diff --git a/lib/msal-browser/src/app/IPublicClientApplication.ts b/lib/msal-browser/src/app/IPublicClientApplication.ts
index aa8269f4d3..b966c7a834 100644
--- a/lib/msal-browser/src/app/IPublicClientApplication.ts
+++ b/lib/msal-browser/src/app/IPublicClientApplication.ts
@@ -1,19 +1,21 @@
-import { AuthenticationResult, AuthorizationUrlRequest } from "@azure/msal-common";
-import { SilentFlowRequest, EndSessionRequest, AccountInfo } from "../";
+import { AuthenticationResult, AuthorizationUrlRequest, SilentFlowRequest, AccountInfo, EndSessionRequest } from "@azure/msal-common";
+import { RedirectRequest } from "../request/RedirectRequest";
+import { PopupRequest } from "../request/PopupRequest";
+import { SilentRequest } from "../request/SilentRequest";
 /*
 * Copyright (c) Microsoft Corporation. All rights reserved.
 * Licensed under the MIT License.
 */
 export interface IPublicClientApplication {
- acquireTokenPopup(request: AuthorizationUrlRequest): Promise;
- acquireTokenRedirect(request: AuthorizationUrlRequest): Promise;
- acquireTokenSilent(silentRequest: SilentFlowRequest): Promise;
+ acquireTokenPopup(request: PopupRequest): Promise;
+ acquireTokenRedirect(request: RedirectRequest): Promise;
+ acquireTokenSilent(silentRequest: SilentRequest): Promise;
 getAccountByUsername(userName: string): AccountInfo;
 getAllAccounts(): AccountInfo[];
 handleRedirectPromise(): Promise;
- loginPopup(request: AuthorizationUrlRequest): Promise;
- loginRedirect(request: AuthorizationUrlRequest): Promise;
+ loginPopup(request: PopupRequest): Promise;
+ loginRedirect(request: RedirectRequest): Promise;
 logout(logoutRequest?: EndSessionRequest): Promise;
 ssoSilent(request: AuthorizationUrlRequest): Promise;
 }
diff --git a/lib/msal-browser/src/app/PublicClientApplication.ts b/lib/msal-browser/src/app/PublicClientApplication.ts
index 928e15bdbd..9a96c2a911 100644
--- a/lib/msal-browser/src/app/PublicClientApplication.ts
+++ b/lib/msal-browser/src/app/PublicClientApplication.ts
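Review bot: `ssoSilent` is the one method in this interface left on the bare `AuthorizationUrlRequest` while every other entry point now takes a browser-specific request type, so callers get no hint that it carries the same hidden-iframe constraints on `redirectUri` that the new `SilentRequest` type documents. Either reuse `SilentRequest`, introduce an `SsoSilentRequest` alias, or at least add a TSDoc line on the method, e.g. `/** Signs in without user interaction in a hidden iframe; redirectUri must be a registered URI whose page can load inside an iframe. */` — whether ssoSilent really runs in an iframe is not visible in this hunk and should be confirmed against the implementation. The interface methods otherwise carry no documentation at all; a one-line TSDoc per method would let the published `.d.ts` explain popup vs redirect vs silent without readers opening PublicClientApplication.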
@@ -43,6 +43,7 @@ import { version } from "../../package.json";
 import { IPublicClientApplication } from "./IPublicClientApplication";
 import { RedirectRequest } from "../request/RedirectRequest";
 import { PopupRequest } from "../request/PopupRequest";
+import { SilentRequest } from "../request/SilentRequest";
 /**
 * The PublicClientApplication class is the object exposed by the library to perform authentication and authorization functions in Single Page Applications
@@ -361,13 +362,14 @@ export class PublicClientApplication implements IPublicClientApplication {
 * @returns {Promise.} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse} object
 *
 */
- async acquireTokenSilent(request: SilentFlowRequest): Promise {
+ async acquireTokenSilent(request: SilentRequest): Promise {
 // block the reload if it occurred inside a hidden iframe
 BrowserUtils.blockReloadInHiddenIframes();
 const silentRequest: SilentFlowRequest = { ...request, ...this.initializeBaseRequest(request) };
+
 try {
 const silentAuthClient = await this.createSilentFlowClient(silentRequest.authority);
 // Send request to renew token. Auth module will throw errors if token cannot be renewed.
@@ -379,6 +381,7 @@ export class PublicClientApplication implements IPublicClientApplication {
 if (isServerError && isInvalidGrantError && !isInteractionRequiredError) {
 const silentAuthUrlRequest: AuthorizationUrlRequest = this.initializeAuthorizationRequest({
 ...silentRequest,
+ redirectUri: request.redirectUri,
 prompt: PromptValue.NONE
 });
diff --git a/lib/msal-browser/src/index.ts b/lib/msal-browser/src/index.ts
index 8ec3b414db..2005ac7451 100644
--- a/lib/msal-browser/src/index.ts
+++ b/lib/msal-browser/src/index.ts
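Review bot: The JSDoc directly above `acquireTokenSilent` (its `@returns` lines are this hunk's leading context) is not updated for the new `SilentRequest` parameter, so nothing tells a caller what `redirectUri` means on a silent call. Suggest adding `@param request - SilentRequest; redirectUri is only consulted if the cache/refresh-token path fails and the call falls back to a hidden-iframe authorization request (prompt=none), and it must be one of the app's registered redirect URIs.` — the fallback is visible in the next hunk, the rest of the method body lies outside this one. Also, `silentRequest` is typed `SilentFlowRequest` but is built by spreading `request`, so at runtime it still carries `redirectUri`; a one-line comment there would stop the narrower type from misleading readers.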
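Review bot: `redirectUri: request.redirectUri` can be `undefined` (the field is optional on `SilentRequest`), and because `silentRequest` was built from `...request` the spread on the previous line already carries the same value at runtime, so this line changes typing rather than behaviour; a comment such as `// SilentFlowRequest has no redirectUri; pass the caller's (possibly undefined) value explicitly so the iframe fallback is typed` would keep someone from either deleting it or assuming it overrides something. What `initializeAuthorizationRequest` substitutes for `undefined` is outside the hunk; since that URL is what the hidden iframe loads and receives the authorization response on, the fallback path should be checked to ensure the default is a registered, iframe-safe page (the `blockReloadInHiddenIframes()` guard at the top of the method suggests this hazard is already known). Logging the effective redirectUri at debug level in this branch would also help, since a mismatch here surfaces only as an opaque server error.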
@@ -10,6 +10,7 @@ export { BrowserConfigurationAuthError, BrowserConfigurationAuthErrorMessage } f
 export { IPublicClientApplication } from "./app/IPublicClientApplication";
 export { PopupRequest } from "./request/PopupRequest";
 export { RedirectRequest } from "./request/RedirectRequest";
+export { SilentRequest } from "./request/SilentRequest";
 // Common Object Formats
 export {
@@ -17,7 +18,6 @@ export {
 AccountInfo,
 // Request
 AuthorizationUrlRequest,
- SilentFlowRequest,
 EndSessionRequest,
 // Response
 AuthenticationResult,
diff --git a/lib/msal-browser/src/request/PopupRequest.ts b/lib/msal-browser/src/request/PopupRequest.ts
index 4e30e79282..429254de85 100644
--- a/lib/msal-browser/src/request/PopupRequest.ts
+++ b/lib/msal-browser/src/request/PopupRequest.ts
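Review bot: Dropping `SilentFlowRequest` from the package's re-export list is an API-breaking change for any consumer that imported it from `@azure/msal-browser` to type their request objects, and nothing in this diff marks it as such. `SilentRequest` is a superset (`SilentFlowRequest & { redirectUri?: string }`), so existing object literals still type-check once callers switch the import, but the import itself breaks; consider keeping `SilentFlowRequest,` in the `export {}` block with a `/** @deprecated use SilentRequest */` comment for one release, or call the removal out in the changelog.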
@@ -7,6 +7,26 @@ import { AuthorizationUrlRequest } from "@azure/msal-common";
 /**
 * @type PopupRequest: Request object passed by user to retrieve a Code from the
- * server (first leg of authorization code grant flow)
+ * server (first leg of authorization code grant flow) with a popup window.
+ *
+ * - scopes - Array of scopes the application is requesting access to.
+ * - authority - Url of the authority which the application acquires tokens from.
+ * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
+ * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
+ * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
+ * - responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
+ * - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636
+ * - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636
+ * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
+ * - prompt - Indicates the type of user interaction that is required.
+ * login: will force the user to enter their credentials on that request, negating single-sign on
+ * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
+ * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
+ * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
+ * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
+ * - extraQueryParameters - String to string map of custom query parameters.
+ * - claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
+ * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
 */
 export type PopupRequest = AuthorizationUrlRequest;
diff --git a/lib/msal-browser/src/request/RedirectRequest.ts b/lib/msal-browser/src/request/RedirectRequest.ts
index 7647926f8c..d00836f6e3 100644
--- a/lib/msal-browser/src/request/RedirectRequest.ts
+++ b/lib/msal-browser/src/request/RedirectRequest.ts
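Review bot: The `codeChallengeMethod` entry presents `"plain"` as an ordinary option and says omitting it means plaintext, which reads as an endorsement; RFC 7636 permits `plain` only for clients that cannot compute SHA-256, and with `plain` the verifier equals the challenge, so anyone who observes the authorization URL can redeem the code. Suggest `- codeChallengeMethod - Method used to derive codeChallenge from the code verifier. Use "S256"; "plain" is allowed by RFC 7636 only for clients unable to compute SHA-256 and exposes the verifier in the authorization URL.`, and if msal-browser generates the PKCE pair itself (not visible in this hunk) say that callers normally leave `codeChallenge`/`codeChallengeMethod` unset. Typos in the same block: "PKCE RCF" (twice) should be "PKCE RFC", "will the trigger" → "will trigger", "single sign-=on" → "single sign-on". Since this field list is duplicated verbatim in RedirectRequest.ts, documenting the shared fields once on `AuthorizationUrlRequest` and linking to it would keep the two copies from drifting.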
@@ -7,13 +7,29 @@ import { AuthorizationUrlRequest } from "@azure/msal-common";
 /**
 * @type RedirectRequest: Request object passed by user to retrieve a Code from the
- * server (first leg of authorization code grant flow)
+ * server (first leg of authorization code grant flow) with a full page redirect.
+ *
+ * - scopes - Array of scopes the application is requesting access to.
+ * - authority - Url of the authority which the application acquires tokens from.
+ * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
+ * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
+ * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
+ * - responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
+ * - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636
+ * - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636
+ * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
+ * - prompt - Indicates the type of user interaction that is required.
+ * login: will force the user to enter their credentials on that request, negating single-sign on
+ * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
+ * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
+ * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
+ * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
+ * - extraQueryParameters - String to string map of custom query parameters.
+ * - claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
+ * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
+ * - redirectStartPage - The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored.
 */
 export type RedirectRequest = AuthorizationUrlRequest & {
- /**
- * The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used
- * if this is different from the redirectUri and will default to the page that initiates the request.
- * When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored.
- */
 redirectStartPage?: string;
 };
diff --git a/lib/msal-browser/src/request/SilentRequest.ts b/lib/msal-browser/src/request/SilentRequest.ts
new file mode 100644
index 0000000000..5cd119b58a
--- /dev/null
+++ b/lib/msal-browser/src/request/SilentRequest.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import { SilentFlowRequest } from "@azure/msal-common";
+
+/**
+ * @type SilentRequest: Request object passed by user to retrieve tokens from the
+ * cache, renew an expired token with a refresh token, or retrieve a code (first leg of authorization code grant flow)
+ * in a hidden iframe.
+ *
+ * - scopes - Array of scopes the application is requesting access to.
+ * - authority - Url of the authority which the application acquires tokens from.
+ * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
+ * - account - Account entity to lookup the credentials.
+ * - forceRefresh - Forces silent requests to make network calls if true.
+ * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
+ */
+export type SilentRequest = SilentFlowRequest & {
+ redirectUri?: string;
+};
diff --git a/lib/msal-common/src/request/EndSessionRequest.ts b/lib/msal-common/src/request/EndSessionRequest.ts
index 7f10faf8b4..91c078f6d9 100644
--- a/lib/msal-common/src/request/EndSessionRequest.ts
+++ b/lib/msal-common/src/request/EndSessionRequest.ts
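Review bot: `redirectStartPage` is a caller-supplied URL the library navigates to after the redirect completes, so it has to survive the round trip through the authority, and the new doc entry should say it must be a same-origin application URL and must never be filled from untrusted input (a `returnUrl` query parameter, for instance), otherwise it becomes an open-redirect sink; how the value is stored and whether it is origin-checked before navigation is outside this hunk and worth confirming. Suggest appending to the entry: `Must be a URL within this application; do not populate it from user-controlled input, as it is navigated to after the authentication round trip.` The field list above it is a verbatim copy of PopupRequest.ts, including the "PKCE RCF", "sign-=on" and "will the trigger" typos; fixing them in one shared place (e.g. on `AuthorizationUrlRequest`) would keep the two from drifting.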
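Review bot: The `redirectUri` entry is copied verbatim from the interactive request types and does not explain why a silent request needs a redirect URI at all, which is the first question a reader of this new file will have. Per the `acquireTokenSilent` change in this diff it is only consulted when the cache/refresh-token path fails and the library falls back to a hidden-iframe authorization request; suggest `- redirectUri - Only used if the request falls back to a hidden-iframe authorization request. Must be one of the app's registered redirect URIs, and the page it points to must be loadable inside an iframe and must not itself start a login or navigate away.` (confirm against the implementation, since the fallback body is not in this hunk). Saying what an unset value falls back to would also help, as `undefined` is passed straight through in that fallback.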
@@ -5,6 +5,13 @@ import { AccountInfo } from "../account/AccountInfo";
+/**
+ * EndSessionRequest
+ * - account - Account object that will be logged out of. All tokens tied to this account will be cleared.
+ * - postLogoutRedirectUri - URI to navigate to after logout page.
+ * - authority - Authority to send logout request to.
+ * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
+ */
 export type EndSessionRequest = {
 account?: AccountInfo,
 postLogoutRedirectUri?: string,
diff --git a/lib/msal-common/src/request/RefreshTokenRequest.ts b/lib/msal-common/src/request/RefreshTokenRequest.ts
index b76ed3d64f..1e555f76b5 100644
--- a/lib/msal-common/src/request/RefreshTokenRequest.ts
+++ b/lib/msal-common/src/request/RefreshTokenRequest.ts
@@ -11,7 +11,6 @@ import { BaseAuthRequest } from "./BaseAuthRequest";
 * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
 * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
 * - refreshToken - A refresh token returned from a previous request to the Identity provider.
- * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
 */
 export type RefreshTokenRequest = BaseAuthRequest & {
 refreshToken: string;
diff --git a/lib/msal-common/src/request/SilentFlowRequest.ts b/lib/msal-common/src/request/SilentFlowRequest.ts
index 3f8ce34ff0..76985e9214 100644
--- a/lib/msal-common/src/request/SilentFlowRequest.ts
+++ b/lib/msal-common/src/request/SilentFlowRequest.ts
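Review bot: `postLogoutRedirectUri` gets a one-line entry with none of the caveat that the `redirectUri` entries elsewhere in this diff carry, although it is likewise a URL the authority is asked to send the browser to. Suggest `- postLogoutRedirectUri - URI to navigate to after the logout page. Like redirectUri it should be one of the URIs registered for the application; authorities generally reject unregistered values, and the app must not build it from untrusted input.` The `account` entry's statement that "all tokens tied to this account will be cleared" is a behavioural promise that cannot be verified from this hunk; keep it only if the logout implementation guarantees it.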
@@ -13,7 +13,6 @@ import { BaseAuthRequest } from "./BaseAuthRequest";
 * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
 * - account - Account entity to lookup the credentials.
 * - forceRefresh - Forces silent requests to make network calls if true.
- * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
 */
 export type SilentFlowRequest = BaseAuthRequest & {
 account: AccountInfo;