Merge pull request #3773 from AzureAD/support-prompt-create
Add support for prompt=create
jo-arroyo committed Jun 30, 2021
2 parents a48ad51 + 57511c2 commit c9d7d77
Showing 14 changed files with 45 additions and 10 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"type": "none",
"comment": "Add support for prompt=create #3773",
"packageName": "@azure/msal-browser",
"email": "joarroyo@microsoft.com",
"dependentChangeType": "none"
}
@@ -0,0 +1,7 @@
{
"type": "minor",
"comment": "Add support for prompt=create #3773",
"packageName": "@azure/msal-common",
"email": "joarroyo@microsoft.com",
"dependentChangeType": "patch"
}
@@ -0,0 +1,7 @@
{
"type": "none",
"comment": "Add support for prompt=create #3773",
"packageName": "@azure/msal-node",
"email": "joarroyo@microsoft.com",
"dependentChangeType": "none"
}
3 changes: 3 additions & 0 deletions lib/msal-browser/FAQ.md
Expand Up @@ -139,6 +139,9 @@ Simply set your `authority` in your MSAL app configuration to **consumers** tena

Currently the msal-browser package is designed for Single-Page Applications that are handling all authentication through the browser client. We have not yet optimized this to work with server-side components. As such, requests to retrieve the authorization code from the first leg of the flow can't be met currently. We are currently working on an [implementation of msal that will run in node libraries](https://github.com/AzureAD/microsoft-authentication-library-for-js/projects/4), and as part of that we will explore options to make msal-browser work with server-side components.

## How do I implement self-service sign-up?
MSAL Browser supports self-service sign-up in the auth code flow. Please see our docs [here](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_browser.html#popuprequest) for supported prompt values in the request and their expected outcomes, and [here](http://aka.ms/s3u) for an overview of self-service sign-up and configuration changes that need to be made to your Azure tenant. Please note that that self-service sign-up is not available in B2C and test environments.

# Single Sign-On

## How to get single sign-on in my application with MSAL.js?
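Review bot: "Please note that that self-service sign-up is not available" doubles "that" in the new FAQ answer. The aka.ms overview link is also plain http:// while the typedoc link next to it is https://; use https:// for both so the tenant-configuration guidance is not fetched over plaintext.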
1 change: 1 addition & 0 deletions lib/msal-browser/src/request/PopupRequest.ts
Expand Up @@ -20,6 +20,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
* select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
* create: will direct the user to the account creation experience instead of the log in experience
* - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
* - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
* - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
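Review bot: since this comment block is being edited anyway, fix the pre-existing typos in the two lines directly above the new one, "single sign-=on" and "will the trigger the OAuth consent dialog". In the new line, "log in experience" should read "sign-in experience" (or "login experience", noun form) to match the wording the rest of the block uses.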
1 change: 1 addition & 0 deletions lib/msal-browser/src/request/RedirectRequest.ts
Expand Up @@ -20,6 +20,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
* select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
* create: will direct the user to the account creation experience instead of the log in experience
* - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
* - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
* - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
1 change: 1 addition & 0 deletions lib/msal-browser/src/request/SsoSilentRequest.ts
Expand Up @@ -20,6 +20,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
* select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
* create: will direct the user to the account creation experience instead of the log in experience
* - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
* - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
* - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
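Review bot: listing `create` as a valid prompt on SsoSilentRequest needs a caveat. Account creation is an interactive experience, and the `none` entry a few lines above already documents that a request which cannot be completed via SSO gets an interaction_required error, so a caller who sends prompt=create through the silent path gets at best a server error and at worst a hidden-iframe navigation to a sign-up page nobody sees. Say here that `create` is only meaningful for the popup and redirect APIs, or have ssoSilent reject it up front rather than relying on the authorization server to fail the request.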
2 changes: 1 addition & 1 deletion lib/msal-common/src/error/ClientConfigurationError.ts
Expand Up @@ -47,7 +47,7 @@ export const ClientConfigurationErrorMessage = {
},
invalidPrompt: {
code: "invalid_prompt_value",
desc: "Supported prompt values are 'login', 'select_account', 'consent' and 'none'. Please see here for valid configuration options: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-js-initializing-client-applications#configuration-options",
desc: "Supported prompt values are 'login', 'select_account', 'consent', 'create' and 'none'. Please see here for valid configuration options: https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest",
},
invalidClaimsRequest: {
code: "invalid_claims",
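Review bot: the `desc` string still carries a hand-maintained list of supported values ('login', 'select_account', 'consent', 'create' and 'none') while RequestValidator in this same PR now derives the accepted set from PromptValue; the next constant added to Constants.ts will be accepted by the validator but absent from the error message. Build the message from the constants, e.g. `Object.keys(PromptValue).map(k => PromptValue[k]).join(", ")`, or add a test asserting that the desc mentions every PromptValue entry.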
Expand Up @@ -26,6 +26,7 @@ import { AccountInfo } from "../account/AccountInfo";
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
* select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
* create: will direct the user to the account creation experience instead of the log in experience
* - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
* - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
* - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
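Review bot: this is the fourth copy of the same prompt description in this PR (PopupRequest, RedirectRequest, SsoSilentRequest, this file, and AuthorizationUrlRequest in msal-node follows), so every later wording fix has to be replicated five times, and the copies already share identical typos ("single sign-=on", "will the trigger"). Keep the canonical text on CommonAuthorizationUrlRequest in msal-common and have the wrapper request types point at it instead of repeating it.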
15 changes: 7 additions & 8 deletions lib/msal-common/src/request/RequestValidator.ts
Expand Up @@ -28,14 +28,13 @@ export class RequestValidator {
* @param prompt
*/
static validatePrompt(prompt: string) : void {
if (
[
PromptValue.LOGIN,
PromptValue.SELECT_ACCOUNT,
PromptValue.CONSENT,
PromptValue.NONE
].indexOf(prompt) < 0
) {
const promptValues = [];

for (const value in PromptValue) {
promptValues.push(PromptValue[value]);
}

if (promptValues.indexOf(prompt) < 0) {
throw ClientConfigurationError.createInvalidPromptError(prompt);
}
}
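Review bot: `for (const value in PromptValue)` enumerates inherited enumerable properties as well, so anything an upstream script manages to add to Object.prototype would be accepted as a valid prompt value and forwarded to the authorize URL. PromptValue is a plain object literal, so nothing is exploitable today, but `Object.keys(PromptValue).map(k => PromptValue[k])` (ES5-safe) or `Object.values(PromptValue)` states the intent and is immune to that. Note also the semantic shift: the old code was an explicit allow-list of four literals, the new code accepts whatever Constants.ts exports, so adding a key to PromptValue silently widens what the library will send; a one-line comment above the loop saying this coupling is intended would save the next reader the question.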
1 change: 1 addition & 0 deletions lib/msal-common/src/utils/Constants.ts
Expand Up @@ -155,6 +155,7 @@ export const PromptValue = {
SELECT_ACCOUNT: "select_account",
CONSENT: "consent",
NONE: "none",
CREATE: "create"
};

/**
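Review bot: nit, `CREATE: "create"` has no trailing comma while the entries above it do; add one so the next value lands as a single added line.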
3 changes: 3 additions & 0 deletions lib/msal-common/test/request/RequestValidator.spec.ts
Expand Up @@ -26,6 +26,9 @@ describe("RequestValidator unit tests", () => {
it("PromptValue none", () => {
RequestValidator.validatePrompt(PromptValue.NONE);
});
it("PromptValue create", () => {
RequestValidator.validatePrompt(PromptValue.CREATE);
});
it("Throws InvalidPromptError if invalid prompt value passed in", () => {
expect(function() { RequestValidator.validatePrompt("")}).toThrowError(ClientConfigurationError.createInvalidPromptError("").message);
});
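Review bot: the new positive case `RequestValidator.validatePrompt(PromptValue.CREATE)` is tautological now that the validator builds its list from PromptValue itself; it cannot fail unless the constant is deleted. The test that earns its keep here is a negative one: `"Create"`, `"create "` and `"create,login"` must still throw InvalidPromptError, and asserting that the thrown message contains 'create' pins the hand-written desc in ClientConfigurationError to the constant it describes.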
5 changes: 4 additions & 1 deletion lib/msal-node/docs/faq.md
Expand Up @@ -45,6 +45,9 @@ If you want to work around this, please note:
- **Yarn**: Pass the `--ignore-engines` flag to the `yarn` command.
- **npm**: Add `engine-strict=false` to your .npmrc file.

### How do I implement self-service sign-up with MSAL Node?
MSAL Node supports self-service sign-up in the auth code flow. Please see our docs [here](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationurlrequest) for supported prompt values in the request and their expected outcomes, and [here](http://aka.ms/s3u) for an overview of self-service sign-up and configuration changes that need to be made to your Azure tenant. Please note that that self-service sign-up is not available in B2C and test environments.

## B2C

### How do I handle the password-reset user-flow?
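Review bot: the same doubled "that" ("Please note that that self-service sign-up") and the same plain http:// aka.ms link appear here as in the msal-browser FAQ; fix both copies together so the two FAQs do not drift.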
Expand All @@ -57,4 +60,4 @@ Our recommendation is to move to the new password reset experience since it simp

## Can I use MSAL Node with Microsoft Graph JavaScript SDK?

Yes, MSAL Node can be used as a custom authentication provider for the [Microsoft Graph JavaScript SDK](https://github.com/microsoftgraph/msgraph-sdk-javascript). For an implementation, please refer to the sample: [Express Web App calling Graph API](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/tree/main/2-Authorization/1-call-graph).
Yes, MSAL Node can be used as a custom authentication provider for the [Microsoft Graph JavaScript SDK](https://github.com/microsoftgraph/msgraph-sdk-javascript). For an implementation, please refer to the sample: [Express Web App calling Graph API](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/tree/main/2-Authorization/1-call-graph).
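Review bot: the removed and added lines at the end of this file are byte-identical, so the hunk only adds the missing trailing newline. Fine to keep, but flag it in the commit message as a whitespace-only change so reviewers do not hunt for a content difference.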
1 change: 1 addition & 0 deletions lib/msal-node/src/request/AuthorizationUrlRequest.ts
Expand Up @@ -23,6 +23,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
* select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
* create: will direct the user to the account creation experience instead of the log in experience
* - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
* - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
* - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
