編輯

共用方式為


@azure/msal-browser package

Classes

ClientApplication
PublicClientApplication

The PublicClientApplication class is the object exposed by the library to perform authentication and authorization functions in Single Page Applications to obtain JWT tokens as described in the OAuth 2.0 Authorization Code Flow with PKCE specification.

NativeMessageHandler
AsyncMemoryStorage

This class allows MSAL to store artifacts asynchronously using the DatabaseStorage IndexedDB wrapper, backed up with the more volatile MemoryStorage object for cases in which IndexedDB may be unavailable.

BrowserCacheManager

This class implements the cache storage interface for MSAL through browser local or session storage. Cookies are only used if storeAuthStateInCookie is true, and are only used for parameters such as state and nonce, generally.

BrowserStorage
CryptoKeyStore

MSAL CryptoKeyStore DB Version 2

DatabaseStorage

Storage wrapper for IndexedDB storage in browsers: https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API

MemoryStorage
TokenCache

Token cache manager

BrowserCrypto

This class implements functions used by the browser library to perform cryptography operations such as hashing and encoding. It also has helper functions to validate the availability of specific APIs.

CryptoOps

This class implements MSAL's crypto interface, which allows it to perform base64 encoding and decoding, generating cryptographically random GUIDs and implementing Proof Key for Code Exchange specs for the OAuth Authorization Code Flow using PKCE (rfc here: https://tools.ietf.org/html/rfc7636).

GuidGenerator
ModernBrowserCrypto
MsBrowserCrypto
MsrBrowserCrypto
PkceGenerator

Class which exposes APIs to generate PKCE codes and code verifiers.

SignedHttpRequest
Base64Decode

Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#Solution_2_%E2%80%93_JavaScript's_UTF-16_%3E_UTF-8_%3E_base64

Base64Encode

Class which exposes APIs to encode plaintext to base64 encoded string. See here for implementation details: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#Solution_2_%E2%80%93_JavaScript's_UTF-16_%3E_UTF-8_%3E_base64

BrowserAuthError

Browser library error class thrown by the MSAL.js library for SPAs

BrowserConfigurationAuthError

Browser library error class thrown by the MSAL.js library for SPAs

NativeAuthError
EventHandler
EventMessageUtils
BaseInteractionClient
HybridSpaAuthorizationCodeClient
NativeInteractionClient
PopupClient
RedirectClient
SilentAuthCodeClient
SilentCacheClient
SilentIframeClient
SilentRefreshClient
StandardInteractionClient

Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))

InteractionHandler

Abstract class which defines operations for a browser interaction handling class.

RedirectHandler
SilentHandler
NavigationClient
FetchClient

This class implements the Fetch API for GET and POST requests. See more here: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

XhrClient

This client implements the XMLHttpRequest class to send GET and POST requests.

BrowserPerformanceClient
BrowserPerformanceMeasurement
BrowserProtocolUtils
BrowserStringUtils

Utility functions for strings in a browser. See here for implementation details: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#Solution_2_%E2%80%93_JavaScript's_UTF-16_%3E_UTF-8_%3E_base64

BrowserUtils

Utility class for browser specific functions

MathUtils

Utility class for math specific functions in browser.

Interfaces

IPublicClientApplication
IAsyncStorage
ITokenCache
IWindowStorage
ISubtleCrypto
INavigationClient

Type Aliases

NativeExtensionRequest

Browser extension request

NativeExtensionRequestBody

Request which will be forwarded to native broker by the browser extension

NativeTokenRequest

Token request which native broker will use to acquire tokens

MATS

The native token broker can optionally include additional information about operations it performs. If that data is returned, MSAL.js will include the following properties in the telemetry it collects.

NativeAccountInfo

Account properties returned by Native Platform e.g. WAM

NativeResponse

Token response returned by Native Platform e.g. WAM

NativeResponseProperties

Properties returned under "properties" of the NativeResponse

LoadTokenOptions
BrowserAuthOptions

Use this to configure the auth options in the Configuration object

BrowserConfiguration
BrowserSystemOptions
BrowserTelemetryOptions

Telemetry Options

CacheOptions

Use this to configure the below cache configuration options:

Configuration

This object allows you to configure important elements of MSAL functionality and is passed into the constructor of PublicClientApplication

CryptoOptions
CachedKeyPair
SignedHttpRequestOptions
OSError
EventCallbackFunction
EventError
EventMessage
EventPayload
PopupEvent
PopupParams
InteractionParams
RedirectParams
NavigationOptions

Additional information passed to the navigateInternal and navigateExternal functions

AuthorizationCodeRequest
AuthorizationUrlRequest

This type is deprecated and will be removed on the next major version update

EndSessionPopupRequest

EndSessionPopupRequest

  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
  • postLogoutRedirectUri - URI to navigate to after logout page inside the popup. Required to ensure popup can be closed.
  • authority - Authority to send logout request to.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • idTokenHint - ID Token used by B2C to validate logout if required by the policy
  • mainWindowRedirectUri - URI to navigate the main window to after logout is complete
  • popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set.
  • logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
EndSessionRequest

EndSessionRequest

  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
  • postLogoutRedirectUri - URI to navigate to after logout page.
  • authority - Authority to send logout request to.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • idTokenHint - ID Token used by B2C to validate logout if required by the policy
  • onRedirectNavigate - Callback that will be passed the url that MSAL will navigate to. Returning false in the callback will stop navigation.
  • logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
PopupRequest

PopupRequest: Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) with a popup window.

  • scopes - Array of scopes the application is requesting access to.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single-sign on none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account create: will direct the user to the account creation experience instead of the log in experience no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  • popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set.
PopupPosition
PopupSize
PopupWindowAttributes

Popup configurations for setting dimensions and position of popup window

RedirectRequest

RedirectRequest: Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) with a full page redirect.

  • scopes - Array of scopes the application is requesting access to.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single-sign on none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account create: will direct the user to the account creation experience instead of the log in experience no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  • redirectStartPage - The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored.
  • onRedirectNavigate - Callback that will be passed the url that MSAL will navigate to. Returning false in the callback will stop navigation.
SilentRequest

SilentRequest: Request object passed by user to retrieve tokens from the cache, renew an expired token with a refresh token, or retrieve a code (first leg of authorization code grant flow) in a hidden iframe.

  • scopes - Array of scopes the application is requesting access to.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • account - Account entity to lookup the credentials.
  • forceRefresh - Forces silent requests to make network calls if true.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call. Only used when renewing the refresh token.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call. Only used when renewing access tokens.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. Only used for cases where refresh token is expired.
  • cacheLookupPolicy - Enum of different ways the silent token can be retrieved.
  • prompt - Indicates the type of user interaction that is required. none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
SsoSilentRequest

Request object passed by user to ssoSilent to retrieve a Code from the server (first leg of authorization code grant flow)

  • scopes - Array of scopes the application is requesting access to (optional for ssoSilent calls)
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single-sign on none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account create: will direct the user to the account creation experience instead of the log in experience no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
BrowserStateObject

Enums

CryptoKeyStoreNames
NativeStatusCode
EventType
ApiId

API Codes for Telemetry purposes. Before adding a new code you must claim it in the MSAL Telemetry tracker as these number spaces are shared across all MSALs 0-99 Silent Flow 800-899 Auth Code Flow

BrowserCacheLocation
CacheLookupPolicy
HTTP_REQUEST_TYPE

HTTP Request types supported by MSAL.

InMemoryCacheKeys

Cache keys stored in-memory

InteractionStatus

Types of interaction currently in progress. Used in events in wrapper libraries to invoke functions when certain interaction is in progress or all interactions are complete.

InteractionType
NativeExtensionMethod
TemporaryCacheKeys

Temporary cache keys for MSAL, deleted after any request.

WrapperSKU

Functions

buildConfiguration({ userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }, boolean)

MSAL function that sets the default options when not explicitly configured from app developer

Function Details

buildConfiguration({ userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }, boolean)

MSAL function that sets the default options when not explicitly configured from app developer

function buildConfiguration(__namedParameters: { userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }, isBrowserEnvironment: boolean): BrowserConfiguration

Parameters

__namedParameters

{ userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }

isBrowserEnvironment

boolean

Returns

Configuration object