Enable passing of redirect uri for Nativebroker (#8005)

Current PCA requests don't allow the customer to pass in their own
redirecturi. This is an issue for signed MacOS apps because the customer
is forced to use the unsigned redirect URI which will hit a redirecturi
validation error in the Apple Broker
```
  errorMessage: 'Description: Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=MSAL redirectUri validation error: redirect uri has incorrect scheme - it must be in the form of msauth.<app_bundle_id>://auth\n' +
    'ADAL redirectUri validation error: Source application does not match redirect uri host. Invalid source app., MSALInternalErrorCodeKey=-42000, MSALBrokerVersionKey=5.2508.0}, Domain: MSALErrorDomain.Error was thrown in sourceArea: Broker (Error Code: -42000, Tag: 508638916)',

```
Solution:
Make providing a redirecturi optional. If the customer doesn't provide
one, we fallback to the default for each platform in broker scenarios
For non-broker scenarios, if redirecturi is provided, we warn them it
won't be used and use the default

Also added a function to convert error tags to their string version to
make error lookup quicker.

Author: Ugonnaak1

change/@azure-msal-node-118ac835-7803-4e30-81cd-91c4afe6bf9d.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "enable passing of redirect uri",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-node-extensions-bce3798f-5840-4955-a647-70f9009359fc.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "enable passing of redirect uri",
+  "packageName": "@azure/msal-node-extensions",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

extensions/msal-node-extensions/src/broker/NativeBrokerPlugin.ts

@@ -38,6 +38,7 @@ import {
     LogLevel as MsalRuntimeLogLevel,
 } from "@azure/msal-node-runtime";
 import { ErrorCodes } from "../utils/Constants.js";
+import { StringUtils } from "../utils/StringUtils.js";
 import { NativeAuthError } from "../error/NativeAuthError.js";
 import { version, name } from "../packageMetadata.js";
 
@@ -193,10 +194,16 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
             request.correlationId
         );
         const platformRequest = request;
+        if (!platformRequest.redirectUri) {
+            platformRequest.redirectUri =
+                this.chooseRedirectUriByPlatform(platformRequest);
+            this.logger.info(
+                "NativeBrokerPlugin - No Redirect URI provided, using default",
+                platformRequest.redirectUri
+            );
+        }
         const authParams = this.generateRequestParameters(platformRequest);
         const account = await this.getAccount(platformRequest);
-        platformRequest.redirectUri =
-            this.chooseRedirectUriByPlatform(platformRequest);
 
         return new Promise(
             (resolve: (value: AuthenticationResult) => void, reject) => {
@@ -251,9 +258,15 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
             request.correlationId
         );
         const platformRequest = request;
+        if (!platformRequest.redirectUri) {
+            platformRequest.redirectUri =
+                this.chooseRedirectUriByPlatform(platformRequest);
+            this.logger.info(
+                "NativeBrokerPlugin - No Redirect URI provided, using default",
+                platformRequest.redirectUri
+            );
+        }
         const authParams = this.generateRequestParameters(platformRequest);
-        platformRequest.redirectUri =
-            this.chooseRedirectUriByPlatform(platformRequest);
         const account = await this.getAccount(platformRequest);
         const windowHandle = providedWindowHandle || Buffer.from([0]);
 
@@ -466,9 +479,7 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
                 request.authority
             );
 
-            authParams.SetRedirectUri(
-                this.chooseRedirectUriByPlatform(request)
-            );
+            authParams.SetRedirectUri(request.redirectUri);
             authParams.SetRequestedScopes(request.scopes.join(" "));
 
             if (request.claims) {
@@ -645,9 +656,10 @@ export class NativeBrokerPlugin implements INativeBrokerPlugin {
         ) {
             const { errorCode, errorStatus, errorContext, errorTag } =
                 error as MsalRuntimeError;
+            const tagString = StringUtils.tagToString(errorTag);
             const enhancedErrorContext = errorContext
-                ? `${errorContext} (Error Code: ${errorCode}, Tag: ${errorTag})`
-                : `(Error Code: ${errorCode}, Tag: ${errorTag})`;
+                ? `${errorContext} (Error Code: ${errorCode}, Tag: ${tagString})`
+                : `(Error Code: ${errorCode}, Tag: ${tagString})`;
             switch (errorStatus) {
                 case ErrorStatus.InteractionRequired:
                 case ErrorStatus.AccountUnusable:

extensions/msal-node-extensions/src/error/NativeAuthError.ts

@@ -4,10 +4,11 @@
  */
 
 import { AuthError } from "@azure/msal-common/node";
+import { StringUtils } from "../utils/StringUtils.js";
 
 export class NativeAuthError extends AuthError {
     public statusCode: number;
-    public tag: number;
+    public tag: string;
 
     constructor(
         errorStatus: string,
@@ -18,7 +19,7 @@ export class NativeAuthError extends AuthError {
         super(errorStatus, errorContext);
         this.name = "NativeAuthError";
         this.statusCode = errorCode;
-        this.tag = errorTag;
+        this.tag = StringUtils.tagToString(errorTag);
         Object.setPrototypeOf(this, NativeAuthError.prototype);
     }
 }

extensions/msal-node-extensions/src/index.ts

@@ -14,4 +14,5 @@ export { CrossPlatformLockOptions } from "./lock/CrossPlatformLockOptions.js";
 export { PersistenceCreator } from "./persistence/PersistenceCreator.js";
 export { IPersistenceConfiguration } from "./persistence/IPersistenceConfiguration.js";
 export { Environment } from "./utils/Environment.js";
+export { StringUtils } from "./utils/StringUtils.js";
 export { NativeBrokerPlugin } from "./broker/NativeBrokerPlugin.js";

extensions/msal-node-extensions/src/utils/StringUtils.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+export class StringUtils {
+    /**
+     * Converts a numeric tag to a string representation
+     * @param tag - The numeric tag to convert
+     * @returns The string representation of the tag
+     */
+    static tagToString(tag: number): string {
+        if (tag === 0) {
+            return "UNTAG";
+        }
+
+        const tagSymbolSpace =
+            "abcdefghijklmnopqrstuvwxyz0123456789****************************";
+        let tagBuffer = "*****";
+
+        const chars = [
+            tagSymbolSpace[(tag >> 24) & 0x3f],
+            tagSymbolSpace[(tag >> 18) & 0x3f],
+            tagSymbolSpace[(tag >> 12) & 0x3f],
+            tagSymbolSpace[(tag >> 6) & 0x3f],
+            tagSymbolSpace[(tag >> 0) & 0x3f],
+        ];
+
+        tagBuffer = chars.join("");
+
+        return tagBuffer;
+    }
+}

extensions/msal-node-extensions/test/broker/NativeBrokerPlugin.spec.ts

@@ -55,6 +55,7 @@ import {
 } from "@azure/msal-common";
 import { randomUUID } from "crypto";
 import { NativeAuthError } from "../../src/error/NativeAuthError";
+import { StringUtils } from "../../src/utils/StringUtils.js";
 import {
     testMsalRuntimeAccount,
     testAccountInfo,
@@ -87,8 +88,16 @@ function createMockAuthResult(
 if (process.platform === "win32") {
     describe("NativeBrokerPlugin", () => {
         const enhancedErrorContext = msalRuntimeExampleError.errorContext
-            ? `${msalRuntimeExampleError.errorContext} (Error Code: ${msalRuntimeExampleError.errorCode}, Tag: ${msalRuntimeExampleError.errorTag})`
-            : `(Error Code: ${msalRuntimeExampleError.errorCode}, Tag: ${msalRuntimeExampleError.errorTag})`;
+            ? `${msalRuntimeExampleError.errorContext} (Error Code: ${
+                  msalRuntimeExampleError.errorCode
+              }, Tag: ${StringUtils.tagToString(
+                  msalRuntimeExampleError.errorTag
+              )})`
+            : `(Error Code: ${
+                  msalRuntimeExampleError.errorCode
+              }, Tag: ${StringUtils.tagToString(
+                  msalRuntimeExampleError.errorTag
+              )})`;
         const testNativeAuthError = new NativeAuthError(
             ErrorStatus[msalRuntimeExampleError.errorStatus],
             enhancedErrorContext,
@@ -672,7 +681,7 @@ if (process.platform === "win32") {
                     scopes: testAuthenticationResult.scopes,
                     correlationId: testCorrelationId,
                     authority: testAuthenticationResult.authority,
-                    redirectUri: TEST_REDIRECTURI,
+                    redirectUri: "",
                 };
 
                 const chooseRedirectUriMock = jest.spyOn(
@@ -1509,7 +1518,7 @@ if (process.platform === "win32") {
                     scopes: testAuthenticationResult.scopes,
                     correlationId: testCorrelationId,
                     authority: testAuthenticationResult.authority,
-                    redirectUri: TEST_REDIRECTURI,
+                    redirectUri: "",
                 };
 
                 const chooseRedirectUriMock = jest.spyOn(
@@ -2287,7 +2296,7 @@ if (process.platform === "win32") {
                 scopes: testAuthenticationResult.scopes,
                 correlationId: testCorrelationId,
                 authority: testAuthenticationResult.authority,
-                redirectUri: TEST_REDIRECTURI,
+                redirectUri: "",
             };
 
             const chooseRedirectUriMock = jest.spyOn(
@@ -2332,7 +2341,7 @@ if (process.platform === "win32") {
                 scopes: testAuthenticationResult.scopes,
                 correlationId: testCorrelationId,
                 authority: testAuthenticationResult.authority,
-                redirectUri: TEST_REDIRECTURI,
+                redirectUri: "",
             };
 
             const chooseRedirectUriMock = jest.spyOn(
@@ -2385,7 +2394,7 @@ if (process.platform === "win32") {
                 scopes: testAuthenticationResult.scopes,
                 correlationId: testCorrelationId,
                 authority: testAuthenticationResult.authority,
-                redirectUri: TEST_REDIRECTURI,
+                redirectUri: "",
             };
 
             const chooseRedirectUriMock = jest.spyOn(
@@ -2430,7 +2439,7 @@ if (process.platform === "win32") {
                 scopes: testAuthenticationResult.scopes,
                 correlationId: testCorrelationId,
                 authority: testAuthenticationResult.authority,
-                redirectUri: TEST_REDIRECTURI,
+                redirectUri: "",
             };
 
             const chooseRedirectUriMock = jest.spyOn(

extensions/msal-node-extensions/test/utils/StringUtils.test.ts

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import { StringUtils } from "../../src/utils/StringUtils.js";
+
+describe("StringUtils", () => {
+    describe("tagToString tests", () => {
+        it("Returns 'UNTAG' for tag value 0", () => {
+            expect(StringUtils.tagToString(0)).toBe("UNTAG");
+        });
+
+        it("Converts numeric tag to 5-character string", () => {
+            const tag = 0x01234567;
+            const result = StringUtils.tagToString(tag);
+
+            expect(result).toHaveLength(5);
+            expect(typeof result).toBe("string");
+        });
+
+        it("Produce same results for same input", () => {
+            const tag = 0x12345678;
+            const result1 = StringUtils.tagToString(tag);
+            const result2 = StringUtils.tagToString(tag);
+
+            expect(result1).toBe(result2);
+        });
+    });
+});

lib/msal-node/apiReview/msal-node.api.md

@@ -325,7 +325,7 @@ export { InteractionRequiredAuthErrorCodes }
 export { InteractionRequiredAuthErrorMessage }
 
 // @public
-export type InteractiveRequest = Partial<Omit<CommonAuthorizationUrlRequest, "scopes" | "redirectUri" | "requestedClaimsHash" | "storeInCache">> & {
+export type InteractiveRequest = Partial<Omit<CommonAuthorizationUrlRequest, "scopes" | "requestedClaimsHash" | "storeInCache">> & {
     openBrowser: (url: string) => Promise<void>;
     scopes?: Array<string>;
     successTemplate?: string;

lib/msal-node/src/client/PublicClientApplication.ts

@@ -163,7 +163,7 @@ export class PublicClientApplication
                 ...remainingProperties,
                 clientId: this.config.auth.clientId,
                 scopes: request.scopes || OIDC_DEFAULT_SCOPES,
-                redirectUri: `${Constants.HTTP_PROTOCOL}${Constants.LOCALHOST}`,
+                redirectUri: request.redirectUri || "",
                 authority: request.authority || this.config.auth.authority,
                 correlationId: correlationId,
                 extraParameters: {
@@ -179,6 +179,9 @@ export class PublicClientApplication
             );
         }
 
+        if (request.redirectUri) {
+            throw NodeAuthError.createRedirectUriNotSupportedError();
+        }
         const { verifier, challenge } =
             await this.cryptoProvider.generatePkceCodes();
 
@@ -258,7 +261,7 @@ export class PublicClientApplication
                 ...request,
                 clientId: this.config.auth.clientId,
                 scopes: request.scopes || OIDC_DEFAULT_SCOPES,
-                redirectUri: `${Constants.HTTP_PROTOCOL}${Constants.LOCALHOST}`,
+                redirectUri: request.redirectUri || "",
                 authority: request.authority || this.config.auth.authority,
                 correlationId: correlationId,
                 extraParameters: {
@@ -271,6 +274,10 @@ export class PublicClientApplication
             return this.nativeBrokerPlugin.acquireTokenSilent(brokerRequest);
         }
 
+        if (request.redirectUri) {
+            throw NodeAuthError.createRedirectUriNotSupportedError();
+        }
+
         return super.acquireTokenSilent(request);
     }