/
UserAgentApplication.ts
2409 lines (2115 loc) · 111 KB
/
UserAgentApplication.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AccessTokenCacheItem } from "./cache/AccessTokenCacheItem";
import { AccessTokenKey } from "./cache/AccessTokenKey";
import { AccessTokenValue } from "./cache/AccessTokenValue";
import { ServerRequestParameters } from "./ServerRequestParameters";
import { Authority, AuthorityType } from "./authority/Authority";
import { ClientInfo } from "./ClientInfo";
import { IdToken } from "./IdToken";
import { Logger } from "./Logger";
import { AuthCache } from "./cache/AuthCache";
import { Account } from "./Account";
import { ScopeSet } from "./ScopeSet";
import { StringUtils } from "./utils/StringUtils";
import { WindowUtils } from "./utils/WindowUtils";
import { TokenUtils } from "./utils/TokenUtils";
import { TimeUtils } from "./utils/TimeUtils";
import { UrlUtils } from "./utils/UrlUtils";
import { RequestUtils } from "./utils/RequestUtils";
import { ResponseUtils } from "./utils/ResponseUtils";
import { AuthorityFactory } from "./authority/AuthorityFactory";
import { Configuration, buildConfiguration, TelemetryOptions } from "./Configuration";
import { AuthenticationParameters } from "./AuthenticationParameters";
import { ClientConfigurationError } from "./error/ClientConfigurationError";
import { AuthError } from "./error/AuthError";
import { ClientAuthError, ClientAuthErrorMessage } from "./error/ClientAuthError";
import { ServerError } from "./error/ServerError";
import { InteractionRequiredAuthError } from "./error/InteractionRequiredAuthError";
import { AuthResponse, buildResponseStateOnly } from "./AuthResponse";
import TelemetryManager from "./telemetry/TelemetryManager";
import { TelemetryPlatform, TelemetryConfig } from "./telemetry/TelemetryTypes";
import ApiEvent, { API_EVENT_IDENTIFIER } from "./telemetry/ApiEvent";
import { Constants,
ServerHashParamKeys,
InteractionType,
ResponseTypes,
TemporaryCacheKeys,
PersistentCacheKeys,
ErrorCacheKeys,
FramePrefix
} from "./utils/Constants";
import { CryptoUtils } from "./utils/CryptoUtils";
import { TrustedAuthority } from "./authority/TrustedAuthority";
import { AuthCacheUtils } from "./utils/AuthCacheUtils";
// default authority
const DEFAULT_AUTHORITY = "https://login.microsoftonline.com/common";
/**
* Interface to handle iFrame generation, Popup Window creation and redirect handling
*/
declare global {
// eslint-disable-next-line
interface Window {
msal: Object;
CustomEvent: CustomEvent;
Event: Event;
activeRenewals: {};
renewStates: Array<string>;
callbackMappedToRenewStates : {};
promiseMappedToRenewStates: {};
openedWindows: Array<Window>;
requestType: string;
}
}
/**
* @hidden
* @ignore
*/
export interface CacheResult {
errorDesc: string;
token: string;
error: string;
}
/**
* @hidden
* @ignore
* Data type to hold information about state returned from the server
*/
export type ResponseStateInfo = {
state: string;
timestamp: number,
method: string;
stateMatch: boolean;
requestType: string;
};
/**
* A type alias for an authResponseCallback function.
* {@link (authResponseCallback:type)}
* @param authErr error created for failure cases
* @param response response containing token strings in success cases, or just state value in error cases
*/
export type authResponseCallback = (authErr: AuthError, response?: AuthResponse) => void;
/**
* A type alias for a tokenReceivedCallback function.
* {@link (tokenReceivedCallback:type)}
* @returns response of type {@link (AuthResponse:type)}
* The function that will get the call back once this API is completed (either successfully or with a failure).
*/
export type tokenReceivedCallback = (response: AuthResponse) => void;
/**
* A type alias for a errorReceivedCallback function.
* {@link (errorReceivedCallback:type)}
* @returns response of type {@link (AuthError:class)}
* @returns {string} account state
*/
export type errorReceivedCallback = (authErr: AuthError, accountState: string) => void;
/**
* UserAgentApplication class
*
* Object Instance that the developer can use to make loginXX OR acquireTokenXX functions
*/
export class UserAgentApplication {
// input Configuration by the developer/user
private config: Configuration;
// callbacks for token/error
private authResponseCallback: authResponseCallback = null;
private tokenReceivedCallback: tokenReceivedCallback = null;
private errorReceivedCallback: errorReceivedCallback = null;
// Added for readability as these params are very frequently used
private logger: Logger;
private clientId: string;
private inCookie: boolean;
private telemetryManager: TelemetryManager;
// Cache and Account info referred across token grant flow
protected cacheStorage: AuthCache;
private account: Account;
// state variables
private silentAuthenticationState: string;
private silentLogin: boolean;
private redirectResponse: AuthResponse;
private redirectError: AuthError;
// Authority Functionality
protected authorityInstance: Authority;
/**
* setter for the authority URL
* @param {string} authority
*/
// If the developer passes an authority, create an instance
public set authority(val: string) {
this.authorityInstance = AuthorityFactory.CreateInstance(val, this.config.auth.validateAuthority);
}
/**
* Method to manage the authority URL.
*
* @returns {string} authority
*/
public get authority(): string {
return this.authorityInstance.CanonicalAuthority;
}
/**
* Get the current authority instance from the MSAL configuration object
*
* @returns {@link Authority} authority instance
*/
public getAuthorityInstance(): Authority {
return this.authorityInstance;
}
/**
* @constructor
* Constructor for the UserAgentApplication used to instantiate the UserAgentApplication object
*
* Important attributes in the Configuration object for auth are:
* - clientID: the application ID of your application.
* You can obtain one by registering your application with our Application registration portal : https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview
* - authority: the authority URL for your application.
*
* In Azure AD, authority is a URL indicating the Azure active directory that MSAL uses to obtain tokens.
* It is of the form https://login.microsoftonline.com/<Enter_the_Tenant_Info_Here>.
* If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
* If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
* If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
* To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.
*
*
* In Azure B2C, authority is of the form https://<instance>/tfp/<tenant>/<policyName>/
*
* @param {@link (Configuration:type)} configuration object for the MSAL UserAgentApplication instance
*/
constructor(configuration: Configuration) {
// Set the Configuration
this.config = buildConfiguration(configuration);
this.logger = this.config.system.logger;
this.clientId = this.config.auth.clientId;
this.inCookie = this.config.cache.storeAuthStateInCookie;
this.telemetryManager = this.getTelemetryManagerFromConfig(this.config.system.telemetry, this.clientId);
TrustedAuthority.setTrustedAuthoritiesFromConfig(this.config.auth.validateAuthority, this.config.auth.knownAuthorities);
AuthorityFactory.saveMetadataFromConfig(this.config.auth.authority, this.config.auth.authorityMetadata);
// if no authority is passed, set the default: "https://login.microsoftonline.com/common"
this.authority = this.config.auth.authority || DEFAULT_AUTHORITY;
// cache keys msal - typescript throws an error if any value other than "localStorage" or "sessionStorage" is passed
this.cacheStorage = new AuthCache(this.clientId, this.config.cache.cacheLocation, this.inCookie);
// Initialize window handling code
if (!window.activeRenewals) {
window.activeRenewals = {};
}
if (!window.renewStates) {
window.renewStates = [];
}
if (!window.callbackMappedToRenewStates) {
window.callbackMappedToRenewStates = {};
}
if (!window.promiseMappedToRenewStates) {
window.promiseMappedToRenewStates = {};
}
window.msal = this;
const urlHash = window.location.hash;
const urlContainsHash = UrlUtils.urlContainsHash(urlHash);
// check if back button is pressed
WindowUtils.checkIfBackButtonIsPressed(this.cacheStorage);
// On the server 302 - Redirect, handle this
if (urlContainsHash && this.cacheStorage.isInteractionInProgress(true)) {
const stateInfo = this.getResponseState(urlHash);
if (stateInfo.method === Constants.interactionTypeRedirect) {
this.handleRedirectAuthenticationResponse(urlHash);
}
}
}
// #region Redirect Callbacks
/**
* @hidden
* @ignore
* Set the callback functions for the redirect flow to send back the success or error object.
* @param {@link (tokenReceivedCallback:type)} successCallback - Callback which contains the AuthResponse object, containing data from the server.
* @param {@link (errorReceivedCallback:type)} errorCallback - Callback which contains a AuthError object, containing error data from either the server
* or the library, depending on the origin of the error.
*/
handleRedirectCallback(tokenReceivedCallback: tokenReceivedCallback, errorReceivedCallback: errorReceivedCallback): void;
handleRedirectCallback(authCallback: authResponseCallback): void;
handleRedirectCallback(authOrTokenCallback: authResponseCallback | tokenReceivedCallback, errorReceivedCallback?: errorReceivedCallback): void {
if (!authOrTokenCallback) {
throw ClientConfigurationError.createInvalidCallbackObjectError(authOrTokenCallback);
}
// Set callbacks
if (errorReceivedCallback) {
this.tokenReceivedCallback = authOrTokenCallback as tokenReceivedCallback;
this.errorReceivedCallback = errorReceivedCallback;
this.logger.warning("This overload for callback is deprecated - please change the format of the callbacks to a single callback as shown: (err: AuthError, response: AuthResponse).");
} else {
this.authResponseCallback = authOrTokenCallback as authResponseCallback;
}
if (this.redirectError) {
this.authErrorHandler(Constants.interactionTypeRedirect, this.redirectError, this.redirectResponse);
} else if (this.redirectResponse) {
this.authResponseHandler(Constants.interactionTypeRedirect, this.redirectResponse);
}
}
/**
* Public API to verify if the URL contains the hash with known properties
* @param hash
*/
public urlContainsHash(hash: string): boolean {
this.logger.verbose("UrlContainsHash has been called");
return UrlUtils.urlContainsHash(hash);
}
private authResponseHandler(interactionType: InteractionType, response: AuthResponse, resolve?: Function) : void {
this.logger.verbose("AuthResponseHandler has been called");
if (interactionType === Constants.interactionTypeRedirect) {
this.logger.verbose("Interaction type is redirect");
if (this.errorReceivedCallback) {
this.logger.verbose("Two callbacks were provided to handleRedirectCallback, calling success callback with response");
this.tokenReceivedCallback(response);
} else if (this.authResponseCallback) {
this.logger.verbose("One callback was provided to handleRedirectCallback, calling authResponseCallback with response");
this.authResponseCallback(null, response);
}
} else if (interactionType === Constants.interactionTypePopup) {
this.logger.verbose("Interaction type is popup, resolving");
resolve(response);
} else {
throw ClientAuthError.createInvalidInteractionTypeError();
}
}
private authErrorHandler(interactionType: InteractionType, authErr: AuthError, response: AuthResponse, reject?: Function) : void {
this.logger.verbose("AuthErrorHandler has been called");
// set interaction_status to complete
this.cacheStorage.setInteractionInProgress(false);
if (interactionType === Constants.interactionTypeRedirect) {
this.logger.verbose("Interaction type is redirect");
if (this.errorReceivedCallback) {
this.logger.verbose("Two callbacks were provided to handleRedirectCallback, calling error callback");
this.errorReceivedCallback(authErr, response.accountState);
} else if (this.authResponseCallback) {
this.logger.verbose("One callback was provided to handleRedirectCallback, calling authResponseCallback with error");
this.authResponseCallback(authErr, response);
} else {
this.logger.verbose("handleRedirectCallback has not been called and no callbacks are registered, throwing error");
throw authErr;
}
} else if (interactionType === Constants.interactionTypePopup) {
this.logger.verbose("Interaction type is popup, rejecting");
reject(authErr);
} else {
throw ClientAuthError.createInvalidInteractionTypeError();
}
}
// #endregion
/**
* Use when initiating the login process by redirecting the user's browser to the authorization endpoint.
* @param {@link (AuthenticationParameters:type)}
*/
loginRedirect(userRequest?: AuthenticationParameters): void {
this.logger.verbose("LoginRedirect has been called");
// validate request
const request: AuthenticationParameters = RequestUtils.validateRequest(userRequest, true, this.clientId, Constants.interactionTypeRedirect);
this.acquireTokenInteractive(Constants.interactionTypeRedirect, true, request, null, null);
}
/**
* Use when you want to obtain an access_token for your API by redirecting the user's browser window to the authorization endpoint.
* @param {@link (AuthenticationParameters:type)}
*
* To renew idToken, please pass clientId as the only scope in the Authentication Parameters
*/
acquireTokenRedirect(userRequest: AuthenticationParameters): void {
this.logger.verbose("AcquireTokenRedirect has been called");
// validate request
const request: AuthenticationParameters = RequestUtils.validateRequest(userRequest, false, this.clientId, Constants.interactionTypeRedirect);
this.acquireTokenInteractive(Constants.interactionTypeRedirect, false, request, null, null);
}
/**
* Use when initiating the login process via opening a popup window in the user's browser
*
* @param {@link (AuthenticationParameters:type)}
*
* @returns {Promise.<AuthResponse>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse} object
*/
loginPopup(userRequest?: AuthenticationParameters): Promise<AuthResponse> {
this.logger.verbose("LoginPopup has been called");
// validate request
const request: AuthenticationParameters = RequestUtils.validateRequest(userRequest, true, this.clientId, Constants.interactionTypePopup);
const apiEvent: ApiEvent = this.telemetryManager.createAndStartApiEvent(request.correlationId, API_EVENT_IDENTIFIER.LoginPopup);
return new Promise<AuthResponse>((resolve, reject) => {
this.acquireTokenInteractive(Constants.interactionTypePopup, true, request, resolve, reject);
})
.then((resp) => {
this.logger.verbose("Successfully logged in");
this.telemetryManager.stopAndFlushApiEvent(request.correlationId, apiEvent, true);
return resp;
})
.catch((error: AuthError) => {
this.cacheStorage.resetTempCacheItems(request.state);
this.telemetryManager.stopAndFlushApiEvent(request.correlationId, apiEvent, false, error.errorCode);
throw error;
});
}
/**
* Use when you want to obtain an access_token for your API via opening a popup window in the user's browser
* @param {@link AuthenticationParameters}
*
* To renew idToken, please pass clientId as the only scope in the Authentication Parameters
* @returns {Promise.<AuthResponse>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse} object
*/
acquireTokenPopup(userRequest: AuthenticationParameters): Promise<AuthResponse> {
this.logger.verbose("AcquireTokenPopup has been called");
// validate request
const request: AuthenticationParameters = RequestUtils.validateRequest(userRequest, false, this.clientId, Constants.interactionTypePopup);
const apiEvent: ApiEvent = this.telemetryManager.createAndStartApiEvent(request.correlationId, API_EVENT_IDENTIFIER.AcquireTokenPopup);
return new Promise<AuthResponse>((resolve, reject) => {
this.acquireTokenInteractive(Constants.interactionTypePopup, false, request, resolve, reject);
})
.then((resp) => {
this.logger.verbose("Successfully acquired token");
this.telemetryManager.stopAndFlushApiEvent(request.correlationId, apiEvent, true);
return resp;
})
.catch((error: AuthError) => {
this.cacheStorage.resetTempCacheItems(request.state);
this.telemetryManager.stopAndFlushApiEvent(request.correlationId, apiEvent, false, error.errorCode);
throw error;
});
}
// #region Acquire Token
/**
* Use when initiating the login process or when you want to obtain an access_token for your API,
* either by redirecting the user's browser window to the authorization endpoint or via opening a popup window in the user's browser.
* @param {@link (AuthenticationParameters:type)}
*
* To renew idToken, please pass clientId as the only scope in the Authentication Parameters
*/
private acquireTokenInteractive(interactionType: InteractionType, isLoginCall: boolean, request: AuthenticationParameters, resolve?: Function, reject?: Function): void {
this.logger.verbose("AcquireTokenInteractive has been called");
// block the request if made from the hidden iframe
WindowUtils.blockReloadInHiddenIframes();
const interactionProgress = this.cacheStorage.isInteractionInProgress(false);
if(interactionType === Constants.interactionTypeRedirect) {
this.cacheStorage.setItem(TemporaryCacheKeys.REDIRECT_REQUEST, `${Constants.inProgress}${Constants.resourceDelimiter}${request.state}`);
}
// If already in progress, do not proceed
if (interactionProgress) {
const thrownError = isLoginCall ? ClientAuthError.createLoginInProgressError() : ClientAuthError.createAcquireTokenInProgressError();
const stateOnlyResponse = buildResponseStateOnly(this.getAccountState(request.state));
this.cacheStorage.resetTempCacheItems(request.state);
this.authErrorHandler(interactionType,
thrownError,
stateOnlyResponse,
reject);
return;
}
// Get the account object if a session exists
let account: Account;
if (request && request.account && !isLoginCall) {
account = request.account;
this.logger.verbose("Account set from request");
} else {
account = this.getAccount();
this.logger.verbose("Account set from MSAL Cache");
}
// If no session exists, prompt the user to login.
if (!account && !ServerRequestParameters.isSSOParam(request)) {
if (isLoginCall) {
// extract ADAL id_token if exists
const adalIdToken = this.extractADALIdToken();
// silent login if ADAL id_token is retrieved successfully - SSO
if (adalIdToken && !request.scopes) {
this.logger.info("ADAL's idToken exists. Extracting login information from ADAL's idToken");
const tokenRequest: AuthenticationParameters = this.buildIDTokenRequest(request);
this.silentLogin = true;
this.acquireTokenSilent(tokenRequest).then(response => {
this.silentLogin = false;
this.logger.info("Unified cache call is successful");
this.authResponseHandler(interactionType, response, resolve);
return;
}, (error) => {
this.silentLogin = false;
this.logger.error("Error occurred during unified cache ATS: " + error);
// proceed to login since ATS failed
this.acquireTokenHelper(null, interactionType, isLoginCall, request, resolve, reject);
});
}
// No ADAL token found, proceed to login
else {
this.logger.verbose("Login call but no token found, proceed to login");
this.acquireTokenHelper(null, interactionType, isLoginCall, request, resolve, reject);
}
}
// AcquireToken call, but no account or context given, so throw error
else {
this.logger.verbose("AcquireToken call, no context or account given");
this.logger.info("User login is required");
const stateOnlyResponse = buildResponseStateOnly(this.getAccountState(request.state));
this.cacheStorage.resetTempCacheItems(request.state);
this.authErrorHandler(interactionType,
ClientAuthError.createUserLoginRequiredError(),
stateOnlyResponse,
reject);
return;
}
}
// User session exists
else {
this.logger.verbose("User session exists, login not required");
this.acquireTokenHelper(account, interactionType, isLoginCall, request, resolve, reject);
}
}
/**
* @hidden
* @ignore
* Helper function to acquireToken
*
*/
private async acquireTokenHelper(account: Account, interactionType: InteractionType, isLoginCall: boolean, request: AuthenticationParameters, resolve?: Function, reject?: Function): Promise<void> {
this.logger.verbose("AcquireTokenHelper has been called");
this.logger.verbose(`Interaction type: ${interactionType}. isLoginCall: ${isLoginCall}`);
// Track the acquireToken progress
this.cacheStorage.setInteractionInProgress(true);
const requestSignature = request.scopes ? request.scopes.join(" ").toLowerCase() : Constants.oidcScopes.join(" ");
this.logger.verbosePii(`Request signature: ${requestSignature}`);
let serverAuthenticationRequest: ServerRequestParameters;
const acquireTokenAuthority = (request && request.authority) ? AuthorityFactory.CreateInstance(request.authority, this.config.auth.validateAuthority, request.authorityMetadata) : this.authorityInstance;
let popUpWindow: Window;
try {
if (!acquireTokenAuthority.hasCachedMetadata()) {
this.logger.verbose("No cached metadata for authority");
await AuthorityFactory.saveMetadataFromNetwork(acquireTokenAuthority, this.telemetryManager, request.correlationId);
} else {
this.logger.verbose("Cached metadata found for authority");
}
// On Fulfillment
const responseType: string = isLoginCall ? ResponseTypes.id_token : this.getTokenType(account, request.scopes);
const loginStartPage = request.redirectStartPage || window.location.href;
serverAuthenticationRequest = new ServerRequestParameters(
acquireTokenAuthority,
this.clientId,
responseType,
this.getRedirectUri(request && request.redirectUri),
request.scopes,
request.state,
request.correlationId
);
this.logger.verbose("Finished building server authentication request");
this.updateCacheEntries(serverAuthenticationRequest, account, isLoginCall, loginStartPage);
this.logger.verbose("Updating cache entries");
// populate QueryParameters (sid/login_hint) and any other extraQueryParameters set by the developer
serverAuthenticationRequest.populateQueryParams(account, request);
this.logger.verbose("Query parameters populated from account");
// Construct urlNavigate
const urlNavigate = UrlUtils.createNavigateUrl(serverAuthenticationRequest) + Constants.response_mode_fragment;
// set state in cache
if (interactionType === Constants.interactionTypeRedirect) {
if (!isLoginCall) {
this.cacheStorage.setItem(AuthCache.generateTemporaryCacheKey(TemporaryCacheKeys.STATE_ACQ_TOKEN, request.state), serverAuthenticationRequest.state, this.inCookie);
this.logger.verbose("State cached for redirect");
this.logger.verbosePii(`State cached: ${serverAuthenticationRequest.state}`);
} else {
this.logger.verbose("Interaction type redirect but login call is true. State not cached");
}
} else if (interactionType === Constants.interactionTypePopup) {
window.renewStates.push(serverAuthenticationRequest.state);
window.requestType = isLoginCall ? Constants.login : Constants.renewToken;
this.logger.verbose("State saved to window");
this.logger.verbosePii(`State saved: ${serverAuthenticationRequest.state}`);
// Register callback to capture results from server
this.registerCallback(serverAuthenticationRequest.state, requestSignature, resolve, reject);
} else {
this.logger.verbose("Invalid interaction error. State not cached");
throw ClientAuthError.createInvalidInteractionTypeError();
}
if (interactionType === Constants.interactionTypePopup) {
this.logger.verbose("Interaction type is popup. Generating popup window");
// Generate a popup window
try {
popUpWindow = this.openPopup(urlNavigate, "msal", Constants.popUpWidth, Constants.popUpHeight);
// Push popup window handle onto stack for tracking
WindowUtils.trackPopup(popUpWindow);
} catch (e) {
this.logger.info(ClientAuthErrorMessage.popUpWindowError.code + ":" + ClientAuthErrorMessage.popUpWindowError.desc);
this.cacheStorage.setItem(ErrorCacheKeys.ERROR, ClientAuthErrorMessage.popUpWindowError.code);
this.cacheStorage.setItem(ErrorCacheKeys.ERROR_DESC, ClientAuthErrorMessage.popUpWindowError.desc);
if (reject) {
reject(ClientAuthError.createPopupWindowError());
return;
}
}
// popUpWindow will be null for redirects, so we dont need to attempt to monitor the window
if (popUpWindow) {
try {
const hash = await WindowUtils.monitorPopupForHash(popUpWindow, this.config.system.loadFrameTimeout, urlNavigate, this.logger);
this.handleAuthenticationResponse(hash);
// Request completed successfully, set to completed
this.cacheStorage.setInteractionInProgress(false);
this.logger.info("Closing popup window");
// TODO: Check how this can be extracted for any framework specific code?
if (this.config.framework.isAngular) {
this.broadcast("msal:popUpHashChanged", hash);
}
WindowUtils.closePopups();
} catch (error) {
if (reject) {
reject(error);
}
if (this.config.framework.isAngular) {
this.broadcast("msal:popUpClosed", error.errorCode + Constants.resourceDelimiter + error.errorMessage);
} else {
// Request failed, set to canceled
this.cacheStorage.setInteractionInProgress(false);
popUpWindow.close();
}
}
}
} else {
// If onRedirectNavigate is implemented, invoke it and provide urlNavigate
if (request.onRedirectNavigate) {
this.logger.verbose("Invoking onRedirectNavigate callback");
const navigate = request.onRedirectNavigate(urlNavigate);
// Returning false from onRedirectNavigate will stop navigation
if (navigate !== false) {
this.logger.verbose("onRedirectNavigate did not return false, navigating");
this.navigateWindow(urlNavigate);
} else {
this.logger.verbose("onRedirectNavigate returned false, stopping navigation");
}
} else {
// Otherwise, perform navigation
this.logger.verbose("Navigating window to urlNavigate");
this.navigateWindow(urlNavigate);
}
}
} catch (err) {
this.logger.error(err);
this.cacheStorage.resetTempCacheItems(request.state);
this.authErrorHandler(interactionType, ClientAuthError.createEndpointResolutionError(err.toString), buildResponseStateOnly(request.state), reject);
if (popUpWindow) {
popUpWindow.close();
}
}
}
/**
* API interfacing idToken request when applications already have a session/hint acquired by authorization client applications
* @param request
*/
ssoSilent(request: AuthenticationParameters): Promise<AuthResponse> {
this.logger.verbose("ssoSilent has been called");
// throw an error on an empty request
if (!request) {
throw ClientConfigurationError.createEmptyRequestError();
}
// throw an error on no hints passed
if (!request.sid && !request.loginHint) {
throw ClientConfigurationError.createSsoSilentError();
}
return this.acquireTokenSilent({
...request,
scopes: Constants.oidcScopes
});
}
/**
* Use this function to obtain a token before every call to the API / resource provider
*
* MSAL return's a cached token when available
* Or it send's a request to the STS to obtain a new token using a hidden iframe.
*
* @param {@link AuthenticationParameters}
*
* To renew idToken, please pass clientId as the only scope in the Authentication Parameters
* @returns {Promise.<AuthResponse>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse} object
*
*/
acquireTokenSilent(userRequest: AuthenticationParameters): Promise<AuthResponse> {
this.logger.verbose("AcquireTokenSilent has been called");
// validate the request
const request = RequestUtils.validateRequest(userRequest, false, this.clientId, Constants.interactionTypeSilent);
const apiEvent: ApiEvent = this.telemetryManager.createAndStartApiEvent(request.correlationId, API_EVENT_IDENTIFIER.AcquireTokenSilent);
const requestSignature = RequestUtils.createRequestSignature(request);
return new Promise<AuthResponse>(async (resolve, reject) => {
// block the request if made from the hidden iframe
WindowUtils.blockReloadInHiddenIframes();
const scope = request.scopes.join(" ").toLowerCase();
this.logger.verbosePii(`Serialized scopes: ${scope}`);
// if the developer passes an account, give that account the priority
let account: Account;
if (request.account) {
account = request.account;
this.logger.verbose("Account set from request");
} else {
account = this.getAccount();
this.logger.verbose("Account set from MSAL Cache");
}
// Extract adalIdToken if stashed in the cache to allow for seamless ADAL to MSAL migration
const adalIdToken = this.cacheStorage.getItem(Constants.adalIdToken);
// In the event of no account being passed in the config, no session id, and no pre-existing adalIdToken, user will need to log in
if (!account && !(request.sid || request.loginHint) && StringUtils.isEmpty(adalIdToken) ) {
this.logger.info("User login is required");
// The promise rejects with a UserLoginRequiredError, which should be caught and user should be prompted to log in interactively
return reject(ClientAuthError.createUserLoginRequiredError());
}
// set the response type based on the current cache status / scopes set
const responseType = this.getTokenType(account, request.scopes);
this.logger.verbose(`Response type: ${responseType}`);
// create a serverAuthenticationRequest populating the `queryParameters` to be sent to the Server
const serverAuthenticationRequest = new ServerRequestParameters(
AuthorityFactory.CreateInstance(request.authority, this.config.auth.validateAuthority, request.authorityMetadata),
this.clientId,
responseType,
this.getRedirectUri(request.redirectUri),
request.scopes,
request.state,
request.correlationId,
);
this.logger.verbose("Finished building server authentication request");
// populate QueryParameters (sid/login_hint) and any other extraQueryParameters set by the developer
if (ServerRequestParameters.isSSOParam(request) || account) {
serverAuthenticationRequest.populateQueryParams(account, request, null, true);
this.logger.verbose("Query parameters populated from existing SSO or account");
}
// if user didn't pass login_hint/sid and adal's idtoken is present, extract the login_hint from the adalIdToken
else if (!account && !StringUtils.isEmpty(adalIdToken)) {
// if adalIdToken exists, extract the SSO info from the same
const adalIdTokenObject = TokenUtils.extractIdToken(adalIdToken);
this.logger.verbose("ADAL's idToken exists. Extracting login information from ADAL's idToken to populate query parameters");
serverAuthenticationRequest.populateQueryParams(account, null, adalIdTokenObject, true);
}
else {
this.logger.verbose("No additional query parameters added");
}
const userContainedClaims = request.claimsRequest || serverAuthenticationRequest.claimsValue;
let authErr: AuthError;
let cacheResultResponse;
// If request.forceRefresh is set to true, force a request for a new token instead of getting it from the cache
if (!userContainedClaims && !request.forceRefresh) {
try {
cacheResultResponse = this.getCachedToken(serverAuthenticationRequest, account);
} catch (e) {
authErr = e;
}
}
// resolve/reject based on cacheResult
if (cacheResultResponse) {
this.logger.verbose("Token found in cache lookup");
this.logger.verbosePii(`Scopes found: ${JSON.stringify(cacheResultResponse.scopes)}`);
resolve(cacheResultResponse);
return null;
}
else if (authErr) {
this.logger.infoPii(authErr.errorCode + ":" + authErr.errorMessage);
reject(authErr);
return null;
}
// else proceed with login
else {
let logMessage;
if (userContainedClaims) {
logMessage = "Skipped cache lookup since claims were given";
} else if (request.forceRefresh) {
logMessage = "Skipped cache lookup since request.forceRefresh option was set to true";
} else {
logMessage = "No valid token found in cache lookup";
}
this.logger.verbose(logMessage);
// Cache result can return null if cache is empty. In that case, set authority to default value if no authority is passed to the API.
if (!serverAuthenticationRequest.authorityInstance) {
serverAuthenticationRequest.authorityInstance = request.authority ?
AuthorityFactory.CreateInstance(request.authority, this.config.auth.validateAuthority, request.authorityMetadata)
: this.authorityInstance;
}
this.logger.verbosePii(`Authority instance: ${serverAuthenticationRequest.authority}`);
try {
if (!serverAuthenticationRequest.authorityInstance.hasCachedMetadata()) {
this.logger.verbose("No cached metadata for authority");
await AuthorityFactory.saveMetadataFromNetwork(serverAuthenticationRequest.authorityInstance, this.telemetryManager, request.correlationId);
this.logger.verbose("Authority has been updated with endpoint discovery response");
} else {
this.logger.verbose("Cached metadata found for authority");
}
/*
* refresh attempt with iframe
* Already renewing for this scope, callback when we get the token.
*/
if (window.activeRenewals[requestSignature]) {
this.logger.verbose("Renewing token in progress. Registering callback");
// Active renewals contains the state for each renewal.
this.registerCallback(window.activeRenewals[requestSignature], requestSignature, resolve, reject);
}
else {
if (request.scopes && ScopeSet.onlyContainsOidcScopes(request.scopes)) {
/*
* App uses idToken to send to api endpoints
* Default scope is tracked as OIDC scopes to store this token
*/
this.logger.verbose("OpenID Connect scopes only, renewing idToken");
this.silentLogin = true;
this.renewIdToken(requestSignature, resolve, reject, account, serverAuthenticationRequest);
} else {
// renew access token
this.logger.verbose("Renewing access token");
this.renewToken(requestSignature, resolve, reject, account, serverAuthenticationRequest);
}
}
} catch (err) {
this.logger.error(err);
reject(ClientAuthError.createEndpointResolutionError(err.toString()));
return null;
}
}
})
.then(res => {
this.logger.verbose("Successfully acquired token");
this.telemetryManager.stopAndFlushApiEvent(request.correlationId, apiEvent, true);
return res;
})
.catch((error: AuthError) => {
this.cacheStorage.resetTempCacheItems(request.state);
this.telemetryManager.stopAndFlushApiEvent(request.correlationId, apiEvent, false, error.errorCode);
throw error;
});
}
// #endregion
// #region Popup Window Creation
/**
* @hidden
*
* Configures popup window for login.
*
* @param urlNavigate
* @param title
* @param popUpWidth
* @param popUpHeight
* @ignore
* @hidden
*/
private openPopup(urlNavigate: string, title: string, popUpWidth: number, popUpHeight: number) {
this.logger.verbose("OpenPopup has been called");
try {
/**
* adding winLeft and winTop to account for dual monitor
* using screenLeft and screenTop for IE8 and earlier
*/
const winLeft = window.screenLeft ? window.screenLeft : window.screenX;
const winTop = window.screenTop ? window.screenTop : window.screenY;
/**
* window.innerWidth displays browser window"s height and width excluding toolbars
* using document.documentElement.clientWidth for IE8 and earlier
*/
const width = window.innerWidth || document.documentElement.clientWidth || document.body.clientWidth;
const height = window.innerHeight || document.documentElement.clientHeight || document.body.clientHeight;
const left = ((width / 2) - (popUpWidth / 2)) + winLeft;
const top = ((height / 2) - (popUpHeight / 2)) + winTop;
// open the window
const popupWindow = window.open(urlNavigate, title, "width=" + popUpWidth + ", height=" + popUpHeight + ", top=" + top + ", left=" + left + ", scrollbars=yes");
if (!popupWindow) {
throw ClientAuthError.createPopupWindowError();
}
if (popupWindow.focus) {
popupWindow.focus();
}
return popupWindow;
} catch (e) {
this.cacheStorage.setInteractionInProgress(false);
throw ClientAuthError.createPopupWindowError(e.toString());
}
}
// #endregion
// #region Iframe Management
/**
* @hidden
* Calling _loadFrame but with a timeout to signal failure in loadframeStatus. Callbacks are left.
* registered when network errors occur and subsequent token requests for same resource are registered to the pending request.
* @ignore
*/
private async loadIframeTimeout(urlNavigate: string, frameName: string, requestSignature: string): Promise<void> {
// set iframe session to pending
const expectedState = window.activeRenewals[requestSignature];
this.logger.verbosePii("Set loading state to pending for: " + requestSignature + ":" + expectedState);
this.cacheStorage.setItem(AuthCache.generateTemporaryCacheKey(TemporaryCacheKeys.RENEW_STATUS, expectedState), Constants.inProgress);
// render the iframe synchronously if app chooses no timeout, else wait for the set timer to expire
const iframe: HTMLIFrameElement = this.config.system.navigateFrameWait ?
await WindowUtils.loadFrame(urlNavigate, frameName, this.config.system.navigateFrameWait, this.logger):
WindowUtils.loadFrameSync(urlNavigate, frameName, this.logger);
try {
const hash = await WindowUtils.monitorIframeForHash(iframe.contentWindow, this.config.system.loadFrameTimeout, urlNavigate, this.logger);
if (hash) {
this.handleAuthenticationResponse(hash);
}
} catch (error) {
if (this.cacheStorage.getItem(AuthCache.generateTemporaryCacheKey(TemporaryCacheKeys.RENEW_STATUS, expectedState)) === Constants.inProgress) {
// fail the iframe session if it's in pending state
this.logger.verbose("Loading frame has timed out after: " + (this.config.system.loadFrameTimeout / 1000) + " seconds for scope/authority " + requestSignature + ":" + expectedState);
// Error after timeout
if (expectedState && window.callbackMappedToRenewStates[expectedState]) {
window.callbackMappedToRenewStates[expectedState](null, error);
}
this.cacheStorage.removeItem(AuthCache.generateTemporaryCacheKey(TemporaryCacheKeys.RENEW_STATUS, expectedState));
}
WindowUtils.removeHiddenIframe(iframe);
throw error;
}
WindowUtils.removeHiddenIframe(iframe);
}
// #endregion
// #region General Helpers
/**
* @hidden
* Used to redirect the browser to the STS authorization endpoint
* @param {string} urlNavigate - URL of the authorization endpoint
*/
private navigateWindow(urlNavigate: string, popupWindow?: Window) {
// Navigate if valid URL
if (urlNavigate && !StringUtils.isEmpty(urlNavigate)) {
const navigateWindow: Window = popupWindow ? popupWindow : window;
const logMessage: string = popupWindow ? "Navigated Popup window to:" + urlNavigate : "Navigate to:" + urlNavigate;
this.logger.infoPii(logMessage);
navigateWindow.location.assign(urlNavigate);
}
else {
this.logger.info("Navigate url is empty");
throw AuthError.createUnexpectedError("Navigate url is empty");
}
}
/**
* @hidden
* Used to add the developer requested callback to the array of callbacks for the specified scopes. The updated array is stored on the window object
* @param {string} expectedState - Unique state identifier (guid).
* @param {string} scope - Developer requested permissions. Not all scopes are guaranteed to be included in the access token returned.
* @param {Function} resolve - The resolve function of the promise object.
* @param {Function} reject - The reject function of the promise object.
* @ignore
*/
private registerCallback(expectedState: string, requestSignature: string, resolve: Function, reject: Function): void {
// track active renewals
window.activeRenewals[requestSignature] = expectedState;
// initialize callbacks mapped array