (request.embeddedClientId) {
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
}
if (request.tokenBodyParameters) {
addExtraQueryParameters(parameters, request.tokenBodyParameters);
}
// Add hybrid spa parameters if not already provided
if (request.enableSpaAuthorizationCode &&
(!request.tokenBodyParameters ||
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
addExtraQueryParameters(parameters, {
[RETURN_SPA_CODE]: "1",
});
}
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
return mapToQueryString(parameters);
}
/**
* This API validates the `EndSessionRequest` and creates a URL
* @param request
*/
createLogoutUrlQueryString(request) {
const parameters = new Map();
if (request.postLogoutRedirectUri) {
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
}
if (request.correlationId) {
addCorrelationId(parameters, request.correlationId);
}
if (request.idTokenHint) {
addIdTokenHint(parameters, request.idTokenHint);
}
if (request.state) {
addState(parameters, request.state);
}
if (request.logoutHint) {
addLogoutHint(parameters, request.logoutHint);
}
if (request.extraQueryParameters) {
addExtraQueryParameters(parameters, request.extraQueryParameters);
}
if (this.config.authOptions.instanceAware) {
addInstanceAware(parameters);
}
return mapToQueryString(parameters, this.config.authOptions.encodeExtraQueryParams, request.extraQueryParameters);
}
}
export { AuthorizationCodeClient };
//# sourceMappingURL=AuthorizationCodeClient.mjs.map
File diff suppressed because one or more lines are too long
@@ -0,0 +1,59 @@
import { ClientConfiguration, CommonClientConfiguration } from "../config/ClientConfiguration.js";
import { INetworkModule, NetworkRequestOptions } from "../network/INetworkModule.js";
import { NetworkResponse } from "../network/NetworkResponse.js";
import { ICrypto } from "../crypto/ICrypto.js";
import { Authority } from "../authority/Authority.js";
import { Logger } from "../logger/Logger.js";
import { ServerAuthorizationTokenResponse } from "../response/ServerAuthorizationTokenResponse.js";
import { CacheManager } from "../cache/CacheManager.js";
import { ServerTelemetryManager } from "../telemetry/server/ServerTelemetryManager.js";
import { RequestThumbprint } from "../network/RequestThumbprint.js";
import { CcsCredential } from "../account/CcsCredential.js";
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
import { BaseAuthRequest } from "../request/BaseAuthRequest.js";
/**
* Base application class which will construct requests to send to and handle responses from the Microsoft STS using the authorization code flow.
* @internal
*/
export declare abstract class BaseClient {
logger: Logger;
protected config: CommonClientConfiguration;
protected cryptoUtils: ICrypto;
protected cacheManager: CacheManager;
protected networkClient: INetworkModule;
protected serverTelemetryManager: ServerTelemetryManager | null;
authority: Authority;
protected performanceClient?: IPerformanceClient;
protected constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
/**
* Creates default headers for requests to token endpoint
*/
protected createTokenRequestHeaders(ccsCred?: CcsCredential): Record<string, string>;
/**
* Http post to token endpoint
* @param tokenEndpoint
* @param queryString
* @param headers
* @param thumbprint
*/
protected executePostToTokenEndpoint(tokenEndpoint: string, queryString: string, headers: Record<string, string>, thumbprint: RequestThumbprint, correlationId: string, queuedEvent?: string): Promise<NetworkResponse<ServerAuthorizationTokenResponse>>;
/**
* Wraps sendPostRequestAsync with necessary preflight and postflight logic
* @param thumbprint - Request thumbprint for throttling
* @param tokenEndpoint - Endpoint to make the POST to
* @param options - Body and Headers to include on the POST request
* @param correlationId - CorrelationId for telemetry
*/
sendPostRequest<T extends ServerAuthorizationTokenResponse>(thumbprint: RequestThumbprint, tokenEndpoint: string, options: NetworkRequestOptions, correlationId: string): Promise<NetworkResponse<T>>;
/**
* Updates the authority object of the client. Endpoint discovery must be completed.
* @param updatedAuthority
*/
updateAuthority(cloudInstanceHostname: string, correlationId: string): Promise<void>;
/**
* Creates query string for the /token request
* @param request
*/
createTokenQueryParameters(request: BaseAuthRequest): string;
}
//# sourceMappingURL=BaseClient.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"BaseClient.d.ts","sourceRoot":"","sources":["../../src/client/BaseClient.ts"],"names":[],"mappings":"AAKA,OAAO,EACH,mBAAmB,EAEnB,yBAAyB,EAC5B,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACH,cAAc,EACd,qBAAqB,EACxB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,OAAO,EAAE,gCAAgC,EAAE,MAAM,iDAAiD,CAAC;AACnG,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,sBAAsB,EAAE,MAAM,+CAA+C,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAEpE,OAAO,EAAE,aAAa,EAAqB,MAAM,6BAA6B,CAAC;AAE/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AAGpF,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAYhE;;;GAGG;AACH,8BAAsB,UAAU;IAErB,MAAM,EAAE,MAAM,CAAC;IAGtB,SAAS,CAAC,MAAM,EAAE,yBAAyB,CAAC;IAG5C,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC;IAG/B,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,aAAa,EAAE,cAAc,CAAC;IAGxC,SAAS,CAAC,sBAAsB,EAAE,sBAAsB,GAAG,IAAI,CAAC;IAGzD,SAAS,EAAE,SAAS,CAAC;IAG5B,SAAS,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,CAAC;IAEjD,SAAS,aACL,aAAa,EAAE,mBAAmB,EAClC,iBAAiB,CAAC,EAAE,kBAAkB;IA2B1C;;OAEG;IACH,SAAS,CAAC,yBAAyB,CAC/B,OAAO,CAAC,EAAE,aAAa,GACxB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IA8BzB;;;;;;OAMG;cACa,0BAA0B,CACtC,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC/B,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,eAAe,CAAC,gCAAgC,CAAC,CAAC;IA4B7D;;;;;;OAMG;IACG,eAAe,CAAC,CAAC,SAAS,gCAAgC,EAC5D,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,qBAAqB,EAC9B,aAAa,EAAE,MAAM,GACtB,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAwE9B;;;OAGG;IACG,eAAe,CACjB,qBAAqB,EAAE,MAAM,EAC7B,aAAa,EAAE,MAAM,GACtB,OAAO,CAAC,IAAI,CAAC;IAkBhB;;;OAGG;IACH,0BAA0B,CAAC,OAAO,EAAE,eAAe,GAAG,MAAM;CA8B/D"}
@@ -0,0 +1,167 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { buildClientConfiguration } from '../config/ClientConfiguration.mjs';
import { Logger } from '../logger/Logger.mjs';
import { Constants, HeaderNames } from '../utils/Constants.mjs';
import { name, version } from '../packageMetadata.mjs';
import { CcsCredentialType } from '../account/CcsCredential.mjs';
import { buildClientInfoFromHomeAccountId } from '../account/ClientInfo.mjs';
import { addBrokerParameters, addExtraQueryParameters, addCorrelationId, instrumentBrokerParams } from '../request/RequestParameterBuilder.mjs';
import { mapToQueryString } from '../utils/UrlUtils.mjs';
import { createDiscoveredInstance } from '../authority/AuthorityFactory.mjs';
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
import { ThrottlingUtils } from '../network/ThrottlingUtils.mjs';
import { AuthError } from '../error/AuthError.mjs';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { NetworkError } from '../error/NetworkError.mjs';
import { invokeAsync } from '../utils/FunctionWrappers.mjs';
import { networkError } from '../error/ClientAuthErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Base application class which will construct requests to send to and handle responses from the Microsoft STS using the authorization code flow.
* @internal
*/
class BaseClient {
constructor(configuration, performanceClient) {
// Set the configuration
this.config = buildClientConfiguration(configuration);
// Initialize the logger
this.logger = new Logger(this.config.loggerOptions, name, version);
// Initialize crypto
this.cryptoUtils = this.config.cryptoInterface;
// Initialize storage interface
this.cacheManager = this.config.storageInterface;
// Set the network interface
this.networkClient = this.config.networkInterface;
// Set TelemetryManager
this.serverTelemetryManager = this.config.serverTelemetryManager;
// set Authority
this.authority = this.config.authOptions.authority;
// set performance telemetry client
this.performanceClient = performanceClient;
}
/**
* Creates default headers for requests to token endpoint
*/
createTokenRequestHeaders(ccsCred) {
const headers = {};
headers[HeaderNames.CONTENT_TYPE] = Constants.URL_FORM_CONTENT_TYPE;
if (!this.config.systemOptions.preventCorsPreflight && ccsCred) {
switch (ccsCred.type) {
case CcsCredentialType.HOME_ACCOUNT_ID:
try {
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
headers[HeaderNames.CCS_HEADER] = `Oid:${clientInfo.uid}@${clientInfo.utid}`;
}
catch (e) {
this.logger.verbose("Could not parse home account ID for CCS Header: " +
e);
}
break;
case CcsCredentialType.UPN:
headers[HeaderNames.CCS_HEADER] = `UPN: ${ccsCred.credential}`;
break;
}
}
return headers;
}
/**
* Http post to token endpoint
* @param tokenEndpoint
* @param queryString
* @param headers
* @param thumbprint
*/
async executePostToTokenEndpoint(tokenEndpoint, queryString, headers, thumbprint, correlationId, queuedEvent) {
if (queuedEvent) {
this.performanceClient?.addQueueMeasurement(queuedEvent, correlationId);
}
const response = await this.sendPostRequest(thumbprint, tokenEndpoint, { body: queryString, headers: headers }, correlationId);
if (this.config.serverTelemetryManager &&
response.status < 500 &&
response.status !== 429) {
// Telemetry data successfully logged by server, clear Telemetry cache
this.config.serverTelemetryManager.clearTelemetryCache();
}
return response;
}
/**
* Wraps sendPostRequestAsync with necessary preflight and postflight logic
* @param thumbprint - Request thumbprint for throttling
* @param tokenEndpoint - Endpoint to make the POST to
* @param options - Body and Headers to include on the POST request
* @param correlationId - CorrelationId for telemetry
*/
async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
let response;
try {
response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
const responseHeaders = response.headers || {};
this.performanceClient?.addFields({
refreshTokenSize: response.body.refresh_token?.length || 0,
httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
}, correlationId);
}
catch (e) {
if (e instanceof NetworkError) {
const responseHeaders = e.responseHeaders;
if (responseHeaders) {
this.performanceClient?.addFields({
httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
"",
contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
undefined,
contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
undefined,
httpStatus: e.httpStatus,
}, correlationId);
}
throw e.error;
}
if (e instanceof AuthError) {
throw e;
}
else {
throw createClientAuthError(networkError);
}
}
ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
return response;
}
/**
* Updates the authority object of the client. Endpoint discovery must be completed.
* @param updatedAuthority
*/
async updateAuthority(cloudInstanceHostname, correlationId) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
this.authority = cloudInstanceAuthority;
}
/**
* Creates query string for the /token request
* @param request
*/
createTokenQueryParameters(request) {
const parameters = new Map();
if (request.embeddedClientId) {
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
}
if (request.tokenQueryParameters) {
addExtraQueryParameters(parameters, request.tokenQueryParameters);
}
addCorrelationId(parameters, request.correlationId);
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
return mapToQueryString(parameters);
}
}
export { BaseClient };
//# sourceMappingURL=BaseClient.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"BaseClient.mjs","sources":["../../src/client/BaseClient.ts"],"sourcesContent":[null],"names":["ClientAuthErrorCodes.networkError","RequestParameterBuilder.addBrokerParameters","RequestParameterBuilder.addExtraQueryParameters","RequestParameterBuilder.addCorrelationId","RequestParameterBuilder.instrumentBrokerParams","UrlUtils.mapToQueryString"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;;;AAGG;AAsCH;;;AAGG;MACmB,UAAU,CAAA;IAyB5B,WACI,CAAA,aAAkC,EAClC,iBAAsC,EAAA;;AAGtC,QAAA,IAAI,CAAC,MAAM,GAAG,wBAAwB,CAAC,aAAa,CAAC,CAAC;;AAGtD,QAAA,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;;QAGnE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC;;QAG/C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;;QAGjD,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;;QAGlD,IAAI,CAAC,sBAAsB,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC;;QAGjE,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC;;AAGnD,QAAA,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;KAC9C;AAED;;AAEG;AACO,IAAA,yBAAyB,CAC/B,OAAuB,EAAA;QAEvB,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,OAAO,CAAC,WAAW,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,qBAAqB,CAAC;QACpE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,oBAAoB,IAAI,OAAO,EAAE;YAC5D,QAAQ,OAAO,CAAC,IAAI;gBAChB,KAAK,iBAAiB,CAAC,eAAe;oBAClC,IAAI;wBACA,MAAM,UAAU,GAAG,gCAAgC,CAC/C,OAAO,CAAC,UAAU,CACrB,CAAC;AACF,wBAAA,OAAO,CACH,WAAW,CAAC,UAAU,CACzB,GAAG,CAAA,IAAA,EAAO,UAAU,CAAC,GAAG,CAAI,CAAA,EAAA,UAAU,CAAC,IAAI,EAAE,CAAC;AAClD,qBAAA;AAAC,oBAAA,OAAO,CAAC,EAAE;AACR,wBAAA,IAAI,CAAC,MAAM,CAAC,OAAO,CACf,kDAAkD;AAC9C,4BAAA,CAAC,CACR,CAAC;AACL,qBAAA;oBACD,MAAM;gBACV,KAAK,iBAAiB,CAAC,GAAG;oBACtB,OAAO,CACH,WAAW,CAAC,UAAU,CACzB,GAAG,CAAA,KAAA,EAAQ,OAAO,CAAC,UAAU,CAAA,CAAE,CAAC;oBACjC,MAAM;AACb,aAAA;AACJ,SAAA;AACD,QAAA,OAAO,OAAO,CAAC;KAClB;AAED;;;;;;AAMG;AACO,IAAA,MAAM,0BAA0B,CACtC,aAAqB,EACrB,WAAmB,EACnB,OAA+B,EAC/B,UAA6B,EAC7B,aAAqB,EACrB,WAAoB,EAAA;AAEpB,QAAA,IAAI,WAAW,EAAE;YACb,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CACvC,WAAW,EACX,aAAa,CAChB,CAAC;AACL,SAAA;QAED,MAAM,QAAQ,GACV,MAAM,IAAI,CAAC,eAAe,CACtB,UAAU,EACV,aAAa,EACb,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,EACvC,aAAa,CAChB,CAAC;AAEN,QAAA,IACI,IAAI,CAAC,MAAM,CAAC,sBAAsB;YAClC,QAAQ,CAAC,MAAM,GAAG,GAAG;AACrB,YAAA,QAAQ,CAAC,MAAM,KAAK,GAAG,EACzB;;AAEE,YAAA,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,mBAAmB,EAAE,CAAC;AAC5D,SAAA;AAED,QAAA,OAAO,QAAQ,CAAC;KACnB;AAED;;;;;;AAMG;IACH,MAAM,eAAe,CACjB,UAA6B,EAC7B,aAAqB,EACrB,OAA8B,EAC9B,aAAqB,EAAA;QAErB,eAAe,CAAC,UAAU,CACtB,IAAI,CAAC,YAAY,EACjB,UAAU,EACV,aAAa,CAChB,CAAC;AAEF,QAAA,IAAI,QAAQ,CAAC;QACb,IAAI;AACA,YAAA,QAAQ,GAAG,MAAM,WAAW,EACxB,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC,IAAI,CACxC,IAAI,CAAC,aAAa,CAClB,GACJ,iBAAiB,CAAC,iCAAiC,EACnD,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,iBAAiB,EACtB,aAAa,CAChB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AAC1B,YAAA,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;AAC/C,YAAA,IAAI,CAAC,iBAAiB,EAAE,SAAS,CAC7B;gBACI,gBAAgB,EAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC;gBAC1D,YAAY,EACR,eAAe,CAAC,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;gBACxD,SAAS,EACL,eAAe,CAAC,WAAW,CAAC,eAAe,CAAC,IAAI,EAAE;aACzD,EACD,aAAa,CAChB,CAAC;AACL,SAAA;AAAC,QAAA,OAAO,CAAC,EAAE;YACR,IAAI,CAAC,YAAY,YAAY,EAAE;AAC3B,gBAAA,MAAM,eAAe,GAAG,CAAC,CAAC,eAAe,CAAC;AAC1C,gBAAA,IAAI,eAAe,EAAE;AACjB,oBAAA,IAAI,CAAC,iBAAiB,EAAE,SAAS,CAC7B;wBACI,YAAY,EACR,eAAe,CACX,WAAW,CAAC,iBAAiB,CAChC,IAAI,EAAE;AACX,wBAAA,SAAS,EACL,eAAe,CAAC,WAAW,CAAC,eAAe,CAAC;4BAC5C,EAAE;AACN,wBAAA,iBAAiB,EACb,eAAe,CAAC,WAAW,CAAC,YAAY,CAAC;4BACzC,SAAS;AACb,wBAAA,mBAAmB,EACf,eAAe,CAAC,WAAW,CAAC,cAAc,CAAC;4BAC3C,SAAS;wBACb,UAAU,EAAE,CAAC,CAAC,UAAU;qBAC3B,EACD,aAAa,CAChB,CAAC;AACL,iBAAA;gBACD,MAAM,CAAC,CAAC,KAAK,CAAC;AACjB,aAAA;YACD,IAAI,CAAC,YAAY,SAAS,EAAE;AACxB,gBAAA,MAAM,CAAC,CAAC;AACX,aAAA;AAAM,iBAAA;AACH,gBAAA,MAAM,qBAAqB,CAACA,YAAiC,CAAC,CAAC;AAClE,aAAA;AACJ,SAAA;AAED,QAAA,eAAe,CAAC,WAAW,CACvB,IAAI,CAAC,YAAY,EACjB,UAAU,EACV,QAAQ,EACR,aAAa,CAChB,CAAC;AAEF,QAAA,OAAO,QAAQ,CAAC;KACnB;AAED;;;AAGG;AACH,IAAA,MAAM,eAAe,CACjB,qBAA6B,EAC7B,aAAqB,EAAA;QAErB,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CACvC,iBAAiB,CAAC,4BAA4B,EAC9C,aAAa,CAChB,CAAC;QACF,MAAM,yBAAyB,GAAG,CAAA,QAAA,EAAW,qBAAqB,CAAA,CAAA,EAAI,IAAI,CAAC,SAAS,CAAC,MAAM,CAAA,CAAA,CAAG,CAAC;AAC/F,QAAA,MAAM,sBAAsB,GAAG,MAAM,wBAAwB,CACzD,yBAAyB,EACzB,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,MAAM,EACX,aAAa,EACb,IAAI,CAAC,iBAAiB,CACzB,CAAC;AACF,QAAA,IAAI,CAAC,SAAS,GAAG,sBAAsB,CAAC;KAC3C;AAED;;;AAGG;AACH,IAAA,0BAA0B,CAAC,OAAwB,EAAA;AAC/C,QAAA,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE7C,IAAI,OAAO,CAAC,gBAAgB,EAAE;YAC1BC,mBAA2C,CACvC,UAAU,EACV,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAChC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,WAAW,CACtC,CAAC;AACL,SAAA;QAED,IAAI,OAAO,CAAC,oBAAoB,EAAE;YAC9BC,uBAA+C,CAC3C,UAAU,EACV,OAAO,CAAC,oBAAoB,CAC/B,CAAC;AACL,SAAA;QAEDC,gBAAwC,CACpC,UAAU,EACV,OAAO,CAAC,aAAa,CACxB,CAAC;AAEF,QAAAC,sBAA8C,CAC1C,UAAU,EACV,OAAO,CAAC,aAAa,EACrB,IAAI,CAAC,iBAAiB,CACzB,CAAC;AACF,QAAA,OAAOC,gBAAyB,CAAC,UAAU,CAAC,CAAC;KAChD;AACJ;;;;"}
@@ -0,0 +1,36 @@
import { ClientConfiguration } from "../config/ClientConfiguration.js";
import { BaseClient } from "./BaseClient.js";
import { CommonRefreshTokenRequest } from "../request/CommonRefreshTokenRequest.js";
import { AuthenticationResult } from "../response/AuthenticationResult.js";
import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest.js";
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
/**
* OAuth2.0 refresh token client
* @internal
*/
export declare class RefreshTokenClient extends BaseClient {
constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
acquireToken(request: CommonRefreshTokenRequest): Promise<AuthenticationResult>;
/**
* Gets cached refresh token and attaches to request, then calls acquireToken API
* @param request
*/
acquireTokenByRefreshToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
/**
* makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
* @param request
*/
private acquireTokenWithCachedRefreshToken;
/**
* Constructs the network message and makes a NW call to the underlying secure token service
* @param request
* @param authority
*/
private executeTokenRequest;
/**
* Helper function to create the token request body
* @param request
*/
private createTokenRequestBody;
}
//# sourceMappingURL=RefreshTokenClient.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"RefreshTokenClient.d.ts","sourceRoot":"","sources":["../../src/client/RefreshTokenClient.ts"],"names":[],"mappings":"AAKA,OAAO,EACH,mBAAmB,EAEtB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,yBAAyB,EAAE,MAAM,yCAAyC,CAAC;AAapF,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAI3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAoBhF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AASpF;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,UAAU;gBAE1C,aAAa,EAAE,mBAAmB,EAClC,iBAAiB,CAAC,EAAE,kBAAkB;IAI7B,YAAY,CACrB,OAAO,EAAE,yBAAyB,GACnC,OAAO,CAAC,oBAAoB,CAAC;IA8ChC;;;OAGG;IACU,0BAA0B,CACnC,OAAO,EAAE,uBAAuB,GACjC,OAAO,CAAC,oBAAoB,CAAC;IAsEhC;;;OAGG;YACW,kCAAkC;IA4FhD;;;;OAIG;YACW,mBAAmB;IA+CjC;;;OAGG;YACW,sBAAsB;CAsLvC"}
@@ -0,0 +1,237 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { isOidcProtocolMode } from '../config/ClientConfiguration.mjs';
import { BaseClient } from './BaseClient.mjs';
import { addClientId, addRedirectUri, addScopes, addGrantType, addClientInfo, addLibraryInfo, addApplicationTelemetry, addThrottling, addServerTelemetry, addRefreshToken, addClientSecret, addClientAssertion, addClientAssertionType, addPopToken, addSshJwk, addClaims, addCcsUpn, addCcsOid, addBrokerParameters, addExtraQueryParameters, instrumentBrokerParams } from '../request/RequestParameterBuilder.mjs';
import { mapToQueryString } from '../utils/UrlUtils.mjs';
import { AuthenticationScheme, HeaderNames, Errors, GrantType } from '../utils/Constants.mjs';
import { CLIENT_ID } from '../constants/AADServerParamKeys.mjs';
import { ResponseHandler } from '../response/ResponseHandler.mjs';
import { PopTokenGenerator } from '../crypto/PopTokenGenerator.mjs';
import { StringUtils } from '../utils/StringUtils.mjs';
import { createClientConfigurationError } from '../error/ClientConfigurationError.mjs';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { ServerError } from '../error/ServerError.mjs';
import { nowSeconds, isTokenExpired } from '../utils/TimeUtils.mjs';
import { UrlString } from '../url/UrlString.mjs';
import { CcsCredentialType } from '../account/CcsCredential.mjs';
import { buildClientInfoFromHomeAccountId } from '../account/ClientInfo.mjs';
import { createInteractionRequiredAuthError, InteractionRequiredAuthError } from '../error/InteractionRequiredAuthError.mjs';
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
import { invokeAsync, invoke } from '../utils/FunctionWrappers.mjs';
import { generateCredentialKey } from '../cache/utils/CacheHelpers.mjs';
import { getClientAssertion } from '../utils/ClientAssertionUtils.mjs';
import { getRequestThumbprint } from '../network/RequestThumbprint.mjs';
import { badToken, noTokensFound, refreshTokenExpired } from '../error/InteractionRequiredAuthErrorCodes.mjs';
import { tokenRequestEmpty, missingSshJwk } from '../error/ClientConfigurationErrorCodes.mjs';
import { noAccountInSilentRequest } from '../error/ClientAuthErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
/**
* OAuth2.0 refresh token client
* @internal
*/
class RefreshTokenClient extends BaseClient {
constructor(configuration, performanceClient) {
super(configuration, performanceClient);
}
async acquireToken(request) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
const reqTimestamp = nowSeconds();
const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
// Retrieve requestId from response headers
const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
responseHandler.validateTokenResponse(response.body);
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
}
/**
* Gets cached refresh token and attaches to request, then calls acquireToken API
* @param request
*/
async acquireTokenByRefreshToken(request) {
// Cannot renew token if no request object is given.
if (!request) {
throw createClientConfigurationError(tokenRequestEmpty);
}
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
if (!request.account) {
throw createClientAuthError(noAccountInSilentRequest);
}
// try checking if FOCI is enabled for the given application
const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
// if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
if (isFOCI) {
try {
return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
}
catch (e) {
const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
e.errorCode ===
noTokensFound;
const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
e.errorCode === Errors.INVALID_GRANT_ERROR &&
e.subError === Errors.CLIENT_MISMATCH_ERROR;
// if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
// throw in all other cases
}
else {
throw e;
}
}
}
// fall back to application refresh token acquisition
return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
}
/**
* makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
* @param request
*/
async acquireTokenWithCachedRefreshToken(request, foci) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
// fetches family RT or application RT based on FOCI value
const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined, this.performanceClient);
if (!refreshToken) {
throw createInteractionRequiredAuthError(noTokensFound);
}
if (refreshToken.expiresOn &&
isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
this.performanceClient?.addFields({ rtExpiresOnMs: Number(refreshToken.expiresOn) }, request.correlationId);
throw createInteractionRequiredAuthError(refreshTokenExpired);
}
// attach cached RT size to the current measurement
const refreshTokenRequest = {
...request,
refreshToken: refreshToken.secret,
authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
ccsCredential: {
credential: request.account.homeAccountId,
type: CcsCredentialType.HOME_ACCOUNT_ID,
},
};
try {
return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
}
catch (e) {
if (e instanceof InteractionRequiredAuthError) {
this.performanceClient?.addFields({ rtExpiresOnMs: Number(refreshToken.expiresOn) }, request.correlationId);
if (e.subError === badToken) {
// Remove bad refresh token from cache
this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
const badRefreshTokenKey = generateCredentialKey(refreshToken);
this.cacheManager.removeRefreshToken(badRefreshTokenKey, request.correlationId);
}
}
throw e;
}
}
/**
* Constructs the network message and makes a NW call to the underlying secure token service
* @param request
* @param authority
*/
async executeTokenRequest(request, authority) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
const queryParametersString = this.createTokenQueryParameters(request);
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
const headers = this.createTokenRequestHeaders(request.ccsCredential);
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
}
/**
* Helper function to create the token request body
* @param request
*/
async createTokenRequestBody(request) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
const parameters = new Map();
addClientId(parameters, request.embeddedClientId ||
request.tokenBodyParameters?.[CLIENT_ID] ||
this.config.authOptions.clientId);
if (request.redirectUri) {
addRedirectUri(parameters, request.redirectUri);
}
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
addClientInfo(parameters);
addLibraryInfo(parameters, this.config.libraryInfo);
addApplicationTelemetry(parameters, this.config.telemetry.application);
addThrottling(parameters);
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
addServerTelemetry(parameters, this.serverTelemetryManager);
}
addRefreshToken(parameters, request.refreshToken);
if (this.config.clientCredentials.clientSecret) {
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
}
if (this.config.clientCredentials.clientAssertion) {
const clientAssertion = this.config.clientCredentials.clientAssertion;
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
addClientAssertionType(parameters, clientAssertion.assertionType);
}
if (request.authenticationScheme === AuthenticationScheme.POP) {
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
let reqCnfData;
if (!request.popKid) {
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
reqCnfData = generatedReqCnfData.reqCnfString;
}
else {
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
}
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
addPopToken(parameters, reqCnfData);
}
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
if (request.sshJwk) {
addSshJwk(parameters, request.sshJwk);
}
else {
throw createClientConfigurationError(missingSshJwk);
}
}
if (!StringUtils.isEmptyObj(request.claims) ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)) {
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
}
if (this.config.systemOptions.preventCorsPreflight &&
request.ccsCredential) {
switch (request.ccsCredential.type) {
case CcsCredentialType.HOME_ACCOUNT_ID:
try {
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
addCcsOid(parameters, clientInfo);
}
catch (e) {
this.logger.verbose("Could not parse home account ID for CCS Header: " +
e);
}
break;
case CcsCredentialType.UPN:
addCcsUpn(parameters, request.ccsCredential.credential);
break;
}
}
if (request.embeddedClientId) {
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
}
if (request.tokenBodyParameters) {
addExtraQueryParameters(parameters, request.tokenBodyParameters);
}
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
return mapToQueryString(parameters);
}
}
export { RefreshTokenClient };
//# sourceMappingURL=RefreshTokenClient.mjs.map
File diff suppressed because one or more lines are too long
@@ -0,0 +1,22 @@
import { BaseClient } from "./BaseClient.js";
import { ClientConfiguration } from "../config/ClientConfiguration.js";
import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest.js";
import { AuthenticationResult } from "../response/AuthenticationResult.js";
import { CacheOutcome } from "../utils/Constants.js";
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
/** @internal */
export declare class SilentFlowClient extends BaseClient {
constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
/**
* Retrieves token from cache or throws an error if it must be refreshed.
* @param request
*/
acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
private setCacheOutcome;
/**
* Helper function to build response object from the CacheRecord
* @param cacheRecord
*/
private generateResultFromCacheRecord;
}
//# sourceMappingURL=SilentFlowClient.d.ts.map
@@ -0,0 +1 @@
{"version":3,"file":"SilentFlowClient.d.ts","sourceRoot":"","sources":["../../src/client/SilentFlowClient.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAQ3E,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AAQpF,gBAAgB;AAChB,qBAAa,gBAAiB,SAAQ,UAAU;gBAExC,aAAa,EAAE,mBAAmB,EAClC,iBAAiB,CAAC,EAAE,kBAAkB;IAK1C;;;OAGG;IACG,kBAAkB,CACpB,OAAO,EAAE,uBAAuB,GACjC,OAAO,CAAC,CAAC,oBAAoB,EAAE,YAAY,CAAC,CAAC;IAgHhD,OAAO,CAAC,eAAe;IAkBvB;;;OAGG;YACW,6BAA6B;CAqC9C"}
@@ -0,0 +1,112 @@
/*! @azure/msal-common v15.8.1 2025-07-08 */
'use strict';
import { BaseClient } from './BaseClient.mjs';
import { wasClockTurnedBack, isTokenExpired } from '../utils/TimeUtils.mjs';
import { createClientAuthError } from '../error/ClientAuthError.mjs';
import { ResponseHandler } from '../response/ResponseHandler.mjs';
import { CacheOutcome } from '../utils/Constants.mjs';
import { StringUtils } from '../utils/StringUtils.mjs';
import { extractTokenClaims, checkMaxAge } from '../account/AuthToken.mjs';
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
import { invokeAsync } from '../utils/FunctionWrappers.mjs';
import { getTenantFromAuthorityString } from '../authority/Authority.mjs';
import { tokenRefreshRequired, noAccountInSilentRequest, authTimeNotFound } from '../error/ClientAuthErrorCodes.mjs';
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/** @internal */
class SilentFlowClient extends BaseClient {
constructor(configuration, performanceClient) {
super(configuration, performanceClient);
}
/**
* Retrieves token from cache or throws an error if it must be refreshed.
* @param request
*/
async acquireCachedToken(request) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientAcquireCachedToken, request.correlationId);
let lastCacheOutcome = CacheOutcome.NOT_APPLICABLE;
if (request.forceRefresh ||
(!this.config.cacheOptions.claimsBasedCachingEnabled &&
!StringUtils.isEmptyObj(request.claims))) {
// Must refresh due to present force_refresh flag.
this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
throw createClientAuthError(tokenRefreshRequired);
}
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
if (!request.account) {
throw createClientAuthError(noAccountInSilentRequest);
}
const requestTenantId = request.account.tenantId ||
getTenantFromAuthorityString(request.authority);
const tokenKeys = this.cacheManager.getTokenKeys();
const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId);
if (!cachedAccessToken) {
// must refresh due to non-existent access_token
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
throw createClientAuthError(tokenRefreshRequired);
}
else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
// must refresh due to the expires_in value
this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
throw createClientAuthError(tokenRefreshRequired);
}
else if (cachedAccessToken.refreshOn &&
isTokenExpired(cachedAccessToken.refreshOn, 0)) {
// must refresh (in the background) due to the refresh_in value
lastCacheOutcome = CacheOutcome.PROACTIVELY_REFRESHED;
// don't throw ClientAuthError.createRefreshRequiredError(), return cached token instead
}
const environment = request.authority || this.authority.getPreferredCache();
const cacheRecord = {
account: this.cacheManager.readAccountFromCache(request.account, request.correlationId),
accessToken: cachedAccessToken,
idToken: this.cacheManager.getIdToken(request.account, request.correlationId, tokenKeys, requestTenantId, this.performanceClient),
refreshToken: null,
appMetadata: this.cacheManager.readAppMetadataFromCache(environment),
};
this.setCacheOutcome(lastCacheOutcome, request.correlationId);
if (this.config.serverTelemetryManager) {
this.config.serverTelemetryManager.incrementCacheHits();
}
return [
await invokeAsync(this.generateResultFromCacheRecord.bind(this), PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, this.logger, this.performanceClient, request.correlationId)(cacheRecord, request),
lastCacheOutcome,
];
}
setCacheOutcome(cacheOutcome, correlationId) {
this.serverTelemetryManager?.setCacheOutcome(cacheOutcome);
this.performanceClient?.addFields({
cacheOutcome: cacheOutcome,
}, correlationId);
if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
this.logger.info(`Token refresh is required due to cache outcome: ${cacheOutcome}`);
}
}
/**
* Helper function to build response object from the CacheRecord
* @param cacheRecord
*/
async generateResultFromCacheRecord(cacheRecord, request) {
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
let idTokenClaims;
if (cacheRecord.idToken) {
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
}
// token max_age check
if (request.maxAge || request.maxAge === 0) {
const authTime = idTokenClaims?.auth_time;
if (!authTime) {
throw createClientAuthError(authTimeNotFound);
}
checkMaxAge(authTime, request.maxAge);
}
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
}
}
export { SilentFlowClient };
//# sourceMappingURL=SilentFlowClient.mjs.map
@@ -0,0 +1 @@
{"version":3,"file":"SilentFlowClient.mjs","sources":["../../src/client/SilentFlowClient.ts"],"sourcesContent":[null],"names":["ClientAuthErrorCodes.tokenRefreshRequired","ClientAuthErrorCodes.noAccountInSilentRequest","TimeUtils.wasClockTurnedBack","TimeUtils.isTokenExpired","ClientAuthErrorCodes.authTimeNotFound"],"mappings":";;;;;;;;;;;;;;AAAA;;;AAGG;AAsBH;AACM,MAAO,gBAAiB,SAAQ,UAAU,CAAA;IAC5C,WACI,CAAA,aAAkC,EAClC,iBAAsC,EAAA;AAEtC,QAAA,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;KAC3C;AAED;;;AAGG;IACH,MAAM,kBAAkB,CACpB,OAAgC,EAAA;AAEhC,QAAA,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CACvC,iBAAiB,CAAC,kCAAkC,EACpD,OAAO,CAAC,aAAa,CACxB,CAAC;AACF,QAAA,IAAI,gBAAgB,GAAiB,YAAY,CAAC,cAAc,CAAC;QAEjE,IACI,OAAO,CAAC,YAAY;AACpB,aAAC,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,yBAAyB;gBAChD,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,EAC9C;;YAEE,IAAI,CAAC,eAAe,CAChB,YAAY,CAAC,uBAAuB,EACpC,OAAO,CAAC,aAAa,CACxB,CAAC;AACF,YAAA,MAAM,qBAAqB,CACvBA,oBAAyC,CAC5C,CAAC;AACL,SAAA;;AAGD,QAAA,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;AAClB,YAAA,MAAM,qBAAqB,CACvBC,wBAA6C,CAChD,CAAC;AACL,SAAA;AAED,QAAA,MAAM,eAAe,GACjB,OAAO,CAAC,OAAO,CAAC,QAAQ;AACxB,YAAA,4BAA4B,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC;AACnD,QAAA,MAAM,iBAAiB,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,CACtD,OAAO,CAAC,OAAO,EACf,OAAO,EACP,SAAS,EACT,eAAe,CAClB,CAAC;QAEF,IAAI,CAAC,iBAAiB,EAAE;;YAEpB,IAAI,CAAC,eAAe,CAChB,YAAY,CAAC,sBAAsB,EACnC,OAAO,CAAC,aAAa,CACxB,CAAC;AACF,YAAA,MAAM,qBAAqB,CACvBD,oBAAyC,CAC5C,CAAC;AACL,SAAA;AAAM,aAAA,IACHE,kBAA4B,CAAC,iBAAiB,CAAC,QAAQ,CAAC;AACxD,YAAAC,cAAwB,CACpB,iBAAiB,CAAC,SAAS,EAC3B,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,yBAAyB,CACtD,EACH;;YAEE,IAAI,CAAC,eAAe,CAChB,YAAY,CAAC,2BAA2B,EACxC,OAAO,CAAC,aAAa,CACxB,CAAC;AACF,YAAA,MAAM,qBAAqB,CACvBH,oBAAyC,CAC5C,CAAC;AACL,SAAA;aAAM,IACH,iBAAiB,CAAC,SAAS;YAC3BG,cAAwB,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC,EAC1D;;AAEE,YAAA,gBAAgB,GAAG,YAAY,CAAC,qBAAqB,CAAC;;AAGzD,SAAA;AAED,QAAA,MAAM,WAAW,GACb,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;AAC5D,QAAA,MAAM,WAAW,GAAgB;AAC7B,YAAA,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAC3C,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,aAAa,CACxB;AACD,YAAA,WAAW,EAAE,iBAAiB;YAC9B,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,UAAU,CACjC,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,aAAa,EACrB,SAAS,EACT,eAAe,EACf,IAAI,CAAC,iBAAiB,CACzB;AACD,YAAA,YAAY,EAAE,IAAI;YAClB,WAAW,EACP,IAAI,CAAC,YAAY,CAAC,wBAAwB,CAAC,WAAW,CAAC;SAC9D,CAAC;QAEF,IAAI,CAAC,eAAe,CAAC,gBAAgB,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;AAE9D,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AACpC,YAAA,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,kBAAkB,EAAE,CAAC;AAC3D,SAAA;QAED,OAAO;AACH,YAAA,MAAM,WAAW,CACb,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,IAAI,CAAC,EAC7C,iBAAiB,CAAC,6CAA6C,EAC/D,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,iBAAiB,EACtB,OAAO,CAAC,aAAa,CACxB,CAAC,WAAW,EAAE,OAAO,CAAC;YACvB,gBAAgB;SACnB,CAAC;KACL;IAEO,eAAe,CACnB,YAA0B,EAC1B,aAAqB,EAAA;AAErB,QAAA,IAAI,CAAC,sBAAsB,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC;AAC3D,QAAA,IAAI,CAAC,iBAAiB,EAAE,SAAS,CAC7B;AACI,YAAA,YAAY,EAAE,YAAY;SAC7B,EACD,aAAa,CAChB,CAAC;AACF,QAAA,IAAI,YAAY,KAAK,YAAY,CAAC,cAAc,EAAE;YAC9C,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,CAAmD,gDAAA,EAAA,YAAY,CAAE,CAAA,CACpE,CAAC;AACL,SAAA;KACJ;AAED;;;AAGG;AACK,IAAA,MAAM,6BAA6B,CACvC,WAAwB,EACxB,OAAgC,EAAA;AAEhC,QAAA,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CACvC,iBAAiB,CAAC,6CAA6C,EAC/D,OAAO,CAAC,aAAa,CACxB,CAAC;AACF,QAAA,IAAI,aAAsC,CAAC;QAC3C,IAAI,WAAW,CAAC,OAAO,EAAE;AACrB,YAAA,aAAa,GAAG,kBAAkB,CAC9B,WAAW,CAAC,OAAO,CAAC,MAAM,EAC1B,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,YAAY,CAC3C,CAAC;AACL,SAAA;;QAGD,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;AACxC,YAAA,MAAM,QAAQ,GAAG,aAAa,EAAE,SAAS,CAAC;YAC1C,IAAI,CAAC,QAAQ,EAAE;AACX,gBAAA,MAAM,qBAAqB,CACvBC,gBAAqC,CACxC,CAAC;AACL,aAAA;AAED,YAAA,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;AACzC,SAAA;QAED,OAAO,eAAe,CAAC,4BAA4B,CAC/C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,SAAS,EACd,WAAW,EACX,IAAI,EACJ,OAAO,EACP,aAAa,CAChB,CAAC;KACL;AACJ;;;;"}