@azure/msal-browser

/* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ import { CryptoOps } from "../crypto/CryptoOps.js"; import { InteractionRequiredAuthError, AccountInfo, INetworkModule, Logger, CommonSilentFlowRequest, ICrypto, DEFAULT_CRYPTO_IMPLEMENTATION, AuthError, PerformanceCallbackFunction, IPerformanceClient, BaseAuthRequest, InProgressPerformanceEvent, getRequestThumbprint, invokeAsync, createClientAuthError, ClientAuthErrorCodes, AccountFilter, buildStaticAuthorityOptions, InteractionRequiredAuthErrorCodes, PkceCodes, AccountEntityUtils, Constants, AuthToken, enforceResourceParameter, } from "@azure/msal-common/browser"; import * as BrowserPerformanceEvents from "../telemetry/BrowserPerformanceEvents.js"; import * as BrowserRootPerformanceEvents from "../telemetry/BrowserRootPerformanceEvents.js"; import { BrowserCacheManager, DEFAULT_BROWSER_CACHE_MANAGER, } from "../cache/BrowserCacheManager.js"; import * as CacheKeys from "../cache/CacheKeys.js"; import * as AccountManager from "../cache/AccountManager.js"; import { BrowserConfiguration, CacheOptions } from "../config/Configuration.js"; import { InteractionType, ApiId, BrowserCacheLocation, WrapperSKU, CacheLookupPolicy, DEFAULT_REQUEST, BrowserConstants, iFrameRenewalPolicies, INTERACTION_TYPE, } from "../utils/BrowserConstants.js"; import * as BrowserUtils from "../utils/BrowserUtils.js"; import { RedirectRequest } from "../request/RedirectRequest.js"; import { PopupRequest } from "../request/PopupRequest.js"; import { SsoSilentRequest } from "../request/SsoSilentRequest.js"; import { EventCallbackFunction, EventError } from "../event/EventMessage.js"; import { EventType } from "../event/EventType.js"; import { EndSessionRequest } from "../request/EndSessionRequest.js"; import { EndSessionPopupRequest } from "../request/EndSessionPopupRequest.js"; import { INavigationClient } from "../navigation/INavigationClient.js"; import { EventHandler } from "../event/EventHandler.js"; import { PopupClient } from "../interaction_client/PopupClient.js"; import { RedirectClient } from "../interaction_client/RedirectClient.js"; import { SilentIframeClient } from "../interaction_client/SilentIframeClient.js"; import { SilentRefreshClient } from "../interaction_client/SilentRefreshClient.js"; import { PlatformAuthInteractionClient } from "../interaction_client/PlatformAuthInteractionClient.js"; import { SilentRequest } from "../request/SilentRequest.js"; import { NativeAuthError, isFatalNativeAuthError, } from "../error/NativeAuthError.js"; import { SilentCacheClient } from "../interaction_client/SilentCacheClient.js"; import { SilentAuthCodeClient } from "../interaction_client/SilentAuthCodeClient.js"; import { createBrowserAuthError, BrowserAuthErrorCodes, } from "../error/BrowserAuthError.js"; import { AuthorizationCodeRequest } from "../request/AuthorizationCodeRequest.js"; import { PlatformAuthRequest } from "../broker/nativeBroker/PlatformAuthRequest.js"; import { StandardOperatingContext } from "../operatingcontext/StandardOperatingContext.js"; import { BaseOperatingContext } from "../operatingcontext/BaseOperatingContext.js"; import { IController } from "./IController.js"; import { AuthenticationResult } from "../response/AuthenticationResult.js"; import { ClearCacheRequest } from "../request/ClearCacheRequest.js"; import { createNewGuid } from "../crypto/BrowserCrypto.js"; import { initializeSilentRequest } from "../request/RequestHelpers.js"; import { InitializeApplicationRequest } from "../request/InitializeApplicationRequest.js"; import { generatePkceCodes } from "../crypto/PkceGenerator.js"; import { getPlatformAuthProvider, isPlatformAuthAllowed, } from "../broker/nativeBroker/PlatformAuthProvider.js"; import { IPlatformAuthHandler } from "../broker/nativeBroker/IPlatformAuthHandler.js"; import { collectInstanceStats } from "../utils/MsalFrameStatsUtils.js"; import { HandleRedirectPromiseOptions } from "../request/HandleRedirectPromiseOptions.js"; function preflightCheck( initialized: boolean, performanceEvent: InProgressPerformanceEvent, config: BrowserConfiguration, request: RedirectRequest | PopupRequest | SsoSilentRequest | SilentRequest ) { try { BrowserUtils.preflightCheck(initialized); enforceResourceParameter(config.auth.isMcp, request); } catch (e) { performanceEvent.end({ success: false }, e, request.account); throw e; } } export class StandardController implements IController { // OperatingContext protected readonly operatingContext: StandardOperatingContext; // Crypto interface implementation protected readonly browserCrypto: ICrypto; // Storage interface implementation protected readonly browserStorage: BrowserCacheManager; // Native Cache in memory storage implementation protected readonly nativeInternalStorage: BrowserCacheManager; // Network interface implementation protected readonly networkClient: INetworkModule; // Navigation interface implementation protected navigationClient: INavigationClient; // Input configuration by developer/user protected readonly config: BrowserConfiguration; // Logger protected logger: Logger; // Flag to indicate if in browser environment protected isBrowserEnvironment: boolean; protected readonly eventHandler: EventHandler; // Redirect Response Object protected readonly redirectResponse: Map< string, Promise<AuthenticationResult | null> >; // Native Extension Provider protected platformAuthProvider: IPlatformAuthHandler | undefined; // Hybrid auth code responses private hybridAuthCodeResponses: Map<string, Promise<AuthenticationResult>>; // Performance telemetry client protected readonly performanceClient: IPerformanceClient; // Flag representing whether or not the initialize API has been called and completed protected initialized: boolean; // Active requests private activeSilentTokenRequests: Map< string, Promise<AuthenticationResult> >; // Active Iframe request private activeIframeRequest: [Promise<boolean>, string] | undefined; private ssoSilentMeasurement?: InProgressPerformanceEvent; private acquireTokenByCodeAsyncMeasurement?: InProgressPerformanceEvent; private pkceCode: PkceCodes | undefined; /** * @constructor * Constructor for the PublicClientApplication used to instantiate the PublicClientApplication object * * Important attributes in the Configuration object for auth are: * - clientID: the application ID of your application. You can obtain one by registering your application with our Application registration portal : https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview * - authority: the authority URL for your application. * - redirect_uri: the uri of your application registered in the portal. * * In Azure AD, authority is a URL indicating the Azure active directory that MSAL uses to obtain tokens. * It is of the form https://login.microsoftonline.com/{Enter_the_Tenant_Info_Here} * If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com). * If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations. * If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common. * To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers. * * In Azure B2C, authority is of the form https://{instance}/tfp/{tenant}/{policyName}/ * Full B2C functionality will be available in this library in future versions. * * @param configuration Object for the MSAL PublicClientApplication instance */ constructor(operatingContext: StandardOperatingContext) { this.operatingContext = operatingContext; this.isBrowserEnvironment = this.operatingContext.isBrowserEnvironment(); // Set the configuration. this.config = operatingContext.getConfig(); this.initialized = false; // Initialize logger this.logger = this.operatingContext.getLogger(); // Initialize the network module class. this.networkClient = this.config.system.networkClient; // Initialize the navigation client class. this.navigationClient = this.config.system.navigationClient; // Initialize redirectResponse Map this.redirectResponse = new Map(); // Initial hybrid spa map this.hybridAuthCodeResponses = new Map(); // Initialize performance client this.performanceClient = this.config.telemetry.client; // Initialize the crypto class. this.browserCrypto = this.isBrowserEnvironment ? new CryptoOps(this.logger, this.performanceClient) : DEFAULT_CRYPTO_IMPLEMENTATION; this.eventHandler = new EventHandler(this.logger); // Initialize the browser storage class. this.browserStorage = this.isBrowserEnvironment ? new BrowserCacheManager( this.config.auth.clientId, this.config.cache, this.browserCrypto, this.logger, this.performanceClient, this.eventHandler, buildStaticAuthorityOptions(this.config.auth) ) : DEFAULT_BROWSER_CACHE_MANAGER( this.config.auth.clientId, this.logger, this.performanceClient, this.eventHandler ); // initialize in memory storage for native flows const nativeCacheOptions: Required<CacheOptions> = { cacheLocation: BrowserCacheLocation.MemoryStorage, cacheRetentionDays: 5, }; this.nativeInternalStorage = new BrowserCacheManager( this.config.auth.clientId, nativeCacheOptions, this.browserCrypto, this.logger, this.performanceClient, this.eventHandler ); this.activeSilentTokenRequests = new Map(); // Register listener functions this.trackStateChange = this.trackStateChange.bind(this); // Register listener functions this.trackStateChangeWithMeasurement = this.trackStateChangeWithMeasurement.bind(this); } static async createController( operatingContext: BaseOperatingContext, request?: InitializeApplicationRequest ): Promise<IController> { const controller = new StandardController(operatingContext); await controller.initialize(request); return controller; } private trackStateChange( correlationId: string | undefined, event: Event ): void { if (!correlationId) { return; } if (event.type === "visibilitychange") { this.logger.info("Perf: Visibility change detected", correlationId); this.performanceClient.incrementFields( { visibilityChangeCount: 1 }, correlationId ); } else if (event.type === "online") { this.logger.info( "Perf: Online status change detected", correlationId ); this.performanceClient.incrementFields( { onlineStatusChangeCount: 1 }, correlationId ); } else if (event.type === "offline") { this.logger.info( "Perf: Offline status change detected", correlationId ); this.performanceClient.incrementFields( { onlineStatusChangeCount: 1 }, correlationId ); } } /** * Initializer function to perform async startup tasks such as connecting to WAM extension * @param request {?InitializeApplicationRequest} correlation id */ async initialize(request?: InitializeApplicationRequest): Promise<void> { const correlationId = this.getRequestCorrelationId(request); this.logger.trace("initialize called", correlationId); if (this.initialized) { this.logger.info( "initialize has already been called, exiting early.", correlationId ); return; } if (!this.isBrowserEnvironment) { this.logger.info( "in non-browser environment, exiting early.", correlationId ); this.initialized = true; this.eventHandler.emitEvent( EventType.INITIALIZE_END, correlationId ); return; } const allowPlatformBroker = this.config.system.allowPlatformBroker; const initMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.InitializeClientApplication, correlationId ); this.eventHandler.emitEvent(EventType.INITIALIZE_START, correlationId); // Broker applications are initialized twice, so we avoid double-counting it this.logMultipleInstances(initMeasurement, correlationId); initMeasurement.add({ isMcp: this.config.auth.isMcp }); await invokeAsync( this.browserStorage.initialize.bind(this.browserStorage), BrowserPerformanceEvents.InitializeCache, this.logger, this.performanceClient, correlationId )(correlationId); if (allowPlatformBroker) { try { // check if platform authentication is available via DOM or browser extension and create relevant handlers this.platformAuthProvider = await getPlatformAuthProvider( this.logger, this.performanceClient, correlationId, this.config.system.nativeBrokerHandshakeTimeout ); } catch (e) { this.logger.verbose(e as string, correlationId); } } if ( this.config.cache.cacheLocation === BrowserCacheLocation.LocalStorage ) { this.eventHandler.subscribeCrossTab(); } !this.config.system.navigatePopups && (await this.preGeneratePkceCodes(correlationId)); this.initialized = true; this.eventHandler.emitEvent(EventType.INITIALIZE_END, correlationId); initMeasurement.end({ allowPlatformBroker: allowPlatformBroker, success: true, }); } // #region Redirect Flow /** * Event handler function which allows users to fire events after the PublicClientApplication object * has loaded during redirect flows. This should be invoked on all page loads involved in redirect * auth flows. * @param hash Hash to process. Defaults to the current value of window.location.hash. Only needs to be provided explicitly if the response to be handled is not contained in the current value. * @param options Object containing optional configuration for redirect promise handling. * @returns Token response or null. If the return value is null, then no auth redirect was detected. */ async handleRedirectPromise( options?: HandleRedirectPromiseOptions ): Promise<AuthenticationResult | null> { this.logger.verbose("handleRedirectPromise called", ""); // Block token acquisition before initialize has been called BrowserUtils.blockAPICallsBeforeInitialize(this.initialized); if (this.isBrowserEnvironment) { /** * Store the promise on the PublicClientApplication instance if this is the first invocation of handleRedirectPromise, * otherwise return the promise from the first invocation. Prevents race conditions when handleRedirectPromise is called * several times concurrently. */ const redirectResponseKey = options?.hash || ""; let response = this.redirectResponse.get(redirectResponseKey); if (typeof response === "undefined") { response = this.handleRedirectPromiseInternal(options); this.redirectResponse.set(redirectResponseKey, response); this.logger.verbose( "handleRedirectPromise has been called for the first time, storing the promise", "" ); } else { this.logger.verbose( "handleRedirectPromise has been called previously, returning the result from the first call", "" ); } return response; } this.logger.verbose( "handleRedirectPromise returns null, not browser environment", "" ); return null; } /** * The internal details of handleRedirectPromise. This is separated out to a helper to allow handleRedirectPromise to memoize requests * @param hash * @returns */ private async handleRedirectPromiseInternal( options?: HandleRedirectPromiseOptions ): Promise<AuthenticationResult | null> { if (!this.browserStorage.isInteractionInProgress(true)) { this.logger.info( "handleRedirectPromise called but there is no interaction in progress, returning null.", "" ); return null; } const interactionType = this.browserStorage.getInteractionInProgress()?.type; if (interactionType === INTERACTION_TYPE.SIGNOUT) { this.logger.verbose( "handleRedirectPromise removing interaction_in_progress flag and returning null after sign-out", "" ); this.browserStorage.setInteractionInProgress(false); return Promise.resolve(null); } const loggedInAccounts = this.getAllAccounts(); const platformBrokerRequest: PlatformAuthRequest | null = this.browserStorage.getCachedNativeRequest(); const useNative = platformBrokerRequest && !options?.hash; let rootMeasurement: InProgressPerformanceEvent; let redirectResponse: Promise<AuthenticationResult | null>; let cachedRedirectRequest: SsoSilentRequest | undefined; try { if (useNative && this.platformAuthProvider) { const correlationId = platformBrokerRequest?.correlationId || ""; this.eventHandler.emitEvent( EventType.HANDLE_REDIRECT_START, correlationId, InteractionType.Redirect ); rootMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.AcquireTokenRedirect, correlationId ); this.logger.trace( "handleRedirectPromise - acquiring token from native platform", correlationId ); rootMeasurement.add({ isPlatformBrokerRequest: true, }); const nativeClient = new PlatformAuthInteractionClient( this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.handleRedirectPromise, this.performanceClient, this.platformAuthProvider, platformBrokerRequest.accountId, this.nativeInternalStorage, platformBrokerRequest.correlationId ); redirectResponse = invokeAsync( nativeClient.handleRedirectPromise.bind(nativeClient), BrowserPerformanceEvents.HandleNativeRedirectPromiseMeasurement, this.logger, this.performanceClient, rootMeasurement.event.correlationId )(); } else { const [standardRequest, codeVerifier] = this.browserStorage.getCachedRequest(""); cachedRedirectRequest = standardRequest; const correlationId = standardRequest.correlationId; this.eventHandler.emitEvent( EventType.HANDLE_REDIRECT_START, correlationId, InteractionType.Redirect ); // Reset rootMeasurement now that we have correlationId rootMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.AcquireTokenRedirect, correlationId ); this.logger.trace( "handleRedirectPromise - acquiring token from web flow", correlationId ); const redirectClient = this.createRedirectClient(correlationId); redirectResponse = invokeAsync( redirectClient.handleRedirectPromise.bind(redirectClient), BrowserPerformanceEvents.HandleRedirectPromiseMeasurement, this.logger, this.performanceClient, rootMeasurement.event.correlationId )(standardRequest, codeVerifier, rootMeasurement, options); } } catch (e) { this.browserStorage.resetRequestCache(""); throw e; } return redirectResponse .then((result: AuthenticationResult | null) => { if (result) { this.browserStorage.resetRequestCache(result.correlationId); this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_SUCCESS, result.correlationId, InteractionType.Redirect, result ); this.logger.verbose( "handleRedirectResponse returned result, acquire token success", result.correlationId ); // Emit login event if number of accounts change const isLoggingIn = loggedInAccounts.length < this.getAllAccounts().length; if (isLoggingIn) { this.eventHandler.emitEvent( EventType.LOGIN_SUCCESS, result.correlationId, InteractionType.Redirect, result.account ); this.logger.verbose( "handleRedirectResponse returned result, login success", result.correlationId ); } rootMeasurement.end( { success: true, }, undefined, result.account ); // Fire-and-forget SSO capability verification in background this.verifySsoCapability( cachedRedirectRequest, InteractionType.Redirect ); } else { /* * Instrument an event only if an error code is set. Otherwise, discard it when the redirect response * is empty and the error code is missing. */ if (rootMeasurement.event.errorCode) { rootMeasurement.end({ success: false }, undefined); } else { rootMeasurement.discard(); } } this.eventHandler.emitEvent( EventType.HANDLE_REDIRECT_END, rootMeasurement.event.correlationId, InteractionType.Redirect ); return result; }) .catch((e) => { this.browserStorage.resetRequestCache( rootMeasurement.event.correlationId ); const eventError = e as EventError; this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_FAILURE, rootMeasurement.event.correlationId, InteractionType.Redirect, null, eventError ); this.eventHandler.emitEvent( EventType.HANDLE_REDIRECT_END, rootMeasurement.event.correlationId, InteractionType.Redirect ); rootMeasurement.end( { success: false, }, eventError ); throw e; }); } /** * Use when you want to obtain an access_token for your API by redirecting the user's browser window to the authorization endpoint. This function redirects * the page, so any code that follows this function will not execute. * * IMPORTANT: It is NOT recommended to have code that is dependent on the resolution of the Promise. This function will navigate away from the current * browser window. It currently returns a Promise in order to reflect the asynchronous nature of the code running in this function. * * @param request */ async acquireTokenRedirect(request: RedirectRequest): Promise<void> { // Preflight request const correlationId = this.getRequestCorrelationId(request); this.logger.verbose("acquireTokenRedirect called", correlationId); const atrMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.AcquireTokenPreRedirect, correlationId ); atrMeasurement.add({ scenarioId: request.scenarioId, }); const configOnRedirectNavigateCb = this.config.auth.onRedirectNavigate; this.config.auth.onRedirectNavigate = (url: string) => { const navigate = typeof configOnRedirectNavigateCb === "function" ? configOnRedirectNavigateCb(url) : undefined; atrMeasurement.add({ navigateCallbackResult: navigate !== false, }); atrMeasurement.event = atrMeasurement.end( { success: true }, undefined, request.account ) || atrMeasurement.event; return navigate; }; try { BrowserUtils.redirectPreflightCheck(this.initialized, this.config); enforceResourceParameter(this.config.auth.isMcp, request); this.browserStorage.setInteractionInProgress( true, INTERACTION_TYPE.SIGNIN ); this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_START, correlationId, InteractionType.Redirect, request ); let result: Promise<void>; if ( this.platformAuthProvider && this.canUsePlatformBroker(request) ) { const nativeClient = new PlatformAuthInteractionClient( this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.acquireTokenRedirect, this.performanceClient, this.platformAuthProvider, this.getNativeAccountId(request), this.nativeInternalStorage, correlationId ); result = invokeAsync( nativeClient.acquireTokenRedirect.bind(nativeClient), BrowserPerformanceEvents.NativeInteractionClientAcquireTokenRedirect, this.logger, this.performanceClient, correlationId )(request, atrMeasurement).catch((e: AuthError) => { atrMeasurement.add({ brokerErrorName: e.name, brokerErrorCode: e.errorCode, }); if ( e instanceof NativeAuthError && isFatalNativeAuthError(e) ) { this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls const redirectClient = this.createRedirectClient(correlationId); return redirectClient.acquireToken(request); } else if (e instanceof InteractionRequiredAuthError) { this.logger.verbose( "acquireTokenRedirect - Resolving interaction required error thrown by native broker by falling back to web flow", correlationId ); const redirectClient = this.createRedirectClient(correlationId); return redirectClient.acquireToken(request); } throw e; }); } else { const redirectClient = this.createRedirectClient(correlationId); result = redirectClient.acquireToken(request); } return await result; } catch (e) { this.browserStorage.resetRequestCache(correlationId); /* * Pre-redirect event completes before navigation occurs. * Timed out navigation needs to be instrumented separately as a post-redirect event. */ if (atrMeasurement.event.status === 2) { this.performanceClient .startMeasurement( BrowserRootPerformanceEvents.AcquireTokenRedirect, correlationId ) .end({ success: false }, e, request.account); } else { atrMeasurement.end({ success: false }, e, request.account); } this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_FAILURE, correlationId, InteractionType.Redirect, null, e as EventError ); throw e; } } // #endregion // #region Popup Flow /** * Use when you want to obtain an access_token for your API via opening a popup window in the user's browser * * @param request * * @returns A promise that is fulfilled when this function has completed, or rejected if an error was raised. */ acquireTokenPopup(request: PopupRequest): Promise<AuthenticationResult> { const correlationId = this.getRequestCorrelationId(request); const atPopupMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.AcquireTokenPopup, correlationId ); atPopupMeasurement.add({ scenarioId: request.scenarioId, }); try { this.logger.verbose("acquireTokenPopup called", correlationId); preflightCheck( this.initialized, atPopupMeasurement, this.config, request ); this.browserStorage.setInteractionInProgress( true, INTERACTION_TYPE.SIGNIN, request.overrideInteractionInProgress, correlationId ); } catch (e) { // Since this function is syncronous we need to reject return Promise.reject(e); } // If logged in, emit acquire token events const loggedInAccounts = this.getAllAccounts(); this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_START, correlationId, InteractionType.Popup, request ); let result: Promise<AuthenticationResult>; const pkce = this.getPreGeneratedPkceCodes(correlationId); if (this.canUsePlatformBroker(request)) { atPopupMeasurement.add({ isPlatformBrokerRequest: true, }); result = this.acquireTokenNative( { ...request, correlationId, }, ApiId.acquireTokenPopup ) .then((response) => { atPopupMeasurement.end( { success: true, isNativeBroker: true, }, undefined, response.account ); return response; }) .catch((e: AuthError) => { atPopupMeasurement.add({ brokerErrorName: e.name, brokerErrorCode: e.errorCode, }); if ( e instanceof NativeAuthError && isFatalNativeAuthError(e) ) { this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls const popupClient = this.createPopupClient(correlationId); return popupClient.acquireToken(request, pkce); } else if (e instanceof InteractionRequiredAuthError) { this.logger.verbose( "acquireTokenPopup - Resolving interaction required error thrown by native broker by falling back to web flow", correlationId ); const popupClient = this.createPopupClient(correlationId); return popupClient.acquireToken(request, pkce); } throw e; }); } else { const popupClient = this.createPopupClient(correlationId); result = popupClient.acquireToken(request, pkce); } return result .then((result) => { /* * If logged in, emit acquire token events */ const isLoggingIn = loggedInAccounts.length < this.getAllAccounts().length; this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_SUCCESS, correlationId, InteractionType.Popup, result ); if (isLoggingIn) { this.eventHandler.emitEvent( EventType.LOGIN_SUCCESS, correlationId, InteractionType.Popup, result.account ); } atPopupMeasurement.end( { success: true, accessTokenSize: result.accessToken.length, idTokenSize: result.idToken.length, }, undefined, result.account ); // SSO capability verification in background this.verifySsoCapability(request, InteractionType.Popup); return result; }) .catch((e: Error) => { this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_FAILURE, correlationId, InteractionType.Popup, null, e ); atPopupMeasurement.end( { success: false, }, e, request.account ); // Since this function is syncronous we need to reject return Promise.reject(e); }) .finally(async () => { this.browserStorage.setInteractionInProgress(false); if (!this.config.system.navigatePopups) { await this.preGeneratePkceCodes(correlationId); } }); } private trackStateChangeWithMeasurement(event: Event): void { const measurement = this.ssoSilentMeasurement || this.acquireTokenByCodeAsyncMeasurement; if (!measurement) { return; } if (event.type === "visibilitychange") { this.logger.info( `Perf: Visibility change detected in '${measurement.event.name}'`, measurement.event.correlationId ); measurement.increment({ visibilityChangeCount: 1, }); } else if (event.type === "online") { this.logger.info( `Perf: Online status change detected in '${measurement.event.name}'`, measurement.event.correlationId ); measurement.increment({ onlineStatusChangeCount: 1, }); } else if (event.type === "offline") { this.logger.info( `Perf: Offline status change detected in '${measurement.event.name}'`, measurement.event.correlationId ); measurement.increment({ onlineStatusChangeCount: 1, }); } } private addStateChangeListeners(listener: (event: Event) => void): void { document.addEventListener("visibilitychange", listener); window.addEventListener("online", listener); window.addEventListener("offline", listener); } private removeStateChangeListeners(listener: (event: Event) => void): void { document.removeEventListener("visibilitychange", listener); window.removeEventListener("online", listener); window.removeEventListener("offline", listener); } /** * Reads the cached ssoCapable value from localStorage. * @returns The cached ssoCapable boolean value, or undefined if not cached or expired. */ private getCachedSsoCapable(): boolean | undefined { try { const cachedValue = window.localStorage.getItem( CacheKeys.SSO_CAPABLE ); if (cachedValue) { const parsed = JSON.parse(cachedValue); if ( parsed && typeof parsed.ssoCapable === "boolean" && parsed.expiresOn && Date.now() < parsed.expiresOn ) { return parsed.ssoCapable; } } } catch { // If parsing fails, return undefined } return undefined; } /** * SSO capability verification in the background. * This method makes an iframe request to /authorize to verify SSO capability without calling /token. * This method does not block the caller and tracks telemetry for success/failure. * This method only executes if verifySSO is set to true in the auth configuration. * The result is cached in localStorage with a 24-hour TTL; the SSO verification call * is only attempted when the cached value is absent or expired. * @param request - The original request used for the authentication flow * @param interactionType - The interactionType of the AT operation for logging purposes */ private verifySsoCapability( request: SsoSilentRequest | undefined, interactionType: InteractionType ): void { // Check if SSO capability verification is enabled if (!this.config.auth.verifySSO) { return; } // Check TTL: derive ssoCapable state from localStorage and skip if not expired const ssoCacheKey = CacheKeys.SSO_CAPABLE; const SSO_CAPABLE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours const cachedSsoCapable = this.getCachedSsoCapable(); if (cachedSsoCapable !== undefined) { this.logger.verbose( `SSO capability verification skipped - cached value has not expired (interactionType: '${interactionType}')`, "" ); return; } const correlationId = createNewGuid(); const ssoCapableMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.SsoCapable, correlationId ); ssoCapableMeasurement.add({ "ext.interactionType": interactionType, }); this.logger.verbose( `SSO capability verification initiated after '${interactionType}'`, correlationId ); /* * Use setTimeout to ensure this runs in a separate macrotask after the current call stack completes * This ensures the result is returned to the caller before the SSO verification starts and doesn't affect performance */ setTimeout(() => { const ssoVerificationRequest: SsoSilentRequest = { ...request, correlationId: correlationId, }; const silentIframeClient = this.createSilentIframeClient(correlationId); silentIframeClient .verifySso(ssoVerificationRequest) .then((result: boolean) => { this.logger.verbose( `SSO capability verification completed after '${interactionType}', result: '${result}'`, correlationId ); // TBD to add profileTelemetry later in localStorage with 24h TTL try { const cacheEntry = JSON.stringify({ ssoCapable: result, expiresOn: Date.now() + SSO_CAPABLE_TTL_MS, }); window.localStorage.setItem(ssoCacheKey, cacheEntry); } catch { this.logger.warning( `Failed to cache SSO capability verification result (interactionType: '${interactionType}')`, correlationId ); } ssoCapableMeasurement.end( { fromCache: false, success: result, }, undefined ); }) .catch((error: Error) => { this.logger.warning( `SSO capability verification failed after '${interactionType}': '${error.message}'`, correlationId ); // reset the cache try { window.localStorage.removeItem(ssoCacheKey); } catch { this.logger.warning( `Failed to reset cached SSO capability verification result (interactionType: '${interactionType}')`, correlationId ); } ssoCapableMeasurement.end( { fromCache: false, success: false, }, error ); }); }, 0); } // #endregion // #region Silent Flow /** * This function uses a hidden iframe to fetch an authorization code from the eSTS. There are cases where this may not work: * - Any browser using a form of Intelligent Tracking Prevention * - If there is not an established session with the service * * In these cases, the request must be done inside a popup or full frame redirect. * * For the cases where interaction is required, you cannot send a request with prompt=none. * * If your refresh token has expired, you can use this function to fetch a new set of tokens silently as long as * you session on the server still exists. * @param request {@link SsoSilentRequest} * * @returns A promise that is fulfilled when this function has completed, or rejected if an error was raised. */ async ssoSilent(request: SsoSilentRequest): Promise<AuthenticationResult> { const correlationId = this.getRequestCorrelationId(request); const validRequest = { ...request, correlationId: correlationId, }; this.ssoSilentMeasurement = this.performanceClient.startMeasurement( BrowserRootPerformanceEvents.SsoSilent, correlationId ); this.ssoSilentMeasurement?.add({ scenarioId: request.scenarioId, ssoCapable: this.getCachedSsoCapable(), }); preflightCheck( this.initialized, this.ssoSilentMeasurement, this.config, validRequest ); this.ssoSilentMeasurement?.increment({ visibilityChangeCount: 0, onlineStatusChangeCount: 0, }); this.addStateChangeListeners(this.trackStateChangeWithMeasurement); const loggedInAccounts = this.getAllAccounts(); this.logger.verbose("ssoSilent called", correlationId); this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_START, correlationId, InteractionType.Silent, validRequest ); let result: Promise<AuthenticationResult>; if (this.canUsePlatformBroker(validRequest)) { this.ssoSilentMeasurement?.add({ isPlatformBrokerRequest: true, }); result = this.acquireTokenNative( validRequest, ApiId.ssoSilent ).catch((e: AuthError) => { this.ssoSilentMeasurement?.add({ brokerErrorName: e.name, brokerErrorCode: e.errorCode, }); // If native token acquisition fails for availability reasons fallback to standard flow if (e instanceof NativeAuthError && isFatalNativeAuthError(e)) { this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls const silentIframeClient = this.createSilentIframeClient( validRequest.correlationId ); return silentIframeClient.acquireToken(validRequest); } throw e; }); } else { const silentIframeClient = this.createSilentIframeClient( validRequest.correlationId ); result = silentIframeClient.acquireToken(validRequest); } return result .then((response) => { const isLoggingIn = loggedInAccounts.length < this.getAllAccounts().length; this.eventHandler.emitEvent( EventType.ACQUIRE_TOKEN_SUCCESS, correlationId, InteractionType.Silent, response ); if (isLoggingIn) { this.eventHandler.emitEvent( EventType.LOGIN_SUCCESS, correlationId, InteractionType.Silent, response.account ); } this.ssoSilentMeasurement?.end( { success: true, isNativeBroker: response.fromPlatformBroker, accessTokenSize: response.accessToken.length, idTokenSize: response.idToken.length, },