AzureAD · lalimasharda · May 15, 2025 · Mar 11, 2025 · Mar 12, 2025 · Mar 12, 2025
diff --git a/change/@azure-msal-browser-a202c777-7916-40aa-a0fe-81b7a800d1c7.json b/change/@azure-msal-browser-a202c777-7916-40aa-a0fe-81b7a800d1c7.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for new platform broker flow via DOM API #7632",
+  "packageName": "@azure/msal-browser",
+  "email": "lalimasharda@microsoft.com",
+  "dependentChangeType": "patch"
+}
@@ -1143,6 +1143,13 @@ function isInIframe(): boolean;
 // @public
 function isInPopup(): boolean;
 
+// Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+// Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+// Warning: (ae-missing-release-tag) "isPlatformBrokerAvailable" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
+//
+// @public
+export function isPlatformBrokerAvailable(loggerOptions?: LoggerOptions, perfClient?: IPerformanceClient, correlationId?: string): Promise<boolean>;
+
 // Warning: (ae-missing-release-tag) "ITokenCache" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public (undocumented)

@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import { PlatformBrokerRequest } from "./PlatformBrokerRequest.js";
+import { PlatformBrokerResponse } from "./PlatformBrokerResponse.js";
+
+/**
+ * Interface for the Platform Broker Handlers
+ */
+export interface IPlatformAuthHandler {
+    getExtensionId(): string | undefined;
+    getExtensionVersion(): string | undefined;
+    getExtensionName(): string | undefined;
+    sendMessage(
+        request: PlatformBrokerRequest
+    ): Promise<PlatformBrokerResponse>;
+}
@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import {
+    Logger,
+    createAuthError,
+    AuthErrorCodes,
+    IPerformanceClient,
+    StringDict,
+} from "@azure/msal-common/browser";
+import {
+    PlatformBrokerRequest,
+    PlatformDOMTokenRequest,
+} from "./PlatformBrokerRequest.js";
+import { PlatformAuthConstants } from "../../utils/BrowserConstants.js";
+import {
+    PlatformBrokerResponse,
+    PlatformDOMTokenResponse,
+} from "./PlatformBrokerResponse.js";
+import { createNativeAuthError } from "../../error/NativeAuthError.js";
+import { IPlatformAuthHandler } from "./IPlatformAuthHandler.js";
+
+export class PlatformAuthDOMHandler implements IPlatformAuthHandler {
+    protected logger: Logger;
+    protected performanceClient: IPerformanceClient;
+    protected correlationId: string;
+    platformAuthType: string;
+
+    constructor(
+        logger: Logger,
+        performanceClient: IPerformanceClient,
+        correlationId: string
+    ) {
+        this.logger = logger;
+        this.performanceClient = performanceClient;
+        this.correlationId = correlationId;
+        this.platformAuthType = PlatformAuthConstants.PLATFORM_DOM_PROVIDER;
+    }
+
+    static async createProvider(
+        logger: Logger,
+        performanceClient: IPerformanceClient,
+        correlationId: string
+    ): Promise<PlatformAuthDOMHandler | undefined> {
+        logger.trace("PlatformAuthDOMHandler: createProvider called");
+
+        // @ts-ignore
+        if (window.navigator?.platformAuthentication) {
+            const supportedContracts =
+                // @ts-ignore
+                await window.navigator.platformAuthentication.getSupportedContracts(
+                    PlatformAuthConstants.MICROSOFT_ENTRA_BROKERID
+                );
+            if (
+                supportedContracts?.includes(
+                    PlatformAuthConstants.PLATFORM_DOM_APIS
+                )
+            ) {
+                logger.trace("Platform auth api available in DOM");
+                return new PlatformAuthDOMHandler(
+                    logger,
+                    performanceClient,
+                    correlationId
+                );
+            }
+        }
+        return undefined;
+    }
+
+    /**
+     * Returns the Id for the broker extension this handler is communicating with
+     * @returns
+     */
+    getExtensionId(): string {
+        return PlatformAuthConstants.MICROSOFT_ENTRA_BROKERID;
+    }
+
+    getExtensionVersion(): string | undefined {
+        return "";
+    }
+
+    getExtensionName(): string | undefined {
+        return PlatformAuthConstants.DOM_API_NAME;
+    }
+
+    /**
+     * Send token request to platform broker via browser DOM API
+     * @param request
+     * @returns
+     */
+    async sendMessage(
+        request: PlatformBrokerRequest
+    ): Promise<PlatformBrokerResponse> {
+        this.logger.trace(
+            this.platformAuthType + " - Sending request to browser DOM API"
+        );
+
+        try {
+            const platformDOMRequest: PlatformDOMTokenRequest =
+                this.initializePlatformDOMRequest(request);
+            const response: object =
+                // @ts-ignore
+                await window.navigator.platformAuthentication.executeGetToken(
+                    platformDOMRequest
+                );
+            return this.validatePlatformBrokerResponse(response);
+        } catch (e) {
+            this.logger.error(
+                this.platformAuthType + " - executeGetToken DOM API error"
+            );
+            throw e;
+        }
+    }
+
+    private initializePlatformDOMRequest(
+        request: PlatformBrokerRequest
+    ): PlatformDOMTokenRequest {
+        this.logger.trace(
+            this.platformAuthType + " - initializeNativeDOMRequest called"
+        );
+
+        const {
+            accountId,
+            clientId,
+            authority,
+            scope,
+            redirectUri,
+            correlationId,
+            state,
+            storeInCache,
+            embeddedClientId,
+            extraParameters,
+            ...remainingProperties
+        } = request;
+
+        const validExtraParameters =
+            this.stringifyExtraParameters(remainingProperties);
+
+        const platformDOMRequest: PlatformDOMTokenRequest = {
+            accountId: accountId,
+            brokerId: this.getExtensionId(),
+            authority: authority,
+            clientId: clientId,
+            correlationId: correlationId || this.correlationId,
+            extraParameters: { ...extraParameters, ...validExtraParameters },
+            isSecurityTokenService: false,
+            redirectUri: redirectUri,
+            scope: scope,
+            state: state,
+            storeInCache: storeInCache,
+            embeddedClientId: embeddedClientId,
+        };
+
+        return platformDOMRequest;
+    }
+
+    private validatePlatformBrokerResponse(
+        response: object
+    ): PlatformBrokerResponse {
+        if (response.hasOwnProperty("isSuccess")) {
+            if (
+                response.hasOwnProperty("accessToken") &&
+                response.hasOwnProperty("idToken") &&
+                response.hasOwnProperty("clientInfo") &&
+                response.hasOwnProperty("account") &&
+                response.hasOwnProperty("scopes") &&
+                response.hasOwnProperty("expiresIn")
+            ) {
+                this.logger.trace(
+                    this.platformAuthType +
+                        " - platform broker returned successful and valid response"
+                );
+                return this.convertToPlatformBrokerResponse(
+                    response as PlatformDOMTokenResponse
+                );
+            } else if (response.hasOwnProperty("error")) {
+                const errorResponse = response as PlatformDOMTokenResponse;
+                if (
+                    errorResponse.isSuccess === false &&
+                    errorResponse.error &&
+                    errorResponse.error.code
+                ) {
+                    this.logger.trace(
+                        this.platformAuthType +
+                            " - platform broker returned error response"
+                    );
+                    throw createNativeAuthError(
+                        errorResponse.error.code,
+                        errorResponse.error.description,
+                        {
+                            error: parseInt(errorResponse.error.errorCode),
+                            protocol_error: errorResponse.error.protocolError,
+                            status: errorResponse.error.status,
+                            properties: errorResponse.error.properties,
+                        }
+                    );
+                }
+            }
+        }
+        throw createAuthError(
+            AuthErrorCodes.unexpectedError,
+            "Response missing expected properties."
+        );
+    }
+
+    private convertToPlatformBrokerResponse(
+        response: PlatformDOMTokenResponse
+    ): PlatformBrokerResponse {
+        this.logger.trace(
+            this.platformAuthType + " - convertToNativeResponse called"
+        );
+        const nativeResponse: PlatformBrokerResponse = {
+            access_token: response.accessToken,
+            id_token: response.idToken,
+            client_info: response.clientInfo,
+            account: response.account,
+            expires_in: response.expiresIn,
+            scope: response.scopes,
+            state: response.state || "",
+            properties: response.properties || {},
+            extendedLifetimeToken: response.extendedLifetimeToken ?? false,
+            shr: response.proofOfPossessionPayload,
+        };
+
+        return nativeResponse;
+    }
+
+    private stringifyExtraParameters(
+        extraParameters: Record<string, unknown>
+    ): StringDict {
+        return Object.entries(extraParameters).reduce(
+            (record, [key, value]) => {
+                record[key] = String(value);
+                return record;
+            },
+            {} as StringDict
+        );
+    }
+}