Merge pull request #2157 from AzureAD/msal-node/on-behalf-of

[msal-node][msal-common] Support for On-behalf-of flow

.gitignore

@@ -232,6 +232,9 @@ FakesAssemblies/
 # Visual Studio 6 workspace options file
 *.opt
 
+# VS Code History Plugin
+.history
+
 # Visual Studio LightSwitch build output
 **/*.HTMLClient/GeneratedArtifacts
 **/*.DesktopClient/GeneratedArtifacts

change/@azure-msal-common-2020-08-20-12-22-16-msal-node-on-behalf-of.json

@@ -0,0 +1,8 @@
+{
+  "type": "minor",
+  "comment": "Add support for On-behalf-of flow",
+  "packageName": "@azure/msal-common",
+  "email": "sagonzal@microsoft.com",
+  "dependentChangeType": "patch",
+  "date": "2020-08-20T19:21:21.628Z"
+}

change/@azure-msal-node-2020-08-20-12-22-16-msal-node-on-behalf-of.json

@@ -0,0 +1,8 @@
+{
+  "type": "prerelease",
+  "comment": "Add support for on-behalf-of flow",
+  "packageName": "@azure/msal-node",
+  "email": "sagonzal@microsoft.com",
+  "dependentChangeType": "patch",
+  "date": "2020-08-20T19:21:33.794Z"
+}

change/msal-node-on-behal-of-web-api-2020-08-20-12-22-16-msal-node-on-behalf-of.json

@@ -0,0 +1,8 @@
+{
+  "type": "none",
+  "comment": "Add on-behalf-of sample",
+  "packageName": "msal-node-on-behal-of-web-api",
+  "email": "sagonzal@microsoft.com",
+  "dependentChangeType": "none",
+  "date": "2020-08-20T19:22:16.698Z"
+}

change/msal-node-on-behal-of-web-app-2020-08-20-12-22-16-msal-node-on-behalf-of.json

@@ -0,0 +1,8 @@
+{
+  "type": "none",
+  "comment": "Add on-behalf-of sample",
+  "packageName": "msal-node-on-behal-of-web-app",
+  "email": "sagonzal@microsoft.com",
+  "dependentChangeType": "none",
+  "date": "2020-08-20T19:21:58.954Z"
+}

lib/msal-common/src/cache/CacheManager.ts

@@ -226,10 +226,12 @@ export abstract class CacheManager implements ICacheManager {
         };
         const credentialCache: CredentialCache = this.getCredentialsFilteredBy(accessTokenFilter);
         const accessTokens = Object.keys(credentialCache.accessTokens).map(key => credentialCache.accessTokens[key]);
-        if (accessTokens.length > 1) {
-            // TODO: Figure out what to throw or return here.
-        } else if (accessTokens.length < 1) {
+
+        const numAccessTokens = accessTokens.length;
+        if (numAccessTokens < 1) {
             return null;
+        } else if (numAccessTokens > 1) {
+            throw ClientAuthError.createMultipleMatchingTokensInCacheError();
         }
 
         return accessTokens[0] as AccessTokenEntity;
@@ -322,7 +324,8 @@ export abstract class CacheManager implements ICacheManager {
             filter.credentialType,
             filter.clientId,
             filter.realm,
-            filter.target
+            filter.target,
+            filter.oboAssertion,
         );
     }
 
@@ -341,7 +344,8 @@ export abstract class CacheManager implements ICacheManager {
         credentialType?: string,
         clientId?: string,
         realm?: string,
-        target?: string
+        target?: string,
+        oboAssertion?: string
     ): CredentialCache {
         const allCacheKeys = this.getKeys();
         const matchingCredentials: CredentialCache = {
@@ -365,6 +369,10 @@ export abstract class CacheManager implements ICacheManager {
                 return;
             }
 
+            if (!StringUtils.isEmpty(oboAssertion) && !this.matchOboAssertion(entity, oboAssertion)) {
+                return;
+            }
+
             if (!StringUtils.isEmpty(homeAccountId) && !this.matchHomeAccountId(entity, homeAccountId)) {
                 return;
             }
@@ -496,6 +504,17 @@ export abstract class CacheManager implements ICacheManager {
         return entity.homeAccountId && homeAccountId === entity.homeAccountId;
     }
 
+    /**
+     * @param value
+     * @param oboAssertion
+     */
+    private matchOboAssertion(
+        entity: AccountEntity | CredentialEntity,
+        oboAssertion: string
+    ): boolean {
+        return entity.oboAssertion && oboAssertion === entity.oboAssertion;
+    }
+
     /**
      *
      * @param value

lib/msal-common/src/cache/entities/AccessTokenEntity.ts

@@ -60,7 +60,8 @@ export class AccessTokenEntity extends CredentialEntity {
         tenantId: string,
         scopes: string,
         expiresOn: number,
-        extExpiresOn: number
+        extExpiresOn: number,
+        oboAssertion?: string
     ): AccessTokenEntity {
         const atEntity: AccessTokenEntity = new AccessTokenEntity();
 
@@ -82,6 +83,7 @@ export class AccessTokenEntity extends CredentialEntity {
         atEntity.clientId = clientId;
         atEntity.realm = tenantId;
         atEntity.target = scopes;
+        atEntity.oboAssertion = oboAssertion;
 
         return atEntity;
     }

lib/msal-common/src/cache/entities/AccountEntity.ts

@@ -35,7 +35,8 @@ import { ClientAuthError } from "../../error/ClientAuthError";
  *      name: Full name for the account, including given name and family name,
  *      clientInfo: Full base64 encoded client info received from ESTS
  *      lastModificationTime: last time this entity was modified in the cache
- *      lastModificationApp:
+ *      lastModificationApp: 
+ *      oboAssertion: access token passed in as part of OBO request
  * }
  */
 export class AccountEntity {
@@ -49,6 +50,7 @@ export class AccountEntity {
     clientInfo?: string;
     lastModificationTime?: string;
     lastModificationApp?: string;
+    oboAssertion?: string;
 
     /**
      * Generate Account Id key component as per the schema: <home_account_id>-<environment>
@@ -114,7 +116,7 @@ export class AccountEntity {
 
         return accountKey.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();
     }
-
+    
     /**
      * Build Account cache from IdToken, clientInfo and authority/policy
      * @param clientInfo
@@ -126,7 +128,8 @@ export class AccountEntity {
         clientInfo: string,
         authority: Authority,
         idToken: IdToken,
-        crypto: ICrypto
+        crypto: ICrypto,
+        oboAssertion?: string
     ): AccountEntity {
         const account: AccountEntity = new AccountEntity();
 
@@ -143,6 +146,7 @@ export class AccountEntity {
 
         account.environment = env;
         account.realm = idToken.claims.tid;
+        account.oboAssertion = oboAssertion;
 
         if (idToken) {
             // How do you account for MSA CID here?
@@ -169,12 +173,14 @@ export class AccountEntity {
      */
     static createADFSAccount(
         authority: Authority,
-        idToken: IdToken
+        idToken: IdToken,
+        oboAssertion?: string
     ): AccountEntity {
         const account: AccountEntity = new AccountEntity();
 
         account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
         account.homeAccountId = idToken.claims.sub;
+        account.oboAssertion = oboAssertion;
 
         const reqEnvironment = authority.canonicalAuthorityUrlComponents.HostNameAndPort;
         const env = TrustedAuthority.getCloudDiscoveryMetadata(reqEnvironment) ? TrustedAuthority.getCloudDiscoveryMetadata(reqEnvironment).preferred_cache : "";

lib/msal-common/src/cache/entities/CredentialEntity.ts

@@ -23,6 +23,7 @@ import { ClientAuthError } from "../../error/ClientAuthError";
  *      familyId: Family ID identifier, usually only used for refresh tokens
  *      realm: Full tenant or organizational identifier that the account belongs to
  *      target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
+ *      oboAssertion: access token passed in as part of OBO request
  * }
  */
 export class CredentialEntity {
@@ -34,6 +35,7 @@ export class CredentialEntity {
     familyId?: string;
     realm?: string;
     target?: string;
+    oboAssertion?: string;
 
     /**
      * Generate Account Id key component as per the schema: <home_account_id>-<environment>

lib/msal-common/src/cache/entities/IdTokenEntity.ts

@@ -38,7 +38,8 @@ export class IdTokenEntity extends CredentialEntity {
         environment: string,
         idToken: string,
         clientId: string,
-        tenantId: string
+        tenantId: string,
+        oboAssertion?: string
     ): IdTokenEntity {
         const idTokenEntity = new IdTokenEntity();
 
@@ -48,6 +49,7 @@ export class IdTokenEntity extends CredentialEntity {
         idTokenEntity.clientId = clientId;
         idTokenEntity.secret = idToken;
         idTokenEntity.realm = tenantId;
+        idTokenEntity.oboAssertion = oboAssertion;
 
         return idTokenEntity;
     }

lib/msal-common/src/cache/entities/RefreshTokenEntity.ts

@@ -40,7 +40,8 @@ export class RefreshTokenEntity extends CredentialEntity {
         environment: string,
         refreshToken: string,
         clientId: string,
-        familyId?: string
+        familyId?: string,
+        oboAssertion?: string
     ): RefreshTokenEntity {
         const rtEntity = new RefreshTokenEntity();
 
@@ -49,6 +50,7 @@ export class RefreshTokenEntity extends CredentialEntity {
         rtEntity.environment = environment;
         rtEntity.homeAccountId = homeAccountId;
         rtEntity.secret = refreshToken;
+        rtEntity.oboAssertion = oboAssertion;
 
         if (familyId)
             rtEntity.familyId = familyId;

lib/msal-common/src/cache/utils/CacheTypes.ts

@@ -43,4 +43,5 @@ export type CredentialFilter = {
     clientId?: string;
     realm?: string;
     target?: string;
+    oboAssertion?: string;
 };

lib/msal-common/src/client/ClientCredentialClient.ts

@@ -18,6 +18,7 @@ import { AccessTokenEntity } from "../cache/entities/AccessTokenEntity";
 import { TimeUtils } from "../utils/TimeUtils";
 import { StringUtils } from "../utils/StringUtils";
 import { RequestThumbprint } from "../network/RequestThumbprint";
+import { ClientAuthError } from "../error/ClientAuthError";
 
 /**
  * OAuth2.0 client credential grant
@@ -73,6 +74,8 @@ export class ClientCredentialClient extends BaseClient {
         const accessTokens = Object.keys(credentialCache.accessTokens).map(key => credentialCache.accessTokens[key]);
         if (accessTokens.length < 1) {
             return null;
+        } else if (accessTokens.length > 1) {
+            throw ClientAuthError.createMultipleMatchingTokensInCacheError();
         }
         return accessTokens[0] as AccessTokenEntity;
     }