Add support for authorize call using method POST (#7920)

This PR:
- Adds the `httpMethod` and `authorizePostBodyParameters` options to
`BaseAuthRequest`
- Enables calls to the `/authorize` endpoint using HTTP method "POST"
using the `Redirect`, `Popup`, and `SilentIFrame` flows
- Ensures `extraQueryParameters` are still encoded into the request URL
in `POST` flow
- Ensures `httpMethod` cannot be set to 'GET' when using the EAR
protocol mode (throws when the request is validated)
- Ensures request validation to make sure the combinations of
`httpMethod` and `authorizePostBodyParameters` as well as `httpMethod`
and protocol mode happens before synchronous popup is opened.

Author: hectormmg

change/@azure-msal-browser-b54b9d58-1218-4895-97e7-d537dd9ace79.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for authorize call using method POST #7920",
+  "packageName": "@azure/msal-browser",
+  "email": "hemoral@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-3bcd14ad-add2-4924-a692-6f80505e0c27.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for authorize call using method POST #7920",
+  "packageName": "@azure/msal-common",
+  "email": "hemoral@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/src/interaction_client/PopupClient.ts

@@ -19,6 +19,7 @@ import {
     invoke,
     PkceCodes,
     CommonAuthorizationUrlRequest,
+    HttpMethod,
 } from "@azure/msal-common/browser";
 import { StandardInteractionClient } from "./StandardInteractionClient.js";
 import { EventType } from "../event/EventType.js";
@@ -48,6 +49,7 @@ import { generatePkceCodes } from "../crypto/PkceGenerator.js";
 import { isPlatformAuthAllowed } from "../broker/nativeBroker/PlatformAuthProvider.js";
 import { generateEarKey } from "../crypto/BrowserCrypto.js";
 import { IPlatformAuthHandler } from "../broker/nativeBroker/IPlatformAuthHandler.js";
+import { validateRequestMethod } from "../request/RequestHelpers.js";
 
 export type PopupParams = {
     popup?: Window | null;
@@ -98,12 +100,13 @@ export class PopupClient extends StandardInteractionClient {
         request: PopupRequest,
         pkceCodes?: PkceCodes
     ): Promise<AuthenticationResult> {
+        let popupParams: PopupParams | undefined = undefined;
         try {
             const popupName = this.generatePopupName(
                 request.scopes || OIDC_DEFAULT_SCOPES,
                 request.authority || this.config.auth.authority
             );
-            const popupParams: PopupParams = {
+            popupParams = {
                 popupName,
                 popupWindowAttributes: request.popupWindowAttributes || {},
                 popupWindowParent: request.popupWindowParent ?? window,
@@ -124,6 +127,14 @@ export class PopupClient extends StandardInteractionClient {
                     pkceCodes
                 );
             } else {
+                // Pre-validate request method to avoid opening popup if the request is invalid
+                const validatedRequest: PopupRequest = {
+                    ...request,
+                    httpMethod: validateRequestMethod(
+                        request,
+                        this.config.auth.protocolMode
+                    ),
+                };
                 // asyncPopups flag is set to false. Opens popup before acquiring token.
                 this.logger.verbose(
                     "asyncPopup set to false, opening popup before acquiring token"
@@ -133,7 +144,7 @@ export class PopupClient extends StandardInteractionClient {
                     popupParams
                 );
                 return this.acquireTokenPopupAsync(
-                    request,
+                    validatedRequest,
                     popupParams,
                     pkceCodes
                 );
@@ -286,71 +297,80 @@ export class PopupClient extends StandardInteractionClient {
                 account: popupRequest.account,
             });
 
-            // Create acquire token url.
-            const navigateUrl = await invokeAsync(
-                Authorize.getAuthCodeRequestUrl,
-                PerformanceEvents.GetAuthCodeUrl,
-                this.logger,
-                this.performanceClient,
-                correlationId
-            )(
-                this.config,
-                authClient.authority,
-                popupRequest,
-                this.logger,
-                this.performanceClient
-            );
+            if (popupRequest.httpMethod === HttpMethod.POST) {
+                return await this.executeCodeFlowWithPost(
+                    popupRequest,
+                    popupParams,
+                    authClient,
+                    pkce.verifier
+                );
+            } else {
+                // Create acquire token url.
+                const navigateUrl = await invokeAsync(
+                    Authorize.getAuthCodeRequestUrl,
+                    PerformanceEvents.GetAuthCodeUrl,
+                    this.logger,
+                    this.performanceClient,
+                    correlationId
+                )(
+                    this.config,
+                    authClient.authority,
+                    popupRequest,
+                    this.logger,
+                    this.performanceClient
+                );
 
-            // Show the UI once the url has been created. Get the window handle for the popup.
-            const popupWindow: Window = this.initiateAuthRequest(
-                navigateUrl,
-                popupParams
-            );
-            this.eventHandler.emitEvent(
-                EventType.POPUP_OPENED,
-                InteractionType.Popup,
-                { popupWindow },
-                null
-            );
+                // Show the UI once the url has been created. Get the window handle for the popup.
+                const popupWindow: Window = this.initiateAuthRequest(
+                    navigateUrl,
+                    popupParams
+                );
+                this.eventHandler.emitEvent(
+                    EventType.POPUP_OPENED,
+                    InteractionType.Popup,
+                    { popupWindow },
+                    null
+                );
 
-            // Monitor the window for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
-            const responseString = await this.monitorPopupForHash(
-                popupWindow,
-                popupParams.popupWindowParent
-            );
+                // Monitor the window for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
+                const responseString = await this.monitorPopupForHash(
+                    popupWindow,
+                    popupParams.popupWindowParent
+                );
 
-            const serverParams = invoke(
-                ResponseHandler.deserializeResponse,
-                PerformanceEvents.DeserializeResponse,
-                this.logger,
-                this.performanceClient,
-                this.correlationId
-            )(
-                responseString,
-                this.config.auth.OIDCOptions.serverResponseType,
-                this.logger
-            );
+                const serverParams = invoke(
+                    ResponseHandler.deserializeResponse,
+                    PerformanceEvents.DeserializeResponse,
+                    this.logger,
+                    this.performanceClient,
+                    this.correlationId
+                )(
+                    responseString,
+                    this.config.auth.OIDCOptions.serverResponseType,
+                    this.logger
+                );
 
-            return await invokeAsync(
-                Authorize.handleResponseCode,
-                PerformanceEvents.HandleResponseCode,
-                this.logger,
-                this.performanceClient,
-                correlationId
-            )(
-                request,
-                serverParams,
-                pkce.verifier,
-                ApiId.acquireTokenPopup,
-                this.config,
-                authClient,
-                this.browserStorage,
-                this.nativeStorage,
-                this.eventHandler,
-                this.logger,
-                this.performanceClient,
-                this.platformAuthProvider
-            );
+                return await invokeAsync(
+                    Authorize.handleResponseCode,
+                    PerformanceEvents.HandleResponseCode,
+                    this.logger,
+                    this.performanceClient,
+                    correlationId
+                )(
+                    request,
+                    serverParams,
+                    pkce.verifier,
+                    ApiId.acquireTokenPopup,
+                    this.config,
+                    authClient,
+                    this.browserStorage,
+                    this.nativeStorage,
+                    this.eventHandler,
+                    this.logger,
+                    this.performanceClient,
+                    this.platformAuthProvider
+                );
+            }
         } catch (e) {
             // Close the synchronous popup if an error is thrown before the window unload event is registered
             popupParams.popup?.close();
@@ -452,6 +472,84 @@ export class PopupClient extends StandardInteractionClient {
         );
     }
 
+    async executeCodeFlowWithPost(
+        request: CommonAuthorizationUrlRequest,
+        popupParams: PopupParams,
+        authClient: AuthorizationCodeClient,
+        pkceVerifier: string
+    ): Promise<AuthenticationResult> {
+        const correlationId = request.correlationId;
+        // Get the frame handle for the silent request
+        const discoveredAuthority = await invokeAsync(
+            this.getDiscoveredAuthority.bind(this),
+            PerformanceEvents.StandardInteractionClientGetDiscoveredAuthority,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )({
+            requestAuthority: request.authority,
+            requestAzureCloudOptions: request.azureCloudOptions,
+            requestExtraQueryParameters: request.extraQueryParameters,
+            account: request.account,
+        });
+
+        const popupWindow =
+            popupParams.popup || this.openPopup("about:blank", popupParams);
+
+        const form = await Authorize.getCodeForm(
+            popupWindow.document,
+            this.config,
+            discoveredAuthority,
+            request,
+            this.logger,
+            this.performanceClient
+        );
+
+        form.submit();
+
+        // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
+        const responseString = await invokeAsync(
+            this.monitorPopupForHash.bind(this),
+            PerformanceEvents.SilentHandlerMonitorIframeForHash,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(popupWindow, popupParams.popupWindowParent);
+
+        const serverParams = invoke(
+            ResponseHandler.deserializeResponse,
+            PerformanceEvents.DeserializeResponse,
+            this.logger,
+            this.performanceClient,
+            this.correlationId
+        )(
+            responseString,
+            this.config.auth.OIDCOptions.serverResponseType,
+            this.logger
+        );
+
+        return invokeAsync(
+            Authorize.handleResponseCode,
+            PerformanceEvents.HandleResponseCode,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(
+            request,
+            serverParams,
+            pkceVerifier,
+            ApiId.acquireTokenPopup,
+            this.config,
+            authClient,
+            this.browserStorage,
+            this.nativeStorage,
+            this.eventHandler,
+            this.logger,
+            this.performanceClient,
+            this.platformAuthProvider
+        );
+    }
+
     /**
      *
      * @param validRequest