@azure/msal-common

/*
 * Copyright (c) Microsoft Corporation. All rights reserved.
 * Licensed under the MIT License.
 */
import { AuthenticationScheme, HttpMethod } from "../utils/Constants.js";
import type { AzureCloudOptions } from "../config/ClientConfiguration.js";
import { StringDict } from "../utils/MsalTypes.js";
import { StoreInCache } from "./StoreInCache.js";
import { ShrOptions } from "../crypto/SignedHttpRequest.js";
import { createClientAuthError } from "../error/ClientAuthError.js";
import * as ClientAuthErrorCodes from "../error/ClientAuthErrorCodes.js";

/**
 * BaseAuthRequest
 *
 * Common request shape shared by the token-acquisition flows. Only `authority`,
 * `correlationId` and `scopes` are mandatory; everything else is opt-in.
 *
 * NOTE(review): nothing in this file validates the string values below
 * (claims, extra parameters, resource, ...). They are forwarded to the token
 * service, so they must come from trusted application code, not from
 * end-user input — confirm at the call sites.
 */
export type BaseAuthRequest = {
    /**
     * URL of the authority, i.e. the security token service (STS) MSAL acquires
     * tokens from. Defaults to https://login.microsoftonline.com/common.
     * When every request uses the same authority, set it on the client
     * application object instead of per request so the authority endpoints are
     * resolved only once.
     */
    authority: string;
    /**
     * Unique GUID generated per request, used to trace the request end-to-end
     * in telemetry.
     */
    correlationId: string;
    /**
     * Scopes the application is asking access for.
     */
    scopes: Array<string>;
    /**
     * Kind of token to retrieve. Defaults to "Bearer"; "pop" and "SSH" are the
     * other supported schemes.
     */
    authenticationScheme?: AuthenticationScheme;
    /**
     * Stringified claims request appended to every /authorize and /token call.
     */
    claims?: string;
    /**
     * Stringified claims object embedded in a Signed HTTP Request.
     */
    shrClaims?: string;
    /**
     * Server-generated timestamp, encrypted and base64URL encoded, embedded in a
     * Signed HTTP Request.
     */
    shrNonce?: string;
    /**
     * Options controlling how the Signed HTTP Request is built.
     */
    shrOptions?: ShrOptions;
    /**
     * HTTP method the resource request will use ("GET", "POST", ...). Only
     * relevant to proof-of-possession flows.
     */
    resourceRequestMethod?: string;
    /**
     * URI the token will be presented to. Only relevant to proof-of-possession
     * flows.
     */
    resourceRequestUri?: string;
    /**
     * Stringified JSON Web Key holding the public key an SSH certificate can be
     * issued for.
     */
    sshJwk?: string;
    /**
     * Key ID that uniquely identifies the SSH public key in `sshJwk`.
     */
    sshKid?: string;
    /**
     * Convenience enum values for selecting a public or sovereign cloud.
     */
    azureCloudOptions?: AzureCloudOptions;
    /**
     * Maximum age, in milliseconds, of the user's authentication before a fresh
     * sign-in is required.
     */
    maxAge?: number;
    /**
     * Boolean flags selecting which tokens are written to the cache
     * (everything is cached by default).
     */
    storeInCache?: StoreInCache;
    /**
     * Scenario id used to track custom user prompts.
     */
    scenarioId?: string;
    /**
     * Key ID identifying the public key for a PoP token request.
     */
    popKid?: string;
    /**
     * Embedded client id. When present, the broker client id (brk_client_id)
     * and broker redirect uri (brk_redirect_uri) are taken from configuration
     * and override any matching extra parameters.
     */
    embeddedClientId?: string;
    /**
     * HTTP method for the /authorize request. GET by default; POST when the
     * request needs body parameters.
     */
    httpMethod?: HttpMethod;
    /**
     * Resource parameter sent with the request. Used by MCP flows; see
     * {@link enforceResourceParameter}.
     */
    resource?: string;
    /**
     * When true and the flow is brokered — a broker client id (brk_client_id),
     * usually derived from `embeddedClientId` or other broker parameters, is in
     * the request — the configured clientCapabilities are left out of claims.
     * No effect without brk_client_id (non-brokered flows).
     */
    skipBrokerClaims?: boolean;
    /**
     * Custom query-string parameters added to outgoing token service requests.
     * Prefer `extraParameters` unless the parameter is only accepted on the
     * query string.
     */
    extraQueryParameters?: StringDict;
    /**
     * Custom parameters added to outgoing token service requests.
     */
    extraParameters?: StringDict;
};

/**
 * Enforces the MCP rule that a token request names exactly one resource, in
 * the dedicated `resource` field.
 *
 * Behaviour, in order:
 *  - `isMcp` false: no-op, nothing is checked.
 *  - `request.resource` missing/empty: throws `resourceParameterRequired`
 *    (even if a "resource" key is present in the extra parameter maps).
 *  - `request.resource` set AND a "resource" key also present in
 *    `extraParameters` or `extraQueryParameters`: throws
 *    `misplacedResourceParam`. Rejecting the duplicate presumably keeps a
 *    caller-supplied extra parameter from shadowing the declared resource in
 *    the outgoing request — confirm against the request builder.
 *
 * NOTE(review): presence is a truthiness check, so a whitespace-only string
 * passes here and is left for the token service to reject.
 *
 * @param isMcp - Whether the application is configured as an MCP app.
 * @param request - The auth request to validate.
 * @throws ClientAuthError with code `resourceParameterRequired` or
 *         `misplacedResourceParam`, as described above.
 */
export function enforceResourceParameter(
    isMcp: boolean,
    request: Partial<BaseAuthRequest>
): void {
    if (!isMcp) {
        return;
    }

    const { resource, extraParameters, extraQueryParameters } = request;

    // No resource at all: report the missing field first, regardless of what
    // the extra parameter maps contain.
    if (!resource) {
        throw createClientAuthError(
            ClientAuthErrorCodes.resourceParameterRequired
        );
    }

    // Resource declared twice: once in the field, once as a loose parameter.
    if (
        hasOwnResourceKey(extraParameters) ||
        hasOwnResourceKey(extraQueryParameters)
    ) {
        throw createClientAuthError(
            ClientAuthErrorCodes.misplacedResourceParam
        );
    }
}

/**
 * True when `params` is a non-null object carrying an own "resource" key.
 * Inherited keys are ignored on purpose (own-property check), so a
 * prototype-level "resource" would not count.
 *
 * @param params - Optional parameter map to inspect.
 */
function hasOwnResourceKey(params?: StringDict): boolean {
    return (
        Boolean(params) &&
        Object.prototype.hasOwnProperty.call(params, "resource")
    );
}