Merge branch 'authority-metadata-openid-perf' of https://github.com/A…

…zureAD/microsoft-authentication-library-for-js into cloud-discovery
AzureAD · tnorling · Jun 15, 2020 · May 1, 2020 · May 13, 2020 · May 19, 2020
commit c75b9614270499a841bd8afe7d5322e629d1c73e
diff --git a/lib/msal-core/docs/performance.md b/lib/msal-core/docs/performance.md
@@ -0,0 +1,28 @@
+# Performance
+
+This document will outline techniques your application can use to improve the performance of acquire tokens using MSAL.js.
+
+## Bypass authority metadata resolution
+
+By default, during the process of retrieving a token MSAL.js will make two network requests to retrieve metadata from the authority configured for the request. If you would like to skip those network requests, you can provide the required metadata in the configuration of `UserAgentApplication`.
+
+**Important:** It is your application's responsibility to ensure it is using correct, up-to-date authority metadata. Failure to do so may result in your application not working correctly.
+
+Instructions:
+
+1. Determine the authorize endpoint for your authority. For example, if you are using `https://login.microsoftonline.com/common/`, the authorize endpoint is `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`.
+2. Determine the instance discovery endpoint for your authority. The instance discovery API is located at `https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint={authorizeEndpoint}`. If you are using the `common` endpoint, this url is `https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize`.
+3. Make a request to the instance discovery endpoint.
+4. Parse the `tenant_discovery_endpoint` property from the response.
+5. Make a request to the url for the `tenant_discovery_endpoint` property.
+6. Take the **entire** response and provide the raw JSON string as the `auth.authorityMetadata` property for `UserAgentApplication`. It can also be passed per-request as a part of `AuthenticationParameters`.
+
+Example:
+
+```js
+const msalInstance = new msal.UserAgentApplication({
+    auth: {
+        authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}'
+    }
+});
+```
@@ -220,7 +220,7 @@ export class UserAgentApplication {
         this.telemetryManager = this.getTelemetryManagerFromConfig(this.config.system.telemetry, this.clientId);
 
         AuthorityFactory.setKnownAuthorities(this.config.auth.validateAuthority, this.config.auth.knownAuthorities, this.telemetryManager);
-        AuthorityFactory.parseAuthorityMetadata(this.config.auth.authority, this.config.auth.authorityMetadata);
+        AuthorityFactory.saveMetadataFromConfig(this.config.auth.authority, this.config.auth.authorityMetadata);
 
         // if no authority is passed, set the default: "https://login.microsoftonline.com/common"
         this.authority = this.config.auth.authority || DEFAULT_AUTHORITY;
@@ -518,7 +518,7 @@ export class UserAgentApplication {
         try {
             if (!acquireTokenAuthority.hasCachedMetadata()) {
                 this.logger.verbose("No cached metadata for authority");
-                await AuthorityFactory.resolveAuthorityAsync(acquireTokenAuthority, this.telemetryManager, request.correlationId);
+                await AuthorityFactory.saveMetadataFromNetwork(acquireTokenAuthority, this.telemetryManager, request.correlationId);
             } else {
                 this.logger.verbose("Cached metadata found for authority");
             }
@@ -748,18 +748,21 @@ export class UserAgentApplication {
                     serverAuthenticationRequest.authorityInstance = request.authority ? AuthorityFactory.CreateInstance(request.authority, this.config.auth.validateAuthority, request.authorityMetadata) : this.authorityInstance;
                 }
 
+                this.logger.verbosePii(`Authority instance: ${serverAuthenticationRequest.authority}`);
+
                 try {
                     if (!serverAuthenticationRequest.authorityInstance.hasCachedMetadata()) {
                         this.logger.verbose("No cached metadata for authority");
-                        await AuthorityFactory.resolveAuthorityAsync(serverAuthenticationRequest.authorityInstance, this.telemetryManager, request.correlationId);
+                        await AuthorityFactory.saveMetadataFromNetwork(serverAuthenticationRequest.authorityInstance, this.telemetryManager, request.correlationId);
+                        this.logger.verbose("Authority has been updated with endpoint discovery response");
                     } else {
                         this.logger.verbose("Cached metadata found for authority");
                     }
 
                     /*
-                    * refresh attempt with iframe
-                    * Already renewing for this scope, callback when we get the token.
-                    */
+                     * refresh attempt with iframe
+                     * Already renewing for this scope, callback when we get the token.
+                     */
                     if (window.activeRenewals[requestSignature]) {
                         this.logger.verbose("Renew token for scope and authority: " + requestSignature + " is in progress. Registering callback");
                         // Active renewals contains the state for each renewal.
@@ -768,15 +771,15 @@ export class UserAgentApplication {
                     else {
                         if (request.scopes && request.scopes.indexOf(this.clientId) > -1 && request.scopes.length === 1) {
                             /*
-                            * App uses idToken to send to api endpoints
-                            * Default scope is tracked as clientId to store this token
-                            */
-                            this.logger.verbose("renewing idToken");
+                             * App uses idToken to send to api endpoints
+                             * Default scope is tracked as clientId to store this token
+                             */
+                            this.logger.verbose("Renewing idToken");
                             this.silentLogin = true;
                             this.renewIdToken(requestSignature, resolve, reject, account, serverAuthenticationRequest);
                         } else {
                             // renew access token
-                            this.logger.verbose("renewing accesstoken");
+                            this.logger.verbose("Renewing accesstoken");
                             this.renewToken(requestSignature, resolve, reject, account, serverAuthenticationRequest);
                         }
                     }
@@ -991,12 +994,12 @@ export class UserAgentApplication {
         try {
             if (!this.authorityInstance.hasCachedMetadata()) {
                 this.logger.verbose("No cached metadata for authority");
-                await AuthorityFactory.resolveAuthorityAsync(this.authorityInstance, this.telemetryManager, correlationId);
+                await AuthorityFactory.saveMetadataFromNetwork(this.authorityInstance, this.telemetryManager, correlationId);
             } else {
                 this.logger.verbose("Cached metadata found for authority");
             }
 
-            const correlationIdParam = `client-request-id=${requestCorrelationId}`
+            const correlationIdParam = `client-request-id=${requestCorrelationId}`;
 
             const postLogoutQueryParam = this.getPostLogoutRedirectUri()
                 ? `&post_logout_redirect_uri=${encodeURIComponent(this.getPostLogoutRedirectUri())}`

@@ -17,17 +17,17 @@ import HttpEvent from '../telemetry/HttpEvent';
 export class AuthorityFactory {
     private static metadataMap = new Map<string, ITenantDiscoveryResponse>();
 
-    public static async resolveAuthorityAsync(authorityInstance: Authority, telemetryManager: TelemetryManager, correlationId: string): Promise<ITenantDiscoveryResponse> {
+    public static async saveMetadataFromNetwork(authorityInstance: Authority, telemetryManager: TelemetryManager, correlationId: string): Promise<ITenantDiscoveryResponse> {
         const metadata = await authorityInstance.resolveEndpointsAsync(telemetryManager, correlationId);
         this.metadataMap.set(authorityInstance.CanonicalAuthority, metadata);
         return metadata;
     }
 
-    public static getAuthorityMetadata(authorityUrl: string) {
+    public static getMetadata(authorityUrl: string) {
         return this.metadataMap.get(authorityUrl);
     }
 
-    public static parseAuthorityMetadata(authorityUrl: string, authorityMetadataJson: string) {
+    public static saveMetadataFromConfig(authorityUrl: string, authorityMetadataJson: string) {
         try {
             if (authorityMetadataJson) {
                 const parsedMetadata = JSON.parse(authorityMetadataJson) as OpenIdConfiguration;
@@ -101,7 +101,7 @@ export class AuthorityFactory {
 
         if (authorityMetadata) {
             // todo: log statements
-            this.parseAuthorityMetadata(authorityUrl, authorityMetadata);
+            this.saveMetadataFromConfig(authorityUrl, authorityMetadata);
         }
 
         return new Authority(authorityUrl, validateAuthority, this.metadataMap.get(authorityUrl));

diff --git a/lib/msal-core/src/authority/ITenantDiscoveryResponse.ts b/lib/msal-core/src/authority/ITenantDiscoveryResponse.ts
@@ -19,4 +19,4 @@ export type OpenIdConfiguration = {
     authorization_endpoint: string,
     end_session_endpoint: string,
     issuer: string
-}
+};
@@ -60,15 +60,15 @@ describe("AuthorityFactory.ts Class", function () {
         expect(stubbedHostList).to.have.length(3);
     });
 
-    describe("parseAuthorityMetadata", () => {
+    describe("saveMetadataFromConfig", () => {
         it("does nothing if json is falsey", () => {
-            AuthorityFactory.parseAuthorityMetadata(TEST_CONFIG.validAuthority, "");
-            expect(AuthorityFactory.getAuthorityMetadata(TEST_CONFIG.validAuthority)).to.be.undefined;
+            AuthorityFactory.saveMetadataFromConfig(TEST_CONFIG.validAuthority, "");
+            expect(AuthorityFactory.getMetadata(TEST_CONFIG.validAuthority)).to.be.undefined;
         });
 
         it("throws if invalid json is provided", done => {
             try {
-                AuthorityFactory.parseAuthorityMetadata(TEST_CONFIG.validAuthority, "invalid-json");
+                AuthorityFactory.saveMetadataFromConfig(TEST_CONFIG.validAuthority, "invalid-json");
             } catch (e) {
                 expect(e).instanceOf(ClientConfigurationError);
                 expect((e as ClientConfigurationError).errorCode).to.equal("authority_metadata_error");
@@ -80,7 +80,7 @@ describe("AuthorityFactory.ts Class", function () {
 
         it("throws if json is missing required keys", done => {
             try {
-                AuthorityFactory.parseAuthorityMetadata(TEST_CONFIG.validAuthority, "{}");
+                AuthorityFactory.saveMetadataFromConfig(TEST_CONFIG.validAuthority, "{}");
             } catch (e) {
                 expect(e).instanceOf(ClientConfigurationError);
                 expect((e as ClientConfigurationError).errorCode).to.equal("authority_metadata_error");
@@ -91,9 +91,9 @@ describe("AuthorityFactory.ts Class", function () {
         });
 
         it("parses and stores metadata", () => {
-            AuthorityFactory.parseAuthorityMetadata(TEST_CONFIG.validAuthority, JSON.stringify(OPENID_CONFIGURATION));
+            AuthorityFactory.saveMetadataFromConfig(TEST_CONFIG.validAuthority, JSON.stringify(OPENID_CONFIGURATION));
 
-            expect(AuthorityFactory.getAuthorityMetadata(TEST_CONFIG.validAuthority)).to.deep.equal(TENANT_DISCOVERY_RESPONSE);
+            expect(AuthorityFactory.getMetadata(TEST_CONFIG.validAuthority)).to.deep.equal(TENANT_DISCOVERY_RESPONSE);
         });
     });
 });