@azure/msal-node package

Classes

AuthError

General error class thrown by the MSAL.js library.

ClientAssertion

Client assertion of type jwt-bearer used in confidential client flows

ClientAuthError

Error thrown when there is an error in the client code running on the browser.

ClientConfigurationError

Error thrown when there is an error in configuration of the MSAL.js library.

ConfidentialClientApplication

This class is to be used to acquire tokens for confidential client applications (webApp, webAPI). Confidential client applications will configure application secrets, client certificates/assertions as applicable.

DistributedCachePlugin

Cache plugin that serializes data to the cache and deserializes data from the cache

InteractionRequiredAuthError

Error thrown when user interaction is required.

Logger

Class which facilitates logging of messages to a specific place.

ManagedIdentityApplication

Class to initialize a managed identity and identify the service

PublicClientApplication

This class is to be used to acquire tokens for public client applications (desktop, mobile). Public client applications are not trusted to safely store application secrets, and therefore can only request tokens in the name of a user.

ServerError

Error thrown when there is an error with the server code, for example, unavailability.

TokenCache

In-memory token cache manager

TokenCacheContext

This class instance helps track the memory changes facilitating decisions to read from and write to the persistent cache

Interfaces

IAppTokenProvider
ICacheClient

Interface for the cache that defines a getter and setter

ICachePlugin
IConfidentialClientApplication

Interface for the ConfidentialClientApplication class defining the public API signatures

ILoopbackClient

Interface for LoopbackClient allowing to replace the default loopback server with a custom implementation.

INativeBrokerPlugin
INetworkModule

Client network interface to send backend requests.

IPartitionManager

Interface that defines getter methods to get keys used to identify data in the cache

IPublicClientApplication

Interface for the PublicClientApplication class defining the public API signatures

ISerializableTokenCache
ITokenCache

Token cache interface for the client, giving access to cache APIs

Type Aliases

AccountInfo

Account object with the following signature:

  • homeAccountId - Home account identifier for this account object
  • environment - Entity which issued the token represented by the domain of the issuer (e.g. login.microsoftonline.com)
  • tenantId - Full tenant or organizational id that this account belongs to
  • username - preferred_username claim of the id_token that represents this account
  • localAccountId - Local, tenant-specific account identifier for this account object, usually used in legacy cases
  • name - Full name for the account, including given name and family name
  • idToken - raw ID token
  • idTokenClaims - Object contains claims from ID token
  • nativeAccountId - The user's native account ID
  • tenantProfiles - Map of tenant profile objects for each tenant that the account has authenticated with in the browser
  • dataBoundary - Data boundary extracted from clientInfo

AppTokenProviderParameters

Input object for the IAppTokenProvider extensibility. MSAL will create this object, which can be used to help create an AppTokenProviderResult.

  • correlationId - the correlation Id associated with the request
  • tenantId - the tenant Id for which the token must be provided
  • scopes - the scopes for which the token must be provided
  • claims - any extra claims that the token must satisfy

AppTokenProviderResult

Output object for IAppTokenProvider extensibility.

  • accessToken - the actual access token, typically in JWT format, that satisfies the request data AppTokenProviderParameters
  • expiresInSeconds - how long the token has before expiry, in seconds. Similar to the "expires_in" field in an AAD token response.
  • refreshInSeconds - how long the token has before it should be proactively refreshed. Similar to the "refresh_in" field in an AAD token response.

AuthenticationResult

Result returned from the authority's token endpoint.

  • uniqueId - oid or sub claim from ID token
  • tenantId - tid claim from ID token
  • scopes - Scopes that are validated for the respective token
  • account - An account object representation of the currently signed-in user
  • idToken - Id token received as part of the response
  • idTokenClaims - MSAL-relevant ID token claims
  • accessToken - Access token or SSH certificate received as part of the response
  • fromCache - Boolean denoting whether token came from cache
  • expiresOn - JavaScript Date object representing relative expiration of access token
  • extExpiresOn - JavaScript Date object representing extended relative expiration of access token in case of server outage
  • refreshOn - JavaScript Date object representing relative time until an access token must be refreshed
  • state - Value passed in by user in request
  • familyId - Family ID identifier, usually only used for refresh tokens
  • requestId - Request ID returned as part of the response

AuthorizationCodePayload

Response returned after processing the code response query string or fragment.

AuthorizationCodeRequest

Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow)

AuthorizationUrlRequest

Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow)

AuthorizeResponse

Response properties that may be returned by the /authorize endpoint

AzureCloudOptions

AzureCloudInstance specific options

  • azureCloudInstance - string enum providing short notation for sovereign and public cloud authorities
  • tenant - provision to provide the tenant info

BrokerOptions

Use this to configure the below broker options:

  • nativeBrokerPlugin - Native broker implementation (should be imported from msal-node-extensions)

Note: These options are only available for PublicClientApplications using the Authorization Code Flow

CacheKVStore

Key value store for in-memory cache

CacheOptions

Use this to configure the below cache configuration options:

  • cachePlugin - Plugin for reading and writing token cache to disk.

ClientAssertionCallback
ClientCredentialRequest

ClientCredentialRequest

Configuration

Use the configuration object to configure MSAL and initialize the client application object

  • auth: this is where you configure auth elements like clientID, authority used for authenticating against the Microsoft Identity Platform
  • broker: this is where you configure broker options
  • cache: this is where you configure cache location
  • system: this is where you can configure the network client, logger
  • telemetry: this is where you can configure telemetry options

DeviceCodeRequest

Parameters for OAuth2 device code flow.

IdTokenClaims

Type which describes Id Token claims known by MSAL.

InMemoryCache

Intermittent type to handle in-memory data objects with defined types

InteractiveRequest

Request object passed by user to configure acquireTokenInteractive API

JsonCache

Cache format read from the cache blob provided to the configuration during app instantiation

ManagedIdentityConfiguration
ManagedIdentityIdParams
ManagedIdentityRequestParams

ManagedIdentityRequest

NetworkRequestOptions

Options allowed by network request APIs.

NetworkResponse
NodeAuthOptions

  • clientId - Client id of the application.
  • authority - Url of the authority. If no value is set, defaults to https://login.microsoftonline.com/common.
  • knownAuthorities - Needed for Azure B2C and ADFS. All authorities that will be used in the client application. Only the host of the authority should be passed in.
  • clientSecret - Secret string that the application uses when requesting a token. Only used in confidential client applications. Can be created in the Azure app registration portal.
  • clientAssertion - A ClientAssertion object containing an assertion string or a callback function that returns an assertion string that the application uses when requesting a token, as well as the assertion's type (urn:ietf:params:oauth:client-assertion-type:jwt-bearer). Only used in confidential client applications.
  • clientCertificate - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 or SHA-256 thumbprint of the certificate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----).

NodeSystemOptions

Type for configuring logger and http client options

  • logger - Used to initialize the Logger object; TODO: Expand on logger details or link to the documentation on logger
  • networkClient - Http client used for all http get and post calls. Defaults to using MSAL's default http client.
  • protocolMode - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.

NodeTelemetryOptions
OnBehalfOfRequest

OnBehalfOfRequest

RefreshTokenRequest

CommonRefreshTokenRequest

SerializedAccessTokenEntity

Access token credential type

SerializedAccountEntity

Account type

SerializedAppMetadataEntity

AppMetadata type

SerializedIdTokenEntity

ID token credential type

SerializedRefreshTokenEntity

Refresh token credential type

SignOutRequest
SilentFlowRequest

SilentFlow parameters passed by the user to retrieve credentials silently

UsernamePasswordRequest

UsernamePassword parameters passed by the user to retrieve credentials. Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing.

Enums

LogLevel

Log message level.

Variables

AzureCloudInstance
ManagedIdentitySourceNames

Managed Identity Source Names

ProtocolMode

Protocol modes supported by MSAL.

PromptValue
ResponseMode
version

Variable Details

AzureCloudInstance

AzureCloudInstance: { AzureChina: "https://login.chinacloudapi.cn", AzureGermany: "https://login.microsoftonline.de", AzurePpe: "https://login.windows-ppe.net", AzurePublic: "https://login.microsoftonline.com", AzureUsGovernment: "https://login.microsoftonline.us", None: "none" }

Type

{ AzureChina: "https://login.chinacloudapi.cn", AzureGermany: "https://login.microsoftonline.de", AzurePpe: "https://login.windows-ppe.net", AzurePublic: "https://login.microsoftonline.com", AzureUsGovernment: "https://login.microsoftonline.us", None: "none" }

ManagedIdentitySourceNames

Managed Identity Source Names

ManagedIdentitySourceNames: { APP_SERVICE: "AppService", AZURE_ARC: "AzureArc", CLOUD_SHELL: "CloudShell", DEFAULT_TO_IMDS: "DefaultToImds", IMDS: "Imds", MACHINE_LEARNING: "MachineLearning", SERVICE_FABRIC: "ServiceFabric" }

Type

{ APP_SERVICE: "AppService", AZURE_ARC: "AzureArc", CLOUD_SHELL: "CloudShell", DEFAULT_TO_IMDS: "DefaultToImds", IMDS: "Imds", MACHINE_LEARNING: "MachineLearning", SERVICE_FABRIC: "ServiceFabric" }

ProtocolMode

Protocol modes supported by MSAL.

ProtocolMode: { AAD: "AAD", EAR: "EAR", OIDC: "OIDC" }

Type

{ AAD: "AAD", EAR: "EAR", OIDC: "OIDC" }

PromptValue

PromptValue: { CONSENT: string, CREATE: string, LOGIN: string, NONE: string, NO_SESSION: string, SELECT_ACCOUNT: string }

Type

{ CONSENT: string, CREATE: string, LOGIN: string, NONE: string, NO_SESSION: string, SELECT_ACCOUNT: string }

ResponseMode

ResponseMode: { FORM_POST: "form_post", FRAGMENT: "fragment", QUERY: "query" }

Type

{ FORM_POST: "form_post", FRAGMENT: "fragment", QUERY: "query" }

version

version: "5.0.3"

Type

"5.0.3"