PoP Support for Node when brokered (#7360)

Fixes PoP support for Node when using the native broker
AzureAD · Oct 8, 2024 · 34c3970 · 34c3970
1 parent 367915c
commit 34c3970
Show file tree

Hide file tree

Showing 6 changed files with 212 additions and 11 deletions.
diff --git a/change/@azure-msal-node-extensions-d62fddd6-6196-4003-a391-7c4d7ee1abc5.json b/change/@azure-msal-node-extensions-d62fddd6-6196-4003-a391-7c4d7ee1abc5.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Fix POP token acquisition via MsalRuntime",
+  "packageName": "@azure/msal-node-extensions",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/extensions/msal-node-extensions/package.json b/extensions/msal-node-extensions/package.json
@@ -65,7 +65,7 @@
   },
   "dependencies": {
     "@azure/msal-common": "14.15.0",
-    "@azure/msal-node-runtime": "^0.13.6-alpha.0",
+    "@azure/msal-node-runtime": "^0.17.1",
     "keytar": "^7.8.0"
   },
   "devDependencies": {

diff --git a/extensions/msal-node-extensions/src/broker/NativeBrokerPlugin.ts b/extensions/msal-node-extensions/src/broker/NativeBrokerPlugin.ts
@@ -466,19 +466,18 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
             if (request.authenticationScheme === AuthenticationScheme.POP) {
                 if (
                     !request.resourceRequestMethod ||
-                    !request.resourceRequestUri ||
-                    !request.shrNonce
+                    !request.resourceRequestUri
                 ) {
                     throw new Error(
-                        "Authentication Scheme set to POP but one or more of the following parameters are missing: resourceRequestMethod, resourceRequestUri, shrNonce"
+                        "Authentication Scheme set to POP but one or more of the following parameters are missing: resourceRequestMethod, resourceRequestUri"
                     );
                 }
                 const resourceUrl = new URL(request.resourceRequestUri);
                 authParams.SetPopParams(
                     request.resourceRequestMethod,
                     resourceUrl.host,
                     resourceUrl.pathname,
-                    request.shrNonce
+                    request.shrNonce || ""
                 );
             }
 
@@ -548,6 +547,17 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
             idTokenClaims
         );
 
+        let accessToken;
+        let tokenType;
+        if (authResult.isPopAuthorization) {
+            // Header includes 'pop ' prefix
+            accessToken = authResult.authorizationHeader.split(" ")[1];
+            tokenType = AuthenticationScheme.POP;
+        } else {
+            accessToken = authResult.accessToken;
+            tokenType = AuthenticationScheme.BEARER;
+        }
+
         const result: AuthenticationResult = {
             authority: request.authority,
             uniqueId: idTokenClaims.oid || idTokenClaims.sub || "",
@@ -556,12 +566,10 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
             account: accountInfo,
             idToken: authResult.rawIdToken,
             idTokenClaims: idTokenClaims,
-            accessToken: authResult.accessToken,
+            accessToken: accessToken,
             fromCache: fromCache,
             expiresOn: new Date(authResult.expiresOn),
-            tokenType: authResult.isPopAuthorization
-                ? AuthenticationScheme.POP
-                : AuthenticationScheme.BEARER,
+            tokenType: tokenType,
             correlationId: request.correlationId,
             fromNativeBroker: true,
         };