EAR Protocol Request (#7633)

Adds protocol implementation (request properties and generation and
response properties) for the new EAR flow.

Response handling will be added in a separate PR as this one is already
fairly large

Author: tnorling

Diff for: change/@azure-msal-angular-8bdfd93f-3e29-4ca7-8a95-968015aff030.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Fix request type for ssoSilent",
+  "packageName": "@azure/msal-angular",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

Diff for: change/@azure-msal-browser-7f45ea83-42e4-4832-872c-65dc1b099a93.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "EAR protocol request support",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

Diff for: change/@azure-msal-common-9093e390-0b5c-4197-a5bc-a500a03b057d.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "EAR protocol request support",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

Diff for: change/@azure-msal-node-fcbc3253-ce84-4b70-aa62-decb6d051638.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Minor updates to Authorize query string generation",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

Diff for: lib/msal-angular/src/IMsalService.ts

@@ -5,12 +5,12 @@
 
 import {
   EndSessionRequest,
-  AuthorizationUrlRequest,
   AuthenticationResult,
   PopupRequest,
   RedirectRequest,
   SilentRequest,
   Logger,
+  SsoSilentRequest,
 } from "@azure/msal-browser";
 import { Observable } from "rxjs";
 
@@ -25,7 +25,7 @@ export interface IMsalService {
   loginPopup(request?: PopupRequest): Observable<AuthenticationResult>;
   loginRedirect(request?: RedirectRequest): Observable<void>;
   logout(logoutRequest?: EndSessionRequest): Observable<void>;
-  ssoSilent(request: AuthorizationUrlRequest): Observable<AuthenticationResult>;
+  ssoSilent(request: SsoSilentRequest): Observable<AuthenticationResult>;
   getLogger(): Logger;
   setLogger(logger: Logger): void;
 }

Diff for: lib/msal-browser/apiReview/msal-browser.api.md

@@ -126,11 +126,8 @@ export type AuthorizationCodeRequest = Partial<Omit<CommonAuthorizationCodeReque
 
 // Warning: (ae-missing-release-tag) "AuthorizationUrlRequest" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
-// @public
-export type AuthorizationUrlRequest = Omit<CommonAuthorizationUrlRequest, "state" | "nonce" | "requestedClaimsHash" | "platformBroker"> & {
-    state: string;
-    nonce: string;
-};
+// @public @deprecated
+export type AuthorizationUrlRequest = Omit<CommonAuthorizationUrlRequest, "requestedClaimsHash" | "platformBroker">;
 
 // Warning: (ae-missing-release-tag) "authRequestNotSetError" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
@@ -190,6 +187,7 @@ export class BrowserAuthError extends AuthError {
 declare namespace BrowserAuthErrorCodes {
     export {
         pkceNotCreated,
+        earJwkEmpty,
         cryptoNonExistent,
         emptyNavigateUri,
         hashEmptyError,
@@ -718,6 +716,11 @@ const databaseUnavailable = "database_unavailable";
 // @public (undocumented)
 export const DEFAULT_IFRAME_TIMEOUT_MS = 10000;
 
+// Warning: (ae-missing-release-tag) "earJwkEmpty" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
+//
+// @public (undocumented)
+const earJwkEmpty = "ear_jwk_empty";
+
 // Warning: (ae-missing-release-tag) "emptyNavigateUri" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public (undocumented)
@@ -1338,7 +1341,7 @@ export type PopupPosition = {
 // Warning: (ae-missing-release-tag) "PopupRequest" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public
-export type PopupRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "scopes" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">> & {
+export type PopupRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "scopes" | "earJwk" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">> & {
     scopes: Array<string>;
     popupWindowAttributes?: PopupWindowAttributes;
     popupWindowParent?: Window;
@@ -1595,7 +1598,7 @@ function redirectPreflightCheck(initialized: boolean, config: BrowserConfigurati
 // Warning: (ae-missing-release-tag) "RedirectRequest" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public
-export type RedirectRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "scopes" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">> & {
+export type RedirectRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "scopes" | "earJwk" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">> & {
     scopes: Array<string>;
     redirectStartPage?: string;
     onRedirectNavigate?: (url: string) => boolean | void;
@@ -1687,7 +1690,7 @@ const spaCodeAndNativeAccountIdPresent = "spa_code_and_nativeAccountId_present";
 // Warning: (ae-missing-release-tag) "SsoSilentRequest" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public
-export type SsoSilentRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">>;
+export type SsoSilentRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "earJwk" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">>;
 
 // Warning: (ae-missing-release-tag) "stateInteractionTypeMismatch" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //

Diff for: lib/msal-browser/src/config/Configuration.ts

@@ -377,10 +377,10 @@ export function buildConfiguration(
         );
     }
 
-    // Throw an error if user has set allowPlatformBroker to true without being in AAD protocol mode
+    // Throw an error if user has set allowPlatformBroker to true with OIDC protocol mode
     if (
         userInputAuth?.protocolMode &&
-        userInputAuth.protocolMode !== ProtocolMode.AAD &&
+        userInputAuth.protocolMode === ProtocolMode.OIDC &&
         providedSystemOptions?.allowPlatformBroker
     ) {
         throw createClientConfigurationError(
@@ -402,5 +402,17 @@ export function buildConfiguration(
         telemetry: { ...DEFAULT_TELEMETRY_OPTIONS, ...userInputTelemetry },
     };
 
+    /**
+     * Temporarily disable EAR until implementation is complete
+     * TODO: Remove this
+     */
+    if (overlayedConfig.auth.protocolMode === ProtocolMode.EAR) {
+        const logger = new Logger(providedSystemOptions.loggerOptions);
+        logger.warning(
+            "EAR Protocol Mode is not yet supported. Overriding to use PKCE auth"
+        );
+        overlayedConfig.auth.protocolMode = ProtocolMode.AAD;
+    }
+
     return overlayedConfig;
 }

Diff for: lib/msal-browser/src/controllers/NestedAppAuthController.ts

@@ -599,6 +599,7 @@ export class NestedAppAuthController implements IController {
                       CommonAuthorizationUrlRequest,
                       | "requestedClaimsHash"
                       | "responseMode"
+                      | "earJwk"
                       | "codeChallenge"
                       | "codeChallengeMethod"
                       | "platformBroker"
@@ -792,6 +793,7 @@ export class NestedAppAuthController implements IController {
                 CommonAuthorizationUrlRequest,
                 | "requestedClaimsHash"
                 | "responseMode"
+                | "earJwk"
                 | "codeChallenge"
                 | "codeChallengeMethod"
                 | "platformBroker"

Diff for: lib/msal-browser/src/controllers/UnknownOperatingContextController.ts

@@ -186,6 +186,7 @@ export class UnknownOperatingContextController implements IController {
                   Omit<
                       CommonAuthorizationUrlRequest,
                       | "responseMode"
+                      | "earJwk"
                       | "codeChallenge"
                       | "codeChallengeMethod"
                       | "requestedClaimsHash"
@@ -293,6 +294,7 @@ export class UnknownOperatingContextController implements IController {
             Omit<
                 CommonAuthorizationUrlRequest,
                 | "responseMode"
+                | "earJwk"
                 | "codeChallenge"
                 | "codeChallengeMethod"
                 | "requestedClaimsHash"

Diff for: lib/msal-browser/src/crypto/BrowserCrypto.ts

@@ -12,7 +12,7 @@ import {
     PerformanceEvents,
 } from "@azure/msal-common/browser";
 import { KEY_FORMAT_JWK } from "../utils/BrowserConstants.js";
-import { urlEncodeArr } from "../encode/Base64Encode.js";
+import { base64Encode, urlEncodeArr } from "../encode/Base64Encode.js";
 import { base64DecToArr } from "../encode/Base64Decode.js";
 
 /**
@@ -226,6 +226,22 @@ export async function sign(
     ) as Promise<ArrayBuffer>;
 }
 
+/**
+ * Generates Base64 encoded jwk used in the Encrypted Authorize Response (EAR) flow
+ */
+export async function generateEarKey(): Promise<string> {
+    const key = await generateBaseKey();
+    const keyStr = urlEncodeArr(new Uint8Array(key));
+
+    const jwk = {
+        alg: "dir",
+        kty: "oct",
+        k: keyStr,
+    };
+
+    return base64Encode(JSON.stringify(jwk));
+}
+
 /**
  * Generates symmetric base encryption key. This may be stored as all encryption/decryption keys will be derived from this one.
  */

Diff for: lib/msal-browser/src/error/BrowserAuthError.ts

@@ -15,6 +15,8 @@ const ErrorLink = "For more visit: aka.ms/msaljs/browser-errors";
 export const BrowserAuthErrorMessages = {
     [BrowserAuthErrorCodes.pkceNotCreated]:
         "The PKCE code challenge and verifier could not be generated.",
+    [BrowserAuthErrorCodes.earJwkEmpty]:
+        "No EAR encryption key provided. This is unexpected.",
     [BrowserAuthErrorCodes.cryptoNonExistent]:
         "The crypto object or function is not available.",
     [BrowserAuthErrorCodes.emptyNavigateUri]:

Diff for: lib/msal-browser/src/error/BrowserAuthErrorCodes.ts

@@ -4,6 +4,7 @@
  */
 
 export const pkceNotCreated = "pkce_not_created";
+export const earJwkEmpty = "ear_jwk_empty";
 export const cryptoNonExistent = "crypto_nonexistent";
 export const emptyNavigateUri = "empty_navigate_uri";
 export const hashEmptyError = "hash_empty_error";