diff --git a/change/@azure-msal-browser-bf0e766c-c6d5-4ff6-a66d-d53d481f580c.json b/change/@azure-msal-browser-bf0e766c-c6d5-4ff6-a66d-d53d481f580c.json
new file mode 100644
index 0000000000..f33b3d21d5
--- /dev/null
+++ b/change/@azure-msal-browser-bf0e766c-c6d5-4ff6-a66d-d53d481f580c.json
@@ -0,0 +1,7 @@
+{
+ "type": "none",
+ "comment": "Add support for prompt=create #3773",
+ "packageName": "@azure/msal-browser",
+ "email": "joarroyo@microsoft.com",
+ "dependentChangeType": "none"
+}
diff --git a/change/@azure-msal-common-1e46607b-b77c-4acf-bcfa-7b69e8445136.json b/change/@azure-msal-common-1e46607b-b77c-4acf-bcfa-7b69e8445136.json
new file mode 100644
index 0000000000..e85d593b7c
--- /dev/null
+++ b/change/@azure-msal-common-1e46607b-b77c-4acf-bcfa-7b69e8445136.json
@@ -0,0 +1,7 @@
+{
+ "type": "minor",
+ "comment": "Add support for prompt=create #3773",
+ "packageName": "@azure/msal-common",
+ "email": "joarroyo@microsoft.com",
+ "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-e93b60f1-3b0f-4d5d-8e11-f68e45041dfb.json b/change/@azure-msal-node-e93b60f1-3b0f-4d5d-8e11-f68e45041dfb.json
new file mode 100644
index 0000000000..0deb9905be
--- /dev/null
+++ b/change/@azure-msal-node-e93b60f1-3b0f-4d5d-8e11-f68e45041dfb.json
@@ -0,0 +1,7 @@
+{
+ "type": "none",
+ "comment": "Add support for prompt=create #3773",
+ "packageName": "@azure/msal-node",
+ "email": "joarroyo@microsoft.com",
+ "dependentChangeType": "none"
+}
diff --git a/lib/msal-browser/FAQ.md b/lib/msal-browser/FAQ.md
index e916f3c6a0..6befe25b4e
--- a/lib/msal-browser/FAQ.md
+++ b/lib/msal-browser/FAQ.md
@@ -139,6 +139,9 @@ Simply set your `authority` in your MSAL app configuration to **consumers** tena
 Currently the msal-browser package is designed for Single-Page Applications that are handling all authentication through the browser client. We have not yet optimized this to work with server-side components. As such, requests to retrieve the authorization code from the first leg of the flow can't be met currently. We are currently working on an [implementation of msal that will run in node libraries](https://github.com/AzureAD/microsoft-authentication-library-for-js/projects/4), and as part of that we will explore options to make msal-browser work with server-side components.
+## How do I implement self-service sign-up?
+MSAL Browser supports self-service sign-up in the auth code flow. Please see our docs [here](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_browser.html#popuprequest) for supported prompt values in the request and their expected outcomes, and [here](http://aka.ms/s3u) for an overview of self-service sign-up and configuration changes that need to be made to your Azure tenant. Please note that that self-service sign-up is not available in B2C and test environments.
+
 # Single Sign-On
 ## How to get single sign-on in my application with MSAL.js?
diff --git a/lib/msal-browser/src/request/PopupRequest.ts b/lib/msal-browser/src/request/PopupRequest.ts
index a37806d8e6..ec5394e6b5
--- a/lib/msal-browser/src/request/PopupRequest.ts
+++ b/lib/msal-browser/src/request/PopupRequest.ts
@@ -20,6 +20,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
 * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
 * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
 * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * create: will direct the user to the account creation experience instead of the log in experience
 * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
 * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
 * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
diff --git a/lib/msal-browser/src/request/RedirectRequest.ts b/lib/msal-browser/src/request/RedirectRequest.ts
index 6b1517d231..5c6356c86d
--- a/lib/msal-browser/src/request/RedirectRequest.ts
+++ b/lib/msal-browser/src/request/RedirectRequest.ts
@@ -20,6 +20,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
 * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
 * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
 * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * create: will direct the user to the account creation experience instead of the log in experience
 * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
 * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
 * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
diff --git a/lib/msal-browser/src/request/SsoSilentRequest.ts b/lib/msal-browser/src/request/SsoSilentRequest.ts
index 0252cf6bb2..3d74e5a62f
--- a/lib/msal-browser/src/request/SsoSilentRequest.ts
+++ b/lib/msal-browser/src/request/SsoSilentRequest.ts
@@ -20,6 +20,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
 * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
 * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
 * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * create: will direct the user to the account creation experience instead of the log in experience
 * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
 * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
 * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
diff --git a/lib/msal-common/src/error/ClientConfigurationError.ts b/lib/msal-common/src/error/ClientConfigurationError.ts
index d5cd578a99..df6420c7f6
--- a/lib/msal-common/src/error/ClientConfigurationError.ts
+++ b/lib/msal-common/src/error/ClientConfigurationError.ts
@@ -47,7 +47,7 @@ export const ClientConfigurationErrorMessage = {
 },
 invalidPrompt: {
 code: "invalid_prompt_value",
- desc: "Supported prompt values are 'login', 'select_account', 'consent' and 'none'. Please see here for valid configuration options: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-js-initializing-client-applications#configuration-options",
+ desc: "Supported prompt values are 'login', 'select_account', 'consent', 'create' and 'none'. Please see here for valid configuration options: https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest",
 },
 invalidClaimsRequest: {
 code: "invalid_claims",
diff --git a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts
index 2a5e583647..539591f90a
--- a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts
+++ b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts
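Review bot: The new `desc` string hardcodes the accepted prompt list a second time, while `RequestValidator.validatePrompt` in this same commit starts deriving the accepted set from `PromptValue` at runtime, so the next key added to `PromptValue` will be accepted by the validator yet missing from the error text users read. If importing `PromptValue` into this file does not introduce an import cycle (I cannot see its imports here), building the list in `createInvalidPromptError` instead of in the static message would keep the two in step; otherwise a comment on this entry, `// Keep in sync with PromptValue in utils/Constants.ts`, at least records the coupling. The `ClientConfigurationErrorMessage` object starts and ends outside the hunk.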
@@ -26,6 +26,7 @@ import { AccountInfo } from "../account/AccountInfo";
 * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
 * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
 * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * create: will direct the user to the account creation experience instead of the log in experience
 * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
 * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
 * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
diff --git a/lib/msal-common/src/request/RequestValidator.ts b/lib/msal-common/src/request/RequestValidator.ts
index 46ba3f2116..3844023c43
--- a/lib/msal-common/src/request/RequestValidator.ts
+++ b/lib/msal-common/src/request/RequestValidator.ts
@@ -28,14 +28,13 @@ export class RequestValidator {
 * @param prompt
 */
 static validatePrompt(prompt: string) : void {
- if (
- [
- PromptValue.LOGIN,
- PromptValue.SELECT_ACCOUNT,
- PromptValue.CONSENT,
- PromptValue.NONE
- ].indexOf(prompt) < 0
- ) {
+ const promptValues = [];
+
+ for (const value in PromptValue) {
+ promptValues.push(PromptValue[value]);
+ }
+
+ if (promptValues.indexOf(prompt) < 0) {
 throw ClientConfigurationError.createInvalidPromptError(prompt);
 }
 }
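Review bot: The `for...in` loop at the top of the new `validatePrompt` body enumerates inherited enumerable properties as well as `PromptValue`'s own keys, so the set of `prompt` strings this validator accepts is no longer fixed by `Constants.ts` alone but also by whatever happens to be enumerable on `Object.prototype` at call time; `Object.keys` (own properties only) is the safer and more direct form, e.g. `const promptValues = Object.keys(PromptValue).map((key) => PromptValue[key as keyof typeof PromptValue]);` followed by the existing `if (promptValues.indexOf(prompt) < 0) {`. That rewrite also removes the string-indexed `PromptValue[value]`, which is an implicit `any` if this package compiles with `noImplicitAny` and then leaks into the untyped `promptValues` array, whereas the explicit array the commit deletes was fully typed. A one-line comment above the check, `// Accept exactly the values enumerated in PromptValue`, would record that the accepted set is now data-driven. The `RequestValidator` class starts and ends outside the hunk.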
diff --git a/lib/msal-common/src/utils/Constants.ts b/lib/msal-common/src/utils/Constants.ts
index c72e2634e2..c859277ba1
--- a/lib/msal-common/src/utils/Constants.ts
+++ b/lib/msal-common/src/utils/Constants.ts
@@ -155,6 +155,7 @@ export const PromptValue = {
 SELECT_ACCOUNT: "select_account",
 CONSENT: "consent",
 NONE: "none",
+ CREATE: "create"
 };
 /**
diff --git a/lib/msal-common/test/request/RequestValidator.spec.ts b/lib/msal-common/test/request/RequestValidator.spec.ts
index 479870016e..c7eb0b35bc
--- a/lib/msal-common/test/request/RequestValidator.spec.ts
+++ b/lib/msal-common/test/request/RequestValidator.spec.ts
@@ -26,6 +26,9 @@ describe("RequestValidator unit tests", () => {
 it("PromptValue none", () => {
 RequestValidator.validatePrompt(PromptValue.NONE);
 });
+ it("PromptValue create", () => {
+ RequestValidator.validatePrompt(PromptValue.CREATE);
+ });
 it("Throws InvalidPromptError if invalid prompt value passed in", () => {
 expect(function() { RequestValidator.validatePrompt("")}).toThrowError(ClientConfigurationError.createInvalidPromptError("").message);
 });
diff --git a/lib/msal-node/docs/faq.md b/lib/msal-node/docs/faq.md
index c069ceceab..a3ed4c93d6
--- a/lib/msal-node/docs/faq.md
+++ b/lib/msal-node/docs/faq.md
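Review bot: With `validatePrompt` now iterating `PromptValue` (see the RequestValidator hunk), every key added to this object is immediately accepted by the request validator as a `prompt` value, and nothing at the declaration says so; a comment above the literal, `// Every value here is accepted by RequestValidator.validatePrompt — add entries deliberately`, would make that coupling visible to the next editor. The added `CREATE: "create"` line also drops the trailing comma that `NONE: "none",` and the other entries carry, so the next addition will touch this line again. The `PromptValue` declaration starts outside the hunk.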
@@ -45,6 +45,9 @@ If you want to work around this, please note:
 - **Yarn**: Pass the `--ignore-engines` flag to the `yarn` command.
 - **npm**: Add `engine-strict=false` to your .npmrc file.
+### How do I implement self-service sign-up with MSAL Node?
+MSAL Node supports self-service sign-up in the auth code flow. Please see our docs [here](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationurlrequest) for supported prompt values in the request and their expected outcomes, and [here](http://aka.ms/s3u) for an overview of self-service sign-up and configuration changes that need to be made to your Azure tenant. Please note that that self-service sign-up is not available in B2C and test environments.
+
 ## B2C
 ### How do I handle the password-reset user-flow?
@@ -57,4 +60,4 @@ Our recommendation is to move to the new password reset experience since it simp
 ## Can I use MSAL Node with Microsoft Graph JavaScript SDK?
-Yes, MSAL Node can be used as a custom authentication provider for the [Microsoft Graph JavaScript SDK](https://github.com/microsoftgraph/msgraph-sdk-javascript). For an implementation, please refer to the sample: [Express Web App calling Graph API](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/tree/main/2-Authorization/1-call-graph).
\ No newline at end of file
+Yes, MSAL Node can be used as a custom authentication provider for the [Microsoft Graph JavaScript SDK](https://github.com/microsoftgraph/msgraph-sdk-javascript). For an implementation, please refer to the sample: [Express Web App calling Graph API](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/tree/main/2-Authorization/1-call-graph).
diff --git a/lib/msal-node/src/request/AuthorizationUrlRequest.ts b/lib/msal-node/src/request/AuthorizationUrlRequest.ts
index 88f93c6ef9..3a01fcc22c
--- a/lib/msal-node/src/request/AuthorizationUrlRequest.ts
+++ b/lib/msal-node/src/request/AuthorizationUrlRequest.ts
@@ -23,6 +23,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
 * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
 * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
 * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
+ * create: will direct the user to the account creation experience instead of the log in experience
 * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
 * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
 * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.