Load, parse and apply a .env file
NB : overwrites any preexisting env vars
NB2 : if the .env file is not found the program continues (i.e. this function is a no-op in that case)
defaults to .env if Nothing.
contents of the .env file

Possible exception states of authentication request
decoded claims from the JWT token, valid (at least) for the Google OpenID implementation as of February 2021
intended audience of the token (== API key ID )
sub field
Decode a string into a
sub
exp
nbf
email
aud
Decode and validate the aud, exp and nbf fields of the JWT
Validate the aud, exp and nbf fields
Fails if the expiry field is not at least nsecs seconds in the future
Fails if the current time is before the nbf time (= token is not yet valid)
Fails if the audience field is not equal to the supplied ApiAudience
current time
current time
intended token audience (its meaning depends on the OAuth identity provider )
buffer period to allow for API roundtrip delays (defaults to 0 if Nothing)
JWT-encoded string, e.g. the contents of the id_token field
intended token audience (its meaning depends on the OAuth identity provider )
defaults to 0 if Nothing
intended audience of the token (== API key ID )
decoded from the JWT

https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo
Configuration object of the OAuth2 application
application name
OAuth2 and OIDC scopes
OAuth2 state (a random string, https://www.rfc-editor.org/rfc/rfc6749#section-10.12 )
OAuth2 redirect URI
AZURE_CLIENT_ID
AZURE_TENANT_ID
AZURE_CLIENT_SECRET

Azure OAuth application (i.e. with user consent screen)
NB : scope offline_access is ALWAYS requested
create app at https://go.microsoft.com/fwlink/?linkid=2083908
also be aware to find the right client id. see https://stackoverflow.com/a/70670961
Throws if AZURE_CLIENT_ID and/or AZURE_CLIENT_SECRET credentials are not found in the environment

Azure OAuth application (i.e. with user consent screen)
NB : scopes openid and offline_access are ALWAYS requested since the library assumes we have access to refresh tokens and ID tokens
Reference on Microsoft Graph permissions : https://learn.microsoft.com/en-us/graph/permissions-reference
create app at https://go.microsoft.com/fwlink/?linkid=2083908
also be aware to find the right client id. see https://stackoverflow.com/a/70670961
Throws if AZURE_CLIENT_ID and/or AZURE_CLIENT_SECRET credentials are not found in the environment

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
application name
scopes
OAuth configuration

transactional token store
App has (at most) one token at a time

The JWT identity token from the X-MS-TOKEN-AAD-ID-TOKEN header injected by App Service can be decoded for its claims e.g. sub (which is unique for each user for a given app)
https://bogdan.bynapse.com/azure/the-app-service-token-store-was-added-to-app-service-authentication-authorization-and-it-is-a-repository-of-oauth-tokens-associated-with-your-app-users-when-a-user-logs-into-your-app-via-an-iden/
https://stackoverflow.com/questions/46757665/authentication-for-azure-functions/

Decode the App Service ID token header X-MS-TOKEN-AAD-ID-TOKEN, look its user up in the local token store, supply token t to continuation. If the user sub cannot be found in the token store the browser is redirected to the login URI.
Special case of

Create an empty store
Delete the current token
Read the current value of the token

DefaultAzureCredential mechanism as in the Python SDK https://pypi.org/project/azure-identity/
Order of authentication attempts:
1) token request with client secret
2) token request via managed identity (App Service and Azure Functions) https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference

Fetch an OAuth token and keep it updated. Should be called as a first thing in the app
NB : forks a thread in the background
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

With its managed identity, an app can obtain tokens for Azure resources that are protected by Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.
App Service and Azure Functions provide an internally accessible REST endpoint for token retrieval.
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference

Login endpoint
see
login endpoint handler

The identity provider redirects the client to the reply endpoint as part of the OAuth flow : https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response
NB : forks a thread per logged in user to keep their tokens up to date
1) the ExchangeToken arrives with the redirect once the user has approved the scopes in the browser https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response
2) fork a thread and start token refresh loop for user uid

Insert or update a token in the object

Package ms-auth-0.3.0.0. Modules: MSAuth, Network.OAuth2.Session, Network.OAuth2.Provider.AzureAD, DotEnv, Network.OAuth2.JWT. JWT decoding uses Web.JWT from jwt-0.11.0.