AzureAD · sameerag · Feb 8, 2022 · Oct 15, 2021 · Oct 18, 2021 · Nov 4, 2021
diff --git a/change/@azure-msal-common-c6e1491d-69c4-401a-993b-092a2fc5532a.json b/change/@azure-msal-common-c6e1491d-69c4-401a-993b-092a2fc5532a.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Support proxy in msal-node(#4447)",
+  "packageName": "@azure/msal-common",
+  "email": "sameera.gajjarapu@microsoft.com",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-7fea4c17-70fb-4abf-8a56-186d5023dce6.json b/change/@azure-msal-node-7fea4c17-70fb-4abf-8a56-186d5023dce6.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Support proxy in msal-node(#4447)",
+  "packageName": "@azure/msal-node",
+  "email": "sameera.gajjarapu@microsoft.com",
+  "dependentChangeType": "patch"
+}
@@ -42,15 +42,18 @@ export class Authority {
     private regionDiscovery: RegionDiscovery;
     // Region discovery metadata
     public regionDiscoveryMetadata: RegionDiscoveryMetadata;
+    // Proxy url string
+    private proxyUrl: string;
 
-    constructor(authority: string, networkInterface: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions) {
+    constructor(authority: string, networkInterface: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions, proxyUrl: string) {
         this.canonicalAuthority = authority;
         this._canonicalAuthority.validateAsUri();
         this.networkInterface = networkInterface;
         this.cacheManager = cacheManager;
         this.authorityOptions = authorityOptions;
         this.regionDiscovery = new RegionDiscovery(networkInterface);
         this.regionDiscoveryMetadata = { region_used: undefined, region_source: undefined, region_outcome: undefined };
+        this.proxyUrl = proxyUrl;
     }
 
     // See above for AuthorityType
@@ -271,7 +274,7 @@ export class Authority {
         if (metadata) {
             // If the user prefers to use an azure region replace the global endpoints with regional information.
             if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
-                const autodetectedRegionName = await this.regionDiscovery.detectRegion(this.authorityOptions.azureRegionConfiguration.environmentRegion, this.regionDiscoveryMetadata);
+                const autodetectedRegionName = await this.regionDiscovery.detectRegion(this.authorityOptions.azureRegionConfiguration.environmentRegion, this.regionDiscoveryMetadata, this.proxyUrl);
 
                 const azureRegion = this.authorityOptions.azureRegionConfiguration.azureRegion === Constants.AZURE_REGION_AUTO_DISCOVER_FLAG 
                     ? autodetectedRegionName 
@@ -335,8 +338,13 @@ export class Authority {
      * Gets OAuth endpoints from the given OpenID configuration endpoint.
      */
     private async getEndpointMetadataFromNetwork(): Promise<OpenIdConfigResponse | null> {
+        const options = {};
+        if (this.proxyUrl.length) {
+            options["proxyUrl"] = this.proxyUrl;
+        }
+
         try {
-            const response = await this.networkInterface.sendGetRequestAsync<OpenIdConfigResponse>(this.defaultOpenIdConfigurationEndpoint);
+            const response = await this.networkInterface.sendGetRequestAsync<OpenIdConfigResponse>(this.defaultOpenIdConfigurationEndpoint, options);
             return isOpenIdConfigResponse(response.body) ? response.body : null;
         } catch (e) {
             return null;
@@ -402,9 +410,14 @@ export class Authority {
      */
     private async getCloudDiscoveryMetadataFromNetwork(): Promise<CloudDiscoveryMetadata | null> {
         const instanceDiscoveryEndpoint = `${Constants.AAD_INSTANCE_DISCOVERY_ENDPT}${this.canonicalAuthority}oauth2/v2.0/authorize`;
+        const options = {};
+        if (this.proxyUrl.length) {
+            options["proxyUrl"] = this.proxyUrl;
+        }
+
         let match = null;
         try {
-            const response = await this.networkInterface.sendGetRequestAsync<CloudInstanceDiscoveryResponse>(instanceDiscoveryEndpoint);
+            const response = await this.networkInterface.sendGetRequestAsync<CloudInstanceDiscoveryResponse>(instanceDiscoveryEndpoint, options);
             const metadata = isCloudInstanceDiscoveryResponse(response.body) ? response.body.metadata : [];
             if (metadata.length === 0) {
                 // If no metadata is returned, authority is untrusted

@@ -23,9 +23,9 @@ export class AuthorityFactory {
      * @param networkClient
      * @param protocolMode
      */
-    static async createDiscoveredInstance(authorityUri: string, networkClient: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions): Promise<Authority> {
+    static async createDiscoveredInstance(authorityUri: string, networkClient: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions, proxyUrl: string): Promise<Authority> {
         // Initialize authority and perform discovery endpoint check.
-        const acquireTokenAuthority: Authority = AuthorityFactory.createInstance(authorityUri, networkClient, cacheManager, authorityOptions);
+        const acquireTokenAuthority: Authority = AuthorityFactory.createInstance(authorityUri, networkClient, cacheManager, authorityOptions, proxyUrl);
 
         try {
             await acquireTokenAuthority.resolveEndpointsAsync();
@@ -45,12 +45,12 @@ export class AuthorityFactory {
      * @param networkInterface
      * @param protocolMode
      */
-    static createInstance(authorityUrl: string, networkInterface: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions): Authority {
+    static createInstance(authorityUrl: string, networkInterface: INetworkModule, cacheManager: ICacheManager, authorityOptions: AuthorityOptions, proxyUrl: string): Authority {
         // Throw error if authority url is empty
         if (StringUtils.isEmpty(authorityUrl)) {
             throw ClientConfigurationError.createUrlEmptyError();
         }
 
-        return new Authority(authorityUrl, networkInterface, cacheManager, authorityOptions);
+        return new Authority(authorityUrl, networkInterface, cacheManager, authorityOptions, proxyUrl);
     }
 }
@@ -24,28 +24,33 @@ export class RegionDiscovery {
      * 
      * @returns Promise<string | null>
      */
-    public async detectRegion(environmentRegion: string | undefined, regionDiscoveryMetadata: RegionDiscoveryMetadata): Promise<string | null> {
+    public async detectRegion(environmentRegion: string | undefined, regionDiscoveryMetadata: RegionDiscoveryMetadata, proxyUrl: string): Promise<string | null> {
         // Initialize auto detected region with the region from the envrionment 
         let autodetectedRegionName = environmentRegion;
 
         // Check if a region was detected from the environment, if not, attempt to get the region from IMDS 
         if (!autodetectedRegionName) {
+            const options = RegionDiscovery.IMDS_OPTIONS;
+            if (proxyUrl.length) {
+                options["proxyUrl"] = proxyUrl;
+            }
+
             try {
-                const localIMDSVersionResponse = await this.getRegionFromIMDS(Constants.IMDS_VERSION);
+                const localIMDSVersionResponse = await this.getRegionFromIMDS(Constants.IMDS_VERSION, options);
                 if (localIMDSVersionResponse.status === ResponseCodes.httpSuccess) {
                     autodetectedRegionName = localIMDSVersionResponse.body;
                     regionDiscoveryMetadata.region_source = RegionDiscoverySources.IMDS;
                 } 
 
                 // If the response using the local IMDS version failed, try to fetch the current version of IMDS and retry. 
                 if (localIMDSVersionResponse.status === ResponseCodes.httpBadRequest) {
-                    const currentIMDSVersion = await this.getCurrentVersion();
+                    const currentIMDSVersion = await this.getCurrentVersion(options);
                     if (!currentIMDSVersion) {
                         regionDiscoveryMetadata.region_source = RegionDiscoverySources.FAILED_AUTO_DETECTION;
                         return null;
                     }
 
-                    const currentIMDSVersionResponse = await this.getRegionFromIMDS(currentIMDSVersion);
+                    const currentIMDSVersionResponse = await this.getRegionFromIMDS(currentIMDSVersion, options);
                     if (currentIMDSVersionResponse.status === ResponseCodes.httpSuccess) {
                         autodetectedRegionName = currentIMDSVersionResponse.body;
                         regionDiscoveryMetadata.region_source = RegionDiscoverySources.IMDS;
@@ -73,18 +78,18 @@ export class RegionDiscovery {
      * @param imdsEndpointUrl
      * @returns Promise<NetworkResponse<string>>
      */
-    private async getRegionFromIMDS(version: string): Promise<NetworkResponse<string>> {
-        return this.networkInterface.sendGetRequestAsync<string>(`${Constants.IMDS_ENDPOINT}?api-version=${version}&format=text`, RegionDiscovery.IMDS_OPTIONS, Constants.IMDS_TIMEOUT);
+    private async getRegionFromIMDS(version: string, options: object): Promise<NetworkResponse<string>> {
+        return this.networkInterface.sendGetRequestAsync<string>(`${Constants.IMDS_ENDPOINT}?api-version=${version}&format=text`, options, Constants.IMDS_TIMEOUT);
     }
 
     /**
      * Get the most recent version of the IMDS endpoint available
      *  
      * @returns Promise<string | null>
      */
-    private async getCurrentVersion(): Promise<string | null> {
+    private async getCurrentVersion(options: object): Promise<string | null> {
         try {
-            const response = await this.networkInterface.sendGetRequestAsync<IMDSBadResponse>(`${Constants.IMDS_ENDPOINT}?format=json`, RegionDiscovery.IMDS_OPTIONS);
+            const response = await this.networkInterface.sendGetRequestAsync<IMDSBadResponse>(`${Constants.IMDS_ENDPOINT}?format=json`, options);
 
             // When IMDS endpoint is called without the api version query param, bad request response comes back with latest version.
             if (response.status === ResponseCodes.httpBadRequest && response.body && response.body["newest-versions"] && response.body["newest-versions"].length > 0) {

@@ -109,7 +109,7 @@ export abstract class BaseClient {
         const response = await this.networkManager.sendPostRequest<ServerAuthorizationTokenResponse>(
             thumbprint,
             tokenEndpoint,
-            { body: queryString, headers: headers }
+            { body: queryString, headers: headers, proxyUrl: this.config.systemOptions.proxyUrl }
         );
 
         if (this.config.serverTelemetryManager && response.status < 500 && response.status !== 429) {
@@ -122,7 +122,7 @@ export abstract class BaseClient {
 
     /**
      * Updates the authority object of the client. Endpoint discovery must be completed.
-     * @param updatedAuthority 
+     * @param updatedAuthority
      */
     updateAuthority(updatedAuthority: Authority): void {
         if (!updatedAuthority.discoveryComplete()) {

@@ -106,7 +106,8 @@ export class DeviceCodeClient extends BaseClient {
             deviceCodeEndpoint,
             {
                 body: queryString,
-                headers: headers
+                headers: headers,
+                proxyUrl: this.config.systemOptions.proxyUrl
             });
 
         return {

@@ -83,6 +83,7 @@ export type AuthOptions = {
 export type SystemOptions = {
     tokenRenewalOffsetSeconds?: number;
     preventCorsPreflight?: boolean;
+    proxyUrl?: string;
 };
 
 /**
@@ -123,7 +124,8 @@ export type ClientCredentials = {
 
 export const DEFAULT_SYSTEM_OPTIONS: Required<SystemOptions> = {
     tokenRenewalOffsetSeconds: DEFAULT_TOKEN_RENEWAL_OFFSET_SEC,
-    preventCorsPreflight: false
+    preventCorsPreflight: false,
+    proxyUrl: "",
 };
 
 const DEFAULT_LOGGER_IMPLEMENTATION: Required<LoggerOptions> = {
@@ -179,9 +181,9 @@ export function buildClientConfiguration(
         persistencePlugin: persistencePlugin,
         serializableCache: serializableCache
     }: ClientConfiguration): CommonClientConfiguration {
-    
+
     const loggerOptions = { ...DEFAULT_LOGGER_IMPLEMENTATION, ...userLoggerOption };
-    
+
     return {
         authOptions: buildAuthOptions(userAuthOptions),
         systemOptions: { ...DEFAULT_SYSTEM_OPTIONS, ...userSystemOptions },

@@ -12,6 +12,7 @@ import { NetworkResponse } from "./NetworkManager";
 export type NetworkRequestOptions = {
     headers?: Record<string, string>,
     body?: string;
+    proxyUrl?: string;
 };
 
 /**

@@ -20,7 +20,7 @@ export class UrlString {
     public get urlString(): string {
         return this._urlString;
     }
-    
+
     constructor(url: string) {
         this._urlString = url;
         if (StringUtils.isEmpty(this._urlString)) {
@@ -35,7 +35,7 @@ export class UrlString {
 
     /**
      * Ensure urls are lower case and end with a / character.
-     * @param url 
+     * @param url
      */
     static canonicalizeUri(url: string): string {
         if (url) {
@@ -82,8 +82,8 @@ export class UrlString {
 
     /**
      * Given a url and a query string return the url with provided query string appended
-     * @param url 
-     * @param queryString 
+     * @param url
+     * @param queryString
      */
     static appendQueryString(url: string, queryString: string): string {
         if (StringUtils.isEmpty(queryString)) {
@@ -95,7 +95,7 @@ export class UrlString {
 
     /**
      * Returns a url with the hash removed
-     * @param url 
+     * @param url
      */
     static removeHashFromUrl(url: string): string {
         return UrlString.canonicalizeUri(url.split("#")[0]);
@@ -173,13 +173,13 @@ export class UrlString {
 
             return baseComponents.Protocol + "//" + baseComponents.HostNameAndPort + relativeUrl;
         }
-        
+
         return relativeUrl;
     }
-    
+
     /**
      * Parses hash string from given string. Returns empty string if no hash symbol is found.
-     * @param hashString 
+     * @param hashString
      */
     static parseHash(hashString: string): string {
         const hashIndex1 = hashString.indexOf("#");

@@ -60,6 +60,7 @@
   "dependencies": {
     "@azure/msal-common": "^6.0.0",
     "axios": "^0.21.4",
+    "https-proxy-agent": "^5.0.0",
     "jsonwebtoken": "^8.5.1",
     "uuid": "^8.3.0"
   },

@@ -301,6 +301,9 @@ export abstract class ClientApplication {
                 authority: discoveredAuthority,
                 clientCapabilities: this.config.auth.clientCapabilities
             },
+            systemOptions: {
+                proxyUrl: this.config.system.proxyUrl,
+            },
             loggerOptions: {
                 logLevel: this.config.system.loggerOptions.logLevel,
                 loggerCallback: this.config.system.loggerOptions
@@ -387,6 +390,6 @@ export abstract class ClientApplication {
             authorityMetadata: this.config.auth.authorityMetadata,
             azureRegionConfiguration
         };
-        return await AuthorityFactory.createDiscoveredInstance(authorityString, this.config.system.networkClient, this.storage, authorityOptions);
+        return await AuthorityFactory.createDiscoveredInstance(authorityString, this.config.system.networkClient, this.storage, authorityOptions, this.config.system.proxyUrl);
     }
 }
@@ -59,6 +59,7 @@ export type CacheOptions = {
 export type NodeSystemOptions = {
     loggerOptions?: LoggerOptions;
     networkClient?: INetworkModule;
+    proxyUrl?: string;
 };
 
 /**
@@ -105,6 +106,7 @@ const DEFAULT_LOGGER_OPTIONS: LoggerOptions = {
 const DEFAULT_SYSTEM_OPTIONS: Required<NodeSystemOptions> = {
     loggerOptions: DEFAULT_LOGGER_OPTIONS,
     networkClient: NetworkUtils.getNetworkClient(),
+    proxyUrl: "",
 };
 
 export type NodeConfiguration = {