AzureAD · Robbie-Microsoft · Apr 30, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024
diff --git a/change/@azure-msal-common-d9223c68-d959-4da8-8a74-caa4f751c48a.json b/change/@azure-msal-common-d9223c68-d959-4da8-8a74-caa4f751c48a.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Client Assertion Implementation now accepts a callback instead of a string argument",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-93a9e21c-c628-4ae1-ad55-2e1217792f32.json b/change/@azure-msal-node-93a9e21c-c628-4ae1-ad55-2e1217792f32.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Client Assertion Implementation now accepts a callback instead of a string argument",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -3,11 +3,14 @@
  * Licensed under the MIT License.
  */
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export type ClientAssertionCallbackFunction = (...args: any[]) => string;
+
 /**
  * Client Assertion credential for Confidential Clients
  */
 export type ClientAssertion = {
-    assertion: string;
+    assertion: ClientAssertionCallbackFunction;
     assertionType: string;
 };
 

@@ -50,6 +50,7 @@ import { RequestValidator } from "../request/RequestValidator";
 import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
 import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";
 import { invokeAsync } from "../utils/FunctionWrappers";
+import { ClientAssertion } from "../account/ClientCredentials";
 
 /**
  * Oauth2.0 Authorization Code client
@@ -364,9 +365,9 @@ export class AuthorizationCodeClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+            parameterBuilder.addClientAssertion(clientAssertion.assertion());
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -48,6 +48,7 @@ import { PerformanceEvents } from "../telemetry/performance/PerformanceEvent";
 import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
 import { invoke, invokeAsync } from "../utils/FunctionWrappers";
 import { generateCredentialKey } from "../cache/utils/CacheHelpers";
+import { ClientAssertion } from "../account/ClientCredentials";
 
 const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
 
@@ -385,9 +386,9 @@ export class RefreshTokenClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+            parameterBuilder.addClientAssertion(clientAssertion.assertion());
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -133,7 +133,10 @@ export { NativeRequest } from "./request/NativeRequest";
 export { NativeSignOutRequest } from "./request/NativeSignOutRequest";
 export { RequestParameterBuilder } from "./request/RequestParameterBuilder";
 export { StoreInCache } from "./request/StoreInCache";
-export { ClientAssertion } from "./account/ClientCredentials";
+export {
+    ClientAssertion,
+    ClientAssertionCallbackFunction,
+} from "./account/ClientCredentials";
 // Response
 export { AzureRegion } from "./authority/AzureRegion";
 export { AzureRegionConfiguration } from "./authority/AzureRegionConfiguration";

@@ -23,6 +23,7 @@ import {
     ClientConfigurationErrorMessage,
     createClientConfigurationError,
 } from "../../src/error/ClientConfigurationError";
+import { ClientAssertion } from "../../src";
 
 describe("RequestParameterBuilder unit tests", () => {
     it("constructor", () => {
@@ -380,13 +381,13 @@ describe("RequestParameterBuilder unit tests", () => {
     });
 
     it("adds clientAssertion and assertionType if they are passed in as strings", () => {
-        const clientAssertion = {
-            assertion: "testAssertion",
+        const clientAssertion: ClientAssertion = {
+            assertion: () => "testAssertion",
             assertionType: "jwt-bearer",
         };
 
         const requestParameterBuilder = new RequestParameterBuilder();
-        requestParameterBuilder.addClientAssertion(clientAssertion.assertion);
+        requestParameterBuilder.addClientAssertion(clientAssertion.assertion());
         requestParameterBuilder.addClientAssertionType(
             clientAssertion.assertionType
         );
@@ -408,13 +409,13 @@ describe("RequestParameterBuilder unit tests", () => {
     });
 
     it("doesn't add client assertion and client assertion type if they are empty strings", () => {
-        const clientAssertion = {
-            assertion: "",
+        const clientAssertion: ClientAssertion = {
+            assertion: () => "",
             assertionType: "",
         };
 
         const requestParameterBuilder = new RequestParameterBuilder();
-        requestParameterBuilder.addClientAssertion(clientAssertion.assertion);
+        requestParameterBuilder.addClientAssertion(clientAssertion.assertion());
         requestParameterBuilder.addClientAssertionType(
             clientAssertion.assertionType
         );

diff --git a/lib/msal-node/api/msal-node.api.md b/lib/msal-node/api/msal-node.api.md
@@ -3,57 +3,60 @@
 > Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/).
 
 ```ts
-import { AccessTokenCache } from "@azure/msal-common";
-import { AccessTokenEntity } from "@azure/msal-common";
-import { AccountCache } from "@azure/msal-common";
-import { AccountEntity } from "@azure/msal-common";
-import { AccountInfo } from "@azure/msal-common";
-import { AppMetadataCache } from "@azure/msal-common";
-import { AppMetadataEntity } from "@azure/msal-common";
-import { AuthenticationResult } from "@azure/msal-common";
-import { AuthError } from "@azure/msal-common";
-import { AuthErrorMessage } from "@azure/msal-common";
-import { AuthorityMetadataEntity } from "@azure/msal-common";
-import { BaseAuthRequest } from "@azure/msal-common";
-import { CacheManager } from "@azure/msal-common";
-import { ClientAuthError } from "@azure/msal-common";
-import { ClientAuthErrorMessage } from "@azure/msal-common";
-import { ClientConfiguration } from "@azure/msal-common";
-import { ClientConfigurationError } from "@azure/msal-common";
-import { ClientConfigurationErrorMessage } from "@azure/msal-common";
-import { CommonAuthorizationCodeRequest } from "@azure/msal-common";
-import { CommonAuthorizationUrlRequest } from "@azure/msal-common";
-import { CommonClientCredentialRequest } from "@azure/msal-common";
-import { CommonDeviceCodeRequest } from "@azure/msal-common";
-import { CommonOnBehalfOfRequest } from "@azure/msal-common";
-import { CommonRefreshTokenRequest } from "@azure/msal-common";
-import { CommonSilentFlowRequest } from "@azure/msal-common";
-import { CommonUsernamePasswordRequest } from "@azure/msal-common";
-import { DeviceCodeResponse } from "@azure/msal-common";
-import { ICachePlugin } from "@azure/msal-common";
-import { ICrypto } from "@azure/msal-common";
-import { IdTokenCache } from "@azure/msal-common";
-import { IdTokenEntity } from "@azure/msal-common";
-import { INetworkModule } from "@azure/msal-common";
-import { InteractionRequiredAuthError } from "@azure/msal-common";
-import { ISerializableTokenCache } from "@azure/msal-common";
-import { Logger } from "@azure/msal-common";
-import { LoggerOptions } from "@azure/msal-common";
-import { LogLevel } from "@azure/msal-common";
-import { NetworkRequestOptions } from "@azure/msal-common";
-import { NetworkResponse } from "@azure/msal-common";
-import { PkceCodes } from "@azure/msal-common";
-import { PromptValue } from "@azure/msal-common";
-import { ProtocolMode } from "@azure/msal-common";
-import { RefreshTokenCache } from "@azure/msal-common";
-import { RefreshTokenEntity } from "@azure/msal-common";
-import { ResponseMode } from "@azure/msal-common";
-import { ServerError } from "@azure/msal-common";
-import { ServerTelemetryEntity } from "@azure/msal-common";
-import { ServerTelemetryManager } from "@azure/msal-common";
-import { ThrottlingEntity } from "@azure/msal-common";
-import { TokenCacheContext } from "@azure/msal-common";
-import { ValidCacheType } from "@azure/msal-common";
+import {
+    AccessTokenCache,
+    AccessTokenEntity,
+    AccountCache,
+    AccountEntity,
+    AccountInfo,
+    AppMetadataCache,
+    AppMetadataEntity,
+    AuthenticationResult,
+    AuthError,
+    AuthErrorMessage,
+    AuthorityMetadataEntity,
+    BaseAuthRequest,
+    CacheManager,
+    ClientAssertionCallbackFunction,
+    ClientAuthError,
+    ClientAuthErrorMessage,
+    ClientConfiguration,
+    ClientConfigurationError,
+    ClientConfigurationErrorMessage,
+    CommonAuthorizationCodeRequest,
+    CommonAuthorizationUrlRequest,
+    CommonClientCredentialRequest,
+    CommonDeviceCodeRequest,
+    CommonOnBehalfOfRequest,
+    CommonRefreshTokenRequest,
+    CommonSilentFlowRequest,
+    CommonUsernamePasswordRequest,
+    DeviceCodeResponse,
+    ICachePlugin,
+    ICrypto,
+    IdTokenCache,
+    IdTokenEntity,
+    INetworkModule,
+    InteractionRequiredAuthError,
+    ISerializableTokenCache,
+    Logger,
+    LoggerOptions,
+    LogLevel,
+    NetworkRequestOptions,
+    NetworkResponse,
+    PkceCodes,
+    PromptValue,
+    ProtocolMode,
+    RefreshTokenCache,
+    RefreshTokenEntity,
+    ResponseMode,
+    ServerError,
+    ServerTelemetryEntity,
+    ServerTelemetryManager,
+    ThrottlingEntity,
+    TokenCacheContext,
+    ValidCacheType,
+} from "@azure/msal-common";
 
 export { AccountInfo };
 
@@ -318,7 +321,7 @@ export type NodeAuthOptions = {
     clientId: string;
     authority?: string;
     clientSecret?: string;
-    clientAssertion?: string;
+    clientAssertion?: ClientAssertionCallbackFunction;
     clientCertificate?: {
         thumbprint: string;
         privateKey: string;

@@ -29,6 +29,7 @@ See the MSAL sample: [auth-code-with-certs](../../../samples/msal-node-samples/a
 import * as msal from "@azure/msal-node";
 import "dotenv/config"; // process.env now has the values defined in a .env file
 
+const assertionCallback = (): string => "assertion";
 const clientConfig = {
     auth: {
         clientId: "your_client_id",
@@ -38,7 +39,7 @@ const clientConfig = {
             thumbprint: process.env.thumbprint,
             privateKey: process.env.privateKey,
         }, // OR
-        clientAssertion: "assertion",
+        clientAssertion: assertionCallback,
     },
 };
 const pca = new msal.ConfidentialClientApplication(clientConfig);
@@ -53,7 +54,7 @@ const pca = new msal.ConfidentialClientApplication(clientConfig);
 -   A Client credential is mandatory for confidential clients. Client credential can be a:
     -   `clientSecret` is secret string generated set on the app registration.
     -   `clientCertificate` is a certificate set on the app registration. The `thumbprint` is a X.509 SHA-1 thumbprint of the certificate, and the `privateKey` is the PEM encoded private key. `x5c` is the optional X.509 certificate chain used in [subject name/issuer auth scenarios](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/sni.md).
-    -   `clientAssertion` is string that the application uses when requesting a token. The certificate used to sign the assertion should be set on the app registration. Assertion should be of type urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
+    -   `clientAssertion` is a callback function that returns a string that the application uses when requesting a token. The certificate used to sign the assertion should be set on the app registration. Assertion should be of type urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
 
 ## Configure Authority
 

@@ -33,6 +33,7 @@ import {
     createClientAuthError,
     ClientAuthErrorCodes,
     buildStaticAuthorityOptions,
+    ClientAssertion as ClientAssertionType,
 } from "@azure/msal-common";
 import {
     Configuration,
@@ -469,16 +470,14 @@ export abstract class ClientApplication {
         return clientConfiguration;
     }
 
-    private getClientAssertion(authority: Authority): {
-        assertion: string;
-        assertionType: string;
-    } {
+    private getClientAssertion(authority: Authority): ClientAssertionType {
         return {
-            assertion: this.clientAssertion.getJwt(
-                this.cryptoProvider,
-                this.config.auth.clientId,
-                authority.tokenEndpoint
-            ),
+            assertion: () =>
+                this.clientAssertion.getJwt(
+                    this.cryptoProvider,
+                    this.config.auth.clientId,
+                    authority.tokenEndpoint
+                ),
             assertionType: NodeConstants.JWT_BEARER_ASSERTION_TYPE,
         };
     }

@@ -28,6 +28,7 @@ import {
     TokenCacheContext,
     UrlString,
     createClientAuthError,
+    ClientAssertion,
 } from "@azure/msal-common";
 
 /**
@@ -324,12 +325,12 @@ export class ClientCredentialClient extends BaseClient {
         }
 
         // Use clientAssertion from request, fallback to client assertion in base configuration
-        const clientAssertion =
+        const clientAssertion: ClientAssertion | undefined =
             request.clientAssertion ||
             this.config.clientCredentials.clientAssertion;
 
         if (clientAssertion) {
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+            parameterBuilder.addClientAssertion(clientAssertion.assertion());
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );

@@ -26,6 +26,7 @@ import {
     AADAuthorityConstants,
     createClientAuthError,
     ClientAuthErrorCodes,
+    ClientAssertion as ClientAssertionType,
 } from "@azure/msal-common";
 import { IConfidentialClientApplication } from "./IConfidentialClientApplication.js";
 import { OnBehalfOfRequest } from "../request/OnBehalfOfRequest.js";
@@ -91,7 +92,7 @@ export class ConfidentialClientApplication
         );
 
         // If there is a client assertion present in the request, it overrides the one present in the client configuration
-        let clientAssertion;
+        let clientAssertion: ClientAssertionType | undefined;
         if (request.clientAssertion) {
             clientAssertion = {
                 assertion: request.clientAssertion,
@@ -214,7 +215,10 @@ export class ConfidentialClientApplication
 
     private setClientCredential(configuration: Configuration): void {
         const clientSecretNotEmpty = !!configuration.auth.clientSecret;
-        const clientAssertionNotEmpty = !!configuration.auth.clientAssertion;
+        const clientAssertionNotEmpty = !!(
+            configuration.auth.clientAssertion &&
+            configuration.auth.clientAssertion()
+        );
         const certificate = configuration.auth.clientCertificate || {
             thumbprint: Constants.EMPTY_STRING,
             privateKey: Constants.EMPTY_STRING,
@@ -248,7 +252,7 @@ export class ConfidentialClientApplication
 
         if (configuration.auth.clientAssertion) {
             this.clientAssertion = ClientAssertion.fromAssertion(
-                configuration.auth.clientAssertion
+                configuration.auth.clientAssertion()
             );
             return;
         }

@@ -30,6 +30,7 @@ import {
     TimeUtils,
     TokenClaims,
     UrlString,
+    ClientAssertion,
 } from "@azure/msal-common";
 import { EncodingUtils } from "../utils/EncodingUtils";
 
@@ -344,9 +345,9 @@ export class OnBehalfOfClient extends BaseClient {
         }
 
         if (this.config.clientCredentials.clientAssertion) {
-            const clientAssertion =
+            const clientAssertion: ClientAssertion =
                 this.config.clientCredentials.clientAssertion;
-            parameterBuilder.addClientAssertion(clientAssertion.assertion);
+            parameterBuilder.addClientAssertion(clientAssertion.assertion());
             parameterBuilder.addClientAssertionType(
                 clientAssertion.assertionType
             );