References

AccountInfo

Re-exports AccountInfo

AuthError

Re-exports AuthError

AuthErrorMessage

Re-exports AuthErrorMessage

AuthenticationResult

Re-exports AuthenticationResult

ClientAuthError

Re-exports ClientAuthError

ClientAuthErrorMessage

Re-exports ClientAuthErrorMessage

ClientConfigurationError

Re-exports ClientConfigurationError

ClientConfigurationErrorMessage

Re-exports ClientConfigurationErrorMessage

ICachePlugin

Re-exports ICachePlugin

INetworkModule

Re-exports INetworkModule

ISerializableTokenCache

Re-exports ISerializableTokenCache

InteractionRequiredAuthError

Re-exports InteractionRequiredAuthError

LogLevel

Re-exports LogLevel

Logger

Re-exports Logger

NetworkRequestOptions

Re-exports NetworkRequestOptions

NetworkResponse

Re-exports NetworkResponse

PromptValue

Re-exports PromptValue

ProtocolMode

Re-exports ProtocolMode

ResponseMode

Re-exports ResponseMode

ServerError

Re-exports ServerError

TokenCacheContext

Re-exports TokenCacheContext

ValidCacheType

Re-exports ValidCacheType

Type aliases

AuthorizationCodeRequest

AuthorizationCodeRequest: Partial<Omit<CommonAuthorizationCodeRequest, "scopes" | "redirectUri" | "code" | "authenticationScheme" | "resourceRequestMethod" | "resourceRequestUri">> & { code: string; redirectUri: string; scopes: string[] }

Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow)

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on the client application object, this will override that value. Overriding the value will cause authority validation to happen each time. If the same authority will be used for all requests, set it on the application object instead of on the requests.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • code - The authorization_code that the user acquired in the first leg of the flow.
  • codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636

AuthorizationUrlRequest

AuthorizationUrlRequest: Partial<Omit<CommonAuthorizationUrlRequest, "scopes" | "redirectUri" | "resourceRequestMethod" | "resourceRequestUri" | "authenticationScheme">> & { redirectUri: string; scopes: string[] }

Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow)

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
  • codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
  • codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required.
       login: will force the user to enter their credentials on that request, negating single sign-on
       none: will ensure that the user isn't presented with any interactive prompt. If the request can't be completed via single sign-on, the endpoint will return an interaction_required error
       consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
       select_account: will interrupt single sign-on, providing an account selection experience listing all the accounts in session or any remembered accounts, or an option to choose to use a different account
       create: will direct the user to the account creation experience instead of the log in experience
    
  • account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
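
How the codeChallenge, codeChallengeMethod, state and nonce fields of the first leg tie to the code and codeVerifier fields of the second leg, as an added example that is not part of msal-node or of this reference. The helper names and the `session` object are hypothetical, the scope and redirect URI are up to the caller, and the returned objects use only fields listed above.

```javascript
const crypto = require("node:crypto");

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256Challenge(verifier) {
  return crypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// First leg: build an object shaped like AuthorizationUrlRequest and keep the
// secrets needed later in server-side session storage (hypothetical `session`).
function buildAuthorizationUrlRequest(session, scopes, redirectUri) {
  // 32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
  session.pkceVerifier = crypto.randomBytes(32).toString("base64url");
  session.state = crypto.randomBytes(16).toString("base64url");
  session.nonce = crypto.randomUUID(); // compare with the ID token's nonce claim
  return {
    scopes,
    redirectUri,
    codeChallenge: s256Challenge(session.pkceVerifier),
    codeChallengeMethod: "S256", // when excluded, the challenge is treated as plaintext
    state: session.state,
    nonce: session.nonce,
  };
}

// Second leg: check the returned state, then build an object shaped like
// AuthorizationCodeRequest. `query` is the parsed redirect query string.
function buildAuthorizationCodeRequest(session, query, scopes, redirectUri) {
  const expected = Buffer.from(String(session.state || ""));
  const received = Buffer.from(String(query.state || ""));
  const stateOk =
    expected.length > 0 &&
    expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
  const codeVerifier = session.pkceVerifier;
  // Single use: clear both values whether or not the check passed.
  delete session.state;
  delete session.pkceVerifier;
  if (!stateOk) throw new Error("state mismatch: response is not for this session");
  if (!query.code || !codeVerifier) throw new Error("missing code or code verifier");
  // redirectUri must be the same value that was sent in the first leg.
  return { scopes, redirectUri, code: query.code, codeVerifier };
}
```
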

CacheKVStore

CacheKVStore: Record<string, ValidCacheType>

Key value store for in-memory cache

CacheOptions

CacheOptions: { cachePlugin?: ICachePlugin }

Use this to configure the below cache configuration options:

  • cachePlugin - Plugin for reading and writing token cache to disk.

ClientCredentialRequest

ClientCredentialRequest: Partial<Omit<CommonClientCredentialRequest, "scopes" | "resourceRequestMethod" | "resourceRequestUri">> & { scopes: string[] }

CommonClientCredentialRequest

  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • skipCache - Skip token cache lookup and force request to authority to get a new token. Defaults to false.

Configuration

Configuration: { auth: NodeAuthOptions; cache?: CacheOptions; system?: NodeSystemOptions }

Use the configuration object to configure MSAL and initialize the client application object

  • auth: this is where you configure auth elements like clientID, authority used for authenticating against the Microsoft Identity Platform
  • cache: this is where you configure cache location
  • system: this is where you can configure the network client, logger

DeviceCodeRequest

DeviceCodeRequest: Partial<Omit<CommonDeviceCodeRequest, "scopes" | "deviceCodeCallback" | "resourceRequestMethod" | "resourceRequestUri">> & { deviceCodeCallback: (response: DeviceCodeResponse) => void; scopes: string[] }

Parameters for OAuth2 device code flow.

  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on the client application object, this will override that value. Overriding the value will cause authority validation to happen each time. If the same authority will be used for all requests, set it on the application object instead of on the requests.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials.
  • cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the token endpoint of the security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true.

InMemoryCache

InMemoryCache: { accessTokens: AccessTokenCache; accounts: AccountCache; appMetadata: AppMetadataCache; idTokens: IdTokenCache; refreshTokens: RefreshTokenCache }

Intermittent type to handle in-memory data objects with defined types

JsonCache

JsonCache: { AccessToken: Record<string, SerializedAccessTokenEntity>; Account: Record<string, SerializedAccountEntity>; AppMetadata: Record<string, SerializedAppMetadataEntity>; IdToken: Record<string, SerializedIdTokenEntity>; RefreshToken: Record<string, SerializedRefreshTokenEntity> }

Cache format read from the cache blob provided to the configuration during app instantiation

NodeAuthOptions

NodeAuthOptions: { authority?: string; authorityMetadata?: string; clientAssertion?: string; clientCapabilities?: string[]; clientCertificate?: { privateKey: string; thumbprint: string; x5c?: string }; clientId: string; clientSecret?: string; cloudDiscoveryMetadata?: string; knownAuthorities?: string[]; protocolMode?: ProtocolMode }
  • clientId - Client id of the application.
  • authority - Url of the authority. If no value is set, defaults to https://login.microsoftonline.com/common.
  • knownAuthorities - Needed for Azure B2C and ADFS. All authorities that will be used in the client application. Only the host of the authority should be passed in.
  • clientSecret - Secret string that the application uses when requesting a token. Only used in confidential client applications. Can be created in the Azure app registration portal.
  • clientAssertion - Assertion string that the application uses when requesting a token. Only used in confidential client applications. Assertion should be of type urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
  • clientCertificate - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 thumbprint of the certificate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
  • protocolMode - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.

Type declaration

  • Optional authority?: string
  • Optional authorityMetadata?: string
  • Optional clientAssertion?: string
  • Optional clientCapabilities?: string[]
  • Optional clientCertificate?: { privateKey: string; thumbprint: string; x5c?: string }
    • privateKey: string
    • thumbprint: string
    • Optional x5c?: string
  • clientId: string
  • Optional clientSecret?: string
  • Optional cloudDiscoveryMetadata?: string
  • Optional knownAuthorities?: string[]
  • Optional protocolMode?: ProtocolMode

NodeSystemOptions

NodeSystemOptions: { loggerOptions?: LoggerOptions; networkClient?: INetworkModule }

Type for configuring logger and http client options

  • loggerOptions - Used to initialize the Logger object.
  • networkClient - Http client used for all http get and post calls. Defaults to using MSAL's default http client.

OnBehalfOfRequest

OnBehalfOfRequest: Partial<Omit<CommonOnBehalfOfRequest, "oboAssertion" | "scopes" | "resourceRequestMethod" | "resourceRequestUri">> & { oboAssertion: string; scopes: string[] }
  • scopes - Array of scopes the application is requesting access to.
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • oboAssertion - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
  • skipCache - Skip token cache lookup and force request to authority to get a new token. Defaults to false.

RefreshTokenRequest

RefreshTokenRequest: Partial<Omit<CommonRefreshTokenRequest, "scopes" | "refreshToken" | "authenticationScheme" | "resourceRequestMethod" | "resourceRequestUri">> & { refreshToken: string; scopes: string[] }

CommonRefreshTokenRequest

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • refreshToken - A refresh token returned from a previous request to the Identity provider.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call

SerializedAccessTokenEntity

SerializedAccessTokenEntity: { cached_at: string; client_id: string; credential_type: string; environment: string; expires_on: string; extended_expires_on?: string; home_account_id: string; key_id?: string; realm: string; refresh_on?: string; secret: string; target: string; token_type?: string }

Access token credential type

Type declaration

  • cached_at: string
  • client_id: string
  • credential_type: string
  • environment: string
  • expires_on: string
  • Optional extended_expires_on?: string
  • home_account_id: string
  • Optional key_id?: string
  • realm: string
  • Optional refresh_on?: string
  • secret: string
  • target: string
  • Optional token_type?: string

SerializedAccountEntity

SerializedAccountEntity: { authority_type: string; client_info?: string; environment: string; home_account_id: string; last_modification_app?: string; last_modification_time?: string; local_account_id: string; name?: string; realm: string; username: string }

Account type

Type declaration

  • authority_type: string
  • Optional client_info?: string
  • environment: string
  • home_account_id: string
  • Optional last_modification_app?: string
  • Optional last_modification_time?: string
  • local_account_id: string
  • Optional name?: string
  • realm: string
  • username: string

SerializedAppMetadataEntity

SerializedAppMetadataEntity: { client_id: string; environment: string; family_id?: string }

AppMetadata type

Type declaration

  • client_id: string
  • environment: string
  • Optional family_id?: string

SerializedIdTokenEntity

SerializedIdTokenEntity: { client_id: string; credential_type: string; environment: string; home_account_id: string; realm: string; secret: string }

ID token credential type

Type declaration

  • client_id: string
  • credential_type: string
  • environment: string
  • home_account_id: string
  • realm: string
  • secret: string

SerializedRefreshTokenEntity

SerializedRefreshTokenEntity: { client_id: string; credential_type: string; environment: string; family_id?: string; home_account_id: string; realm?: string; secret: string; target?: string }

Refresh token credential type

Type declaration

  • client_id: string
  • credential_type: string
  • environment: string
  • Optional family_id?: string
  • home_account_id: string
  • Optional realm?: string
  • secret: string
  • Optional target?: string

SilentFlowRequest

SilentFlowRequest: Partial<Omit<CommonSilentFlowRequest, "account" | "scopes" | "resourceRequestMethod" | "resourceRequestUri">> & { account: AccountInfo; scopes: string[] }

SilentFlow parameters passed by the user to retrieve credentials silently

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • account - Account entity to lookup the credentials.
  • forceRefresh - Forces silent requests to make network calls if true.

UsernamePasswordRequest

UsernamePasswordRequest: Partial<Omit<CommonUsernamePasswordRequest, "scopes" | "resourceRequestMethod" | "resourceRequestUri" | "username" | "password">> & { password: string; scopes: string[]; username: string }

UsernamePassword parameters passed by the user to retrieve credentials. Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing.

  • scopes - Array of scopes the application is requesting access to.
  • claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • username - username of the client
  • password - credentials

Functions

buildAppConfiguration

  • buildAppConfiguration(__namedParameters: Configuration): NodeConfiguration
