AzureAD · Robbie-Microsoft · Apr 30, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024
diff --git a/change/@azure-msal-common-d9223c68-d959-4da8-8a74-caa4f751c48a.json b/change/@azure-msal-common-d9223c68-d959-4da8-8a74-caa4f751c48a.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Client Assertion Implementation now accepts a callback instead of a string argument",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-93a9e21c-c628-4ae1-ad55-2e1217792f32.json b/change/@azure-msal-node-93a9e21c-c628-4ae1-ad55-2e1217792f32.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Client Assertion Implementation now accepts a callback instead of a string argument",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -3,11 +3,14 @@
  * Licensed under the MIT License.
  */
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export type ClientAssertionCallbackFunction = (...args: any[]) => string;
+
 /**
  * Client Assertion credential for Confidential Clients
  */
 export type ClientAssertion = {
-    assertion: string;
+    assertion: ClientAssertionCallbackFunction;
     assertionType: string;
 };
 

@@ -50,6 +50,7 @@ import { RequestValidator } from "../request/RequestValidator";
 import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
 import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";
 import { invokeAsync } from "../utils/FunctionWrappers";
+import { ClientAssertion } from "../account/ClientCredentials";
 
 /**
  * Oauth2.0 Authorization Code client
@@ -364,9 +365,9 @@ export class AuthorizationCodeClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+            parameterBuilder.addClientAssertion(clientAssertion.assertion());
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -48,6 +48,7 @@ import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";
 import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
 import { invoke, invokeAsync } from "../utils/FunctionWrappers";
 import { generateCredentialKey } from "../cache/utils/CacheHelpers";
+import { ClientAssertion } from "../account/ClientCredentials";
 
 const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
 
@@ -385,9 +386,9 @@ export class RefreshTokenClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+            parameterBuilder.addClientAssertion(clientAssertion.assertion());
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -133,7 +133,10 @@ export { NativeRequest } from "./request/NativeRequest";
 export { NativeSignOutRequest } from "./request/NativeSignOutRequest";
 export { RequestParameterBuilder } from "./request/RequestParameterBuilder";
 export { StoreInCache } from "./request/StoreInCache";
-export { ClientAssertion } from "./account/ClientCredentials";
+export {
+    ClientAssertion,
+    ClientAssertionCallbackFunction,
+} from "./account/ClientCredentials";
 // Response
 export { AzureRegion } from "./authority/AzureRegion";
 export { AzureRegionConfiguration } from "./authority/AzureRegionConfiguration";

@@ -23,6 +23,7 @@ import {
     ClientConfigurationErrorMessage,
     createClientConfigurationError,
 } from "../../src/error/ClientConfigurationError";
+import { ClientAssertion } from "../../src";
 
 describe("RequestParameterBuilder unit tests", () => {
     it("constructor", () => {
@@ -380,13 +381,13 @@ describe("RequestParameterBuilder unit tests", () => {
     });
 
     it("adds clientAssertion and assertionType if they are passed in as strings", () => {
-        const clientAssertion = {
-            assertion: "testAssertion",
+        const clientAssertion: ClientAssertion = {
+            assertion: () => "testAssertion",
             assertionType: "jwt-bearer",
         };
 
         const requestParameterBuilder = new RequestParameterBuilder();
-        requestParameterBuilder.addClientAssertion(clientAssertion.assertion);
+        requestParameterBuilder.addClientAssertion(clientAssertion.assertion());
         requestParameterBuilder.addClientAssertionType(
             clientAssertion.assertionType
         );
@@ -408,13 +409,13 @@ describe("RequestParameterBuilder unit tests", () => {
     });
 
     it("doesn't add client assertion and client assertion type if they are empty strings", () => {
-        const clientAssertion = {
-            assertion: "",
+        const clientAssertion: ClientAssertion = {
+            assertion: () => "",
             assertionType: "",
         };
 
         const requestParameterBuilder = new RequestParameterBuilder();
-        requestParameterBuilder.addClientAssertion(clientAssertion.assertion);
+        requestParameterBuilder.addClientAssertion(clientAssertion.assertion());
         requestParameterBuilder.addClientAssertionType(
             clientAssertion.assertionType
         );