@azure/msal-common package

Classes

AuthError

General error class thrown by the MSAL.js library.

AuthenticationHeaderParser

This is a helper class that parses supported HTTP response authentication headers to extract and return header challenge values that can be used outside the basic authorization flows.

CacheError

Error thrown when there is an error with the cache

ClientAuthError

Error thrown when there is an error in the client code running on the browser.

ClientConfigurationError

Error thrown when there is an error in configuration of the MSAL.js library.

InteractionRequiredAuthError

Error thrown when user interaction is required.

Logger

Class which facilitates logging of messages to a specific place.

NetworkError

Represents network related errors

PerformanceClient
ProtocolUtils

Class which provides helpers for OAuth 2.0 protocol specific values

ScopeSet

The ScopeSet class creates a set of scopes. Scopes are case-insensitive, unique values, so the Set object in JS makes the most sense to implement for this class. All scopes are trimmed and converted to lower case strings in intersection and union functions to ensure uniqueness of strings.

ServerError

Error thrown when there is an error with the server code, for example, unavailability.

StubPerformanceClient
UrlString

Url object class which can perform various transformations on url strings.

TokenCacheContext

This class instance helps track the memory changes facilitating decisions to read from and write to the persistent cache

Interfaces

ICrypto

Interface for crypto functions used by library

ILoggerCallback
INetworkModule

Client network interface to send backend requests.

IPerformanceClient
IPerformanceMeasurement
IUri

Interface which describes URI components.

PreQueueEvent
IAppTokenProvider
ICachePlugin
IGuidGenerator
INativeBrokerPlugin
ISerializableTokenCache

Type Aliases

AADAuthorityConstants
AccessTokenEntity

Access token cache type

AccountFilter

Account: <home_account_id>-<environment>-<realm*>

AccountInfo

Account object with the following signature:

  • homeAccountId - Home account identifier for this account object
  • environment - Entity which issued the token represented by the domain of the issuer (e.g. login.microsoftonline.com)
  • tenantId - Full tenant or organizational id that this account belongs to
  • username - preferred_username claim of the id_token that represents this account
  • localAccountId - Local, tenant-specific account identifier for this account object, usually used in legacy cases
  • name - Full name for the account, including given name and family name
  • idToken - raw ID token
  • idTokenClaims - Object contains claims from ID token
  • nativeAccountId - The user's native account ID
  • tenantProfiles - Map of tenant profile objects for each tenant that the account has authenticated with in the browser
  • dataBoundary - Data boundary extracted from clientInfo
ActiveAccountFilters
AppMetadataEntity

App Metadata Cache Type

ApplicationTelemetry

Telemetry information sent on request

  • appName: Unique string name of an application
  • appVersion: Version of the application using MSAL
AuthenticationResult

Result returned from the authority's token endpoint.

  • uniqueId - oid or sub claim from ID token
  • tenantId - tid claim from ID token
  • scopes - Scopes that are validated for the respective token
  • account - An account object representation of the currently signed-in user
  • idToken - Id token received as part of the response
  • idTokenClaims - MSAL-relevant ID token claims
  • accessToken - Access token or SSH certificate received as part of the response
  • fromCache - Boolean denoting whether token came from cache
  • expiresOn - JavaScript Date object representing relative expiration of access token
  • extExpiresOn - JavaScript Date object representing extended relative expiration of access token in case of server outage
  • refreshOn - JavaScript Date object representing relative time until an access token must be refreshed
  • state - Value passed in by user in request
  • familyId - Family ID identifier, usually only used for refresh tokens
  • requestId - Request ID returned as part of the response
AuthenticationScheme
AuthorityOptions
AuthorityType
AuthorizationCodePayload

Response returned after processing the code response query string or fragment.

AuthorizeResponse

Response properties that may be returned by the /authorize endpoint

AzureCloudInstance
AzureCloudOptions

AzureCloudInstance specific options

  • azureCloudInstance - string enum providing short notation for sovereign and public cloud authorities
  • tenant - provision to provide the tenant info
AzureRegion
AzureRegionConfiguration
BaseAuthRequest

BaseAuthRequest

  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. Defaults to https://login.microsoftonline.com/common. If using the same authority for all requests, authority should be set on the client application object and not on the request, to avoid resolving authority endpoints multiple times.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • scopes - Array of scopes the application is requesting access to.
  • authenticationScheme - The type of token retrieved. Defaults to "Bearer". Can also be type "pop" or "SSH".
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • shrClaims - A stringified claims object which will be added to a Signed HTTP Request
  • shrNonce - A server-generated timestamp that has been encrypted and base64URL encoded, which will be added to a Signed HTTP Request.
  • shrOptions - An object containing options for the Signed HTTP Request
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • sshJwk - A stringified JSON Web Key representing a public key that can be signed by an SSH certificate.
  • sshKid - Key ID that uniquely identifies the SSH public key mentioned above.
  • azureCloudOptions - Convenience string enums for users to provide public/sovereign cloud ids
  • requestedClaimsHash - SHA 256 hash string of the requested claims string, used as part of an access token cache key so tokens can be filtered by requested claims
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • tokenBodyParameters - String to string map of custom parameters added to the body of the /token call
  • storeInCache - Object containing boolean values indicating whether to store tokens in the cache or not (default is true)
  • scenarioId - Scenario id to track custom user prompts
  • popKid - Key ID to identify the public key for PoP token request
  • embeddedClientId - Embedded client id. When specified, broker client id (brk_client_id) and redirect uri (brk_redirect_uri) params are set with values from the config, overriding the corresponding extra parameters, if present.
  • httpMethod - HTTP method to use for the /authorize request. Defaults to GET, but can be set to POST if the request requires body parameters
  • authorizePostBodyParameters - String to string map of custom parameters added to the body of the /authorize call when httpMethod is set to POST
CacheAccountType
CacheOptions

Use this to configure credential cache preferences in the ClientConfiguration object

  • claimsBasedCachingEnabled - Sets whether tokens should be cached based on the claims hash. Default is false.
CacheOutcome
CacheType
CcsCredential
CcsCredentialType
ClaimsRequestKeys
ClientInfo

Client info object which consists of: uid (user id), utid (tenant id), xms_tdbr (optional, only for non-US tenants)

CommonAuthorizationCodeRequest

Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow)

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on the client application object, this will override that value. Overriding the value will cause authority validation to happen each time. If the same authority will be used for all requests, set it on the application object instead of the requests.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal
  • code - The authorization_code that the user acquired in the first leg of the flow.
  • codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • enableSpaAuthCode - Enables the acquisition of a SPA authorization code (confidential clients only)
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
CommonAuthorizationUrlRequest

Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow)

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
  • codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
  • codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single sign-on. none: will ensure that the user isn't presented with any interactive prompt; if the request can't be completed via single sign-on, the endpoint will return an interaction_required error. consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. select_account: will interrupt single sign-on, providing an account selection experience listing all the accounts in session or any remembered accounts, or an option to choose to use a different account. create: will direct the user to the account creation experience instead of the log in experience. no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
CommonEndSessionRequest

CommonEndSessionRequest

  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
  • postLogoutRedirectUri - URI to navigate to after logout page.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • idTokenHint - ID Token used by B2C to validate logout if required by the policy
  • state - A value included in the request to the logout endpoint which will be returned in the query string upon post logout redirection
  • logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
CommonRefreshTokenRequest

CommonRefreshTokenRequest

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • refreshToken - A refresh token returned from a previous request to the Identity provider.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • forceCache - Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
CommonSilentFlowRequest

SilentFlow parameters passed by the user to retrieve credentials silently

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • account - Account entity to lookup the credentials.
  • forceRefresh - Forces silent requests to make network calls if true.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
CredentialEntity

Credential Cache Type

CredentialFilter

Credential: <home_account_id*>-<environment>-<credential_type>-<client_id>-<realm*>-<target*>-<scheme*>

CredentialType
EncodingTypes
ExternalTokenResponse

Response object used for loading external tokens to cache.

  • token_type: Indicates the token type value. The only type that Azure AD supports is Bearer.
  • scope: The scopes that the access_token is valid for.
  • expires_in: How long the access token is valid (in seconds).
  • id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
  • refresh_token: An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires.
  • access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
  • client_info: Client info object
GrantType
HeaderNames
HttpMethod
HttpStatus
IdTokenEntity

Id Token Cache Type

InProgressPerformanceEvent
JsonWebTokenTypes
LibraryStateObject

Type which defines the object that is stringified, encoded and sent in the state value. Contains the following:

  • id - unique identifier for this request
  • ts - timestamp for the time the request was made. Used to ensure that token expiration is not calculated incorrectly.
  • platformState - string value sent from the platform.
LoggerOptions

Use this to configure the logging that MSAL does, by configuring logger options in the Configuration object

  • loggerCallback - Callback for logger
  • piiLoggingEnabled - Sets whether pii logging is enabled
  • logLevel - Sets the level at which logging happens
  • correlationId - Sets the correlationId printed by the logger
NetworkRequestOptions

Options allowed by network request APIs.

NetworkResponse
OAuthResponseType
OIDCOptions

Options for the OIDC protocol mode.

PasswordGrantConstants
PerformanceCallbackFunction
PerformanceEvent

Performance measurement taken by the library, including metadata about the request and application.

PersistentCacheKeys
PkceCodes

The PkceCodes type describes the structure of objects that contain PKCE code challenge and verifier pairs

ProtocolMode
QueueMeasurement

Queue measurement type

RefreshTokenEntity

Refresh Token Cache Type

RequestStateObject

Type which defines the stringified and encoded object sent to the service in the authorize request.

RequestThumbprint

Type representing a unique request thumbprint.

ResponseMode
ServerAuthorizationTokenResponse

Deserialized response object from server authorization code request.

  • token_type: Indicates the token type value. Can be either Bearer or pop.
  • scope: The scopes that the access_token is valid for.
  • expires_in: How long the access token is valid (in seconds).
  • refresh_in: Duration after which a token should be renewed, regardless of expiration.
  • ext_expires_in: How long the access token is valid (in seconds) if the server isn't responding.
  • access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
  • refresh_token: An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires.
  • id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
  • key_id: A string that uniquely identifies a public key that the request is bound to.

In case of error:

  • error: An error code string that can be used to classify types of errors that occur, and can be used to react to errors.
  • error_description: A specific error message that can help a developer identify the root cause of an authentication error.
  • error_codes: A list of STS-specific error codes that can help in diagnostics.
  • timestamp: The time at which the error occurred.
  • trace_id: A unique identifier for the request that can help in diagnostics.
  • correlation_id: A unique identifier for the request that can help in diagnostics across components.
  • status: the network request's response status
ServerResponseType
ServerTelemetryEntity
ServerTelemetryRequest
ShrOptions
SignedHttpRequest
SignedHttpRequestParameters
StaticAuthorityOptions
StoreInCache

Controls whether tokens should be stored in the cache or not. If set to false, tokens may still be acquired and returned but will not be cached for later retrieval.

StringDict

Key-Value type to support queryParams, extraQueryParams and claims

SubMeasurement
SystemOptions

Use this to configure token renewal info in the Configuration object

  • tokenRenewalOffsetSeconds - Sets the window of offset needed to renew the token before expiry
TenantProfile

Account details that vary across tenants for the same user

ThrottlingEntity
TokenClaims

Type which describes Id Token claims known by MSAL.

TokenKeys
AppTokenProviderParameters

Input object for the IAppTokenProvider extensibility. MSAL will create this object, which can be used to help create an AppTokenProviderResult.

  • correlationId - the correlation Id associated with the request
  • tenantId - the tenant Id for which the token must be provided
  • scopes - the scopes for which the token must be provided
  • claims - any extra claims that the token must satisfy
AppTokenProviderResult

Output object for IAppTokenProvider extensibility.

  • accessToken - the actual access token, typically in JWT format, that satisfies the request data AppTokenProviderParameters
  • expiresInSeconds - how long the token has before expiry, in seconds. Similar to the "expires_in" field in an AAD token response.
  • refreshInSeconds - how long the token has before it should be proactively refreshed. Similar to the "refresh_in" field in an AAD token response.
ClientAssertion

Client Assertion credential for Confidential Clients

ClientAssertionCallback
ClientAssertionConfig
CommonClientCredentialRequest

CommonClientCredentialRequest

  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • skipCache - Skip token cache lookup and force request to authority to get a new token. Defaults to false.
  • preferredAzureRegionOptions - Options of the user's preferred azure region
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
CommonDeviceCodeRequest

Parameters for OAuth2 device code flow.

  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on the client application object, this will override that value. Overriding the value will cause authority validation to happen each time. If the same authority will be used for all requests, set it on the application object instead of the requests.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials.
  • cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the token endpoint of the security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • timeout - Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period, assuming the device code has not expired yet, the device code polling is stopped and the request cancelled. The device code expiration window will always take precedence over this set period.
  • extraQueryParameters - String to string map of custom query parameters added to the query string
CommonOnBehalfOfRequest
  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • oboAssertion - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
  • skipCache - Skip token cache lookup and force request to authority to get a new token. Defaults to false.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
CommonUsernamePasswordRequest

CommonUsernamePassword parameters passed by the user to retrieve credentials. Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing.

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • username - username of the client
  • password - credentials
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
DeviceCodeResponse

DeviceCode returned by the security token service device code endpoint containing information necessary for device code flow.

  • userCode: code which user needs to provide when authenticating at the verification URI
  • deviceCode: code which should be included in the request for the access token
  • verificationUri: URI where user can authenticate
  • expiresIn: expiration time of the device code in seconds
  • interval: interval at which the STS should be polled
  • message: message which should be displayed to the user
NativeRequest
NativeSignOutRequest
ServerDeviceCodeResponse

Enums

LogLevel

Log message level.

PerformanceEventStatus

State of the performance event.

PerformanceEvents

Enumeration of operations that are instrumented to have their performance measured by the PerformanceClient.

Functions

buildAccountToCache(CacheManager, Authority, string, (input: string) => string, string, TokenClaims, string, string, null | string, AuthorizationCodePayload, string, Logger)
buildClientInfo(string, (input: string) => string)

Function to build a client info object from server clientInfo string

buildClientInfoFromHomeAccountId(string)

Function to build a client info object from cached homeAccountId string

buildStaticAuthorityOptions(Partial<AuthorityOptions>)
buildTenantProfile(string, string, string, TokenClaims)

Build tenant profile

createAuthError(string, string)
createCacheError(unknown)

Helper function to wrap browser errors in a CacheError object

createClientAuthError(string, string)
createClientConfigurationError(string)
createInteractionRequiredAuthError(string)

Creates an InteractionRequiredAuthError

createNetworkError(AuthError, number, Record<string, string>, Error)

Creates NetworkError object for a failed network request

formatAuthorityUri(string)
getRequestThumbprint(string, BaseAuthRequest, string)
getTenantIdFromIdTokenClaims(TokenClaims)

Gets tenantId from available ID token claims to set as credential realm with the following precedence:

  1. tid - if the token is acquired from an Azure AD tenant tid will be present
  2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
  3. acr - if the token is acquired from a legacy B2C tenant acr should be present

Downcased to match the realm case-insensitive comparison requirements.

tenantIdMatchesHomeTenant(string, string)

Returns true if tenantId matches the utid portion of homeAccountId

updateAccountTenantProfileData(AccountInfo, TenantProfile, TokenClaims, string)

Replaces account info that varies by tenant profile sourced from the ID token claims passed in with the tenant-specific account info

Function Details

buildAccountToCache(CacheManager, Authority, string, (input: string) => string, string, TokenClaims, string, string, null | string, AuthorizationCodePayload, string, Logger)

function buildAccountToCache(cacheStorage: CacheManager, authority: Authority, homeAccountId: string, base64Decode: (input: string) => string, correlationId: string, idTokenClaims?: TokenClaims, clientInfo?: string, environment?: string, claimsTenantId?: null | string, authCodePayload?: AuthorizationCodePayload, nativeAccountId?: string, logger?: Logger): AccountEntity

Parameters

cacheStorage

CacheManager

authority

Authority

homeAccountId

string

base64Decode

(input: string) => string

correlationId

string

idTokenClaims
TokenClaims
clientInfo

string

environment

string

claimsTenantId

null | string

authCodePayload
AuthorizationCodePayload
nativeAccountId

string

logger
Logger

Returns

AccountEntity

buildClientInfo(string, (input: string) => string)

Function to build a client info object from server clientInfo string

function buildClientInfo(rawClientInfo: string, base64Decode: (input: string) => string): ClientInfo

Parameters

rawClientInfo

string

base64Decode

(input: string) => string

Returns

buildClientInfoFromHomeAccountId(string)

Function to build a client info object from cached homeAccountId string

function buildClientInfoFromHomeAccountId(homeAccountId: string): ClientInfo

Parameters

homeAccountId

string

Returns

buildStaticAuthorityOptions(Partial<AuthorityOptions>)

function buildStaticAuthorityOptions(authOptions: Partial<AuthorityOptions>): StaticAuthorityOptions

Parameters

authOptions

Partial<AuthorityOptions>

Returns

buildTenantProfile(string, string, string, TokenClaims)

Build tenant profile

function buildTenantProfile(homeAccountId: string, localAccountId: string, tenantId: string, idTokenClaims?: TokenClaims): TenantProfile

Parameters

homeAccountId

string

Home account identifier for this account object

localAccountId

string

Local account identifier for this account object

tenantId

string

Full tenant or organizational id that this account belongs to

idTokenClaims
TokenClaims

Claims from the ID token

Returns

createAuthError(string, string)

function createAuthError(code: string, additionalMessage?: string): AuthError

Parameters

code

string

additionalMessage

string

Returns

createCacheError(unknown)

Helper function to wrap browser errors in a CacheError object

function createCacheError(e: unknown): CacheError

Parameters

e

unknown

Returns

createClientAuthError(string, string)

function createClientAuthError(errorCode: string, additionalMessage?: string): ClientAuthError

Parameters

errorCode

string

additionalMessage

string

Returns

createClientConfigurationError(string)

function createClientConfigurationError(errorCode: string): ClientConfigurationError

Parameters

errorCode

string

Returns

createInteractionRequiredAuthError(string)

Creates an InteractionRequiredAuthError

function createInteractionRequiredAuthError(errorCode: string): InteractionRequiredAuthError

Parameters

errorCode

string

Returns

createNetworkError(AuthError, number, Record<string, string>, Error)

Creates NetworkError object for a failed network request

function createNetworkError(error: AuthError, httpStatus?: number, responseHeaders?: Record<string, string>, additionalError?: Error): NetworkError

Parameters

error
AuthError

Error to be thrown back to the caller

httpStatus

number

Status code of the network request

responseHeaders

Record<string, string>

Response headers of the network request, when available

additionalError

Error

Returns

NetworkError object

formatAuthorityUri(string)

function formatAuthorityUri(authorityUri: string): string

Parameters

authorityUri

string

Returns

string

getRequestThumbprint(string, BaseAuthRequest, string)

function getRequestThumbprint(clientId: string, request: BaseAuthRequest, homeAccountId?: string): RequestThumbprint

Parameters

clientId

string

request
BaseAuthRequest
homeAccountId

string

Returns

getTenantIdFromIdTokenClaims(TokenClaims)

Gets tenantId from available ID token claims to set as credential realm with the following precedence:

  1. tid - if the token is acquired from an Azure AD tenant tid will be present
  2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
  3. acr - if the token is acquired from a legacy B2C tenant acr should be present

Downcased to match the realm case-insensitive comparison requirements.

function getTenantIdFromIdTokenClaims(idTokenClaims?: TokenClaims): string | null

Parameters

idTokenClaims
TokenClaims

Returns

string | null

tenantIdMatchesHomeTenant(string, string)

Returns true if tenantId matches the utid portion of homeAccountId

function tenantIdMatchesHomeTenant(tenantId?: string, homeAccountId?: string): boolean

Parameters

tenantId

string

homeAccountId

string

Returns

boolean

updateAccountTenantProfileData(AccountInfo, TenantProfile, TokenClaims, string)

Replaces account info that varies by tenant profile sourced from the ID token claims passed in with the tenant-specific account info

function updateAccountTenantProfileData(baseAccountInfo: AccountInfo, tenantProfile?: TenantProfile, idTokenClaims?: TokenClaims, idTokenSecret?: string): AccountInfo

Parameters

baseAccountInfo
AccountInfo
tenantProfile
TenantProfile
idTokenClaims
TokenClaims
idTokenSecret

string

Returns