UNPKG

@azure/msal-common

Version:

Microsoft Authentication Library for js

github.com/AzureAD/microsoft-authentication-library-for-js

AzureAD/microsoft-authentication-library-for-js

94 lines (86 loc) 2.91 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
/* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ import { TokenClaims } from "./TokenClaims.js"; import { createClientAuthError, ClientAuthErrorCodes, } from "../error/ClientAuthError.js"; /** * Extract token by decoding the rawToken * * @param encodedToken */ export function extractTokenClaims( encodedToken: string, base64Decode: (input: string) => string ): TokenClaims { const jswPayload = getJWSPayload(encodedToken); // token will be decoded to get the username try { // base64Decode() should throw an error if there is an issue const base64Decoded = base64Decode(jswPayload); return JSON.parse(base64Decoded) as TokenClaims; } catch (err) { throw createClientAuthError(ClientAuthErrorCodes.tokenParsingError); } } /** * Check if the signin_state claim contains "kmsi" * @param idTokenClaims * @returns */ export function isKmsi(idTokenClaims: TokenClaims): boolean { if (!idTokenClaims.signin_state) { return false; } /** * Signin_state claim known values: * dvc_mngd - device is managed * dvc_dmjd - device is domain joined * kmsi - user opted to "keep me signed in" * inknownntwk - Request made inside a known network. Don't use this, use CAE instead. */ const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well return idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()) ); } /** * decode a JWT * * @param authToken */ export function getJWSPayload(authToken: string): string { if (!authToken) { throw createClientAuthError(ClientAuthErrorCodes.nullOrEmptyToken); } const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/; const matches = tokenPartsRegex.exec(authToken); if (!matches || matches.length < 4) { throw createClientAuthError(ClientAuthErrorCodes.tokenParsingError); } /** * const crackedToken = { * header: matches[1], * JWSPayload: matches[2], * JWSSig: matches[3], * }; */ return matches[2]; } /** * Determine if the token's max_age has transpired */ export function checkMaxAge(authTime: number, maxAge: number): void { /* * per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest * To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access, * provide a value of 0 for the max_age parameter and the AS will force a fresh login. */ const fiveMinuteSkew = 300000; // five minutes in milliseconds if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) { throw createClientAuthError(ClientAuthErrorCodes.maxAgeTranspired); } }