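var __defProp = Object.defineProperty;
var __name = (target, value) => __defProp(target, "name", { value, configurable: true });

// src/authenticators/MsAuthenticator.ts
import { ConfidentialClientApplication, LogLevel, PublicClientApplication } from "@azure/msal-node";
import { fetch } from "cross-fetch";
import hash from "object-hash";

var EU = "EU";
var HTTP_METHOD_GET = "GET";
// Every endpoint constant is an absolute https URL ending in "/", so a
// startsWith() check against one of them pins both host and base path.
var MS_DID_ENDPOINT_NON_EU = "https://beta.did.msidentity.com/v1.0/";
var MS_DID_ENDPOINT_EU = "https://beta.eu.did.msidentity.com/v1.0/";
var MS_LOGIN_PREFIX = "https://login.microsoftonline.com/";
var MS_LOGIN_OPENID_CONFIG_POSTFIX = "/v2.0/.well-known/openid-configuration";
// Application id the client-credential token is requested for; presumably
// the Entra Verified ID service — confirm against Microsoft's documentation.
var MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = "3db474b9-6a0c-4840-96ac-1fceb342124f/.default";
var ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:`;
// NOTE(review): the wording mentions Key Vault but this error is raised for the
// client-credential token request; kept verbatim because callers may match on it.
var ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = "Could not acquire verifiableCredentials to access your Azure Key Vault:\n";
var ERROR_FAILED_AUTHENTICATION = "failed to authenticate: ";

/**
 * Reads the region scope of an Entra (Azure AD) tenant from its public OpenID
 * configuration document.
 *
 * @param azTenantId tenant id (GUID, verified domain, or an alias such as
 *   "common"); it becomes a path segment of the discovery URL and is therefore
 *   URI-encoded so it cannot spill into further path segments or the query.
 * @returns the document's `tenant_region_scope`, or "EU" when the field is
 *   absent or null. Callers turn "EU" into the EU DID endpoint, so "unknown
 *   region" is effectively treated as EU.
 * @throws Error when `azTenantId` is not a non-empty string, or when the
 *   discovery endpoint answers with a non-2xx status (e.g. an unknown tenant).
 *   Such error bodies carry no `tenant_region_scope`, so without this check a
 *   misconfigured tenant id silently resolved to EU.
 */
async function getMSOpenIDClientRegion(azTenantId) {
  if (typeof azTenantId !== "string" || azTenantId.length === 0) {
    throw new Error("azTenantId must be a non-empty string");
  }
  const url = MS_LOGIN_PREFIX + encodeURIComponent(azTenantId) + MS_LOGIN_OPENID_CONFIG_POSTFIX;
  const res = await fetch(url, { method: HTTP_METHOD_GET });
  if (!res.ok) {
    throw new Error(`Could not fetch OpenID configuration for tenant ${azTenantId}: HTTP ${res.status}`);
  }
  const resp = await res.json();
  return resp.tenant_region_scope ?? EU;
}
__name(getMSOpenIDClientRegion, "getMSOpenIDClientRegion");

/**
 * Resolves the Entra Verified ID (DID) base endpoint for a tenant.
 *
 * @param opts object with an optional `region`; when absent the region is
 *   looked up online via `opts.azTenantId`.
 * @returns MS_DID_ENDPOINT_EU when the region is "EU", MS_DID_ENDPOINT_NON_EU
 *   for any other region value.
 */
async function getEntraDIDEndpoint(opts) {
  const region = opts?.region ?? (await getMSOpenIDClientRegion(opts?.azTenantId));
  return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU;
}
__name(getEntraDIDEndpoint, "getEntraDIDEndpoint");

/**
 * Ensures the configured credential manifest URL lives on the DID endpoint of
 * the tenant's own region, so a manifest from another region (or another
 * host altogether) is rejected before any token is requested.
 *
 * @param authenticationArgs needs `credentialManifestUrl`, plus `region` or
 *   `azTenantId` for the endpoint lookup.
 * @returns the DID endpoint the manifest URL was validated against.
 * @throws Error when `credentialManifestUrl` is missing or does not start with
 *   that endpoint.
 */
async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs) {
  const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs);
  if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) {
    throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. 
value: ${authenticationArgs.credentialManifestUrl}`);
  }
  return msDIDEndpoint;
}
__name(assertEntraCredentialManifestUrlInCorrectRegion, "assertEntraCredentialManifestUrlInCorrectRegion");

/**
 * Acquires an access token with the OAuth2 client-credentials flow.
 *
 * @param authenticationArgs MSAL auth settings (`azClientId`, `azTenantId`,
 *   `azClientSecret`, optional `authority`), optional `scopes`, optional
 *   `skipCache`, optional `credentialManifestUrl`.
 * @param opts optional `confidentialClient` to reuse instead of building one.
 * @returns the MSAL AuthenticationResult.
 * @throws a plain object `{ error: string }` (not an Error — callers read
 *   `.error`, so this shape is kept) when the token request fails or yields
 *   no result; an Error when no client could be built or the manifest URL is
 *   in the wrong region.
 */
async function getMSClientCredentialAccessToken(authenticationArgs, opts) {
  const confidentialClient =
    opts?.confidentialClient ??
    (await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient));
  if (!confidentialClient) {
    throw Error("No Credential Client Authenticator could be constructed");
  }
  // Re-validated here as well so a caller-supplied client cannot bypass the
  // region check performed by newMSClientCredentialAuthenticator.
  if (authenticationArgs?.credentialManifestUrl) {
    await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs);
  }
  // Without explicit scopes, the Verified ID default scope is used only when a
  // manifest URL is configured; otherwise an empty scope list is sent.
  const defaultScopes = authenticationArgs?.credentialManifestUrl ? [MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE] : [];
  const msalClientCredentialRequest = {
    scopes: authenticationArgs.scopes ?? defaultScopes,
    skipCache: authenticationArgs.skipCache ?? false,
  };
  try {
    const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest);
    if (result) {
      return result;
    }
  } catch (err) {
    throw { error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err };
  }
  throw { error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT };
}
__name(getMSClientCredentialAccessToken, "getMSClientCredentialAccessToken");

/**
 * Builds an MSAL ConfidentialClientApplication for the given settings.
 *
 * @param authenticationArgs MSAL auth settings plus optional `piiLoggingEnabled`,
 *   `logLevel`, `credentialManifestUrl` and `region`.
 * @returns `{ confidentialClient, msalConfig, authenticationArgs, didEndpoint, id }`
 *   where `didEndpoint` is set only when a manifest URL was validated, and
 *   `id` is `hash()` of the auth options. Because those options include the
 *   client secret when present, treat `id` as an opaque cache key and do not
 *   log it.
 * @throws Error when `credentialManifestUrl` is set but not in the tenant's region.
 */
async function newMSClientCredentialAuthenticator(authenticationArgs) {
  const didEndpoint = authenticationArgs?.credentialManifestUrl
    ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs)
    : void 0;
  const auth = authOptions(authenticationArgs);
  const id = hash(auth);
  const msalConfig = {
    auth,
    system: {
      loggerOptions: {
        // PII logging is opt-in; MSAL then emits account/user identifiers into logs.
        piiLoggingEnabled: Boolean(authenticationArgs.piiLoggingEnabled),
        // `??` rather than a truthiness test: msal's LogLevel is a numeric enum
        // whose lowest member is 0, so a truthiness test silently replaced a
        // deliberately quiet setting with Verbose. Verbose remains the default
        // when nothing is configured; consider lowering it in production.
        logLevel: authenticationArgs.logLevel ?? LogLevel.Verbose,
      },
    },
  };
  const confidentialClientApp = new ConfidentialClientApplication(msalConfig);
  return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id };
}
__name(newMSClientCredentialAuthenticator, "newMSClientCredentialAuthenticator");

/**
 * Acquires a token with the Resource Owner Password Credentials flow.
 *
 * SECURITY: ROPC sends the user's password straight to the token endpoint,
 * bypasses MFA and conditional access, and is discouraged by Microsoft; use it
 * only for legacy/test scenarios. The whole `authenticationArgs` object is
 * passed as the MSAL request (it must carry `username`, `password` and
 * `scopes`); presumably MSAL ignores the extra auth fields — confirm.
 *
 * @returns the MSAL AuthenticationResult.
 * @throws Error prefixed with ERROR_FAILED_AUTHENTICATION on any failure.
 */
async function UsernamePasswordAuthenticator(authenticationArgs) {
  const msalConfig = { auth: authOptions(authenticationArgs) };
  const pca = new PublicClientApplication(msalConfig);
  try {
    return await pca.acquireTokenByUsernamePassword(authenticationArgs);
  } catch (error) {
    throw new Error(ERROR_FAILED_AUTHENTICATION + error);
  }
}
__name(UsernamePasswordAuthenticator, "UsernamePasswordAuthenticator");

/**
 * Maps the package's settings onto MSAL `auth` options.
 *
 * @returns `{ clientId, authority, clientSecret? }`; `authority` falls back to
 *   MS_LOGIN_PREFIX + tenant id, `clientSecret` is included only when the
 *   `azClientSecret` key is present.
 */
function authOptions(authenticationArgs) {
  return {
    clientId: authenticationArgs.azClientId,
    authority: authenticationArgs.authority || MS_LOGIN_PREFIX + authenticationArgs.azTenantId,
    ...(authenticationArgs && "azClientSecret" in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret }),
  };
}
__name(authOptions, "authOptions");

/**
 * Stable identifier for a set of MSAL auth options (`hash()` of
 * `authOptions(...)`). The hashed object can include the client secret, so
 * the id is derived from secret material: use it only as an opaque key.
 */
function determineMSAuthId(authenticationArgs) {
  return hash(authOptions(authenticationArgs));
}
__name(determineMSAuthId, "determineMSAuthId");

export {
  MS_DID_ENDPOINT_EU,
  MS_DID_ENDPOINT_NON_EU,
  UsernamePasswordAuthenticator,
  assertEntraCredentialManifestUrlInCorrectRegion,
  determineMSAuthId,
  getEntraDIDEndpoint,
  getMSClientCredentialAccessToken,
  getMSOpenIDClientRegion,
  newMSClientCredentialAuthenticator,
};
//# sourceMappingURL=index.js.map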