From 98a22eb8d4adb069706386c61b4bbb8370ecdf35 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Wed, 7 Jan 2026 12:55:44 -0800 Subject: [PATCH 1/7] Update requests --- .../src/request/AuthorizationCodeRequest.ts | 11 +++++++++++ lib/msal-browser/src/request/RedirectRequest.ts | 1 + lib/msal-browser/src/request/SilentRequest.ts | 1 + lib/msal-browser/src/request/SsoSilentRequest.ts | 1 + lib/msal-common/src/request/BaseAuthRequest.ts | 5 +++-- .../src/request/CommonAuthorizationCodeRequest.ts | 8 +++++--- .../src/request/CommonAuthorizationUrlRequest.ts | 2 ++ .../src/request/CommonRefreshTokenRequest.ts | 2 ++ .../src/request/CommonSilentFlowRequest.ts | 2 ++ lib/msal-node/src/request/AuthorizationUrlRequest.ts | 2 ++ .../src/request/CommonClientCredentialRequest.ts | 5 ++--- lib/msal-node/src/request/CommonDeviceCodeRequest.ts | 4 ++-- lib/msal-node/src/request/DeviceCodeRequest.ts | 1 + lib/msal-node/src/request/SilentFlowRequest.ts | 2 ++ 14 files changed, 37 insertions(+), 10 deletions(-) diff --git a/lib/msal-browser/src/request/AuthorizationCodeRequest.ts b/lib/msal-browser/src/request/AuthorizationCodeRequest.ts index dd0f281339..e46cdd2ba1 100644 --- a/lib/msal-browser/src/request/AuthorizationCodeRequest.ts +++ b/lib/msal-browser/src/request/AuthorizationCodeRequest.ts @@ -5,6 +5,17 @@ import { CommonAuthorizationCodeRequest } from "@azure/msal-common/browser"; +/** + * AuthorizationCodeRequest: Request object passed by browser clients to exchange an authorization code for tokens. + * + * - code - The authorization_code that the user acquired in the first leg of the flow. + * - nativeAccountId - Identifier for the native account when integrating with native or brokered experiences. + * - cloudGraphHostName - Hostname for the Microsoft Cloud instance's Graph endpoint (for example, graph.microsoft.com). + * - msGraphHost - Hostname for the Microsoft Graph endpoint when overriding defaults. + * - cloudInstanceHostName - Hostname for the Azure AD cloud instance that issued the authorization code. + * + * All other properties are inherited from CommonAuthorizationCodeRequest. + */ export type AuthorizationCodeRequest = Partial< Omit > & { diff --git a/lib/msal-browser/src/request/RedirectRequest.ts b/lib/msal-browser/src/request/RedirectRequest.ts index f0eb1757da..2e2d3af98c 100644 --- a/lib/msal-browser/src/request/RedirectRequest.ts +++ b/lib/msal-browser/src/request/RedirectRequest.ts @@ -10,6 +10,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser"; * server (first leg of authorization code grant flow) with a full page redirect. * * - scopes - Array of scopes the application is requesting access to. + * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. * - authority - Url of the authority which the application acquires tokens from. * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. diff --git a/lib/msal-browser/src/request/SilentRequest.ts b/lib/msal-browser/src/request/SilentRequest.ts index 021c4ebb67..9028707d91 100644 --- a/lib/msal-browser/src/request/SilentRequest.ts +++ b/lib/msal-browser/src/request/SilentRequest.ts @@ -27,6 +27,7 @@ import { CacheLookupPolicy } from "../utils/BrowserConstants.js"; * - prompt - Indicates the type of user interaction that is required. * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. + * - state - A value included in the request that is also returned in the token response when a hidden iframe is used. */ export type SilentRequest = Omit< CommonSilentFlowRequest, diff --git a/lib/msal-browser/src/request/SsoSilentRequest.ts b/lib/msal-browser/src/request/SsoSilentRequest.ts index 10c664e45d..4d9c670685 100644 --- a/lib/msal-browser/src/request/SsoSilentRequest.ts +++ b/lib/msal-browser/src/request/SsoSilentRequest.ts @@ -12,6 +12,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser"; * - claims - A stringified claims request which will be added to all /authorize and /token calls * - authority - Url of the authority which the application acquires tokens from. * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. + * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication. diff --git a/lib/msal-common/src/request/BaseAuthRequest.ts b/lib/msal-common/src/request/BaseAuthRequest.ts index a87fb06812..c448553c88 100644 --- a/lib/msal-common/src/request/BaseAuthRequest.ts +++ b/lib/msal-common/src/request/BaseAuthRequest.ts @@ -24,13 +24,14 @@ import { ShrOptions } from "../crypto/SignedHttpRequest.js"; * - sshJwk - A stringified JSON Web Key representing a public key that can be signed by an SSH certificate. * - sshKid - Key ID that uniquely identifies the SSH public key mentioned above. * - azureCloudOptions - Convenience string enums for users to provide public/sovereign cloud ids + * - maxAge - Maximum allowed age, in milliseconds, of the user's authentication before a new sign-in is required. * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests * - storeInCache - Object containing boolean values indicating whether to store tokens in the cache or not (default is true) * - scenarioId - Scenario id to track custom user prompts * - popKid - Key ID to identify the public key for PoP token request * - embeddedClientId - Embedded client id. When specified, broker client id (brk_client_id) and redirect uri (brk_redirect_uri) params are set with values from the config, overriding the corresponding extra parameters, if present. - * - httpMethod - HTTP method to use for the /authorize request. Defaults to GET, but can be set to POST if the request requires body parameters - * - extraParameters - String to string map of custom parameters added to outgoing token service requests + * - httpMethod - HTTP method to use for the /authorize request. Defaults to GET, but can be set to POST if the request requires body parameters. + * - extraParameters - String to string map of custom parameters added to outgoing token service requests. */ export type BaseAuthRequest = { authority: string; diff --git a/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts b/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts index 931d21cc23..ccbc0b8141 100644 --- a/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts +++ b/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts @@ -18,9 +18,11 @@ import { CcsCredential } from "../account/CcsCredential.js"; * - codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request.For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636 * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - enableSpaAuthCode - Enables the acqusition of a spa authorization code (confidential clients only) - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests + * - enableSpaAuthorizationCode - Enables the acquisition of a SPA authorization code (confidential clients only). + * - clientInfo - Encoded client_info returned with the authorization code, used to bind the token response to a specific account. + * - ccsCredential - Credential used to populate the CCS (Cache Credential Service) header. + * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests. + * - extraParameters - String to string map of custom query parameters added to outgoing token service requests. */ export type CommonAuthorizationCodeRequest = BaseAuthRequest & { code: string; diff --git a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts index ddc30647c8..71670191b4 100644 --- a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts +++ b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts @@ -28,6 +28,7 @@ import { AccountInfo } from "../account/AccountInfo.js"; * create: will direct the user to the account creation experience instead of the log in experience * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. + * - earJwk - JSON Web Key used when constructing External Authorization Request (EAR) parameters. * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim. * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. @@ -36,6 +37,7 @@ import { AccountInfo } from "../account/AccountInfo.js"; * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. + * - platformBroker - Indicates whether this authorization request is being initiated by a platform authentication broker instead of a standard web flow. */ export type CommonAuthorizationUrlRequest = BaseAuthRequest & { redirectUri: string; diff --git a/lib/msal-common/src/request/CommonRefreshTokenRequest.ts b/lib/msal-common/src/request/CommonRefreshTokenRequest.ts index 76640992b9..0e4c555576 100644 --- a/lib/msal-common/src/request/CommonRefreshTokenRequest.ts +++ b/lib/msal-common/src/request/CommonRefreshTokenRequest.ts @@ -16,6 +16,8 @@ import { CcsCredential } from "../account/CcsCredential.js"; * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. * - forceCache - Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios. + * - ccsCredential - Credential used to populate the CCS (Cache Credential Service) header. + * - redirectUri - Redirect URI to send with the refresh token request. * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests * - extraParameters - String to string map of custom query parameters added to outgoing token service requests */ diff --git a/lib/msal-common/src/request/CommonSilentFlowRequest.ts b/lib/msal-common/src/request/CommonSilentFlowRequest.ts index e8e4ef0747..dc95abb687 100644 --- a/lib/msal-common/src/request/CommonSilentFlowRequest.ts +++ b/lib/msal-common/src/request/CommonSilentFlowRequest.ts @@ -14,6 +14,8 @@ import { BaseAuthRequest } from "./BaseAuthRequest.js"; * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. * - account - Account entity to lookup the credentials. * - forceRefresh - Forces silent requests to make network calls if true. + * - redirectUri - Redirect URI registered on the app registration. + * - refreshTokenExpirationOffsetSeconds - Number of seconds before the refresh token expires. * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests diff --git a/lib/msal-node/src/request/AuthorizationUrlRequest.ts b/lib/msal-node/src/request/AuthorizationUrlRequest.ts index 55a1fa8915..bac21b963f 100644 --- a/lib/msal-node/src/request/AuthorizationUrlRequest.ts +++ b/lib/msal-node/src/request/AuthorizationUrlRequest.ts @@ -18,6 +18,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node"; * - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636 * - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636 * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. + * - earJwk - JSON Web Key used when constructing External Authorization Request (EAR) parameters for this authorization request. * - prompt - Indicates the type of user interaction that is required. * login: will force the user to enter their credentials on that request, negating single-sign on * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error @@ -31,6 +32,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node"; * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests * - extraParameters - String to string map of custom query parameters added to outgoing token service requests * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. + * - platformBroker - Indicates whether this authorization request is being initiated by a platform authentication broker instead of a standard web flow. * @public */ export type AuthorizationUrlRequest = Partial< diff --git a/lib/msal-node/src/request/CommonClientCredentialRequest.ts b/lib/msal-node/src/request/CommonClientCredentialRequest.ts index b3565fa3a8..95e89ef55d 100644 --- a/lib/msal-node/src/request/CommonClientCredentialRequest.ts +++ b/lib/msal-node/src/request/CommonClientCredentialRequest.ts @@ -15,9 +15,8 @@ import { * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. * - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false. - * - preferredAzureRegionOptions - Options of the user's preferred azure region - * - clientAssertion - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow - * - azureRegion - Azure region to be used for regional authentication + * - clientAssertion - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow. + * - azureRegion - Azure region to be used for regional authentication. */ export type CommonClientCredentialRequest = Omit< BaseAuthRequest, diff --git a/lib/msal-node/src/request/CommonDeviceCodeRequest.ts b/lib/msal-node/src/request/CommonDeviceCodeRequest.ts index 1a5e2a1518..628a08aa03 100644 --- a/lib/msal-node/src/request/CommonDeviceCodeRequest.ts +++ b/lib/msal-node/src/request/CommonDeviceCodeRequest.ts @@ -19,8 +19,8 @@ import { * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. * - timeout - Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period; assuming the device code has not expired yet; the device code polling is stopped and the request cancelled. The device code expiration window will always take precedence over this set period. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests + * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests. + * - extraParameters - String to string map of custom parameters added to outgoing token service requests. */ export type CommonDeviceCodeRequest = BaseAuthRequest & { deviceCodeCallback: (response: DeviceCodeResponse) => void; diff --git a/lib/msal-node/src/request/DeviceCodeRequest.ts b/lib/msal-node/src/request/DeviceCodeRequest.ts index af9ab93116..754d2ddd85 100644 --- a/lib/msal-node/src/request/DeviceCodeRequest.ts +++ b/lib/msal-node/src/request/DeviceCodeRequest.ts @@ -13,6 +13,7 @@ import { CommonDeviceCodeRequest } from "./CommonDeviceCodeRequest.js"; * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. * - deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials. * - cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the the token endpoint of security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true. + * - timeout - Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period, assuming the device code has not expired yet, polling is stopped and the request cancelled. * - extraQueryParameters - String to string map of custom query parameters added to the query string * @public */ diff --git a/lib/msal-node/src/request/SilentFlowRequest.ts b/lib/msal-node/src/request/SilentFlowRequest.ts index 0b3b993ecb..d8f00982ec 100644 --- a/lib/msal-node/src/request/SilentFlowRequest.ts +++ b/lib/msal-node/src/request/SilentFlowRequest.ts @@ -15,6 +15,8 @@ import { AccountInfo, CommonSilentFlowRequest } from "@azure/msal-common/node"; * - extraParameters - String to string map of custom query parameters added to outgoing token service requests * - account - Account entity to lookup the credentials. * - forceRefresh - Forces silent requests to make network calls if true. + * - redirectUri - Redirect URI registered on the app registration. + * - refreshTokenExpirationOffsetSeconds - Number of seconds before the refresh token expires. * @public */ export type SilentFlowRequest = Partial< From 948580a3446e9e7cd4e99eff0962f37708662aa9 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Wed, 7 Jan 2026 13:03:15 -0800 Subject: [PATCH 2/7] Change files --- ...-msal-browser-c77a5d91-8026-4a7c-9a4d-7c07f66d8208.json | 7 +++++++ ...e-msal-common-f13438e9-1b16-4fcf-a97c-5a48e5e6887b.json | 7 +++++++ ...ure-msal-node-ab1aea4a-e097-4a30-b835-20e7f6e88725.json | 7 +++++++ 3 files changed, 21 insertions(+) create mode 100644 change/@azure-msal-browser-c77a5d91-8026-4a7c-9a4d-7c07f66d8208.json create mode 100644 change/@azure-msal-common-f13438e9-1b16-4fcf-a97c-5a48e5e6887b.json create mode 100644 change/@azure-msal-node-ab1aea4a-e097-4a30-b835-20e7f6e88725.json diff --git a/change/@azure-msal-browser-c77a5d91-8026-4a7c-9a4d-7c07f66d8208.json b/change/@azure-msal-browser-c77a5d91-8026-4a7c-9a4d-7c07f66d8208.json new file mode 100644 index 0000000000..360f9a4dda --- /dev/null +++ b/change/@azure-msal-browser-c77a5d91-8026-4a7c-9a4d-7c07f66d8208.json @@ -0,0 +1,7 @@ +{ + "type": "none", + "comment": "Update typedoc comments for requests #8218", + "packageName": "@azure/msal-browser", + "email": "joarroyo@microsoft.com", + "dependentChangeType": "none" +} diff --git a/change/@azure-msal-common-f13438e9-1b16-4fcf-a97c-5a48e5e6887b.json b/change/@azure-msal-common-f13438e9-1b16-4fcf-a97c-5a48e5e6887b.json new file mode 100644 index 0000000000..09ac70c12f --- /dev/null +++ b/change/@azure-msal-common-f13438e9-1b16-4fcf-a97c-5a48e5e6887b.json @@ -0,0 +1,7 @@ +{ + "type": "none", + "comment": "Update typedoc comments for requests #8218", + "packageName": "@azure/msal-common", + "email": "joarroyo@microsoft.com", + "dependentChangeType": "none" +} diff --git a/change/@azure-msal-node-ab1aea4a-e097-4a30-b835-20e7f6e88725.json b/change/@azure-msal-node-ab1aea4a-e097-4a30-b835-20e7f6e88725.json new file mode 100644 index 0000000000..cf59901a22 --- /dev/null +++ b/change/@azure-msal-node-ab1aea4a-e097-4a30-b835-20e7f6e88725.json @@ -0,0 +1,7 @@ +{ + "type": "none", + "comment": "Update typedoc comments for requests #8218", + "packageName": "@azure/msal-node", + "email": "joarroyo@microsoft.com", + "dependentChangeType": "none" +} From ce53dae137eb188e44b0d9d5ee0c6214c9412548 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Wed, 7 Jan 2026 13:20:41 -0800 Subject: [PATCH 3/7] apiExtractor --- lib/msal-browser/apiReview/msal-browser.api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msal-browser/apiReview/msal-browser.api.md b/lib/msal-browser/apiReview/msal-browser.api.md index 6d26b05b6e..9c7c02c233 100644 --- a/lib/msal-browser/apiReview/msal-browser.api.md +++ b/lib/msal-browser/apiReview/msal-browser.api.md @@ -142,7 +142,7 @@ export { AuthErrorCodes } // Warning: (ae-missing-release-tag) "AuthorizationCodeRequest" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal) // -// @public (undocumented) +// @public export type AuthorizationCodeRequest = Partial> & { code?: string; nativeAccountId?: string; From fd1bc42d40598c25f2d4d85e91965f06371a48e8 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Wed, 7 Jan 2026 19:53:06 -0800 Subject: [PATCH 4/7] Update request comments per-parameter --- .../src/request/AuthorizationCodeRequest.ts | 23 +++-- .../src/request/ClearCacheRequest.ts | 8 +- .../src/request/EndSessionPopupRequest.ts | 21 +++-- .../src/request/EndSessionRequest.ts | 9 +- .../request/InitializeApplicationRequest.ts | 5 +- lib/msal-browser/src/request/PopupRequest.ts | 36 +++----- .../src/request/RedirectRequest.ts | 29 ++----- lib/msal-browser/src/request/SilentRequest.ts | 43 ++++++---- .../src/request/SsoSilentRequest.ts | 22 ----- .../src/request/BaseAuthRequest.ts | 84 ++++++++++++++----- .../request/CommonAuthorizationCodeRequest.ts | 33 ++++---- .../request/CommonAuthorizationUrlRequest.ts | 77 ++++++++++------- .../src/request/CommonEndSessionRequest.ts | 28 +++++-- .../src/request/CommonRefreshTokenRequest.ts | 24 +++--- .../src/request/CommonSilentFlowRequest.ts | 28 +++---- .../src/request/AuthorizationCodeRequest.ts | 23 ++--- .../src/request/AuthorizationUrlRequest.ts | 32 ++----- .../src/request/ClientCredentialRequest.ts | 8 +- .../request/CommonClientCredentialRequest.ts | 15 ++-- .../src/request/CommonDeviceCodeRequest.ts | 22 ++--- .../src/request/CommonOnBehalfOfRequest.ts | 12 +-- .../request/CommonUsernamePasswordRequest.ts | 15 ++-- .../src/request/DeviceCodeRequest.ts | 13 ++- .../src/request/InteractiveRequest.ts | 25 ++++-- .../src/request/ManagedIdentityRequest.ts | 8 +- .../request/ManagedIdentityRequestParams.ts | 12 ++- .../src/request/OnBehalfOfRequest.ts | 12 +-- .../src/request/RefreshTokenRequest.ts | 17 ++-- .../src/request/SilentFlowRequest.ts | 16 ++-- .../src/request/UsernamePasswordRequest.ts | 18 ++-- 30 files changed, 385 insertions(+), 333 deletions(-) diff --git a/lib/msal-browser/src/request/AuthorizationCodeRequest.ts b/lib/msal-browser/src/request/AuthorizationCodeRequest.ts index e46cdd2ba1..15ab797358 100644 --- a/lib/msal-browser/src/request/AuthorizationCodeRequest.ts +++ b/lib/msal-browser/src/request/AuthorizationCodeRequest.ts @@ -7,21 +7,28 @@ import { CommonAuthorizationCodeRequest } from "@azure/msal-common/browser"; /** * AuthorizationCodeRequest: Request object passed by browser clients to exchange an authorization code for tokens. - * - * - code - The authorization_code that the user acquired in the first leg of the flow. - * - nativeAccountId - Identifier for the native account when integrating with native or brokered experiences. - * - cloudGraphHostName - Hostname for the Microsoft Cloud instance's Graph endpoint (for example, graph.microsoft.com). - * - msGraphHost - Hostname for the Microsoft Graph endpoint when overriding defaults. - * - cloudInstanceHostName - Hostname for the Azure AD cloud instance that issued the authorization code. - * - * All other properties are inherited from CommonAuthorizationCodeRequest. */ export type AuthorizationCodeRequest = Partial< Omit > & { + /** + * The authorization_code that the user acquired in the first leg of the flow. + */ code?: string; + /** + * Identifier for the native account when integrating with native or brokered experiences. + */ nativeAccountId?: string; + /** + * Hostname for the Microsoft Cloud instance's Graph endpoint (for example, graph.microsoft.com). + */ cloudGraphHostName?: string; + /** + * Hostname for the Microsoft Graph endpoint when overriding defaults. + */ msGraphHost?: string; + /** + * Hostname for the Azure AD cloud instance that issued the authorization code. + */ cloudInstanceHostName?: string; }; diff --git a/lib/msal-browser/src/request/ClearCacheRequest.ts b/lib/msal-browser/src/request/ClearCacheRequest.ts index f5f8131e55..3685a36e68 100644 --- a/lib/msal-browser/src/request/ClearCacheRequest.ts +++ b/lib/msal-browser/src/request/ClearCacheRequest.ts @@ -7,10 +7,14 @@ import { AccountInfo } from "@azure/msal-common/browser"; /** * ClearCacheRequest - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - account - Account object that will be logged out of. All tokens tied to this account will be cleared. */ export type ClearCacheRequest = { + /** + * Unique GUID set per request to trace a request end-to-end for telemetry purposes. + */ correlationId?: string; + /** + * Account object that will be logged out of. All tokens tied to this account will be cleared. + */ account?: AccountInfo | null; }; diff --git a/lib/msal-browser/src/request/EndSessionPopupRequest.ts b/lib/msal-browser/src/request/EndSessionPopupRequest.ts index 18c08919ca..8aa588ea2a 100644 --- a/lib/msal-browser/src/request/EndSessionPopupRequest.ts +++ b/lib/msal-browser/src/request/EndSessionPopupRequest.ts @@ -8,19 +8,22 @@ import { PopupWindowAttributes } from "./PopupWindowAttributes.js"; /** * EndSessionPopupRequest - * - account - Account object that will be logged out of. All tokens tied to this account will be cleared. - * - postLogoutRedirectUri - URI to navigate to after logout page inside the popup. Required to ensure popup can be closed. - * - authority - Authority to send logout request to. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - idTokenHint - ID Token used by B2C to validate logout if required by the policy - * - mainWindowRedirectUri - URI to navigate the main window to after logout is complete - * - popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set. - * - logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout - * - popupWindowParent - Optional window object to use as the parent when opening popup windows. Uses global `window` if not given. */ export type EndSessionPopupRequest = Partial & { + /** + * Authority to send logout request to. + */ authority?: string; + /** + * URI to navigate the main window to after logout is complete + */ mainWindowRedirectUri?: string; + /** + * Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set. + */ popupWindowAttributes?: PopupWindowAttributes; + /** + * Optional window object to use as the parent when opening popup windows. Uses global `window` if not given. + */ popupWindowParent?: Window; }; diff --git a/lib/msal-browser/src/request/EndSessionRequest.ts b/lib/msal-browser/src/request/EndSessionRequest.ts index 115ba59d05..e73d751574 100644 --- a/lib/msal-browser/src/request/EndSessionRequest.ts +++ b/lib/msal-browser/src/request/EndSessionRequest.ts @@ -7,13 +7,10 @@ import { CommonEndSessionRequest } from "@azure/msal-common/browser"; /** * EndSessionRequest - * - account - Account object that will be logged out of. All tokens tied to this account will be cleared. - * - postLogoutRedirectUri - URI to navigate to after logout page. - * - authority - Authority to send logout request to. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - idTokenHint - ID Token used by B2C to validate logout if required by the policy - * - logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout */ export type EndSessionRequest = Partial & { + /** + * Authority to send logout request. + */ authority?: string; }; diff --git a/lib/msal-browser/src/request/InitializeApplicationRequest.ts b/lib/msal-browser/src/request/InitializeApplicationRequest.ts index 56d51014d6..8f9f78c26d 100644 --- a/lib/msal-browser/src/request/InitializeApplicationRequest.ts +++ b/lib/msal-browser/src/request/InitializeApplicationRequest.ts @@ -5,9 +5,10 @@ /** * InitializeApplicationRequest: Request object passed by user to initialize application - * - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. */ export type InitializeApplicationRequest = { + /** + * Unique GUID set per request to trace a request end-to-end for telemetry purposes. + */ correlationId?: string; }; diff --git a/lib/msal-browser/src/request/PopupRequest.ts b/lib/msal-browser/src/request/PopupRequest.ts index 00a9a9daa2..564d380225 100644 --- a/lib/msal-browser/src/request/PopupRequest.ts +++ b/lib/msal-browser/src/request/PopupRequest.ts @@ -9,30 +9,6 @@ import { PopupWindowAttributes } from "./PopupWindowAttributes.js"; /** * PopupRequest: Request object passed by user to retrieve a Code from the * server (first leg of authorization code grant flow) with a popup window. - * - * - scopes - Array of scopes the application is requesting access to. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. - * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. - * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication. - * - prompt - Indicates the type of user interaction that is required. - * login: will force the user to enter their credentials on that request, negating single-sign on - * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error - * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app - * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account - * create: will direct the user to the account creation experience instead of the log in experience - * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. - * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim. - * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. - * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to. - * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. - * - popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set. - * - popupWindowParent - Optional window object to use as the parent when opening popup windows. Uses global `window` if not given. - * - overrideInteractionInProgress - Optional flag to allow overriding an existing interaction_in_progress state for popup flows. **WARNING**: Use with caution! For usage details and examples, see the [login-user.md](../../../docs/login-user.md#handling-interaction_in_progress-errors) documentation. */ export type PopupRequest = Partial< @@ -46,8 +22,20 @@ export type PopupRequest = Partial< | "platformBroker" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set. + */ popupWindowAttributes?: PopupWindowAttributes; + /** + * Optional window object to use as the parent when opening popup windows. Uses global `window` if not given. + */ popupWindowParent?: Window; + /** + * Optional flag to allow overriding an existing interaction_in_progress state for popup flows. **WARNING**: Use with caution! For usage details and examples, see the [login-user.md](../../../docs/login-user.md#handling-interaction_in_progress-errors) documentation. + */ overrideInteractionInProgress?: boolean; }; diff --git a/lib/msal-browser/src/request/RedirectRequest.ts b/lib/msal-browser/src/request/RedirectRequest.ts index 2e2d3af98c..004a82a271 100644 --- a/lib/msal-browser/src/request/RedirectRequest.ts +++ b/lib/msal-browser/src/request/RedirectRequest.ts @@ -8,29 +8,6 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser"; /** * RedirectRequest: Request object passed by user to retrieve a Code from the * server (first leg of authorization code grant flow) with a full page redirect. - * - * - scopes - Array of scopes the application is requesting access to. - * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. - * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. - * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication. - * - prompt - Indicates the type of user interaction that is required. - * login: will force the user to enter their credentials on that request, negating single-sign on - * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error - * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app - * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account - * create: will direct the user to the account creation experience instead of the log in experience - * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. - * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim. - * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. - * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to. - * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. - * - redirectStartPage - The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored. */ export type RedirectRequest = Partial< Omit< @@ -43,6 +20,12 @@ export type RedirectRequest = Partial< | "platformBroker" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored. + */ redirectStartPage?: string; }; diff --git a/lib/msal-browser/src/request/SilentRequest.ts b/lib/msal-browser/src/request/SilentRequest.ts index 9028707d91..12c9b32b4d 100644 --- a/lib/msal-browser/src/request/SilentRequest.ts +++ b/lib/msal-browser/src/request/SilentRequest.ts @@ -14,32 +14,47 @@ import { CacheLookupPolicy } from "../utils/BrowserConstants.js"; * SilentRequest: Request object passed by user to retrieve tokens from the * cache, renew an expired token with a refresh token, or retrieve a code (first leg of authorization code grant flow) * in a hidden iframe. - * - * - scopes - Array of scopes the application is requesting access to. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - account - Account entity to lookup the credentials. - * - forceRefresh - Forces silent requests to make network calls if true. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests. Only used when renewing access tokens. - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests. only used when renewing access tokens. - * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. Only used for cases where refresh token is expired. - * - cacheLookupPolicy - Enum of different ways the silent token can be retrieved. - * - prompt - Indicates the type of user interaction that is required. - * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error - * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. - * - state - A value included in the request that is also returned in the token response when a hidden iframe is used. */ export type SilentRequest = Omit< CommonSilentFlowRequest, "authority" | "correlationId" | "forceRefresh" | "account" > & { + /** + * The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. Only used for cases where refresh token is expired. + */ redirectUri?: string; + /** + * String to string map of custom query parameters added to outgoing token service requests. Only used when renewing access tokens + */ extraQueryParameters?: StringDict; + /** + * Url of the authority which the application acquires tokens from. + */ authority?: string; + /** + * Account entity to lookup the credentials. + */ account?: AccountInfo; + /** + * Unique GUID set per request to trace a request end-to-end for telemetry purposes. + */ correlationId?: string; + /** + * Forces silent requests to make network calls if true. + */ forceRefresh?: boolean; + /** + * Enum of different ways the silent token can be retrieved. + */ cacheLookupPolicy?: CacheLookupPolicy; + /** + * Indicates the type of user interaction that is required. + * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error + * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. + */ prompt?: string; + /** + * A value included in the request that is also returned in the token response when a hidden iframe is used. + */ state?: string; }; diff --git a/lib/msal-browser/src/request/SsoSilentRequest.ts b/lib/msal-browser/src/request/SsoSilentRequest.ts index 4d9c670685..ba7801cd8a 100644 --- a/lib/msal-browser/src/request/SsoSilentRequest.ts +++ b/lib/msal-browser/src/request/SsoSilentRequest.ts @@ -7,28 +7,6 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser"; /** * Request object passed by user to ssoSilent to retrieve a Code from the server (first leg of authorization code grant flow) - * - * - scopes - Array of scopes the application is requesting access to (optional for ssoSilent calls) - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. - * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. - * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. - * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication. - * - prompt - Indicates the type of user interaction that is required. - * login: will force the user to enter their credentials on that request, negating single-sign on - * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error - * consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app - * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account - * create: will direct the user to the account creation experience instead of the log in experience - * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. - * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim. - * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. - * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests. Only used when renewing access tokens. - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests. Only used when renewing access tokens. - * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. */ export type SsoSilentRequest = Partial< Omit< diff --git a/lib/msal-common/src/request/BaseAuthRequest.ts b/lib/msal-common/src/request/BaseAuthRequest.ts index c448553c88..d3c11c441e 100644 --- a/lib/msal-common/src/request/BaseAuthRequest.ts +++ b/lib/msal-common/src/request/BaseAuthRequest.ts @@ -11,48 +11,90 @@ import { ShrOptions } from "../crypto/SignedHttpRequest.js"; /** * BaseAuthRequest - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. Defaults to https://login.microsoftonline.com/common. If using the same authority for all request, authority should set on client application object and not request, to avoid resolving authority endpoints multiple times. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - scopes - Array of scopes the application is requesting access to. - * - authenticationScheme - The type of token retrieved. Defaults to "Bearer". Can also be type "pop" or "SSH". - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - shrClaims - A stringified claims object which will be added to a Signed HTTP Request - * - shrNonce - A server-generated timestamp that has been encrypted and base64URL encoded, which will be added to a Signed HTTP Request. - * - shrOptions - An object containing options for the Signed HTTP Request - * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. - * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - sshJwk - A stringified JSON Web Key representing a public key that can be signed by an SSH certificate. - * - sshKid - Key ID that uniquely identifies the SSH public key mentioned above. - * - azureCloudOptions - Convenience string enums for users to provide public/sovereign cloud ids - * - maxAge - Maximum allowed age, in milliseconds, of the user's authentication before a new sign-in is required. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - storeInCache - Object containing boolean values indicating whether to store tokens in the cache or not (default is true) - * - scenarioId - Scenario id to track custom user prompts - * - popKid - Key ID to identify the public key for PoP token request - * - embeddedClientId - Embedded client id. When specified, broker client id (brk_client_id) and redirect uri (brk_redirect_uri) params are set with values from the config, overriding the corresponding extra parameters, if present. - * - httpMethod - HTTP method to use for the /authorize request. Defaults to GET, but can be set to POST if the request requires body parameters. - * - extraParameters - String to string map of custom parameters added to outgoing token service requests. */ export type BaseAuthRequest = { + /** + * URL of the authority, the security token service (STS) from which MSAL will acquire tokens. Defaults to https://login.microsoftonline.com/common. If using the same authority for all request, authority should set on client application object and not request, to avoid resolving authority endpoints multiple times. + */ authority: string; + /** + * Unique GUID set per request to trace a request end-to-end for telemetry purposes. + */ correlationId: string; + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * The type of token retrieved. Defaults to "Bearer". Can also be type "pop" or "SSH". + */ authenticationScheme?: AuthenticationScheme; + /** + * A stringified claims request which will be added to all /authorize and /token calls + */ claims?: string; + /** + * A stringified claims object which will be added to a Signed HTTP Request + */ shrClaims?: string; + /** + * A server-generated timestamp that has been encrypted and base64URL encoded, which will be added to a Signed HTTP Request. + */ shrNonce?: string; + /** + * An object containing options for the Signed HTTP Request + */ shrOptions?: ShrOptions; + /** + * HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. + */ resourceRequestMethod?: string; + /** + * URI that token will be used for. Used for proof-of-possession flows. + */ resourceRequestUri?: string; + /** + * A stringified JSON Web Key representing a public key that can be signed by an SSH certificate. + */ sshJwk?: string; + /** + * Key ID that uniquely identifies the SSH public key mentioned above. + */ sshKid?: string; + /** + * Convenience string enums for users to provide public/sovereign cloud ids + */ azureCloudOptions?: AzureCloudOptions; + /** + * Maximum allowed age, in milliseconds, of the user's authentication before a new sign-in is required. + */ maxAge?: number; + /** + * Object containing boolean values indicating whether to store tokens in the cache or not (default is true) + */ storeInCache?: StoreInCache; + /** + * Scenario id to track custom user prompts + */ scenarioId?: string; + /** + * Key ID to identify the public key for PoP token request + */ popKid?: string; + /** + * Embedded client id. When specified, broker client id (brk_client_id) and redirect uri (brk_redirect_uri) params are set with values from the config, overriding the corresponding extra parameters, if present. + */ embeddedClientId?: string; + /** + * HTTP method to use for the /authorize request. Defaults to GET, but can be set to POST if the request requires body parameters. + */ httpMethod?: HttpMethod; + /** + * String to string map of custom query parameters added to outgoing token service requests + */ extraQueryParameters?: StringDict; + /** + * String to string map of custom parameters added to outgoing token service requests. + */ extraParameters?: StringDict; }; diff --git a/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts b/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts index ccbc0b8141..c93220ba78 100644 --- a/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts +++ b/lib/msal-common/src/request/CommonAuthorizationCodeRequest.ts @@ -8,27 +8,30 @@ import { CcsCredential } from "../account/CcsCredential.js"; /** * Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow) - * - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - redirectUri - The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal - * - code - The authorization_code that the user acquired in the first leg of the flow. - * - codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request.For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636 - * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. - * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - enableSpaAuthorizationCode - Enables the acquisition of a SPA authorization code (confidential clients only). - * - clientInfo - Encoded client_info returned with the authorization code, used to bind the token response to a specific account. - * - ccsCredential - Credential used to populate the CCS (Cache Credential Service) header. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests. - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests. */ export type CommonAuthorizationCodeRequest = BaseAuthRequest & { + /** + * The authorization_code that the user acquired in the first leg of the flow. + */ code: string; + /** + * The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal + */ redirectUri: string; + /** + * The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request.For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636 + */ codeVerifier?: string; + /** + * Enables the acquisition of a SPA authorization code (confidential clients only). + */ enableSpaAuthorizationCode?: boolean; + /** + * Encoded client_info returned with the authorization code, used to bind the token response to a specific account. + */ clientInfo?: string; + /** + * Credential used to populate the CCS (Cache Credential Service) header. + */ ccsCredential?: CcsCredential; }; diff --git a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts index 71670191b4..aa8d2b5a5d 100644 --- a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts +++ b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts @@ -9,49 +9,68 @@ import { AccountInfo } from "../account/AccountInfo.js"; /** * Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) - * - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. - * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. - * - responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query. - * - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636 - * - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636 - * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication. - * - prompt - Indicates the type of user interaction that is required. - * login: will force the user to enter their credentials on that request, negating single-sign on - * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error - * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app - * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account - * create: will direct the user to the account creation experience instead of the log in experience - * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. - * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. - * - earJwk - JSON Web Key used when constructing External Authorization Request (EAR) parameters. - * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim. - * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. - * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. - * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. - * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - platformBroker - Indicates whether this authorization request is being initiated by a platform authentication broker instead of a standard web flow. */ export type CommonAuthorizationUrlRequest = BaseAuthRequest & { + /** + * The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. + */ redirectUri: string; + /** + * Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query. + */ responseMode: ResponseMode; + /** + * AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. + */ account?: AccountInfo; + /** + * JSON Web Key used when constructing External Authorization Request (EAR) parameters. + */ earJwk?: string; + /** + * Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636 + */ codeChallenge?: string; + /** + * The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636 + */ codeChallengeMethod?: string; + /** + * Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. + */ domainHint?: string; + /** + * Scopes for a different resource when the user needs consent upfront. + */ extraScopesToConsent?: Array; + /** + * Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim. + */ loginHint?: string; + /** + * A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. + */ nonce: string; + /** + * Indicates the type of user interaction that is required. + * login: will force the user to enter their credentials on that request, negating single-sign on + * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error + * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app + * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account + * create: will direct the user to the account creation experience instead of the log in experience + * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. + */ prompt?: string; + /** + * Session ID, unique identifier for the session. Available as an optional claim on ID tokens. + */ sid?: string; + /** + * A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication. + */ state: string; + /** + * Indicates whether this authorization request is being initiated by a platform authentication broker instead of a standard web flow. + */ platformBroker?: boolean; }; diff --git a/lib/msal-common/src/request/CommonEndSessionRequest.ts b/lib/msal-common/src/request/CommonEndSessionRequest.ts index 637b1d0c22..35b6e685d8 100644 --- a/lib/msal-common/src/request/CommonEndSessionRequest.ts +++ b/lib/msal-common/src/request/CommonEndSessionRequest.ts @@ -8,20 +8,34 @@ import { StringDict } from "../utils/MsalTypes.js"; /** * CommonEndSessionRequest - * - account - Account object that will be logged out of. All tokens tied to this account will be cleared. - * - postLogoutRedirectUri - URI to navigate to after logout page. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - idTokenHint - ID Token used by B2C to validate logout if required by the policy - * - state - A value included in the request to the logout endpoint which will be returned in the query string upon post logout redirection. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after logout. - * - logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout - * - extraQueryParameters - String to string map of custom query parameters added to the /authorize call */ export type CommonEndSessionRequest = { + /** + * Unique GUID set per request to trace a request end-to-end for telemetry purposes. + */ correlationId: string; + /** + * Account object that will be logged out of. All tokens tied to this account will be cleared. + */ account?: AccountInfo | null; + /** + * URI to navigate to after logout page. + */ postLogoutRedirectUri?: string | null; + /** + * ID Token used by B2C to validate logout if required by the policy + */ idTokenHint?: string; + /** + * A value included in the request to the logout endpoint which will be returned in the query string upon post logout redirection. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after logout. + */ state?: string; + /** + * A string that specifies the account that is being logged out in order to skip the server account picker on logout + */ logoutHint?: string; + /** + * String to string map of custom query parameters added to the /authorize call + */ extraQueryParameters?: StringDict; }; diff --git a/lib/msal-common/src/request/CommonRefreshTokenRequest.ts b/lib/msal-common/src/request/CommonRefreshTokenRequest.ts index 0e4c555576..b8785fe8fb 100644 --- a/lib/msal-common/src/request/CommonRefreshTokenRequest.ts +++ b/lib/msal-common/src/request/CommonRefreshTokenRequest.ts @@ -8,22 +8,22 @@ import { CcsCredential } from "../account/CcsCredential.js"; /** * CommonRefreshTokenRequest - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - refreshToken - A refresh token returned from a previous request to the Identity provider. - * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. - * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - forceCache - Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios. - * - ccsCredential - Credential used to populate the CCS (Cache Credential Service) header. - * - redirectUri - Redirect URI to send with the refresh token request. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests */ export type CommonRefreshTokenRequest = BaseAuthRequest & { + /** + * A refresh token returned from a previous request to the Identity provider. + */ refreshToken: string; + /** + * Credential used to populate the CCS (Cache Credential Service) header. + */ ccsCredential?: CcsCredential; + /** + * Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios. + */ forceCache?: boolean; + /** + * Redirect URI to send with the refresh token request. + */ redirectUri?: string; }; diff --git a/lib/msal-common/src/request/CommonSilentFlowRequest.ts b/lib/msal-common/src/request/CommonSilentFlowRequest.ts index dc95abb687..eab88cf351 100644 --- a/lib/msal-common/src/request/CommonSilentFlowRequest.ts +++ b/lib/msal-common/src/request/CommonSilentFlowRequest.ts @@ -8,26 +8,22 @@ import { BaseAuthRequest } from "./BaseAuthRequest.js"; /** * SilentFlow parameters passed by the user to retrieve credentials silently - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - account - Account entity to lookup the credentials. - * - forceRefresh - Forces silent requests to make network calls if true. - * - redirectUri - Redirect URI registered on the app registration. - * - refreshTokenExpirationOffsetSeconds - Number of seconds before the refresh token expires. - * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. - * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests */ export type CommonSilentFlowRequest = BaseAuthRequest & { - /** Account object to lookup the credentials */ + /** + * Account object to lookup the credentials + */ account: AccountInfo; - /** Skip cache lookup and forces network call(s) to get fresh tokens */ + /** + * Skip cache lookup and forces network call(s) to get fresh tokens + */ forceRefresh: boolean; - /** RedirectUri registered on the app registration - only required in brokering scenarios */ + /** + * RedirectUri registered on the app registration - only required in brokering scenarios + */ redirectUri?: string; - /** If refresh token will expire within the configured value, consider it already expired. Used to pre-emptively invoke interaction when cached refresh token is close to expiry. */ + /** + * If refresh token will expire within the configured value, consider it already expired. Used to pre-emptively invoke interaction when cached refresh token is close to expiry. + */ refreshTokenExpirationOffsetSeconds?: number; }; diff --git a/lib/msal-node/src/request/AuthorizationCodeRequest.ts b/lib/msal-node/src/request/AuthorizationCodeRequest.ts index b3c8467a95..6581a482b0 100644 --- a/lib/msal-node/src/request/AuthorizationCodeRequest.ts +++ b/lib/msal-node/src/request/AuthorizationCodeRequest.ts @@ -7,17 +7,6 @@ import { CommonAuthorizationCodeRequest } from "@azure/msal-common/node"; /** * Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow) - * - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - redirectUri - The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - code - The authorization_code that the user acquired in the first leg of the flow. - * - codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request.For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636 - * - state - Unique GUID generated by the user that is cached by the user and sent to the server during the first leg of the flow. This string is sent back by the server with the authorization code. The user cached state is then compared with the state received from the server to mitigate the risk of CSRF attacks. See https://datatracker.ietf.org/doc/html/rfc6819#section-3.6. * @public */ export type AuthorizationCodeRequest = Partial< @@ -32,8 +21,20 @@ export type AuthorizationCodeRequest = Partial< | "storeInCache" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal. + */ redirectUri: string; + /** + * The authorization_code that the user acquired in the first leg of the flow. + */ code: string; + /** + * Unique GUID generated by the user that is cached by the user and sent to the server during the first leg of the flow. This string is sent back by the server with the authorization code. The user cached state is then compared with the state received from the server to mitigate the risk of CSRF attacks. See https://datatracker.ietf.org/doc/html/rfc6819#section-3.6. + */ state?: string; }; diff --git a/lib/msal-node/src/request/AuthorizationUrlRequest.ts b/lib/msal-node/src/request/AuthorizationUrlRequest.ts index bac21b963f..81bb9c46c0 100644 --- a/lib/msal-node/src/request/AuthorizationUrlRequest.ts +++ b/lib/msal-node/src/request/AuthorizationUrlRequest.ts @@ -7,32 +7,6 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node"; /** * Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) - * - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. - * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. - * - responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query. - * - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636 - * - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636 - * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. - * - earJwk - JSON Web Key used when constructing External Authorization Request (EAR) parameters for this authorization request. - * - prompt - Indicates the type of user interaction that is required. - * login: will force the user to enter their credentials on that request, negating single-sign on - * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error - * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app - * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account - * create: will direct the user to the account creation experience instead of the log in experience - * - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided. - * - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim. - * - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. - * - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. - * - platformBroker - Indicates whether this authorization request is being initiated by a platform authentication broker instead of a standard web flow. * @public */ export type AuthorizationUrlRequest = Partial< @@ -46,6 +20,12 @@ export type AuthorizationUrlRequest = Partial< | "storeInCache" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. + */ redirectUri: string; }; diff --git a/lib/msal-node/src/request/ClientCredentialRequest.ts b/lib/msal-node/src/request/ClientCredentialRequest.ts index d47c5bbc35..b04243fea3 100644 --- a/lib/msal-node/src/request/ClientCredentialRequest.ts +++ b/lib/msal-node/src/request/ClientCredentialRequest.ts @@ -8,11 +8,6 @@ import { CommonClientCredentialRequest } from "./CommonClientCredentialRequest.j /** * ClientCredentialRequest - * - scopes - Array of scopes the application is requesting access to. Typically contains only the .default scope for a single resource. See: https://learn.microsoft.com/azure/active-directory/develop/scopes-oidc#the-default-scope - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false. - * - clientAssertion - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow * @public */ export type ClientCredentialRequest = Partial< @@ -24,5 +19,8 @@ export type ClientCredentialRequest = Partial< | "storeInCache" > > & { + /** + * An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow + */ clientAssertion?: string | ClientAssertionCallback; }; diff --git a/lib/msal-node/src/request/CommonClientCredentialRequest.ts b/lib/msal-node/src/request/CommonClientCredentialRequest.ts index 95e89ef55d..226ba783c8 100644 --- a/lib/msal-node/src/request/CommonClientCredentialRequest.ts +++ b/lib/msal-node/src/request/CommonClientCredentialRequest.ts @@ -11,18 +11,21 @@ import { /** * CommonClientCredentialRequest - * - scopes - Array of scopes the application is requesting access to. - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false. - * - clientAssertion - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow. - * - azureRegion - Azure region to be used for regional authentication. */ export type CommonClientCredentialRequest = Omit< BaseAuthRequest, "extraQueryParameters" | "extraParameters" > & { + /** + * Skip token cache lookup and force request to authority to get a a new token. Defaults to false. + */ skipCache?: boolean; + /** + * Azure region to be used for regional authentication. + */ azureRegion?: AzureRegion; + /** + * An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow. + */ clientAssertion?: ClientAssertion; }; diff --git a/lib/msal-node/src/request/CommonDeviceCodeRequest.ts b/lib/msal-node/src/request/CommonDeviceCodeRequest.ts index 628a08aa03..491c70e9c9 100644 --- a/lib/msal-node/src/request/CommonDeviceCodeRequest.ts +++ b/lib/msal-node/src/request/CommonDeviceCodeRequest.ts @@ -11,20 +11,22 @@ import { /** * Parameters for Oauth2 device code flow. - * - scopes - Array of scopes the application is requesting access to. - * - authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials. - * - cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the the token endpoint of security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true. - * - resourceRequestMethod - HTTP Request type used to request data from the resource (i.e. "GET", "POST", etc.). Used for proof-of-possession flows. - * - resourceRequestUri - URI that token will be used for. Used for proof-of-possession flows. - * - timeout - Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period; assuming the device code has not expired yet; the device code polling is stopped and the request cancelled. The device code expiration window will always take precedence over this set period. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests. - * - extraParameters - String to string map of custom parameters added to outgoing token service requests. */ export type CommonDeviceCodeRequest = BaseAuthRequest & { + /** + * Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials. + */ deviceCodeCallback: (response: DeviceCodeResponse) => void; + /** + * Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the the token endpoint of security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true. + */ cancel?: boolean; + /** + * Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period; assuming the device code has not expired yet; the device code polling is stopped and the request cancelled. The device code expiration window will always take precedence over this set period. + */ timeout?: number; + /** + * String to string map of custom query parameters added to outgoing token service requests. + */ extraQueryParameters?: StringDict; }; diff --git a/lib/msal-node/src/request/CommonOnBehalfOfRequest.ts b/lib/msal-node/src/request/CommonOnBehalfOfRequest.ts index c107ab48bb..1d011ae7ca 100644 --- a/lib/msal-node/src/request/CommonOnBehalfOfRequest.ts +++ b/lib/msal-node/src/request/CommonOnBehalfOfRequest.ts @@ -6,16 +6,18 @@ import { BaseAuthRequest } from "@azure/msal-common/node"; /** - * - scopes - Array of scopes the application is requesting access to. - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - oboAssertion - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request. - * - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false. + * CommonOnBehalfOfRequest */ export type CommonOnBehalfOfRequest = Omit< BaseAuthRequest, "extraQueryParameters" | "extraParameters" > & { + /** + * The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request. + */ oboAssertion: string; + /** + * Skip token cache lookup and force request to authority to get a a new token. Defaults to false. + */ skipCache?: boolean; }; diff --git a/lib/msal-node/src/request/CommonUsernamePasswordRequest.ts b/lib/msal-node/src/request/CommonUsernamePasswordRequest.ts index f092fa6efe..90fe7a78f5 100644 --- a/lib/msal-node/src/request/CommonUsernamePasswordRequest.ts +++ b/lib/msal-node/src/request/CommonUsernamePasswordRequest.ts @@ -8,17 +8,14 @@ import { BaseAuthRequest } from "@azure/msal-common/node"; /** * CommonUsernamePassword parameters passed by the user to retrieve credentials * Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing. - * - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - username - username of the client - * - password - credentials - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests */ export type CommonUsernamePasswordRequest = BaseAuthRequest & { + /** + * Username of the client + */ username: string; + /** + * Credentials + */ password: string; }; diff --git a/lib/msal-node/src/request/DeviceCodeRequest.ts b/lib/msal-node/src/request/DeviceCodeRequest.ts index 754d2ddd85..c7d6e2c4ae 100644 --- a/lib/msal-node/src/request/DeviceCodeRequest.ts +++ b/lib/msal-node/src/request/DeviceCodeRequest.ts @@ -8,13 +8,6 @@ import { CommonDeviceCodeRequest } from "./CommonDeviceCodeRequest.js"; /** * Parameters for Oauth2 device code flow. - * - scopes - Array of scopes the application is requesting access to. - * - authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials. - * - cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the the token endpoint of security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true. - * - timeout - Timeout period in seconds which the user explicitly configures for the polling of the device code endpoint. At the end of this period, assuming the device code has not expired yet, polling is stopped and the request cancelled. - * - extraQueryParameters - String to string map of custom query parameters added to the query string * @public */ export type DeviceCodeRequest = Partial< @@ -27,6 +20,12 @@ export type DeviceCodeRequest = Partial< | "storeInCache" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials. + */ deviceCodeCallback: (response: DeviceCodeResponse) => void; }; diff --git a/lib/msal-node/src/request/InteractiveRequest.ts b/lib/msal-node/src/request/InteractiveRequest.ts index 7ef27b0de8..cacdd604fe 100644 --- a/lib/msal-node/src/request/InteractiveRequest.ts +++ b/lib/msal-node/src/request/InteractiveRequest.ts @@ -8,22 +8,33 @@ import { ILoopbackClient } from "../network/ILoopbackClient.js"; /** * Request object passed by user to configure acquireTokenInteractive API - * - * - openBrowser - Function to open a browser instance on user's system. - * - scopes - Array of scopes the application is requesting access to. - * - successTemplate: - Template to be displayed on the opened browser instance upon successful token acquisition. - * - errorTemplate - Template to be displayed on the opened browser instance upon token acquisition failure. - * - windowHandle - Used in native broker flows to properly parent the native broker window - * - loopbackClient - Custom implementation for a loopback server to listen for authorization code response. * @public */ export type InteractiveRequest = Partial< Omit > & { + /** + * Function to open a browser instance on user's system. + */ openBrowser: (url: string) => Promise; + /** + * Array of scopes the application is requesting access to. + */ scopes?: Array; + /** + * Template to be displayed on the opened browser instance upon successful token acquisition. + */ successTemplate?: string; + /** + * Template to be displayed on the opened browser instance upon token acquisition failure. + */ errorTemplate?: string; + /** + * Used in native broker flows to properly parent the native broker window + */ windowHandle?: Buffer; // Relevant only to brokered requests + /** + * Custom implementation for a loopback server to listen for authorization code response. + */ loopbackClient?: ILoopbackClient; }; diff --git a/lib/msal-node/src/request/ManagedIdentityRequest.ts b/lib/msal-node/src/request/ManagedIdentityRequest.ts index 72b8f8171d..427ec0da30 100644 --- a/lib/msal-node/src/request/ManagedIdentityRequest.ts +++ b/lib/msal-node/src/request/ManagedIdentityRequest.ts @@ -8,11 +8,15 @@ import { ManagedIdentityRequestParams } from "./ManagedIdentityRequestParams.js" /** * ManagedIdentityRequest - * - clientCapabilities - an array of capabilities to be added to all network requests as part of the `xms_cc` claim - * - revokedTokenSha256Hash - a SHA256 hash of the token that was revoked. The managed identity will revoke the token based on the SHA256 hash of the token, not the token itself. This is to prevent the token from being leaked in transit. */ export type ManagedIdentityRequest = ManagedIdentityRequestParams & CommonClientCredentialRequest & { + /** + * An array of capabilities to be added to all network requests as part of the `xms_cc` claim + */ clientCapabilities?: Array; + /** + * A SHA256 hash of the token that was revoked. The managed identity will revoke the token based on the SHA256 hash of the token, not the token itself. This is to prevent the token from being leaked in transit. + */ revokedTokenSha256Hash?: string; }; diff --git a/lib/msal-node/src/request/ManagedIdentityRequestParams.ts b/lib/msal-node/src/request/ManagedIdentityRequestParams.ts index 9ba9ef4fcd..5b0692d4f1 100644 --- a/lib/msal-node/src/request/ManagedIdentityRequestParams.ts +++ b/lib/msal-node/src/request/ManagedIdentityRequestParams.ts @@ -5,13 +5,19 @@ /** * ManagedIdentityRequest - * - claims - a stringified claims request which will be used to determine whether or not the cache should be skipped - * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true - * - resource - resource requested to access the protected API. It should be of the form "ResourceIdUri" or "ResourceIdUri/.default". For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default * @public */ export type ManagedIdentityRequestParams = { + /** + * A stringified claims request which will be used to determine whether or not the cache should be skipped + */ claims?: string; + /** + * Forces managed identity requests to skip the cache and make network calls if true + */ forceRefresh?: boolean; + /** + * Resource requested to access the protected API. It should be of the form "ResourceIdUri" or "ResourceIdUri/.default". For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default + */ resource: string; }; diff --git a/lib/msal-node/src/request/OnBehalfOfRequest.ts b/lib/msal-node/src/request/OnBehalfOfRequest.ts index 5ba1fb7876..abf94b741b 100644 --- a/lib/msal-node/src/request/OnBehalfOfRequest.ts +++ b/lib/msal-node/src/request/OnBehalfOfRequest.ts @@ -6,11 +6,7 @@ import { CommonOnBehalfOfRequest } from "./CommonOnBehalfOfRequest.js"; /** - * - scopes - Array of scopes the application is requesting access to. - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - oboAssertion - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request. - * - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false. + * OnBehalfOfRequest * @public */ export type OnBehalfOfRequest = Partial< @@ -23,6 +19,12 @@ export type OnBehalfOfRequest = Partial< | "storeInCache" > > & { + /** + * The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request. + */ oboAssertion: string; + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; }; diff --git a/lib/msal-node/src/request/RefreshTokenRequest.ts b/lib/msal-node/src/request/RefreshTokenRequest.ts index 6c11a6deec..551acd63c0 100644 --- a/lib/msal-node/src/request/RefreshTokenRequest.ts +++ b/lib/msal-node/src/request/RefreshTokenRequest.ts @@ -7,14 +7,6 @@ import { CommonRefreshTokenRequest } from "@azure/msal-common/node"; /** * CommonRefreshTokenRequest - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls - * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - refreshToken - A refresh token returned from a previous request to the Identity provider. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - forceCache - Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios. * @public */ export type RefreshTokenRequest = Partial< @@ -28,7 +20,16 @@ export type RefreshTokenRequest = Partial< | "storeInCache" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * A refresh token returned from a previous request to the Identity provider. + */ refreshToken: string; + /** + * Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios. + */ forceCache?: boolean; }; diff --git a/lib/msal-node/src/request/SilentFlowRequest.ts b/lib/msal-node/src/request/SilentFlowRequest.ts index d8f00982ec..067748976e 100644 --- a/lib/msal-node/src/request/SilentFlowRequest.ts +++ b/lib/msal-node/src/request/SilentFlowRequest.ts @@ -7,21 +7,17 @@ import { AccountInfo, CommonSilentFlowRequest } from "@azure/msal-common/node"; /** * SilentFlow parameters passed by the user to retrieve credentials silently - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests - * - account - Account entity to lookup the credentials. - * - forceRefresh - Forces silent requests to make network calls if true. - * - redirectUri - Redirect URI registered on the app registration. - * - refreshTokenExpirationOffsetSeconds - Number of seconds before the refresh token expires. * @public */ export type SilentFlowRequest = Partial< Omit > & { + /** + * Account entity to lookup the credentials. + */ account: AccountInfo; + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; }; diff --git a/lib/msal-node/src/request/UsernamePasswordRequest.ts b/lib/msal-node/src/request/UsernamePasswordRequest.ts index 37d562ea6a..e2ae578ed4 100644 --- a/lib/msal-node/src/request/UsernamePasswordRequest.ts +++ b/lib/msal-node/src/request/UsernamePasswordRequest.ts @@ -8,15 +8,6 @@ import { CommonUsernamePasswordRequest } from "./CommonUsernamePasswordRequest.j /** * UsernamePassword parameters passed by the user to retrieve credentials * Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing. - * - * - scopes - Array of scopes the application is requesting access to. - * - claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed. - * - authority - Url of the authority which the application acquires tokens from. - * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. - * - username - username of the client - * - password - credentials - * - extraQueryParameters - String to string map of custom query parameters added to outgoing token service requests - * - extraParameters - String to string map of custom query parameters added to outgoing token service requests * @public */ export type UsernamePasswordRequest = Partial< @@ -30,7 +21,16 @@ export type UsernamePasswordRequest = Partial< | "storeInCache" > > & { + /** + * Array of scopes the application is requesting access to. + */ scopes: Array; + /** + * Username of the client + */ username: string; + /** + * Credentials + */ password: string; }; From a85f9462055c6869fcd3b02262d2115b08fc64e4 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Wed, 7 Jan 2026 20:05:40 -0800 Subject: [PATCH 5/7] format:fix --- .../src/request/CommonSilentFlowRequest.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/msal-common/src/request/CommonSilentFlowRequest.ts b/lib/msal-common/src/request/CommonSilentFlowRequest.ts index eab88cf351..31ec6c1313 100644 --- a/lib/msal-common/src/request/CommonSilentFlowRequest.ts +++ b/lib/msal-common/src/request/CommonSilentFlowRequest.ts @@ -10,19 +10,19 @@ import { BaseAuthRequest } from "./BaseAuthRequest.js"; * SilentFlow parameters passed by the user to retrieve credentials silently */ export type CommonSilentFlowRequest = BaseAuthRequest & { - /** + /** * Account object to lookup the credentials */ account: AccountInfo; - /** - * Skip cache lookup and forces network call(s) to get fresh tokens + /** + * Skip cache lookup and forces network call(s) to get fresh tokens */ forceRefresh: boolean; - /** - * RedirectUri registered on the app registration - only required in brokering scenarios + /** + * RedirectUri registered on the app registration - only required in brokering scenarios */ redirectUri?: string; - /** + /** * If refresh token will expire within the configured value, consider it already expired. Used to pre-emptively invoke interaction when cached refresh token is close to expiry. */ refreshTokenExpirationOffsetSeconds?: number; From 671fd376a67a5a5923acbfc6a5a5d5da016286e1 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Thu, 8 Jan 2026 16:29:32 -0800 Subject: [PATCH 6/7] Apply suggestions from code review Co-authored-by: Thomas Norling --- lib/msal-browser/src/request/SilentRequest.ts | 2 +- lib/msal-common/src/request/BaseAuthRequest.ts | 2 +- .../src/request/CommonAuthorizationUrlRequest.ts | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/msal-browser/src/request/SilentRequest.ts b/lib/msal-browser/src/request/SilentRequest.ts index 12c9b32b4d..6f35ec22fb 100644 --- a/lib/msal-browser/src/request/SilentRequest.ts +++ b/lib/msal-browser/src/request/SilentRequest.ts @@ -24,7 +24,7 @@ export type SilentRequest = Omit< */ redirectUri?: string; /** - * String to string map of custom query parameters added to outgoing token service requests. Only used when renewing access tokens + * String to string map of custom query parameters added to outgoing token service requests. Unless the parameter is ONLY supported on query string use extraParameters instead. */ extraQueryParameters?: StringDict; /** diff --git a/lib/msal-common/src/request/BaseAuthRequest.ts b/lib/msal-common/src/request/BaseAuthRequest.ts index d3c11c441e..fb918c7a4f 100644 --- a/lib/msal-common/src/request/BaseAuthRequest.ts +++ b/lib/msal-common/src/request/BaseAuthRequest.ts @@ -90,7 +90,7 @@ export type BaseAuthRequest = { */ httpMethod?: HttpMethod; /** - * String to string map of custom query parameters added to outgoing token service requests + * String to string map of custom query parameters added to outgoing token service requests. Unless the parameter is only supported on query strings use extraParameters instead */ extraQueryParameters?: StringDict; /** diff --git a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts index aa8d2b5a5d..0672e975d7 100644 --- a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts +++ b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts @@ -24,7 +24,7 @@ export type CommonAuthorizationUrlRequest = BaseAuthRequest & { */ account?: AccountInfo; /** - * JSON Web Key used when constructing External Authorization Request (EAR) parameters. + * JSON Web Key used when constructing Encrypted Authorize Response (EAR) parameters. */ earJwk?: string; /** @@ -44,7 +44,7 @@ export type CommonAuthorizationUrlRequest = BaseAuthRequest & { */ extraScopesToConsent?: Array; /** - * Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim. + * Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Can also be the string value extracted from the login_hint claim on an idToken obtained previously to provide SSO. */ loginHint?: string; /** @@ -62,7 +62,7 @@ export type CommonAuthorizationUrlRequest = BaseAuthRequest & { */ prompt?: string; /** - * Session ID, unique identifier for the session. Available as an optional claim on ID tokens. + * Session ID, unique identifier for the session. Available as an optional claim on ID tokens. Use login_hint optional claim provided on loginHint paramter instead, when available. */ sid?: string; /** From 075889073ae076f51e2b133c8acb64209e233535 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Thu, 8 Jan 2026 16:40:21 -0800 Subject: [PATCH 7/7] Update SilentRequest comment --- lib/msal-browser/src/request/SilentRequest.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/msal-browser/src/request/SilentRequest.ts b/lib/msal-browser/src/request/SilentRequest.ts index 12c9b32b4d..24b7566307 100644 --- a/lib/msal-browser/src/request/SilentRequest.ts +++ b/lib/msal-browser/src/request/SilentRequest.ts @@ -49,7 +49,11 @@ export type SilentRequest = Omit< cacheLookupPolicy?: CacheLookupPolicy; /** * Indicates the type of user interaction that is required. + * login: will force the user to enter their credentials on that request, negating single-sign on * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error + * consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app + * select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account + * create: will direct the user to the account creation experience instead of the log in experience * no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. */ prompt?: string;