Merge branch 'dev' into msal-common-sub-errors

lib/msal-angular/changelog.md

@@ -4,7 +4,7 @@
 
 Stable release of MSAL Angular v1. See beta versions below for complete list of changes.
 
-Highlights:
+### Highlights:
 
 * Requires `msal@1.3.0`.
 * Requires `rxjs@6`.
@@ -20,6 +20,10 @@ Highlights:
 * Applications using `Redirect` methods can optionally implement the `handleRedirectCallback` method (and have it run on every page load), which will capture the result of redirect operations. See the [Angular sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/angular6-sample-app/src/app/app.component.ts) for an example of how to implement.
 * Add `ssoSilent` API. This API requires either a `loginHint` or `sid`, and is intended to be used when you want to SSO to an existing AAD session. Emits `msal:ssoSuccess` and `msal:ssoFailure` events.
 
+### Fixes
+
+* Ensure interceptor uses ID token property if response is of type id_token (#1528)
+
 ## 1.0.0-beta.5
 
 * Requires `msal@1.3.0-beta.0`.

lib/msal-browser/README.md

@@ -5,7 +5,7 @@
 | --- | --- | --- |
 
 1. [About](#about)
-2. [FAQ](./FAQ.md)
+2. [FAQ](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/FAQ.md)
 3. [Releases](#releases)
 4. [Prerequisites](#prerequisites)
 5. [Installation](#installation)
@@ -28,15 +28,15 @@ Want to join our Private Preview and test out the lastest changes to the Azure P
 
 The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using [Azure AD](https://docs.microsoft.com/azure/active-directory/develop/v2-overview) work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through [Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview#identity-providers) service. It also enables your app to get tokens to access [Microsoft Cloud](https://www.microsoft.com/enterprise) services such as [Microsoft Graph](https://graph.microsoft.io).
 
-The `@azure/msal-browser` package described by the code in this folder uses the [`@azure/msal-common` package](../msal-common/) as a dependency to enable authentication in Javascript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section [below](#oauth-2.0-and-the-implicit-flow-vs-authorization-code-flow-with-pkce). If you are looking for the version of the library that uses the implicit flow, please see the [`msal-core` library](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core).
+The `@azure/msal-browser` package described by the code in this folder uses the [`@azure/msal-common` package](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-common) as a dependency to enable authentication in Javascript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section [below](#oauth-2.0-and-the-implicit-flow-vs-authorization-code-flow-with-pkce). If you are looking for the version of the library that uses the implicit flow, please see the [`msal-core` library](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core).
 
 This is an improvement upon the current `msal-core` library which will utilize the authorization code flow in the browser. Most features available in the old library will be available in this one, but there are nuances to the authentication flow in both. The `@azure/msal-browser` package does NOT support the implicit flow.
 
 **IMPORTANT:** Please be aware that this is not a production ready library. We are making changes in the [Azure portal](https://azure.microsoft.com/en-us/features/azure-portal/) to ensure we can deliver a polished end-to-end experience.
 
 ## FAQ
 
-See [here](./FAQ.md).
+See [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/FAQ.md).
 
 ## Releases
 
@@ -56,7 +56,7 @@ See [here](./FAQ.md).
 - Once you have registered your application, you will need to do two things in order to ensure `@azure/msal-browser` will successfully retrieve tokens:
     1. Change your redirect URI type to enable CORS. You can do this by going to the manifest editor for your app registration in the portal, finding the `replyUrlsWithType` section and changing the type of your redirect URI to `SPA`. This may remove the affected redirect URIs from the Web platform Authentication tab - that's OK! We are working on getting UI set up for this.
 
-    ![Changing Redirect URI type](./docs/images/redirectURIRegistrationUpdate.png)
+    ![Changing Redirect URI type](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/images/redirectURIRegistrationUpdate.png)
 
 ## Installation
 ### Via NPM:
@@ -69,33 +69,35 @@ npm install @azure/msal-browser
 
 ### Migrating from Previous MSAL Versions
 
-If you have MSAL v1.x currently running in your application, you can follow the instructions [here](./docs/v1-migration.md) to migrate your application to using the `@azure/msal-browser` package.
+If you have MSAL v1.x currently running in your application, you can follow the instructions [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v1-migration.md) to migrate your application to using the `@azure/msal-browser` package.
 
 ### MSAL Basics
 
-1. [Initialization](./docs/initialization.md)
-2. [Logging in a User](./docs/login-user.md)
-3. [Acquiring and Using an Access Token](./docs/acquire-token.md)
-4. [Managing Token Lifetimes](./docs/token-lifetimes.md)
-5. [Logging Out a User](./docs/logout.md)
+1. [Initialization](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/initialization.md)
+2. [Logging in a User](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md)
+3. [Acquiring and Using an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md)
+4. [Managing Token Lifetimes](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/token-lifetimes.md)
+5. [Logging Out a User](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md)
 
 ### Advanced Topics
 
-- [Configuration Options](./docs/configuration.md)
-- [Request and Response Details](./docs/request-response-object.md)
-- [Cache Storage](./docs/caching.md)
+- [Configuration Options](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md)
+- [Request and Response Details](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md)
+- [Cache Storage](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/caching.md)
 
 ## Samples
 
-The [`VanillaJSTestApp2.0` folder](../../samples/VanillaJSTestApp2.0) contains sample applications for our libraries. You can run any sample by changing the `authConfig.js` file in the respective folder to match your app registration and running the `npm` command `npm start -- -s <sample-name> -p <port>`. 
+The [`VanillaJSTestApp2.0` folder](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples) contains sample applications for our libraries. You can run any sample by changing the `authConfig.js` file in the respective folder to match your app registration and running the `npm` command `npm start -- -s <sample-name> -p <port>`. 
 
 Here is a complete list of samples for the MSAL.js 2.x library:
 
 | Sample | Description | How to Run |
 | ------ | ----------- | ---------- |
-| [Basic Auth Sample](../../samples/VanillaJSTestApp2.0/default) | A vanilla Javascript sample showing basic usage of the MSAL 2.0 library (`@azure/msal-browser` package) with the Microsoft Graph API. | `npm start -- -s default` |
+| [Basic Auth Sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/VanillaJSTestApp2.0/app/default) | A vanilla Javascript sample showing basic usage of the MSAL 2.0 library (`@azure/msal-browser` package) with the Microsoft Graph API. | `npm start -- -s default` |
+| [On Page Load Sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/VanillaJSTestApp2.0/app/onPageLoad) | A vanilla JS sample showing usage of MSAL 2.0 with authentication on page load with a redirect. | `npm start -- -s onPageLoad` |
+| [ssoSilent() Sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/VanillaJSTestApp2.0/app/ssoSilent) | A vanilla JS sample showing usage of the ssoSilent API, allowing you to sign in a user silently if a context exists on the authentication server. | `npm start -- -s ssoSilent` |
 
-More instructions to run the sample can be found in the [`README.md` file](../../samples/VanillaJSTestApp2.0/README.md) of the VanillaJSTestApp2.0 folder.
+More instructions to run the samples can be found in the [`README.md` file](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/VanillaJSTestApp2.0/Readme.md) of the VanillaJSTestApp2.0 folder.
 
 ## Build and Test
 
@@ -145,7 +147,7 @@ Our goal is that the library abstracts enough of the protocol away so that you c
 The MSAL library will now support the Authorization Code Flow with PKCE for Browser-Based Applications without a backend web server. 
 We plan to continue support for the implicit flow in the `msal-core` library.
 
-You can learn further details about `@azure/msal-browser` functionality documented in our [docs folder](./docs) and find complete [code samples](#samples).
+You can learn further details about `@azure/msal-browser` functionality documented in our [docs folder](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser/docs) and find complete [code samples](#samples).
 
 ## Security Reporting
 

lib/msal-browser/changelog.md

@@ -1,3 +1,14 @@
+# 2.0.0-beta.1
+## Features
+* Added a silent iframe flow in the @azure/msal-browser package (#1451)
+    * Includes an ssoSilent() API to acquire tokens silently with a user context (loginHint)
+
+## Bugs
+* Fixed an issue where TokenResponse is not exported
+
+## Enhancements
+* handleRedirectCallback flow was modified, will be deprecated in favor of handleRedirectPromise(), added log message (#1490, #1543)
+
 # 2.0.0-beta.0
 ## Features
 * Removed client_secret from config and added docs for new registration experience (#1421)

lib/msal-browser/docs/acquire-token.md

@@ -17,7 +17,9 @@ MSAL uses a cache to store tokens based on specific parameters including scopes,
 It is best practice to attempt an `acquireTokenSilent` call before using the interactive APIs. This allows you to prevent unnecessary user interactions. 
 `acquireTokenSilent` will look for a valid token in the cache, and if it is close to expiring or does not exist, will automatically try to refresh it for you.
 
-If the `acquireTokenSilent` call fails, you need to initiate an interactive request. This could happen for many reasons including scopes that have been revoked, expired tokens, or password changes.
+If the `acquireTokenSilent` call attempts a refresh token call and the refresh token is expired, MSAL will attempt to make a silent request in an iframe for a new authorization code. If your session still exists, you will obtain a new authorization code silently, which will be immediately traded for an access token. 
+
+If the silent iframe call for a new authorization code fails, you need to initiate an interactive request. This could happen for many reasons including scopes that have been revoked, expired tokens, or password changes. MSAL will throw a specific InteractionRequiredAuthError error type when this error occurs.
 
 You can read more about using `acquireTokenSilent` [here](./token-lifetimes.md).
 
@@ -30,10 +32,12 @@ var request = {
 };
 
 const tokenResponse = await msalInstance.acquireTokenSilent(request).catch(async (error) => {
-    // fallback to interaction when silent call fails
-    return await myMSALObj.acquireTokenPopup(request).catch(error => {
-        console.log(error);
-    });
+    if (error instanceof InteractionRequiredAuthError) {
+        // fallback to interaction when silent call fails
+        return await myMSALObj.acquireTokenPopup(request).catch(error => {
+            console.log(error);
+        });
+    }
 });
 ```
 
@@ -44,9 +48,10 @@ var request = {
 };
 
 const tokenResponse = await msalInstance.acquireTokenSilent(request).catch(error => {
-    console.log("silent token acquisition fails. acquiring token using redirect");
-    // fallback to interaction when silent call fails
-    return myMSALObj.acquireTokenRedirect(request)
+    if (error instanceof InteractionRequiredAuthError) {
+        // fallback to interaction when silent call fails
+        return myMSALObj.acquireTokenRedirect(request)
+    }
 });
 ```
 

lib/msal-browser/docs/configuration.md

@@ -13,6 +13,7 @@ const msalConfig = {
     auth: {
         clientId: "enter_client_id_here",
         authority: "https://login.microsoftonline.com/common",
+        knownAuthorities: [],
         redirectUri: "enter_redirect_uri_here",
         postLogoutRedirectUri: "enter_postlogout_uri_here",
         navigateToLoginRequestUrl: true
@@ -44,7 +45,9 @@ const msalConfig = {
             },
             piiLoggingEnabled: false
         },
-        windowHashTimeout: 60000
+        windowHashTimeout: 60000,
+        iframeHashTimeout: 6000,
+        loadFrameTimeout: 0
     };
 }
 
@@ -58,6 +61,7 @@ const msalInstance = new PublicClientApplication(msalConfig);
 | ------ | ----------- | ------ | ------------- |
 | `clientId` | App ID of your application. Can be found in your [portal registration](../README#prerequisites). | UUID/GUID | None. This parameter is required in order for MSAL to perform any actions. |
 | `authority` | URI of the tenant to authenticate and authorize with. Usually takes the form of `https://{uri}/{tenantid}`. | String in URI format with tenant - `https://{uri}/{tenantid}` | `https://login.microsoftonline.com/common` |
+| `knownAuthorities` | An array of URIs that are known to be valid. Used in B2C scenarios. | Array of strings in URI format | Empty array `[]` |
 | `redirectUri` | URI where the authorization code response is sent back to. Whatever location is specified here must have the MSAL library available to handle the response. | String in URI format | Login request page (`window.location.href` of page which made auth request) |
 | `postLogoutRedirectUri` | URI that is redirected to after a logout() call is made. | String in URI format | Login request page (`window.location.href` of page which made auth request) |
 | `navigateToLoginRequestUrl` | If `true`, will navigate back to the original request location before processing the authorization code response. If the `redirectUri` is the same as the original request location, this flag should be set to false. | boolean | `true` |
@@ -72,7 +76,9 @@ const msalInstance = new PublicClientApplication(msalConfig);
 | Option | Description | Format | Default Value |
 | ------ | ----------- | ------ | ------------- |
 | `loggerOptions` | Config object for logger. | See [below](#logger-config-options). | See [below](#logger-config-options). |
-| `windowHashTimeout` | Timeout in milliseconds to wait for popup or iframe authentication to resolve. | integer (milliseconds) | `60000` |
+| `windowHashTimeout` | Timeout in milliseconds to wait for popup authentication to resolve. | integer (milliseconds) | `60000` |
+| `iframeHashTimeout` | Timeout in milliseconds to wait for iframe authentication to resolve | integer (milliseconds) | `6000` |
+| `loadFrameTimeout` | Timeout in milliseconds to wait for the iframe to load in the window. | integer (milliseconds) | In IE or Edge: `500`, in all other browsers: `0` |
 
 ### Logger Config Options
 | Option | Description | Format | Default Value |

lib/msal-browser/docs/initialization.md

@@ -83,13 +83,19 @@ The popup APIs use ES6 Promises that resolve when the authentication flow in the
 - `loginRedirect`
 - `acquireTokenRedirect`
 
-The redirect APIs do not use Promises, but are `void` functions which redirect the browser window after caching some basic info. If you choose to use the redirect APIs, you **MUST** call the following function **IMMEDIATELY** after the constructor in order to process the returning fragment containing the code and response and obtain an access token:
+The redirect APIs do not use Promises, but are `void` functions which redirect the browser window after caching some basic info. If you choose to use the redirect APIs, be aware that there is a small delay after loading the MSAL object where the exchanging of the auth code for the token is occurring. You can use the following function to perform an action when this token exchange is completed:
 ```javascript
-msalInstance.handleRedirectCallback((error, response) => {
-    // handle redirect response or error
+msalInstance.handleRedirectPromise()
+.then((tokenResponse) => {
+    // Check if the tokenResponse is null
+    // If the tokenResponse !== null, then you are coming back from a successful authentication redirect. 
+    // If the tokenResponse === null, you are not coming back from an auth redirect.
+})
+.catch((error) => {
+    // handle error, either in the library or coming back from the server
 });
 ```
-This will also allow you to retrieve tokens on page reload.
+This will also allow you to retrieve tokens on page reload. See the [onPageLoad sample](../../../samples/VanillaJSTestApp2.0/app/onPageLoad/) for more information on usage.
 
 It is not recommended to use both interaction types in a single application.
 

lib/msal-browser/docs/login-user.md

@@ -18,9 +18,11 @@ For login requests, all parameters are optional, so you can just send an empty o
 
 - Popup
 ```javascript
-const loginResponse = await msalInstance.loginPopup({}).catch(err => {
+try {
+    const loginResponse = await msalInstance.loginPopup({});
+} catch (err) {
     // handle error
-});
+}
 ```
 
 - Redirect
@@ -39,9 +41,11 @@ var loginRequest = {
     scopes: ["user.read", "mail.send"] // optional Array<string>
 };
 
-const loginResponse = await msalInstance.loginPopup(loginRequest).catch(err => {
+try {
+    const loginResponse = await msalInstance.loginPopup(loginRequest);
+} catch (err) {
     // handle error
-});
+}
 ```
 
 - Redirect
@@ -62,6 +66,29 @@ When a login call has succeeded, you can use the `getAccount()` function to retr
 const myAccount = msalInstance.getAccount();
 ```
 
+## Silent login with ssoSilent()
+
+If you already have a session that exists with the authentication server, you can use the ssoSilent() API to make request for tokens without interaction. You will need to pass a `login_hint` (usually the user's `upn`) in the request object in order to successfully obtain a token silently.
+
+```javascript
+const silentRequest = {
+    scopes: ["User.Read", "Mail.Read"],
+    loginHint: "user@contoso.com"
+};
+
+try {
+    const loginResponse = await msalInstance.ssoSilent(silentRequest);
+} catch (err) {
+    if (err instanceof InteractionRequiredAuthError) {
+        const loginResponse = await msalInstance.loginPopup(silentRequest).catch(error => {
+            // handle error
+        });
+    } else {
+        // handle error
+    }
+}
+```
+
 # Next Steps
 
 Learn how to [acquire and use an access token](./acquire-token.md)!