Merge branch 'dev' of https://github.com/AzureAD/microsoft-authentication-library-for-js into msal-core-adfs

Author: tnorling

build/sdl-tasks.yml

@@ -10,14 +10,14 @@ steps:
     optionsXS: 1
     optionsHMENABLE: 0
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
-  displayName: 'Run CredScan3'
-  inputs:
-    scanFolder: './'
-    debugMode: false
+# - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+#   displayName: 'Run CredScan3'
+#   inputs:
+#     scanFolder: './'
+#     debugMode: false
 
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
   displayName: 'Post Analysis'
   inputs:
-    CredScan: true
+    CredScan: false
     PoliCheck: true

lib/msal-browser/src/app/PublicClientApplication.ts

@@ -2,11 +2,11 @@
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
  */
-import { ICacheStorage, Constants, PersistentCacheKeys, TemporaryCacheKeys, InMemoryCache } from "@azure/msal-common";
+import { ICacheStorage, Constants, PersistentCacheKeys, InMemoryCache, StringUtils, AuthorizationCodeRequest, ICrypto } from "@azure/msal-common";
 import { CacheOptions } from "../config/Configuration";
 import { BrowserAuthError } from "../error/BrowserAuthError";
 import { BrowserConfigurationAuthError } from "../error/BrowserConfigurationAuthError";
-import { BrowserConstants } from "../utils/BrowserConstants";
+import { BrowserConstants, TemporaryCacheKeys } from "../utils/BrowserConstants";
 
 // Cookie life calculation (hours * minutes * seconds * ms)
 const COOKIE_LIFE_MULTIPLIER = 24 * 60 * 60 * 1000;
@@ -152,12 +152,13 @@ export class BrowserStorage implements ICacheStorage {
      * Will also clear the cookie item if storeAuthStateInCookie is set to true.
      * @param key
      */
-    removeItem(key: string): void {
+    removeItem(key: string): boolean {
         const msalKey = this.generateCacheKey(key);
         this.windowStorage.removeItem(msalKey);
         if (this.cacheConfig.storeAuthStateInCookie) {
             this.clearItemCookie(msalKey);
         }
+        return true;
     }
 
     /**
@@ -268,7 +269,133 @@ export class BrowserStorage implements ICacheStorage {
     /**
      * Dummy implementation until browser cache is migrated
      */
-    setCache() {
+    setCache(): void {
         // sets nothing
     }
+
+    /**
+     * Create authorityKey to cache authority
+     * @param state
+     */
+    generateAuthorityKey(state: string): string {
+        return `${TemporaryCacheKeys.AUTHORITY}${Constants.RESOURCE_DELIM}${state}`;
+    }
+
+    /**
+     * Create Nonce key to cache nonce
+     * @param state
+     */
+    generateNonceKey(state: string): string {
+        return `${TemporaryCacheKeys.NONCE_IDTOKEN}${Constants.RESOURCE_DELIM}${state}`;
+    }
+
+    /**
+     * Sets the cacheKey for and stores the authority information in cache
+     * @param state
+     * @param authority
+     */
+    setAuthorityCache(authority: string, state: string): void {
+        // Cache authorityKey
+        const authorityKey = this.generateAuthorityKey(state);
+        this.setItem(authorityKey, authority);
+    }
+
+    /**
+     * Updates account, authority, and state in cache
+     * @param serverAuthenticationRequest
+     * @param account
+     */
+    updateCacheEntries(state: string, nonce: string, authorityInstance: string): void {
+        // Cache the request state
+        this.setItem(TemporaryCacheKeys.REQUEST_STATE, state);
+
+        // Cache the nonce
+        this.setItem(this.generateNonceKey(state), nonce);
+
+        // Cache authorityKey
+        this.setAuthorityCache(authorityInstance, state);
+    }
+
+    /**
+     * Reset all temporary cache items
+     * @param state
+     */
+    resetRequestCache(state: string): void {
+        // check state and remove associated cache items
+        this.getKeys().forEach(key => {
+            if (!StringUtils.isEmpty(state) && key.indexOf(state) !== -1) {
+                const splitKey = key.split(Constants.RESOURCE_DELIM);
+                const keyState = splitKey.length > 1 ? splitKey[splitKey.length-1]: null;
+                if (keyState === state) {
+                    this.removeItem(key);
+                }
+            }
+        });
+
+        // delete generic interactive request parameters
+        this.removeItem(TemporaryCacheKeys.REQUEST_STATE);
+        this.removeItem(TemporaryCacheKeys.REQUEST_PARAMS);
+        this.removeItem(TemporaryCacheKeys.ORIGIN_URI);
+    }
+
+    cleanRequest(): void {
+        // Interaction is completed - remove interaction status.
+        this.removeItem(BrowserConstants.INTERACTION_STATUS_KEY);
+        const cachedState = this.getItem(TemporaryCacheKeys.REQUEST_STATE);
+        this.resetRequestCache(cachedState || "");
+    }
+
+    cacheCodeRequest(authCodeRequest: AuthorizationCodeRequest, browserCrypto: ICrypto): void {
+        this.setItem(TemporaryCacheKeys.REQUEST_PARAMS, browserCrypto.base64Encode(JSON.stringify(authCodeRequest)));
+    }
+
+    /**
+     * Gets the token exchange parameters from the cache. Throws an error if nothing is found.
+     */
+    getCachedRequest(state: string, browserCrypto: ICrypto): AuthorizationCodeRequest {
+        try {
+            // Get token request from cache and parse as TokenExchangeParameters.
+            const encodedTokenRequest = this.getItem(TemporaryCacheKeys.REQUEST_PARAMS);
+            const parsedRequest = JSON.parse(browserCrypto.base64Decode(encodedTokenRequest)) as AuthorizationCodeRequest;
+            this.removeItem(TemporaryCacheKeys.REQUEST_PARAMS);
+            // Get cached authority and use if no authority is cached with request.
+            if (StringUtils.isEmpty(parsedRequest.authority)) {
+                const authorityKey: string = this.generateAuthorityKey(state);
+                const cachedAuthority: string = this.getItem(authorityKey);
+                parsedRequest.authority = cachedAuthority;
+            }
+            return parsedRequest;
+        } catch (err) {
+            throw BrowserAuthError.createTokenRequestCacheError(err);
+        }
+    }
+
+    /*
+     *  Dummy implementation for interface compat - will change after BrowserCacheMigration
+     * @param key
+     * @param value
+     * @param type
+     */
+    setItemInMemory(key: string, value: object, type?: string): void {
+        if (key && value && type)
+            return;
+    }
+
+    /**
+     *  Dummy implementation for interface compat - will change after BrowserCacheMigration
+     * @param key
+     * @param type
+     */
+    getItemFromMemory(key: string, type?: string): object {
+        return key && type ? {} : {};
+    };
+
+    /**
+     * Dummy implementation for interface compat - will change after BrowserCacheMigration
+     * @param key
+     * @param type
+     */
+    removeItemFromMemory(key: string, type?: string): boolean {
+        return key && type ? true : false;
+    };
 }

lib/msal-browser/src/cache/BrowserStorage.ts

@@ -2,7 +2,7 @@
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
  */
-import { SystemOptions, LoggerOptions, INetworkModule, LogLevel, DEFAULT_SYSTEM_OPTIONS } from "@azure/msal-common";
+import { SystemOptions, LoggerOptions, INetworkModule, LogLevel, DEFAULT_SYSTEM_OPTIONS, Constants } from "@azure/msal-common";
 import { BrowserUtils } from "../utils/BrowserUtils";
 import { BrowserConstants } from "../utils/BrowserConstants";
 
@@ -64,7 +64,7 @@ export type Configuration = {
 // Default auth options for browser
 const DEFAULT_AUTH_OPTIONS: BrowserAuthOptions = {
     clientId: "",
-    authority: null,
+    authority: `${Constants.DEFAULT_AUTHORITY}/`,
     knownAuthorities: [],
     redirectUri: () => BrowserUtils.getCurrentUri(),
     postLogoutRedirectUri: () => BrowserUtils.getCurrentUri(),

lib/msal-browser/src/config/Configuration.ts

@@ -71,7 +71,11 @@ export const BrowserAuthErrorMessage = {
     silentPromptValueError: {
         code: "silent_prompt_value_error",
         desc: "The value given for the prompt value is not valid for silent requests - must be set to 'none'."
-    }
+    },
+    tokenRequestCacheError: {
+        code: "token_request_cache_error",
+        desc: "The token request could not be fetched from the cache correctly."
+    },
 };
 
 /**
@@ -215,4 +219,13 @@ export class BrowserAuthError extends AuthError {
     static createSilentPromptValueError(givenPrompt: string): BrowserAuthError {
         return new BrowserAuthError(BrowserAuthErrorMessage.silentPromptValueError.code, `${BrowserAuthErrorMessage.silentPromptValueError.desc} Given value: ${givenPrompt}`);
     }
+
+    /**
+     * Creates an error thrown when the token request could not be retrieved from the cache
+     * @param errDetail
+     */
+    static createTokenRequestCacheError(errDetail: string): BrowserAuthError {
+        return new BrowserAuthError(BrowserAuthErrorMessage.tokenRequestCacheError.code,
+            `${BrowserAuthErrorMessage.tokenRequestCacheError.desc} Error Detail: ${errDetail}`);
+    }
 }

lib/msal-browser/src/error/BrowserAuthError.ts

@@ -12,10 +12,8 @@ export type { AuthCallback } from "./types/AuthCallback";
 // Common Object Formats
 export {
     // Request
-    AuthenticationParameters,
-    TokenExchangeParameters,
+    TokenRenewParameters,
     // Response
-    AuthResponse,
     TokenResponse,
     // Error
     InteractionRequiredAuthError,

lib/msal-browser/src/index.ts

@@ -2,9 +2,10 @@
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
  */
-import { SPAClient, TokenResponse, StringUtils } from "@azure/msal-common";
+import { SPAClient, TokenResponse, StringUtils, AuthorizationCodeRequest, ProtocolUtils } from "@azure/msal-common";
 import { BrowserStorage } from "../cache/BrowserStorage";
 import { BrowserAuthError } from "../error/BrowserAuthError";
+import { TemporaryCacheKeys } from "../utils/BrowserConstants";
 
 /**
  * Abstract class which defines operations for a browser interaction handling class.
@@ -13,6 +14,7 @@ export abstract class InteractionHandler {
 
     protected authModule: SPAClient;
     protected browserStorage: BrowserStorage;
+    protected authCodeRequest: AuthorizationCodeRequest;
 
     constructor(authCodeModule: SPAClient, storageImpl: BrowserStorage) {
         this.authModule = authCodeModule;
@@ -23,7 +25,7 @@ export abstract class InteractionHandler {
      * Function to enable user interaction.
      * @param requestUrl
      */
-    abstract initiateAuthRequest(requestUrl: string): Window | Promise<HTMLIFrameElement>;
+    abstract initiateAuthRequest(requestUrl: string, authCodeRequest: AuthorizationCodeRequest): Window | Promise<HTMLIFrameElement>;
 
     /**
      * Function to handle response parameters from hash.
@@ -35,10 +37,23 @@ export abstract class InteractionHandler {
             throw BrowserAuthError.createEmptyHashError(locationHash);
         }
 
+        // Get cached items
+        const requestState = this.browserStorage.getItem(TemporaryCacheKeys.REQUEST_STATE);
+        const cachedNonceKey = this.browserStorage.generateNonceKey(requestState);
+        const cachedNonce = this.browserStorage.getItem(cachedNonceKey);
+
         // Handle code response.
-        const codeResponse = this.authModule.handleFragmentResponse(locationHash);
-        
+        const authCode = this.authModule.handleFragmentResponse(locationHash, requestState);
+
+        // Assign code to request
+        this.authCodeRequest.code = authCode;
+
+        // Extract user state.
+        const userState = ProtocolUtils.getUserRequestState(requestState);
+
         // Acquire token with retrieved code.
-        return this.authModule.acquireToken(codeResponse);
+        const tokenResponse = await this.authModule.acquireToken(this.authCodeRequest, userState, cachedNonce);
+        this.browserStorage.cleanRequest();
+        return tokenResponse;
     }
 }

lib/msal-browser/src/interaction_handler/InteractionHandler.ts

@@ -2,7 +2,7 @@
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
  */
-import { UrlString, StringUtils, Constants, SPAClient } from "@azure/msal-common";
+import { UrlString, StringUtils, Constants, SPAClient, AuthorizationCodeRequest } from "@azure/msal-common";
 import { InteractionHandler } from "./InteractionHandler";
 import { BrowserAuthError } from "../error/BrowserAuthError";
 import { BrowserConstants } from "../utils/BrowserConstants";
@@ -27,9 +27,11 @@ export class PopupHandler extends InteractionHandler {
      * Opens a popup window with given request Url.
      * @param requestUrl
      */
-    initiateAuthRequest(requestUrl: string): Window {
+    initiateAuthRequest(requestUrl: string, authCodeRequest: AuthorizationCodeRequest): Window {
         // Check that request url is not empty.
         if (!StringUtils.isEmpty(requestUrl)) {
+            // Save auth code request
+            this.authCodeRequest = authCodeRequest;
             // Set interaction status in the library.
             this.browserStorage.setItem(BrowserConstants.INTERACTION_STATUS_KEY, BrowserConstants.INTERACTION_IN_PROGRESS_VALUE);
             this.authModule.logger.infoPii("Navigate to:" + requestUrl);
@@ -150,8 +152,7 @@ export class PopupHandler extends InteractionHandler {
      * Event callback to unload main window.
      */
     unloadWindow(e: Event): void {
-        this.authModule.cancelRequest();
-        this.browserStorage.removeItem(BrowserConstants.INTERACTION_STATUS_KEY);
+        this.browserStorage.cleanRequest();
         this.currentWindow.close();
         // Guarantees browser unload will happen, so no other errors will be thrown.
         delete e["returnValue"];

lib/msal-browser/src/interaction_handler/PopupHandler.ts

@@ -2,10 +2,10 @@
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
  */
-import { StringUtils, TemporaryCacheKeys, TokenResponse } from "@azure/msal-common";
+import { StringUtils, TokenResponse, AuthorizationCodeRequest, ICrypto, ProtocolUtils } from "@azure/msal-common";
 import { InteractionHandler } from "./InteractionHandler";
 import { BrowserAuthError } from "../error/BrowserAuthError";
-import { BrowserConstants } from "../utils/BrowserConstants";
+import { BrowserConstants, TemporaryCacheKeys } from "../utils/BrowserConstants";
 import { BrowserUtils } from "../utils/BrowserUtils";
 
 export class RedirectHandler extends InteractionHandler {
@@ -14,12 +14,13 @@ export class RedirectHandler extends InteractionHandler {
      * Redirects window to given URL.
      * @param urlNavigate
      */
-    initiateAuthRequest(requestUrl: string): Window {
+    initiateAuthRequest(requestUrl: string, authCodeRequest: AuthorizationCodeRequest, browserCrypto?: ICrypto): Window {
         // Navigate if valid URL
         if (!StringUtils.isEmpty(requestUrl)) {
             // Set interaction status in the library.
             this.browserStorage.setItem(TemporaryCacheKeys.ORIGIN_URI, BrowserUtils.getCurrentUri());
             this.browserStorage.setItem(BrowserConstants.INTERACTION_STATUS_KEY, BrowserConstants.INTERACTION_IN_PROGRESS_VALUE);
+            this.browserStorage.cacheCodeRequest(authCodeRequest, browserCrypto);
             this.authModule.logger.infoPii("Navigate to:" + requestUrl);
             const isIframedApp = BrowserUtils.isInIframe();
             if (isIframedApp) {
@@ -41,19 +42,34 @@ export class RedirectHandler extends InteractionHandler {
      * Handle authorization code response in the window.
      * @param hash
      */
-    async handleCodeResponse(locationHash: string): Promise<TokenResponse> {
+    async handleCodeResponse(locationHash: string, browserCrypto?: ICrypto): Promise<TokenResponse> {
         // Check that location hash isn't empty.
         if (StringUtils.isEmpty(locationHash)) {
             throw BrowserAuthError.createEmptyHashError(locationHash);
         }
 
         // Interaction is completed - remove interaction status.
         this.browserStorage.removeItem(BrowserConstants.INTERACTION_STATUS_KEY);
+
+        // Get cached items
+        const requestState = this.browserStorage.getItem(TemporaryCacheKeys.REQUEST_STATE);
+        const cachedNonceKey = this.browserStorage.generateNonceKey(requestState);
+        const cachedNonce = this.browserStorage.getItem(cachedNonceKey);
+        this.authCodeRequest = this.browserStorage.getCachedRequest(requestState, browserCrypto);
+
         // Handle code response.
-        const codeResponse = this.authModule.handleFragmentResponse(locationHash);
+        const authCode = this.authModule.handleFragmentResponse(locationHash, requestState);
+        this.authCodeRequest.code = authCode;
+
         // Hash was processed successfully - remove from cache
         this.browserStorage.removeItem(TemporaryCacheKeys.URL_HASH);
+
+        // Extract user state.
+        const userState = ProtocolUtils.getUserRequestState(requestState);
+
         // Acquire token with retrieved code.
-        return this.authModule.acquireToken(codeResponse);
+        const tokenResponse = await this.authModule.acquireToken(this.authCodeRequest, userState, cachedNonce);
+        this.browserStorage.cleanRequest();
+        return tokenResponse;
     }
 }