@azure/msal-node
Version:
Microsoft Authentication Library for Node
1 lines • 668 kB
Source Map (JSON)
{"version":3,"file":"msal-node.cjs","sources":["../../src/cache/serializer/Serializer.ts","../../msal-common/dist/utils/Constants.mjs","../../msal-common/dist/constants/AADServerParamKeys.mjs","../../msal-common/dist/error/AuthError.mjs","../../msal-common/dist/error/ClientConfigurationError.mjs","../../msal-common/dist/utils/StringUtils.mjs","../../msal-common/dist/error/ClientAuthError.mjs","../../msal-common/dist/error/ClientConfigurationErrorCodes.mjs","../../msal-common/dist/error/ClientAuthErrorCodes.mjs","../../msal-common/dist/request/ScopeSet.mjs","../../msal-common/dist/request/RequestParameterBuilder.mjs","../../msal-common/dist/utils/UrlUtils.mjs","../../msal-common/dist/crypto/ICrypto.mjs","../../msal-common/dist/logger/Logger.mjs","../../msal-common/dist/packageMetadata.mjs","../../msal-common/dist/authority/AuthorityOptions.mjs","../../msal-common/dist/account/AccountInfo.mjs","../../msal-common/dist/account/AuthToken.mjs","../../msal-common/dist/url/UrlString.mjs","../../msal-common/dist/authority/AuthorityMetadata.mjs","../../msal-common/dist/error/CacheErrorCodes.mjs","../../msal-common/dist/error/CacheError.mjs","../../msal-common/dist/account/ClientInfo.mjs","../../msal-common/dist/authority/AuthorityType.mjs","../../msal-common/dist/account/TokenClaims.mjs","../../msal-common/dist/authority/ProtocolMode.mjs","../../msal-common/dist/cache/utils/AccountEntityUtils.mjs","../../msal-common/dist/cache/CacheManager.mjs","../../msal-common/dist/telemetry/performance/PerformanceEvent.mjs","../../msal-common/dist/telemetry/performance/StubPerformanceClient.mjs","../../msal-common/dist/config/ClientConfiguration.mjs","../../msal-common/dist/error/ServerError.mjs","../../msal-common/dist/error/InteractionRequiredAuthErrorCodes.mjs","../../msal-common/dist/error/InteractionRequiredAuthError.mjs","../../msal-common/dist/utils/ProtocolUtils.mjs","../../msal-common/dist/utils/TimeUtils.mjs","../../msal-common/dist/telemetry/performance/PerformanceEvents.mjs","../../msal-common/dist/utils/FunctionWrappers.mjs","../../msal-common/dist/crypto/PopTokenGenerator.mjs","../../msal-common/dist/cache/persistence/TokenCacheContext.mjs","../../msal-common/dist/cache/utils/CacheHelpers.mjs","../../msal-common/dist/response/ResponseHandler.mjs","../../msal-common/dist/account/CcsCredential.mjs","../../msal-common/dist/utils/ClientAssertionUtils.mjs","../../msal-common/dist/network/RequestThumbprint.mjs","../../msal-common/dist/network/ThrottlingUtils.mjs","../../msal-common/dist/error/NetworkError.mjs","../../msal-common/dist/protocol/Token.mjs","../../msal-common/dist/authority/OpenIdConfigResponse.mjs","../../msal-common/dist/authority/CloudInstanceDiscoveryResponse.mjs","../../msal-common/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs","../../msal-common/dist/authority/RegionDiscovery.mjs","../../msal-common/dist/authority/Authority.mjs","../../msal-common/dist/authority/AuthorityFactory.mjs","../../msal-common/dist/client/AuthorizationCodeClient.mjs","../../msal-common/dist/client/RefreshTokenClient.mjs","../../msal-common/dist/client/SilentFlowClient.mjs","../../msal-common/dist/protocol/Authorize.mjs","../../msal-common/dist/error/AuthErrorCodes.mjs","../../msal-common/dist/telemetry/server/ServerTelemetryManager.mjs","../../src/cache/serializer/Deserializer.ts","../../src/internals.ts","../../src/utils/Constants.ts","../../src/network/HttpClient.ts","../../src/error/ManagedIdentityErrorCodes.ts","../../src/error/ManagedIdentityError.ts","../../src/config/ManagedIdentityId.ts","../../src/error/NodeAuthError.ts","../../src/config/Configuration.ts","../../src/crypto/GuidGenerator.ts","../../src/utils/EncodingUtils.ts","../../src/crypto/HashUtils.ts","../../src/crypto/PkceGenerator.ts","../../src/crypto/CryptoProvider.ts","../../src/cache/CacheHelpers.ts","../../src/cache/NodeStorage.ts","../../src/cache/TokenCache.ts","../../src/error/ClientAuthErrorCodes.ts","../../src/client/ClientAssertion.ts","../../src/packageMetadata.ts","../../src/client/BaseClient.ts","../../src/client/UsernamePasswordClient.ts","../../src/protocol/Authorize.ts","../../src/client/ClientApplication.ts","../../src/network/LoopbackClient.ts","../../src/client/DeviceCodeClient.ts","../../src/client/PublicClientApplication.ts","../../src/client/ClientCredentialClient.ts","../../src/client/OnBehalfOfClient.ts","../../src/client/ConfidentialClientApplication.ts","../../src/utils/TimeUtils.ts","../../src/network/HttpClientWithRetries.ts","../../src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts","../../src/retry/LinearRetryStrategy.ts","../../src/retry/DefaultManagedIdentityRetryPolicy.ts","../../src/config/ManagedIdentityRequestParameters.ts","../../src/client/ManagedIdentitySources/AppService.ts","../../src/client/ManagedIdentitySources/AzureArc.ts","../../src/client/ManagedIdentitySources/CloudShell.ts","../../src/retry/ExponentialRetryStrategy.ts","../../src/retry/ImdsRetryPolicy.ts","../../src/client/ManagedIdentitySources/Imds.ts","../../src/client/ManagedIdentitySources/ServiceFabric.ts","../../src/client/ManagedIdentitySources/MachineLearning.ts","../../src/client/ManagedIdentityClient.ts","../../src/client/ManagedIdentityApplication.ts","../../src/cache/distributed/DistributedCachePlugin.ts","../../src/index.ts"],"sourcesContent":[null,"/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst SKU = \"msal.js.common\";\r\n// default authority\r\nconst DEFAULT_AUTHORITY = \"https://login.microsoftonline.com/common/\";\r\nconst DEFAULT_AUTHORITY_HOST = \"login.microsoftonline.com\";\r\nconst DEFAULT_COMMON_TENANT = \"common\";\r\n// ADFS String\r\nconst ADFS = \"adfs\";\r\nconst DSTS = \"dstsv2\";\r\n// Default AAD Instance Discovery Endpoint\r\nconst AAD_INSTANCE_DISCOVERY_ENDPT = `${DEFAULT_AUTHORITY}discovery/instance?api-version=1.1&authorization_endpoint=`;\r\n// CIAM URL\r\nconst CIAM_AUTH_URL = \".ciamlogin.com\";\r\nconst AAD_TENANT_DOMAIN_SUFFIX = \".onmicrosoft.com\";\r\n// Resource delimiter - used for certain cache entries\r\nconst RESOURCE_DELIM = \"|\";\r\n// Consumer UTID\r\nconst CONSUMER_UTID = \"9188040d-6c67-4c5b-b112-36a304b66dad\";\r\n// Default scopes\r\nconst OPENID_SCOPE = \"openid\";\r\nconst PROFILE_SCOPE = \"profile\";\r\nconst OFFLINE_ACCESS_SCOPE = \"offline_access\";\r\nconst EMAIL_SCOPE = \"email\";\r\nconst CODE_GRANT_TYPE = \"authorization_code\";\r\nconst S256_CODE_CHALLENGE_METHOD = \"S256\";\r\nconst URL_FORM_CONTENT_TYPE = \"application/x-www-form-urlencoded;charset=utf-8\";\r\nconst AUTHORIZATION_PENDING = \"authorization_pending\";\r\nconst NOT_APPLICABLE = \"N/A\";\r\nconst NOT_AVAILABLE = \"Not Available\";\r\nconst FORWARD_SLASH = \"/\";\r\nconst IMDS_ENDPOINT = \"http://169.254.169.254/metadata/instance/compute/location\";\r\nconst IMDS_VERSION = \"2020-06-01\";\r\nconst IMDS_TIMEOUT = 2000;\r\nconst AZURE_REGION_AUTO_DISCOVER_FLAG = \"TryAutoDetect\";\r\nconst REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = \"login.microsoft.com\";\r\nconst KNOWN_PUBLIC_CLOUDS = [\r\n \"login.microsoftonline.com\",\r\n \"login.windows.net\",\r\n \"login.microsoft.com\",\r\n \"sts.windows.net\",\r\n];\r\nconst SHR_NONCE_VALIDITY = 240;\r\nconst INVALID_INSTANCE = \"invalid_instance\";\r\nconst HTTP_SUCCESS = 200;\r\nconst HTTP_SUCCESS_RANGE_START = 200;\r\nconst HTTP_SUCCESS_RANGE_END = 299;\r\nconst HTTP_REDIRECT = 302;\r\nconst HTTP_CLIENT_ERROR = 400;\r\nconst HTTP_CLIENT_ERROR_RANGE_START = 400;\r\nconst HTTP_BAD_REQUEST = 400;\r\nconst HTTP_UNAUTHORIZED = 401;\r\nconst HTTP_NOT_FOUND = 404;\r\nconst HTTP_REQUEST_TIMEOUT = 408;\r\nconst HTTP_GONE = 410;\r\nconst HTTP_TOO_MANY_REQUESTS = 429;\r\nconst HTTP_CLIENT_ERROR_RANGE_END = 499;\r\nconst HTTP_SERVER_ERROR = 500;\r\nconst HTTP_SERVER_ERROR_RANGE_START = 500;\r\nconst HTTP_SERVICE_UNAVAILABLE = 503;\r\nconst HTTP_GATEWAY_TIMEOUT = 504;\r\nconst HTTP_SERVER_ERROR_RANGE_END = 599;\r\nconst HTTP_MULTI_SIDED_ERROR = 600;\r\nconst HttpMethod = {\r\n GET: \"GET\",\r\n POST: \"POST\",\r\n};\r\nconst OIDC_DEFAULT_SCOPES = [\r\n OPENID_SCOPE,\r\n PROFILE_SCOPE,\r\n OFFLINE_ACCESS_SCOPE,\r\n];\r\nconst OIDC_SCOPES = [...OIDC_DEFAULT_SCOPES, EMAIL_SCOPE];\r\n/**\r\n * Request header names\r\n */\r\nconst HeaderNames = {\r\n CONTENT_TYPE: \"Content-Type\",\r\n CONTENT_LENGTH: \"Content-Length\",\r\n RETRY_AFTER: \"Retry-After\",\r\n CCS_HEADER: \"X-AnchorMailbox\",\r\n WWWAuthenticate: \"WWW-Authenticate\",\r\n AuthenticationInfo: \"Authentication-Info\",\r\n X_MS_REQUEST_ID: \"x-ms-request-id\",\r\n X_MS_HTTP_VERSION: \"x-ms-httpver\",\r\n};\r\n/**\r\n * Persistent cache keys MSAL which stay while user is logged in.\r\n */\r\nconst PersistentCacheKeys = {\r\n ACTIVE_ACCOUNT_FILTERS: \"active-account-filters\", // new cache entry for active_account for a more robust version for browser\r\n};\r\n/**\r\n * String constants related to AAD Authority\r\n */\r\nconst AADAuthority = {\r\n COMMON: \"common\",\r\n ORGANIZATIONS: \"organizations\",\r\n CONSUMERS: \"consumers\",\r\n};\r\n/**\r\n * Claims request keys\r\n */\r\nconst ClaimsRequestKeys = {\r\n ACCESS_TOKEN: \"access_token\",\r\n XMS_CC: \"xms_cc\",\r\n};\r\n/**\r\n * we considered making this \"enum\" in the request instead of string, however it looks like the allowed list of\r\n * prompt values kept changing over past couple of years. There are some undocumented prompt values for some\r\n * internal partners too, hence the choice of generic \"string\" type instead of the \"enum\"\r\n */\r\nconst PromptValue = {\r\n LOGIN: \"login\",\r\n SELECT_ACCOUNT: \"select_account\",\r\n CONSENT: \"consent\",\r\n NONE: \"none\",\r\n CREATE: \"create\",\r\n NO_SESSION: \"no_session\",\r\n};\r\n/**\r\n * allowed values for codeVerifier\r\n */\r\nconst CodeChallengeMethodValues = {\r\n PLAIN: \"plain\",\r\n S256: \"S256\",\r\n};\r\n/**\r\n * Allowed values for response_type\r\n */\r\nconst OAuthResponseType = {\r\n CODE: \"code\",\r\n IDTOKEN_TOKEN: \"id_token token\",\r\n IDTOKEN_TOKEN_REFRESHTOKEN: \"id_token token refresh_token\",\r\n};\r\n/**\r\n * allowed values for response_mode\r\n */\r\nconst ResponseMode = {\r\n QUERY: \"query\",\r\n FRAGMENT: \"fragment\",\r\n FORM_POST: \"form_post\",\r\n};\r\n/**\r\n * allowed grant_type\r\n */\r\nconst GrantType = {\r\n IMPLICIT_GRANT: \"implicit\",\r\n AUTHORIZATION_CODE_GRANT: \"authorization_code\",\r\n CLIENT_CREDENTIALS_GRANT: \"client_credentials\",\r\n RESOURCE_OWNER_PASSWORD_GRANT: \"password\",\r\n REFRESH_TOKEN_GRANT: \"refresh_token\",\r\n DEVICE_CODE_GRANT: \"device_code\",\r\n JWT_BEARER: \"urn:ietf:params:oauth:grant-type:jwt-bearer\",\r\n};\r\n/**\r\n * Account types in Cache\r\n */\r\nconst CACHE_ACCOUNT_TYPE_MSSTS = \"MSSTS\";\r\nconst CACHE_ACCOUNT_TYPE_ADFS = \"ADFS\";\r\nconst CACHE_ACCOUNT_TYPE_MSAV1 = \"MSA\";\r\nconst CACHE_ACCOUNT_TYPE_GENERIC = \"Generic\";\r\n/**\r\n * Separators used in cache\r\n */\r\nconst CACHE_KEY_SEPARATOR = \"-\";\r\nconst CLIENT_INFO_SEPARATOR = \".\";\r\n/**\r\n * Credential Type stored in the cache\r\n */\r\nconst CredentialType = {\r\n ID_TOKEN: \"IdToken\",\r\n ACCESS_TOKEN: \"AccessToken\",\r\n ACCESS_TOKEN_WITH_AUTH_SCHEME: \"AccessToken_With_AuthScheme\",\r\n REFRESH_TOKEN: \"RefreshToken\",\r\n};\r\n/**\r\n * Combine all cache types\r\n */\r\nconst CacheType = {\r\n ADFS: 1001,\r\n MSA: 1002,\r\n MSSTS: 1003,\r\n GENERIC: 1004,\r\n ACCESS_TOKEN: 2001,\r\n REFRESH_TOKEN: 2002,\r\n ID_TOKEN: 2003,\r\n APP_METADATA: 3001,\r\n UNDEFINED: 9999,\r\n};\r\n/**\r\n * More Cache related constants\r\n */\r\nconst APP_METADATA = \"appmetadata\";\r\nconst CLIENT_INFO = \"client_info\";\r\nconst THE_FAMILY_ID = \"1\";\r\nconst AUTHORITY_METADATA_CACHE_KEY = \"authority-metadata\";\r\nconst AUTHORITY_METADATA_REFRESH_TIME_SECONDS = 3600 * 24; // 24 Hours\r\nconst AuthorityMetadataSource = {\r\n CONFIG: \"config\",\r\n CACHE: \"cache\",\r\n NETWORK: \"network\",\r\n HARDCODED_VALUES: \"hardcoded_values\",\r\n};\r\nconst SERVER_TELEM_SCHEMA_VERSION = 5;\r\nconst SERVER_TELEM_MAX_CUR_HEADER_BYTES = 80; // ESTS limit is 100B, set to 80 to provide a 20B buffer\r\nconst SERVER_TELEM_MAX_LAST_HEADER_BYTES = 330; // ESTS limit is 350B, set to 330 to provide a 20B buffer,\r\nconst SERVER_TELEM_MAX_CACHED_ERRORS = 50; // Limit the number of errors that can be stored to prevent uncontrolled size gains\r\nconst SERVER_TELEM_CACHE_KEY = \"server-telemetry\";\r\nconst SERVER_TELEM_CATEGORY_SEPARATOR = \"|\";\r\nconst SERVER_TELEM_VALUE_SEPARATOR = \",\";\r\nconst SERVER_TELEM_OVERFLOW_TRUE = \"1\";\r\nconst SERVER_TELEM_OVERFLOW_FALSE = \"0\";\r\nconst SERVER_TELEM_UNKNOWN_ERROR = \"unknown_error\";\r\n/**\r\n * Type of the authentication request\r\n */\r\nconst AuthenticationScheme = {\r\n BEARER: \"Bearer\",\r\n POP: \"pop\",\r\n SSH: \"ssh-cert\",\r\n};\r\n/**\r\n * Constants related to throttling\r\n */\r\nconst DEFAULT_THROTTLE_TIME_SECONDS = 60;\r\n// Default maximum time to throttle in seconds, overrides what the server sends back\r\nconst DEFAULT_MAX_THROTTLE_TIME_SECONDS = 3600;\r\n// Prefix for storing throttling entries\r\nconst THROTTLING_PREFIX = \"throttling\";\r\n// Value assigned to the x-ms-lib-capability header to indicate to the server the library supports throttling\r\nconst X_MS_LIB_CAPABILITY_VALUE = \"retry-after, h429\";\r\n/**\r\n * Errors\r\n */\r\nconst INVALID_GRANT_ERROR = \"invalid_grant\";\r\nconst CLIENT_MISMATCH_ERROR = \"client_mismatch\";\r\n/**\r\n * Password grant parameters\r\n */\r\nconst PasswordGrantConstants = {\r\n username: \"username\",\r\n password: \"password\",\r\n};\r\n/**\r\n * Region Discovery Sources\r\n */\r\nconst RegionDiscoverySources = {\r\n FAILED_AUTO_DETECTION: \"1\",\r\n INTERNAL_CACHE: \"2\",\r\n ENVIRONMENT_VARIABLE: \"3\",\r\n IMDS: \"4\",\r\n};\r\n/**\r\n * Region Discovery Outcomes\r\n */\r\nconst RegionDiscoveryOutcomes = {\r\n CONFIGURED_MATCHES_DETECTED: \"1\",\r\n CONFIGURED_NO_AUTO_DETECTION: \"2\",\r\n CONFIGURED_NOT_DETECTED: \"3\",\r\n AUTO_DETECTION_REQUESTED_SUCCESSFUL: \"4\",\r\n AUTO_DETECTION_REQUESTED_FAILED: \"5\",\r\n};\r\n/**\r\n * Specifies the reason for fetching the access token from the identity provider\r\n */\r\nconst CacheOutcome = {\r\n // When a token is found in the cache or the cache is not supposed to be hit when making the request\r\n NOT_APPLICABLE: \"0\",\r\n // When the token request goes to the identity provider because force_refresh was set to true. Also occurs if claims were requested\r\n FORCE_REFRESH_OR_CLAIMS: \"1\",\r\n // When the token request goes to the identity provider because no cached access token exists\r\n NO_CACHED_ACCESS_TOKEN: \"2\",\r\n // When the token request goes to the identity provider because cached access token expired\r\n CACHED_ACCESS_TOKEN_EXPIRED: \"3\",\r\n // When the token request goes to the identity provider because refresh_in was used and the existing token needs to be refreshed\r\n PROACTIVELY_REFRESHED: \"4\",\r\n};\r\nconst JsonWebTokenTypes = {\r\n Jwt: \"JWT\",\r\n Jwk: \"JWK\",\r\n Pop: \"pop\",\r\n};\r\nconst ONE_DAY_IN_MS = 86400000;\r\n// Token renewal offset default in seconds\r\nconst DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;\r\nconst EncodingTypes = {\r\n BASE64: \"base64\",\r\n HEX: \"hex\",\r\n UTF8: \"utf-8\",\r\n};\n\nexport { AADAuthority, AAD_INSTANCE_DISCOVERY_ENDPT, AAD_TENANT_DOMAIN_SUFFIX, ADFS, APP_METADATA, AUTHORITY_METADATA_CACHE_KEY, AUTHORITY_METADATA_REFRESH_TIME_SECONDS, AUTHORIZATION_PENDING, AZURE_REGION_AUTO_DISCOVER_FLAG, AuthenticationScheme, AuthorityMetadataSource, CACHE_ACCOUNT_TYPE_ADFS, CACHE_ACCOUNT_TYPE_GENERIC, CACHE_ACCOUNT_TYPE_MSAV1, CACHE_ACCOUNT_TYPE_MSSTS, CACHE_KEY_SEPARATOR, CIAM_AUTH_URL, CLIENT_INFO, CLIENT_INFO_SEPARATOR, CLIENT_MISMATCH_ERROR, CODE_GRANT_TYPE, CONSUMER_UTID, CacheOutcome, CacheType, ClaimsRequestKeys, CodeChallengeMethodValues, CredentialType, DEFAULT_AUTHORITY, DEFAULT_AUTHORITY_HOST, DEFAULT_COMMON_TENANT, DEFAULT_MAX_THROTTLE_TIME_SECONDS, DEFAULT_THROTTLE_TIME_SECONDS, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC, DSTS, EMAIL_SCOPE, EncodingTypes, FORWARD_SLASH, GrantType, HTTP_BAD_REQUEST, HTTP_CLIENT_ERROR, HTTP_CLIENT_ERROR_RANGE_END, HTTP_CLIENT_ERROR_RANGE_START, HTTP_GATEWAY_TIMEOUT, HTTP_GONE, HTTP_MULTI_SIDED_ERROR, HTTP_NOT_FOUND, HTTP_REDIRECT, HTTP_REQUEST_TIMEOUT, HTTP_SERVER_ERROR, HTTP_SERVER_ERROR_RANGE_END, HTTP_SERVER_ERROR_RANGE_START, HTTP_SERVICE_UNAVAILABLE, HTTP_SUCCESS, HTTP_SUCCESS_RANGE_END, HTTP_SUCCESS_RANGE_START, HTTP_TOO_MANY_REQUESTS, HTTP_UNAUTHORIZED, HeaderNames, HttpMethod, IMDS_ENDPOINT, IMDS_TIMEOUT, IMDS_VERSION, INVALID_GRANT_ERROR, INVALID_INSTANCE, JsonWebTokenTypes, KNOWN_PUBLIC_CLOUDS, NOT_APPLICABLE, NOT_AVAILABLE, OAuthResponseType, OFFLINE_ACCESS_SCOPE, OIDC_DEFAULT_SCOPES, OIDC_SCOPES, ONE_DAY_IN_MS, OPENID_SCOPE, PROFILE_SCOPE, PasswordGrantConstants, PersistentCacheKeys, PromptValue, REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX, RESOURCE_DELIM, RegionDiscoveryOutcomes, RegionDiscoverySources, ResponseMode, S256_CODE_CHALLENGE_METHOD, SERVER_TELEM_CACHE_KEY, SERVER_TELEM_CATEGORY_SEPARATOR, SERVER_TELEM_MAX_CACHED_ERRORS, SERVER_TELEM_MAX_CUR_HEADER_BYTES, SERVER_TELEM_MAX_LAST_HEADER_BYTES, SERVER_TELEM_OVERFLOW_FALSE, SERVER_TELEM_OVERFLOW_TRUE, SERVER_TELEM_SCHEMA_VERSION, SERVER_TELEM_UNKNOWN_ERROR, SERVER_TELEM_VALUE_SEPARATOR, SHR_NONCE_VALIDITY, SKU, THE_FAMILY_ID, THROTTLING_PREFIX, URL_FORM_CONTENT_TYPE, X_MS_LIB_CAPABILITY_VALUE };\n//# sourceMappingURL=Constants.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst CLIENT_ID = \"client_id\";\r\nconst REDIRECT_URI = \"redirect_uri\";\r\nconst RESPONSE_TYPE = \"response_type\";\r\nconst RESPONSE_MODE = \"response_mode\";\r\nconst GRANT_TYPE = \"grant_type\";\r\nconst CLAIMS = \"claims\";\r\nconst SCOPE = \"scope\";\r\nconst ERROR = \"error\";\r\nconst ERROR_DESCRIPTION = \"error_description\";\r\nconst ACCESS_TOKEN = \"access_token\";\r\nconst ID_TOKEN = \"id_token\";\r\nconst REFRESH_TOKEN = \"refresh_token\";\r\nconst EXPIRES_IN = \"expires_in\";\r\nconst REFRESH_TOKEN_EXPIRES_IN = \"refresh_token_expires_in\";\r\nconst STATE = \"state\";\r\nconst NONCE = \"nonce\";\r\nconst PROMPT = \"prompt\";\r\nconst SESSION_STATE = \"session_state\";\r\nconst CLIENT_INFO = \"client_info\";\r\nconst CODE = \"code\";\r\nconst CODE_CHALLENGE = \"code_challenge\";\r\nconst CODE_CHALLENGE_METHOD = \"code_challenge_method\";\r\nconst CODE_VERIFIER = \"code_verifier\";\r\nconst CLIENT_REQUEST_ID = \"client-request-id\";\r\nconst X_CLIENT_SKU = \"x-client-SKU\";\r\nconst X_CLIENT_VER = \"x-client-VER\";\r\nconst X_CLIENT_OS = \"x-client-OS\";\r\nconst X_CLIENT_CPU = \"x-client-CPU\";\r\nconst X_CLIENT_CURR_TELEM = \"x-client-current-telemetry\";\r\nconst X_CLIENT_LAST_TELEM = \"x-client-last-telemetry\";\r\nconst X_MS_LIB_CAPABILITY = \"x-ms-lib-capability\";\r\nconst X_APP_NAME = \"x-app-name\";\r\nconst X_APP_VER = \"x-app-ver\";\r\nconst POST_LOGOUT_URI = \"post_logout_redirect_uri\";\r\nconst ID_TOKEN_HINT = \"id_token_hint\";\r\nconst DEVICE_CODE = \"device_code\";\r\nconst CLIENT_SECRET = \"client_secret\";\r\nconst CLIENT_ASSERTION = \"client_assertion\";\r\nconst CLIENT_ASSERTION_TYPE = \"client_assertion_type\";\r\nconst TOKEN_TYPE = \"token_type\";\r\nconst REQ_CNF = \"req_cnf\";\r\nconst OBO_ASSERTION = \"assertion\";\r\nconst REQUESTED_TOKEN_USE = \"requested_token_use\";\r\nconst ON_BEHALF_OF = \"on_behalf_of\";\r\nconst FOCI = \"foci\";\r\nconst CCS_HEADER = \"X-AnchorMailbox\";\r\nconst RETURN_SPA_CODE = \"return_spa_code\";\r\nconst NATIVE_BROKER = \"nativebroker\";\r\nconst LOGOUT_HINT = \"logout_hint\";\r\nconst SID = \"sid\";\r\nconst LOGIN_HINT = \"login_hint\";\r\nconst DOMAIN_HINT = \"domain_hint\";\r\nconst X_CLIENT_EXTRA_SKU = \"x-client-xtra-sku\";\r\nconst BROKER_CLIENT_ID = \"brk_client_id\";\r\nconst BROKER_REDIRECT_URI = \"brk_redirect_uri\";\r\nconst INSTANCE_AWARE = \"instance_aware\";\r\nconst EAR_JWK = \"ear_jwk\";\r\nconst EAR_JWE_CRYPTO = \"ear_jwe_crypto\";\n\nexport { ACCESS_TOKEN, BROKER_CLIENT_ID, BROKER_REDIRECT_URI, CCS_HEADER, CLAIMS, CLIENT_ASSERTION, CLIENT_ASSERTION_TYPE, CLIENT_ID, CLIENT_INFO, CLIENT_REQUEST_ID, CLIENT_SECRET, CODE, CODE_CHALLENGE, CODE_CHALLENGE_METHOD, CODE_VERIFIER, DEVICE_CODE, DOMAIN_HINT, EAR_JWE_CRYPTO, EAR_JWK, ERROR, ERROR_DESCRIPTION, EXPIRES_IN, FOCI, GRANT_TYPE, ID_TOKEN, ID_TOKEN_HINT, INSTANCE_AWARE, LOGIN_HINT, LOGOUT_HINT, NATIVE_BROKER, NONCE, OBO_ASSERTION, ON_BEHALF_OF, POST_LOGOUT_URI, PROMPT, REDIRECT_URI, REFRESH_TOKEN, REFRESH_TOKEN_EXPIRES_IN, REQUESTED_TOKEN_USE, REQ_CNF, RESPONSE_MODE, RESPONSE_TYPE, RETURN_SPA_CODE, SCOPE, SESSION_STATE, SID, STATE, TOKEN_TYPE, X_APP_NAME, X_APP_VER, X_CLIENT_CPU, X_CLIENT_CURR_TELEM, X_CLIENT_EXTRA_SKU, X_CLIENT_LAST_TELEM, X_CLIENT_OS, X_CLIENT_SKU, X_CLIENT_VER, X_MS_LIB_CAPABILITY };\n//# sourceMappingURL=AADServerParamKeys.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nfunction getDefaultErrorMessage(code) {\r\n return `See https://aka.ms/msal.js.errors#${code} for details`;\r\n}\r\n/**\r\n * General error class thrown by the MSAL.js library.\r\n */\r\nclass AuthError extends Error {\r\n constructor(errorCode, errorMessage, suberror) {\r\n const message = errorMessage ||\r\n (errorCode ? getDefaultErrorMessage(errorCode) : \"\");\r\n const errorString = message ? `${errorCode}: ${message}` : errorCode;\r\n super(errorString);\r\n Object.setPrototypeOf(this, AuthError.prototype);\r\n this.errorCode = errorCode || \"\";\r\n this.errorMessage = message || \"\";\r\n this.subError = suberror || \"\";\r\n this.name = \"AuthError\";\r\n }\r\n setCorrelationId(correlationId) {\r\n this.correlationId = correlationId;\r\n }\r\n}\r\nfunction createAuthError(code, additionalMessage) {\r\n return new AuthError(code, additionalMessage || getDefaultErrorMessage(code));\r\n}\n\nexport { AuthError, createAuthError, getDefaultErrorMessage };\n//# sourceMappingURL=AuthError.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * Error thrown when there is an error in configuration of the MSAL.js library.\r\n */\r\nclass ClientConfigurationError extends AuthError {\r\n constructor(errorCode) {\r\n super(errorCode);\r\n this.name = \"ClientConfigurationError\";\r\n Object.setPrototypeOf(this, ClientConfigurationError.prototype);\r\n }\r\n}\r\nfunction createClientConfigurationError(errorCode) {\r\n return new ClientConfigurationError(errorCode);\r\n}\n\nexport { ClientConfigurationError, createClientConfigurationError };\n//# sourceMappingURL=ClientConfigurationError.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * @hidden\r\n */\r\nclass StringUtils {\r\n /**\r\n * Check if stringified object is empty\r\n * @param strObj\r\n */\r\n static isEmptyObj(strObj) {\r\n if (strObj) {\r\n try {\r\n const obj = JSON.parse(strObj);\r\n return Object.keys(obj).length === 0;\r\n }\r\n catch (e) { }\r\n }\r\n return true;\r\n }\r\n static startsWith(str, search) {\r\n return str.indexOf(search) === 0;\r\n }\r\n static endsWith(str, search) {\r\n return (str.length >= search.length &&\r\n str.lastIndexOf(search) === str.length - search.length);\r\n }\r\n /**\r\n * Parses string into an object.\r\n *\r\n * @param query\r\n */\r\n static queryStringToObject(query) {\r\n const obj = {};\r\n const params = query.split(\"&\");\r\n const decode = (s) => decodeURIComponent(s.replace(/\\+/g, \" \"));\r\n params.forEach((pair) => {\r\n if (pair.trim()) {\r\n const [key, value] = pair.split(/=(.+)/g, 2); // Split on the first occurence of the '=' character\r\n if (key && value) {\r\n obj[decode(key)] = decode(value);\r\n }\r\n }\r\n });\r\n return obj;\r\n }\r\n /**\r\n * Trims entries in an array.\r\n *\r\n * @param arr\r\n */\r\n static trimArrayEntries(arr) {\r\n return arr.map((entry) => entry.trim());\r\n }\r\n /**\r\n * Removes empty strings from array\r\n * @param arr\r\n */\r\n static removeEmptyStringsFromArray(arr) {\r\n return arr.filter((entry) => {\r\n return !!entry;\r\n });\r\n }\r\n /**\r\n * Attempts to parse a string into JSON\r\n * @param str\r\n */\r\n static jsonParseHelper(str) {\r\n try {\r\n return JSON.parse(str);\r\n }\r\n catch (e) {\r\n return null;\r\n }\r\n }\r\n /**\r\n * Tests if a given string matches a given pattern, with support for wildcards and queries.\r\n * @param pattern Wildcard pattern to string match. Supports \"*\" for wildcards and \"?\" for queries\r\n * @param input String to match against\r\n */\r\n static matchPattern(pattern, input) {\r\n /**\r\n * Wildcard support: https://stackoverflow.com/a/3117248/4888559\r\n * Queries: replaces \"?\" in string with escaped \"\\?\" for regex test\r\n */\r\n // eslint-disable-next-line security/detect-non-literal-regexp\r\n const regex = new RegExp(pattern\r\n .replace(/\\\\/g, \"\\\\\\\\\")\r\n .replace(/\\*/g, \"[^ ]*\")\r\n .replace(/\\?/g, \"\\\\?\"));\r\n return regex.test(input);\r\n }\r\n}\n\nexport { StringUtils };\n//# sourceMappingURL=StringUtils.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * ClientAuthErrorMessage class containing string constants used by error codes and messages.\r\n */\r\n/**\r\n * Error thrown when there is an error in the client code running on the browser.\r\n */\r\nclass ClientAuthError extends AuthError {\r\n constructor(errorCode, additionalMessage) {\r\n super(errorCode, additionalMessage);\r\n this.name = \"ClientAuthError\";\r\n Object.setPrototypeOf(this, ClientAuthError.prototype);\r\n }\r\n}\r\nfunction createClientAuthError(errorCode, additionalMessage) {\r\n return new ClientAuthError(errorCode, additionalMessage);\r\n}\n\nexport { ClientAuthError, createClientAuthError };\n//# sourceMappingURL=ClientAuthError.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst redirectUriEmpty = \"redirect_uri_empty\";\r\nconst claimsRequestParsingError = \"claims_request_parsing_error\";\r\nconst authorityUriInsecure = \"authority_uri_insecure\";\r\nconst urlParseError = \"url_parse_error\";\r\nconst urlEmptyError = \"empty_url_error\";\r\nconst emptyInputScopesError = \"empty_input_scopes_error\";\r\nconst invalidClaims = \"invalid_claims\";\r\nconst tokenRequestEmpty = \"token_request_empty\";\r\nconst logoutRequestEmpty = \"logout_request_empty\";\r\nconst invalidCodeChallengeMethod = \"invalid_code_challenge_method\";\r\nconst pkceParamsMissing = \"pkce_params_missing\";\r\nconst invalidCloudDiscoveryMetadata = \"invalid_cloud_discovery_metadata\";\r\nconst invalidAuthorityMetadata = \"invalid_authority_metadata\";\r\nconst untrustedAuthority = \"untrusted_authority\";\r\nconst missingSshJwk = \"missing_ssh_jwk\";\r\nconst missingSshKid = \"missing_ssh_kid\";\r\nconst missingNonceAuthenticationHeader = \"missing_nonce_authentication_header\";\r\nconst invalidAuthenticationHeader = \"invalid_authentication_header\";\r\nconst cannotSetOIDCOptions = \"cannot_set_OIDCOptions\";\r\nconst cannotAllowPlatformBroker = \"cannot_allow_platform_broker\";\r\nconst authorityMismatch = \"authority_mismatch\";\r\nconst invalidRequestMethodForEAR = \"invalid_request_method_for_EAR\";\n\nexport { authorityMismatch, authorityUriInsecure, cannotAllowPlatformBroker, cannotSetOIDCOptions, claimsRequestParsingError, emptyInputScopesError, invalidAuthenticationHeader, invalidAuthorityMetadata, invalidClaims, invalidCloudDiscoveryMetadata, invalidCodeChallengeMethod, invalidRequestMethodForEAR, logoutRequestEmpty, missingNonceAuthenticationHeader, missingSshJwk, missingSshKid, pkceParamsMissing, redirectUriEmpty, tokenRequestEmpty, untrustedAuthority, urlEmptyError, urlParseError };\n//# sourceMappingURL=ClientConfigurationErrorCodes.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst clientInfoDecodingError = \"client_info_decoding_error\";\r\nconst clientInfoEmptyError = \"client_info_empty_error\";\r\nconst tokenParsingError = \"token_parsing_error\";\r\nconst nullOrEmptyToken = \"null_or_empty_token\";\r\nconst endpointResolutionError = \"endpoints_resolution_error\";\r\nconst networkError = \"network_error\";\r\nconst openIdConfigError = \"openid_config_error\";\r\nconst hashNotDeserialized = \"hash_not_deserialized\";\r\nconst invalidState = \"invalid_state\";\r\nconst stateMismatch = \"state_mismatch\";\r\nconst stateNotFound = \"state_not_found\";\r\nconst nonceMismatch = \"nonce_mismatch\";\r\nconst authTimeNotFound = \"auth_time_not_found\";\r\nconst maxAgeTranspired = \"max_age_transpired\";\r\nconst multipleMatchingTokens = \"multiple_matching_tokens\";\r\nconst multipleMatchingAppMetadata = \"multiple_matching_appMetadata\";\r\nconst requestCannotBeMade = \"request_cannot_be_made\";\r\nconst cannotRemoveEmptyScope = \"cannot_remove_empty_scope\";\r\nconst cannotAppendScopeSet = \"cannot_append_scopeset\";\r\nconst emptyInputScopeSet = \"empty_input_scopeset\";\r\nconst noAccountInSilentRequest = \"no_account_in_silent_request\";\r\nconst invalidCacheRecord = \"invalid_cache_record\";\r\nconst invalidCacheEnvironment = \"invalid_cache_environment\";\r\nconst noAccountFound = \"no_account_found\";\r\nconst noCryptoObject = \"no_crypto_object\";\r\nconst unexpectedCredentialType = \"unexpected_credential_type\";\r\nconst tokenRefreshRequired = \"token_refresh_required\";\r\nconst tokenClaimsCnfRequiredForSignedJwt = \"token_claims_cnf_required_for_signedjwt\";\r\nconst authorizationCodeMissingFromServerResponse = \"authorization_code_missing_from_server_response\";\r\nconst bindingKeyNotRemoved = \"binding_key_not_removed\";\r\nconst endSessionEndpointNotSupported = \"end_session_endpoint_not_supported\";\r\nconst keyIdMissing = \"key_id_missing\";\r\nconst noNetworkConnectivity = \"no_network_connectivity\";\r\nconst userCanceled = \"user_canceled\";\r\nconst methodNotImplemented = \"method_not_implemented\";\r\nconst nestedAppAuthBridgeDisabled = \"nested_app_auth_bridge_disabled\";\r\nconst platformBrokerError = \"platform_broker_error\";\n\nexport { authTimeNotFound, authorizationCodeMissingFromServerResponse, bindingKeyNotRemoved, cannotAppendScopeSet, cannotRemoveEmptyScope, clientInfoDecodingError, clientInfoEmptyError, emptyInputScopeSet, endSessionEndpointNotSupported, endpointResolutionError, hashNotDeserialized, invalidCacheEnvironment, invalidCacheRecord, invalidState, keyIdMissing, maxAgeTranspired, methodNotImplemented, multipleMatchingAppMetadata, multipleMatchingTokens, nestedAppAuthBridgeDisabled, networkError, noAccountFound, noAccountInSilentRequest, noCryptoObject, noNetworkConnectivity, nonceMismatch, nullOrEmptyToken, openIdConfigError, platformBrokerError, requestCannotBeMade, stateMismatch, stateNotFound, tokenClaimsCnfRequiredForSignedJwt, tokenParsingError, tokenRefreshRequired, unexpectedCredentialType, userCanceled };\n//# sourceMappingURL=ClientAuthErrorCodes.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\nimport { createClientConfigurationError } from '../error/ClientConfigurationError.mjs';\nimport { StringUtils } from '../utils/StringUtils.mjs';\nimport { createClientAuthError } from '../error/ClientAuthError.mjs';\nimport { OIDC_DEFAULT_SCOPES, OFFLINE_ACCESS_SCOPE, OIDC_SCOPES } from '../utils/Constants.mjs';\nimport { emptyInputScopesError } from '../error/ClientConfigurationErrorCodes.mjs';\nimport { cannotAppendScopeSet, cannotRemoveEmptyScope, emptyInputScopeSet } from '../error/ClientAuthErrorCodes.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * The ScopeSet class creates a set of scopes. Scopes are case-insensitive, unique values, so the Set object in JS makes\r\n * the most sense to implement for this class. All scopes are trimmed and converted to lower case strings in intersection and union functions\r\n * to ensure uniqueness of strings.\r\n */\r\nclass ScopeSet {\r\n constructor(inputScopes) {\r\n // Filter empty string and null/undefined array items\r\n const scopeArr = inputScopes\r\n ? StringUtils.trimArrayEntries([...inputScopes])\r\n : [];\r\n const filteredInput = scopeArr\r\n ? StringUtils.removeEmptyStringsFromArray(scopeArr)\r\n : [];\r\n // Check if scopes array has at least one member\r\n if (!filteredInput || !filteredInput.length) {\r\n throw createClientConfigurationError(emptyInputScopesError);\r\n }\r\n this.scopes = new Set(); // Iterator in constructor not supported by IE11\r\n filteredInput.forEach((scope) => this.scopes.add(scope));\r\n }\r\n /**\r\n * Factory method to create ScopeSet from space-delimited string\r\n * @param inputScopeString\r\n * @param appClientId\r\n * @param scopesRequired\r\n */\r\n static fromString(inputScopeString) {\r\n const scopeString = inputScopeString || \"\";\r\n const inputScopes = scopeString.split(\" \");\r\n return new ScopeSet(inputScopes);\r\n }\r\n /**\r\n * Creates the set of scopes to search for in cache lookups\r\n * @param inputScopeString\r\n * @returns\r\n */\r\n static createSearchScopes(inputScopeString) {\r\n // Handle empty scopes by using default OIDC scopes for cache lookup\r\n const scopesToUse = inputScopeString && inputScopeString.length > 0\r\n ? inputScopeString\r\n : [...OIDC_DEFAULT_SCOPES];\r\n const scopeSet = new ScopeSet(scopesToUse);\r\n if (!scopeSet.containsOnlyOIDCScopes()) {\r\n scopeSet.removeOIDCScopes();\r\n }\r\n else {\r\n scopeSet.removeScope(OFFLINE_ACCESS_SCOPE);\r\n }\r\n return scopeSet;\r\n }\r\n /**\r\n * Check if a given scope is present in this set of scopes.\r\n * @param scope\r\n */\r\n containsScope(scope) {\r\n const lowerCaseScopes = this.printScopesLowerCase().split(\" \");\r\n const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes);\r\n // compare lowercase scopes\r\n return scope\r\n ? lowerCaseScopesSet.scopes.has(scope.toLowerCase())\r\n : false;\r\n }\r\n /**\r\n * Check if a set of scopes is present in this set of scopes.\r\n * @param scopeSet\r\n */\r\n containsScopeSet(scopeSet) {\r\n if (!scopeSet || scopeSet.scopes.size <= 0) {\r\n return false;\r\n }\r\n return (this.scopes.size >= scopeSet.scopes.size &&\r\n scopeSet.asArray().every((scope) => this.containsScope(scope)));\r\n }\r\n /**\r\n * Check if set of scopes contains only the defaults\r\n */\r\n containsOnlyOIDCScopes() {\r\n let defaultScopeCount = 0;\r\n OIDC_SCOPES.forEach((defaultScope) => {\r\n if (this.containsScope(defaultScope)) {\r\n defaultScopeCount += 1;\r\n }\r\n });\r\n return this.scopes.size === defaultScopeCount;\r\n }\r\n /**\r\n * Appends single scope if passed\r\n * @param newScope\r\n */\r\n appendScope(newScope) {\r\n if (newScope) {\r\n this.scopes.add(newScope.trim());\r\n }\r\n }\r\n /**\r\n * Appends multiple scopes if passed\r\n * @param newScopes\r\n */\r\n appendScopes(newScopes) {\r\n try {\r\n newScopes.forEach((newScope) => this.appendScope(newScope));\r\n }\r\n catch (e) {\r\n throw createClientAuthError(cannotAppendScopeSet);\r\n }\r\n }\r\n /**\r\n * Removes element from set of scopes.\r\n * @param scope\r\n */\r\n removeScope(scope) {\r\n if (!scope) {\r\n throw createClientAuthError(cannotRemoveEmptyScope);\r\n }\r\n this.scopes.delete(scope.trim());\r\n }\r\n /**\r\n * Removes default scopes from set of scopes\r\n * Primarily used to prevent cache misses if the default scopes are not returned from the server\r\n */\r\n removeOIDCScopes() {\r\n OIDC_SCOPES.forEach((defaultScope) => {\r\n this.scopes.delete(defaultScope);\r\n });\r\n }\r\n /**\r\n * Combines an array of scopes with the current set of scopes.\r\n * @param otherScopes\r\n */\r\n unionScopeSets(otherScopes) {\r\n if (!otherScopes) {\r\n throw createClientAuthError(emptyInputScopeSet);\r\n }\r\n const unionScopes = new Set(); // Iterator in constructor not supported in IE11\r\n otherScopes.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));\r\n this.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));\r\n return unionScopes;\r\n }\r\n /**\r\n * Check if scopes intersect between this set and another.\r\n * @param otherScopes\r\n */\r\n intersectingScopeSets(otherScopes) {\r\n if (!otherScopes) {\r\n throw createClientAuthError(emptyInputScopeSet);\r\n }\r\n // Do not allow OIDC scopes to be the only intersecting scopes\r\n if (!otherScopes.containsOnlyOIDCScopes()) {\r\n otherScopes.removeOIDCScopes();\r\n }\r\n const unionScopes = this.unionScopeSets(otherScopes);\r\n const sizeOtherScopes = otherScopes.getScopeCount();\r\n const sizeThisScopes = this.getScopeCount();\r\n const sizeUnionScopes = unionScopes.size;\r\n return sizeUnionScopes < sizeThisScopes + sizeOtherScopes;\r\n }\r\n /**\r\n * Returns size of set of scopes.\r\n */\r\n getScopeCount() {\r\n return this.scopes.size;\r\n }\r\n /**\r\n * Returns the scopes as an array of string values\r\n */\r\n asArray() {\r\n const array = [];\r\n this.scopes.forEach((val) => array.push(val));\r\n return array;\r\n }\r\n /**\r\n * Prints scopes into a space-delimited string\r\n */\r\n printScopes() {\r\n if (this.scopes) {\r\n const scopeArr = this.asArray();\r\n return scopeArr.join(\" \");\r\n }\r\n return \"\";\r\n }\r\n /**\r\n * Prints scopes into a space-delimited lower-case string (used for caching)\r\n */\r\n printScopesLowerCase() {\r\n return this.printScopes().toLowerCase();\r\n }\r\n}\n\nexport { ScopeSet };\n//# sourceMappingURL=ScopeSet.mjs.map\n","/*! @azure/msal-common v16.0.3 2026-01-28 */\n'use strict';\nimport { OIDC_DEFAULT_SCOPES, ResponseMode, HeaderNames, CLIENT_INFO, ClaimsRequestKeys, PasswordGrantConstants, AuthenticationScheme, X_MS_LIB_CAPABILITY_VALUE } from '../utils/Constants.mjs';\nimport { CLIENT_ID, BROKER_CLIENT_ID, REDIRECT_URI, RESPONSE_TYPE, RESPONSE_MODE, NATIVE_BROKER, SCOPE, POST_LOGOUT_URI, ID_TOKEN_HINT, DOMAIN_HINT, LOGIN_HINT, SID, CLAIMS, CLIENT_REQUEST_ID, X_CLIENT_SKU, X_CLIENT_VER, X_CLIENT_OS, X_CLIENT_CPU, X_APP_NAME, X_APP_VER, PROMPT, STATE, NONCE, CODE_CHALLENGE, CODE_CHALLENGE_METHOD, CODE, DEVICE_CODE, REFRESH_TOKEN, CODE_VERIFIER, CLIENT_SECRET, CLIENT_ASSERTION, CLIENT_ASSERTION_TYPE, OBO_ASSERTION, REQUESTED_TOKEN_USE, GRANT_TYPE, INSTANCE_AWARE, TOKEN_TYPE, REQ_CNF, X_CLIENT_CURR_TELEM, X_CLIENT_LAST_TELEM, X_MS_LIB_CAPABILITY, LOGOUT_HINT, BROKER_REDIRECT_URI, EAR_JWK, EAR_JWE_CRYPTO } from '../constants/AADServerParamKeys.mjs';\nimport { ScopeSet } from './ScopeSet.mjs';\nimport { createClientConfigurationError } from '../error/ClientConfigurationError.mjs';\nimport { invalidClaims, pkceParamsMissing } from '../error/ClientConfigurationErrorCodes.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nfunction instrumentBrokerParams(parameters, correlationId, performanceClient) {\r\n if (!correlationId) {\r\n return;\r\n }\r\n const clientId = parameters.get(CLIENT_ID);\r\n if (clientId && parameters.has(BROKER_CLIENT_ID)) {\r\n performanceClient?.addFields({\r\n embeddedClientId: clientId,\r\n embeddedRedirectUri: parameters.get(REDIRECT_URI),\r\n }, correlationId);\r\n }\r\n}\r\n/**\r\n * Add the given response_type\r\n * @param parameters\r\n * @param responseType\r\n */\r\nfunction addResponseType(parameters, responseType) {\r\n parameters.set(RESPONSE_TYPE, responseType);\r\n}\r\n/**\r\n * add response_mode. defaults to query.\r\n * @param responseMode\r\n */\r\nfunction addResponseMode(parameters, responseMode) {\r\n parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);\r\n}\r\n/**\r\n * Add flag to indicate STS should attempt to use WAM if available\r\n */\r\nfunction addNativeBroker(parameters) {\r\n parameters.set(NATIVE_BROKER, \"1\");\r\n}\r\n/**\r\n * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios\r\n * @param scopeSet\r\n * @param addOidcScopes\r\n */\r\nfunction addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {\r\n // Always add openid to the scopes when adding OIDC scopes\r\n if (addOidcScopes &&\r\n !defaultScopes.includes(\"openid\") &&\r\n !scopes.includes(\"openid\")) {\r\n defaultScopes.push(\"openid\");\r\n }\r\n const requestScopes = addOidcScopes\r\n ? [...(scopes || []), ...defaultScopes]\r\n : scopes || [];\r\n const scopeSet = new ScopeSet(requestScopes);\r\n parameters.set(SCOPE, scopeSet.printScopes());\r\n}\r\n/**\r\n * add clientId\r\n * @param clientId\r\n */\r\nfunction addClientId(parameters, clientId) {\r\n parameters.set(CLIENT_ID, clientId);\r\n}\r\n/**\r\n * add redirect_uri\r\n * @param redirectUri\r\n */\r\nfunction addRedirectUri(parameters, redirectUri) {\r\n parameters.set(REDIRECT_URI, redirectUri);\r\n}\r\n/**\r\n * add post logout redirectUri\r\n * @param redirectUri\r\n */\r\nfunction addPostLogoutRedirectUri(parameters, redirectUri) {\r\n parameters.set(POST_LOGOUT_URI, redirectUri);\r\n}\r\n/**\r\n * add id_token_hint to logout request\r\n * @param idTokenHint\r\n */\r\nfunction addIdTokenHint(parameters, idTokenHint) {\r\n parameters.set(ID_TOKEN_HINT, idTokenHint);\r\n}\r\n/**\r\n * add domain_hint\r\n * @param domainHint\r\n */\r\nfunction addDomainHint(parameters, domainHint) {\r\n parameters.set(DOMAIN_HINT, domainHint);\r\n}\r\n/**\r\n * add login_hint\r\n * @param loginHint\r\n */\r\nfunction addLoginHint(parameters, loginHint) {\r\n parameters.set(LOGIN_HINT, loginHint);\r\n}\r\n/**\r\n * Adds the CCS (Cache Credential Service) query parameter for login_hint\r\n * @param loginHint\r\n */\r\nfunction addCcsUpn(parameters, loginHint) {\r\n parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);\r\n}\r\n/**\r\n * Adds the CCS (Cache Credential Service) query parameter for account object\r\n * @param loginHint\r\n */\r\nfunction addCcsOid(parameters, clientInfo) {\r\n parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);\r\n}\r\n/**\r\n * add sid\r\n * @param sid\r\n */\r\nfunction addSid(parameters, sid) {\r\n parameters.set(SID, sid);\r\n}\r\n/**\r\n * add claims\r\n * @param claims\r\n */\r\nfunction addClaims(parameters, claims, clientCapabilities) {\r\n const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);\r\n try {\r\n JSON.parse(mergedClaims);\r\n }\r\n catch (e) {\r\n throw createClientConfigurationError(invalidClaims);\r\n }\r\n parameters.set(CLAIMS, mergedClaims);\r\n}\r\n/**\r\n * add correlationId\r\n * @param correlationId\r\n */\r\nfunction addCorrelationId(parameters, correlationId) {\r\n parameters.set(CLIENT_REQUEST_ID, correlationId);\r\n}\r\n/**\r\n * add library info query params\r\n * @param libraryInfo\r\n */\r\nfunction addLibraryInfo(parameters, libraryInfo) {\r\n // Telemetry Info\r\n parameters.set(X_CLIENT_SKU, libraryInfo.sku);\r\n parameters.set(X_CLIENT_VER, libraryInfo.version);\r\n if (libraryInfo.os) {\r\n parameters.set(X_CLIENT_OS, libraryInfo.os);\r\n }\r\n if (libraryInfo.cpu) {\r\n parameters.set(X_CLIENT_CPU, libraryInfo.cpu);\r\n }\r\n}\r\n/**\r\n * Add client telemetry parameters\r\n * @param appTelemetry\r\n */\r\nfunction addApplicationTelemetry(parameters, appTelemetry) {\r\n if (appTelemetry?.appName) {\r\n parameters.set(X_APP_NAME, appTelemetry.appName);\r\n }\r\n if (appTelemetry?.appVersion) {\r\n parameters.set(X_APP_VER, appTelemetry.appVersion);\r\n }\r\n}\r\n/**\r\n * add prompt\r\n * @param prompt\r\n */\r\nfunction addPrompt(parameters, prompt) {\r\n parameters.set(PROMPT, prompt);\r\n}\r\n/**\r\n * add state\r\n * @param state\r\n */\r\nfunction addState(parameters, state) {\r\n if (state) {\r\n parameters.set(STATE, state);\r\n }\r\n}\r\n/**\r\n * add nonce\r\n * @param nonce\r\n */\r\nfunction addNonce(parameters, nonce) {\r\n parameters.set(NONCE, nonce);\r\n}\r\n/**\r\n * add code_challenge and code_challenge_method\r\n * - throw if either of them are not passed\r\n * @param codeChallenge\r\n * @param codeChallengeMethod\r\n */\r\nfunction addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {\r\n if (codeChallenge && codeChallengeMethod) {\r\n parameters.set(CODE_CHALLENGE, codeChallenge);\r\n parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);\r\n }\r\n else {\r\n throw createClientConfigurationError(pkceParamsMissing);\r\n }\r\n}\r\n/**\r\n * add the `authorization_code` passed by the user to exchange for a token\r\n * @param code\r\n */\r\nfunction addAuthorizationCode(parameters, code) {\r\n parameters.set(CODE, code);\r\n}\r\n/**\r\n * add the `authorization_code` passed by the user to exchange for a token\r\n * @param code\r\n */\r\nfunction addDeviceCode(parameters, code) {\r\n parameters.set(DEVICE_CODE, code);\r\n}\r\n/**\r\n * add the `refreshToken` passed by the user\r\n * @param refreshToken\r\n */\r\nfunction addRefreshToken(parameters, refreshToken) {\r\n parameters.set(REFRESH_TOKEN, refreshToken);\r\n}\r\n/**\r\n * add the `code_verifier` passed by the user to exchange for a token\r\n * @param codeVerifier\r\n */\r\nfunction addCodeVerifier(parameters, codeVerifier) {\r\n parameters.set(CODE_VERIFIER, codeVerifier);\r\n}\r\n/**\r\n * add client_secret\r\n * @param clientSecret\r\n */\r\nfunction addClientSecret(parameters, clientSecret) {\r\n parameters.set(CLIENT_SECRET, clientSecret);\r\n}\r\n/**\r\n * add clientAssertion for confidential client flows\r\n * @param clientAssertion\r\n */\r\nfunction addClientAssertion(parameters, clientAssertion) {\r\n if (clientAssertion) {\r\n parameters.set(CLIENT_ASSERTION, clientAssertion);\r\n }\r\n}\r\n/**\r\n * add clientAssertionType for confidential client flows\r\n * @param clientAssertionType\r\n */\r\nfunction addClientAssertionType(parameters, clientAssertionType) {\r\n if (clientAssertionType) {\r\n parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);\r\n }\r\n}\r\n/**\r\n * add OBO assertion for confidential client flows\r\n * @param clientAssertion\r\n */\r\nfunction addOboAssertion(parameters, oboAssertion) {\r\n parameters.set(OBO_ASSERTION, oboAssertion);\r\n}\r\n/**\r\n * add grant type\r\n * @param grantType\r\n */\r\nfunction addRequestTokenUse(parameters, tokenUse) {\r\n parameters.set(REQUESTED_TOKEN_USE, tokenUse);\r\n}\r\n/**\r\n * add grant type\r\n * @param grantType\r\n */\r\nfunction addGrantType(parameters, grantType) {\r\n parameters.set(GRANT_TYPE, grantType);\r\n}\r\n/**\r\n * add client info\r\n *\r\n */\r\nfunction addClientInfo(parameters) {\r\n parameters.set(CLIENT_INFO, \"1\");\r\n}\r\nfunction addInstanceAware(parameters) {\r\n if (!parameters.has(INSTANCE_AWARE)) {\r\n parameters.set(INSTANCE_AWARE, \"true\");\r\n }\r\n}\r\n/**\r\n * Add extraParameters\r\n * @param extraParams - String dictionary containing extra pa