@azure/msal-common package

General error class thrown by the MSAL.js library.

This is a helper class that parses supported HTTP response authentication headers to extract and return header challenge values that can be used outside the basic authorization flows.

Error thrown when there is an error with the cache

Error thrown when there is an error in the client code running on the browser.

Error thrown when there is an error in configuration of the MSAL.js library.

Error thrown when user interaction is required.

Class which facilitates logging of messages to a specific place.

Represents network related errors

Error class for MSAL Runtime errors that preserves detailed broker information

The ScopeSet class creates a set of scopes. Scopes are case-insensitive, unique values, so the Set object in JS makes the most sense to implement for this class. All scopes are trimmed and converted to lower case strings in intersection and union functions to ensure uniqueness of strings.

Error thrown when there is an error with the server code, for example, unavailability.

Url object class which can perform various transformations on url strings.

This class instance helps track the memory changes facilitating decisions to read from and write to the persistent cache

Interface for crypto functions used by library

Client network interface to send backend requests.

Interface which describes URI components.

Response object used for loading external tokens to cache.

• token_type: Indicates the token type value. The only type that Azure AD supports is Bearer.
• scope: The scopes that the access_token is valid for.
• expires_in: How long the access token is valid (in seconds).
• id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
• refresh_token: An OAuth 2.0 refresh token. The app can use this token acquire additional access tokens after the current access token expires.
• access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
• client_info: Client info object

Performance measurement taken by the library, including metadata about the request and application.

Access token cache type

Account: <home_account_id>-<environment>-<realm*>

Account object with the following signature:

• homeAccountId - Home account identifier for this account object
• environment - Entity which issued the token represented by the domain of the issuer (e.g. login.microsoftonline.com)
• tenantId - Full tenant or organizational id that this account belongs to
• username - preferred_username claim of the id_token that represents this account
• localAccountId - Local, tenant-specific account identifer for this account object, usually used in legacy cases
• name - Full name for the account, including given name and family name
• idToken - raw ID token
• idTokenClaims - Object contains claims from ID token
• nativeAccountId - The user's native account ID
• tenantProfiles - Map of tenant profile objects for each tenant that the account has authenticated with in the browser
• dataBoundary - Data boundary extracted from clientInfo

App Metadata Cache Type

Telemetry information sent on request

• appName: Unique string name of an application
• appVersion: Version of the application using MSAL

Result returned from the authority's token endpoint.

• uniqueId - oid or sub claim from ID token
• tenantId - tid claim from ID token
• scopes - Scopes that are validated for the respective token
• account - An account object representation of the currently signed-in user
• idToken - Id token received as part of the response
• idTokenClaims - MSAL-relevant ID token claims
• accessToken - Access token or SSH certificate received as part of the response
• fromCache - Boolean denoting whether token came from cache
• expiresOn - Javascript Date object representing relative expiration of access token
• extExpiresOn - Javascript Date object representing extended relative expiration of access token in case of server outage
• refreshOn - Javascript Date object representing relative time until an access token must be refreshed
• state - Value passed in by user in request
• familyId - Family ID identifier, usually only used for refresh tokens
• requestId - Request ID returned as part of the response

Response returned after processing the code response query string or fragment.

Response properties that may be returned by the /authorize endpoint

AzureCloudInstance specific options

• azureCloudInstance - string enum providing short notation for soverign and public cloud authorities
• tenant - provision to provide the tenant info

BaseAuthRequest

Client info object which consists of: uid: user id utid: tenant id xms_tdbr: optional, only for non-US tenants

Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow)

Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow)

CommonEndSessionRequest

CommonRefreshTokenRequest

SilentFlow parameters passed by the user to retrieve credentials silently

Credential Cache Type

Credential: <home_account_id*>-<environment>-<credential_type>-<client_id>-<realm*>-<target*>-<scheme*>

Id Token Cache Type

Type which defines library state

Use this to configure the logging that MSAL does, by configuring logger options in the Configuration object

• loggerCallback - Callback for logger
• piiLoggingEnabled - Sets whether pii logging is enabled
• logLevel - Sets the level at which logging happens
• correlationId - Sets the correlationId printed by the logger

Options allowed by network request APIs.

Options for the OIDC protocol mode.

The PkceCodes type describes the structure of objects that contain PKCE code challenge and verifier pairs

Refresh Token Cache Type

Type which defines the stringified and encoded state object sent to the service in the authorize request.

Type representing a unique request thumbprint.

Deserialized response object from server authorization code request.

• token_type: Indicates the token type value. Can be either Bearer or pop.
• scope: The scopes that the access_token is valid for.
• expires_in: How long the access token is valid (in seconds).
• refresh_in: Duration afer which a token should be renewed, regardless of expiration.
• ext_expires_in: How long the access token is valid (in seconds) if the server isn't responding.
• access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
• refresh_token: An OAuth 2.0 refresh token. The app can use this token acquire additional access tokens after the current access token expires.
• id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
• key_id: A string that uniquely identifies a public key that the request is bound to.

In case of error:

• error: An error code string that can be used to classify types of errors that occur, and can be used to react to errors.
• error_description: A specific error message that can help a developer identify the root cause of an authentication error.
• error_codes: A list of STS-specific error codes that can help in diagnostics.
• timestamp: The time at which the error occurred.
• trace_id: A unique identifier for the request that can help in diagnostics.
• correlation_id: A unique identifier for the request that can help in diagnostics across components.
• status: the network request's response status

Controls whether tokens should be stored in the cache or not. If set to false, tokens may still be acquired and returned but will not be cached for later retrieval.

Key-Value type to support queryParams, extraQueryParams and claims

Use this to configure token renewal info in the Configuration object

• tokenRenewalOffsetSeconds - Sets the window of offset needed to renew the token before expiry
• protocolMode - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.

Account details that vary across tenants for the same user

Type which describes Id Token claims known by MSAL.

Input object for the IAppTokenProvider extensiblity. MSAL will create this object, which can be used to help create an AppTokenProviderResult.

• correlationId - the correlation Id associated with the request
• tenantId - the tenant Id for which the token must be provided
• scopes - the scopes for which the token must be provided
• claims - any extra claims that the token must satisfy

Output object for IAppTokenProvider extensiblity.

• accessToken - the actual access token, typically in JWT format, that satisfies the request data AppTokenProviderParameters
• expiresInSeconds - how long the tokens has before expiry, in seconds. Similar to the "expires_in" field in an AAD token response.
• refreshInSeconds - how long the token has before it should be proactively refreshed. Similar to the "refresh_in" field in an AAD token response.

Client Assertion credential for Confidential Clients

DeviceCode returned by the security token service device code endpoint containing information necessary for device code flow.

• userCode: code which user needs to provide when authenticating at the verification URI
• deviceCode: code which should be included in the request for the access token
• verificationUri: URI where user can authenticate
• expiresIn: expiration time of the device code in seconds
• interval: interval at which the STS should be polled at
• message: message which should be displayed to the user

State of the performance event.

Log message level.

Function to build a client info object from server clientInfo string

Function to build a client info object from cached homeAccountId string

Build tenant profile

Helper function to wrap browser errors in a CacheError object

Creates an InteractionRequiredAuthError

Creates NetworkError object for a failed network request

Gets tenantId from available ID token claims to set as credential realm with the following precedence:

1. tid - if the token is acquired from an Azure AD tenant tid will be present
2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
3. acr - if the token is acquired from a legacy B2C tenant acr should be present Downcased to match the realm case-insensitive comparison requirements

Returns true if tenantId matches the utid portion of homeAccountId

Replaces account info that varies by tenant profile sourced from the ID token claims passed in with the tenant-specific account info

Function that sets the default options when not explicitly configured from app developer

Function to build a client info object from server clientInfo string

Function to build a client info object from cached homeAccountId string

Build tenant profile

Helper function to wrap browser errors in a CacheError object

Creates an InteractionRequiredAuthError

Creates NetworkError object for a failed network request

Gets tenantId from available ID token claims to set as credential realm with the following precedence:

1. tid - if the token is acquired from an Azure AD tenant tid will be present
2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
3. acr - if the token is acquired from a legacy B2C tenant acr should be present Downcased to match the realm case-insensitive comparison requirements

Returns true if tenantId matches the utid portion of homeAccountId

Replaces account info that varies by tenant profile sourced from the ID token claims passed in with the tenant-specific account info

Authority types supported by MSAL.

Protocol modes supported by MSAL.