@azure/msal-node - npm Package Compare versions

Comparing version 2.10.0 to 2.11.0

dist/client/ClientAssertion.d.ts

@@ -10,2 +10,3 @@ import { CryptoProvider } from "../crypto/CryptoProvider.js";
     private thumbprint;
+    private useSha256;
     private expirationTime;
@@ -21,2 +22,3 @@ private issuer;
     /**
+     * @deprecated Use fromCertificateWithSha256Thumbprint instead, with a SHA-256 thumprint
      * Initialize the ClientAssertion class from the certificate passed by the user
@@ -29,2 +31,9 @@ * @param thumbprint - identifier of a certificate
     /**
+     * Initialize the ClientAssertion class from the certificate passed by the user
+     * @param thumbprint - identifier of a certificate
+     * @param privateKey - secret key
+     * @param publicCertificate - electronic document provided to prove the ownership of the public key
+     */
+    static fromCertificateWithSha256Thumbprint(thumbprint: string, privateKey: string, publicCertificate?: string): ClientAssertion;
+    /**
      * Update JWT for certificate based clientAssertion, if passed by the user, uses it as is
@@ -31,0 +40,0 @@ * @param cryptoProvider - library's crypto helper

dist/config/Configuration.d.ts

@@ -13,3 +13,3 @@ /// <reference types="node" />
  * - clientAssertion        - A ClientAssertion object containing an assertion string or a callback function that returns an assertion string that the application uses when requesting a token, as well as the assertion's type (urn:ietf:params:oauth:client-assertion-type:jwt-bearer). Only used in confidential client applications.
- * - clientCertificate      - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 thumbprint of the certificiate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
+ * - clientCertificate      - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 or SHA-256 thumbprint of the certificate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
  * - protocolMode           - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.
@@ -25,3 +25,8 @@ * - skipAuthorityMetadataCache - A flag to choose whether to use or not use the local metadata cache during authority initialization. Defaults to false.
     clientCertificate?: {
-        thumbprint: string;
+        /**
+         * @deprecated Use thumbprintSha2 property instead. Thumbprint needs to be computed with SHA-256 algorithm.
+         * SHA-1 is only needed for backwards compatibility with older versions of ADFS.
+         */
+        thumbprint?: string;
+        thumbprintSha256?: string;
         privateKey: string;
@@ -28,0 +33,0 @@ x5c?: string;

dist/error/NodeAuthError.d.ts

@@ -34,2 +34,6 @@ import { AuthError } from "@azure/msal-common";
     };
+    thumbprintMissing: {
+        code: string;
+        desc: string;
+    };
 };
@@ -66,3 +70,7 @@ export declare class NodeAuthError extends AuthError {
     static createStateNotFoundError(): NodeAuthError;
+    /**
+     * Creates an error thrown when client certificate was provided, but neither the SHA-1 or SHA-256 thumbprints were provided
+     */
+    static createThumbprintMissingError(): NodeAuthError;
 }
 //# sourceMappingURL=NodeAuthError.d.ts.map

dist/packageMetadata.d.ts

 export declare const name = "@azure/msal-node";
-export declare const version = "2.10.0";
+export declare const version = "2.11.0";
 //# sourceMappingURL=packageMetadata.d.ts.map

dist/utils/Constants.d.ts

@@ -123,2 +123,3 @@ export declare const AUTHORIZATION_HEADER_NAME: string;
     RSA_256: string;
+    X5T_256: string;
     X5T: string;
@@ -125,0 +126,0 @@ X5C: string;

package.json

 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "@azure/msal-node",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "author": {
@@ -6,0 +6,0 @@ "name": "Microsoft",

src/client/ClientAssertion.ts

@@ -25,2 +25,3 @@ /*
     private thumbprint: string;
+    private useSha256: boolean;
     private expirationTime: number;
@@ -42,2 +43,3 @@ private issuer: string;
     /**
+     * @deprecated Use fromCertificateWithSha256Thumbprint instead, with a SHA-256 thumprint
      * Initialize the ClientAssertion class from the certificate passed by the user
@@ -56,2 +58,3 @@ * @param thumbprint - identifier of a certificate
         clientAssertion.thumbprint = thumbprint;
+        clientAssertion.useSha256 = false;
         if (publicCertificate) {
@@ -65,2 +68,24 @@ clientAssertion.publicCertificate =
     /**
+     * Initialize the ClientAssertion class from the certificate passed by the user
+     * @param thumbprint - identifier of a certificate
+     * @param privateKey - secret key
+     * @param publicCertificate - electronic document provided to prove the ownership of the public key
+     */
+    public static fromCertificateWithSha256Thumbprint(
+        thumbprint: string,
+        privateKey: string,
+        publicCertificate?: string
+    ): ClientAssertion {
+        const clientAssertion = new ClientAssertion();
+        clientAssertion.privateKey = privateKey;
+        clientAssertion.thumbprint = thumbprint;
+        clientAssertion.useSha256 = true;
+        if (publicCertificate) {
+            clientAssertion.publicCertificate =
+                this.parseCertificate(publicCertificate);
+        }
+        return clientAssertion;
+    }
+
+    /**
      * Update JWT for certificate based clientAssertion, if passed by the user, uses it as is
@@ -116,8 +141,17 @@ * @param cryptoProvider - library's crypto helper
             alg: JwtConstants.RSA_256,
-            x5t: EncodingUtils.base64EncodeUrl(this.thumbprint, "hex"),
         };
 
+        const thumbprintHeader = this.useSha256
+            ? JwtConstants.X5T_256
+            : JwtConstants.X5T;
+        Object.assign(header, {
+            [thumbprintHeader]: EncodingUtils.base64EncodeUrl(
+                this.thumbprint,
+                "hex"
+            ),
+        } as Partial<jwt.JwtHeader>);
+
         if (this.publicCertificate) {
             Object.assign(header, {
-                x5c: this.publicCertificate,
+                [JwtConstants.X5C]: this.publicCertificate,
             } as Partial<jwt.JwtHeader>);
@@ -124,0 +158,0 @@ }

src/client/ConfidentialClientApplication.ts

@@ -22,3 +22,2 @@ /*
     AuthError,
-    Constants,
     IAppTokenProvider,
@@ -71,3 +70,3 @@ OIDC_DEFAULT_SCOPES,
         super(configuration);
-        this.setClientCredential(this.config);
+        this.setClientCredential();
         this.appTokenProvider = undefined;
@@ -223,11 +222,9 @@ }
 
-    private setClientCredential(configuration: Configuration): void {
-        const clientSecretNotEmpty = !!configuration.auth.clientSecret;
-        const clientAssertionNotEmpty = !!configuration.auth.clientAssertion;
-        const certificate = configuration.auth.clientCertificate || {
-            thumbprint: Constants.EMPTY_STRING,
-            privateKey: Constants.EMPTY_STRING,
-        };
+    private setClientCredential(): void {
+        const clientSecretNotEmpty = !!this.config.auth.clientSecret;
+        const clientAssertionNotEmpty = !!this.config.auth.clientAssertion;
         const certificateNotEmpty =
-            !!certificate.thumbprint || !!certificate.privateKey;
+            (!!this.config.auth.clientCertificate.thumbprint ||
+                !!this.config.auth.clientCertificate.thumbprintSha256) &&
+            !!this.config.auth.clientCertificate.privateKey;
 
@@ -253,10 +250,10 @@ /*
 
-        if (configuration.auth.clientSecret) {
-            this.clientSecret = configuration.auth.clientSecret;
+        if (this.config.auth.clientSecret) {
+            this.clientSecret = this.config.auth.clientSecret;
             return;
         }
 
-        if (configuration.auth.clientAssertion) {
+        if (this.config.auth.clientAssertion) {
             this.developerProvidedClientAssertion =
-                configuration.auth.clientAssertion;
+                this.config.auth.clientAssertion;
             return;
@@ -270,9 +267,17 @@ }
         } else {
-            this.clientAssertion = ClientAssertion.fromCertificate(
-                certificate.thumbprint,
-                certificate.privateKey,
-                configuration.auth.clientCertificate?.x5c
-            );
+            this.clientAssertion = !!this.config.auth.clientCertificate
+                .thumbprintSha256
+                ? ClientAssertion.fromCertificateWithSha256Thumbprint(
+                      this.config.auth.clientCertificate.thumbprintSha256,
+                      this.config.auth.clientCertificate.privateKey,
+                      this.config.auth.clientCertificate.x5c
+                  )
+                : ClientAssertion.fromCertificate(
+                      // guaranteed to be a string, due to prior error checking in this function
+                      this.config.auth.clientCertificate.thumbprint as string,
+                      this.config.auth.clientCertificate.privateKey,
+                      this.config.auth.clientCertificate.x5c
+                  );
         }
     }
 }

src/config/Configuration.ts

@@ -30,2 +30,3 @@ /*
 import { HttpClientWithRetries } from "../network/HttpClientWithRetries.js";
+import { NodeAuthError } from "../error/NodeAuthError.js";
 
@@ -38,3 +39,3 @@ /**
  * - clientAssertion        - A ClientAssertion object containing an assertion string or a callback function that returns an assertion string that the application uses when requesting a token, as well as the assertion's type (urn:ietf:params:oauth:client-assertion-type:jwt-bearer). Only used in confidential client applications.
- * - clientCertificate      - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 thumbprint of the certificiate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
+ * - clientCertificate      - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 or SHA-256 thumbprint of the certificate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
  * - protocolMode           - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.
@@ -50,3 +51,8 @@ * - skipAuthorityMetadataCache - A flag to choose whether to use or not use the local metadata cache during authority initialization. Defaults to false.
     clientCertificate?: {
-        thumbprint: string;
+        /**
+         * @deprecated Use thumbprintSha2 property instead. Thumbprint needs to be computed with SHA-256 algorithm.
+         * SHA-1 is only needed for backwards compatibility with older versions of ADFS.
+         */
+        thumbprint?: string;
+        thumbprintSha256?: string;
         privateKey: string;
@@ -144,2 +150,3 @@ x5c?: string;
         thumbprint: Constants.EMPTY_STRING,
+        thumbprintSha256: Constants.EMPTY_STRING,
         privateKey: Constants.EMPTY_STRING,
@@ -224,2 +231,11 @@ x5c: Constants.EMPTY_STRING,
 
+    // if client certificate was provided, ensure that at least one of the SHA-1 or SHA-256 thumbprints were provided
+    if (
+        !!auth.clientCertificate &&
+        !!!auth.clientCertificate.thumbprint &&
+        !!!auth.clientCertificate.thumbprintSha256
+    ) {
+        throw NodeAuthError.createStateNotFoundError();
+    }
+
     return {
@@ -226,0 +242,0 @@ auth: { ...DEFAULT_AUTH_OPTIONS, ...auth },

src/error/NodeAuthError.ts

@@ -40,2 +40,6 @@ /*
     },
+    thumbprintMissing: {
+        code: "thumbprint_missing_from_client_certificate",
+        desc: "Client certificate does not contain a SHA-1 or SHA-256 thumbprint.",
+    },
 };
@@ -118,2 +122,12 @@
     }
+
+    /**
+     * Creates an error thrown when client certificate was provided, but neither the SHA-1 or SHA-256 thumbprints were provided
+     */
+    static createThumbprintMissingError(): NodeAuthError {
+        return new NodeAuthError(
+            NodeAuthErrorMessage.thumbprintMissing.code,
+            NodeAuthErrorMessage.thumbprintMissing.desc
+        );
+    }
 }

src/packageMetadata.ts

 /* eslint-disable header/header */
 export const name = "@azure/msal-node";
-export const version = "2.10.0";
+export const version = "2.11.0";

src/utils/Constants.ts

@@ -149,2 +149,3 @@ /*
     RSA_256: "RS256",
+    X5T_256: "x5t#S256",
     X5T: "x5t",
@@ -151,0 +152,0 @@ X5C: "x5c",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1173321

increased by1.05%

Lines of code

19209

increased by0.95%

No dependency changes