ms-auth-0.4.0.0 (Haskell): Haddock comments recovered from the package's compiled interface files for the modules Network.OAuth2.JWT, Network.OAuth2.Provider.AzureAD and Network.OAuth2.Session.

module Network.OAuth2.JWT

  JWTException
    Possible exception states of an authentication request.

  JWTClaims
    Decoded claims from the JWT token, valid (at least) for the Google OpenID implementation as of February 2021.
    Fields: decValidSub (sub), decValidExp (exp), decValidNbf (nbf), decValidEmail (email), decValidAud (aud).

  ApiAudience
    Intended audience of the token (== API key ID).

  UserSub
    The sub field.

  jwtClaims
    Decode a string into a JWTClaims.

  decodeValidateJWT
    Decode and validate the aud, exp and nbf fields of the JWT.
    Takes the current time, the intended token audience (its meaning depends on the OAuth identity provider), a buffer period to allow for API roundtrip delays (defaults to 0 if Nothing) and the JWT-encoded string, e.g. the contents of the id_token field.

  validateJWT
    Validate the aud, exp and nbf fields of already decoded claims.
    Takes the current time, the intended token audience (its meaning depends on the OAuth identity provider), the buffer period in seconds (defaults to 0 if Nothing) and the claims decoded from the JWT.

  validateExp
    Fails if the expiry (exp) field is not at least nsecs seconds in the future. A positive nsecs rejects tokens that would still pass here but expire before the API round trip completes.

  validateNbf
    Fails if the current time is before the nbf time (= token is not yet valid).

  validateAud
    Fails if the audience (aud) field is not equal to the supplied ApiAudience (the intended audience of the token, == API key ID), given the claims decoded from the JWT.

module Network.OAuth2.Provider.AzureAD

  AzureADUser
    User record as returned by the OIDC UserInfo endpoint, see https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo

  OAuthCfg
    Configuration object of the OAuth2 application.
      oacAppName      application name
      oacScopes       OAuth2 and OIDC scopes
      oacAuthState    OAuth2 state: a random, unguessable string used as CSRF protection, see https://www.rfc-editor.org/rfc/rfc6749#section-10.12
      oacRedirectURI  OAuth2 redirect URI

  envClientId, envTenantId, envClientSecret
    Names of the environment variables the app constructors read: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET.

  azureADApp
    Azure OAuth application. NB: the scope offline_access is ALWAYS requested.
    Create the app at https://go.microsoft.com/fwlink/?linkid=2083908 ; also be aware to find the right client id, see https://stackoverflow.com/a/70670961
    Throws AzureADException (AADNoEnvVar) if the AZURE_CLIENT_ID and/or AZURE_CLIENT_SECRET credentials are not found in the environment.
  azureBotFrameworkADApp
    Initialize a Client Credentials token exchange application for the Bot Framework.
    Throws AzureADException (AADNoEnvVar) if the AZURE_CLIENT_ID and/or AZURE_CLIENT_SECRET credentials are not found in the environment.

  azureOAuthADApp
    Azure OAuth application (i.e. with user consent screen). NB: the scopes openid and offline_access are ALWAYS requested, since the library assumes it has access to refresh tokens and ID tokens.
    Reference on Microsoft Graph permissions: https://learn.microsoft.com/en-us/graph/permissions-reference
    Create the app at https://go.microsoft.com/fwlink/?linkid=2083908 ; also be aware to find the right client id, see https://stackoverflow.com/a/70670961
    Throws AzureADException (AADNoEnvVar) if the AZURE_CLIENT_ID and/or AZURE_CLIENT_SECRET credentials are not found in the environment.

  defaultAzureADIdp
    OpenID Connect discovery document of the Azure AD "common" endpoint: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

  The app constructors take the application name, the scopes and the OAuth configuration (OAuthCfg) as arguments.

module Network.OAuth2.Session

  Tokens
    Transactional token store.

  Token
    The app has (at most) one token at a time.

  aadHeaderIdToken
    The JWT identity token from the X-MS-TOKEN-AAD-ID-TOKEN header injected by App Service can be decoded for its claims, e.g. sub (which is unique for each user for a given app). Only trust this header when every request really passes through App Service authentication; a backend that is reachable directly can be handed a client-chosen header value.
    See https://bogdan.bynapse.com/azure/the-app-service-token-store-was-added-to-app-service-authentication-authorization-and-it-is-a-repository-of-oauth-tokens-associated-with-your-app-users-when-a-user-logs-into-your-app-via-an-iden/ and https://stackoverflow.com/questions/46757665/authentication-for-azure-functions/

  withAADUser
    Decode the App Service ID token header X-MS-TOKEN-AAD-ID-TOKEN, look its user up in the local token store and supply the token t to the continuation.
    If the user sub cannot be found in the token store, the browser is redirected to the login URI.

  newTokens
    Create an empty Tokens store.

  expireToken
    Delete the current token.

  readToken
    Read the current value of the token.

  tokenUpdateLoop
    Forks a thread and keeps the OAuth token up to date inside a TVar.

  defaultAzureCredential
    DefaultAzureCredential mechanism as in the Python SDK (https://pypi.org/project/azure-identity/).
    Order of authentication attempts:
    1) token request with client secret
    2) token request via managed identity (App Service and Azure Functions), see https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference

  fetchUpdateToken
    Token refresh loop for Client Credentials Grant scenarios (Bot Framework auth etc.): fetch an OAuth token and keep it updated. Should be called as the first thing in the app.
    NB: forks a thread in the background.
    See https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

  managedIdentity
    With its managed identity, an app can obtain tokens for Azure resources that are protected by Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.
    App Service and Azure Functions provide an internally accessible REST endpoint for token retrieval: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference
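The claim checks documented under Network.OAuth2.JWT (validateAud, validateExp with the nsecs buffer, validateNbf) and the X-MS-TOKEN-AAD-ID-TOKEN decoding described for aadHeaderIdToken and withAADUser, as one added example. This is not the library's Haskell code: it restates the documented rules in Python so they can be run offline. The exception names mirror the JWTException constructors; the HS256 signing helper, the sample key and the sample claims are constructed for the example (real id_tokens are RS256-signed by the identity provider and must be verified against its JWKS, which this block does not model). Accepting a list-valued aud and skipping nbf when it is absent are assumptions that go slightly beyond the page's single-string, always-present description.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


# Error states named after the JWTException constructors exported by ms-auth.
class JWTError(Exception):
    pass

class JEMalformedJWT(JWTError): pass
class JEClaimNotFound(JWTError): pass
class JEExpiredToken(JWTError): pass
class JENotYetValid(JWTError): pass
class JEAudienceNotFound(JWTError): pass
class JENoToken(JWTError): pass


AAD_ID_TOKEN_HEADER = "X-MS-TOKEN-AAD-ID-TOKEN"


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _segments(token: str) -> list:
    parts = token.split(".")
    if len(parts) != 3:
        raise JEMalformedJWT("expected header.payload.signature")
    return parts


def _json_segment(segment: str) -> dict:
    try:
        obj = json.loads(_b64url_decode(segment))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JEMalformedJWT(f"segment is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise JEMalformedJWT("segment is not a JSON object")
    return obj


def decode_claims(token: str) -> dict:
    """Parse the payload only (like jwtClaims): no signature check happens here."""
    return _json_segment(_segments(token)[1])


def signature_ok(token: str, key: bytes) -> bool:
    """HS256 check for the constructed test tokens. The algorithm is pinned on our side
    rather than taken from the token's alg header (rejects alg=none and HS/RS confusion)."""
    header_b64, payload_b64, sig_b64 = _segments(token)
    if _json_segment(header_b64).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def _required(claims: dict, name: str):
    if name not in claims:
        raise JEClaimNotFound(name)
    return claims[name]


def validate_claims(claims: dict, api_audience: str, now: Optional[float] = None, nsecs: float = 0) -> dict:
    """validateAud, validateExp and validateNbf as documented: aud must match the ApiAudience,
    exp must be at least nsecs seconds in the future, and now must not be before nbf."""
    now = time.time() if now is None else now
    aud = _required(claims, "aud")
    audiences = aud if isinstance(aud, list) else [aud]   # RFC 7519 allows a list (assumption)
    if api_audience not in audiences:
        raise JEAudienceNotFound(f"{audiences!r} does not contain {api_audience!r}")
    exp = _required(claims, "exp")
    if exp < now + nsecs:
        raise JEExpiredToken(f"exp={exp} is less than {nsecs}s after now={now}")
    nbf = claims.get("nbf")            # assumption: skipped when absent (nbf is OPTIONAL in RFC 7519)
    if nbf is not None and now < nbf:
        raise JENotYetValid(f"now={now} is before nbf={nbf}")
    return claims


def validation_result(claims: dict, api_audience: str, now: float, nsecs: float = 0) -> str:
    """Name of the failure, or 'valid'; convenient for tests and structured logs."""
    try:
        validate_claims(claims, api_audience, now, nsecs)
        return "valid"
    except JWTError as exc:
        return type(exc).__name__


def user_sub_from_app_service_headers(headers: dict, api_audience: str, now: Optional[float] = None) -> str:
    """First step of withAADUser: take the App Service ID token header and return its sub claim.
    Only trust this header when every request really passes through App Service authentication."""
    token = next((v for k, v in headers.items() if k.lower() == AAD_ID_TOKEN_HEADER.lower()), None)
    if token is None:
        raise JENoToken(AAD_ID_TOKEN_HEADER)
    claims = validate_claims(decode_claims(token), api_audience, now)
    return str(_required(claims, "sub"))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed test token; real id_tokens are RS256-signed by the IdP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


# Constructed sample data for this example.
NOW = 1_700_000_000
SAMPLE_KEY = b"example-only-hmac-key"
SAMPLE_CLAIMS = {"sub": "1234567890", "email": "user@example.com",
                 "aud": "my-api-key-id", "exp": NOW + 3600, "nbf": NOW - 10}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    print(validation_result(SAMPLE_CLAIMS, "my-api-key-id", NOW))              # valid
    print(validation_result(SAMPLE_CLAIMS, "my-api-key-id", NOW, nsecs=3601))  # JEExpiredToken
    print(user_sub_from_app_service_headers({AAD_ID_TOKEN_HEADER: SAMPLE_TOKEN}, "my-api-key-id", NOW))
```

The order of the checks matters for error reporting only; every check is still applied before a token is accepted. The nsecs buffer is the knob the library exposes as "buffer period to allow for API roundtrip delays": a token that passes with nsecs = 0 but fails with nsecs = 30 would likely be rejected by the downstream API by the time the request arrives.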
  loginEndpoint
    Login endpoint, see loginH.

  loginH
    Login endpoint handler.

  replyEndpoint
    The identity provider redirects the client to the reply endpoint as part of the OAuth flow: https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response
    NB: forks a thread per logged-in user to keep their tokens up to date.

  fetchUpdateTokenACG, refreshLoopACG
    Token refresh loop for Auth Code Grant scenarios:
    1) the ExchangeToken arrives with the redirect once the user has approved the scopes in the browser, see https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response
    2) fork a thread and start the token refresh loop for user uid
    ACG stands for "authorization code grant" flow, i.e. the user consent is in the auth loop.

  upsertToken
    Insert or update a token in the Tokens object.

Export table (ms-auth-0.4.0.0; depends on jwt-0.11.0 for Web.JWT.JWTClaimsSet):
  MSAuth, Network.OAuth2.Provider.AzureAD, Network.OAuth2.JWT, Network.OAuth2.Session
  UserSub, AzureADUser, OAuthCfg (oacAppName, oacScopes, oacAuthState, oacRedirectURI),
  AzureADException (AADNoEnvVar), AzureAD, envClientId, envTenantId, envClientSecret,
  azureADApp, azureBotFrameworkADApp, azureOAuthADApp
  instances: Show and Exception for AzureADException; FromJSON, Eq, Ord and Show for AzureADUser; Eq and Show for AzureAD
  Tokens, Token, ScottyAction, withAADUser, expireToken, readToken, tokenUpdateLoop, defaultAzureCredential,
  loginEndpoint, replyEndpoint, expireUser, lookupUser, tokensToList, newTokens
  JWTException (JEExpiredToken, JENotYetValid, JEAudienceNotFound, JEMalformedJWT, JEClaimNotFound, JENoToken),
  JWTClaims (decValidSub, decValidExp, decValidNbf, decValidEmail, decValidAud), ApiAudience, apiAudience, jwtClaims,
  decodeValidateJWT, validateJWT, validateExp, validateNbf, validateAud, UserEmail,
  userEmail, userSub, defaultAzureADIdp, aadHeaderIdToken, newNoToken, fetchUpdateToken, managedIdentity, loginH,
  fetchUpdateTokenACG, refreshLoopACG, upsertToken, decValidIdToken, excepttToActionM
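The credential chain documented for defaultAzureCredential, fetchUpdateToken and managedIdentity in Network.OAuth2.Session, as an added example that is not part of the ms-auth package and is written in Python rather than Haskell. It builds the two token requests the page describes (client credentials grant with AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET, then the App Service and Functions managed identity endpoint reached through the platform-injected IDENTITY_ENDPOINT and IDENTITY_HEADER variables) in the same order, and computes when a refresh loop should fetch again. The HTTP transport is left to the caller so the block runs offline; the environment dictionaries, the fake token responses and the 300-second refresh margin are constructed for the example. The AADNoEnvVar name mirrors the AzureADException constructor.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MANAGED_IDENTITY_API_VERSION = "2019-08-01"   # App Service / Functions identity endpoint version
REFRESH_MARGIN_SECONDS = 300                  # renew this long before expiry (value chosen for the example)


class AADNoEnvVar(Exception):
    """Mirrors the AzureADException constructor: no usable credential source in the environment."""


def client_credentials_request(env: Dict[str, str], scope: str) -> Optional[dict]:
    """Step 1 of the chain: client credentials grant against the v2.0 token endpoint."""
    if not all(env.get(k) for k in ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_SECRET")):
        return None
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT.format(tenant=env["AZURE_TENANT_ID"]),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "client_id": env["AZURE_CLIENT_ID"],
            "client_secret": env["AZURE_CLIENT_SECRET"],
            "scope": scope,                      # the v2.0 endpoint wants <resource>/.default here
            "grant_type": "client_credentials",
        }),
    }


def managed_identity_request(env: Dict[str, str], resource: str) -> Optional[dict]:
    """Step 2: the REST endpoint App Service / Functions expose to the app. The platform injects
    IDENTITY_ENDPOINT and IDENTITY_HEADER; the header value is echoed back as X-IDENTITY-HEADER."""
    endpoint, secret = env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")
    if not (endpoint and secret):
        return None
    params = {"resource": resource, "api-version": MANAGED_IDENTITY_API_VERSION}
    if env.get("AZURE_CLIENT_ID"):               # selects a user-assigned identity when one is configured
        params["client_id"] = env["AZURE_CLIENT_ID"]
    return {"method": "GET", "url": f"{endpoint}?{urlencode(params)}",
            "headers": {"X-IDENTITY-HEADER": secret}, "body": None}


def default_azure_credential(env: Dict[str, str], resource: str) -> Tuple[str, dict]:
    """Same order as ms-auth's defaultAzureCredential: client secret first, managed identity second."""
    attempts = (
        ("client_secret", lambda: client_credentials_request(env, resource.rstrip("/") + "/.default")),
        ("managed_identity", lambda: managed_identity_request(env, resource)),
    )
    for name, build in attempts:
        request = build()
        if request is not None:
            return name, request
    raise AADNoEnvVar("set AZURE_CLIENT_ID/AZURE_TENANT_ID/AZURE_CLIENT_SECRET or run with a managed identity")


def strategy_name(env: Dict[str, str], resource: str) -> str:
    try:
        return default_azure_credential(env, resource)[0]
    except AADNoEnvVar:
        return "none"


def redact(request: dict) -> dict:
    """Log-safe view: neither the client secret nor the identity header belongs in logs."""
    safe = dict(request, headers={k: ("<redacted>" if k == "X-IDENTITY-HEADER" else v)
                                  for k, v in request["headers"].items()})
    if request["body"]:
        safe["body"] = "&".join("client_secret=<redacted>" if p.startswith("client_secret=") else p
                                for p in request["body"].split("&"))
    return safe


def seconds_until_expiry(response: dict, now: float) -> int:
    """The two endpoints report lifetime differently: the token endpoint sends expires_in (seconds),
    the managed identity endpoint sends expires_on (Unix time as a string)."""
    if "expires_in" in response:
        return int(response["expires_in"])
    return int(response["expires_on"]) - int(now)


def refresh_after(lifetime: int, margin: int = REFRESH_MARGIN_SECONDS) -> int:
    """Sleep time for a refresh loop such as tokenUpdateLoop: renew `margin` seconds early so
    callers never read a token that is about to expire."""
    return max(0, lifetime - margin)


def acquire_token(env: Dict[str, str], resource: str, send: Callable[[dict], dict],
                  now: float) -> Tuple[str, str, int]:
    """Run the chain once; `send` is the caller's HTTP transport returning the parsed JSON body.
    Returns (strategy, access_token, seconds until the next refresh)."""
    strategy, request = default_azure_credential(env, resource)
    response = send(request)
    if "access_token" not in response:
        raise RuntimeError(f"{strategy} via {redact(request)['url']}: {response.get('error', 'no token')}")
    return strategy, response["access_token"], refresh_after(seconds_until_expiry(response, now))


# Constructed environments for the example: one with an app secret, one as seen inside App Service.
ENV_SECRET = {"AZURE_CLIENT_ID": "app-id", "AZURE_TENANT_ID": "tenant-id", "AZURE_CLIENT_SECRET": "s3cret"}
ENV_APP_SERVICE = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41056/msi/token", "IDENTITY_HEADER": "abc123"}

if __name__ == "__main__":
    for env in (ENV_SECRET, ENV_APP_SERVICE):
        print(redact(default_azure_credential(env, "https://graph.microsoft.com")[1]))
```

Two details worth noticing: the same resource is written as `https://graph.microsoft.com/.default` for the token endpoint but as a bare `https://graph.microsoft.com` for the managed identity endpoint, and a refresh loop must handle `expires_on` as well as `expires_in`, otherwise it works with one credential source and silently breaks with the other.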