EntraID: Add Origin header to requests

src/providers/microsoft-entra-id.ts

@@ -1,13 +1,19 @@
-import { CodeChallengeMethod, OAuth2Client } from "../client.js";
+import { createS256CodeChallenge } from "../oauth2.js";
+import {
+	createOAuth2Request,
+	encodeBasicCredentials,
+	joinURIAndPath,
+	sendTokenRequest
+} from "../request.js";
 
 import type { OAuth2Tokens } from "../oauth2.js";
-import { joinURIAndPath } from "../request.js";
 
 export class MicrosoftEntraId {
 	private authorizationEndpoint: string;
 	private tokenEndpoint: string;
-
-	private client: OAuth2Client;
+	private clientId: string;
+	private clientSecret: string | null;
+	private redirectURI: string;
 
 	constructor(tenant: string, clientId: string, clientSecret: string | null, redirectURI: string) {
 		this.authorizationEndpoint = joinURIAndPath(
@@ -20,34 +26,67 @@ export class MicrosoftEntraId {
 			tenant,
 			"/oauth2/v2.0/token"
 		);
-		this.client = new OAuth2Client(clientId, clientSecret, redirectURI);
+		this.clientId = clientId;
+		this.clientSecret = clientSecret;
+		this.redirectURI = redirectURI;
 	}
 
 	public createAuthorizationURL(state: string, codeVerifier: string, scopes: string[]): URL {
-		const url = this.client.createAuthorizationURLWithPKCE(
-			this.authorizationEndpoint,
-			state,
-			CodeChallengeMethod.S256,
-			codeVerifier,
-			scopes
-		);
+		const url = new URL(this.authorizationEndpoint);
+		url.searchParams.set("response_type", "code");
+		url.searchParams.set("client_id", this.clientId);
+		url.searchParams.set("redirect_uri", this.redirectURI);
+		url.searchParams.set("state", state);
+		const codeChallenge = createS256CodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+		if (scopes.length > 0) {
+			url.searchParams.set("scope", scopes.join(" "));
+		}
 		return url;
 	}
 
 	public async validateAuthorizationCode(
 		code: string,
 		codeVerifier: string
 	): Promise<OAuth2Tokens> {
-		const tokens = await this.client.validateAuthorizationCode(
-			this.tokenEndpoint,
-			code,
-			codeVerifier
-		);
+		const body = new URLSearchParams();
+		body.set("grant_type", "authorization_code");
+		body.set("code", code);
+		body.set("redirect_uri", this.redirectURI);
+		body.set("code_verifier", codeVerifier);
+		if (this.clientSecret === null) {
+			body.set("client_id", this.clientId);
+		}
+		const request = createOAuth2Request(this.tokenEndpoint, body);
+		// Origin header required for public clients. Value can be anything.
+		request.headers.set("Origin", "arctic");
+		if (this.clientSecret !== null) {
+			const encodedCredentials = encodeBasicCredentials(this.clientId, this.clientId);
+			request.headers.set("Authorization", `Basic ${encodedCredentials}`);
+		}
+		const tokens = await sendTokenRequest(request);
 		return tokens;
 	}
 
 	public async refreshAccessToken(refreshToken: string, scopes: string[]): Promise<OAuth2Tokens> {
-		const tokens = await this.client.refreshAccessToken(this.tokenEndpoint, refreshToken, scopes);
+		const body = new URLSearchParams();
+		body.set("grant_type", "refresh_token");
+		body.set("refresh_token", refreshToken);
+		if (this.clientSecret === null) {
+			body.set("client_id", this.clientId);
+		}
+		if (scopes.length > 0) {
+			body.set("scope", scopes.join(" "));
+		}
+		const request = createOAuth2Request(this.tokenEndpoint, body);
+		// Origin header required for public clients. Value can be anything.
+		request.headers.set("Origin", "arctic");
+		if (this.clientSecret !== null) {
+			const encodedCredentials = encodeBasicCredentials(this.clientId, this.clientSecret);
+			request.headers.set("Authorization", `Basic ${encodedCredentials}`);
+		}
+		const tokens = await sendTokenRequest(request);
 		return tokens;
 	}
 }