initial commit

Author: shylasummers

lib/msal-browser/src/config/Configuration.ts

@@ -108,6 +108,10 @@ export type BrowserAuthOptions = {
      * Flag of whether the STS will send back additional parameters to specify where the tokens should be retrieved from.
      */
     instanceAware?: boolean;
+    /**
+     * Flag of whether to encode query parameters
+     */
+    encodeExtraQueryParams?: boolean;
 };
 
 /** @internal */
@@ -296,6 +300,7 @@ export function buildConfiguration(
         skipAuthorityMetadataCache: false,
         supportsNestedAppAuth: false,
         instanceAware: false,
+        encodeExtraQueryParams: true,
     };
 
     // Default cache options for browser

lib/msal-browser/src/protocol/Authorize.ts

@@ -158,7 +158,12 @@ export async function getAuthCodeRequestUrl(
         request.extraQueryParameters || {}
     );
 
-    return AuthorizeProtocol.getAuthorizeUrl(authority, parameters);
+    return AuthorizeProtocol.getAuthorizeUrl(
+        authority,
+        parameters,
+        config.auth.encodeExtraQueryParams,
+        request.extraQueryParameters
+    );
 }
 
 /**
@@ -195,7 +200,12 @@ export async function getEARForm(
         queryParams,
         request.extraQueryParameters || {}
     );
-    const url = AuthorizeProtocol.getAuthorizeUrl(authority, queryParams);
+    const url = AuthorizeProtocol.getAuthorizeUrl(
+        authority,
+        queryParams,
+        config.auth.encodeExtraQueryParams,
+        request.extraQueryParameters
+    );
 
     return createForm(frame, url, parameters);
 }

lib/msal-common/src/client/AuthorizationCodeClient.ts

@@ -507,6 +507,10 @@ export class AuthorizationCodeClient extends BaseClient {
             RequestParameterBuilder.addInstanceAware(parameters);
         }
 
-        return UrlUtils.mapToQueryString(parameters);
+        return UrlUtils.mapToQueryString(
+            parameters,
+            this.config.authOptions.encodeExtraQueryParams,
+            request.extraQueryParameters
+        );
     }
 }

lib/msal-common/src/config/ClientConfiguration.ts

@@ -93,6 +93,7 @@ export type AuthOptions = {
     azureCloudOptions?: AzureCloudOptions;
     skipAuthorityMetadataCache?: boolean;
     instanceAware?: boolean;
+    encodeExtraQueryParams?: boolean;
 };
 
 /**
@@ -276,6 +277,7 @@ function buildAuthOptions(authOptions: AuthOptions): Required<AuthOptions> {
         azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
         skipAuthorityMetadataCache: false,
         instanceAware: false,
+        encodeExtraQueryParams: true,
         ...authOptions,
     };
 }

lib/msal-common/src/protocol/Authorize.ts

@@ -26,6 +26,7 @@ import {
     isInteractionRequiredError,
 } from "../error/InteractionRequiredAuthError.js";
 import { ServerError } from "../error/ServerError.js";
+import { StringDict } from "../utils/MsalTypes.js";
 
 /**
  * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
@@ -264,10 +265,15 @@ export function getStandardAuthorizeRequestParameters(
  */
 export function getAuthorizeUrl(
     authority: Authority,
-    requestParameters: Map<string, string>
+    requestParameters: Map<string, string>,
+    encodeParams?: boolean,
+    extraQueryParameters?: StringDict | undefined
 ): string {
-    const queryString = mapToQueryString(requestParameters);
-
+    const queryString = mapToQueryString(
+        requestParameters,
+        encodeParams,
+        extraQueryParameters
+    );
     return UrlString.appendQueryString(
         authority.authorizationEndpoint,
         queryString

lib/msal-common/src/utils/UrlUtils.ts

@@ -8,6 +8,7 @@ import {
     ClientAuthErrorCodes,
     createClientAuthError,
 } from "../error/ClientAuthError.js";
+import { StringDict } from "./MsalTypes.js";
 
 /**
  * Parses hash string from given string. Returns empty string if no hash symbol is found.
@@ -64,11 +65,23 @@ export function getDeserializedResponse(
 /**
  * Utility to create a URL from the params map
  */
-export function mapToQueryString(parameters: Map<string, string>): string {
+export function mapToQueryString(
+    parameters: Map<string, string>,
+    encodeExtraParams: boolean = true,
+    extraQueryParameters?: StringDict
+): string {
     const queryParameterArray: Array<string> = new Array<string>();
 
     parameters.forEach((value, key) => {
-        queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
+        if (
+            !encodeExtraParams &&
+            extraQueryParameters &&
+            key in extraQueryParameters
+        ) {
+            queryParameterArray.push(`${key}=${value}`);
+        } else {
+            queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
+        }
     });
 
     return queryParameterArray.join("&");

lib/msal-common/test/request/RequestParameterBuilder.spec.ts

@@ -230,6 +230,218 @@ describe("RequestParameterBuilder unit tests", () => {
         ).toBe(true);
     });
 
+    it("Doesn't encode extra params if encodeParams is false and extra params are passed in", () => {
+        const parameters = new Map<string, string>();
+        RequestParameterBuilder.addResponseType(
+            parameters,
+            OAuthResponseType.CODE
+        );
+        RequestParameterBuilder.addResponseMode(
+            parameters,
+            ResponseMode.FORM_POST
+        );
+        RequestParameterBuilder.addScopes(
+            parameters,
+            TEST_CONFIG.DEFAULT_SCOPES
+        );
+        RequestParameterBuilder.addClientId(
+            parameters,
+            TEST_CONFIG.MSAL_CLIENT_ID
+        );
+        RequestParameterBuilder.addRedirectUri(
+            parameters,
+            TEST_URIS.TEST_REDIRECT_URI_LOCALHOST
+        );
+        RequestParameterBuilder.addDomainHint(
+            parameters,
+            TEST_CONFIG.DOMAIN_HINT
+        );
+        RequestParameterBuilder.addLoginHint(
+            parameters,
+            TEST_CONFIG.LOGIN_HINT
+        );
+        RequestParameterBuilder.addClaims(parameters, TEST_CONFIG.CLAIMS, []);
+        RequestParameterBuilder.addCorrelationId(
+            parameters,
+            TEST_CONFIG.CORRELATION_ID
+        );
+        RequestParameterBuilder.addPrompt(
+            parameters,
+            PromptValue.SELECT_ACCOUNT
+        );
+        RequestParameterBuilder.addState(parameters, TEST_CONFIG.STATE);
+        RequestParameterBuilder.addNonce(parameters, TEST_CONFIG.NONCE);
+        RequestParameterBuilder.addCodeChallengeParams(
+            parameters,
+            TEST_CONFIG.TEST_CHALLENGE,
+            TEST_CONFIG.CODE_CHALLENGE_METHOD
+        );
+        RequestParameterBuilder.addAuthorizationCode(
+            parameters,
+            TEST_TOKENS.AUTHORIZATION_CODE
+        );
+        RequestParameterBuilder.addDeviceCode(
+            parameters,
+            DEVICE_CODE_RESPONSE.deviceCode
+        );
+        RequestParameterBuilder.addCodeVerifier(
+            parameters,
+            TEST_CONFIG.TEST_VERIFIER
+        );
+        RequestParameterBuilder.addGrantType(
+            parameters,
+            GrantType.DEVICE_CODE_GRANT
+        );
+        RequestParameterBuilder.addSid(parameters, TEST_CONFIG.SID);
+        RequestParameterBuilder.addLogoutHint(
+            parameters,
+            TEST_CONFIG.LOGIN_HINT
+        );
+        RequestParameterBuilder.addExtraQueryParameters(parameters, {
+            extra_params: "param1,param2",
+        });
+
+        const requestQueryString = UrlUtils.mapToQueryString(
+            parameters,
+            false,
+            {
+                extra_params: "param1,param2",
+            }
+        );
+        console.log(requestQueryString);
+        console.log(
+            `${AADServerParamKeys.REDIRECT_URI}=${TEST_URIS.TEST_REDIRECT_URI_LOCALHOST}`
+        );
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.RESPONSE_TYPE}=${OAuthResponseType.CODE}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.RESPONSE_MODE}=${encodeURIComponent(
+                    ResponseMode.FORM_POST
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.SCOPE}=${Constants.OPENID_SCOPE}%20${Constants.PROFILE_SCOPE}%20${Constants.OFFLINE_ACCESS_SCOPE}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CLIENT_ID}=${TEST_CONFIG.MSAL_CLIENT_ID}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.REDIRECT_URI}=${encodeURIComponent(
+                    TEST_URIS.TEST_REDIRECT_URI_LOCALHOST
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.DOMAIN_HINT}=${encodeURIComponent(
+                    TEST_CONFIG.DOMAIN_HINT
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.LOGIN_HINT}=${encodeURIComponent(
+                    TEST_CONFIG.LOGIN_HINT
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CLAIMS}=${encodeURIComponent(
+                    TEST_CONFIG.CLAIMS
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CLIENT_REQUEST_ID}=${encodeURIComponent(
+                    TEST_CONFIG.CORRELATION_ID
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.PROMPT}=${PromptValue.SELECT_ACCOUNT}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.STATE}=${encodeURIComponent(
+                    TEST_CONFIG.STATE
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.NONCE}=${encodeURIComponent(
+                    TEST_CONFIG.NONCE
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CODE_CHALLENGE}=${encodeURIComponent(
+                    TEST_CONFIG.TEST_CHALLENGE
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${
+                    AADServerParamKeys.CODE_CHALLENGE_METHOD
+                }=${encodeURIComponent(TEST_CONFIG.CODE_CHALLENGE_METHOD)}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CODE}=${encodeURIComponent(
+                    TEST_TOKENS.AUTHORIZATION_CODE
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.DEVICE_CODE}=${encodeURIComponent(
+                    DEVICE_CODE_RESPONSE.deviceCode
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.CODE_VERIFIER}=${encodeURIComponent(
+                    TEST_CONFIG.TEST_VERIFIER
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.SID}=${encodeURIComponent(
+                    TEST_CONFIG.SID
+                )}`
+            )
+        ).toBe(true);
+        expect(
+            requestQueryString.includes(
+                `${AADServerParamKeys.LOGOUT_HINT}=${encodeURIComponent(
+                    TEST_CONFIG.LOGIN_HINT
+                )}`
+            )
+        ).toBe(true);
+        expect(requestQueryString.includes(`extra_params=param1,param2`)).toBe(
+            true
+        );
+    });
+
     it("Adds token type and req_cnf correctly for proof-of-possession tokens", () => {
         const parameters = new Map<string, string>();
         RequestParameterBuilder.addPopToken(

lib/msal-node/src/config/Configuration.ts

@@ -55,6 +55,7 @@ export type NodeAuthOptions = {
     protocolMode?: ProtocolMode;
     azureCloudOptions?: AzureCloudOptions;
     skipAuthorityMetadataCache?: boolean;
+    encodeExtraQueryParams?: boolean;
 };
 
 /**
@@ -154,6 +155,7 @@ const DEFAULT_AUTH_OPTIONS: Required<NodeAuthOptions> = {
         tenant: Constants.EMPTY_STRING,
     },
     skipAuthorityMetadataCache: false,
+    encodeExtraQueryParams: true,
 };
 
 const DEFAULT_CACHE_OPTIONS: CacheOptions = {

lib/msal-node/src/protocol/Authorize.ts

@@ -65,5 +65,10 @@ export function getAuthCodeRequestUrl(
         request.extraQueryParameters || {}
     );
 
-    return AuthorizeProtocol.getAuthorizeUrl(authority, parameters);
+    return AuthorizeProtocol.getAuthorizeUrl(
+        authority,
+        parameters,
+        config.auth.encodeExtraQueryParams,
+        request.extraQueryParameters
+    );
 }