Îõ³h&  Ç  ¸Ù                    	  
                                               !  "  #  $  %  &  '  (  )  *  +  ,  -  .  /  0  1  2  3  4  5  6  7  8  9  :  ;  <  =  >  ?  @  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X           Safe-Inferred"8;?Ñ ã     ms-auth3Possible exception states of authentication requestY ms-authì decoded claims from the JWT token, valid (at least) for the Google OpenID implementation as of February 2021 ms-auth/intended audience of the token (== API key ID ) ms-authsub field ms-authDecode a string into a  Z ms-authsub ms-authexp ms-authnbf ms-authemail ms-authaud[ ms-authDecode and validate the aud,  \ and nbf fields of the JWT] ms-authValidate the aud,  \ and nbf fields^ ms-authFails if the  \iry field is not at least nsecs seconds in the future_ ms-auth(Fails if the current time is before the nbf  time (= token is not yet valid)` ms-authFails if the aud4ience field is not equal to the supplied ApiAudience ms-authcurrent time  ms-authcurrent time[  ms-authÍ intended token audience (its meaning depends on the OAuth identity provider ) ms-authÊ buffer period to allow for API roundtrip delays (defaults to 0 if Nothing) ms-auth;JWT-encoded string, e.g. the contents of the id_token field]  ms-authÍ intended token audience (its meaning depends on the OAuth identity provider )^  ms-authdefaults to 0 if Nothing`  ms-auth/intended audience of the token (== API key ID ) ms-authdecoded from the JWT 	
	
            Safe-Inferred"%&1;?Ì Ñ Ú è ï   ø3 ms-authÉ https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo 4 ms-auth.Configuration object of the OAuth2 application6 ms-authapplication name7 ms-authapp client ID : see $https://stackoverflow.com/a/70670961 8 ms-authapp client secret "9 ms-authOAuth2 and OIDC scopes: ms-authOAuth2 state (a random string, 4https://www.rfc-editor.org/rfc/rfc6749#section-10.12  ); ms-authOAuth2 redirect URI= ms-auth7Azure OAuth application (i.e. with user consent screen)NB : scope offline_access is ALWAYS requestedcreate app at /https://go.microsoft.com/fwlink/?linkid=2083908 0also be aware to find the right client id.
 see $https://stackoverflow.com/a/70670961 > ms-auth7Azure OAuth application (i.e. with user consent screen)NB : scopes openid and offline_accessÞ  are ALWAYS requested since the library assumes we have access to refresh tokens and ID tokens+Reference on Microsoft Graph permissions : =https://learn.microsoft.com/en-us/graph/permissions-reference create app at /https://go.microsoft.com/fwlink/?linkid=2083908 0also be aware to find the right client id.
 see $https://stackoverflow.com/a/70670961 a ms-authÎ https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration =  ms-authapplication name ms-authscopes>  ms-authOAuth configuration3456789:;<=><=456789:;3>           Safe-Inferred"16;?Ì Ñ Ú ã   ”E ms-authtransactional token storeb ms-auth The JWT identity token from the X-MS-TOKEN-AAD-ID-TOKENÃ  header injected by App Service can be decoded for its claims e.g. sub0 (which is unique for each user for a given app)ähttps://bogdan.bynapse.com/azure/the-app-service-token-store-was-added-to-app-service-authentication-authorization-and-it-is-a-repository-of-oauth-tokens-associated-with-your-app-users-when-a-user-logs-into-your-app-via-an-iden/ Ð https://stackoverflow.com/questions/46757665/authentication-for-azure-functions/ I ms-auth'Decode the App Service ID token header X-MS-TOKEN-AAD-ID-TOKEN:, look its user up in the local token store, supply token t to continuation. If the user subÏ  cannot be found in the token store the browser is redirected to the login URI.Special case of  bM ms-authÖ Fetch an OAuth token and keep it updated. Should be called as a first thing in the app%NB : forks a thread in the backgroundâ https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow N ms-authLogin endpointsee  =c ms-authlogin endpoint handlerO ms-auth2The identity provider redirects the client to the reply& endpoint as part of the OAuth flow : é https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response Æ NB : forks a thread per logged in user to keep their tokens up to dated ms-authå 1) the ExchangeToken arrives with the redirect once the user has approved the scopes in the browser
 é https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response e ms-auth72) fork a thread and start token refresh loop for user uidf ms-auth Insert or update a token in the  E objectP ms-auth<Remove a user, i.e. they will have to authenticate once moreQ ms-authÀ Look up a user identifier and return their current token, if anyR ms-auth$return a list representation of the  E objectS ms-authCreate an empty  E objectg ms-authDecode and validate ID token
 ì https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo#consider-using-an-id-token-instead h ms-authÇ Lift ExceptT to ActionM which is basically the handler Monad in Scotty.
b  ms-auth-look up the UserSub's token, do stuff with itI ms-auth	login URI ms-authcall MSGraph APIs with token t, etc.N ms-authe.g. "/login"O ms-authe.g. "/oauth/reply"d ms-authalso called code. Expires in 10 minutese ms-authuser IDf ms-authuser id ms-auth	new token ms-authtoken expires inP ms-authuser identifier e.g. subQ ms-authuser identifier e.g. subg  ms-auth-appears in the OAuth2Token if scopes include openid ms-auth(sub)EFGHIJKLMNOPQRSIFJKLMNOESQPRGH  é             	  
                                                                   !   "   #   $   %   &   '   (   )   *   +   ,   -   .   /   0   1   2   3   4   5   6  7  8  8   9   :   ;   <   =   >  ?   @   A   B   C   D   E   F   G  H  I  J  K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z   [  \ ]^_   ` ab c   d   e   f   g   h   i   j   k   l   m   n   oð &ms-auth-0.1.0.0-EuTDDsRmOO22dXIsHerdJHNetwork.OAuth2.JWTNetwork.OAuth2.Provider.AzureADNetwork.OAuth2.SessionJWTExceptionJEMalformedJWTJEClaimNotFoundJEAudienceNotFoundJEExpiredTokenJENotYetValid	JENoTokenApiAudienceapiAudience	UserEmail	userEmailUserSubuserSub	jwtClaimsdecValidSubdecValidExpdecValidNbfdecValidEmaildecValidAud$fToJSONApiAudience$fToJSONJWTException$fExceptionJWTException$fShowJWTException$fEqJWTException$fOrdJWTException$fGenericJWTException$fEqJWTClaims$fShowJWTClaims$fEqApiAudience$fOrdApiAudience$fShowApiAudience$fGenericApiAudience$fIsStringApiAudience$fEqUserEmail$fOrdUserEmail$fGenericUserEmail$fIsStringUserEmail$fShowUserEmail$fToJSONUserEmail$fFromJSONUserEmail$fToJSONKeyUserEmail$fFromJSONKeyUserEmail$fEqUserSub$fOrdUserSub$fGenericUserSub$fIsStringUserSub$fShowUserSub$fToJSONUserSub$fFromJSONUserSub$fToJSONKeyUserSub$fFromJSONKeyUserSubAzureADUserOAuthCfg$sel:oacAppName:OAuthCfg$sel:oacClientId:OAuthCfg$sel:oacClientSecret:OAuthCfg$sel:oacScopes:OAuthCfg$sel:oacAuthState:OAuthCfg$sel:oacRedirectURI:OAuthCfgAzureAD
azureADAppazureOAuthADApp$fFromJSONAzureADUser$fEqAzureADUser$fOrdAzureADUser$fShowAzureADUser$fEqAzureAD$fShowAzureADTokensTokenScottyActionwithAADUser
newNoTokenexpireToken	readTokenfetchUpdateTokenloginEndpointreplyEndpoint
expireUser
lookupUsertokensToList	newTokens$fShowOAuthSessionError$fExceptionOAuthSessionError$fEqTokensData$fShowTokensData$fEqOAuthSessionError	JWTClaims!jwt-0.11.0-EQ9sh3Lfdp0EfTUWL0sI0OWeb.JWTJWTClaimsSetdecodeValidateJWTbase	GHC.FloatexpvalidateJWTvalidateExpvalidateNbfvalidateAuddefaultAzureADIdpaadHeaderIdTokenloginHfetchUpdateTokenDelegrefreshLoopDelegupsertTokendecValidIdTokenexcepttToActionM