@azure/msal-node - npm Package Compare versions

Comparing version 1.0.0-alpha.3 to 1.0.0-alpha.4

changelog.md

@@ -0,1 +1,4 @@
+# 1.0.0-alpha.4
+- Add confidential client support (#2023)
+
 # 1.0.0-alpha.3
@@ -2,0 +5,0 @@ - Fix an issue where the types were not defined correctly in the package.json (#2014)

dist/client/ClientApplication.d.ts

 import { AuthorizationUrlRequest, AuthorizationCodeRequest, ClientConfiguration, RefreshTokenRequest, AuthenticationResult, BaseAuthRequest, SilentFlowRequest, Logger } from '@azure/msal-common';
 import { Configuration } from '../config/Configuration';
 import { TokenCache } from '../cache/TokenCache';
+import { ClientAssertion } from "../client/ClientAssertion";
 export declare abstract class ClientApplication {
-    private config;
     private _authority;
@@ -11,2 +11,5 @@ private readonly cryptoProvider;
     protected logger: Logger;
+    protected config: Configuration;
+    protected clientAssertion: ClientAssertion;
+    protected clientSecret: string;
     /**
@@ -57,2 +60,3 @@ * Constructor for the ClientApplication
     protected buildOauthClientConfiguration(authority?: string): Promise<ClientConfiguration>;
+    private getClientAssertion;
     /**
@@ -59,0 +63,0 @@ * Generates a request with the default scopes.

dist/client/ConfidentialClientApplication.d.ts

@@ -1,2 +0,26 @@
-export declare class ConfidentialClientApplication {
+import { ClientApplication } from './ClientApplication';
+import { Configuration } from "../config/Configuration";
+export declare class ConfidentialClientApplication extends ClientApplication {
+    /**
+     * @constructor
+     * Constructor for the ConfidentialClientApplication
+     *
+     * Required attributes in the Configuration object are:
+     * - clientID: the application ID of your application. You can obtain one by registering your application with our application registration portal
+     * - authority: the authority URL for your application.
+     * - client credential: Must set either client secret, certificate, or assertion for confidential clients. You can obtain a client secret from the application registration portal.
+     *
+     * In Azure AD, authority is a URL indicating of the form https://login.microsoftonline.com/{Enter_the_Tenant_Info_Here}.
+     * If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
+     * If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
+     * If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
+     * To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.
+     *
+     * In Azure B2C, authority is of the form https://{instance}/tfp/{tenant}/{policyName}/
+     * Full B2C functionality will be available in this library in future versions.
+     *
+     * @param {@link (Configuration:type)} configuration object for the MSAL ConfidentialClientApplication instance
+     */
+    constructor(configuration: Configuration);
+    private setClientCredential;
 }

dist/config/Configuration.d.ts

@@ -6,3 +6,6 @@ import { LoggerOptions, INetworkModule } from '@azure/msal-common';
  * - authority              - Url of the authority. If no value is set, defaults to https://login.microsoftonline.com/common.
- * - knownAuthorities       - Needed for Azure B2C. All authorities that will be used in the client application.
+ * - knownAuthorities       - Needed for Azure B2C and ADFS. All authorities that will be used in the client application. Only the host of the authority should be passed in.
+ * - clientSecret           - Secret string that the application uses when requesting a token. Only used in confidential client applications. Can be created in the Azure app registration portal.
+ * - clientAssertion        - Assertion string that the application uses when requesting a token. Only used in confidential client applications. Assertion should be of type urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
+ * - clientCertificate      - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 thumbprint of the certificiate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
  */
@@ -12,2 +15,8 @@ export declare type NodeAuthOptions = {
     authority?: string;
+    clientSecret?: string;
+    clientAssertion?: string;
+    clientCertificate?: {
+        thumbprint: string;
+        privateKey: string;
+    };
     knownAuthorities?: Array<string>;
@@ -14,0 +23,0 @@ cloudDiscoveryMetadata?: string;

dist/msal-node.cjs.development.js

@@ -12,2 +12,3 @@ 'use strict';
 var crypto = _interopDefault(require('crypto'));
+var jsonwebtoken = require('jsonwebtoken');
 
@@ -108,9 +109,25 @@ function _defineProperties(target, props) {
 /**
- * Constants for headers
+ * Constants
  */
 
 var Constants = {
-  MSAL_SKU: 'msal.js.node'
+  MSAL_SKU: 'msal.js.node',
+  JWT_BEARER_ASSERTION_TYPE: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
 };
+/**
+ * JWT  constants
+ */
 
+var JwtConstants = {
+  ALGORITHM: 'alg',
+  RSA_256: 'RS256',
+  X5T: 'x5t',
+  AUDIENCE: 'aud',
+  EXPIRATION_TIME: 'exp',
+  ISSUER: "iss",
+  SUBJECT: "sub",
+  NOT_BEFORE: "nbf",
+  JWT_ID: "jti"
+};
+
 /*
@@ -207,2 +224,8 @@ * Copyright (c) Microsoft Corporation. All rights reserved.
   authority: '',
+  clientSecret: '',
+  clientAssertion: '',
+  clientCertificate: {
+    thumbprint: '',
+    privateKey: ''
+  },
   knownAuthorities: [],
@@ -286,4 +309,4 @@ cloudDiscoveryMetadata: ""
    */
-  EncodingUtils.base64Encode = function base64Encode(str) {
-    return Buffer.from(str, 'utf8').toString('base64');
+  EncodingUtils.base64Encode = function base64Encode(str, encoding) {
+    return Buffer.from(str, encoding).toString('base64');
   }
@@ -296,4 +319,4 @@ /**
 
-  EncodingUtils.base64EncodeUrl = function base64EncodeUrl(str) {
-    return EncodingUtils.base64Encode(str).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+  EncodingUtils.base64EncodeUrl = function base64EncodeUrl(str, encoding) {
+    return EncodingUtils.base64Encode(str, encoding).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
   }
@@ -1141,3 +1164,3 @@ /**
 
-var version = "1.0.0-alpha.3";
+var version = "1.0.0-alpha.4";
 
@@ -1357,4 +1380,5 @@ var defaultSerializedCache = {
         var newValueIsNotArray = !Array.isArray(newValue);
+        var oldStateNotUndefinedOrNull = typeof oldState[newKey] !== 'undefined' && oldState[newKey] !== null;
 
-        if (newValueNotNull && newValueIsObject && newValueIsNotArray) {
+        if (newValueNotNull && newValueIsObject && newValueIsNotArray && oldStateNotUndefinedOrNull) {
           _this5.mergeUpdates(oldState[newKey], newValue);
@@ -1422,8 +1446,6 @@ } else {
   function ClientApplication(configuration) {
-    var _this$config$cache;
-
     this.config = buildAppConfiguration(configuration);
     this.logger = new msalCommon.Logger(this.config.system.loggerOptions);
     this.storage = new Storage(this.logger);
-    this.tokenCache = new TokenCache(this.storage, this.logger, (_this$config$cache = this.config.cache) === null || _this$config$cache === void 0 ? void 0 : _this$config$cache.cachePlugin);
+    this.tokenCache = new TokenCache(this.storage, this.logger, this.config.cache.cachePlugin);
     this.cryptoProvider = new CryptoProvider();
@@ -1567,2 +1589,6 @@ msalCommon.TrustedAuthority.setTrustedAuthoritiesFromConfig(this.config.auth.knownAuthorities, this.config.auth.cloudDiscoveryMetadata);
           storageInterface: _this10.storage,
+          clientCredentials: {
+            clientSecret: _this10.clientSecret,
+            clientAssertion: _this10.clientAssertion ? _this10.getClientAssertion() : undefined
+          },
           libraryInfo: {
@@ -1579,2 +1605,9 @@ sku: Constants.MSAL_SKU,
     }
+  };
+
+  _proto.getClientAssertion = function getClientAssertion() {
+    return {
+      assertion: this.clientAssertion.getJwt(this.cryptoProvider, this.config.auth.clientId, this._authority.tokenEndpoint),
+      assertionType: Constants.JWT_BEARER_ASSERTION_TYPE
+    };
   }
@@ -1641,3 +1674,2 @@ /**
 
-      this.logger.verbose("No authority set on application object. Defaulting to common authority");
       this._authority = msalCommon.AuthorityFactory.createInstance(this.config.auth.authority || msalCommon.Constants.DEFAULT_AUTHORITY, this.config.system.networkClient);
@@ -1712,4 +1744,135 @@ return this._authority;
 
-var ConfidentialClientApplication = function ConfidentialClientApplication() {};
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+/**
+ * Client assertion of type jwt-bearer used in confidential client flows
+ */
 
+var ClientAssertion = /*#__PURE__*/function () {
+  function ClientAssertion() {}
+
+  ClientAssertion.fromAssertion = function fromAssertion(assertion) {
+    var clientAssertion = new ClientAssertion();
+    clientAssertion.jwt = assertion;
+    return clientAssertion;
+  };
+
+  ClientAssertion.fromCertificate = function fromCertificate(thumbprint, privateKey) {
+    var clientAssertion = new ClientAssertion();
+    clientAssertion.privateKey = privateKey;
+    clientAssertion.thumbprint = thumbprint;
+    return clientAssertion;
+  };
+
+  var _proto = ClientAssertion.prototype;
+
+  _proto.getJwt = function getJwt(cryptoProvider, issuer, jwtAudience) {
+    // if assertion was created from certificate, check if jwt is expired and create new one.
+    if (this.privateKey != null && this.thumbprint != null) {
+      if (this.jwt != null && !this.isExpired() && issuer == this.issuer && jwtAudience == this.jwtAudience) {
+        return this.jwt;
+      }
+
+      return this.createJwt(cryptoProvider, issuer, jwtAudience);
+    } // if assertion was created by caller, then we just append it. It is up to the caller to
+    // ensure that it contains necessary claims and that it is not expired.
+
+
+    if (this.jwt != null) {
+      return this.jwt;
+    }
+
+    throw msalCommon.ClientAuthError.createInvalidAssertionError();
+  } // JWT format and required claims specified: https://tools.ietf.org/html/rfc7523#section-3
+  ;
+
+  _proto.createJwt = function createJwt(cryptoProvider, issuer, jwtAudience) {
+    var _header, _payload;
+
+    this.issuer = issuer;
+    this.jwtAudience = jwtAudience;
+    var issuedAt = msalCommon.TimeUtils.nowSeconds();
+    this.expirationTime = issuedAt + 600;
+    var header = (_header = {}, _header[JwtConstants.ALGORITHM] = JwtConstants.RSA_256, _header[JwtConstants.X5T] = EncodingUtils.base64EncodeUrl(this.thumbprint, "hex"), _header);
+    var payload = (_payload = {}, _payload[JwtConstants.AUDIENCE] = this.jwtAudience, _payload[JwtConstants.EXPIRATION_TIME] = this.expirationTime, _payload[JwtConstants.ISSUER] = this.issuer, _payload[JwtConstants.SUBJECT] = this.issuer, _payload[JwtConstants.NOT_BEFORE] = issuedAt, _payload[JwtConstants.JWT_ID] = cryptoProvider.createNewGuid(), _payload);
+    this.jwt = jsonwebtoken.sign(payload, this.privateKey, {
+      header: header
+    });
+    return this.jwt;
+  };
+
+  _proto.isExpired = function isExpired() {
+    return this.expirationTime < msalCommon.TimeUtils.nowSeconds();
+  };
+
+  return ClientAssertion;
+}();
+
+var ConfidentialClientApplication = /*#__PURE__*/function (_ClientApplication) {
+  _inheritsLoose(ConfidentialClientApplication, _ClientApplication);
+
+  /**
+   * @constructor
+   * Constructor for the ConfidentialClientApplication
+   *
+   * Required attributes in the Configuration object are:
+   * - clientID: the application ID of your application. You can obtain one by registering your application with our application registration portal
+   * - authority: the authority URL for your application.
+   * - client credential: Must set either client secret, certificate, or assertion for confidential clients. You can obtain a client secret from the application registration portal.
+   *
+   * In Azure AD, authority is a URL indicating of the form https://login.microsoftonline.com/{Enter_the_Tenant_Info_Here}.
+   * If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
+   * If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
+   * If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
+   * To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.
+   *
+   * In Azure B2C, authority is of the form https://{instance}/tfp/{tenant}/{policyName}/
+   * Full B2C functionality will be available in this library in future versions.
+   *
+   * @param {@link (Configuration:type)} configuration object for the MSAL ConfidentialClientApplication instance
+   */
+  function ConfidentialClientApplication(configuration) {
+    var _this;
+
+    _this = _ClientApplication.call(this, configuration) || this;
+
+    _this.setClientCredential(_this.config);
+
+    return _this;
+  }
+
+  var _proto = ConfidentialClientApplication.prototype;
+
+  _proto.setClientCredential = function setClientCredential(configuration) {
+    var clientSecretNotEmpty = !msalCommon.StringUtils.isEmpty(configuration.auth.clientSecret);
+    var clientAssertionNotEmpty = !msalCommon.StringUtils.isEmpty(configuration.auth.clientAssertion);
+    var certificate = configuration.auth.clientCertificate;
+    var certificateNotEmpty = !msalCommon.StringUtils.isEmpty(certificate.thumbprint) || !msalCommon.StringUtils.isEmpty(certificate.privateKey); // Check that at most one credential is set on the application 
+
+    if (clientSecretNotEmpty && clientAssertionNotEmpty || clientAssertionNotEmpty && certificateNotEmpty || clientSecretNotEmpty && certificateNotEmpty) {
+      throw msalCommon.ClientAuthError.createInvalidCredentialError();
+    }
+
+    if (clientSecretNotEmpty) {
+      this.clientSecret = configuration.auth.clientSecret;
+      return;
+    }
+
+    if (clientAssertionNotEmpty) {
+      this.clientAssertion = ClientAssertion.fromAssertion(configuration.auth.clientAssertion);
+      return;
+    }
+
+    if (!certificateNotEmpty) {
+      throw msalCommon.ClientAuthError.createInvalidCredentialError();
+    } else {
+      this.clientAssertion = ClientAssertion.fromCertificate(certificate.thumbprint, certificate.privateKey);
+    }
+  };
+
+  return ConfidentialClientApplication;
+}(ClientApplication);
+
 Object.defineProperty(exports, 'AuthError', {
@@ -1727,8 +1890,2 @@ enumerable: true,
 });
-Object.defineProperty(exports, 'AuthenticationResult', {
-  enumerable: true,
-  get: function () {
-    return msalCommon.AuthenticationResult;
-  }
-});
 Object.defineProperty(exports, 'LogLevel', {
@@ -1735,0 +1892,0 @@ enumerable: true,

dist/msal-node.cjs.production.min.js

@@ -1,2 +0,2 @@
-"use strict";function e(e){return e&&"object"==typeof e&&"default"in e?e.default:e}Object.defineProperty(exports,"__esModule",{value:!0});var t,r=require("@azure/msal-common"),n=e(require("axios")),o=e(require("debug")),i=require("uuid"),a=e(require("crypto"));function s(){return(s=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var r=arguments[t];for(var n in r)Object.prototype.hasOwnProperty.call(r,n)&&(e[n]=r[n])}return e}).apply(this,arguments)}function c(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,e.__proto__=t}"undefined"!=typeof Symbol&&(Symbol.iterator||(Symbol.iterator=Symbol("Symbol.iterator"))),"undefined"!=typeof Symbol&&(Symbol.asyncIterator||(Symbol.asyncIterator=Symbol("Symbol.asyncIterator"))),function(e){e.GET="get",e.POST="post"}(t||(t={}));var u="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~",l=function(){function e(){n.defaults.validateStatus=function(){return!0}}var r=e.prototype;return r.sendGetRequestAsync=function(e,r){try{return Promise.resolve(n({method:t.GET,url:e,headers:r&&r.headers})).then((function(e){return{headers:e.headers,body:e.data,status:e.status}}))}catch(e){return Promise.reject(e)}},r.sendPostRequestAsync=function(e,r){try{return Promise.resolve(n({method:t.POST,url:e,data:r&&r.body||"",headers:r&&r.headers})).then((function(e){return{headers:e.headers,body:e.data,status:e.status}}))}catch(e){return Promise.reject(e)}},e}(),h={clientId:"",authority:"",knownAuthorities:[],cloudDiscoveryMetadata:""},d={},g={loggerOptions:{loggerCallback:function(e,t,n){o("msal:"+r.LogLevel[e]+(n?"-Pii":""))(t)},piiLoggingEnabled:!1,logLevel:r.LogLevel.Info},networkClient:function(){function e(){}return e.getNetworkClient=function(){return new l},e}().getNetworkClient()};function f(e){var t=e.cache,r=e.system;return{auth:s({},h,{},e.auth),cache:s({},d,{},t),system:s({},g,{},r)}}var p=function(){function e(){}return e.generateGuid=function(){return i.v4()},e.isGuid=function(e){return/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(e)},e}(),y=function(){function e(){}return e.base64Encode=function(e){return Buffer.from(e,"utf8").toString("base64")},e.base64EncodeUrl=function(t){return e.base64Encode(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")},e.base64Decode=function(e){return Buffer.from(e,"base64").toString("utf8")},e.base64DecodeUrl=function(t){for(var r=t.replace(/-/g,"+").replace(/_/g,"/");r.length%4;)r+="=";return e.base64Decode(r)},e}(),m=function(){function e(){}var t=e.prototype;return t.generatePkceCodes=function(){try{var e=this.generateCodeVerifier(),t=this.generateCodeChallengeFromVerifier(e);return Promise.resolve({verifier:e,challenge:t})}catch(e){return Promise.reject(e)}},t.generateCodeVerifier=function(){var e=a.randomBytes(32),t=this.bufferToCVString(e);return y.base64EncodeUrl(t)},t.generateCodeChallengeFromVerifier=function(e){return y.base64EncodeUrl(this.sha256(e).toString("ascii"))},t.sha256=function(e){return a.createHash("sha256").update(e).digest()},t.bufferToCVString=function(e){for(var t=[],r=0;r<e.byteLength;r+=1)t.push(u[e[r]%u.length]);return t.join("")},e}(),v=function(){function e(){this.pkceGenerator=new m}var t=e.prototype;return t.createNewGuid=function(){return p.generateGuid()},t.base64Encode=function(e){return y.base64Encode(e)},t.base64Decode=function(e){return y.base64Decode(e)},t.generatePkceCodes=function(){return this.pkceGenerator.generatePkceCodes()},e}(),C=function(){function e(){}return e.deserializeJSONBlob=function(e){return r.StringUtils.isEmpty(e)?{}:JSON.parse(e)},e.deserializeAccounts=function(e){var t={};return e&&Object.keys(e).map((function(n){var o=e[n],i={homeAccountId:o.home_account_id,environment:o.environment,realm:o.realm,localAccountId:o.local_account_id,username:o.username,authorityType:o.authority_type,name:o.name,clientInfo:o.client_info,lastModificationTime:o.last_modification_time,lastModificationApp:o.last_modification_app},a=new r.AccountEntity;r.CacheManager.toObject(a,i),t[n]=a})),t},e.deserializeIdTokens=function(e){var t={};return e&&Object.keys(e).map((function(n){var o=e[n],i={homeAccountId:o.home_account_id,environment:o.environment,credentialType:o.credential_type,clientId:o.client_id,secret:o.secret,realm:o.realm},a=new r.IdTokenEntity;r.CacheManager.toObject(a,i),t[n]=a})),t},e.deserializeAccessTokens=function(e){var t={};return e&&Object.keys(e).map((function(n){var o=e[n],i={homeAccountId:o.home_account_id,environment:o.environment,credentialType:o.credential_type,clientId:o.client_id,secret:o.secret,realm:o.realm,target:o.target,cachedAt:o.cached_at,expiresOn:o.expires_on,extendedExpiresOn:o.extended_expires_on,refreshOn:o.refresh_on,keyId:o.key_id,tokenType:o.token_type},a=new r.AccessTokenEntity;r.CacheManager.toObject(a,i),t[n]=a})),t},e.deserializeRefreshTokens=function(e){var t={};return e&&Object.keys(e).map((function(n){var o=e[n],i={homeAccountId:o.home_account_id,environment:o.environment,credentialType:o.credential_type,clientId:o.client_id,secret:o.secret,familyId:o.family_id,target:o.target,realm:o.realm},a=new r.RefreshTokenEntity;r.CacheManager.toObject(a,i),t[n]=a})),t},e.deserializeAppMetadata=function(e){var t={};return e&&Object.keys(e).map((function(n){var o=e[n],i={clientId:o.client_id,environment:o.environment,familyId:o.family_id},a=new r.AppMetadataEntity;r.CacheManager.toObject(a,i),t[n]=a})),t},e.deserializeAllCache=function(e){return{accounts:e.Account?this.deserializeAccounts(e.Account):{},idTokens:e.IdToken?this.deserializeIdTokens(e.IdToken):{},accessTokens:e.AccessToken?this.deserializeAccessTokens(e.AccessToken):{},refreshTokens:e.RefreshToken?this.deserializeRefreshTokens(e.RefreshToken):{},appMetadata:e.AppMetadata?this.deserializeAppMetadata(e.AppMetadata):{}}},e}(),T=function(){function e(){}return e.serializeJSONBlob=function(e){return JSON.stringify(e)},e.serializeAccounts=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,realm:n.realm,local_account_id:n.localAccountId,username:n.username,authority_type:n.authorityType,name:n.name,client_info:n.clientInfo,last_modification_time:n.lastModificationTime,last_modification_app:n.lastModificationApp}})),t},e.serializeIdTokens=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,credential_type:n.credentialType,client_id:n.clientId,secret:n.secret,realm:n.realm}})),t},e.serializeAccessTokens=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,credential_type:n.credentialType,client_id:n.clientId,secret:n.secret,realm:n.realm,target:n.target,cached_at:n.cachedAt,expires_on:n.expiresOn,extended_expires_on:n.extendedExpiresOn,refresh_on:n.refreshOn,key_id:n.keyId,token_type:n.tokenType}})),t},e.serializeRefreshTokens=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,credential_type:n.credentialType,client_id:n.clientId,secret:n.secret,family_id:n.familyId,target:n.target,realm:n.realm}})),t},e.serializeAppMetadata=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={client_id:n.clientId,environment:n.environment,family_id:n.familyId}})),t},e.serializeAllCache=function(e){return{Account:this.serializeAccounts(e.accounts),IdToken:this.serializeIdTokens(e.idTokens),AccessToken:this.serializeAccessTokens(e.accessTokens),RefreshToken:this.serializeRefreshTokens(e.refreshTokens),AppMetadata:this.serializeAppMetadata(e.appMetadata)}},e}(),b=function(e){function t(t){var r;return(r=e.call(this)||this).inMemoryCache={accounts:{},accessTokens:{},refreshTokens:{},appMetadata:{},idTokens:{}},r.changeEmitters=[],r.logger=t,r}c(t,e);var n=t.prototype;return n.registerChangeEmitter=function(e){this.changeEmitters.push(e)},n.emitChange=function(){this.changeEmitters.forEach((function(e){return e.call(null)}))},n.getCache=function(){return this.logger.verbose("Getting in-memory cache"),this.inMemoryCache},n.setCache=function(e){this.logger.verbose("Setting in-memory cache"),this.inMemoryCache=e,this.emitChange()},n.setItem=function(e,t,n){this.logger.verbose("setItem called for item type: "+n),this.logger.verbosePii("Item key: "+e);var o=this.getCache();switch(n){case r.CacheSchemaType.ACCOUNT:o.accounts[e]=t;break;case r.CacheSchemaType.CREDENTIAL:switch(r.CredentialEntity.getCredentialType(e)){case r.CredentialType.ID_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ID_TOKEN),o.idTokens[e]=t;break;case r.CredentialType.ACCESS_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ACCESS_TOKEN),o.accessTokens[e]=t;break;case r.CredentialType.REFRESH_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.REFRESH_TOKEN),o.refreshTokens[e]=t}break;case r.CacheSchemaType.APP_META_DATA:o.appMetadata[e]=t;break;default:throw r.ClientAuthError.createInvalidCacheTypeError()}this.setCache(o),this.emitChange()},n.getItem=function(e,t){this.logger.verbose("getItem called for item type: "+t),this.logger.verbosePii("Item key: "+e);var n=this.getCache();switch(t){case r.CacheSchemaType.ACCOUNT:return n.accounts[e]||null;case r.CacheSchemaType.CREDENTIAL:var o=null;switch(r.CredentialEntity.getCredentialType(e)){case r.CredentialType.ID_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ID_TOKEN),o=n.idTokens[e]||null;break;case r.CredentialType.ACCESS_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ACCESS_TOKEN),o=n.accessTokens[e]||null;break;case r.CredentialType.REFRESH_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.REFRESH_TOKEN),o=n.refreshTokens[e]||null}return o;case r.CacheSchemaType.APP_META_DATA:return n.appMetadata[e]||null;default:throw r.ClientAuthError.createInvalidCacheTypeError()}},n.removeItem=function(e,t){this.logger.verbose("removeItem called for item type: "+t),this.logger.verbosePii("Item key: "+e);var n=this.getCache(),o=!1;switch(t){case r.CacheSchemaType.ACCOUNT:n.accounts[e]&&(delete n.accounts[e],o=!0);break;case r.CacheSchemaType.CREDENTIAL:switch(r.CredentialEntity.getCredentialType(e)){case r.CredentialType.ID_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ID_TOKEN),n.idTokens[e]&&(delete n.idTokens[e],o=!0);break;case r.CredentialType.ACCESS_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ACCESS_TOKEN),n.accessTokens[e]&&(delete n.accessTokens[e],o=!0);break;case r.CredentialType.REFRESH_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.REFRESH_TOKEN),n.refreshTokens[e]&&(delete n.refreshTokens[e],o=!0)}break;case r.CacheSchemaType.APP_META_DATA:n.appMetadata[e]&&(delete n.appMetadata[e],o=!0);break;default:throw r.ClientAuthError.createInvalidCacheTypeError()}return o&&(this.setCache(n),this.emitChange()),o},n.containsKey=function(e){return!!e},n.getKeys=function(){this.logger.verbose("Retrieving all cache keys");var e=this.getCache();return[].concat(Object.keys(e.accounts),Object.keys(e.idTokens),Object.keys(e.accessTokens),Object.keys(e.refreshTokens),Object.keys(e.appMetadata))},n.clear=function(){var e=this;this.logger.verbose("Clearing cache entries created by MSAL"),this.getKeys().forEach((function(t){e.removeItem(t)})),this.emitChange()},t.generateInMemoryCache=function(e){return C.deserializeAllCache(C.deserializeJSONBlob(e))},t.generateJsonCache=function(e){return T.serializeAllCache(e)},t}(r.CacheManager),k={},A={},E={},_={},O={},S=function(){function e(e,t,r){this.hasChanged=!1,this.storage=e,this.storage.registerChangeEmitter(this.handleChangeEvent.bind(this)),r&&(this.persistence=r),this.logger=t}var t=e.prototype;return t.cacheHasChanged=function(){return this.hasChanged},t.serialize=function(){this.logger.verbose("Serializing in-memory cache");var e=T.serializeAllCache(this.storage.getCache());return r.StringUtils.isEmpty(this.cacheSnapshot)?this.logger.verbose("No cache snapshot to merge"):(this.logger.verbose("Reading cache snapshot from disk"),e=this.mergeState(JSON.parse(this.cacheSnapshot),e)),this.hasChanged=!1,JSON.stringify(e)},t.deserialize=function(e){if(this.logger.verbose("Deserializing JSON to in-memory cache"),this.cacheSnapshot=e,r.StringUtils.isEmpty(this.cacheSnapshot))this.logger.verbose("No cache snapshot to deserialize");else{this.logger.verbose("Reading cache snapshot from disk");var t=C.deserializeAllCache(this.overlayDefaults(JSON.parse(this.cacheSnapshot)));this.storage.setCache(t)}},t.writeToPersistence=function(){try{var e=this;return e.logger.verbose("Writing to persistent cache"),Promise.resolve(function(){if(e.persistence){e.logger.verbose("cachePlugin (persistent cache) not set by the user");var t=T.serializeAllCache(e.storage.getCache());return Promise.resolve(e.persistence.writeToStorage((function(n){return r.StringUtils.isEmpty(n)?e.logger.verbose("No state from disk"):(e.logger.verbose("Reading state from disk"),e.cacheSnapshot=n,t=e.mergeState(JSON.parse(n),t)),JSON.stringify(t)}))).then((function(){e.hasChanged=!1}))}throw r.ClientAuthError.createCachePluginError()}())}catch(e){return Promise.reject(e)}},t.readFromPersistence=function(){try{var e=this;return e.logger.verbose("Reading from persistent cache"),Promise.resolve(function(){if(e.persistence)return e.logger.verbose("cachePlugin (persistent cache) not set by the user"),Promise.resolve(e.persistence.readFromStorage()).then((function(t){if(e.cacheSnapshot=t,r.StringUtils.isEmpty(e.cacheSnapshot))e.logger.verbose("No cache snapshot to overlay and deserialize");else{e.logger.verbose("Reading cache snapshot from disk");var n=e.overlayDefaults(JSON.parse(e.cacheSnapshot));e.logger.verbose("Deserializing JSON");var o=C.deserializeAllCache(n);e.storage.setCache(o)}}));throw r.ClientAuthError.createCachePluginError()}())}catch(e){return Promise.reject(e)}},t.getAllAccounts=function(){return this.logger.verbose("getAllAccounts called"),this.storage.getAllAccounts()},t.removeAccount=function(e){this.logger.verbose("removeAccount called"),this.storage.removeAccount(r.AccountEntity.generateAccountCacheKey(e))},t.handleChangeEvent=function(){this.hasChanged=!0},t.mergeState=function(e,t){this.logger.verbose("Merging in-memory cache with cache snapshot");var r=this.mergeRemovals(e,t);return this.mergeUpdates(r,t)},t.mergeUpdates=function(e,t){var r=this;return Object.keys(t).forEach((function(n){var o=t[n];if(e.hasOwnProperty(n)){var i=null!==o,a="object"==typeof o,s=!Array.isArray(o);i&&a&&s?r.mergeUpdates(e[n],o):e[n]=o}else null!==o&&(e[n]=o)})),e},t.mergeRemovals=function(e,t){return this.logger.verbose("Remove updated entries in cache"),s({Account:null!=e.Account?this.mergeRemovalsDict(e.Account,t.Account):e.Account,AccessToken:null!=e.AccessToken?this.mergeRemovalsDict(e.AccessToken,t.AccessToken):e.AccessToken,RefreshToken:null!=e.RefreshToken?this.mergeRemovalsDict(e.RefreshToken,t.RefreshToken):e.RefreshToken,IdToken:null!=e.IdToken?this.mergeRemovalsDict(e.IdToken,t.IdToken):e.IdToken,AppMetadata:null!=e.AppMetadata?this.mergeRemovalsDict(e.AppMetadata,t.AppMetadata):e.AppMetadata},e)},t.mergeRemovalsDict=function(e,t){var r=s({},e);return Object.keys(e).forEach((function(e){t&&t.hasOwnProperty(e)||delete r[e]})),r},t.overlayDefaults=function(e){return this.logger.verbose("Overlaying input cache with the default cache"),{Account:s({},k,{},e.Account),IdToken:s({},A,{},e.IdToken),AccessToken:s({},E,{},e.AccessToken),RefreshToken:s({},_,{},e.RefreshToken),AppMetadata:s({},O,{},e.AppMetadata)}},e}(),I=function(e){function t(t){return e.call(this,t)||this}return c(t,e),t.prototype.acquireTokenByDeviceCode=function(e){try{var t=this;return t.logger.info("acquireTokenByDeviceCode called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.DeviceCodeClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},t}(function(){function e(e){var t;this.config=f(e),this.logger=new r.Logger(this.config.system.loggerOptions),this.storage=new b(this.logger),this.tokenCache=new S(this.storage,this.logger,null===(t=this.config.cache)||void 0===t?void 0:t.cachePlugin),this.cryptoProvider=new v,r.TrustedAuthority.setTrustedAuthoritiesFromConfig(this.config.auth.knownAuthorities,this.config.auth.cloudDiscoveryMetadata)}var t,n=e.prototype;return n.getAuthCodeUrl=function(e){try{var t=this;return t.logger.info("getAuthCodeUrl called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.AuthorizationCodeClient(n).getAuthCodeUrl(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.acquireTokenByCode=function(e){try{var t=this;return t.logger.info("acquireTokenByCode called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.AuthorizationCodeClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.acquireTokenByRefreshToken=function(e){try{var t=this;return t.logger.info("acquireTokenByRefreshToken called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.RefreshTokenClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.acquireTokenSilent=function(e){try{var t=this;return Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return new r.SilentFlowClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.getTokenCache=function(){return this.logger.info("getTokenCache called"),this.tokenCache},n.buildOauthClientConfiguration=function(e){try{var t=this;t.logger.verbose("buildOauthClientConfiguration called");var r=t.config.auth.clientId;return Promise.resolve(t.createAuthority(e)).then((function(e){return{authOptions:{clientId:r,authority:e,knownAuthorities:t.config.auth.knownAuthorities,cloudDiscoveryMetadata:t.config.auth.cloudDiscoveryMetadata},loggerOptions:{loggerCallback:t.config.system.loggerOptions.loggerCallback,piiLoggingEnabled:t.config.system.loggerOptions.piiLoggingEnabled},cryptoInterface:t.cryptoProvider,networkInterface:t.config.system.networkClient,storageInterface:t.storage,libraryInfo:{sku:"msal.js.node",version:"1.0.0-alpha.3",cpu:process.arch||"",os:process.platform||""}}}))}catch(e){return Promise.reject(e)}},n.initializeRequestScopes=function(e){return this.logger.verbose("initializeRequestScopes called"),s({},e,{scopes:[].concat(e&&e.scopes||[],[r.Constants.OPENID_SCOPE,r.Constants.PROFILE_SCOPE,r.Constants.OFFLINE_ACCESS_SCOPE])})},n.createAuthority=function(e){try{var t;return this.logger.verbose("createAuthority called"),e?(this.logger.verbose("Authority passed in, creating authority instance"),t=r.AuthorityFactory.createInstance(e,this.config.system.networkClient)):(this.logger.verbose("No authority passed in request, defaulting to authority set on application object"),t=this.authority),t.discoveryComplete()?Promise.resolve(t):Promise.resolve(function(e,r){try{var n=Promise.resolve(t.resolveEndpointsAsync()).then((function(){return t}))}catch(e){return r(e)}return n&&n.then?n.then(void 0,r):n}(0,(function(e){throw r.ClientAuthError.createEndpointDiscoveryIncompleteError(e)})))}catch(e){return Promise.reject(e)}},(t=[{key:"authority",get:function(){return this._authority||(this.logger.verbose("No authority set on application object. Defaulting to common authority"),this._authority=r.AuthorityFactory.createInstance(this.config.auth.authority||r.Constants.DEFAULT_AUTHORITY,this.config.system.networkClient)),this._authority}}])&&function(e,t){for(var r=0;r<t.length;r++){var n=t[r];n.enumerable=n.enumerable||!1,n.configurable=!0,"value"in n&&(n.writable=!0),Object.defineProperty(e,n.key,n)}}(e.prototype,t),e}());Object.defineProperty(exports,"AuthError",{enumerable:!0,get:function(){return r.AuthError}}),Object.defineProperty(exports,"AuthErrorMessage",{enumerable:!0,get:function(){return r.AuthErrorMessage}}),Object.defineProperty(exports,"AuthenticationResult",{enumerable:!0,get:function(){return r.AuthenticationResult}}),Object.defineProperty(exports,"LogLevel",{enumerable:!0,get:function(){return r.LogLevel}}),Object.defineProperty(exports,"PromptValue",{enumerable:!0,get:function(){return r.PromptValue}}),Object.defineProperty(exports,"ResponseMode",{enumerable:!0,get:function(){return r.ResponseMode}}),exports.ConfidentialClientApplication=function(){},exports.CryptoProvider=v,exports.PublicClientApplication=I,exports.Storage=b,exports.TokenCache=S,exports.buildAppConfiguration=f;
+"use strict";function e(e){return e&&"object"==typeof e&&"default"in e?e.default:e}Object.defineProperty(exports,"__esModule",{value:!0});var t,r=require("@azure/msal-common"),n=e(require("axios")),i=e(require("debug")),o=require("uuid"),a=e(require("crypto")),s=require("jsonwebtoken");function c(){return(c=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var r=arguments[t];for(var n in r)Object.prototype.hasOwnProperty.call(r,n)&&(e[n]=r[n])}return e}).apply(this,arguments)}function l(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,e.__proto__=t}"undefined"!=typeof Symbol&&(Symbol.iterator||(Symbol.iterator=Symbol("Symbol.iterator"))),"undefined"!=typeof Symbol&&(Symbol.asyncIterator||(Symbol.asyncIterator=Symbol("Symbol.asyncIterator"))),function(e){e.GET="get",e.POST="post"}(t||(t={}));var u="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~",h=function(){function e(){n.defaults.validateStatus=function(){return!0}}var r=e.prototype;return r.sendGetRequestAsync=function(e,r){try{return Promise.resolve(n({method:t.GET,url:e,headers:r&&r.headers})).then((function(e){return{headers:e.headers,body:e.data,status:e.status}}))}catch(e){return Promise.reject(e)}},r.sendPostRequestAsync=function(e,r){try{return Promise.resolve(n({method:t.POST,url:e,data:r&&r.body||"",headers:r&&r.headers})).then((function(e){return{headers:e.headers,body:e.data,status:e.status}}))}catch(e){return Promise.reject(e)}},e}(),d={clientId:"",authority:"",clientSecret:"",clientAssertion:"",clientCertificate:{thumbprint:"",privateKey:""},knownAuthorities:[],cloudDiscoveryMetadata:""},g={},f={loggerOptions:{loggerCallback:function(e,t,n){i("msal:"+r.LogLevel[e]+(n?"-Pii":""))(t)},piiLoggingEnabled:!1,logLevel:r.LogLevel.Info},networkClient:function(){function e(){}return e.getNetworkClient=function(){return new h},e}().getNetworkClient()};function p(e){var t=e.cache,r=e.system;return{auth:c({},d,{},e.auth),cache:c({},g,{},t),system:c({},f,{},r)}}var y=function(){function e(){}return e.generateGuid=function(){return o.v4()},e.isGuid=function(e){return/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(e)},e}(),m=function(){function e(){}return e.base64Encode=function(e,t){return Buffer.from(e,t).toString("base64")},e.base64EncodeUrl=function(t,r){return e.base64Encode(t,r).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")},e.base64Decode=function(e){return Buffer.from(e,"base64").toString("utf8")},e.base64DecodeUrl=function(t){for(var r=t.replace(/-/g,"+").replace(/_/g,"/");r.length%4;)r+="=";return e.base64Decode(r)},e}(),v=function(){function e(){}var t=e.prototype;return t.generatePkceCodes=function(){try{var e=this.generateCodeVerifier(),t=this.generateCodeChallengeFromVerifier(e);return Promise.resolve({verifier:e,challenge:t})}catch(e){return Promise.reject(e)}},t.generateCodeVerifier=function(){var e=a.randomBytes(32),t=this.bufferToCVString(e);return m.base64EncodeUrl(t)},t.generateCodeChallengeFromVerifier=function(e){return m.base64EncodeUrl(this.sha256(e).toString("ascii"))},t.sha256=function(e){return a.createHash("sha256").update(e).digest()},t.bufferToCVString=function(e){for(var t=[],r=0;r<e.byteLength;r+=1)t.push(u[e[r]%u.length]);return t.join("")},e}(),C=function(){function e(){this.pkceGenerator=new v}var t=e.prototype;return t.createNewGuid=function(){return y.generateGuid()},t.base64Encode=function(e){return m.base64Encode(e)},t.base64Decode=function(e){return m.base64Decode(e)},t.generatePkceCodes=function(){return this.pkceGenerator.generatePkceCodes()},e}(),T=function(){function e(){}return e.deserializeJSONBlob=function(e){return r.StringUtils.isEmpty(e)?{}:JSON.parse(e)},e.deserializeAccounts=function(e){var t={};return e&&Object.keys(e).map((function(n){var i=e[n],o={homeAccountId:i.home_account_id,environment:i.environment,realm:i.realm,localAccountId:i.local_account_id,username:i.username,authorityType:i.authority_type,name:i.name,clientInfo:i.client_info,lastModificationTime:i.last_modification_time,lastModificationApp:i.last_modification_app},a=new r.AccountEntity;r.CacheManager.toObject(a,o),t[n]=a})),t},e.deserializeIdTokens=function(e){var t={};return e&&Object.keys(e).map((function(n){var i=e[n],o={homeAccountId:i.home_account_id,environment:i.environment,credentialType:i.credential_type,clientId:i.client_id,secret:i.secret,realm:i.realm},a=new r.IdTokenEntity;r.CacheManager.toObject(a,o),t[n]=a})),t},e.deserializeAccessTokens=function(e){var t={};return e&&Object.keys(e).map((function(n){var i=e[n],o={homeAccountId:i.home_account_id,environment:i.environment,credentialType:i.credential_type,clientId:i.client_id,secret:i.secret,realm:i.realm,target:i.target,cachedAt:i.cached_at,expiresOn:i.expires_on,extendedExpiresOn:i.extended_expires_on,refreshOn:i.refresh_on,keyId:i.key_id,tokenType:i.token_type},a=new r.AccessTokenEntity;r.CacheManager.toObject(a,o),t[n]=a})),t},e.deserializeRefreshTokens=function(e){var t={};return e&&Object.keys(e).map((function(n){var i=e[n],o={homeAccountId:i.home_account_id,environment:i.environment,credentialType:i.credential_type,clientId:i.client_id,secret:i.secret,familyId:i.family_id,target:i.target,realm:i.realm},a=new r.RefreshTokenEntity;r.CacheManager.toObject(a,o),t[n]=a})),t},e.deserializeAppMetadata=function(e){var t={};return e&&Object.keys(e).map((function(n){var i=e[n],o={clientId:i.client_id,environment:i.environment,familyId:i.family_id},a=new r.AppMetadataEntity;r.CacheManager.toObject(a,o),t[n]=a})),t},e.deserializeAllCache=function(e){return{accounts:e.Account?this.deserializeAccounts(e.Account):{},idTokens:e.IdToken?this.deserializeIdTokens(e.IdToken):{},accessTokens:e.AccessToken?this.deserializeAccessTokens(e.AccessToken):{},refreshTokens:e.RefreshToken?this.deserializeRefreshTokens(e.RefreshToken):{},appMetadata:e.AppMetadata?this.deserializeAppMetadata(e.AppMetadata):{}}},e}(),b=function(){function e(){}return e.serializeJSONBlob=function(e){return JSON.stringify(e)},e.serializeAccounts=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,realm:n.realm,local_account_id:n.localAccountId,username:n.username,authority_type:n.authorityType,name:n.name,client_info:n.clientInfo,last_modification_time:n.lastModificationTime,last_modification_app:n.lastModificationApp}})),t},e.serializeIdTokens=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,credential_type:n.credentialType,client_id:n.clientId,secret:n.secret,realm:n.realm}})),t},e.serializeAccessTokens=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,credential_type:n.credentialType,client_id:n.clientId,secret:n.secret,realm:n.realm,target:n.target,cached_at:n.cachedAt,expires_on:n.expiresOn,extended_expires_on:n.extendedExpiresOn,refresh_on:n.refreshOn,key_id:n.keyId,token_type:n.tokenType}})),t},e.serializeRefreshTokens=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={home_account_id:n.homeAccountId,environment:n.environment,credential_type:n.credentialType,client_id:n.clientId,secret:n.secret,family_id:n.familyId,target:n.target,realm:n.realm}})),t},e.serializeAppMetadata=function(e){var t={};return Object.keys(e).map((function(r){var n=e[r];t[r]={client_id:n.clientId,environment:n.environment,family_id:n.familyId}})),t},e.serializeAllCache=function(e){return{Account:this.serializeAccounts(e.accounts),IdToken:this.serializeIdTokens(e.idTokens),AccessToken:this.serializeAccessTokens(e.accessTokens),RefreshToken:this.serializeRefreshTokens(e.refreshTokens),AppMetadata:this.serializeAppMetadata(e.appMetadata)}},e}(),A=function(e){function t(t){var r;return(r=e.call(this)||this).inMemoryCache={accounts:{},accessTokens:{},refreshTokens:{},appMetadata:{},idTokens:{}},r.changeEmitters=[],r.logger=t,r}l(t,e);var n=t.prototype;return n.registerChangeEmitter=function(e){this.changeEmitters.push(e)},n.emitChange=function(){this.changeEmitters.forEach((function(e){return e.call(null)}))},n.getCache=function(){return this.logger.verbose("Getting in-memory cache"),this.inMemoryCache},n.setCache=function(e){this.logger.verbose("Setting in-memory cache"),this.inMemoryCache=e,this.emitChange()},n.setItem=function(e,t,n){this.logger.verbose("setItem called for item type: "+n),this.logger.verbosePii("Item key: "+e);var i=this.getCache();switch(n){case r.CacheSchemaType.ACCOUNT:i.accounts[e]=t;break;case r.CacheSchemaType.CREDENTIAL:switch(r.CredentialEntity.getCredentialType(e)){case r.CredentialType.ID_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ID_TOKEN),i.idTokens[e]=t;break;case r.CredentialType.ACCESS_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ACCESS_TOKEN),i.accessTokens[e]=t;break;case r.CredentialType.REFRESH_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.REFRESH_TOKEN),i.refreshTokens[e]=t}break;case r.CacheSchemaType.APP_META_DATA:i.appMetadata[e]=t;break;default:throw r.ClientAuthError.createInvalidCacheTypeError()}this.setCache(i),this.emitChange()},n.getItem=function(e,t){this.logger.verbose("getItem called for item type: "+t),this.logger.verbosePii("Item key: "+e);var n=this.getCache();switch(t){case r.CacheSchemaType.ACCOUNT:return n.accounts[e]||null;case r.CacheSchemaType.CREDENTIAL:var i=null;switch(r.CredentialEntity.getCredentialType(e)){case r.CredentialType.ID_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ID_TOKEN),i=n.idTokens[e]||null;break;case r.CredentialType.ACCESS_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ACCESS_TOKEN),i=n.accessTokens[e]||null;break;case r.CredentialType.REFRESH_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.REFRESH_TOKEN),i=n.refreshTokens[e]||null}return i;case r.CacheSchemaType.APP_META_DATA:return n.appMetadata[e]||null;default:throw r.ClientAuthError.createInvalidCacheTypeError()}},n.removeItem=function(e,t){this.logger.verbose("removeItem called for item type: "+t),this.logger.verbosePii("Item key: "+e);var n=this.getCache(),i=!1;switch(t){case r.CacheSchemaType.ACCOUNT:n.accounts[e]&&(delete n.accounts[e],i=!0);break;case r.CacheSchemaType.CREDENTIAL:switch(r.CredentialEntity.getCredentialType(e)){case r.CredentialType.ID_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ID_TOKEN),n.idTokens[e]&&(delete n.idTokens[e],i=!0);break;case r.CredentialType.ACCESS_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.ACCESS_TOKEN),n.accessTokens[e]&&(delete n.accessTokens[e],i=!0);break;case r.CredentialType.REFRESH_TOKEN:this.logger.verbose("Credential type: "+r.CredentialType.REFRESH_TOKEN),n.refreshTokens[e]&&(delete n.refreshTokens[e],i=!0)}break;case r.CacheSchemaType.APP_META_DATA:n.appMetadata[e]&&(delete n.appMetadata[e],i=!0);break;default:throw r.ClientAuthError.createInvalidCacheTypeError()}return i&&(this.setCache(n),this.emitChange()),i},n.containsKey=function(e){return!!e},n.getKeys=function(){this.logger.verbose("Retrieving all cache keys");var e=this.getCache();return[].concat(Object.keys(e.accounts),Object.keys(e.idTokens),Object.keys(e.accessTokens),Object.keys(e.refreshTokens),Object.keys(e.appMetadata))},n.clear=function(){var e=this;this.logger.verbose("Clearing cache entries created by MSAL"),this.getKeys().forEach((function(t){e.removeItem(t)})),this.emitChange()},t.generateInMemoryCache=function(e){return T.deserializeAllCache(T.deserializeJSONBlob(e))},t.generateJsonCache=function(e){return b.serializeAllCache(e)},t}(r.CacheManager),k={},E={},S={},_={},O={},I=function(){function e(e,t,r){this.hasChanged=!1,this.storage=e,this.storage.registerChangeEmitter(this.handleChangeEvent.bind(this)),r&&(this.persistence=r),this.logger=t}var t=e.prototype;return t.cacheHasChanged=function(){return this.hasChanged},t.serialize=function(){this.logger.verbose("Serializing in-memory cache");var e=b.serializeAllCache(this.storage.getCache());return r.StringUtils.isEmpty(this.cacheSnapshot)?this.logger.verbose("No cache snapshot to merge"):(this.logger.verbose("Reading cache snapshot from disk"),e=this.mergeState(JSON.parse(this.cacheSnapshot),e)),this.hasChanged=!1,JSON.stringify(e)},t.deserialize=function(e){if(this.logger.verbose("Deserializing JSON to in-memory cache"),this.cacheSnapshot=e,r.StringUtils.isEmpty(this.cacheSnapshot))this.logger.verbose("No cache snapshot to deserialize");else{this.logger.verbose("Reading cache snapshot from disk");var t=T.deserializeAllCache(this.overlayDefaults(JSON.parse(this.cacheSnapshot)));this.storage.setCache(t)}},t.writeToPersistence=function(){try{var e=this;return e.logger.verbose("Writing to persistent cache"),Promise.resolve(function(){if(e.persistence){e.logger.verbose("cachePlugin (persistent cache) not set by the user");var t=b.serializeAllCache(e.storage.getCache());return Promise.resolve(e.persistence.writeToStorage((function(n){return r.StringUtils.isEmpty(n)?e.logger.verbose("No state from disk"):(e.logger.verbose("Reading state from disk"),e.cacheSnapshot=n,t=e.mergeState(JSON.parse(n),t)),JSON.stringify(t)}))).then((function(){e.hasChanged=!1}))}throw r.ClientAuthError.createCachePluginError()}())}catch(e){return Promise.reject(e)}},t.readFromPersistence=function(){try{var e=this;return e.logger.verbose("Reading from persistent cache"),Promise.resolve(function(){if(e.persistence)return e.logger.verbose("cachePlugin (persistent cache) not set by the user"),Promise.resolve(e.persistence.readFromStorage()).then((function(t){if(e.cacheSnapshot=t,r.StringUtils.isEmpty(e.cacheSnapshot))e.logger.verbose("No cache snapshot to overlay and deserialize");else{e.logger.verbose("Reading cache snapshot from disk");var n=e.overlayDefaults(JSON.parse(e.cacheSnapshot));e.logger.verbose("Deserializing JSON");var i=T.deserializeAllCache(n);e.storage.setCache(i)}}));throw r.ClientAuthError.createCachePluginError()}())}catch(e){return Promise.reject(e)}},t.getAllAccounts=function(){return this.logger.verbose("getAllAccounts called"),this.storage.getAllAccounts()},t.removeAccount=function(e){this.logger.verbose("removeAccount called"),this.storage.removeAccount(r.AccountEntity.generateAccountCacheKey(e))},t.handleChangeEvent=function(){this.hasChanged=!0},t.mergeState=function(e,t){this.logger.verbose("Merging in-memory cache with cache snapshot");var r=this.mergeRemovals(e,t);return this.mergeUpdates(r,t)},t.mergeUpdates=function(e,t){var r=this;return Object.keys(t).forEach((function(n){var i=t[n];if(e.hasOwnProperty(n)){var o=null!==i,a="object"==typeof i,s=!Array.isArray(i);o&&a&&s&&null!=e[n]?r.mergeUpdates(e[n],i):e[n]=i}else null!==i&&(e[n]=i)})),e},t.mergeRemovals=function(e,t){return this.logger.verbose("Remove updated entries in cache"),c({Account:null!=e.Account?this.mergeRemovalsDict(e.Account,t.Account):e.Account,AccessToken:null!=e.AccessToken?this.mergeRemovalsDict(e.AccessToken,t.AccessToken):e.AccessToken,RefreshToken:null!=e.RefreshToken?this.mergeRemovalsDict(e.RefreshToken,t.RefreshToken):e.RefreshToken,IdToken:null!=e.IdToken?this.mergeRemovalsDict(e.IdToken,t.IdToken):e.IdToken,AppMetadata:null!=e.AppMetadata?this.mergeRemovalsDict(e.AppMetadata,t.AppMetadata):e.AppMetadata},e)},t.mergeRemovalsDict=function(e,t){var r=c({},e);return Object.keys(e).forEach((function(e){t&&t.hasOwnProperty(e)||delete r[e]})),r},t.overlayDefaults=function(e){return this.logger.verbose("Overlaying input cache with the default cache"),{Account:c({},k,{},e.Account),IdToken:c({},E,{},e.IdToken),AccessToken:c({},S,{},e.AccessToken),RefreshToken:c({},_,{},e.RefreshToken),AppMetadata:c({},O,{},e.AppMetadata)}},e}(),w=function(){function e(e){this.config=p(e),this.logger=new r.Logger(this.config.system.loggerOptions),this.storage=new A(this.logger),this.tokenCache=new I(this.storage,this.logger,this.config.cache.cachePlugin),this.cryptoProvider=new C,r.TrustedAuthority.setTrustedAuthoritiesFromConfig(this.config.auth.knownAuthorities,this.config.auth.cloudDiscoveryMetadata)}var t,n=e.prototype;return n.getAuthCodeUrl=function(e){try{var t=this;return t.logger.info("getAuthCodeUrl called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.AuthorizationCodeClient(n).getAuthCodeUrl(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.acquireTokenByCode=function(e){try{var t=this;return t.logger.info("acquireTokenByCode called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.AuthorizationCodeClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.acquireTokenByRefreshToken=function(e){try{var t=this;return t.logger.info("acquireTokenByRefreshToken called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.RefreshTokenClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.acquireTokenSilent=function(e){try{var t=this;return Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return new r.SilentFlowClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},n.getTokenCache=function(){return this.logger.info("getTokenCache called"),this.tokenCache},n.buildOauthClientConfiguration=function(e){try{var t=this;t.logger.verbose("buildOauthClientConfiguration called");var r=t.config.auth.clientId;return Promise.resolve(t.createAuthority(e)).then((function(e){return{authOptions:{clientId:r,authority:e,knownAuthorities:t.config.auth.knownAuthorities,cloudDiscoveryMetadata:t.config.auth.cloudDiscoveryMetadata},loggerOptions:{loggerCallback:t.config.system.loggerOptions.loggerCallback,piiLoggingEnabled:t.config.system.loggerOptions.piiLoggingEnabled},cryptoInterface:t.cryptoProvider,networkInterface:t.config.system.networkClient,storageInterface:t.storage,clientCredentials:{clientSecret:t.clientSecret,clientAssertion:t.clientAssertion?t.getClientAssertion():void 0},libraryInfo:{sku:"msal.js.node",version:"1.0.0-alpha.4",cpu:process.arch||"",os:process.platform||""}}}))}catch(e){return Promise.reject(e)}},n.getClientAssertion=function(){return{assertion:this.clientAssertion.getJwt(this.cryptoProvider,this.config.auth.clientId,this._authority.tokenEndpoint),assertionType:"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}},n.initializeRequestScopes=function(e){return this.logger.verbose("initializeRequestScopes called"),c({},e,{scopes:[].concat(e&&e.scopes||[],[r.Constants.OPENID_SCOPE,r.Constants.PROFILE_SCOPE,r.Constants.OFFLINE_ACCESS_SCOPE])})},n.createAuthority=function(e){try{var t;return this.logger.verbose("createAuthority called"),e?(this.logger.verbose("Authority passed in, creating authority instance"),t=r.AuthorityFactory.createInstance(e,this.config.system.networkClient)):(this.logger.verbose("No authority passed in request, defaulting to authority set on application object"),t=this.authority),t.discoveryComplete()?Promise.resolve(t):Promise.resolve(function(e,r){try{var n=Promise.resolve(t.resolveEndpointsAsync()).then((function(){return t}))}catch(e){return r(e)}return n&&n.then?n.then(void 0,r):n}(0,(function(e){throw r.ClientAuthError.createEndpointDiscoveryIncompleteError(e)})))}catch(e){return Promise.reject(e)}},(t=[{key:"authority",get:function(){return this._authority||(this._authority=r.AuthorityFactory.createInstance(this.config.auth.authority||r.Constants.DEFAULT_AUTHORITY,this.config.system.networkClient)),this._authority}}])&&function(e,t){for(var r=0;r<t.length;r++){var n=t[r];n.enumerable=n.enumerable||!1,n.configurable=!0,"value"in n&&(n.writable=!0),Object.defineProperty(e,n.key,n)}}(e.prototype,t),e}(),P=function(e){function t(t){return e.call(this,t)||this}return l(t,e),t.prototype.acquireTokenByDeviceCode=function(e){try{var t=this;return t.logger.info("acquireTokenByDeviceCode called"),Promise.resolve(t.buildOauthClientConfiguration(e.authority)).then((function(n){return t.logger.verbose("Auth client config generated"),new r.DeviceCodeClient(n).acquireToken(t.initializeRequestScopes(e))}))}catch(e){return Promise.reject(e)}},t}(w),j=function(){function e(){}e.fromAssertion=function(t){var r=new e;return r.jwt=t,r},e.fromCertificate=function(t,r){var n=new e;return n.privateKey=r,n.thumbprint=t,n};var t=e.prototype;return t.getJwt=function(e,t,n){if(null!=this.privateKey&&null!=this.thumbprint)return null==this.jwt||this.isExpired()||t!=this.issuer||n!=this.jwtAudience?this.createJwt(e,t,n):this.jwt;if(null!=this.jwt)return this.jwt;throw r.ClientAuthError.createInvalidAssertionError()},t.createJwt=function(e,t,n){var i,o;this.issuer=t,this.jwtAudience=n;var a=r.TimeUtils.nowSeconds();this.expirationTime=a+600;var c=((i={}).alg="RS256",i.x5t=m.base64EncodeUrl(this.thumbprint,"hex"),i),l=((o={}).aud=this.jwtAudience,o.exp=this.expirationTime,o.iss=this.issuer,o.sub=this.issuer,o.nbf=a,o.jti=e.createNewGuid(),o);return this.jwt=s.sign(l,this.privateKey,{header:c}),this.jwt},t.isExpired=function(){return this.expirationTime<r.TimeUtils.nowSeconds()},e}(),R=function(e){function t(t){var r;return(r=e.call(this,t)||this).setClientCredential(r.config),r}return l(t,e),t.prototype.setClientCredential=function(e){var t=!r.StringUtils.isEmpty(e.auth.clientSecret),n=!r.StringUtils.isEmpty(e.auth.clientAssertion),i=e.auth.clientCertificate,o=!r.StringUtils.isEmpty(i.thumbprint)||!r.StringUtils.isEmpty(i.privateKey);if(t&&n||n&&o||t&&o)throw r.ClientAuthError.createInvalidCredentialError();if(t)this.clientSecret=e.auth.clientSecret;else if(n)this.clientAssertion=j.fromAssertion(e.auth.clientAssertion);else{if(!o)throw r.ClientAuthError.createInvalidCredentialError();this.clientAssertion=j.fromCertificate(i.thumbprint,i.privateKey)}},t}(w);Object.defineProperty(exports,"AuthError",{enumerable:!0,get:function(){return r.AuthError}}),Object.defineProperty(exports,"AuthErrorMessage",{enumerable:!0,get:function(){return r.AuthErrorMessage}}),Object.defineProperty(exports,"LogLevel",{enumerable:!0,get:function(){return r.LogLevel}}),Object.defineProperty(exports,"PromptValue",{enumerable:!0,get:function(){return r.PromptValue}}),Object.defineProperty(exports,"ResponseMode",{enumerable:!0,get:function(){return r.ResponseMode}}),exports.ConfidentialClientApplication=R,exports.CryptoProvider=C,exports.PublicClientApplication=P,exports.Storage=A,exports.TokenCache=I,exports.buildAppConfiguration=p;
 //# sourceMappingURL=msal-node.cjs.production.min.js.map

dist/msal-node.esm.js

@@ -1,3 +0,3 @@
-import { LogLevel, StringUtils, AccountEntity, CacheManager, IdTokenEntity, AccessTokenEntity, RefreshTokenEntity, AppMetadataEntity, ClientAuthError, CacheSchemaType, CredentialEntity, CredentialType, AuthorizationCodeClient, RefreshTokenClient, SilentFlowClient, Constants as Constants$1, AuthorityFactory, Logger, TrustedAuthority, DeviceCodeClient } from '@azure/msal-common';
-export { AuthError, AuthErrorMessage, AuthenticationResult, LogLevel, PromptValue, ResponseMode } from '@azure/msal-common';
+import { LogLevel, StringUtils, AccountEntity, CacheManager, IdTokenEntity, AccessTokenEntity, RefreshTokenEntity, AppMetadataEntity, ClientAuthError, CacheSchemaType, CredentialEntity, CredentialType, AuthorizationCodeClient, RefreshTokenClient, SilentFlowClient, Constants as Constants$1, AuthorityFactory, Logger, TrustedAuthority, DeviceCodeClient, TimeUtils } from '@azure/msal-common';
+export { AuthError, AuthErrorMessage, LogLevel, PromptValue, ResponseMode } from '@azure/msal-common';
 import axios from 'axios';
@@ -7,2 +7,3 @@ import debug from 'debug';
 import crypto from 'crypto';
+import { sign } from 'jsonwebtoken';
 
@@ -103,9 +104,25 @@ function _defineProperties(target, props) {
 /**
- * Constants for headers
+ * Constants
  */
 
 var Constants = {
-  MSAL_SKU: 'msal.js.node'
+  MSAL_SKU: 'msal.js.node',
+  JWT_BEARER_ASSERTION_TYPE: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
 };
+/**
+ * JWT  constants
+ */
 
+var JwtConstants = {
+  ALGORITHM: 'alg',
+  RSA_256: 'RS256',
+  X5T: 'x5t',
+  AUDIENCE: 'aud',
+  EXPIRATION_TIME: 'exp',
+  ISSUER: "iss",
+  SUBJECT: "sub",
+  NOT_BEFORE: "nbf",
+  JWT_ID: "jti"
+};
+
 /*
@@ -202,2 +219,8 @@ * Copyright (c) Microsoft Corporation. All rights reserved.
   authority: '',
+  clientSecret: '',
+  clientAssertion: '',
+  clientCertificate: {
+    thumbprint: '',
+    privateKey: ''
+  },
   knownAuthorities: [],
@@ -281,4 +304,4 @@ cloudDiscoveryMetadata: ""
    */
-  EncodingUtils.base64Encode = function base64Encode(str) {
-    return Buffer.from(str, 'utf8').toString('base64');
+  EncodingUtils.base64Encode = function base64Encode(str, encoding) {
+    return Buffer.from(str, encoding).toString('base64');
   }
@@ -291,4 +314,4 @@ /**
 
-  EncodingUtils.base64EncodeUrl = function base64EncodeUrl(str) {
-    return EncodingUtils.base64Encode(str).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+  EncodingUtils.base64EncodeUrl = function base64EncodeUrl(str, encoding) {
+    return EncodingUtils.base64Encode(str, encoding).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
   }
@@ -1136,3 +1159,3 @@ /**
 
-var version = "1.0.0-alpha.3";
+var version = "1.0.0-alpha.4";
 
@@ -1352,4 +1375,5 @@ var defaultSerializedCache = {
         var newValueIsNotArray = !Array.isArray(newValue);
+        var oldStateNotUndefinedOrNull = typeof oldState[newKey] !== 'undefined' && oldState[newKey] !== null;
 
-        if (newValueNotNull && newValueIsObject && newValueIsNotArray) {
+        if (newValueNotNull && newValueIsObject && newValueIsNotArray && oldStateNotUndefinedOrNull) {
           _this5.mergeUpdates(oldState[newKey], newValue);
@@ -1417,8 +1441,6 @@ } else {
   function ClientApplication(configuration) {
-    var _this$config$cache;
-
     this.config = buildAppConfiguration(configuration);
     this.logger = new Logger(this.config.system.loggerOptions);
     this.storage = new Storage(this.logger);
-    this.tokenCache = new TokenCache(this.storage, this.logger, (_this$config$cache = this.config.cache) === null || _this$config$cache === void 0 ? void 0 : _this$config$cache.cachePlugin);
+    this.tokenCache = new TokenCache(this.storage, this.logger, this.config.cache.cachePlugin);
     this.cryptoProvider = new CryptoProvider();
@@ -1562,2 +1584,6 @@ TrustedAuthority.setTrustedAuthoritiesFromConfig(this.config.auth.knownAuthorities, this.config.auth.cloudDiscoveryMetadata);
           storageInterface: _this10.storage,
+          clientCredentials: {
+            clientSecret: _this10.clientSecret,
+            clientAssertion: _this10.clientAssertion ? _this10.getClientAssertion() : undefined
+          },
           libraryInfo: {
@@ -1574,2 +1600,9 @@ sku: Constants.MSAL_SKU,
     }
+  };
+
+  _proto.getClientAssertion = function getClientAssertion() {
+    return {
+      assertion: this.clientAssertion.getJwt(this.cryptoProvider, this.config.auth.clientId, this._authority.tokenEndpoint),
+      assertionType: Constants.JWT_BEARER_ASSERTION_TYPE
+    };
   }
@@ -1636,3 +1669,2 @@ /**
 
-      this.logger.verbose("No authority set on application object. Defaulting to common authority");
       this._authority = AuthorityFactory.createInstance(this.config.auth.authority || Constants$1.DEFAULT_AUTHORITY, this.config.system.networkClient);
@@ -1707,5 +1739,136 @@ return this._authority;
 
-var ConfidentialClientApplication = function ConfidentialClientApplication() {};
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+/**
+ * Client assertion of type jwt-bearer used in confidential client flows
+ */
 
+var ClientAssertion = /*#__PURE__*/function () {
+  function ClientAssertion() {}
+
+  ClientAssertion.fromAssertion = function fromAssertion(assertion) {
+    var clientAssertion = new ClientAssertion();
+    clientAssertion.jwt = assertion;
+    return clientAssertion;
+  };
+
+  ClientAssertion.fromCertificate = function fromCertificate(thumbprint, privateKey) {
+    var clientAssertion = new ClientAssertion();
+    clientAssertion.privateKey = privateKey;
+    clientAssertion.thumbprint = thumbprint;
+    return clientAssertion;
+  };
+
+  var _proto = ClientAssertion.prototype;
+
+  _proto.getJwt = function getJwt(cryptoProvider, issuer, jwtAudience) {
+    // if assertion was created from certificate, check if jwt is expired and create new one.
+    if (this.privateKey != null && this.thumbprint != null) {
+      if (this.jwt != null && !this.isExpired() && issuer == this.issuer && jwtAudience == this.jwtAudience) {
+        return this.jwt;
+      }
+
+      return this.createJwt(cryptoProvider, issuer, jwtAudience);
+    } // if assertion was created by caller, then we just append it. It is up to the caller to
+    // ensure that it contains necessary claims and that it is not expired.
+
+
+    if (this.jwt != null) {
+      return this.jwt;
+    }
+
+    throw ClientAuthError.createInvalidAssertionError();
+  } // JWT format and required claims specified: https://tools.ietf.org/html/rfc7523#section-3
+  ;
+
+  _proto.createJwt = function createJwt(cryptoProvider, issuer, jwtAudience) {
+    var _header, _payload;
+
+    this.issuer = issuer;
+    this.jwtAudience = jwtAudience;
+    var issuedAt = TimeUtils.nowSeconds();
+    this.expirationTime = issuedAt + 600;
+    var header = (_header = {}, _header[JwtConstants.ALGORITHM] = JwtConstants.RSA_256, _header[JwtConstants.X5T] = EncodingUtils.base64EncodeUrl(this.thumbprint, "hex"), _header);
+    var payload = (_payload = {}, _payload[JwtConstants.AUDIENCE] = this.jwtAudience, _payload[JwtConstants.EXPIRATION_TIME] = this.expirationTime, _payload[JwtConstants.ISSUER] = this.issuer, _payload[JwtConstants.SUBJECT] = this.issuer, _payload[JwtConstants.NOT_BEFORE] = issuedAt, _payload[JwtConstants.JWT_ID] = cryptoProvider.createNewGuid(), _payload);
+    this.jwt = sign(payload, this.privateKey, {
+      header: header
+    });
+    return this.jwt;
+  };
+
+  _proto.isExpired = function isExpired() {
+    return this.expirationTime < TimeUtils.nowSeconds();
+  };
+
+  return ClientAssertion;
+}();
+
+var ConfidentialClientApplication = /*#__PURE__*/function (_ClientApplication) {
+  _inheritsLoose(ConfidentialClientApplication, _ClientApplication);
+
+  /**
+   * @constructor
+   * Constructor for the ConfidentialClientApplication
+   *
+   * Required attributes in the Configuration object are:
+   * - clientID: the application ID of your application. You can obtain one by registering your application with our application registration portal
+   * - authority: the authority URL for your application.
+   * - client credential: Must set either client secret, certificate, or assertion for confidential clients. You can obtain a client secret from the application registration portal.
+   *
+   * In Azure AD, authority is a URL indicating of the form https://login.microsoftonline.com/{Enter_the_Tenant_Info_Here}.
+   * If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
+   * If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
+   * If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
+   * To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.
+   *
+   * In Azure B2C, authority is of the form https://{instance}/tfp/{tenant}/{policyName}/
+   * Full B2C functionality will be available in this library in future versions.
+   *
+   * @param {@link (Configuration:type)} configuration object for the MSAL ConfidentialClientApplication instance
+   */
+  function ConfidentialClientApplication(configuration) {
+    var _this;
+
+    _this = _ClientApplication.call(this, configuration) || this;
+
+    _this.setClientCredential(_this.config);
+
+    return _this;
+  }
+
+  var _proto = ConfidentialClientApplication.prototype;
+
+  _proto.setClientCredential = function setClientCredential(configuration) {
+    var clientSecretNotEmpty = !StringUtils.isEmpty(configuration.auth.clientSecret);
+    var clientAssertionNotEmpty = !StringUtils.isEmpty(configuration.auth.clientAssertion);
+    var certificate = configuration.auth.clientCertificate;
+    var certificateNotEmpty = !StringUtils.isEmpty(certificate.thumbprint) || !StringUtils.isEmpty(certificate.privateKey); // Check that at most one credential is set on the application 
+
+    if (clientSecretNotEmpty && clientAssertionNotEmpty || clientAssertionNotEmpty && certificateNotEmpty || clientSecretNotEmpty && certificateNotEmpty) {
+      throw ClientAuthError.createInvalidCredentialError();
+    }
+
+    if (clientSecretNotEmpty) {
+      this.clientSecret = configuration.auth.clientSecret;
+      return;
+    }
+
+    if (clientAssertionNotEmpty) {
+      this.clientAssertion = ClientAssertion.fromAssertion(configuration.auth.clientAssertion);
+      return;
+    }
+
+    if (!certificateNotEmpty) {
+      throw ClientAuthError.createInvalidCredentialError();
+    } else {
+      this.clientAssertion = ClientAssertion.fromCertificate(certificate.thumbprint, certificate.privateKey);
+    }
+  };
+
+  return ConfidentialClientApplication;
+}(ClientApplication);
+
 export { ConfidentialClientApplication, CryptoProvider, PublicClientApplication, Storage, TokenCache, buildAppConfiguration };
 //# sourceMappingURL=msal-node.esm.js.map

dist/test/utils/TestConstants.d.ts

@@ -9,2 +9,3 @@ /**
     REDIRECT_URI: string;
+    CLIENT_SECRET: string;
     DEFAULT_GRAPH_SCOPE: string[];
@@ -15,2 +16,5 @@ AUTHORIZATION_CODE: string;
     CACHE_LOCATION: string;
+    CLIENT_ASSERTION: string;
+    THUMBPRINT: string;
+    PRIVATE_KEY: string;
 };
@@ -17,0 +21,0 @@ export declare const AUTHENTICATION_RESULT: {

dist/utils/Constants.d.ts

@@ -32,6 +32,21 @@ /**
 /**
- * Constants for headers
+ * Constants
  */
 export declare const Constants: {
     MSAL_SKU: string;
+    JWT_BEARER_ASSERTION_TYPE: string;
 };
+/**
+ * JWT  constants
+ */
+export declare const JwtConstants: {
+    ALGORITHM: string;
+    RSA_256: string;
+    X5T: string;
+    AUDIENCE: string;
+    EXPIRATION_TIME: string;
+    ISSUER: string;
+    SUBJECT: string;
+    NOT_BEFORE: string;
+    JWT_ID: string;
+};

dist/utils/EncodingUtils.d.ts

@@ -0,1 +1,2 @@
+/// <reference types="node" />
 export declare class EncodingUtils {
@@ -8,3 +9,3 @@ /**
      */
-    static base64Encode(str: string): string;
+    static base64Encode(str: string, encoding?: BufferEncoding): string;
     /**
@@ -14,3 +15,3 @@ * encode a URL
      */
-    static base64EncodeUrl(str: string): string;
+    static base64EncodeUrl(str: string, encoding?: BufferEncoding): string;
     /**
@@ -17,0 +18,0 @@ * 'utf8': Multibyte encoded Unicode characters. Many web pages and other document formats use UTF-8.

package.json

 {
   "name": "@azure/msal-node",
-  "version": "1.0.0-alpha.3",
+  "version": "1.0.0-alpha.4",
   "author": {
@@ -40,3 +40,5 @@ "name": "Microsoft",
     "lint:fix": "tsdx lint --fix",
-    "prepack": "npm run build"
+    "build:all": "npm run build:common && npm run build",
+    "build:common": "cd ../msal-common && npm run build",
+    "prepack": "npm run build:all"
   },
@@ -71,2 +73,3 @@ "peerDependencies": {},
     "@types/uuid": "^7.0.0",
+    "@types/jsonwebtoken": "^8.5.0",
     "gh-pages": "^3.1.0",
@@ -80,6 +83,7 @@ "husky": "^4.2.3",
   "dependencies": {
-    "@azure/msal-common": "^1.0.0",
+    "@azure/msal-common": "^1.1.0",
     "axios": "^0.19.2",
-    "debug": "^4.1.1"
+    "debug": "^4.1.1",
+    "jsonwebtoken": "^8.5.1"
   }
 }

README.md

@@ -31,3 +31,4 @@ # Microsoft Authentication Library for Node (msal-node)
 
-- [Authorization Code Grant](https://oauth.net/2/grant-types/authorization-code/) with [PKCE](https://oauth.net/2/pkce/)
+#### Public Client: 
+- [Authorization Code Grant](https://oauth.net/2/grant-types/authorization-code/) with [PKCE](https://oauth.net/2/pkce/) 
 - [Device Code Grant](https://oauth.net/2/grant-types/device-code/)
@@ -37,5 +38,9 @@ - [Refresh Token Grant](https://oauth.net/2/grant-types/refresh-token/)
 
-[Coming Soon] In the upcoming quarters we plan to add support for:
+#### Confidential Client: 
+- [Authorization Code Grant](https://oauth.net/2/grant-types/authorization-code/) with a client credential
+- [Refresh Token Grant](https://oauth.net/2/grant-types/refresh-token/)
+- [Silent Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens#acquiring-tokens-silently-from-the-cache)
 
-- [Authorization Code Grant (Confidential Client)](https://oauth.net/2/grant-types/authorization-code/)
+**[Coming Soon]** In the future we plan to add support for:
+
 - [Client Credential Grant](https://oauth.net/2/grant-types/client-credentials/)
@@ -52,3 +57,3 @@ - [On-behalf-of flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)
 - Destop app that calls web APIs
-- Web app that calls web APIs (upcoming)
+- Web app that calls web APIs 
 - Web APIs that call web APIs (upcoming)
@@ -63,16 +68,7 @@ - Daemon apps (upcoming)
 
-## Releases
-
-*Expect us to detail our major and minor releases moving forward, while leaving out our patch releases.  Patch release notes can be found in our change log.*
-
-| Date | Release | Announcement | Main features |
-| ------| ------- | ---------| --------- |
-| July 13th, 2020 (Tentative) | @azure/msal-node v1.0.0-alpha.1 | No release notes yet | Full version of the `@azure/msal-node` package; relies on `@azure/msal-common` v1.0.0 |
-| July 6th, 2020  | @azure/msal-node v1.0.0-alpha.0| No release notes yet | Full version of the `@azure/msal-node` package; relies on `@azure/msal-common` v1.0.0-beta.4 |
-
 ## Prerequisites
 
-Before using `@azure/msal-node` you will need to register your app in the azure portal to get a valid `clientId` for configuration, and to register the routes that your app will accept redirect traffic on if applicable. Currently we support the below app registrations for `@azure/msal-node`:
+Before using `@azure/msal-node` you will need to register your app in the azure portal:  
 
-- [Desktop app that calls web APIs: App registration](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration)
+- [App registration](https://docs.microsoft.com/en-us/graph/auth-register-app-v2)
 
@@ -88,3 +84,5 @@ ## Installation
 ### MSAL basics
+- [Understand difference in between Public Client and Confidential Clients](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications)
 - [Initialize a Public Client Application](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-public-client-application.md)
+- [Initialize a Confidential Client Application](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md)
 - [Configuration](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/configuration.md)
@@ -160,3 +158,1 @@ - [Request](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/request.md)
 
-
-

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

568967

increased by10.34%

Number of package files

32

increased by3.23%

Lines of code

4116

increased by9.38%

Worsened metrics

Dependency count

4

increased by33.33%

Dev dependency count

11

increased by10%

Number of lines in readme file

153

decreased by-2.55%

Dependency changes

• + Addedjsonwebtoken@^8.5.1

• + Addedbuffer-equal-constant-time@1.0.1(transitive)

• + Addedecdsa-sig-formatter@1.0.11(transitive)

• + Addedjsonwebtoken@8.5.1(transitive)

• + Addedjwa@1.4.1(transitive)

• + Addedjws@3.2.2(transitive)

• + Addedlodash.includes@4.3.0(transitive)

• + Addedlodash.isboolean@3.0.3(transitive)

• + Addedlodash.isinteger@4.0.4(transitive)

• + Addedlodash.isnumber@3.0.3(transitive)

• + Addedlodash.isplainobject@4.0.6(transitive)

• + Addedlodash.isstring@4.0.1(transitive)

• + Addedlodash.once@4.1.1(transitive)

• + Addedsafe-buffer@5.2.1(transitive)

• + Addedsemver@5.7.2(transitive)

• Updated@azure/msal-common@^1.1.0