@azure/identity 1.0.0-preview.1 → 1.0.0-preview.2

package/dist/index.js

@@ -5,8 +5,8 @@ Object.defineProperty(exports, '__esModule', { value: true });
 function _interopDefault (ex) { return (ex && (typeof ex === 'object') && 'default' in ex) ? ex['default'] : ex; }
 
 var tslib_1 = require('tslib');
-var coreHttp = require('@azure/core-http');
 var qs = _interopDefault(require('qs'));
+var coreHttp = require('@azure/core-http');
 var jws = _interopDefault(require('jws'));
 var uuid = _interopDefault(require('uuid'));
 var fs = require('fs');
@@ -14,6 +14,11 @@ var crypto = require('crypto');
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
+function isErrorResponse(errorResponse) {
+    return errorResponse &&
+        typeof errorResponse.error === "string" &&
+        typeof errorResponse.error_description === "string";
+}
 /**
  * Provides details about a failure to authenticate with Azure Active
  * Directory.  The `errorResponse` field contains more details about
@@ -25,7 +30,10 @@ class AuthenticationError extends Error {
             error: "unknown",
             error_description: "An unknown error occurred and no additional details are available."
         };
-        if (errorBody) {
+        if (isErrorResponse(errorBody)) {
+            errorResponse = errorBody;
+        }
+        else if (typeof errorBody === "string") {
             try {
                 // Most error responses will contain JSON-formatted error details
                 // in the response body
@@ -113,17 +121,15 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-const SelfSignedJwtLifetimeMins = 10;
 const DefaultAuthorityHost = "https://login.microsoftonline.com";
-const DefaultScopeSuffix = "/.default";
-const ImdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
-const ImdsApiVersion = "2018-02-01";
-const AppServiceMsiApiVersion = "2017-09-01";
 class IdentityClient extends coreHttp.ServiceClient {
     constructor(options) {
         options = options || IdentityClient.getDefaultOptions();
         super(undefined, options);
-        this.baseUri = options.authorityHost;
+        this.baseUri = this.authorityHost = options.authorityHost || DefaultAuthorityHost;
+        if (!this.baseUri.startsWith("https:")) {
+            throw new Error("The authorityHost address must use the 'https' protocol.");
+        }
     }
     createWebResource(requestOptions) {
         const webResource = new coreHttp.WebResource();
@@ -138,15 +144,196 @@ class IdentityClient extends coreHttp.ServiceClient {
             });
             if (response.status === 200 || response.status === 201) {
                 return {
-                    token: response.parsedBody.access_token,
-                    expiresOnTimestamp: expiresOnParser(response.parsedBody)
+                    accessToken: {
+                        token: response.parsedBody.access_token,
+                        expiresOnTimestamp: expiresOnParser(response.parsedBody)
+                    },
+                    refreshToken: response.parsedBody.refresh_token,
                 };
             }
             else {
-                throw new AuthenticationError(response.status, response.bodyAsText);
+                throw new AuthenticationError(response.status, response.parsedBody || response.bodyAsText);
             }
         });
     }
+    refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (refreshToken === undefined) {
+                return null;
+            }
+            const refreshParams = {
+                grant_type: "refresh_token",
+                client_id: clientId,
+                refresh_token: refreshToken,
+                scope: scopes
+            };
+            if (clientSecret !== undefined) {
+                refreshParams.client_secret = clientSecret;
+            }
+            const webResource = this.createWebResource({
+                url: `${this.authorityHost}/${tenantId}/oauth2/v2.0/token`,
+                method: "POST",
+                disableJsonStringifyOnBody: true,
+                deserializationMapper: undefined,
+                body: qs.stringify(refreshParams),
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                abortSignal: options && options.abortSignal
+            });
+            try {
+                return yield this.sendTokenRequest(webResource, expiresOnParser);
+            }
+            catch (err) {
+                if (err instanceof AuthenticationError && err.errorResponse.error === "interaction_required") {
+                    // It's likely that the refresh token has expired, so
+                    // return null so that the credential implementation will
+                    // initiate the authentication flow again.
+                    return null;
+                }
+                else {
+                    throw err;
+                }
+            }
+        });
+    }
+    static getDefaultOptions() {
+        return {
+            authorityHost: DefaultAuthorityHost
+        };
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Enables authentication to Azure Active Directory using a client secret
+ * that was generated for an App Registration.  More information on how
+ * to configure a client secret can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
+ *
+ */
+class ClientSecretCredential {
+    /**
+     * Creates an instance of the ClientSecretCredential with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret.
+     *
+     * @param tenantId The Azure Active Directory tenant (directory) ID.
+     * @param clientId The client (application) ID of an App Registration in the tenant.
+     * @param clientSecret A client secret that was generated for the App Registration.
+     * @param options Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, clientSecret, options) {
+        this.identityClient = new IdentityClient(options);
+        this.tenantId = tenantId;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
+     * successful.  If authentication cannot be performed at this time, this method may
+     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
+     * containing failure details will be thrown.
+     *
+     * @param scopes The list of scopes for which the token will have access.
+     * @param options The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes, options) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const webResource = this.identityClient.createWebResource({
+                url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`,
+                method: "POST",
+                disableJsonStringifyOnBody: true,
+                deserializationMapper: undefined,
+                body: qs.stringify({
+                    response_type: "token",
+                    grant_type: "client_credentials",
+                    client_id: this.clientId,
+                    client_secret: this.clientSecret,
+                    scope: typeof scopes === "string" ? scopes : scopes.join(" ")
+                }),
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                abortSignal: options && options.abortSignal
+            });
+            const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
+            return (tokenResponse && tokenResponse.accessToken) || null;
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Enables authentication to Azure Active Directory using client secret
+ * details configured in the following environment variables:
+ *
+ * - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
+ * - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
+ * - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
+ *
+ * This credential ultimately uses a {@link ClientSecretCredential} to
+ * perform the authentication using these details.  Please consult the
+ * documentation of that class for more details.
+ */
+class EnvironmentCredential {
+    /**
+     * Creates an instance of the EnvironmentCredential class and reads
+     * client secret details from environment variables.  If the expected
+     * environment variables are not found at this time, the getToken method
+     * will return null when invoked.
+     *
+     * @param options Options for configuring the client which makes the authentication request.
+     */
+    constructor(options) {
+        this._credential = undefined;
+        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
+        if (tenantId && clientId && clientSecret) {
+            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
+        }
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
+     * successful.  If authentication cannot be performed at this time, this method may
+     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
+     * containing failure details will be thrown.
+     *
+     * @param scopes The list of scopes for which the token will have access.
+     * @param options The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes, options) {
+        if (this._credential) {
+            return this._credential.getToken(scopes, options);
+        }
+        return Promise.resolve(null);
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const DefaultScopeSuffix = "/.default";
+const ImdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+const ImdsApiVersion = "2018-02-01";
+const AppServiceMsiApiVersion = "2017-09-01";
+/**
+ * Attempts authentication using a managed identity that has been assigned
+ * to the deployment environment.  This authentication type works in Azure VMs,
+ * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ */
+class ManagedIdentityCredential {
+    constructor(clientId, options) {
+        this.isEndpointUnavailable = null;
+        this.identityClient = new IdentityClient(options);
+        this.clientId = clientId;
+    }
     mapScopesToResource(scopes) {
         let scope = "";
         if (Array.isArray(scopes)) {
@@ -163,13 +350,6 @@ class IdentityClient extends coreHttp.ServiceClient {
         }
         return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
     }
-    dateInSeconds(date) {
-        return Math.floor(date.getTime() / 1000);
-    }
-    addMinutes(date, minutes) {
-        date.setMinutes(date.getMinutes() + minutes);
-        return date;
-    }
     createImdsAuthRequest(resource, clientId) {
         const queryParameters = {
             resource,
@@ -236,10 +416,10 @@ class IdentityClient extends coreHttp.ServiceClient {
             // Create a request with a 500 msec timeout since we expect that
             // not having a "Metadata" header should cause an error to be
             // returned quickly from the endpoint, proving its availability.
-            const webResource = this.createWebResource(request);
+            const webResource = this.identityClient.createWebResource(request);
             webResource.timeout = 500;
             try {
-                yield this.sendRequest(webResource);
+                yield this.identityClient.sendRequest(webResource);
             }
             catch (err) {
                 if (err instanceof coreHttp.RestError && err.code === coreHttp.RestError.REQUEST_SEND_ERROR) {
@@ -251,27 +431,6 @@ class IdentityClient extends coreHttp.ServiceClient {
             return true;
         });
     }
-    authenticateClientSecret(tenantId, clientId, clientSecret, scopes, getTokenOptions) {
-        const webResource = this.createWebResource({
-            url: `${this.baseUri}/${tenantId}/oauth2/v2.0/token`,
-            method: "POST",
-            disableJsonStringifyOnBody: true,
-            deserializationMapper: undefined,
-            body: qs.stringify({
-                response_type: "token",
-                grant_type: "client_credentials",
-                client_id: clientId,
-                client_secret: clientSecret,
-                scope: typeof scopes === "string" ? scopes : scopes.join(" ")
-            }),
-            headers: {
-                Accept: "application/json",
-                "Content-Type": "application/x-www-form-urlencoded"
-            },
-            abortSignal: getTokenOptions && getTokenOptions.abortSignal
-        });
-        return this.sendTokenRequest(webResource);
-    }
     authenticateManagedIdentity(scopes, checkIfImdsEndpointAvailable, clientId, getTokenOptions) {
         return tslib_1.__awaiter(this, void 0, void 0, function* () {
             let authRequestOptions;
@@ -306,165 +465,10 @@ class IdentityClient extends coreHttp.ServiceClient {
                     return null;
                 }
             }
-            const webResource = this.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions && getTokenOptions.abortSignal }, authRequestOptions));
-            return this.sendTokenRequest(webResource, expiresInParser);
-        });
-    }
-    authenticateClientCertificate(tenantId, clientId, certificateString, certificateX5t, scopes, getTokenOptions) {
-        const tokenId = uuid.v4();
-        const audienceUrl = `${this.baseUri}/${tenantId}/oauth2/v2.0/token`;
-        const header = {
-            typ: "JWT",
-            alg: "RS256",
-            x5t: certificateX5t
-        };
-        const payload = {
-            iss: clientId,
-            sub: clientId,
-            aud: audienceUrl,
-            jti: tokenId,
-            nbf: this.dateInSeconds(new Date()),
-            exp: this.dateInSeconds(this.addMinutes(new Date(), SelfSignedJwtLifetimeMins))
-        };
-        const clientAssertion = jws.sign({
-            header,
-            payload,
-            secret: certificateString
-        });
-        const webResource = this.createWebResource({
-            url: audienceUrl,
-            method: "POST",
-            disableJsonStringifyOnBody: true,
-            deserializationMapper: undefined,
-            body: qs.stringify({
-                response_type: "token",
-                grant_type: "client_credentials",
-                client_id: clientId,
-                client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                client_assertion: clientAssertion,
-                scope: typeof scopes === "string" ? scopes : scopes.join(" ")
-            }),
-            headers: {
-                Accept: "application/json",
-                "Content-Type": "application/x-www-form-urlencoded"
-            },
-            abortSignal: getTokenOptions && getTokenOptions.abortSignal
+            const webResource = this.identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions && getTokenOptions.abortSignal }, authRequestOptions));
+            const tokenResponse = yield this.identityClient.sendTokenRequest(webResource, expiresInParser);
+            return (tokenResponse && tokenResponse.accessToken) || null;
         });
-        return this.sendTokenRequest(webResource);
-    }
-    static getDefaultOptions() {
-        return {
-            authorityHost: DefaultAuthorityHost
-        };
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Enables authentication to Azure Active Directory using a client secret
- * that was generated for an App Registration.  More information on how
- * to configure a client secret can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
- *
- */
-class ClientSecretCredential {
-    /**
-     * Creates an instance of the ClientSecretCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
-     * secret.
-     *
-     * @param tenantId The Azure Active Directory tenant (directory) ID.
-     * @param clientId The client (application) ID of an App Registration in the tenant.
-     * @param clientSecret A client secret that was generated for the App Registration.
-     * @param options Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, clientSecret, options) {
-        this.identityClient = new IdentityClient(options);
-        this._tenantId = tenantId;
-        this._clientId = clientId;
-        this._clientSecret = clientSecret;
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * @param scopes The list of scopes for which the token will have access.
-     * @param options The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    getToken(scopes, options) {
-        return this.identityClient.authenticateClientSecret(this._tenantId, this._clientId, this._clientSecret, scopes, options);
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Enables authentication to Azure Active Directory using client secret
- * details configured in the following environment variables:
- *
- * - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
- * - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
- * - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
- *
- * This credential ultimately uses a {@link ClientSecretCredential} to
- * perform the authentication using these details.  Please consult the
- * documentation of that class for more details.
- */
-class EnvironmentCredential {
-    /**
-     * Creates an instance of the EnvironmentCredential class and reads
-     * client secret details from environment variables.  If the expected
-     * environment variables are not found at this time, the getToken method
-     * will return null when invoked.
-     *
-     * @param options Options for configuring the client which makes the authentication request.
-     */
-    constructor(options) {
-        this._credential = undefined;
-        if (!coreHttp.isNode) {
-            throw "EnvironmentCredential is only supported when running in Node.js.";
-        }
-        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
-        if (tenantId && clientId && clientSecret) {
-            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
-        }
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * @param scopes The list of scopes for which the token will have access.
-     * @param options The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    getToken(scopes, options) {
-        if (this._credential) {
-            return this._credential.getToken(scopes, options);
-        }
-        return Promise.resolve(null);
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Attempts authentication using a managed identity that has been assigned
- * to the deployment environment.  This authentication type works in Azure VMs,
- * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-class ManagedIdentityCredential {
-    constructor(clientId, options) {
-        this.isEndpointUnavailable = null;
-        this.identityClient = new IdentityClient(options);
-        this._clientId = clientId;
     }
     /**
      * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
@@ -484,7 +488,7 @@ class ManagedIdentityCredential {
             // the endpoint is available and need to check for it.
             if (this.isEndpointUnavailable !== true) {
                 result =
-                    yield this.identityClient.authenticateManagedIdentity(scopes, this.isEndpointUnavailable === null, this._clientId, options);
+                    yield this.authenticateManagedIdentity(scopes, this.isEndpointUnavailable === null, this.clientId, options);
                 // If authenticateManagedIdentity returns null, it means no MSI
                 // endpoints are available.  In this case, don't try them in future
                 // requests.
@@ -519,6 +523,14 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+const SelfSignedJwtLifetimeMins = 10;
+function timestampInSeconds(date) {
+    return Math.floor(date.getTime() / 1000);
+}
+function addMinutes(date, minutes) {
+    date.setMinutes(date.getMinutes() + minutes);
+    return date;
+}
 /**
  * Enables authentication to Azure Active Directory using a PEM-encoded
  * certificate that is assigned to an App Registration.  More information
@@ -539,11 +551,11 @@ class ClientCertificateCredential {
      */
     constructor(tenantId, clientId, certificatePath, options) {
         this.identityClient = new IdentityClient(options);
-        this._tenantId = tenantId;
-        this._clientId = clientId;
-        this._certificateString = fs.readFileSync(certificatePath, "utf8");
+        this.tenantId = tenantId;
+        this.clientId = clientId;
+        this.certificateString = fs.readFileSync(certificatePath, "utf8");
         const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
-        const matchCert = this._certificateString.match(certificatePattern);
+        const matchCert = this.certificateString.match(certificatePattern);
         const publicKey = matchCert ? matchCert[3] : "";
         if (!publicKey) {
             throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
@@ -565,7 +577,262 @@ class ClientCertificateCredential {
      *                TokenCredential implementation might make.
      */
     getToken(scopes, options) {
-        return this.identityClient.authenticateClientCertificate(this._tenantId, this._clientId, this._certificateString, this.certificateX5t, scopes, options);
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const tokenId = uuid.v4();
+            const audienceUrl = `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`;
+            const header = {
+                typ: "JWT",
+                alg: "RS256",
+                x5t: this.certificateX5t
+            };
+            const payload = {
+                iss: this.clientId,
+                sub: this.clientId,
+                aud: audienceUrl,
+                jti: tokenId,
+                nbf: timestampInSeconds(new Date()),
+                exp: timestampInSeconds(addMinutes(new Date(), SelfSignedJwtLifetimeMins))
+            };
+            const clientAssertion = jws.sign({
+                header,
+                payload,
+                secret: this.certificateString
+            });
+            const webResource = this.identityClient.createWebResource({
+                url: audienceUrl,
+                method: "POST",
+                disableJsonStringifyOnBody: true,
+                deserializationMapper: undefined,
+                body: qs.stringify({
+                    response_type: "token",
+                    grant_type: "client_credentials",
+                    client_id: this.clientId,
+                    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+                    client_assertion: clientAssertion,
+                    scope: typeof scopes === "string" ? scopes : scopes.join(" ")
+                }),
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                abortSignal: options && options.abortSignal
+            });
+            const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
+            return (tokenResponse && tokenResponse.accessToken) || null;
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+const BrowserNotSupportedError = new Error("InteractiveBrowserCredential is not supported in Node.js.");
+/**
+ * Enables authentication to Azure Active Directory inside of the web browser
+ * using the interactive login flow, either via browser redirects or a popup
+ * window.  This credential is not currently supported in Node.js.
+ */
+class InteractiveBrowserCredential {
+    constructor(tenantId, clientId, options) {
+        throw BrowserNotSupportedError;
+    }
+    getToken(scopes, options) {
+        throw BrowserNotSupportedError;
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Enables authentication to Azure Active Directory using a device code
+ * that the user can enter into https://microsoft.com/devicelogin.
+ */
+class DeviceCodeCredential {
+    /**
+     * Creates an instance of DeviceCodeCredential with the details needed
+     * to initiate the device code authorization flow with Azure Active Directory.
+     *
+     * @param tenantId The Azure Active Directory tenant (directory) ID or name.
+     * @param clientId The client (application) ID of an App Registration in the tenant.
+     * @param userPromptCallback A callback function that will be invoked to show
+                                 {@link DeviceCodeDetails} to the user.
+     * @param options Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, userPromptCallback, options) {
+        this.lastTokenResponse = null;
+        this.identityClient = new IdentityClient(options);
+        this.tenantId = tenantId;
+        this.clientId = clientId;
+        this.userPromptCallback = userPromptCallback;
+    }
+    sendDeviceCodeRequest(scope, options) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const webResource = this.identityClient.createWebResource({
+                url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/devicecode`,
+                method: "POST",
+                disableJsonStringifyOnBody: true,
+                deserializationMapper: undefined,
+                body: qs.stringify({
+                    client_id: this.clientId,
+                    scope
+                }),
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                abortSignal: options && options.abortSignal
+            });
+            const response = yield this.identityClient.sendRequest(webResource);
+            if (!(response.status === 200 || response.status === 201)) {
+                throw new AuthenticationError(response.status, response.bodyAsText);
+            }
+            return response.parsedBody;
+        });
+    }
+    pollForToken(deviceCodeResponse, options) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            let tokenResponse = null;
+            const webResource = this.identityClient.createWebResource({
+                url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`,
+                method: "POST",
+                disableJsonStringifyOnBody: true,
+                deserializationMapper: undefined,
+                body: qs.stringify({
+                    grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+                    client_id: this.clientId,
+                    device_code: deviceCodeResponse.device_code
+                }),
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                abortSignal: options && options.abortSignal
+            });
+            while (tokenResponse === null) {
+                try {
+                    yield coreHttp.delay(deviceCodeResponse.interval * 1000);
+                    // Check the abort signal before sending the request
+                    if (options && options.abortSignal && options.abortSignal.aborted) {
+                        return null;
+                    }
+                    tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
+                }
+                catch (err) {
+                    if (err instanceof AuthenticationError) {
+                        switch (err.errorResponse.error) {
+                            case "authorization_pending":
+                                break;
+                            case "authorization_declined":
+                                return null;
+                            case "expired_token":
+                                throw err;
+                            case "bad_verification_code":
+                                throw err;
+                        }
+                    }
+                    else {
+                        throw err;
+                    }
+                }
+            }
+            return tokenResponse;
+        });
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
+     * successful.  If authentication cannot be performed at this time, this method may
+     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
+     * containing failure details will be thrown.
+     *
+     * @param scopes The list of scopes for which the token will have access.
+     * @param options The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes, options) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            let tokenResponse = null;
+            let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
+            if (scopeString.indexOf("offline_access") < 0) {
+                scopeString += " offline_access";
+            }
+            // Try to use the refresh token first
+            if (this.lastTokenResponse && this.lastTokenResponse.refreshToken) {
+                tokenResponse = yield this.identityClient.refreshAccessToken(this.tenantId, this.clientId, scopeString, this.lastTokenResponse.refreshToken, undefined, // clientSecret not needed for device code auth
+                undefined, options);
+            }
+            if (tokenResponse === null) {
+                const deviceCodeResponse = yield this.sendDeviceCodeRequest(scopeString, options);
+                this.userPromptCallback({
+                    userCode: deviceCodeResponse.user_code,
+                    verificationUri: deviceCodeResponse.verification_uri,
+                    message: deviceCodeResponse.message
+                });
+                tokenResponse = yield this.pollForToken(deviceCodeResponse, options);
+            }
+            this.lastTokenResponse = tokenResponse;
+            return (tokenResponse && tokenResponse.accessToken) || null;
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Enables authentication to Azure Active Directory with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
+ */
+class UsernamePasswordCredential {
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Azure Active Directory with a username
+     * and password.
+     *
+     * @param tenantIdOrName The Azure Active Directory tenant (directory) ID or name.
+     * @param clientId The client (application) ID of an App Registration in the tenant.
+     * @param username The user account's e-mail address (user name).
+     * @param password The user account's account password
+     * @param options Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantIdOrName, clientId, username, password, options) {
+        this.identityClient = new IdentityClient(options);
+        this.tenantId = tenantIdOrName;
+        this.clientId = clientId;
+        this.username = username;
+        this.password = password;
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
+     * successful.  If authentication cannot be performed at this time, this method may
+     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
+     * containing failure details will be thrown.
+     *
+     * @param scopes The list of scopes for which the token will have access.
+     * @param options The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes, options) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const webResource = this.identityClient.createWebResource({
+                url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`,
+                method: "POST",
+                disableJsonStringifyOnBody: true,
+                deserializationMapper: undefined,
+                body: qs.stringify({
+                    response_type: "token",
+                    grant_type: "password",
+                    client_id: this.clientId,
+                    username: this.username,
+                    password: this.password,
+                    scope: typeof scopes === "string" ? scopes : scopes.join(" ")
+                }),
+                headers: {
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                abortSignal: options && options.abortSignal
+            });
+            const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
+            return (tokenResponse && tokenResponse.accessToken) || null;
+        });
     }
 }
 
@@ -580,7 +847,10 @@ exports.ChainedTokenCredential = ChainedTokenCredential;
 exports.ClientCertificateCredential = ClientCertificateCredential;
 exports.ClientSecretCredential = ClientSecretCredential;
 exports.DefaultAzureCredential = DefaultAzureCredential;
+exports.DeviceCodeCredential = DeviceCodeCredential;
 exports.EnvironmentCredential = EnvironmentCredential;
+exports.InteractiveBrowserCredential = InteractiveBrowserCredential;
 exports.ManagedIdentityCredential = ManagedIdentityCredential;
+exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
 //# sourceMappingURL=index.js.map