[Identity] MSAL integration for interactive browser and device code

sdk/identity/identity/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+## 1.2.0-beta.1 (2020-09-08)
+
+- A new `InteractiveBrowserCredential` for node which will spawn a web server, start a web browser, and allow the user to interactively authenticate with the browser.
+- With 1.2.0-beta.1, Identity will now use [MSAL](https://www.npmjs.com/package/@azure/msal-node) to perform authentication. With this beta, DeviceCodeCredential and a new InteractiveBrowserCredential for node are powered by MSAL.
+- Identity now supports Subject Name/Issuer (SNI) as part of authentication for ClientCertificateCredential
+- Upgraded App Services MSI API version
+
 ## 1.1.0 (2020-08-11)
 
 ### Changes since 1.0.*

sdk/identity/identity/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "1.1.0",
+  "version": "1.2.0-beta.1",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Azure Active Directory",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",
@@ -82,11 +82,15 @@
     "@azure/core-http": "^1.1.6",
     "@azure/core-tracing": "1.0.0-preview.9",
     "@azure/logger": "^1.0.0",
+    "@azure/msal-node": "^1.0.0-alpha.5",
     "@opentelemetry/api": "^0.10.2",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "msal": "^1.0.2",
+    "open": "^7.0.0",
     "qs": "^6.7.0",
+    "@rollup/plugin-json": "^4.0.0",
+    "axios": "^0.19.2",
     "tslib": "^2.0.0",
     "uuid": "^8.1.0"
   },
@@ -98,7 +102,6 @@
     "@azure/abort-controller": "^1.0.0",
     "@microsoft/api-extractor": "7.7.11",
     "@rollup/plugin-commonjs": "11.0.2",
-    "@rollup/plugin-json": "^4.0.0",
     "@rollup/plugin-multi-entry": "^3.0.0",
     "@rollup/plugin-node-resolve": "^8.0.0",
     "@rollup/plugin-replace": "^2.2.0",
@@ -125,7 +128,6 @@
     "karma-remap-istanbul": "^0.6.0",
     "mocha": "^7.1.1",
     "mocha-junit-reporter": "^1.18.0",
-    "open": "^7.0.0",
     "prettier": "^1.16.4",
     "puppeteer": "^3.3.0",
     "rimraf": "^3.0.0",

sdk/identity/identity/rollup.base.config.js

@@ -1,6 +1,7 @@
 import nodeResolve from "@rollup/plugin-node-resolve";
 import multiEntry from "@rollup/plugin-multi-entry";
 import cjs from "@rollup/plugin-commonjs";
+import json from "@rollup/plugin-json";
 import replace from "@rollup/plugin-replace";
 import { terser } from "rollup-plugin-terser";
 import sourcemaps from "rollup-plugin-sourcemaps";
@@ -27,6 +28,7 @@ export function nodeConfig(test = false) {
         "if (isNode)": "if (true)"
       }),
       nodeResolve({ preferBuiltins: true }),
+      json(),
       cjs()
     ]
   };

sdk/identity/identity/src/credentials/deviceCodeCredential.ts

@@ -1,28 +1,13 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-
-import qs from "qs";
-import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
-import * as coreHttp from "@azure/core-http";
-import { IdentityClient, TokenResponse, TokenCredentialOptions } from "../client/identityClient";
-import { AuthenticationError, AuthenticationErrorName } from "../client/errors";
+import { AccessToken, TokenCredential, GetTokenOptions, delay } from "@azure/core-http";
+import { TokenCredentialOptions, IdentityClient } from "../client/identityClient";
 import { createSpan } from "../util/tracing";
-import { CanonicalCode } from "@opentelemetry/api";
 import { credentialLogger, formatSuccess } from "../util/logging";
+import { AuthenticationError, AuthenticationErrorName } from "../client/errors";
+import { CanonicalCode } from "@opentelemetry/api";
 
-/**
- * An internal interface that contains the verbatim devicecode response.
- * This interface does not get exported from the public interface of the
- * library.
- */
-export interface DeviceCodeResponse {
-  device_code: string;
-  user_code: string;
-  verification_uri: string;
-  expires_in: number;
-  interval: number;
-  message: string;
-}
+import { PublicClientApplication, DeviceCodeRequest } from "@azure/msal-node";
 
 /**
  * Provides the user code and verification URI where the code must be
@@ -63,10 +48,11 @@ const logger = credentialLogger("DeviceCodeCredential");
  */
 export class DeviceCodeCredential implements TokenCredential {
   private identityClient: IdentityClient;
+  private pca: PublicClientApplication;
   private tenantId: string;
   private clientId: string;
   private userPromptCallback: DeviceCodePromptCallback;
-  private lastTokenResponse: TokenResponse | null = null;
+  private authorityHost: string;
 
   /**
    * Creates an instance of DeviceCodeCredential with the details needed
@@ -89,138 +75,27 @@ export class DeviceCodeCredential implements TokenCredential {
     this.tenantId = tenantId;
     this.clientId = clientId;
     this.userPromptCallback = userPromptCallback;
-  }
-
-  private async sendDeviceCodeRequest(
-    scope: string,
-    options?: GetTokenOptions
-  ): Promise<DeviceCodeResponse> {
-    const { span, options: newOptions } = createSpan(
-      "DeviceCodeCredential-sendDeviceCodeRequest",
-      options
-    );
-    try {
-      const webResource = this.identityClient.createWebResource({
-        url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/devicecode`,
-        method: "POST",
-        disableJsonStringifyOnBody: true,
-        deserializationMapper: undefined,
-        body: qs.stringify({
-          client_id: this.clientId,
-          scope
-        }),
-        headers: {
-          Accept: "application/json",
-          "Content-Type": "application/x-www-form-urlencoded"
-        },
-        abortSignal: options && options.abortSignal,
-        spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions
-      });
-
-      logger.info("Sending devicecode request");
-
-      const response = await this.identityClient.sendRequest(webResource);
-      if (!(response.status === 200 || response.status === 201)) {
-        throw new AuthenticationError(response.status, response.bodyAsText);
-      }
-
-      return response.parsedBody as DeviceCodeResponse;
-    } catch (err) {
-      const code =
-        err.name === AuthenticationErrorName
-          ? CanonicalCode.UNAUTHENTICATED
-          : CanonicalCode.UNKNOWN;
-
-      if (err.name === AuthenticationErrorName) {
-        logger.info(
-          `Failed to authenticate ${(err as AuthenticationError).errorResponse.errorDescription}`
-        );
+    if (options && options.authorityHost) {
+      if (options.authorityHost.endsWith("/")) {
+        this.authorityHost = options.authorityHost + this.tenantId;
       } else {
-        logger.info(`Failed to authenticate ${err}`);
+        this.authorityHost = options.authorityHost + "/" + this.tenantId;
       }
-
-      span.setStatus({
-        code,
-        message: err.message
-      });
-      throw err;
-    } finally {
-      span.end();
+    } else {
+      this.authorityHost = "https://login.microsoftonline.com/" + this.tenantId;
     }
-  }
 
-  private async pollForToken(
-    deviceCodeResponse: DeviceCodeResponse,
-    options?: GetTokenOptions
-  ): Promise<TokenResponse | null> {
-    let tokenResponse: TokenResponse | null = null;
-    const { span, options: newOptions } = createSpan("DeviceCodeCredential-pollForToken", options);
-
-    try {
-      const webResource = this.identityClient.createWebResource({
-        url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`,
-        method: "POST",
-        disableJsonStringifyOnBody: true,
-        deserializationMapper: undefined,
-        body: qs.stringify({
-          grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-          client_id: this.clientId,
-          device_code: deviceCodeResponse.device_code
-        }),
-        headers: {
-          Accept: "application/json",
-          "Content-Type": "application/x-www-form-urlencoded"
-        },
-        abortSignal: options && options.abortSignal,
-        spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions
-      });
-
-      while (tokenResponse === null) {
-        try {
-          // Referencing delay from core-http this way for testing purposes.
-          await coreHttp.delay(deviceCodeResponse.interval * 1000);
-
-          // Check the abort signal before sending the request
-          if (options && options.abortSignal && options.abortSignal.aborted) {
-            return null;
-          }
-
-          tokenResponse = await this.identityClient.sendTokenRequest(webResource);
-        } catch (err) {
-          if (err.name === AuthenticationErrorName) {
-            switch (err.errorResponse.error) {
-              case "authorization_pending":
-                break;
-              case "authorization_declined":
-                return null;
-              case "expired_token":
-                throw err;
-              case "bad_verification_code":
-                throw err;
-              default:
-                // Any other error should be rethrown
-                throw err;
-            }
-          } else {
-            throw err;
-          }
-        }
-      }
-
-      return tokenResponse;
-    } catch (err) {
-      const code =
-        err.name === AuthenticationErrorName
-          ? CanonicalCode.UNAUTHENTICATED
-          : CanonicalCode.UNKNOWN;
-      span.setStatus({
-        code,
-        message: err.message
-      });
-      throw err;
-    } finally {
-      span.end();
-    }
+    const publicClientConfig = {
+      auth: {
+          clientId: this.clientId,
+          authority: this.authorityHost,
+      },
+      cache: {
+          cachePlugin: undefined
+      },
+    };
+
+    this.pca = new PublicClientApplication(publicClientConfig);
   }
 
   /**
@@ -233,46 +108,23 @@ export class DeviceCodeCredential implements TokenCredential {
    * @param options The options used to configure any requests this
    *                TokenCredential implementation might make.
    */
-  public async getToken(
+  getToken(
     scopes: string | string[],
     options?: GetTokenOptions
   ): Promise<AccessToken | null> {
     const { span, options: newOptions } = createSpan("DeviceCodeCredential-getToken", options);
-    try {
-      let tokenResponse: TokenResponse | null = null;
-      let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
-      if (scopeString.indexOf("offline_access") < 0) {
-        scopeString += " offline_access";
-      }
-
-      // Try to use the refresh token first
-      if (this.lastTokenResponse && this.lastTokenResponse.refreshToken) {
-        tokenResponse = await this.identityClient.refreshAccessToken(
-          this.tenantId,
-          this.clientId,
-          scopeString,
-          this.lastTokenResponse.refreshToken,
-          undefined, // clientSecret not needed for device code auth
-          undefined,
-          newOptions
-        );
-      }
 
-      if (tokenResponse === null) {
-        const deviceCodeResponse = await this.sendDeviceCodeRequest(scopeString, newOptions);
+    const scopeArray = typeof scopes === "object" ? scopes : [scopes];
 
-        this.userPromptCallback({
-          userCode: deviceCodeResponse.user_code,
-          verificationUri: deviceCodeResponse.verification_uri,
-          message: deviceCodeResponse.message
-        });
+    const deviceCodeRequest = {
+      deviceCodeCallback: this.userPromptCallback,
+      scopes: scopeArray,
+    };
 
-        tokenResponse = await this.pollForToken(deviceCodeResponse, newOptions);
-      }
+    logger.info("Sending devicecode request");
 
-      this.lastTokenResponse = tokenResponse;
-      logger.getToken.info(formatSuccess(scopes));
-      return (tokenResponse && tokenResponse.accessToken) || null;
+    try {
+      return this.acquireTokenByDeviceCode(deviceCodeRequest);
     } catch (err) {
       const code =
         err.name === AuthenticationErrorName
@@ -288,4 +140,16 @@ export class DeviceCodeCredential implements TokenCredential {
       span.end();
     }
   }
+
+  private async acquireTokenByDeviceCode(deviceCodeRequest: DeviceCodeRequest): Promise<AccessToken | null> {
+    try {
+      const deviceResponse = await this.pca.acquireTokenByDeviceCode(deviceCodeRequest);
+      return({
+        expiresOnTimestamp: deviceResponse.expiresOn.getTime(),
+        token: deviceResponse.accessToken
+      });
+    } catch (error) {
+      throw new Error(`Device Authentication Error "${JSON.stringify(error)}"`);
+    }
+  }
 }