Options
All
  • Public
  • Public/Protected
  • All
Menu

Module @azure/msal-common

Index

References

Enumerations

Classes

Interfaces

Type aliases

Variables

References

IdToken

Renames and exports AuthToken

IdTokenClaims

Renames and exports TokenClaims

Type aliases

AccessTokenCache

AccessTokenCache: Record<string, AccessTokenEntity>

AccountCache

AccountCache: Record<string, AccountEntity>

AccountInfo

AccountInfo: { environment: string; homeAccountId: string; idTokenClaims?: object; localAccountId: string; name?: string; tenantId: string; username: string }

Account object with the following signature:

  • homeAccountId - Home account identifier for this account object
  • environment - Entity which issued the token represented by the domain of the issuer (e.g. login.microsoftonline.com)
  • tenantId - Full tenant or organizational id that this account belongs to
  • username - preferred_username claim of the id_token that represents this account
  • localAccountId - Local, tenant-specific account identifer for this account object, usually used in legacy cases
  • name - Full name for the account, including given name and family name
  • idTokenClaims - Object contains claims from ID token
  • localAccountId - The user's account ID

Type declaration

  • environment: string
  • homeAccountId: string
  • Optional idTokenClaims?: object
  • localAccountId: string
  • Optional name?: string
  • tenantId: string
  • username: string

AppMetadataCache

AppMetadataCache: Record<string, AppMetadataEntity>

AuthOptions

AuthOptions: { authority: Authority; clientCapabilities?: string[]; clientId: string }

Use this to configure the auth options in the ClientConfiguration object

  • clientId - Client ID of your app registered with our Application registration portal : https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview in Microsoft Identity Platform
  • authority - You can configure a specific authority, defaults to " " or "https://login.microsoftonline.com/common"
  • knownAuthorities - An array of URIs that are known to be valid. Used in B2C scenarios.
  • cloudDiscoveryMetadata - A string containing the cloud discovery response. Used in AAD scenarios.
  • clientCapabilities - Array of capabilities which will be added to the claims.access_token.xms_cc request property on every network request.
  • protocolMode - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.

Type declaration

  • authority: Authority
  • Optional clientCapabilities?: string[]
  • clientId: string

AuthenticationResult

AuthenticationResult: { accessToken: string; account: AccountInfo | null; authority: string; cloudGraphHostName?: string; code?: string; correlationId: string; expiresOn: Date | null; extExpiresOn?: Date; familyId?: string; fromCache: boolean; idToken: string; idTokenClaims: object; msGraphHost?: string; scopes: string[]; state?: string; tenantId: string; tokenType: string; uniqueId: string }

Result returned from the authority's token endpoint.

  • uniqueId - oid or sub claim from ID token
  • tenantId - tid claim from ID token
  • scopes - Scopes that are validated for the respective token
  • account - An account object representation of the currently signed-in user
  • idToken - Id token received as part of the response
  • idTokenClaims - MSAL-relevant ID token claims
  • accessToken - Access token or SSH certificate received as part of the response
  • fromCache - Boolean denoting whether token came from cache
  • expiresOn - Javascript Date object representing relative expiration of access token
  • extExpiresOn - Javascript Date object representing extended relative expiration of access token in case of server outage
  • state - Value passed in by user in request
  • familyId - Family ID identifier, usually only used for refresh tokens

Type declaration

  • accessToken: string
  • account: AccountInfo | null
  • authority: string
  • Optional cloudGraphHostName?: string
  • Optional code?: string
  • correlationId: string
  • expiresOn: Date | null
  • Optional extExpiresOn?: Date
  • Optional familyId?: string
  • fromCache: boolean
  • idToken: string
  • idTokenClaims: object
  • Optional msGraphHost?: string
  • scopes: string[]
  • Optional state?: string
  • tenantId: string
  • tokenType: string
  • uniqueId: string

AuthorityOptions

AuthorityOptions: { authorityMetadata: string; azureRegionConfiguration?: AzureRegionConfiguration; cloudDiscoveryMetadata: string; knownAuthorities: string[]; protocolMode: ProtocolMode }

Type declaration

AuthorizationCodePayload

AuthorizationCodePayload: { client_info?: string; cloud_graph_host_name?: string; cloud_instance_host_name?: string; cloud_instance_name?: string; code: string; msgraph_host?: string; nonce?: string; state?: string }

Response returned after processing the code response query string or fragment.

Type declaration

  • Optional client_info?: string
  • Optional cloud_graph_host_name?: string
  • Optional cloud_instance_host_name?: string
  • Optional cloud_instance_name?: string
  • code: string
  • Optional msgraph_host?: string
  • Optional nonce?: string
  • Optional state?: string

AzureRegion

AzureRegion: string

AzureRegionConfiguration

AzureRegionConfiguration: { azureRegion?: AzureRegion; environmentRegion: string | undefined }

Type declaration

  • Optional azureRegion?: AzureRegion
  • environmentRegion: string | undefined

BaseAuthRequest

BaseAuthRequest: { authenticationScheme?: AuthenticationScheme; authority: string; claims?: string; correlationId: string; requestedClaimsHash?: string; resourceRequestMethod?: string; resourceRequestUri?: string; scopes: string[]; shrClaims?: string; shrNonce?: string; sshJwk?: string; sshKid?: string }

BaseAuthRequest

  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. Defaults to https://login.microsoftonline.com/common. If using the same authority for all request, authority should set on client application object and not request, to avoid resolving authority endpoints multiple times.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • scopes - Array of scopes the application is requesting access to.
  • authenticationScheme - The type of token retrieved. Defaults to "Bearer". Can also be type "pop" or "SSH".
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • shrClaims - A stringified claims object which will be added to a Signed HTTP Request
  • shrNonce - A server-generated timestamp that has been encrypted and base64URL encoded, which will be added to a Signed HTTP Request.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • sshJwk - A stringified JSON Web Key representing a public key that can be signed by an SSH certificate.
  • sshKid - Key ID that uniquely identifies the SSH public key mentioned above.
  • requestedClaimsHash - SHA 256 hash string of the requested claims string, used as part of an access token cache key so tokens can be filtered by requested claims

Type declaration

  • Optional authenticationScheme?: AuthenticationScheme
  • authority: string
  • Optional claims?: string
  • correlationId: string
  • Optional requestedClaimsHash?: string
  • Optional resourceRequestMethod?: string
  • Optional resourceRequestUri?: string
  • scopes: string[]
  • Optional shrClaims?: string
  • Optional shrNonce?: string
  • Optional sshJwk?: string
  • Optional sshKid?: string

CcsCredential

CcsCredential: { credential: string; type: CcsCredentialType }

Type declaration

ClientConfiguration

ClientConfiguration: { authOptions: AuthOptions; clientCredentials?: ClientCredentials; cryptoInterface?: ICrypto; libraryInfo?: LibraryInfo; loggerOptions?: LoggerOptions; networkInterface?: INetworkModule; persistencePlugin?: ICachePlugin | null; serializableCache?: ISerializableTokenCache | null; serverTelemetryManager?: ServerTelemetryManager | null; storageInterface?: CacheManager; systemOptions?: SystemOptions }

Use the configuration object to configure MSAL Modules and initialize the base interfaces for MSAL.

This object allows you to configure important elements of MSAL functionality:

  • authOptions - Authentication for application
  • cryptoInterface - Implementation of crypto functions
  • libraryInfo - Library metadata
  • loggerOptions - Logging for application
  • networkInterface - Network implementation
  • storageInterface - Storage implementation
  • systemOptions - Additional library options
  • clientCredentials - Credentials options for confidential clients

Type declaration

CommonAuthorizationCodeRequest

CommonAuthorizationCodeRequest: BaseAuthRequest & { ccsCredential?: CcsCredential; clientInfo?: string; code: string; codeVerifier?: string; enableSpaAuthorizationCode?: boolean; redirectUri: string; tokenBodyParameters?: StringDict; tokenQueryParameters?: StringDict }

Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow)

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal
  • code - The authorization_code that the user acquired in the first leg of the flow.
  • codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request.For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • enableSpaAuthCode - Enables the acqusition of a spa authorization code (confidential clients only)

CommonAuthorizationUrlRequest

CommonAuthorizationUrlRequest: BaseAuthRequest & { account?: AccountInfo; codeChallenge?: string; codeChallengeMethod?: string; domainHint?: string; extraQueryParameters?: StringDict; extraScopesToConsent?: string[]; loginHint?: string; nonce?: string; prompt?: string; redirectUri: string; responseMode: ResponseMode; sid?: string; state?: string; tokenQueryParameters?: StringDict }

Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow)

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
  • codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636
  • codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required.
       login: will force the user to enter their credentials on that request, negating single-sign on
   none:  will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
   consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
   select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
   create: will direct the user to the account creation experience instead of the log in experience
  • account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.

CommonClientCredentialRequest

CommonClientCredentialRequest: BaseAuthRequest & { azureRegion?: AzureRegion; skipCache?: boolean }

CommonClientCredentialRequest

  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.
  • preferredAzureRegionOptions - Options of the user's preferred azure region

CommonDeviceCodeRequest

CommonDeviceCodeRequest: BaseAuthRequest & { cancel?: boolean; deviceCodeCallback: (response: DeviceCodeResponse) => void; timeout?: number }

Parameters for Oauth2 device code flow.

  • scopes - Array of scopes the application is requesting access to.
  • authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials.
  • cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the the token endpoint of security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.
  • timeout - Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period; assuming the device code has not expired yet; the device code polling is stopped and the request cancelled. The device code expiration window will always take precedence over this set period.

CommonEndSessionRequest

CommonEndSessionRequest: { account?: AccountInfo | null; correlationId: string; extraQueryParameters?: StringDict; idTokenHint?: string; postLogoutRedirectUri?: string | null; state?: string }

CommonEndSessionRequest

  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
  • postLogoutRedirectUri - URI to navigate to after logout page.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • idTokenHint - ID Token used by B2C to validate logout if required by the policy
  • state - A value included in the request to the logout endpoint which will be returned in the query string upon post logout redirection

Type declaration

  • Optional account?: AccountInfo | null
  • correlationId: string
  • Optional extraQueryParameters?: StringDict
  • Optional idTokenHint?: string
  • Optional postLogoutRedirectUri?: string | null
  • Optional state?: string

CommonOnBehalfOfRequest

CommonOnBehalfOfRequest: BaseAuthRequest & { oboAssertion: string; skipCache?: boolean }
  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • oboAssertion - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
  • skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.

CommonRefreshTokenRequest

CommonRefreshTokenRequest: BaseAuthRequest & { ccsCredential?: CcsCredential; refreshToken: string; tokenQueryParameters?: StringDict }

CommonRefreshTokenRequest

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • refreshToken - A refresh token returned from a previous request to the Identity provider.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.

CommonSilentFlowRequest

CommonSilentFlowRequest: BaseAuthRequest & { account: AccountInfo; forceRefresh: boolean; tokenQueryParameters?: StringDict }

SilentFlow parameters passed by the user to retrieve credentials silently

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • account - Account entity to lookup the credentials.
  • forceRefresh - Forces silent requests to make network calls if true.
  • resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows.
  • resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows.

CommonUsernamePasswordRequest

CommonUsernamePasswordRequest: BaseAuthRequest & { password: string; username: string }

CommonUsernamePassword parameters passed by the user to retrieve credentials Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing.

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • username - username of the client
  • password - credentials

DeviceCodeResponse

DeviceCodeResponse: { deviceCode: string; expiresIn: number; interval: number; message: string; userCode: string; verificationUri: string }

DeviceCode returned by the security token service device code endpoint containing information necessary for device code flow.

  • userCode: code which user needs to provide when authenticating at the verification URI
  • deviceCode: code which should be included in the request for the access token
  • verificationUri: URI where user can authenticate
  • expiresIn: expiration time of the device code in seconds
  • interval: interval at which the STS should be polled at
  • message: message which should be displayed to the user

Type declaration

  • deviceCode: string
  • expiresIn: number
  • interval: number
  • message: string
  • userCode: string
  • verificationUri: string

ExternalTokenResponse

ExternalTokenResponse: Pick<ServerAuthorizationTokenResponse, "token_type" | "scope" | "expires_in" | "id_token"> & { access_token?: string; client_info?: string }

Response object used for loading external tokens to cache.

  • token_type: Indicates the token type value. The only type that Azure AD supports is Bearer.
  • scope: The scopes that the access_token is valid for.
  • expires_in: How long the access token is valid (in seconds).
  • id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
  • access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
  • client_info: Client info object

IdTokenCache

IdTokenCache: Record<string, IdTokenEntity>

LibraryStateObject

LibraryStateObject: { id: string; meta?: Record<string, string> }

Type which defines the object that is stringified, encoded and sent in the state value. Contains the following:

  • id - unique identifier for this request
  • ts - timestamp for the time the request was made. Used to ensure that token expiration is not calculated incorrectly.
  • platformState - string value sent from the platform.

Type declaration

  • id: string
  • Optional meta?: Record<string, string>

LoggerOptions

LoggerOptions: { correlationId?: string; logLevel?: LogLevel; loggerCallback?: ILoggerCallback; piiLoggingEnabled?: boolean }

Use this to configure the logging that MSAL does, by configuring logger options in the Configuration object

  • loggerCallback - Callback for logger
  • piiLoggingEnabled - Sets whether pii logging is enabled
  • logLevel - Sets the level at which logging happens
  • correlationId - Sets the correlationId printed by the logger

Type declaration

  • Optional correlationId?: string
  • Optional logLevel?: LogLevel
  • Optional loggerCallback?: ILoggerCallback
  • Optional piiLoggingEnabled?: boolean

NetworkRequestOptions

NetworkRequestOptions: { body?: string; headers?: Record<string, string> }

Options allowed by network request APIs.

Type declaration

  • Optional body?: string
  • Optional headers?: Record<string, string>

NetworkResponse

NetworkResponse<T>: { body: T; headers: Record<string, string>; status: number }

Type parameters

  • T

Type declaration

  • body: T
  • headers: Record<string, string>
  • status: number

PkceCodes

PkceCodes: { challenge: string; verifier: string }

The PkceCodes type describes the structure of objects that contain PKCE code challenge and verifier pairs

Type declaration

  • challenge: string
  • verifier: string

RefreshTokenCache

RefreshTokenCache: Record<string, RefreshTokenEntity>

RequestStateObject

RequestStateObject: { libraryState: LibraryStateObject; userRequestState: string }

Type which defines the stringified and encoded object sent to the service in the authorize request.

Type declaration

RequestThumbprint

RequestThumbprint: { authenticationScheme?: AuthenticationScheme; authority: string; claims?: string; clientId: string; homeAccountIdentifier?: string; resourceRequestMethod?: string; resourceRequestUri?: string; scopes: string[]; shrClaims?: string; sshKid?: string }

Type representing a unique request thumbprint.

Type declaration

  • Optional authenticationScheme?: AuthenticationScheme
  • authority: string
  • Optional claims?: string
  • clientId: string
  • Optional homeAccountIdentifier?: string
  • Optional resourceRequestMethod?: string
  • Optional resourceRequestUri?: string
  • scopes: string[]
  • Optional shrClaims?: string
  • Optional sshKid?: string

ServerAuthorizationCodeResponse

ServerAuthorizationCodeResponse: { client_info?: string; cloud_graph_host_name?: string; cloud_instance_host_name?: string; cloud_instance_name?: string; code?: string; error?: string; error_description?: string; msgraph_host?: string; state?: string; suberror?: string }

Deserialized response object from server authorization code request.

  • code: authorization code from server
  • client_info: client info object
  • state: OAuth2 request state
  • error: error sent back in hash
  • error: description

Type declaration

  • Optional client_info?: string
  • Optional cloud_graph_host_name?: string
  • Optional cloud_instance_host_name?: string
  • Optional cloud_instance_name?: string
  • Optional code?: string
  • Optional error?: string
  • Optional error_description?: string
  • Optional msgraph_host?: string
  • Optional state?: string
  • Optional suberror?: string

ServerAuthorizationTokenResponse

ServerAuthorizationTokenResponse: { access_token?: string; client_info?: string; correlation_id?: string; error?: string; error_codes?: string[]; error_description?: string; expires_in?: number; ext_expires_in?: number; foci?: string; id_token?: string; key_id?: string; refresh_in?: number; refresh_token?: string; scope?: string; spa_code?: string; suberror?: string; timestamp?: string; token_type?: AuthenticationScheme; trace_id?: string }

Deserialized response object from server authorization code request.

  • token_type: Indicates the token type value. Can be either Bearer or pop.
  • scope: The scopes that the access_token is valid for.
  • expires_in: How long the access token is valid (in seconds).
  • refresh_in: Duration afer which a token should be renewed, regardless of expiration.
  • ext_expires_in: How long the access token is valid (in seconds) if the server isn't responding.
  • access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
  • refresh_token: An OAuth 2.0 refresh token. The app can use this token acquire additional access tokens after the current access token expires.
  • id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
  • key_id: A string that uniquely identifies a public key that the request is bound to.

In case of error:

  • error: An error code string that can be used to classify types of errors that occur, and can be used to react to errors.
  • error_description: A specific error message that can help a developer identify the root cause of an authentication error.
  • error_codes: A list of STS-specific error codes that can help in diagnostics.
  • timestamp: The time at which the error occurred.
  • trace_id: A unique identifier for the request that can help in diagnostics.
  • correlation_id: A unique identifier for the request that can help in diagnostics across components.

Type declaration

  • Optional access_token?: string
  • Optional client_info?: string
  • Optional correlation_id?: string
  • Optional error?: string
  • Optional error_codes?: string[]
  • Optional error_description?: string
  • Optional expires_in?: number
  • Optional ext_expires_in?: number
  • Optional foci?: string
  • Optional id_token?: string
  • Optional key_id?: string
  • Optional refresh_in?: number
  • Optional refresh_token?: string
  • Optional scope?: string
  • Optional spa_code?: string
  • Optional suberror?: string
  • Optional timestamp?: string
  • Optional token_type?: AuthenticationScheme
  • Optional trace_id?: string

ServerTelemetryRequest

ServerTelemetryRequest: { apiId: number; clientId: string; correlationId: string; forceRefresh?: boolean; wrapperSKU?: string; wrapperVer?: string }

Type declaration

  • apiId: number
  • clientId: string
  • correlationId: string
  • Optional forceRefresh?: boolean
  • Optional wrapperSKU?: string
  • Optional wrapperVer?: string

SignedHttpRequest

SignedHttpRequest: { at?: string; client_claims?: string; cnf?: object; m?: string; nonce?: string; p?: string; q?: [string[], string]; ts?: number; u?: string }

Type declaration

  • Optional at?: string
  • Optional client_claims?: string
  • Optional cnf?: object
  • Optional m?: string
  • Optional nonce?: string
  • Optional p?: string
  • Optional q?: [string[], string]
  • Optional ts?: number
  • Optional u?: string

SignedHttpRequestParameters

SignedHttpRequestParameters: Pick<BaseAuthRequest, "resourceRequestMethod" | "resourceRequestUri" | "shrClaims" | "shrNonce">

StringDict

StringDict: {}

Key-Value type to support queryParams, extraQueryParams and claims

Type declaration

  • [key: string]: string

SystemOptions

SystemOptions: { preventCorsPreflight?: boolean; tokenRenewalOffsetSeconds?: number }

Use this to configure token renewal info in the Configuration object

  • tokenRenewalOffsetSeconds - Sets the window of offset needed to renew the token before expiry

Type declaration

  • Optional preventCorsPreflight?: boolean
  • Optional tokenRenewalOffsetSeconds?: number

TokenClaims

TokenClaims: { at?: string; cloud_instance_host_name?: string; cnf?: { kid: string }; emails?: string[]; exp?: number; home_oid?: string; iat?: number; iss?: string; m?: string; name?: string; nonce?: string; oid?: string; p?: string; preferred_username?: string; sid?: string; sub?: string; tid?: string; ts?: number; u?: string; upn?: string; ver?: string; x5c_ca?: string }

Type which describes Id Token claims known by MSAL.

Type declaration

  • Optional at?: string
  • Optional cloud_instance_host_name?: string
  • Optional cnf?: { kid: string }
    • kid: string
  • Optional emails?: string[]
  • Optional exp?: number
  • Optional home_oid?: string
  • Optional iat?: number
  • Optional iss?: string
  • Optional m?: string
  • Optional name?: string
  • Optional nonce?: string
  • Optional oid?: string
  • Optional p?: string
  • Optional preferred_username?: string
  • Optional sid?: string
  • Optional sub?: string
  • Optional tid?: string
  • Optional ts?: number
  • Optional u?: string
  • Optional upn?: string
  • Optional ver?: string
  • Optional x5c_ca?: string

ValidCacheType

ValidCacheType: AccountEntity | IdTokenEntity | AccessTokenEntity | RefreshTokenEntity | AppMetadataEntity | AuthorityMetadataEntity | ServerTelemetryEntity | ThrottlingEntity | string

Object type of all accepted cache types

ValidCredentialType

ValidCredentialType: IdTokenEntity | AccessTokenEntity | RefreshTokenEntity

Object type of all credential types

Variables

Const AuthErrorMessage

AuthErrorMessage: { unexpectedError: { code: string; desc: string } } = ...

AuthErrorMessage class containing string constants used by error codes and messages.

Type declaration

  • unexpectedError: { code: string; desc: string }
    • code: string
    • desc: string

Const ClientAuthErrorMessage

ClientAuthErrorMessage: { CachePluginError: { code: string; desc: string }; DeviceCodeExpired: { code: string; desc: string }; DeviceCodePollingCancelled: { code: string; desc: string }; DeviceCodeUnknownError: { code: string; desc: string }; NoAccountInSilentRequest: { code: string; desc: string }; accessTokenEntityNullError: { code: string; desc: string }; appendEmptyScopeError: { code: string; desc: string }; appendScopeSetError: { code: string; desc: string }; bindingKeyNotRemovedError: { code: string; desc: string }; blankGuidGenerated: { code: string; desc: string }; clientInfoDecodingError: { code: string; desc: string }; clientInfoEmptyError: { code: string; desc: string }; emptyInputScopeSetError: { code: string; desc: string }; endpointResolutionError: { code: string; desc: string }; hashNotDeserialized: { code: string; desc: string }; invalidAssertion: { code: string; desc: string }; invalidCacheEnvironment: { code: string; desc: string }; invalidCacheRecord: { code: string; desc: string }; invalidCacheType: { code: string; desc: string }; invalidClientCredential: { code: string; desc: string }; invalidStateError: { code: string; desc: string }; logoutNotSupported: { code: string; desc: string }; multipleMatchingAccounts: { code: string; desc: string }; multipleMatchingAppMetadata: { code: string; desc: string }; multipleMatchingTokens: { code: string; desc: string }; networkError: { code: string; desc: string }; noAccountFound: { code: string; desc: string }; noAuthorizationCodeFromServer: { code: string; desc: string }; noAzureRegionDetected: { code: string; desc: string }; noCryptoObj: { code: string; desc: string }; noTokensFoundError: { code: string; desc: string }; nonceMismatchError: { code: string; desc: string }; nonceNotFoundError: { code: string; desc: string }; nullOrEmptyToken: { code: string; desc: string }; removeEmptyScopeError: { code: string; desc: string }; stateMismatchError: { code: string; desc: string }; stateNotFoundError: { code: string; desc: string }; tokenClaimsRequired: { code: string; desc: string }; tokenParsingError: { code: string; desc: string }; tokenRefreshRequired: { code: string; desc: string }; tokenRequestCannotBeMade: { code: string; desc: string }; unableToGetOpenidConfigError: { code: string; desc: string }; unexpectedAccountType: { code: string; desc: string }; unexpectedCredentialType: { code: string; desc: string }; userTimeoutReached: { code: string; desc: string } } = ...

ClientAuthErrorMessage class containing string constants used by error codes and messages.

Type declaration

  • CachePluginError: { code: string; desc: string }
    • code: string
    • desc: string
  • DeviceCodeExpired: { code: string; desc: string }
    • code: string
    • desc: string
  • DeviceCodePollingCancelled: { code: string; desc: string }
    • code: string
    • desc: string
  • DeviceCodeUnknownError: { code: string; desc: string }
    • code: string
    • desc: string
  • NoAccountInSilentRequest: { code: string; desc: string }
    • code: string
    • desc: string
  • accessTokenEntityNullError: { code: string; desc: string }
    • code: string
    • desc: string
  • appendEmptyScopeError: { code: string; desc: string }
    • code: string
    • desc: string
  • appendScopeSetError: { code: string; desc: string }
    • code: string
    • desc: string
  • bindingKeyNotRemovedError: { code: string; desc: string }
    • code: string
    • desc: string
  • blankGuidGenerated: { code: string; desc: string }
    • code: string
    • desc: string
  • clientInfoDecodingError: { code: string; desc: string }
    • code: string
    • desc: string
  • clientInfoEmptyError: { code: string; desc: string }
    • code: string
    • desc: string
  • emptyInputScopeSetError: { code: string; desc: string }
    • code: string
    • desc: string
  • endpointResolutionError: { code: string; desc: string }
    • code: string
    • desc: string
  • hashNotDeserialized: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidAssertion: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidCacheEnvironment: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidCacheRecord: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidCacheType: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidClientCredential: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidStateError: { code: string; desc: string }
    • code: string
    • desc: string
  • logoutNotSupported: { code: string; desc: string }
    • code: string
    • desc: string
  • multipleMatchingAccounts: { code: string; desc: string }
    • code: string
    • desc: string
  • multipleMatchingAppMetadata: { code: string; desc: string }
    • code: string
    • desc: string
  • multipleMatchingTokens: { code: string; desc: string }
    • code: string
    • desc: string
  • networkError: { code: string; desc: string }
    • code: string
    • desc: string
  • noAccountFound: { code: string; desc: string }
    • code: string
    • desc: string
  • noAuthorizationCodeFromServer: { code: string; desc: string }
    • code: string
    • desc: string
  • noAzureRegionDetected: { code: string; desc: string }
    • code: string
    • desc: string
  • noCryptoObj: { code: string; desc: string }
    • code: string
    • desc: string
  • noTokensFoundError: { code: string; desc: string }
    • code: string
    • desc: string
  • nonceMismatchError: { code: string; desc: string }
    • code: string
    • desc: string
  • nonceNotFoundError: { code: string; desc: string }
    • code: string
    • desc: string
  • nullOrEmptyToken: { code: string; desc: string }
    • code: string
    • desc: string
  • removeEmptyScopeError: { code: string; desc: string }
    • code: string
    • desc: string
  • stateMismatchError: { code: string; desc: string }
    • code: string
    • desc: string
  • stateNotFoundError: { code: string; desc: string }
    • code: string
    • desc: string
  • tokenClaimsRequired: { code: string; desc: string }
    • code: string
    • desc: string
  • tokenParsingError: { code: string; desc: string }
    • code: string
    • desc: string
  • tokenRefreshRequired: { code: string; desc: string }
    • code: string
    • desc: string
  • tokenRequestCannotBeMade: { code: string; desc: string }
    • code: string
    • desc: string
  • unableToGetOpenidConfigError: { code: string; desc: string }
    • code: string
    • desc: string
  • unexpectedAccountType: { code: string; desc: string }
    • code: string
    • desc: string
  • unexpectedCredentialType: { code: string; desc: string }
    • code: string
    • desc: string
  • userTimeoutReached: { code: string; desc: string }
    • code: string
    • desc: string

Const ClientConfigurationErrorMessage

ClientConfigurationErrorMessage: { authorityUriInsecure: { code: string; desc: string }; claimsRequestParsingError: { code: string; desc: string }; clientIdSingleScopeError: { code: string; desc: string }; emptyScopesError: { code: string; desc: string }; invalidAuthenticationHeader: { code: string; desc: string }; invalidAuthorityMetadata: { code: string; desc: string }; invalidClaimsRequest: { code: string; desc: string }; invalidCloudDiscoveryMetadata: { code: string; desc: string }; invalidCodeChallengeMethod: { code: string; desc: string }; invalidCodeChallengeParams: { code: string; desc: string }; invalidPrompt: { code: string; desc: string }; logoutRequestEmptyError: { code: string; desc: string }; missingNonceAuthenticationHeader: { code: string; desc: string }; missingSshJwk: { code: string; desc: string }; missingSshKid: { code: string; desc: string }; nonArrayScopesError: { code: string; desc: string }; postLogoutUriNotSet: { code: string; desc: string }; redirectUriNotSet: { code: string; desc: string }; tokenRequestEmptyError: { code: string; desc: string }; untrustedAuthority: { code: string; desc: string }; urlEmptyError: { code: string; desc: string }; urlParseError: { code: string; desc: string } } = ...

ClientConfigurationErrorMessage class containing string constants used by error codes and messages.

Type declaration

  • authorityUriInsecure: { code: string; desc: string }
    • code: string
    • desc: string
  • claimsRequestParsingError: { code: string; desc: string }
    • code: string
    • desc: string
  • clientIdSingleScopeError: { code: string; desc: string }
    • code: string
    • desc: string
  • emptyScopesError: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidAuthenticationHeader: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidAuthorityMetadata: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidClaimsRequest: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidCloudDiscoveryMetadata: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidCodeChallengeMethod: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidCodeChallengeParams: { code: string; desc: string }
    • code: string
    • desc: string
  • invalidPrompt: { code: string; desc: string }
    • code: string
    • desc: string
  • logoutRequestEmptyError: { code: string; desc: string }
    • code: string
    • desc: string
  • missingNonceAuthenticationHeader: { code: string; desc: string }
    • code: string
    • desc: string
  • missingSshJwk: { code: string; desc: string }
    • code: string
    • desc: string
  • missingSshKid: { code: string; desc: string }
    • code: string
    • desc: string
  • nonArrayScopesError: { code: string; desc: string }
    • code: string
    • desc: string
  • postLogoutUriNotSet: { code: string; desc: string }
    • code: string
    • desc: string
  • redirectUriNotSet: { code: string; desc: string }
    • code: string
    • desc: string
  • tokenRequestEmptyError: { code: string; desc: string }
    • code: string
    • desc: string
  • untrustedAuthority: { code: string; desc: string }
    • code: string
    • desc: string
  • urlEmptyError: { code: string; desc: string }
    • code: string
    • desc: string
  • urlParseError: { code: string; desc: string }
    • code: string
    • desc: string

Const Constants

Constants: { AAD_INSTANCE_DISCOVERY_ENDPT: string; ADFS: string; AUTHORIZATION_PENDING: string; AZURE_REGION_AUTO_DISCOVER_FLAG: string; CACHE_PREFIX: string; CLAIMS: string; CODE_GRANT_TYPE: string; CODE_RESPONSE_TYPE: string; CONSUMER_UTID: string; DEFAULT_AUTHORITY: string; DEFAULT_AUTHORITY_HOST: string; EMAIL_SCOPE: string; EMPTY_STRING: string; FORWARD_SLASH: string; FRAGMENT_RESPONSE_MODE: string; IMDS_ENDPOINT: string; IMDS_TIMEOUT: number; IMDS_VERSION: string; KNOWN_PUBLIC_CLOUDS: string[]; LIBRARY_NAME: string; NOT_DEFINED: string; NO_ACCOUNT: string; OFFLINE_ACCESS_SCOPE: string; OPENID_SCOPE: string; PROFILE_SCOPE: string; REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX: string; RESOURCE_DELIM: string; RT_GRANT_TYPE: string; S256_CODE_CHALLENGE_METHOD: string; SKU: string; URL_FORM_CONTENT_TYPE: string } = ...

Type declaration

  • AAD_INSTANCE_DISCOVERY_ENDPT: string
  • ADFS: string
  • AUTHORIZATION_PENDING: string
  • AZURE_REGION_AUTO_DISCOVER_FLAG: string
  • CACHE_PREFIX: string
  • CLAIMS: string
  • CODE_GRANT_TYPE: string
  • CODE_RESPONSE_TYPE: string
  • CONSUMER_UTID: string
  • DEFAULT_AUTHORITY: string
  • DEFAULT_AUTHORITY_HOST: string
  • EMAIL_SCOPE: string
  • EMPTY_STRING: string
  • FORWARD_SLASH: string
  • FRAGMENT_RESPONSE_MODE: string
  • IMDS_ENDPOINT: string
  • IMDS_TIMEOUT: number
  • IMDS_VERSION: string
  • KNOWN_PUBLIC_CLOUDS: string[]
  • LIBRARY_NAME: string
  • NOT_DEFINED: string
  • NO_ACCOUNT: string
  • OFFLINE_ACCESS_SCOPE: string
  • OPENID_SCOPE: string
  • PROFILE_SCOPE: string
  • REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX: string
  • RESOURCE_DELIM: string
  • RT_GRANT_TYPE: string
  • S256_CODE_CHALLENGE_METHOD: string
  • SKU: string
  • URL_FORM_CONTENT_TYPE: string

Const DEFAULT_CRYPTO_IMPLEMENTATION

DEFAULT_CRYPTO_IMPLEMENTATION: ICrypto = ...

Const DEFAULT_SYSTEM_OPTIONS

DEFAULT_SYSTEM_OPTIONS: Required<SystemOptions> = ...

Const InteractionRequiredAuthErrorMessage

InteractionRequiredAuthErrorMessage: { noTokensFoundError: { code: string; desc: string } } = ...

Interaction required errors defined by the SDK

Type declaration

  • noTokensFoundError: { code: string; desc: string }
    • code: string
    • desc: string

Const OIDC_DEFAULT_SCOPES

OIDC_DEFAULT_SCOPES: string[] = ...

Const PromptValue

PromptValue: { CONSENT: string; CREATE: string; LOGIN: string; NONE: string; SELECT_ACCOUNT: string } = ...

we considered making this "enum" in the request instead of string, however it looks like the allowed list of prompt values kept changing over past couple of years. There are some undocumented prompt values for some internal partners too, hence the choice of generic "string" type instead of the "enum"

Type declaration

  • CONSENT: string
  • CREATE: string
  • LOGIN: string
  • NONE: string
  • SELECT_ACCOUNT: string

Const StubbedNetworkModule

StubbedNetworkModule: INetworkModule = ...

Const version

version: "6.0.0" = "6.0.0"

Generated using TypeDoc