UNPKG

@sphereon/ssi-sdk.ms-authenticator

Version:

154 lines (137 loc) 6.62 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
import { AuthenticationResult, ConfidentialClientApplication, Configuration, LogLevel, NodeAuthOptions, PublicClientApplication, UsernamePasswordRequest, } from '@azure/msal-node' import fetch from 'cross-fetch' import { IMSClientCredentialAuthInfo, IMsAuthenticationClientCredentialArgs, IMsAuthenticationUsernamePasswordArgs } from '../index' import hash from 'object-hash' const EU = 'EU' const HTTP_METHOD_GET = 'GET' // Event though there are many regions, MS has only 2 DID identity host names (EU and NON_EU) // https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/whats-new#are-there-any-changes-to-the-way-that-we-use-the-request-api-as-a-result-of-this-move export const MS_DID_ENDPOINT_NON_EU = 'https://beta.did.msidentity.com/v1.0/' export const MS_DID_ENDPOINT_EU = 'https://beta.eu.did.msidentity.com/v1.0/' const MS_LOGIN_PREFIX = 'https://login.microsoftonline.com/' const MS_LOGIN_OPENID_CONFIG_POSTFIX = '/v2.0/.well-known/openid-configuration' const MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE = '3db474b9-6a0c-4840-96ac-1fceb342124f/.default' const ERROR_CREDENTIAL_MANIFEST_REGION = `Error in config file. CredentialManifest URL configured for wrong tenant region. Should start with:` const ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT = 'Could not acquire verifiableCredentials to access your Azure Key Vault:\n' const ERROR_FAILED_AUTHENTICATION = 'failed to authenticate: ' // todo: This is a pretty heavy operation. Getting all the OIDC discovery data from a fetch only to return the region. Probably wise to add some caching and refactor so we can do more with the other OIDC info as well export async function getMSOpenIDClientRegion(azTenantId: string): Promise<string> { return fetch(MS_LOGIN_PREFIX + azTenantId + MS_LOGIN_OPENID_CONFIG_POSTFIX, { method: HTTP_METHOD_GET }) .then((res) => res.json()) .then(async (resp) => { return resp.tenant_region_scope ?? EU }) } export async function getEntraDIDEndpoint(opts: { region?: string; azTenantId: string }) { const region = opts?.region ?? (await getMSOpenIDClientRegion(opts.azTenantId)) return region === EU ? MS_DID_ENDPOINT_EU : MS_DID_ENDPOINT_NON_EU } export async function assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs: IMsAuthenticationClientCredentialArgs): Promise<string> { const msDIDEndpoint = await getEntraDIDEndpoint(authenticationArgs) // Check that the Credential Manifest URL is in the same tenant Region and throw an error if it's not if (!authenticationArgs.credentialManifestUrl?.startsWith(msDIDEndpoint)) { throw new Error(ERROR_CREDENTIAL_MANIFEST_REGION + msDIDEndpoint + `. value: ${authenticationArgs.credentialManifestUrl}`) } return msDIDEndpoint } /** * necessary fields are: * azClientId: clientId of the application you're trying to login * azClientSecret: secret of the application you're trying to login * azTenantId: your MS Azure tenantId * optional fields: * credentialManifest: address of your credential manifest. usually in following format: * https://beta.eu.did.msidentity.com/v1.0/<tenant_id>/verifiableCredential/contracts/<verifiable_credential_schema> * @param authenticationArgs * @constructor */ export async function getMSClientCredentialAccessToken( authenticationArgs: IMsAuthenticationClientCredentialArgs, opts?: { confidentialClient?: ConfidentialClientApplication }, ): Promise<AuthenticationResult> { const confidentialClient = opts?.confidentialClient ?? (await newMSClientCredentialAuthenticator(authenticationArgs).then((cca) => cca.confidentialClient)) if (!confidentialClient) { throw Error('No Credential Client Authenticator could be constructed') } if (authenticationArgs?.credentialManifestUrl) { await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs) } const msalClientCredentialRequest = { scopes: authenticationArgs.scopes ?? (authenticationArgs?.credentialManifestUrl ? [MS_CLIENT_CREDENTIAL_DEFAULT_SCOPE] : []), skipCache: authenticationArgs.skipCache ?? false, } // get the Access Token try { const result = await confidentialClient.acquireTokenByClientCredential(msalClientCredentialRequest) if (result) { return result } } catch (err) { throw { error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT + err, } } throw { error: ERROR_ACQUIRE_ACCESS_TOKEN_FOR_CLIENT, } } export async function newMSClientCredentialAuthenticator( authenticationArgs: IMsAuthenticationClientCredentialArgs, ): Promise<IMSClientCredentialAuthInfo> { const didEndpoint = authenticationArgs?.credentialManifestUrl ? await assertEntraCredentialManifestUrlInCorrectRegion(authenticationArgs) : undefined const auth = authOptions(authenticationArgs) const id = hash(auth) const msalConfig: Configuration = { auth, system: { loggerOptions: { piiLoggingEnabled: authenticationArgs.piiLoggingEnabled ? authenticationArgs.piiLoggingEnabled : false, logLevel: authenticationArgs.logLevel ? authenticationArgs.logLevel : LogLevel.Verbose, }, }, } const confidentialClientApp = new ConfidentialClientApplication(msalConfig) return { confidentialClient: confidentialClientApp, msalConfig, authenticationArgs, didEndpoint, id } } /** * Logs in with provided authenticationArgs and returns access token * @param authenticationArgs * @constructor */ export async function UsernamePasswordAuthenticator(authenticationArgs: IMsAuthenticationUsernamePasswordArgs): Promise<string> { const msalConfig = { auth: authOptions(authenticationArgs), } const pca = new PublicClientApplication(msalConfig) return await pca .acquireTokenByUsernamePassword(authenticationArgs as UsernamePasswordRequest) .then((response: any) => { return response }) .catch((error: any) => { throw new Error(ERROR_FAILED_AUTHENTICATION + error) }) } function authOptions(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): NodeAuthOptions { return { clientId: authenticationArgs.azClientId, authority: authenticationArgs.authority ? authenticationArgs.authority : MS_LOGIN_PREFIX + authenticationArgs.azTenantId, ...(authenticationArgs && 'azClientSecret' in authenticationArgs && { clientSecret: authenticationArgs.azClientSecret }), } } export function determineMSAuthId(authenticationArgs: IMsAuthenticationClientCredentialArgs | IMsAuthenticationUsernamePasswordArgs): string { return hash(authOptions(authenticationArgs)) }