
@azure/msal-common

Comparing version 14.2.0 to 14.3.0

dist/cache/utils/CacheHelpers.d.ts

201

dist/authority/AuthorityMetadata.d.ts

@@ -0,1 +1,4 @@

import { Logger } from "../logger/Logger";
import { AuthorityMetadataSource } from "../utils/Constants";
import { StaticAuthorityOptions } from "./AuthorityOptions";
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata";

@@ -231,83 +234,9 @@ export declare const rawMetdataJSON: {

instanceDiscoveryMetadata: {
"https://login.microsoftonline.com/common/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.chinacloudapi.cn/common/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.us/common/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.com/consumers/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.chinacloudapi.cn/consumers/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.us/consumers/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.com/organizations/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.chinacloudapi.cn/organizations/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.us/organizations/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};

@@ -543,98 +472,30 @@ };

export declare const InstanceDiscoveryMetadata: {
"https://login.microsoftonline.com/common/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.chinacloudapi.cn/common/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.us/common/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.com/consumers/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.chinacloudapi.cn/consumers/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.us/consumers/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.com/organizations/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.chinacloudapi.cn/organizations/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
"https://login.microsoftonline.us/organizations/": {
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
tenant_discovery_endpoint: string;
"api-version": string;
metadata: {
preferred_network: string;
preferred_cache: string;
aliases: string[];
}[];
};
export declare const InstanceDiscoveryMetadataAliases: Set<String>;
/**
* Returns aliases for the given canonical authority if found in hardcoded Instance Discovery Metadata or null if not found
* @param canonicalAuthority
* Attempts to get an aliases array from the static authority metadata sources based on the canonical authority host
* @param staticAuthorityOptions
* @param logger
* @returns
*/
export declare function getHardcodedAliasesForCanonicalAuthority(canonicalAuthority?: string): string[] | null;
export declare function getAliasesFromStaticSources(staticAuthorityOptions: StaticAuthorityOptions, logger?: Logger): string[];
/**
* Returns aliases for from the raw cloud discovery metadata given in configuration or null if no configuration was provided
* Returns aliases for from the raw cloud discovery metadata passed in
* @param authorityHost
* @param rawCloudDiscoveryMetadata
* @returns
*/
export declare function getAliasesFromConfigMetadata(canonicalAuthority?: string, cloudDiscoveryMetadata?: CloudDiscoveryMetadata[]): string[] | null;
export declare function getAliasesFromMetadata(authorityHost?: string, cloudDiscoveryMetadata?: CloudDiscoveryMetadata[], source?: AuthorityMetadataSource, logger?: Logger): string[] | null;
/**
* Get cloud discovery metadata for common authorities
*/
export declare function getCloudDiscoveryMetadataFromHardcodedValues(authorityHost: string): CloudDiscoveryMetadata | null;
/**
* Searches instance discovery network response for the entry that contains the host in the aliases list

@@ -644,7 +505,3 @@ * @param response

*/
export declare function getCloudDiscoveryMetadataFromNetworkResponse(response: CloudDiscoveryMetadata[], authority: string): CloudDiscoveryMetadata | null;
/**
* Get cloud discovery metadata for common authorities
*/
export declare function getCloudDiscoveryMetadataFromHardcodedValues(canonicalAuthority: string): CloudDiscoveryMetadata | null;
export declare function getCloudDiscoveryMetadataFromNetworkResponse(response: CloudDiscoveryMetadata[], authorityHost: string): CloudDiscoveryMetadata | null;
//# sourceMappingURL=AuthorityMetadata.d.ts.map
import { ProtocolMode } from "./ProtocolMode";
import { OIDCOptions } from "./OIDCOptions";
import { AzureRegionConfiguration } from "./AzureRegionConfiguration";
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata";
import { CloudInstanceDiscoveryResponse } from "./CloudInstanceDiscoveryResponse";
export type AuthorityOptions = {

@@ -17,3 +17,3 @@ protocolMode: ProtocolMode;

canonicalAuthority?: string;
cloudDiscoveryMetadata?: CloudDiscoveryMetadata[];
cloudDiscoveryMetadata?: CloudInstanceDiscoveryResponse;
};
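Review bot: The `cloudDiscoveryMetadata` option changes from `CloudDiscoveryMetadata[]` to `CloudInstanceDiscoveryResponse` with no comment explaining that callers must now pass the whole instance-discovery response object rather than the bare metadata array, so a consumer upgrading from 14.2 only finds out from a compile error. I would document the field inline: `/** Parsed instance discovery response; the aliases are read from its `metadata` array (the bare array accepted in 14.2 is no longer valid) */`. The `CloudDiscoveryMetadata` import on the line above the hunk may now be unused in this file; worth checking since the rest of the type runs outside the hunk.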

@@ -20,0 +20,0 @@ export declare const AzureCloudInstance: {

import { CredentialEntity } from "./CredentialEntity";
import { AuthenticationScheme } from "../../utils/Constants";
import { ICrypto } from "../../crypto/ICrypto";
/**
* ACCESS_TOKEN Credential Type
*
* Key:Value Schema:
*
* Key Example: uid.utid-login.microsoftonline.com-accesstoken-clientId-contoso.com-user.read
*
* Value Schema:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* familyId: Family ID identifier, usually only used for refresh tokens
* realm: Full tenant or organizational identifier that the account belongs to
* target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
* cachedAt: Absolute device time when entry was created in the cache.
* expiresOn: Token expiry time, calculated based on current UTC time in seconds. Represented as a string.
* extendedExpiresOn: Additional extended expiry time until when token is valid in case of server-side outage. Represented as string in UTC seconds.
* keyId: used for POP and SSH tokenTypes
* tokenType: Type of the token issued. Usually "Bearer"
* }
* Access token cache type
*/
export declare class AccessTokenEntity extends CredentialEntity {
export type AccessTokenEntity = CredentialEntity & {
/** Full tenant or organizational identifier that the account belongs to */
realm: string;
/** Permissions that are included in the token, or for refresh tokens, the resource identifier. */
target: string;
/** Absolute device time when entry was created in the cache. */
cachedAt: string;
/** Token expiry time, calculated based on current UTC time in seconds. Represented as a string. */
expiresOn: string;
/** Additional extended expiry time until when token is valid in case of server-side outage. Represented as string in UTC seconds. */
extendedExpiresOn?: string;
/** Used for proactive refresh */
refreshOn?: string;
keyId?: string;
/** Matches the authentication scheme for which the token was issued (i.e. Bearer or pop) */
tokenType?: AuthenticationScheme;
/** Stringified claims object */
requestedClaims?: string;
/** Matches the SHA 256 hash of the claims object included in the token request */
requestedClaimsHash?: string;
/**
* Create AccessTokenEntity
* @param homeAccountId
* @param environment
* @param accessToken
* @param clientId
* @param tenantId
* @param scopes
* @param expiresOn
* @param extExpiresOn
*/
static createAccessTokenEntity(homeAccountId: string, environment: string, accessToken: string, clientId: string, tenantId: string, scopes: string, expiresOn: number, extExpiresOn: number, cryptoUtils: ICrypto, refreshOn?: number, tokenType?: AuthenticationScheme, userAssertionHash?: string, keyId?: string, requestedClaims?: string, requestedClaimsHash?: string): AccessTokenEntity;
/**
* Validates an entity: checks for all expected params
* @param entity
*/
static isAccessTokenEntity(entity: object): boolean;
}
};
//# sourceMappingURL=AccessTokenEntity.d.ts.map
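Review bot: `keyId?: string;` in the new `AccessTokenEntity` type is the only member without a doc comment while every neighbouring field has one; `CredentialEntity` already describes the same field as `/** KeyId for PoP and SSH tokens stored in the kid claim */`, so the same line should be carried over here. The hunk also drops the `isAccessTokenEntity` validator together with the class; if the equivalent check now lives in `CacheHelpers` (exported in this version), the header comment could say so, because callers that validated deserialized cache entries with the static method will otherwise look for a replacement. This is a generated `.d.ts`, so the fix belongs in the source entity file.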
import { CredentialType, AuthenticationScheme } from "../../utils/Constants";
/**
* Base type for credentials to be stored in the cache: eg: ACCESS_TOKEN, ID_TOKEN etc
*
* Key:Value Schema:
*
* Key: <home_account_id*>-<environment>-<credential_type>-<client_id>-<realm*>-<target*>-<requestedClaims*>-<scheme*>
*
* Value Schema:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* familyId: Family ID identifier, usually only used for refresh tokens
* realm: Full tenant or organizational identifier that the account belongs to
* target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
* tokenType: Matches the authentication scheme for which the token was issued (i.e. Bearer or pop)
* requestedClaimsHash: Matches the SHA 256 hash of the claims object included in the token request
* userAssertionHash: Matches the SHA 256 hash of the obo_assertion for the OBO flow
* }
* Credential Cache Type
*/
export declare class CredentialEntity {
export type CredentialEntity = {
/** Identifier for the user in their home tenant*/
homeAccountId: string;
/** Entity that issued the token, represented as a full host */
environment: string;
/** Type of credential */
credentialType: CredentialType;
/** Client ID of the application */
clientId: string;
/** Actual credential as a string */
secret: string;
/** Family ID identifier, usually only used for refresh tokens */
familyId?: string;
/** Full tenant or organizational identifier that the account belongs to */
realm?: string;
/** Permissions that are included in the token, or for refresh tokens, the resource identifier. */
target?: string;
/** Matches the SHA 256 hash of the obo_assertion for the OBO flow */
userAssertionHash?: string;
/** Matches the authentication scheme for which the token was issued (i.e. Bearer or pop) */
tokenType?: AuthenticationScheme;
/** KeyId for PoP and SSH tokens stored in the kid claim */
keyId?: string;
/** Matches the SHA 256 hash of the claims object included in the token request */
requestedClaimsHash?: string;
/**
* Generate Account Id key component as per the schema: <home_account_id>-<environment>
*/
generateAccountId(): string;
/**
* Generate Credential Id key component as per the schema: <credential_type>-<client_id>-<realm>
*/
generateCredentialId(): string;
/**
* Generate target key component as per schema: <target>
*/
generateTarget(): string;
/**
* generates credential key
*/
generateCredentialKey(): string;
/**
* returns the type of the cache (in this case credential)
*/
generateType(): number;
/**
* generates credential key
* <home_account_id*>-\<environment>-<credential_type>-<client_id>-<realm\*>-<target\*>-<scheme\*>
*/
static generateCredentialCacheKey(homeAccountId: string, environment: string, credentialType: CredentialType, clientId: string, realm?: string, target?: string, familyId?: string, tokenType?: AuthenticationScheme, requestedClaimsHash?: string): string;
/**
* generates Account Id for keys
* @param homeAccountId
* @param environment
*/
private static generateAccountIdForCacheKey;
/**
* Generates Credential Id for keys
* @param credentialType
* @param realm
* @param clientId
* @param familyId
*/
private static generateCredentialIdForCacheKey;
/**
* Generate target key component as per schema: <target>
*/
private static generateTargetForCacheKey;
/**
* Generate requested claims key component as per schema: <requestedClaims>
*/
private static generateClaimsHashForCacheKey;
/**
* Generate scheme key componenet as per schema: <scheme>
*/
private static generateSchemeForCacheKey;
}
};
//# sourceMappingURL=CredentialEntity.d.ts.map
import { CredentialEntity } from "./CredentialEntity";
/**
* ID_TOKEN Cache
*
* Key:Value Schema:
*
* Key Example: uid.utid-login.microsoftonline.com-idtoken-clientId-contoso.com-
*
* Value Schema:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* realm: Full tenant or organizational identifier that the account belongs to
* }
* Id Token Cache Type
*/
export declare class IdTokenEntity extends CredentialEntity {
export type IdTokenEntity = CredentialEntity & {
/** Full tenant or organizational identifier that the account belongs to */
realm: string;
/**
* Create IdTokenEntity
* @param homeAccountId
* @param authenticationResult
* @param clientId
* @param authority
*/
static createIdTokenEntity(homeAccountId: string, environment: string, idToken: string, clientId: string, tenantId: string): IdTokenEntity;
/**
* Validates an entity: checks for all expected params
* @param entity
*/
static isIdTokenEntity(entity: object): boolean;
}
};
//# sourceMappingURL=IdTokenEntity.d.ts.map
import { CredentialEntity } from "./CredentialEntity";
/**
* REFRESH_TOKEN Cache
*
* Key:Value Schema:
*
* Key Example: uid.utid-login.microsoftonline.com-refreshtoken-clientId--
*
* Value:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* familyId: Family ID identifier, '1' represents Microsoft Family
* realm: Full tenant or organizational identifier that the account belongs to
* target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
* }
* Refresh Token Cache Type
*/
export declare class RefreshTokenEntity extends CredentialEntity {
familyId?: string;
/**
* Create RefreshTokenEntity
* @param homeAccountId
* @param authenticationResult
* @param clientId
* @param authority
*/
static createRefreshTokenEntity(homeAccountId: string, environment: string, refreshToken: string, clientId: string, familyId?: string, userAssertionHash?: string): RefreshTokenEntity;
/**
* Validates an entity: checks for all expected params
* @param entity
*/
static isRefreshTokenEntity(entity: object): boolean;
}
export type RefreshTokenEntity = CredentialEntity;
//# sourceMappingURL=RefreshTokenEntity.d.ts.map

@@ -45,3 +45,3 @@ import { ClientConfiguration, CommonClientConfiguration } from "../config/ClientConfiguration";

*/
updateAuthority(updatedAuthority: Authority): void;
updateAuthority(cloudInstanceHostname: string, correlationId: string): Promise<void>;
/**
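Review bot: `updateAuthority` changes from a synchronous `void` method to `Promise<void>`, which is a silent breaking change for any caller that invokes it without awaiting — the call will return before the authority is actually updated and a rejection becomes unhandled. The declaration should say this and what it now does with the hostname: `@returns Promise that resolves once the authority for cloudInstanceHostname has been resolved and applied; callers must await it`. The enclosing class starts outside the hunk, so I cannot see whether the old `Authority`-taking overload was kept for compatibility.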

@@ -48,0 +48,0 @@ * Creates query string for the /token request

@@ -29,2 +29,3 @@ /**

export { CredentialEntity } from "./cache/entities/CredentialEntity";
export * as CacheHelpers from "./cache/utils/CacheHelpers";
export { AppMetadataEntity } from "./cache/entities/AppMetadataEntity";

@@ -31,0 +32,0 @@ export { AccountEntity } from "./cache/entities/AccountEntity";

export declare const name = "@azure/msal-common";
export declare const version = "14.2.0";
export declare const version = "14.3.0";
//# sourceMappingURL=packageMetadata.d.ts.map

@@ -33,6 +33,6 @@ import { ServerAuthorizationTokenResponse } from "./ServerAuthorizationTokenResponse";

* @param serverResponseHash
* @param cachedState
* @param requestState
* @param cryptoObj
*/
validateServerAuthorizationCodeResponse(serverResponseHash: ServerAuthorizationCodeResponse, cachedState: string, cryptoObj: ICrypto): void;
validateServerAuthorizationCodeResponse(serverResponse: ServerAuthorizationCodeResponse, requestState: string): void;
/**
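Review bot: The JSDoc above `validateServerAuthorizationCodeResponse` still lists `@param serverResponseHash`, `@param cachedState` and `@param cryptoObj`, none of which exist on the new signature `(serverResponse, requestState)`, so the generated declaration documents parameters that were removed. The block should be reduced to `@param serverResponse` and `@param requestState`, with a sentence stating that the `state` in the response is compared against `requestState` and that a mismatch is rejected, since that comparison is the caller's CSRF protection for the authorization code flow. The comment block itself begins above the hunk, so the edit is in the source file's JSDoc rather than this `.d.ts`.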

@@ -39,0 +39,0 @@ * Function which validates server authorization token response.

@@ -13,3 +13,3 @@ {

},
"version": "14.2.0",
"version": "14.3.0",
"description": "Microsoft Authentication Library for js",

@@ -16,0 +16,0 @@ "keywords": [

@@ -858,3 +858,3 @@ /*

getCloudDiscoveryMetadataFromHardcodedValues(
this.canonicalAuthority
this.hostnameAndPort
);

@@ -1268,9 +1268,7 @@ if (hardcodedMetadata) {

const rawCloudDiscoveryMetadata = authOptions.cloudDiscoveryMetadata;
let cloudDiscoveryMetadata: CloudDiscoveryMetadata[] | undefined =
let cloudDiscoveryMetadata: CloudInstanceDiscoveryResponse | undefined =
undefined;
if (rawCloudDiscoveryMetadata) {
try {
cloudDiscoveryMetadata = JSON.parse(
rawCloudDiscoveryMetadata
).metadata;
cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
} catch (e) {
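Review bot: `cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);` assigns an untyped `any` to `CloudInstanceDiscoveryResponse | undefined` without checking the shape, and the new consumer (`getAliasesFromMetadata` → `getCloudDiscoveryMetadataFromNetworkResponse`) dereferences `.metadata.length` and `entry.aliases.includes` on it, so a configured value that parses as JSON but lacks `metadata` or `aliases` fails later with a `TypeError` instead of the `createClientConfigurationError` the catch below raises for unparseable input. Parsing into `unknown` and validating the shape before the assignment keeps the failure inside this try/catch; since the throw happens inside the `try`, the existing catch converts it, which is why the fence reuses that error. The enclosing `if (rawCloudDiscoveryMetadata)` block and its catch body continue outside the hunk.
```typescript
const parsed: unknown = JSON.parse(rawCloudDiscoveryMetadata);
const candidate = parsed as Partial<CloudInstanceDiscoveryResponse> | null;
if (
    !candidate ||
    !Array.isArray(candidate.metadata) ||
    !candidate.metadata.every((entry) => Array.isArray(entry?.aliases))
) {
    // same configuration error the catch below raises for unparseable JSON
    throw createClientConfigurationError(/* error code used in the catch below */);
}
cloudDiscoveryMetadata = candidate;
// … unchanged: catch (e) { throw createClientConfigurationError(…) } …
```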

@@ -1277,0 +1275,0 @@ throw createClientConfigurationError(

@@ -6,3 +6,6 @@ /*

import { Logger } from "../logger/Logger";
import { UrlString } from "../url/UrlString";
import { AuthorityMetadataSource } from "../utils/Constants";
import { StaticAuthorityOptions } from "./AuthorityOptions";
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata";

@@ -556,389 +559,43 @@

instanceDiscoveryMetadata: {
"https://login.microsoftonline.com/common/": {
tenant_discovery_endpoint:
"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.chinacloudapi.cn/common/": {
tenant_discovery_endpoint:
"https://login.chinacloudapi.cn/common/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.microsoftonline.us/common/": {
tenant_discovery_endpoint:
"https://login.microsoftonline.us/common/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.microsoftonline.com/consumers/": {
tenant_discovery_endpoint:
"https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.chinacloudapi.cn/consumers/": {
tenant_discovery_endpoint:
"https://login.chinacloudapi.cn/consumers/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.microsoftonline.us/consumers/": {
tenant_discovery_endpoint:
"https://login.microsoftonline.us/consumers/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.microsoftonline.com/organizations/": {
tenant_discovery_endpoint:
"https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.chinacloudapi.cn/organizations/": {
tenant_discovery_endpoint:
"https://login.chinacloudapi.cn/organizations/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
"https://login.microsoftonline.us/organizations/": {
tenant_discovery_endpoint:
"https://login.microsoftonline.us/organizations/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
tenant_discovery_endpoint:
"https://{canonicalAuthority}/v2.0/.well-known/openid-configuration",
"api-version": "1.1",
metadata: [
{
preferred_network: "login.microsoftonline.com",
preferred_cache: "login.windows.net",
aliases: [
"login.microsoftonline.com",
"login.windows.net",
"login.microsoft.com",
"sts.windows.net",
],
},
{
preferred_network: "login.partner.microsoftonline.cn",
preferred_cache: "login.partner.microsoftonline.cn",
aliases: [
"login.partner.microsoftonline.cn",
"login.chinacloudapi.cn",
],
},
{
preferred_network: "login.microsoftonline.de",
preferred_cache: "login.microsoftonline.de",
aliases: ["login.microsoftonline.de"],
},
{
preferred_network: "login.microsoftonline.us",
preferred_cache: "login.microsoftonline.us",
aliases: [
"login.microsoftonline.us",
"login.usgovcloudapi.net",
],
},
{
preferred_network: "login-us.microsoftonline.com",
preferred_cache: "login-us.microsoftonline.com",
aliases: ["login-us.microsoftonline.com"],
},
],
},
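Review bot: The single remaining hardcoded entry sets `tenant_discovery_endpoint` to `"https://{canonicalAuthority}/v2.0/.well-known/openid-configuration"`, a template rather than a real URL, whereas every entry it replaces carried a concrete endpoint; anything that still reads `tenant_discovery_endpoint` from `InstanceDiscoveryMetadata` and requests it verbatim will try to resolve the literal host `{canonicalAuthority}`. If the field is only kept for type compatibility and the placeholder is substituted elsewhere, a comment on the line should say so: `// template only: "{canonicalAuthority}" is replaced by the caller before use, never fetched as-is`. I cannot see the consumer from this hunk, so this is an inference to confirm.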

@@ -952,48 +609,73 @@ };

export const InstanceDiscoveryMetadataAliases: Set<String> = new Set();
for (const key in InstanceDiscoveryMetadata) {
for (const metadata of InstanceDiscoveryMetadata[key].metadata) {
for (const alias of metadata.aliases) {
InstanceDiscoveryMetadata.metadata.forEach(
(metadataEntry: CloudDiscoveryMetadata) => {
metadataEntry.aliases.forEach((alias: string) => {
InstanceDiscoveryMetadataAliases.add(alias);
}
});
}
}
);
/**
* Returns aliases for the given canonical authority if found in hardcoded Instance Discovery Metadata or null if not found
* @param canonicalAuthority
* Attempts to get an aliases array from the static authority metadata sources based on the canonical authority host
* @param staticAuthorityOptions
* @param logger
* @returns
*/
export function getHardcodedAliasesForCanonicalAuthority(
canonicalAuthority?: string
): string[] | null {
export function getAliasesFromStaticSources(
staticAuthorityOptions: StaticAuthorityOptions,
logger?: Logger
): string[] {
let staticAliases: string[] | undefined;
const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
if (canonicalAuthority) {
const instanceDiscoveryMetadata =
getCloudDiscoveryMetadataFromHardcodedValues(canonicalAuthority);
if (instanceDiscoveryMetadata) {
return instanceDiscoveryMetadata.aliases;
}
const authorityHost = new UrlString(
canonicalAuthority
).getUrlComponents().HostNameAndPort;
staticAliases =
getAliasesFromMetadata(
authorityHost,
staticAuthorityOptions.cloudDiscoveryMetadata?.metadata,
AuthorityMetadataSource.CONFIG,
logger
) ||
getAliasesFromMetadata(
authorityHost,
InstanceDiscoveryMetadata.metadata,
AuthorityMetadataSource.HARDCODED_VALUES,
logger
) ||
staticAuthorityOptions.knownAuthorities;
}
return null;
return staticAliases || [];
}
/**
* Returns aliases for from the raw cloud discovery metadata given in configuration or null if no configuration was provided
* Returns aliases for from the raw cloud discovery metadata passed in
* @param authorityHost
* @param rawCloudDiscoveryMetadata
* @returns
*/
export function getAliasesFromConfigMetadata(
canonicalAuthority?: string,
cloudDiscoveryMetadata?: CloudDiscoveryMetadata[]
export function getAliasesFromMetadata(
authorityHost?: string,
cloudDiscoveryMetadata?: CloudDiscoveryMetadata[],
source?: AuthorityMetadataSource,
logger?: Logger
): string[] | null {
if (canonicalAuthority && cloudDiscoveryMetadata) {
const canonicalAuthorityUrlComponents = new UrlString(
canonicalAuthority
).getUrlComponents();
logger?.trace(`getAliasesFromMetadata called with source: ${source}`);
if (authorityHost && cloudDiscoveryMetadata) {
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(
cloudDiscoveryMetadata,
canonicalAuthorityUrlComponents.HostNameAndPort
authorityHost
);
if (metadata) {
logger?.trace(
`getAliasesFromMetadata: found cloud discovery metadata in ${source}, returning aliases`
);
return metadata.aliases;
} else {
logger?.trace(
`getAliasesFromMetadata: did not find cloud discovery metadata in ${source}`
);
}

@@ -1006,2 +688,15 @@ }

/**
* Get cloud discovery metadata for common authorities
*/
export function getCloudDiscoveryMetadataFromHardcodedValues(
authorityHost: string
): CloudDiscoveryMetadata | null {
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(
InstanceDiscoveryMetadata.metadata,
authorityHost
);
return metadata;
}
/**
* Searches instance discovery network response for the entry that contains the host in the aliases list

@@ -1013,7 +708,7 @@ * @param response

response: CloudDiscoveryMetadata[],
authority: string
authorityHost: string
): CloudDiscoveryMetadata | null {
for (let i = 0; i < response.length; i++) {
const metadata = response[i];
if (metadata.aliases.includes(authority)) {
if (metadata.aliases.includes(authorityHost)) {
return metadata;

@@ -1025,22 +720,1 @@ }

}
/**
* Get cloud discovery metadata for common authorities
*/
export function getCloudDiscoveryMetadataFromHardcodedValues(
canonicalAuthority: string
): CloudDiscoveryMetadata | null {
const canonicalAuthorityUrlComponents = new UrlString(
canonicalAuthority
).getUrlComponents();
if (canonicalAuthority in InstanceDiscoveryMetadata) {
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(
InstanceDiscoveryMetadata[canonicalAuthority].metadata,
canonicalAuthorityUrlComponents.HostNameAndPort
);
return metadata;
}
return null;
}

@@ -9,3 +9,3 @@ /*

import { AzureRegionConfiguration } from "./AzureRegionConfiguration";
import { CloudDiscoveryMetadata } from "./CloudDiscoveryMetadata";
import { CloudInstanceDiscoveryResponse } from "./CloudInstanceDiscoveryResponse";

@@ -27,3 +27,3 @@ export type AuthorityOptions = {

canonicalAuthority?: string;
cloudDiscoveryMetadata?: CloudDiscoveryMetadata[];
cloudDiscoveryMetadata?: CloudInstanceDiscoveryResponse;
};

@@ -30,0 +30,0 @@
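Review bot: The new type of `cloudDiscoveryMetadata` on the exported `AuthorityOptions` (`CloudInstanceDiscoveryResponse` instead of `CloudDiscoveryMetadata[]`) breaks any caller that built this options object with an array, and the package moves only from 14.2.0 to 14.3.0. If `AuthorityOptions` is part of the public surface, a union would keep old callers compiling for a deprecation period, e.g. `cloudDiscoveryMetadata?: CloudInstanceDiscoveryResponse | CloudDiscoveryMetadata[];`, with the consumer normalizing to `.metadata`. Whether external code constructs this type directly is not visible from here.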

@@ -24,2 +24,3 @@ /*

import { CredentialEntity } from "./entities/CredentialEntity";
import { generateCredentialKey } from "./utils/CacheHelpers";
import { ScopeSet } from "../request/ScopeSet";

@@ -46,6 +47,3 @@ import { AccountEntity } from "./entities/AccountEntity";

import { StoreInCache } from "../request/StoreInCache";
import {
getAliasesFromConfigMetadata,
getHardcodedAliasesForCanonicalAuthority,
} from "../authority/AuthorityMetadata";
import { getAliasesFromStaticSources } from "../authority/AuthorityMetadata";
import { StaticAuthorityOptions } from "../authority/AuthorityOptions";

@@ -264,3 +262,9 @@ import { TokenClaims } from "../account/TokenClaims";

const allAccounts = this.getAllAccounts(accountFilter);
if (allAccounts.length > 0) {
if (allAccounts.length > 1) {
// If one or more accounts are found, further filter to the first account that has an ID token
return allAccounts.filter((account) => {
return !!account.idTokenClaims;
})[0];
} else if (allAccounts.length === 1) {
// If only one account is found, return it regardless of whether a matching ID token was found
return allAccounts[0];

@@ -309,3 +313,3 @@ } else {

}
return null;
return accountInfo;
}

@@ -964,3 +968,3 @@

idTokens.forEach((idToken) => {
this.removeIdToken(idToken.generateCredentialKey());
this.removeIdToken(generateCredentialKey(idToken));
});

@@ -1121,5 +1125,3 @@ return null;

accessTokens.forEach((accessToken) => {
void this.removeAccessToken(
accessToken.generateCredentialKey()
);
void this.removeAccessToken(generateCredentialKey(accessToken));
});

@@ -1432,13 +1434,7 @@ return null;

if (this.staticAuthorityOptions) {
const staticAliases =
getAliasesFromConfigMetadata(
this.staticAuthorityOptions.canonicalAuthority,
this.staticAuthorityOptions.cloudDiscoveryMetadata
) ||
getHardcodedAliasesForCanonicalAuthority(
this.staticAuthorityOptions.canonicalAuthority
) ||
this.staticAuthorityOptions.knownAuthorities;
const staticAliases = getAliasesFromStaticSources(
this.staticAuthorityOptions,
this.commonLogger
);
if (
staticAliases &&
staticAliases.includes(environment) &&

@@ -1445,0 +1441,0 @@ staticAliases.includes(entity.environment)
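Review bot: In the new `if (allAccounts.length > 1)` branch, `allAccounts.filter((account) => !!account.idTokenClaims)[0]` evaluates to `undefined`, not `null`, when several accounts match the filter but none carries `idTokenClaims`, so a caller that checks `=== null` will treat a miss as a hit. The single-account branch below it returns the account regardless, so the only path that can produce `undefined` is this one; `return allAccounts.filter((account) => !!account.idTokenClaims)[0] ?? null;` keeps the return shape consistent. The enclosing function starts and ends outside the hunk, so its declared return type is not visible here.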

@@ -7,162 +7,26 @@ /*

import { CredentialEntity } from "./CredentialEntity";
import { CredentialType, AuthenticationScheme } from "../../utils/Constants";
import { TimeUtils } from "../../utils/TimeUtils";
import { ICrypto } from "../../crypto/ICrypto";
import { TokenClaims } from "../../account/TokenClaims";
import {
createClientAuthError,
ClientAuthErrorCodes,
} from "../../error/ClientAuthError";
import { extractTokenClaims } from "../../account/AuthToken";
import { AuthenticationScheme } from "../../utils/Constants";
/**
* ACCESS_TOKEN Credential Type
*
* Key:Value Schema:
*
* Key Example: uid.utid-login.microsoftonline.com-accesstoken-clientId-contoso.com-user.read
*
* Value Schema:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* familyId: Family ID identifier, usually only used for refresh tokens
* realm: Full tenant or organizational identifier that the account belongs to
* target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
* cachedAt: Absolute device time when entry was created in the cache.
* expiresOn: Token expiry time, calculated based on current UTC time in seconds. Represented as a string.
* extendedExpiresOn: Additional extended expiry time until when token is valid in case of server-side outage. Represented as string in UTC seconds.
* keyId: used for POP and SSH tokenTypes
* tokenType: Type of the token issued. Usually "Bearer"
* }
* Access token cache type
*/
export class AccessTokenEntity extends CredentialEntity {
export type AccessTokenEntity = CredentialEntity & {
/** Full tenant or organizational identifier that the account belongs to */
realm: string;
/** Permissions that are included in the token, or for refresh tokens, the resource identifier. */
target: string;
/** Absolute device time when entry was created in the cache. */
cachedAt: string;
/** Token expiry time, calculated based on current UTC time in seconds. Represented as a string. */
expiresOn: string;
/** Additional extended expiry time until when token is valid in case of server-side outage. Represented as string in UTC seconds. */
extendedExpiresOn?: string;
/** Used for proactive refresh */
refreshOn?: string;
keyId?: string; // for POP and SSH tokenTypes
/** Matches the authentication scheme for which the token was issued (i.e. Bearer or pop) */
tokenType?: AuthenticationScheme;
/** Stringified claims object */
requestedClaims?: string;
/** Matches the SHA 256 hash of the claims object included in the token request */
requestedClaimsHash?: string;
/**
* Create AccessTokenEntity
* @param homeAccountId
* @param environment
* @param accessToken
* @param clientId
* @param tenantId
* @param scopes
* @param expiresOn
* @param extExpiresOn
*/
static createAccessTokenEntity(
homeAccountId: string,
environment: string,
accessToken: string,
clientId: string,
tenantId: string,
scopes: string,
expiresOn: number,
extExpiresOn: number,
cryptoUtils: ICrypto,
refreshOn?: number,
tokenType?: AuthenticationScheme,
userAssertionHash?: string,
keyId?: string,
requestedClaims?: string,
requestedClaimsHash?: string
): AccessTokenEntity {
const atEntity: AccessTokenEntity = new AccessTokenEntity();
atEntity.homeAccountId = homeAccountId;
atEntity.credentialType = CredentialType.ACCESS_TOKEN;
atEntity.secret = accessToken;
const currentTime = TimeUtils.nowSeconds();
atEntity.cachedAt = currentTime.toString();
/*
* Token expiry time.
* This value should be  calculated based on the current UTC time measured locally and the value  expires_in Represented as a string in JSON.
*/
atEntity.expiresOn = expiresOn.toString();
atEntity.extendedExpiresOn = extExpiresOn.toString();
if (refreshOn) {
atEntity.refreshOn = refreshOn.toString();
}
atEntity.environment = environment;
atEntity.clientId = clientId;
atEntity.realm = tenantId;
atEntity.target = scopes;
atEntity.userAssertionHash = userAssertionHash;
atEntity.tokenType = tokenType || AuthenticationScheme.BEARER;
if (requestedClaims) {
atEntity.requestedClaims = requestedClaims;
atEntity.requestedClaimsHash = requestedClaimsHash;
}
/*
* Create Access Token With Auth Scheme instead of regular access token
* Cast to lower to handle "bearer" from ADFS
*/
if (
atEntity.tokenType?.toLowerCase() !==
AuthenticationScheme.BEARER.toLowerCase()
) {
atEntity.credentialType =
CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
switch (atEntity.tokenType) {
case AuthenticationScheme.POP:
// Make sure keyId is present and add it to credential
const tokenClaims: TokenClaims | null = extractTokenClaims(
accessToken,
cryptoUtils.base64Decode
);
if (!tokenClaims?.cnf?.kid) {
throw createClientAuthError(
ClientAuthErrorCodes.tokenClaimsCnfRequiredForSignedJwt
);
}
atEntity.keyId = tokenClaims.cnf.kid;
break;
case AuthenticationScheme.SSH:
atEntity.keyId = keyId;
}
}
return atEntity;
}
/**
* Validates an entity: checks for all expected params
* @param entity
*/
static isAccessTokenEntity(entity: object): boolean {
if (!entity) {
return false;
}
return (
entity.hasOwnProperty("homeAccountId") &&
entity.hasOwnProperty("environment") &&
entity.hasOwnProperty("credentialType") &&
entity.hasOwnProperty("realm") &&
entity.hasOwnProperty("clientId") &&
entity.hasOwnProperty("secret") &&
entity.hasOwnProperty("target") &&
(entity["credentialType"] === CredentialType.ACCESS_TOKEN ||
entity["credentialType"] ===
CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME)
);
}
}
};
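Review bot: With the factory gone, nothing in this file enforces that a PoP access token carries a key identifier — the deleted `createAccessTokenEntity` threw `tokenClaimsCnfRequiredForSignedJwt` when `cnf.kid` was missing, and the new type leaves `keyId?` optional. That check is what binds a cached PoP token to its proof key, so it should survive in `CacheHelpers.createAccessTokenEntity` (the replacement is called from ResponseHandler, outside this section); please confirm it does. The trailing `// for POP and SSH tokenTypes` comment would read better as TSDoc like its siblings: `/** Key identifier for PoP and SSH tokens (for PoP, the token's cnf.kid claim) */`.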

@@ -6,216 +6,32 @@ /*

import {
Separators,
CredentialType,
CacheType,
Constants,
AuthenticationScheme,
} from "../../utils/Constants";
import {
ClientAuthErrorCodes,
createClientAuthError,
} from "../../error/ClientAuthError";
import { CredentialType, AuthenticationScheme } from "../../utils/Constants";
/**
* Base type for credentials to be stored in the cache: eg: ACCESS_TOKEN, ID_TOKEN etc
*
* Key:Value Schema:
*
* Key: <home_account_id*>-<environment>-<credential_type>-<client_id>-<realm*>-<target*>-<requestedClaims*>-<scheme*>
*
* Value Schema:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* familyId: Family ID identifier, usually only used for refresh tokens
* realm: Full tenant or organizational identifier that the account belongs to
* target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
* tokenType: Matches the authentication scheme for which the token was issued (i.e. Bearer or pop)
* requestedClaimsHash: Matches the SHA 256 hash of the claims object included in the token request
* userAssertionHash: Matches the SHA 256 hash of the obo_assertion for the OBO flow
* }
* Credential Cache Type
*/
export class CredentialEntity {
export type CredentialEntity = {
/** Identifier for the user in their home tenant*/
homeAccountId: string;
/** Entity that issued the token, represented as a full host */
environment: string;
/** Type of credential */
credentialType: CredentialType;
/** Client ID of the application */
clientId: string;
/** Actual credential as a string */
secret: string;
/** Family ID identifier, usually only used for refresh tokens */
familyId?: string;
/** Full tenant or organizational identifier that the account belongs to */
realm?: string;
/** Permissions that are included in the token, or for refresh tokens, the resource identifier. */
target?: string;
/** Matches the SHA 256 hash of the obo_assertion for the OBO flow */
userAssertionHash?: string;
/** Matches the authentication scheme for which the token was issued (i.e. Bearer or pop) */
tokenType?: AuthenticationScheme;
/** KeyId for PoP and SSH tokens stored in the kid claim */
keyId?: string;
/** Matches the SHA 256 hash of the claims object included in the token request */
requestedClaimsHash?: string;
/**
* Generate Account Id key component as per the schema: <home_account_id>-<environment>
*/
generateAccountId(): string {
return CredentialEntity.generateAccountIdForCacheKey(
this.homeAccountId,
this.environment
);
}
/**
* Generate Credential Id key component as per the schema: <credential_type>-<client_id>-<realm>
*/
generateCredentialId(): string {
return CredentialEntity.generateCredentialIdForCacheKey(
this.credentialType,
this.clientId,
this.realm,
this.familyId
);
}
/**
* Generate target key component as per schema: <target>
*/
generateTarget(): string {
return CredentialEntity.generateTargetForCacheKey(this.target);
}
/**
* generates credential key
*/
generateCredentialKey(): string {
return CredentialEntity.generateCredentialCacheKey(
this.homeAccountId,
this.environment,
this.credentialType,
this.clientId,
this.realm,
this.target,
this.familyId,
this.tokenType,
this.requestedClaimsHash
);
}
/**
* returns the type of the cache (in this case credential)
*/
generateType(): number {
switch (this.credentialType) {
case CredentialType.ID_TOKEN:
return CacheType.ID_TOKEN;
case CredentialType.ACCESS_TOKEN:
case CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME:
return CacheType.ACCESS_TOKEN;
case CredentialType.REFRESH_TOKEN:
return CacheType.REFRESH_TOKEN;
default: {
throw createClientAuthError(
ClientAuthErrorCodes.unexpectedCredentialType
);
}
}
}
/**
* generates credential key
* <home_account_id*>-\<environment>-<credential_type>-<client_id>-<realm\*>-<target\*>-<scheme\*>
*/
static generateCredentialCacheKey(
homeAccountId: string,
environment: string,
credentialType: CredentialType,
clientId: string,
realm?: string,
target?: string,
familyId?: string,
tokenType?: AuthenticationScheme,
requestedClaimsHash?: string
): string {
const credentialKey = [
this.generateAccountIdForCacheKey(homeAccountId, environment),
this.generateCredentialIdForCacheKey(
credentialType,
clientId,
realm,
familyId
),
this.generateTargetForCacheKey(target),
this.generateClaimsHashForCacheKey(requestedClaimsHash),
this.generateSchemeForCacheKey(tokenType),
];
return credentialKey.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();
}
/**
* generates Account Id for keys
* @param homeAccountId
* @param environment
*/
private static generateAccountIdForCacheKey(
homeAccountId: string,
environment: string
): string {
const accountId: Array<string> = [homeAccountId, environment];
return accountId.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();
}
/**
* Generates Credential Id for keys
* @param credentialType
* @param realm
* @param clientId
* @param familyId
*/
private static generateCredentialIdForCacheKey(
credentialType: CredentialType,
clientId: string,
realm?: string,
familyId?: string
): string {
const clientOrFamilyId =
credentialType === CredentialType.REFRESH_TOKEN
? familyId || clientId
: clientId;
const credentialId: Array<string> = [
credentialType,
clientOrFamilyId,
realm || Constants.EMPTY_STRING,
];
return credentialId.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();
}
/**
* Generate target key component as per schema: <target>
*/
private static generateTargetForCacheKey(scopes?: string): string {
return (scopes || Constants.EMPTY_STRING).toLowerCase();
}
/**
* Generate requested claims key component as per schema: <requestedClaims>
*/
private static generateClaimsHashForCacheKey(
requestedClaimsHash?: string
): string {
return (requestedClaimsHash || Constants.EMPTY_STRING).toLowerCase();
}
/**
* Generate scheme key componenet as per schema: <scheme>
*/
private static generateSchemeForCacheKey(tokenType?: string): string {
/*
* PoP Tokens and SSH certs include scheme in cache key
* Cast to lowercase to handle "bearer" from ADFS
*/
return tokenType &&
tokenType.toLowerCase() !==
AuthenticationScheme.BEARER.toLowerCase()
? tokenType.toLowerCase()
: Constants.EMPTY_STRING;
}
}
};

@@ -7,69 +7,9 @@ /*

import { CredentialEntity } from "./CredentialEntity";
import { CredentialType } from "../../utils/Constants";
/**
* ID_TOKEN Cache
*
* Key:Value Schema:
*
* Key Example: uid.utid-login.microsoftonline.com-idtoken-clientId-contoso.com-
*
* Value Schema:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* realm: Full tenant or organizational identifier that the account belongs to
* }
* Id Token Cache Type
*/
export class IdTokenEntity extends CredentialEntity {
export type IdTokenEntity = CredentialEntity & {
/** Full tenant or organizational identifier that the account belongs to */
realm: string;
/**
* Create IdTokenEntity
* @param homeAccountId
* @param authenticationResult
* @param clientId
* @param authority
*/
static createIdTokenEntity(
homeAccountId: string,
environment: string,
idToken: string,
clientId: string,
tenantId: string
): IdTokenEntity {
const idTokenEntity = new IdTokenEntity();
idTokenEntity.credentialType = CredentialType.ID_TOKEN;
idTokenEntity.homeAccountId = homeAccountId;
idTokenEntity.environment = environment;
idTokenEntity.clientId = clientId;
idTokenEntity.secret = idToken;
idTokenEntity.realm = tenantId;
return idTokenEntity;
}
/**
* Validates an entity: checks for all expected params
* @param entity
*/
static isIdTokenEntity(entity: object): boolean {
if (!entity) {
return false;
}
return (
entity.hasOwnProperty("homeAccountId") &&
entity.hasOwnProperty("environment") &&
entity.hasOwnProperty("credentialType") &&
entity.hasOwnProperty("realm") &&
entity.hasOwnProperty("clientId") &&
entity.hasOwnProperty("secret") &&
entity["credentialType"] === CredentialType.ID_TOKEN
);
}
}
};

@@ -7,73 +7,6 @@ /*

import { CredentialEntity } from "./CredentialEntity";
import { CredentialType } from "../../utils/Constants";
/**
* REFRESH_TOKEN Cache
*
* Key:Value Schema:
*
* Key Example: uid.utid-login.microsoftonline.com-refreshtoken-clientId--
*
* Value:
* {
* homeAccountId: home account identifier for the auth scheme,
* environment: entity that issued the token, represented as a full host
* credentialType: Type of credential as a string, can be one of the following: RefreshToken, AccessToken, IdToken, Password, Cookie, Certificate, Other
* clientId: client ID of the application
* secret: Actual credential as a string
* familyId: Family ID identifier, '1' represents Microsoft Family
* realm: Full tenant or organizational identifier that the account belongs to
* target: Permissions that are included in the token, or for refresh tokens, the resource identifier.
* }
* Refresh Token Cache Type
*/
export class RefreshTokenEntity extends CredentialEntity {
familyId?: string;
/**
* Create RefreshTokenEntity
* @param homeAccountId
* @param authenticationResult
* @param clientId
* @param authority
*/
static createRefreshTokenEntity(
homeAccountId: string,
environment: string,
refreshToken: string,
clientId: string,
familyId?: string,
userAssertionHash?: string
): RefreshTokenEntity {
const rtEntity = new RefreshTokenEntity();
rtEntity.clientId = clientId;
rtEntity.credentialType = CredentialType.REFRESH_TOKEN;
rtEntity.environment = environment;
rtEntity.homeAccountId = homeAccountId;
rtEntity.secret = refreshToken;
rtEntity.userAssertionHash = userAssertionHash;
if (familyId) rtEntity.familyId = familyId;
return rtEntity;
}
/**
* Validates an entity: checks for all expected params
* @param entity
*/
static isRefreshTokenEntity(entity: object): boolean {
if (!entity) {
return false;
}
return (
entity.hasOwnProperty("homeAccountId") &&
entity.hasOwnProperty("environment") &&
entity.hasOwnProperty("credentialType") &&
entity.hasOwnProperty("clientId") &&
entity.hasOwnProperty("secret") &&
entity["credentialType"] === CredentialType.REFRESH_TOKEN
);
}
}
export type RefreshTokenEntity = CredentialEntity;

@@ -197,4 +197,3 @@ /*

serverParams,
cachedState,
this.cryptoUtils
cachedState
);

@@ -201,0 +200,0 @@

@@ -22,6 +22,2 @@ /*

import { version, name } from "../packageMetadata";
import {
createClientAuthError,
ClientAuthErrorCodes,
} from "../error/ClientAuthError";
import { CcsCredential, CcsCredentialType } from "../account/CcsCredential";

@@ -32,2 +28,4 @@ import { buildClientInfoFromHomeAccountId } from "../account/ClientInfo";

import { BaseAuthRequest } from "../request/BaseAuthRequest";
import { AuthorityFactory } from "../authority/AuthorityFactory";
import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";

@@ -189,9 +187,22 @@ /**

*/
updateAuthority(updatedAuthority: Authority): void {
if (!updatedAuthority.discoveryComplete()) {
throw createClientAuthError(
ClientAuthErrorCodes.endpointResolutionError
async updateAuthority(
cloudInstanceHostname: string,
correlationId: string
): Promise<void> {
this.performanceClient?.addQueueMeasurement(
PerformanceEvents.UpdateTokenEndpointAuthority,
correlationId
);
const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
const cloudInstanceAuthority =
await AuthorityFactory.createDiscoveredInstance(
cloudInstanceAuthorityUri,
this.networkClient,
this.cacheManager,
this.authority.options,
this.logger,
this.performanceClient,
correlationId
);
}
this.authority = updatedAuthority;
this.authority = cloudInstanceAuthority;
}

@@ -198,0 +209,0 @@
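Review bot: The new `updateAuthority` interpolates `cloudInstanceHostname` straight into `https://${cloudInstanceHostname}/${this.authority.tenant}/` with no check on its shape, and the whole trust decision is delegated to `AuthorityFactory.createDiscoveredInstance`, which is not visible here. If the hostname originates from a server response, as the name suggests, a value containing `/`, `?`, `#`, `@` or whitespace changes the path or authority of the URI before discovery ever sees it, and a host outside the configured known authorities is rejected only if discovery does so. A cheap guard keeps that failure local and explicit: `if (!cloudInstanceHostname || /[\/?#@\s]/.test(cloudInstanceHostname)) { throw createClientAuthError(ClientAuthErrorCodes.endpointResolutionError); }`, which also means keeping the `createClientAuthError` import this hunk removes. The old method additionally refused an authority whose `discoveryComplete()` was false; the new one relies on `createDiscoveredInstance` for that, which is worth stating in a comment on the method.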

@@ -74,2 +74,3 @@ /*

export { CredentialEntity } from "./cache/entities/CredentialEntity";
export * as CacheHelpers from "./cache/utils/CacheHelpers";
export { AppMetadataEntity } from "./cache/entities/AppMetadataEntity";

@@ -76,0 +77,0 @@ export { AccountEntity } from "./cache/entities/AccountEntity";

/* eslint-disable header/header */
export const name = "@azure/msal-common";
export const version = "14.2.0";
export const version = "14.3.0";

@@ -7,3 +7,2 @@ /*

import { ServerAuthorizationTokenResponse } from "./ServerAuthorizationTokenResponse";
import { buildClientInfo } from "../account/ClientInfo";
import { ICrypto } from "../crypto/ICrypto";

@@ -49,2 +48,3 @@ import {

import { AccountInfo } from "../account/AccountInfo";
import * as CacheHelpers from "../cache/utils/CacheHelpers";

@@ -86,12 +86,11 @@ /**

* @param serverResponseHash
* @param cachedState
* @param requestState
* @param cryptoObj
*/
validateServerAuthorizationCodeResponse(
serverResponseHash: ServerAuthorizationCodeResponse,
cachedState: string,
cryptoObj: ICrypto
serverResponse: ServerAuthorizationCodeResponse,
requestState: string
): void {
if (!serverResponseHash.state || !cachedState) {
throw serverResponseHash.state
if (!serverResponse.state || !requestState) {
throw serverResponse.state
? createClientAuthError(

@@ -107,8 +106,8 @@ ClientAuthErrorCodes.stateNotFound,

let decodedServerResponseHash: string;
let decodedCachedState: string;
let decodedServerResponseState: string;
let decodedRequestState: string;
try {
decodedServerResponseHash = decodeURIComponent(
serverResponseHash.state
decodedServerResponseState = decodeURIComponent(
serverResponse.state
);

@@ -118,3 +117,3 @@ } catch (e) {

ClientAuthErrorCodes.invalidState,
serverResponseHash.state
serverResponse.state
);

@@ -124,11 +123,11 @@ }

try {
decodedCachedState = decodeURIComponent(cachedState);
decodedRequestState = decodeURIComponent(requestState);
} catch (e) {
throw createClientAuthError(
ClientAuthErrorCodes.invalidState,
serverResponseHash.state
serverResponse.state
);
}
if (decodedServerResponseHash !== decodedCachedState) {
if (decodedServerResponseState !== decodedRequestState) {
throw createClientAuthError(ClientAuthErrorCodes.stateMismatch);

@@ -139,21 +138,21 @@ }

if (
serverResponseHash.error ||
serverResponseHash.error_description ||
serverResponseHash.suberror
serverResponse.error ||
serverResponse.error_description ||
serverResponse.suberror
) {
if (
isInteractionRequiredError(
serverResponseHash.error,
serverResponseHash.error_description,
serverResponseHash.suberror
serverResponse.error,
serverResponse.error_description,
serverResponse.suberror
)
) {
throw new InteractionRequiredAuthError(
serverResponseHash.error || Constants.EMPTY_STRING,
serverResponseHash.error_description,
serverResponseHash.suberror,
serverResponseHash.timestamp || Constants.EMPTY_STRING,
serverResponseHash.trace_id || Constants.EMPTY_STRING,
serverResponseHash.correlation_id || Constants.EMPTY_STRING,
serverResponseHash.claims || Constants.EMPTY_STRING
serverResponse.error || "",
serverResponse.error_description,
serverResponse.suberror,
serverResponse.timestamp || "",
serverResponse.trace_id || "",
serverResponse.correlation_id || "",
serverResponse.claims || ""
);

@@ -163,11 +162,7 @@ }

throw new ServerError(
serverResponseHash.error || Constants.EMPTY_STRING,
serverResponseHash.error_description,
serverResponseHash.suberror
serverResponse.error || "",
serverResponse.error_description,
serverResponse.suberror
);
}
if (serverResponseHash.client_info) {
buildClientInfo(serverResponseHash.client_info, cryptoObj);
}
}

@@ -426,3 +421,3 @@

if (serverTokenResponse.id_token && !!idTokenClaims) {
cachedIdToken = IdTokenEntity.createIdTokenEntity(
cachedIdToken = CacheHelpers.createIdTokenEntity(
this.homeAccountIdentifier,

@@ -480,6 +475,6 @@ env,

// non AAD scenarios can have empty realm
cachedAccessToken = AccessTokenEntity.createAccessTokenEntity(
cachedAccessToken = CacheHelpers.createAccessTokenEntity(
this.homeAccountIdentifier,
env,
serverTokenResponse.access_token || Constants.EMPTY_STRING,
serverTokenResponse.access_token,
this.clientId,

@@ -490,3 +485,3 @@ idTokenClaims?.tid || authority.tenant,

extendedTokenExpirationSeconds,
this.cryptoObj,
this.cryptoObj.base64Decode,
refreshOnSeconds,

@@ -504,6 +499,6 @@ serverTokenResponse.token_type,

if (serverTokenResponse.refresh_token) {
cachedRefreshToken = RefreshTokenEntity.createRefreshTokenEntity(
cachedRefreshToken = CacheHelpers.createRefreshTokenEntity(
this.homeAccountIdentifier,
env,
serverTokenResponse.refresh_token || Constants.EMPTY_STRING,
serverTokenResponse.refresh_token,
this.clientId,

@@ -510,0 +505,0 @@ serverTokenResponse.foci,
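Review bot: The `client_info` check at the end of `validateServerAuthorizationCodeResponse` is dropped together with the `cryptoObj` parameter (the `buildClientInfo(serverResponseHash.client_info, cryptoObj)` call and the `buildClientInfo` import both go), so a malformed `client_info` in the authorization response no longer fails fast at validation time. If it is parsed later, for example when the CCS credential or the token response is processed, the error now surfaces at a less obvious point; if not, it is silently ignored. Either keep a lightweight parse here or record where it happens now, e.g. `// client_info is validated when the token response is processed`, once confirmed. The TSDoc also appears to keep `@param serverResponseHash` while the parameter is now `serverResponse`; rename it to `@param serverResponse` and give it a description.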
