UNPKG

@azure/msal-browser

Version:

Microsoft Authentication Library for js

github.com/AzureAD/microsoft-authentication-library-for-js

AzureAD/microsoft-authentication-library-for-js

1,241 lines (1,221 loc) • 932 kB

JavaScript

/*! @azure/msal-browser v4.12.0 2025-05-06 */ 'use strict'; (function (global, factory) { typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) : typeof define === 'function' && define.amd ? define(['exports'], factory) : (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {})); })(this, (function (exports) { 'use strict'; /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ const Constants = { LIBRARY_NAME: "MSAL.JS", SKU: "msal.js.common", // Prefix for all library cache entries CACHE_PREFIX: "msal", // default authority DEFAULT_AUTHORITY: "https://login.microsoftonline.com/common/", DEFAULT_AUTHORITY_HOST: "login.microsoftonline.com", DEFAULT_COMMON_TENANT: "common", // ADFS String ADFS: "adfs", DSTS: "dstsv2", // Default AAD Instance Discovery Endpoint AAD_INSTANCE_DISCOVERY_ENDPT: "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=", // CIAM URL CIAM_AUTH_URL: ".ciamlogin.com", AAD_TENANT_DOMAIN_SUFFIX: ".onmicrosoft.com", // Resource delimiter - used for certain cache entries RESOURCE_DELIM: "|", // Placeholder for non-existent account ids/objects NO_ACCOUNT: "NO_ACCOUNT", // Claims CLAIMS: "claims", // Consumer UTID CONSUMER_UTID: "9188040d-6c67-4c5b-b112-36a304b66dad", // Default scopes OPENID_SCOPE: "openid", PROFILE_SCOPE: "profile", OFFLINE_ACCESS_SCOPE: "offline_access", EMAIL_SCOPE: "email", CODE_GRANT_TYPE: "authorization_code", RT_GRANT_TYPE: "refresh_token", S256_CODE_CHALLENGE_METHOD: "S256", URL_FORM_CONTENT_TYPE: "application/x-www-form-urlencoded;charset=utf-8", AUTHORIZATION_PENDING: "authorization_pending", NOT_DEFINED: "not_defined", EMPTY_STRING: "", NOT_APPLICABLE: "N/A", NOT_AVAILABLE: "Not Available", FORWARD_SLASH: "/", IMDS_ENDPOINT: "http://169.254.169.254/metadata/instance/compute/location", IMDS_VERSION: "2020-06-01", IMDS_TIMEOUT: 2000, AZURE_REGION_AUTO_DISCOVER_FLAG: "TryAutoDetect", REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX: "login.microsoft.com", KNOWN_PUBLIC_CLOUDS: [ "login.microsoftonline.com", "login.windows.net", "login.microsoft.com", "sts.windows.net", ], SHR_NONCE_VALIDITY: 240, INVALID_INSTANCE: "invalid_instance", }; const HttpStatus = { SUCCESS: 200, SUCCESS_RANGE_START: 200, SUCCESS_RANGE_END: 299, REDIRECT: 302, CLIENT_ERROR: 400, CLIENT_ERROR_RANGE_START: 400, BAD_REQUEST: 400, UNAUTHORIZED: 401, NOT_FOUND: 404, REQUEST_TIMEOUT: 408, GONE: 410, TOO_MANY_REQUESTS: 429, CLIENT_ERROR_RANGE_END: 499, SERVER_ERROR: 500, SERVER_ERROR_RANGE_START: 500, SERVICE_UNAVAILABLE: 503, GATEWAY_TIMEOUT: 504, SERVER_ERROR_RANGE_END: 599, MULTI_SIDED_ERROR: 600, }; const OIDC_DEFAULT_SCOPES = [ Constants.OPENID_SCOPE, Constants.PROFILE_SCOPE, Constants.OFFLINE_ACCESS_SCOPE, ]; const OIDC_SCOPES = [...OIDC_DEFAULT_SCOPES, Constants.EMAIL_SCOPE]; /** * Request header names */ const HeaderNames = { CONTENT_TYPE: "Content-Type", CONTENT_LENGTH: "Content-Length", RETRY_AFTER: "Retry-After", CCS_HEADER: "X-AnchorMailbox", WWWAuthenticate: "WWW-Authenticate", AuthenticationInfo: "Authentication-Info", X_MS_REQUEST_ID: "x-ms-request-id", X_MS_HTTP_VERSION: "x-ms-httpver", }; /** * Persistent cache keys MSAL which stay while user is logged in. */ const PersistentCacheKeys = { ACTIVE_ACCOUNT_FILTERS: "active-account-filters", // new cache entry for active_account for a more robust version for browser }; /** * String constants related to AAD Authority */ const AADAuthorityConstants = { COMMON: "common", ORGANIZATIONS: "organizations", CONSUMERS: "consumers", }; /** * Claims request keys */ const ClaimsRequestKeys = { ACCESS_TOKEN: "access_token", XMS_CC: "xms_cc", }; /** * we considered making this "enum" in the request instead of string, however it looks like the allowed list of * prompt values kept changing over past couple of years. There are some undocumented prompt values for some * internal partners too, hence the choice of generic "string" type instead of the "enum" */ const PromptValue = { LOGIN: "login", SELECT_ACCOUNT: "select_account", CONSENT: "consent", NONE: "none", CREATE: "create", NO_SESSION: "no_session", }; /** * allowed values for codeVerifier */ const CodeChallengeMethodValues = { PLAIN: "plain", S256: "S256", }; /** * Allowed values for response_type */ const OAuthResponseType = { CODE: "code", IDTOKEN_TOKEN: "id_token token", IDTOKEN_TOKEN_REFRESHTOKEN: "id_token token refresh_token", }; /** * allowed values for server response type * @deprecated Use ResponseMode instead */ const ServerResponseType = { QUERY: "query", FRAGMENT: "fragment", }; /** * allowed values for response_mode */ const ResponseMode = { QUERY: "query", FRAGMENT: "fragment", FORM_POST: "form_post", }; /** * allowed grant_type */ const GrantType = { IMPLICIT_GRANT: "implicit", AUTHORIZATION_CODE_GRANT: "authorization_code", CLIENT_CREDENTIALS_GRANT: "client_credentials", RESOURCE_OWNER_PASSWORD_GRANT: "password", REFRESH_TOKEN_GRANT: "refresh_token", DEVICE_CODE_GRANT: "device_code", JWT_BEARER: "urn:ietf:params:oauth:grant-type:jwt-bearer", }; /** * Account types in Cache */ const CacheAccountType = { MSSTS_ACCOUNT_TYPE: "MSSTS", ADFS_ACCOUNT_TYPE: "ADFS", MSAV1_ACCOUNT_TYPE: "MSA", GENERIC_ACCOUNT_TYPE: "Generic", // NTLM, Kerberos, FBA, Basic etc }; /** * Separators used in cache */ const Separators = { CACHE_KEY_SEPARATOR: "-", CLIENT_INFO_SEPARATOR: ".", }; /** * Credential Type stored in the cache */ const CredentialType = { ID_TOKEN: "IdToken", ACCESS_TOKEN: "AccessToken", ACCESS_TOKEN_WITH_AUTH_SCHEME: "AccessToken_With_AuthScheme", REFRESH_TOKEN: "RefreshToken", }; /** * More Cache related constants */ const APP_METADATA = "appmetadata"; const CLIENT_INFO = "client_info"; const THE_FAMILY_ID = "1"; const AUTHORITY_METADATA_CONSTANTS = { CACHE_KEY: "authority-metadata", REFRESH_TIME_SECONDS: 3600 * 24, // 24 Hours }; const AuthorityMetadataSource = { CONFIG: "config", CACHE: "cache", NETWORK: "network", HARDCODED_VALUES: "hardcoded_values", }; const SERVER_TELEM_CONSTANTS = { SCHEMA_VERSION: 5, MAX_CUR_HEADER_BYTES: 80, MAX_LAST_HEADER_BYTES: 330, MAX_CACHED_ERRORS: 50, CACHE_KEY: "server-telemetry", CATEGORY_SEPARATOR: "|", VALUE_SEPARATOR: ",", OVERFLOW_TRUE: "1", OVERFLOW_FALSE: "0", UNKNOWN_ERROR: "unknown_error", }; /** * Type of the authentication request */ const AuthenticationScheme = { BEARER: "Bearer", POP: "pop", SSH: "ssh-cert", }; /** * Constants related to throttling */ const ThrottlingConstants = { // Default time to throttle RequestThumbprint in seconds DEFAULT_THROTTLE_TIME_SECONDS: 60, // Default maximum time to throttle in seconds, overrides what the server sends back DEFAULT_MAX_THROTTLE_TIME_SECONDS: 3600, // Prefix for storing throttling entries THROTTLING_PREFIX: "throttling", // Value assigned to the x-ms-lib-capability header to indicate to the server the library supports throttling X_MS_LIB_CAPABILITY_VALUE: "retry-after, h429", }; const Errors = { INVALID_GRANT_ERROR: "invalid_grant", CLIENT_MISMATCH_ERROR: "client_mismatch", }; /** * Response codes */ const ResponseCodes = { httpSuccess: 200, httpBadRequest: 400, }; /** * Region Discovery Sources */ const RegionDiscoverySources = { FAILED_AUTO_DETECTION: "1", INTERNAL_CACHE: "2", ENVIRONMENT_VARIABLE: "3", IMDS: "4", }; /** * Region Discovery Outcomes */ const RegionDiscoveryOutcomes = { CONFIGURED_MATCHES_DETECTED: "1", CONFIGURED_NO_AUTO_DETECTION: "2", CONFIGURED_NOT_DETECTED: "3", AUTO_DETECTION_REQUESTED_SUCCESSFUL: "4", AUTO_DETECTION_REQUESTED_FAILED: "5", }; /** * Specifies the reason for fetching the access token from the identity provider */ const CacheOutcome = { // When a token is found in the cache or the cache is not supposed to be hit when making the request NOT_APPLICABLE: "0", // When the token request goes to the identity provider because force_refresh was set to true. Also occurs if claims were requested FORCE_REFRESH_OR_CLAIMS: "1", // When the token request goes to the identity provider because no cached access token exists NO_CACHED_ACCESS_TOKEN: "2", // When the token request goes to the identity provider because cached access token expired CACHED_ACCESS_TOKEN_EXPIRED: "3", // When the token request goes to the identity provider because refresh_in was used and the existing token needs to be refreshed PROACTIVELY_REFRESHED: "4", }; const JsonWebTokenTypes = { Jwt: "JWT", Jwk: "JWK", Pop: "pop", }; // Token renewal offset default in seconds const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300; /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /** * AuthErrorMessage class containing string constants used by error codes and messages. */ const unexpectedError = "unexpected_error"; const postRequestFailed$1 = "post_request_failed"; var AuthErrorCodes = /*#__PURE__*/Object.freeze({ __proto__: null, postRequestFailed: postRequestFailed$1, unexpectedError: unexpectedError }); /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ const AuthErrorMessages = { [unexpectedError]: "Unexpected error in authentication.", [postRequestFailed$1]: "Post request failed from the network, could be a 4xx/5xx or a network unavailability. Please check the exact error code for details.", }; /** * AuthErrorMessage class containing string constants used by error codes and messages. * @deprecated Use AuthErrorCodes instead */ const AuthErrorMessage = { unexpectedError: { code: unexpectedError, desc: AuthErrorMessages[unexpectedError], }, postRequestFailed: { code: postRequestFailed$1, desc: AuthErrorMessages[postRequestFailed$1], }, }; /** * General error class thrown by the MSAL.js library. */ class AuthError extends Error { constructor(errorCode, errorMessage, suberror) { const errorString = errorMessage ? `${errorCode}: ${errorMessage}` : errorCode; super(errorString); Object.setPrototypeOf(this, AuthError.prototype); this.errorCode = errorCode || Constants.EMPTY_STRING; this.errorMessage = errorMessage || Constants.EMPTY_STRING; this.subError = suberror || Constants.EMPTY_STRING; this.name = "AuthError"; } setCorrelationId(correlationId) { this.correlationId = correlationId; } } function createAuthError(code, additionalMessage) { return new AuthError(code, additionalMessage ? `${AuthErrorMessages[code]} ${additionalMessage}` : AuthErrorMessages[code]); } /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ const clientInfoDecodingError = "client_info_decoding_error"; const clientInfoEmptyError = "client_info_empty_error"; const tokenParsingError = "token_parsing_error"; const nullOrEmptyToken = "null_or_empty_token"; const endpointResolutionError = "endpoints_resolution_error"; const networkError = "network_error"; const openIdConfigError = "openid_config_error"; const hashNotDeserialized = "hash_not_deserialized"; const invalidState = "invalid_state"; const stateMismatch = "state_mismatch"; const stateNotFound = "state_not_found"; const nonceMismatch = "nonce_mismatch"; const authTimeNotFound = "auth_time_not_found"; const maxAgeTranspired = "max_age_transpired"; const multipleMatchingTokens = "multiple_matching_tokens"; const multipleMatchingAccounts = "multiple_matching_accounts"; const multipleMatchingAppMetadata = "multiple_matching_appMetadata"; const requestCannotBeMade = "request_cannot_be_made"; const cannotRemoveEmptyScope = "cannot_remove_empty_scope"; const cannotAppendScopeSet = "cannot_append_scopeset"; const emptyInputScopeSet = "empty_input_scopeset"; const deviceCodePollingCancelled = "device_code_polling_cancelled"; const deviceCodeExpired = "device_code_expired"; const deviceCodeUnknownError = "device_code_unknown_error"; const noAccountInSilentRequest = "no_account_in_silent_request"; const invalidCacheRecord = "invalid_cache_record"; const invalidCacheEnvironment = "invalid_cache_environment"; const noAccountFound = "no_account_found"; const noCryptoObject = "no_crypto_object"; const unexpectedCredentialType = "unexpected_credential_type"; const invalidAssertion = "invalid_assertion"; const invalidClientCredential = "invalid_client_credential"; const tokenRefreshRequired = "token_refresh_required"; const userTimeoutReached = "user_timeout_reached"; const tokenClaimsCnfRequiredForSignedJwt = "token_claims_cnf_required_for_signedjwt"; const authorizationCodeMissingFromServerResponse = "authorization_code_missing_from_server_response"; const bindingKeyNotRemoved = "binding_key_not_removed"; const endSessionEndpointNotSupported = "end_session_endpoint_not_supported"; const keyIdMissing = "key_id_missing"; const noNetworkConnectivity$1 = "no_network_connectivity"; const userCanceled = "user_canceled"; const missingTenantIdError = "missing_tenant_id_error"; const methodNotImplemented = "method_not_implemented"; const nestedAppAuthBridgeDisabled = "nested_app_auth_bridge_disabled"; var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({ __proto__: null, authTimeNotFound: authTimeNotFound, authorizationCodeMissingFromServerResponse: authorizationCodeMissingFromServerResponse, bindingKeyNotRemoved: bindingKeyNotRemoved, cannotAppendScopeSet: cannotAppendScopeSet, cannotRemoveEmptyScope: cannotRemoveEmptyScope, clientInfoDecodingError: clientInfoDecodingError, clientInfoEmptyError: clientInfoEmptyError, deviceCodeExpired: deviceCodeExpired, deviceCodePollingCancelled: deviceCodePollingCancelled, deviceCodeUnknownError: deviceCodeUnknownError, emptyInputScopeSet: emptyInputScopeSet, endSessionEndpointNotSupported: endSessionEndpointNotSupported, endpointResolutionError: endpointResolutionError, hashNotDeserialized: hashNotDeserialized, invalidAssertion: invalidAssertion, invalidCacheEnvironment: invalidCacheEnvironment, invalidCacheRecord: invalidCacheRecord, invalidClientCredential: invalidClientCredential, invalidState: invalidState, keyIdMissing: keyIdMissing, maxAgeTranspired: maxAgeTranspired, methodNotImplemented: methodNotImplemented, missingTenantIdError: missingTenantIdError, multipleMatchingAccounts: multipleMatchingAccounts, multipleMatchingAppMetadata: multipleMatchingAppMetadata, multipleMatchingTokens: multipleMatchingTokens, nestedAppAuthBridgeDisabled: nestedAppAuthBridgeDisabled, networkError: networkError, noAccountFound: noAccountFound, noAccountInSilentRequest: noAccountInSilentRequest, noCryptoObject: noCryptoObject, noNetworkConnectivity: noNetworkConnectivity$1, nonceMismatch: nonceMismatch, nullOrEmptyToken: nullOrEmptyToken, openIdConfigError: openIdConfigError, requestCannotBeMade: requestCannotBeMade, stateMismatch: stateMismatch, stateNotFound: stateNotFound, tokenClaimsCnfRequiredForSignedJwt: tokenClaimsCnfRequiredForSignedJwt, tokenParsingError: tokenParsingError, tokenRefreshRequired: tokenRefreshRequired, unexpectedCredentialType: unexpectedCredentialType, userCanceled: userCanceled, userTimeoutReached: userTimeoutReached }); /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /** * ClientAuthErrorMessage class containing string constants used by error codes and messages. */ const ClientAuthErrorMessages = { [clientInfoDecodingError]: "The client info could not be parsed/decoded correctly", [clientInfoEmptyError]: "The client info was empty", [tokenParsingError]: "Token cannot be parsed", [nullOrEmptyToken]: "The token is null or empty", [endpointResolutionError]: "Endpoints cannot be resolved", [networkError]: "Network request failed", [openIdConfigError]: "Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.", [hashNotDeserialized]: "The hash parameters could not be deserialized", [invalidState]: "State was not the expected format", [stateMismatch]: "State mismatch error", [stateNotFound]: "State not found", [nonceMismatch]: "Nonce mismatch error", [authTimeNotFound]: "Max Age was requested and the ID token is missing the auth_time variable." + " auth_time is an optional claim and is not enabled by default - it must be enabled." + " See https://aka.ms/msaljs/optional-claims for more information.", [maxAgeTranspired]: "Max Age is set to 0, or too much time has elapsed since the last end-user authentication.", [multipleMatchingTokens]: "The cache contains multiple tokens satisfying the requirements. " + "Call AcquireToken again providing more requirements such as authority or account.", [multipleMatchingAccounts]: "The cache contains multiple accounts satisfying the given parameters. Please pass more info to obtain the correct account", [multipleMatchingAppMetadata]: "The cache contains multiple appMetadata satisfying the given parameters. Please pass more info to obtain the correct appMetadata", [requestCannotBeMade]: "Token request cannot be made without authorization code or refresh token.", [cannotRemoveEmptyScope]: "Cannot remove null or empty scope from ScopeSet", [cannotAppendScopeSet]: "Cannot append ScopeSet", [emptyInputScopeSet]: "Empty input ScopeSet cannot be processed", [deviceCodePollingCancelled]: "Caller has cancelled token endpoint polling during device code flow by setting DeviceCodeRequest.cancel = true.", [deviceCodeExpired]: "Device code is expired.", [deviceCodeUnknownError]: "Device code stopped polling for unknown reasons.", [noAccountInSilentRequest]: "Please pass an account object, silent flow is not supported without account information", [invalidCacheRecord]: "Cache record object was null or undefined.", [invalidCacheEnvironment]: "Invalid environment when attempting to create cache entry", [noAccountFound]: "No account found in cache for given key.", [noCryptoObject]: "No crypto object detected.", [unexpectedCredentialType]: "Unexpected credential type.", [invalidAssertion]: "Client assertion must meet requirements described in https://tools.ietf.org/html/rfc7515", [invalidClientCredential]: "Client credential (secret, certificate, or assertion) must not be empty when creating a confidential client. An application should at most have one credential", [tokenRefreshRequired]: "Cannot return token from cache because it must be refreshed. This may be due to one of the following reasons: forceRefresh parameter is set to true, claims have been requested, there is no cached access token or it is expired.", [userTimeoutReached]: "User defined timeout for device code polling reached", [tokenClaimsCnfRequiredForSignedJwt]: "Cannot generate a POP jwt if the token_claims are not populated", [authorizationCodeMissingFromServerResponse]: "Server response does not contain an authorization code to proceed", [bindingKeyNotRemoved]: "Could not remove the credential's binding key from storage.", [endSessionEndpointNotSupported]: "The provided authority does not support logout", [keyIdMissing]: "A keyId value is missing from the requested bound token's cache record and is required to match the token to it's stored binding key.", [noNetworkConnectivity$1]: "No network connectivity. Check your internet connection.", [userCanceled]: "User cancelled the flow.", [missingTenantIdError]: "A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.", [methodNotImplemented]: "This method has not been implemented", [nestedAppAuthBridgeDisabled]: "The nested app auth bridge is disabled", }; /** * String constants used by error codes and messages. * @deprecated Use ClientAuthErrorCodes instead */ const ClientAuthErrorMessage = { clientInfoDecodingError: { code: clientInfoDecodingError, desc: ClientAuthErrorMessages[clientInfoDecodingError], }, clientInfoEmptyError: { code: clientInfoEmptyError, desc: ClientAuthErrorMessages[clientInfoEmptyError], }, tokenParsingError: { code: tokenParsingError, desc: ClientAuthErrorMessages[tokenParsingError], }, nullOrEmptyToken: { code: nullOrEmptyToken, desc: ClientAuthErrorMessages[nullOrEmptyToken], }, endpointResolutionError: { code: endpointResolutionError, desc: ClientAuthErrorMessages[endpointResolutionError], }, networkError: { code: networkError, desc: ClientAuthErrorMessages[networkError], }, unableToGetOpenidConfigError: { code: openIdConfigError, desc: ClientAuthErrorMessages[openIdConfigError], }, hashNotDeserialized: { code: hashNotDeserialized, desc: ClientAuthErrorMessages[hashNotDeserialized], }, invalidStateError: { code: invalidState, desc: ClientAuthErrorMessages[invalidState], }, stateMismatchError: { code: stateMismatch, desc: ClientAuthErrorMessages[stateMismatch], }, stateNotFoundError: { code: stateNotFound, desc: ClientAuthErrorMessages[stateNotFound], }, nonceMismatchError: { code: nonceMismatch, desc: ClientAuthErrorMessages[nonceMismatch], }, authTimeNotFoundError: { code: authTimeNotFound, desc: ClientAuthErrorMessages[authTimeNotFound], }, maxAgeTranspired: { code: maxAgeTranspired, desc: ClientAuthErrorMessages[maxAgeTranspired], }, multipleMatchingTokens: { code: multipleMatchingTokens, desc: ClientAuthErrorMessages[multipleMatchingTokens], }, multipleMatchingAccounts: { code: multipleMatchingAccounts, desc: ClientAuthErrorMessages[multipleMatchingAccounts], }, multipleMatchingAppMetadata: { code: multipleMatchingAppMetadata, desc: ClientAuthErrorMessages[multipleMatchingAppMetadata], }, tokenRequestCannotBeMade: { code: requestCannotBeMade, desc: ClientAuthErrorMessages[requestCannotBeMade], }, removeEmptyScopeError: { code: cannotRemoveEmptyScope, desc: ClientAuthErrorMessages[cannotRemoveEmptyScope], }, appendScopeSetError: { code: cannotAppendScopeSet, desc: ClientAuthErrorMessages[cannotAppendScopeSet], }, emptyInputScopeSetError: { code: emptyInputScopeSet, desc: ClientAuthErrorMessages[emptyInputScopeSet], }, DeviceCodePollingCancelled: { code: deviceCodePollingCancelled, desc: ClientAuthErrorMessages[deviceCodePollingCancelled], }, DeviceCodeExpired: { code: deviceCodeExpired, desc: ClientAuthErrorMessages[deviceCodeExpired], }, DeviceCodeUnknownError: { code: deviceCodeUnknownError, desc: ClientAuthErrorMessages[deviceCodeUnknownError], }, NoAccountInSilentRequest: { code: noAccountInSilentRequest, desc: ClientAuthErrorMessages[noAccountInSilentRequest], }, invalidCacheRecord: { code: invalidCacheRecord, desc: ClientAuthErrorMessages[invalidCacheRecord], }, invalidCacheEnvironment: { code: invalidCacheEnvironment, desc: ClientAuthErrorMessages[invalidCacheEnvironment], }, noAccountFound: { code: noAccountFound, desc: ClientAuthErrorMessages[noAccountFound], }, noCryptoObj: { code: noCryptoObject, desc: ClientAuthErrorMessages[noCryptoObject], }, unexpectedCredentialType: { code: unexpectedCredentialType, desc: ClientAuthErrorMessages[unexpectedCredentialType], }, invalidAssertion: { code: invalidAssertion, desc: ClientAuthErrorMessages[invalidAssertion], }, invalidClientCredential: { code: invalidClientCredential, desc: ClientAuthErrorMessages[invalidClientCredential], }, tokenRefreshRequired: { code: tokenRefreshRequired, desc: ClientAuthErrorMessages[tokenRefreshRequired], }, userTimeoutReached: { code: userTimeoutReached, desc: ClientAuthErrorMessages[userTimeoutReached], }, tokenClaimsRequired: { code: tokenClaimsCnfRequiredForSignedJwt, desc: ClientAuthErrorMessages[tokenClaimsCnfRequiredForSignedJwt], }, noAuthorizationCodeFromServer: { code: authorizationCodeMissingFromServerResponse, desc: ClientAuthErrorMessages[authorizationCodeMissingFromServerResponse], }, bindingKeyNotRemovedError: { code: bindingKeyNotRemoved, desc: ClientAuthErrorMessages[bindingKeyNotRemoved], }, logoutNotSupported: { code: endSessionEndpointNotSupported, desc: ClientAuthErrorMessages[endSessionEndpointNotSupported], }, keyIdMissing: { code: keyIdMissing, desc: ClientAuthErrorMessages[keyIdMissing], }, noNetworkConnectivity: { code: noNetworkConnectivity$1, desc: ClientAuthErrorMessages[noNetworkConnectivity$1], }, userCanceledError: { code: userCanceled, desc: ClientAuthErrorMessages[userCanceled], }, missingTenantIdError: { code: missingTenantIdError, desc: ClientAuthErrorMessages[missingTenantIdError], }, nestedAppAuthBridgeDisabled: { code: nestedAppAuthBridgeDisabled, desc: ClientAuthErrorMessages[nestedAppAuthBridgeDisabled], }, }; /** * Error thrown when there is an error in the client code running on the browser. */ class ClientAuthError extends AuthError { constructor(errorCode, additionalMessage) { super(errorCode, additionalMessage ? `${ClientAuthErrorMessages[errorCode]}: ${additionalMessage}` : ClientAuthErrorMessages[errorCode]); this.name = "ClientAuthError"; Object.setPrototypeOf(this, ClientAuthError.prototype); } } function createClientAuthError(errorCode, additionalMessage) { return new ClientAuthError(errorCode, additionalMessage); } /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ const DEFAULT_CRYPTO_IMPLEMENTATION = { createNewGuid: () => { throw createClientAuthError(methodNotImplemented); }, base64Decode: () => { throw createClientAuthError(methodNotImplemented); }, base64Encode: () => { throw createClientAuthError(methodNotImplemented); }, base64UrlEncode: () => { throw createClientAuthError(methodNotImplemented); }, encodeKid: () => { throw createClientAuthError(methodNotImplemented); }, async getPublicKeyThumbprint() { throw createClientAuthError(methodNotImplemented); }, async removeTokenBindingKey() { throw createClientAuthError(methodNotImplemented); }, async clearKeystore() { throw createClientAuthError(methodNotImplemented); }, async signJwt() { throw createClientAuthError(methodNotImplemented); }, async hashString() { throw createClientAuthError(methodNotImplemented); }, }; /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /** * Log message level. */ exports.LogLevel = void 0; (function (LogLevel) { LogLevel[LogLevel["Error"] = 0] = "Error"; LogLevel[LogLevel["Warning"] = 1] = "Warning"; LogLevel[LogLevel["Info"] = 2] = "Info"; LogLevel[LogLevel["Verbose"] = 3] = "Verbose"; LogLevel[LogLevel["Trace"] = 4] = "Trace"; })(exports.LogLevel || (exports.LogLevel = {})); /** * Class which facilitates logging of messages to a specific place. */ class Logger { constructor(loggerOptions, packageName, packageVersion) { // Current log level, defaults to info. this.level = exports.LogLevel.Info; const defaultLoggerCallback = () => { return; }; const setLoggerOptions = loggerOptions || Logger.createDefaultLoggerOptions(); this.localCallback = setLoggerOptions.loggerCallback || defaultLoggerCallback; this.piiLoggingEnabled = setLoggerOptions.piiLoggingEnabled || false; this.level = typeof setLoggerOptions.logLevel === "number" ? setLoggerOptions.logLevel : exports.LogLevel.Info; this.correlationId = setLoggerOptions.correlationId || Constants.EMPTY_STRING; this.packageName = packageName || Constants.EMPTY_STRING; this.packageVersion = packageVersion || Constants.EMPTY_STRING; } static createDefaultLoggerOptions() { return { loggerCallback: () => { // allow users to not set loggerCallback }, piiLoggingEnabled: false, logLevel: exports.LogLevel.Info, }; } /** * Create new Logger with existing configurations. */ clone(packageName, packageVersion, correlationId) { return new Logger({ loggerCallback: this.localCallback, piiLoggingEnabled: this.piiLoggingEnabled, logLevel: this.level, correlationId: correlationId || this.correlationId, }, packageName, packageVersion); } /** * Log message with required options. */ logMessage(logMessage, options) { if (options.logLevel > this.level || (!this.piiLoggingEnabled && options.containsPii)) { return; } const timestamp = new Date().toUTCString(); // Add correlationId to logs if set, correlationId provided on log messages take precedence const logHeader = `[${timestamp}] : [${options.correlationId || this.correlationId || ""}]`; const log = `${logHeader} : ${this.packageName}@${this.packageVersion} : ${exports.LogLevel[options.logLevel]} - ${logMessage}`; // debug(`msal:${LogLevel[options.logLevel]}${options.containsPii ? "-Pii": Constants.EMPTY_STRING}${options.context ? `:${options.context}` : Constants.EMPTY_STRING}`)(logMessage); this.executeCallback(options.logLevel, log, options.containsPii || false); } /** * Execute callback with message. */ executeCallback(level, message, containsPii) { if (this.localCallback) { this.localCallback(level, message, containsPii); } } /** * Logs error messages. */ error(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Error, containsPii: false, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs error messages with PII. */ errorPii(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Error, containsPii: true, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs warning messages. */ warning(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Warning, containsPii: false, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs warning messages with PII. */ warningPii(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Warning, containsPii: true, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs info messages. */ info(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Info, containsPii: false, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs info messages with PII. */ infoPii(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Info, containsPii: true, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs verbose messages. */ verbose(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Verbose, containsPii: false, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs verbose messages with PII. */ verbosePii(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Verbose, containsPii: true, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs trace messages. */ trace(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Trace, containsPii: false, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Logs trace messages with PII. */ tracePii(message, correlationId) { this.logMessage(message, { logLevel: exports.LogLevel.Trace, containsPii: true, correlationId: correlationId || Constants.EMPTY_STRING, }); } /** * Returns whether PII Logging is enabled or not. */ isPiiLoggingEnabled() { return this.piiLoggingEnabled || false; } } /*! @azure/msal-common v15.6.0 2025-05-06 */ /* eslint-disable header/header */ const name$1 = "@azure/msal-common"; const version$1 = "15.6.0"; /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ const AzureCloudInstance = { // AzureCloudInstance is not specified. None: "none", // Microsoft Azure public cloud AzurePublic: "https://login.microsoftonline.com", // Microsoft PPE AzurePpe: "https://login.windows-ppe.net", // Microsoft Chinese national/regional cloud AzureChina: "https://login.chinacloudapi.cn", // Microsoft German national/regional cloud ("Black Forest") AzureGermany: "https://login.microsoftonline.de", // US Government cloud AzureUsGovernment: "https://login.microsoftonline.us", }; /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /** * Extract token by decoding the rawToken * * @param encodedToken */ function extractTokenClaims(encodedToken, base64Decode) { const jswPayload = getJWSPayload(encodedToken); // token will be decoded to get the username try { // base64Decode() should throw an error if there is an issue const base64Decoded = base64Decode(jswPayload); return JSON.parse(base64Decoded); } catch (err) { throw createClientAuthError(tokenParsingError); } } /** * decode a JWT * * @param authToken */ function getJWSPayload(authToken) { if (!authToken) { throw createClientAuthError(nullOrEmptyToken); } const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/; const matches = tokenPartsRegex.exec(authToken); if (!matches || matches.length < 4) { throw createClientAuthError(tokenParsingError); } /** * const crackedToken = { * header: matches[1], * JWSPayload: matches[2], * JWSSig: matches[3], * }; */ return matches[2]; } /** * Determine if the token's max_age has transpired */ function checkMaxAge(authTime, maxAge) { /* * per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest * To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access, * provide a value of 0 for the max_age parameter and the AS will force a fresh login. */ const fiveMinuteSkew = 300000; // five minutes in milliseconds if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) { throw createClientAuthError(maxAgeTranspired); } } /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /** * Utility functions for managing date and time operations. */ /** * return the current time in Unix time (seconds). */ function nowSeconds() { // Date.getTime() returns in milliseconds. return Math.round(new Date().getTime() / 1000.0); } /** * Converts JS Date object to seconds * @param date Date */ function toSecondsFromDate(date) { // Convert date to seconds return date.getTime() / 1000; } /** * Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date). * @param seconds */ function toDateFromSeconds(seconds) { if (seconds) { return new Date(Number(seconds) * 1000); } return new Date(); } /** * check if a token is expired based on given UTC time in seconds. * @param expiresOn */ function isTokenExpired(expiresOn, offset) { // check for access token expiry const expirationSec = Number(expiresOn) || 0; const offsetCurrentTimeSec = nowSeconds() + offset; // If current time + offset is greater than token expiration time, then token is expired. return offsetCurrentTimeSec > expirationSec; } /** * If the current time is earlier than the time that a token was cached at, we must discard the token * i.e. The system clock was turned back after acquiring the cached token * @param cachedAt * @param offset */ function wasClockTurnedBack(cachedAt) { const cachedAtSec = Number(cachedAt); return cachedAtSec > nowSeconds(); } /*! @azure/msal-common v15.6.0 2025-05-06 */ /* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /** * Cache Key: <home_account_id>-<environment>-<credential_type>-<client_id or familyId>-<realm>-<scopes>-<claims hash>-<scheme> * IdToken Example: uid.utid-login.microsoftonline.com-idtoken-app_client_id-contoso.com * AccessToken Example: uid.utid-login.microsoftonline.com-accesstoken-app_client_id-contoso.com-scope1 scope2--pop * RefreshToken Example: uid.utid-login.microsoftonline.com-refreshtoken-1-contoso.com * @param credentialEntity * @returns */ function generateCredentialKey(credentialEntity) { const credentialKey = [ generateAccountId(credentialEntity), generateCredentialId(credentialEntity), generateTarget(credentialEntity), generateClaimsHash(credentialEntity), generateScheme(credentialEntity), ]; return credentialKey.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase(); } /** * Create IdTokenEntity * @param homeAccountId * @param authenticationResult * @param clientId * @param authority */ function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tenantId) { const idTokenEntity = { credentialType: CredentialType.ID_TOKEN, homeAccountId: homeAccountId, environment: environment, clientId: clientId, secret: idToken, realm: tenantId, }; return idTokenEntity; } /** * Create AccessTokenEntity * @param homeAccountId * @param environment * @param accessToken * @param clientId * @param tenantId * @param scopes * @param expiresOn * @param extExpiresOn */ function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId, requestedClaims, requestedClaimsHash) { const atEntity = { homeAccountId: homeAccountId, credentialType: CredentialType.ACCESS_TOKEN, secret: accessToken, cachedAt: nowSeconds().toString(), expiresOn: expiresOn.toString(), extendedExpiresOn: extExpiresOn.toString(), environment: environment, clientId: clientId, realm: tenantId, target: scopes, tokenType: tokenType || AuthenticationScheme.BEARER, }; if (userAssertionHash) { atEntity.userAssertionHash = userAssertionHash; } if (refreshOn) { atEntity.refreshOn = refreshOn.toString(); } if (requestedClaims) { atEntity.requestedClaims = requestedClaims; atEntity.requestedClaimsHash = requestedClaimsHash; } /* * Create Access Token With Auth Scheme instead of regular access token * Cast to lower to handle "bearer" from ADFS */ if (atEntity.tokenType?.toLowerCase() !== AuthenticationScheme.BEARER.toLowerCase()) { atEntity.credentialType = CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME; switch (atEntity.tokenType) { case AuthenticationScheme.POP: // Make sure keyId is present and add it to credential const tokenClaims = extractTokenClaims(accessToken, base64Decode); if (!tokenClaims?.cnf?.kid) { throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt); } atEntity.keyId = tokenClaims.cnf.kid; break; case AuthenticationScheme.SSH: atEntity.keyId = keyId; } } return atEntity; } /** * Create RefreshTokenEntity * @param homeAccountId * @param authenticationResult * @param clientId * @param authority */ function createRefreshTokenEntity(homeAccountId, environment, refreshToken, clientId, familyId, userAssertionHash, expiresOn) { const rtEntity = { credentialType: CredentialType.REFRESH_TOKEN, homeAccountId: homeAccountId, environment: environment, clientId: clientId, secret: refreshToken, }; if (userAssertionHash) { rtEntity.userAssertionHash = userAssertionHash; } if (familyId) { rtEntity.familyId = familyId; } if (expiresOn) { rtEntity.expiresOn = expiresOn.toString(); } return rtEntity; } function isCredentialEntity(entity) { return (entity.hasOwnProperty("homeAccountId") && entity.hasOwnProperty("environment") && entity.hasOwnProperty("credentialType") && entity.hasOwnProperty("clientId") && entity.hasOwnProperty("secret")); } /** * Validates an entity: checks for all expected params * @param entity */ function isAccessTokenEntity(entity) { if (!entity) { return false; } return (isCredentialEntity(entity) && entity.hasOwnProperty("realm") && entity.hasOwnPrope