UNPKG

@sphereon/ssi-sdk.ms-authenticator

Version:

159 lines (157 loc) • 7.38 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
"use strict"; var __create = Object.create; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; var __getOwnPropNames = Object.getOwnPropertyNames; var __getProtoOf = Object.getPrototypeOf; var __hasOwnProp = Object.prototype.hasOwnProperty; var __name = (target, value) => __defProp(target, "name", { value, configurable: true }); var __export = (target, all) => { for (var name in all) __defProp(target, name, { get: all[name], enumerable: true }); }; var __copyProps = (to, from, except, desc) => { if (from && typeof from === "object" || typeof from === "function") { for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); } return to; }; var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps( // If the importer is in node compatibility mode or this is not an ESM // file that has been converted to a CommonJS file using a Babel- // compatible transform (i.e. "__esModule" has not been set), then set // "default" to the CommonJS "module.exports" for node compatibility. isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target, mod )); var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod); // src/index.ts var index_exports = {}; __export(index_exports, { MS_DID_ENDPOINT_EU: () => MS_DID_ENDPOINT_EU, MS_DID_ENDPOINT_NON_EU: () => MS_DID_ENDPOINT_NON_EU, UsernamePasswordAuthenticator: () => UsernamePasswordAuthenticator, assertEntraCredentialManifestUrlInCorrectRegion: () => assertEntraCredentialManifestUrlInCorrectRegion, determineMSAuthId: () => determineMSAuthId, getEntraDIDEndpoint: () => getEntraDIDEndpoint, getMSClientCredentialAccessToken: () => getMSClientCredentialAccessToken, getMSOpenIDClientRegion: () => getMSOpenIDClientRegion, newMSClientCredentialAuthenticator: () => newMSClientCredentialAuthenticator }); module.exports = __toCommonJS(index_exports); // src/authenticators/MsAuthenticator.ts var import_msal_node = require("@azure/msal-node"); var import_cross_fetch = require("cross-fetch"); var import_object_hash = __toESM(require("object-hash"), 1); var EU = "EU"; var HTTP_METHOD_GET = "GET"; var MS_DID_ENDPOINT_NON_EU = "https://beta.did.msidentity.com/v1.0/"; var MS_DID_ENDPOINT_EU = "https://beta.eu.did.msidentity.com/v1.0/"; var MS_LOGIN_PREFIX = "https://login.microsoftonline.com/"; var MS_LOGIN_OPENID_CONFIG_POSTFIX = "/v2.0/.well-known/openid-configuration"; var MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"; var ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:`; var ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = "Could not acquire verifiableCredentials to access your Azure Key Vault:\n"; var ERROR_FAILED_AUTHENTICATION = "failed to authenticate: "; async function getMSOpenIDClientRegion(azTenantId) { return (0, import_cross_fetch.fetch)(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, { method: HTTP_METHOD_GET }).then((res) => res.json()).then(async (resp) => { return resp.tenant_region_scope ?? EU; }); } __name(getMSOpenIDClientRegion, "getMSOpenIDClientRegion"); async function getEntraDIDEndpoint(opts) { const region = opts?.region ?? await getMSOpenIDClientRegion(opts.azTenantId); return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU; } __name(getEntraDIDEndpoint, "getEntraDIDEndpoint"); async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs) { const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs); if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) { throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. value: ${authenticationArgs.credentialManifestUrl}`); } return msDIDEndpoint; } __name(assertEntraCredentialManifestUrlInCorrectRegion, "assertEntraCredentialManifestUrlInCorrectRegion"); async function getMSClientCredentialAccessToken(authenticationArgs, opts) { const confidentialClient = opts?.confidentialClient ?? await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient); if (!confidentialClient) { throw Error("No Credential Client Authenticator could be constructed"); } if (authenticationArgs?.credentialManifestUrl) { await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs); } const msalClientCredentialRequest = { scopes: authenticationArgs.scopes ?? (authenticationArgs?.credentialManifestUrl ? [ MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE ] : []), skipCache: authenticationArgs.skipCache ?? false }; try { const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest); if (result) { return result; } } catch (err) { throw { error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err }; } throw { error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT }; } __name(getMSClientCredentialAccessToken, "getMSClientCredentialAccessToken"); async function newMSClientCredentialAuthenticator(authenticationArgs) { const didEndpoint = authenticationArgs?.credentialManifestUrl ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs) : void 0; const auth = authOptions(authenticationArgs); const id = (0, import_object_hash.default)(auth); const msalConfig = { auth, system: { loggerOptions: { piiLoggingEnabled: authenticationArgs.piiLoggingEnabled ? authenticationArgs.piiLoggingEnabled : false, logLevel: authenticationArgs.logLevel ? authenticationArgs.logLevel : import_msal_node.LogLevel.Verbose } } }; const confidentialClientApp = new import_msal_node.ConfidentialClientApplication(msalConfig); return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id }; } __name(newMSClientCredentialAuthenticator, "newMSClientCredentialAuthenticator"); async function UsernamePasswordAuthenticator(authenticationArgs) { const msalConfig = { auth: authOptions(authenticationArgs) }; const pca = new import_msal_node.PublicClientApplication(msalConfig); return await pca.acquireTokenByUsernamePassword(authenticationArgs).then((response) => { return response; }).catch((error) => { throw new Error(ERROR_FAILED_AUTHENTICATION + error); }); } __name(UsernamePasswordAuthenticator, "UsernamePasswordAuthenticator"); function authOptions(authenticationArgs) { return { clientId: authenticationArgs.azClientId, authority: authenticationArgs.authority ? authenticationArgs.authority : MS_LOGIN_PREFIX + authenticationArgs.azTenantId, ...authenticationArgs && "azClientSecret" in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret } }; } __name(authOptions, "authOptions"); function determineMSAuthId(authenticationArgs) { return (0, import_object_hash.default)(authOptions(authenticationArgs)); } __name(determineMSAuthId, "determineMSAuthId"); //# sourceMappingURL=index.cjs.map