AzureAD · Robbie-Microsoft · Apr 30, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024
diff --git a/change/@azure-msal-common-d9223c68-d959-4da8-8a74-caa4f751c48a.json b/change/@azure-msal-common-d9223c68-d959-4da8-8a74-caa4f751c48a.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Client Assertion Implementation now accepts a callback instead of a string argument",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-93a9e21c-c628-4ae1-ad55-2e1217792f32.json b/change/@azure-msal-node-93a9e21c-c628-4ae1-ad55-2e1217792f32.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Client Assertion Implementation now accepts a callback instead of a string argument",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -3,11 +3,20 @@
  * Licensed under the MIT License.
  */
 
+export type ClientAssertionConfig = {
+    clientId: string;
+    tokenEndpoint?: string;
+};
+
+export type ClientAssertionCallbackFunction = (
+    config: ClientAssertionConfig
+) => Promise<string>;
+
 /**
  * Client Assertion credential for Confidential Clients
  */
 export type ClientAssertion = {
-    assertion: string;
+    assertion: string | ClientAssertionCallbackFunction;
     assertionType: string;
 };
 

@@ -50,6 +50,8 @@ import { RequestValidator } from "../request/RequestValidator";
 import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
 import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";
 import { invokeAsync } from "../utils/FunctionWrappers";
+import { ClientAssertion } from "../account/ClientCredentials";
+import { getClientAssertion } from "../utils/ClientAssertionUtils";
 
 /**
  * Oauth2.0 Authorization Code client
@@ -364,9 +366,16 @@ export class AuthorizationCodeClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+
+            parameterBuilder.addClientAssertion(
+                await getClientAssertion(
+                    clientAssertion.assertion,
+                    this.config.authOptions.clientId,
+                    request.resourceRequestUri
+                )
+            );
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -48,6 +48,8 @@ import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";
 import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
 import { invoke, invokeAsync } from "../utils/FunctionWrappers";
 import { generateCredentialKey } from "../cache/utils/CacheHelpers";
+import { ClientAssertion } from "../account/ClientCredentials";
+import { getClientAssertion } from "../utils/ClientAssertionUtils";
 
 const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
 
@@ -385,9 +387,16 @@ export class RefreshTokenClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+
+            parameterBuilder.addClientAssertion(
+                await getClientAssertion(
+                    clientAssertion.assertion,
+                    this.config.authOptions.clientId,
+                    request.resourceRequestUri
+                )
+            );
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -133,7 +133,10 @@ export { NativeRequest } from "./request/NativeRequest";
 export { NativeSignOutRequest } from "./request/NativeSignOutRequest";
 export { RequestParameterBuilder } from "./request/RequestParameterBuilder";
 export { StoreInCache } from "./request/StoreInCache";
-export { ClientAssertion } from "./account/ClientCredentials";
+export {
+    ClientAssertion,
+    ClientAssertionCallbackFunction,
+} from "./account/ClientCredentials";
 // Response
 export { AzureRegion } from "./authority/AzureRegion";
 export { AzureRegionConfiguration } from "./authority/AzureRegionConfiguration";
@@ -182,6 +185,7 @@ export {
     createClientConfigurationError,
 } from "./error/ClientConfigurationError";
 // Constants and Utils
+export { getClientAssertion } from "./utils/ClientAssertionUtils";
 export {
     Constants,
     OIDC_DEFAULT_SCOPES,
@@ -218,6 +222,7 @@ export {
 } from "./utils/ProtocolUtils";
 export * as TimeUtils from "./utils/TimeUtils";
 export * as UrlUtils from "./utils/UrlUtils";
+export * as ClientAssertionUtils from "./utils/ClientAssertionUtils";
 export * from "./utils/FunctionWrappers";
 // Server Telemetry
 export { ServerTelemetryManager } from "./telemetry/server/ServerTelemetryManager";

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import {
+    ClientAssertionCallbackFunction,
+    ClientAssertionConfig,
+} from "../account/ClientCredentials";
+
+export async function getClientAssertion(
+    clientAssertion: string | ClientAssertionCallbackFunction,
+    clientId: string,
+    tokenEndpoint?: string
+): Promise<string> {
+    if (typeof clientAssertion === "string") {
+        return clientAssertion;
+    } else {
+        const config: ClientAssertionConfig = {
+            clientId: clientId,
+            tokenEndpoint: tokenEndpoint,
+        };
+        return clientAssertion(config);
+    }
+}
@@ -23,6 +23,9 @@ import {
     ClientConfigurationErrorMessage,
     createClientConfigurationError,
 } from "../../src/error/ClientConfigurationError";
+import { ClientAssertion, ClientAssertionCallbackFunction } from "../../src";
+import { getClientAssertion } from "../../src/utils/ClientAssertionUtils";
+import { ClientAssertionConfig } from "../../src/account/ClientCredentials";
 
 describe("RequestParameterBuilder unit tests", () => {
     it("constructor", () => {
@@ -379,14 +382,20 @@ describe("RequestParameterBuilder unit tests", () => {
         sinon.restore();
     });
 
-    it("adds clientAssertion and assertionType if they are passed in as strings", () => {
-        const clientAssertion = {
+    it("adds clientAssertion (string) and assertionType if they are provided by the developer", async () => {
+        const clientAssertion: ClientAssertion = {
             assertion: "testAssertion",
             assertionType: "jwt-bearer",
         };
 
         const requestParameterBuilder = new RequestParameterBuilder();
-        requestParameterBuilder.addClientAssertion(clientAssertion.assertion);
+        requestParameterBuilder.addClientAssertion(
+            await getClientAssertion(
+                clientAssertion.assertion,
+                "client_id",
+                "optional_token_endpoint"
+            )
+        );
         requestParameterBuilder.addClientAssertionType(
             clientAssertion.assertionType
         );
@@ -407,14 +416,92 @@ describe("RequestParameterBuilder unit tests", () => {
         ).toBe(true);
     });
 
-    it("doesn't add client assertion and client assertion type if they are empty strings", () => {
-        const clientAssertion = {
+    it("doesn't add client assertion (string) and client assertion type if they are empty strings", async () => {
+        const clientAssertion: ClientAssertion = {
             assertion: "",
             assertionType: "",
         };
 
         const requestParameterBuilder = new RequestParameterBuilder();
-        requestParameterBuilder.addClientAssertion(clientAssertion.assertion);
+        requestParameterBuilder.addClientAssertion(
+            await getClientAssertion(
+                clientAssertion.assertion,
+                "client_id",
+                "optional_token_endpoint"
+            )
+        );
+        requestParameterBuilder.addClientAssertionType(
+            clientAssertion.assertionType
+        );
+        const requestQueryString = requestParameterBuilder.createQueryString();
+        expect(
+            requestQueryString.includes(AADServerParamKeys.CLIENT_ASSERTION)
+        ).toBe(false);
+        expect(
+            requestQueryString.includes(
+                AADServerParamKeys.CLIENT_ASSERTION_TYPE
+            )
+        ).toBe(false);
+    });
+
+    it("adds clientAssertion (ClientAssertionCallbackFunction) and assertionType if they are provided by the developer", async () => {
+        const clientAssertionCallbackFunction: ClientAssertionCallbackFunction =
+            (_config: ClientAssertionConfig) => {
+                return Promise.resolve("testAssertion");
+            };
+
+        const clientAssertion: ClientAssertion = {
+            assertion: clientAssertionCallbackFunction,
+            assertionType: "jwt-bearer",
+        };
+
+        const requestParameterBuilder = new RequestParameterBuilder();
+        requestParameterBuilder.addClientAssertion(
+            await getClientAssertion(
+                clientAssertion.assertion,
+                "client_id",
+                "optional_token_endpoint"
+            )
+        );
+        requestParameterBuilder.addClientAssertionType(
+            clientAssertion.assertionType
+        );
+        const requestQueryString = requestParameterBuilder.createQueryString();
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CLIENT_ASSERTION}=${encodeURIComponent(
+                    "testAssertion"
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${
+                    AADServerParamKeys.CLIENT_ASSERTION_TYPE
+                }=${encodeURIComponent("jwt-bearer")}`
+            )
+        ).toBe(true);
+    });
+
+    it("doesn't add client assertion (ClientAssertionCallbackFunction) and client assertion type if they are empty strings", async () => {
+        const clientAssertionCallbackFunction: ClientAssertionCallbackFunction =
+            (_config: ClientAssertionConfig) => {
+                return Promise.resolve("");
+            };
+
+        const clientAssertion: ClientAssertion = {
+            assertion: clientAssertionCallbackFunction,
+            assertionType: "",
+        };
+
+        const requestParameterBuilder = new RequestParameterBuilder();
+        requestParameterBuilder.addClientAssertion(
+            await getClientAssertion(
+                clientAssertion.assertion,
+                "client_id",
+                "optional_token_endpoint"
+            )
+        );
         requestParameterBuilder.addClientAssertionType(
             clientAssertion.assertionType
         );

diff --git a/lib/msal-node/api/msal-node.api.md b/lib/msal-node/api/msal-node.api.md
@@ -3,57 +3,61 @@
 > Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/).
 
 ```ts
-import { AccessTokenCache } from "@azure/msal-common";
-import { AccessTokenEntity } from "@azure/msal-common";
-import { AccountCache } from "@azure/msal-common";
-import { AccountEntity } from "@azure/msal-common";
-import { AccountInfo } from "@azure/msal-common";
-import { AppMetadataCache } from "@azure/msal-common";
-import { AppMetadataEntity } from "@azure/msal-common";
-import { AuthenticationResult } from "@azure/msal-common";
-import { AuthError } from "@azure/msal-common";
-import { AuthErrorMessage } from "@azure/msal-common";
-import { AuthorityMetadataEntity } from "@azure/msal-common";
-import { BaseAuthRequest } from "@azure/msal-common";
-import { CacheManager } from "@azure/msal-common";
-import { ClientAuthError } from "@azure/msal-common";
-import { ClientAuthErrorMessage } from "@azure/msal-common";
-import { ClientConfiguration } from "@azure/msal-common";
-import { ClientConfigurationError } from "@azure/msal-common";
-import { ClientConfigurationErrorMessage } from "@azure/msal-common";
-import { CommonAuthorizationCodeRequest } from "@azure/msal-common";
-import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
-import { CommonClientCredentialRequest } from "@azure/msal-common";
-import { CommonDeviceCodeRequest } from "@azure/msal-common";
-import { CommonOnBehalfOfRequest } from "@azure/msal-common";
-import { CommonRefreshTokenRequest } from "@azure/msal-common";
-import { CommonSilentFlowRequest } from "@azure/msal-common";
-import { CommonUsernamePasswordRequest } from "@azure/msal-common";
-import { DeviceCodeResponse } from "@azure/msal-common";
-import { ICachePlugin } from "@azure/msal-common";
-import { ICrypto } from "@azure/msal-common";
-import { IdTokenCache } from "@azure/msal-common";
-import { IdTokenEntity } from "@azure/msal-common";
-import { INetworkModule } from "@azure/msal-common";
-import { InteractionRequiredAuthError } from "@azure/msal-common";
-import { ISerializableTokenCache } from "@azure/msal-common";
-import { Logger } from "@azure/msal-common";
-import { LoggerOptions } from "@azure/msal-common";
-import { LogLevel } from "@azure/msal-common";
-import { NetworkRequestOptions } from "@azure/msal-common";
-import { NetworkResponse } from "@azure/msal-common";
-import { PkceCodes } from "@azure/msal-common";
-import { PromptValue } from "@azure/msal-common";
-import { ProtocolMode } from "@azure/msal-common";
-import { RefreshTokenCache } from "@azure/msal-common";
-import { RefreshTokenEntity } from "@azure/msal-common";
-import { ResponseMode } from "@azure/msal-common";
-import { ServerError } from "@azure/msal-common";
-import { ServerTelemetryEntity } from "@azure/msal-common";
-import { ServerTelemetryManager } from "@azure/msal-common";
-import { ThrottlingEntity } from "@azure/msal-common";
-import { TokenCacheContext } from "@azure/msal-common";
-import { ValidCacheType } from "@azure/msal-common";
+import {
+    AccessTokenCache,
+    AccessTokenEntity,
+    AccountCache,
+    AccountEntity,
+    AccountInfo,
+    AppMetadataCache,
+    AppMetadataEntity,
+    AuthenticationResult,
+    AuthError,
+    AuthErrorMessage,
+    AuthorityMetadataEntity,
+    BaseAuthRequest,
+    CacheManager,
+    ClientAssertion,
+    ClientAssertionCallbackFunction,
+    ClientAuthError,
+    ClientAuthErrorMessage,
+    ClientConfiguration,
+    ClientConfigurationError,
+    ClientConfigurationErrorMessage,
+    CommonAuthorizationCodeRequest,
+    CommonAuthorizationUrlRequest,
+    CommonClientCredentialRequest,
+    CommonDeviceCodeRequest,
+    CommonOnBehalfOfRequest,
+    CommonRefreshTokenRequest,
+    CommonSilentFlowRequest,
+    CommonUsernamePasswordRequest,
+    DeviceCodeResponse,
+    ICachePlugin,
+    ICrypto,
+    IdTokenCache,
+    IdTokenEntity,
+    INetworkModule,
+    InteractionRequiredAuthError,
+    ISerializableTokenCache,
+    Logger,
+    LoggerOptions,
+    LogLevel,
+    NetworkRequestOptions,
+    NetworkResponse,
+    PkceCodes,
+    PromptValue,
+    ProtocolMode,
+    RefreshTokenCache,
+    RefreshTokenEntity,
+    ResponseMode,
+    ServerError,
+    ServerTelemetryEntity,
+    ServerTelemetryManager,
+    ThrottlingEntity,
+    TokenCacheContext,
+    ValidCacheType,
+} from "@azure/msal-common";
 
 export { AccountInfo };
 
@@ -318,7 +322,7 @@ export type NodeAuthOptions = {
     clientId: string;
     authority?: string;
     clientSecret?: string;
-    clientAssertion?: string;
+    clientAssertion?: string | ClientAssertion;
     clientCertificate?: {
         thumbprint: string;
         privateKey: string;