@azure/identity 1.2.0-beta.2 → 1.2.0

package/dist/index.js

@@ -7,7 +7,7 @@ function _interopDefault (ex) { return (ex && (typeof ex === 'object') && 'defau
 var tslib = require('tslib');
 var coreTracing = require('@azure/core-tracing');
 var api = require('@opentelemetry/api');
-var logger$c = require('@azure/logger');
+var logger$h = require('@azure/logger');
 var qs = _interopDefault(require('qs'));
 var coreHttp = require('@azure/core-http');
 var jws = _interopDefault(require('jws'));
@@ -19,6 +19,8 @@ var crypto__default = _interopDefault(crypto);
 var child_process = require('child_process');
 var os = _interopDefault(require('os'));
 var path$2 = _interopDefault(require('path'));
+var msalNode = require('@azure/msal-node');
+require('axios');
 var events = _interopDefault(require('events'));
 var util = _interopDefault(require('util'));
 var tty = _interopDefault(require('tty'));
@@ -30,7 +32,6 @@ var zlib = _interopDefault(require('zlib'));
 var querystring = _interopDefault(require('querystring'));
 var url = _interopDefault(require('url'));
 var http = _interopDefault(require('http'));
-var msalNode = require('@azure/msal-node');
 var open = _interopDefault(require('open'));
 
 // Copyright (c) Microsoft Corporation.
@@ -154,7 +155,7 @@ function createSpan(operationName, options = {}) {
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger = logger$c.createClientLogger("identity");
+const logger = logger$h.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars List of environment variable names
@@ -174,13 +175,17 @@ function processEnvVars(supportedEnvVars) {
  * Formatting the success event on the credentials
  */
 function formatSuccess(scope) {
-    return `SUCCESS: ${Array.isArray(scope) ? scope.join(", ") : scope}`;
+    return `SUCCESS. Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
 }
 /**
  * Formatting the success event on the credentials
  */
-function formatError(error) {
-    return `ERROR: ${typeof error === "string" ? error : error.message}`;
+function formatError(scope, error) {
+    let message = "ERROR.";
+    if (scope === null || scope === void 0 ? void 0 : scope.length) {
+        message += ` Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
+    }
+    return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
 }
 /**
  * Generates a CredentialLoggerInstance.
@@ -270,7 +275,7 @@ class ChainedTokenCredential {
                         errors.push(err);
                     }
                     else {
-                        logger$1.getToken.info(formatError(err));
+                        logger$1.getToken.info(formatError(scopes, err));
                         throw err;
                     }
                 }
@@ -281,7 +286,7 @@ class ChainedTokenCredential {
                     code: api.CanonicalCode.UNAUTHENTICATED,
                     message: err.message
                 });
-                logger$1.getToken.info(formatError(err));
+                logger$1.getToken.info(formatError(scopes, err));
                 throw err;
             }
             span.end();
@@ -527,7 +532,7 @@ class ClientSecretCredential {
                     code,
                     message: err.message
                 });
-                logger$2.getToken.info(err);
+                logger$2.getToken.info(formatError(scopes, err));
                 throw err;
             }
             finally {
@@ -537,6 +542,15 @@ class ClientSecretCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+function checkTenantId(logger, tenantId) {
+    if (!tenantId.match(/^[0-9a-zA-Z-.:/]+$/)) {
+        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names.");
+        logger.info(formatError("", error));
+        throw error;
+    }
+}
+
 // Copyright (c) Microsoft Corporation.
 const SelfSignedJwtLifetimeMins = 10;
 function timestampInSeconds(date) {
@@ -566,6 +580,7 @@ class ClientCertificateCredential {
      * @param options Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, certificatePath, options) {
+        checkTenantId(logger$3, tenantId);
         this.identityClient = new IdentityClient(options);
         this.tenantId = tenantId;
         this.clientId = clientId;
@@ -582,7 +597,7 @@ class ClientCertificateCredential {
         } while (match);
         if (publicKeys.length === 0) {
             const error = new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-            logger$3.info(formatError(error));
+            logger$3.info(formatError("", error));
             throw error;
         }
         this.certificateThumbprint = crypto.createHash("sha1")
@@ -590,7 +605,7 @@ class ClientCertificateCredential {
             .digest("hex")
             .toUpperCase();
         this.certificateX5t = Buffer.from(this.certificateThumbprint, "hex").toString("base64");
-        if (options && options.includeX5c) {
+        if (options && options.sendCertificateChain) {
             this.certificateX5c = publicKeys;
         }
     }
@@ -672,7 +687,7 @@ class ClientCertificateCredential {
                     code,
                     message: err.message
                 });
-                logger$3.getToken.info(formatError(err));
+                logger$3.getToken.info(formatError("", err));
                 throw err;
             }
             finally {
@@ -703,6 +718,7 @@ class UsernamePasswordCredential {
      * @param options Options for configuring the client which makes the authentication request.
      */
     constructor(tenantIdOrName, clientId, username, password, options) {
+        checkTenantId(logger$4, tenantIdOrName);
         this.identityClient = new IdentityClient(options);
         this.tenantId = tenantIdOrName;
         this.clientId = clientId;
@@ -756,7 +772,7 @@ class UsernamePasswordCredential {
                     code,
                     message: err.message
                 });
-                logger$4.getToken.info(formatError(err));
+                logger$4.getToken.info(formatError(scopes, err));
                 throw err;
             }
             finally {
@@ -810,6 +826,9 @@ class EnvironmentCredential {
         const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
         logger$5.info(`Found the following environment variables: ${assigned}`);
         const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
+        if (tenantId) {
+            checkTenantId(logger$5, tenantId);
+        }
         if (tenantId && clientId && clientSecret) {
             logger$5.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
             this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
@@ -862,7 +881,7 @@ class EnvironmentCredential {
                             .split("More details:")
                             .join("")
                     });
-                    logger$5.getToken.info(formatError(authenticationError));
+                    logger$5.getToken.info(formatError(scopes, authenticationError));
                     throw authenticationError;
                 }
                 finally {
@@ -874,137 +893,119 @@ class EnvironmentCredential {
             span.setStatus({ code: api.CanonicalCode.UNAUTHENTICATED });
             span.end();
             const error = new CredentialUnavailable("EnvironmentCredential is unavailable. Environment variables are not fully configured.");
-            logger$5.getToken.info(formatError(error));
+            logger$5.getToken.info(formatError(scopes, error));
             throw error;
         });
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const DefaultScopeSuffix = "/.default";
-const ImdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
-const ImdsApiVersion = "2018-02-01";
-const AppServiceMsiApiVersion = "2017-09-01";
-const logger$6 = credentialLogger("ManagedIdentityCredential");
-/**
- * Attempts authentication using a managed identity that has been assigned
- * to the deployment environment.  This authentication type works in Azure VMs,
- * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-class ManagedIdentityCredential {
-    /**
-     * @internal
-     * @ignore
-     */
-    constructor(clientIdOrOptions, options) {
-        this.isEndpointUnavailable = null;
-        if (typeof clientIdOrOptions === "string") {
-            // clientId, options constructor
-            this.clientId = clientIdOrOptions;
-            this.identityClient = new IdentityClient(options);
-        }
-        else {
-            // options only constructor
-            this.identityClient = new IdentityClient(clientIdOrOptions);
+const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+const imdsApiVersion = "2018-02-01";
+const azureArcAPIVersion = "2019-11-01";
+
+// Copyright (c) Microsoft Corporation.
+function mapScopesToResource(scopes) {
+    let scope = "";
+    if (Array.isArray(scopes)) {
+        if (scopes.length !== 1) {
+            throw new Error("To convert to a resource string the specified array must be exactly length 1");
         }
+        scope = scopes[0];
     }
-    mapScopesToResource(scopes) {
-        let scope = "";
-        if (Array.isArray(scopes)) {
-            if (scopes.length !== 1) {
-                throw new Error("To convert to a resource string the specified array must be exactly length 1");
-            }
-            scope = scopes[0];
-        }
-        else if (typeof scopes === "string") {
-            scope = scopes;
-        }
-        if (!scope.endsWith(DefaultScopeSuffix)) {
-            return scope;
-        }
-        return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
+    else if (typeof scopes === "string") {
+        scope = scopes;
     }
-    createImdsAuthRequest(resource, clientId) {
-        const queryParameters = {
-            resource,
-            "api-version": ImdsApiVersion
-        };
-        if (clientId) {
-            queryParameters.client_id = clientId;
-        }
-        return {
-            url: ImdsEndpoint,
-            method: "GET",
-            queryParameters,
-            headers: {
-                Accept: "application/json",
-                Metadata: true
-            }
-        };
+    if (!scope.endsWith(DefaultScopeSuffix)) {
+        return scope;
     }
-    createAppServiceMsiAuthRequest(resource, clientId, version) {
-        const queryParameters = {
-            resource,
-            "api-version": AppServiceMsiApiVersion
-        };
-        if (version === "2019-08-01") {
-            if (clientId) {
-                queryParameters.client_id = clientId;
-            }
-            return {
-                url: process.env.IDENTITY_ENDPOINT,
-                method: "GET",
-                queryParameters,
-                headers: {
-                    Accept: "application/json",
-                    "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER
-                }
-            };
-        }
-        else if (version === "2017-09-01") {
-            if (clientId) {
-                queryParameters.clientid = clientId;
-            }
-            return {
-                url: process.env.MSI_ENDPOINT,
-                method: "GET",
-                queryParameters,
-                headers: {
-                    Accept: "application/json",
-                    secret: process.env.MSI_SECRET
-                }
-            };
-        }
-        else {
-            throw new Error(`Unsupported version ${version}. The supported versions are "2019-08-01" and "2017-09-01"`);
-        }
+    return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
+}
+function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
+    return tslib.__awaiter(this, void 0, void 0, function* () {
+        const webResource = identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, requestOptions));
+        const tokenResponse = yield identityClient.sendTokenRequest(webResource, expiresInParser);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    });
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$6 = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+// Cloud Shell MSI doesn't have a special expiresIn parser.
+const expiresInParser = undefined;
+function prepareRequestOptions(resource, clientId) {
+    const body = {
+        resource
+    };
+    if (clientId) {
+        body.client_id = clientId;
     }
-    createCloudShellMsiAuthRequest(resource, clientId) {
-        const body = {
-            resource
-        };
-        if (clientId) {
-            body.client_id = clientId;
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: qs.stringify(body),
+        headers: {
+            Accept: "application/json",
+            Metadata: true,
+            "Content-Type": "application/x-www-form-urlencoded"
         }
-        return {
-            url: process.env.MSI_ENDPOINT,
-            method: "POST",
-            body: qs.stringify(body),
-            headers: {
-                Accept: "application/json",
-                Metadata: true,
-                "Content-Type": "application/x-www-form-urlencoded"
-            }
-        };
+    };
+}
+const cloudShellMsi = {
+    isAvailable() {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            return Boolean(process.env.MSI_ENDPOINT);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            logger$6.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
+            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+        });
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$7 = credentialLogger("ManagedIdentityCredential - IMDS");
+function expiresInParser$1(requestBody) {
+    if (requestBody.expires_on) {
+        // Use the expires_on timestamp if it's available
+        const expires = +requestBody.expires_on * 1000;
+        logger$7.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        return expires;
     }
-    pingImdsEndpoint(resource, clientId, getTokenOptions) {
+    else {
+        // If these aren't possible, use expires_in and calculate a timestamp
+        const expires = Date.now() + requestBody.expires_in * 1000;
+        logger$7.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        return expires;
+    }
+}
+function prepareRequestOptions$1(resource, clientId) {
+    const queryParameters = {
+        resource,
+        "api-version": imdsApiVersion
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    return {
+        url: imdsEndpoint,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            Metadata: true
+        }
+    };
+}
+const imdsMsi = {
+    isAvailable(identityClient, resource, clientId, getTokenOptions) {
         return tslib.__awaiter(this, void 0, void 0, function* () {
             const { span, options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
-            const request = this.createImdsAuthRequest(resource, clientId);
+            const request = prepareRequestOptions$1(resource, clientId);
             // This will always be populated, but let's make TypeScript happy
             if (request.headers) {
                 // Remove the Metadata header to invoke a request error from
@@ -1016,11 +1017,11 @@ class ManagedIdentityCredential {
                 // Create a request with a timeout since we expect that
                 // not having a "Metadata" header should cause an error to be
                 // returned quickly from the endpoint, proving its availability.
-                const webResource = this.identityClient.createWebResource(request);
+                const webResource = identityClient.createWebResource(request);
                 webResource.timeout = (options.requestOptions && options.requestOptions.timeout) || 500;
                 try {
-                    logger$6.info(`Pinging IMDS endpoint`);
-                    yield this.identityClient.sendRequest(webResource);
+                    logger$7.info(`Pinging IMDS endpoint`);
+                    yield identityClient.sendRequest(webResource);
                 }
                 catch (err) {
                     if ((err instanceof coreHttp.RestError && err.code === coreHttp.RestError.REQUEST_SEND_ERROR) ||
@@ -1030,22 +1031,24 @@ class ManagedIdentityCredential {
                     ) {
                         // If the request failed, or NodeJS was unable to establish a connection,
                         // or the host was down, we'll assume the IMDS endpoint isn't available.
-                        logger$6.info(`IMDS endpoint unavailable`);
+                        logger$7.info(`IMDS endpoint unavailable`);
                         span.setStatus({
                             code: api.CanonicalCode.UNAVAILABLE,
                             message: err.message
                         });
+                        // IMDS MSI unavailable.
                         return false;
                     }
                 }
                 // If we received any response, the endpoint is available
-                logger$6.info(`IMDS endpoint is available`);
+                logger$7.info(`IMDS endpoint is available`);
+                // IMDS MSI available!
                 return true;
             }
             catch (err) {
                 // createWebResource failed.
                 // This error should bubble up to the user.
-                logger$6.info(formatError(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`));
+                logger$7.info(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`);
                 span.setStatus({
                     code: api.CanonicalCode.UNKNOWN,
                     message: err.message
@@ -1056,86 +1059,177 @@ class ManagedIdentityCredential {
                 span.end();
             }
         });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            logger$7.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+            return msiGenericGetToken(identityClient, prepareRequestOptions$1(resource, clientId), expiresInParser$1, getTokenOptions);
+        });
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$8 = credentialLogger("ManagedIdentityCredential - AppServiceMSI 2017");
+function expiresInParser$2(requestBody) {
+    // Parse a date format like "06/20/2019 02:57:58 +00:00" and
+    // convert it into a JavaScript-formatted date
+    return Date.parse(requestBody.expires_on);
+}
+function prepareRequestOptions$2(resource, clientId) {
+    const queryParameters = {
+        resource,
+        "api-version": "2017-09-01"
+    };
+    if (clientId) {
+        queryParameters.clientid = clientId;
     }
-    authenticateManagedIdentity(scopes, checkIfImdsEndpointAvailable, clientId, getTokenOptions) {
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            secret: process.env.MSI_SECRET
+        }
+    };
+}
+const appServiceMsi2017 = {
+    isAvailable() {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            const env = process.env;
+            return Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
         return tslib.__awaiter(this, void 0, void 0, function* () {
-            let authRequestOptions;
-            const resource = this.mapScopesToResource(scopes);
-            let expiresInParser;
+            logger$8.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+            return msiGenericGetToken(identityClient, prepareRequestOptions$2(resource, clientId), expiresInParser$2, getTokenOptions);
+        });
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$9 = credentialLogger("ManagedIdentityCredential - ArcMSI");
+// Azure Arc MSI doesn't have a special expiresIn parser.
+const expiresInParser$3 = undefined;
+function prepareRequestOptions$3(resource) {
+    const queryParameters = {
+        resource,
+        "api-version": azureArcAPIVersion
+    };
+    return {
+        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
+        url: process.env.IDENTITY_ENDPOINT,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            Metadata: true
+        }
+    };
+}
+// Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
+function readFileAsync(path, options) {
+    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
+        if (err) {
+            reject(err);
+        }
+        resolve(data);
+    }));
+}
+function filePathRequest(identityClient, requestPrepareOptions) {
+    return tslib.__awaiter(this, void 0, void 0, function* () {
+        const response = yield identityClient.sendRequest(identityClient.createWebResource(requestPrepareOptions));
+        if (response.status !== 401) {
+            let message = "";
+            if (response.bodyAsText) {
+                message = ` Response: ${response.bodyAsText}`;
+            }
+            throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+        }
+        const authHeader = response.headers.get("www-authenticate") || "";
+        return authHeader.split("=").slice(1)[0];
+    });
+}
+const arcMsi = {
+    isAvailable() {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            logger$9.info(`Using the Azure Arc MSI to authenticate.`);
+            if (clientId) {
+                throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
+            }
+            const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions$3(resource));
+            const filePath = yield filePathRequest(identityClient, requestOptions);
+            if (!filePath) {
+                throw new Error("Azure Arc MSI failed to find the token file.");
+            }
+            const key = yield readFileAsync(filePath, { encoding: "utf-8" });
+            requestOptions.headers["Authorization"] = `Basic ${key}`;
+            return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
+        });
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$a = credentialLogger("ManagedIdentityCredential");
+/**
+ * Attempts authentication using a managed identity that has been assigned
+ * to the deployment environment.  This authentication type works in Azure VMs,
+ * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ */
+class ManagedIdentityCredential {
+    /**
+     * @internal
+     * @ignore
+     */
+    constructor(clientIdOrOptions, options) {
+        this.isEndpointUnavailable = null;
+        if (typeof clientIdOrOptions === "string") {
+            // clientId, options constructor
+            this.clientId = clientIdOrOptions;
+            this.identityClient = new IdentityClient(options);
+        }
+        else {
+            // options only constructor
+            this.identityClient = new IdentityClient(clientIdOrOptions);
+        }
+    }
+    cachedAvailableMSI(resource, clientId, getTokenOptions) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            if (this.cachedMSI) {
+                return this.cachedMSI;
+            }
+            // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
+            // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
+            const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];
+            for (const msi of MSIs) {
+                if (yield msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {
+                    this.cachedMSI = msi;
+                    return msi;
+                }
+            }
+            throw new CredentialUnavailable("ManagedIdentityCredential - No MSI credential available");
+        });
+    }
+    authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            const resource = mapScopesToResource(scopes);
             const { span, options } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
             try {
-                // Detect which type of environment we are running in
-                if (process.env.IDENTITY_ENDPOINT && process.env.IDENTITY_HEADER) {
-                    // Running in App Service 2019-08-01
-                    authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId, "2019-08-01");
-                    expiresInParser = (requestBody) => {
-                        // Parses a string representation of the seconds since epoch into a number value
-                        return Number(requestBody.expires_on);
-                    };
-                    logger$6.info(`Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-                }
-                else if (process.env.MSI_ENDPOINT) {
-                    if (process.env.MSI_SECRET) {
-                        // Running in App Service
-                        authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId, "2017-09-01");
-                        expiresInParser = (requestBody) => {
-                            // Parse a date format like "06/20/2019 02:57:58 +00:00" and
-                            // convert it into a JavaScript-formatted date
-                            return Date.parse(requestBody.expires_on);
-                        };
-                        logger$6.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-                    }
-                    else {
-                        logger$6.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-                        // Running in Cloud Shell
-                        authRequestOptions = this.createCloudShellMsiAuthRequest(resource, clientId);
-                    }
-                }
-                else {
-                    expiresInParser = (requestBody) => {
-                        if (requestBody.expires_on) {
-                            // Use the expires_on timestamp if it's available
-                            const expires = +requestBody.expires_on * 1000;
-                            logger$6.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
-                            return expires;
-                        }
-                        else {
-                            // If these aren't possible, use expires_in and calculate a timestamp
-                            const expires = Date.now() + requestBody.expires_in * 1000;
-                            logger$6.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
-                            return expires;
-                        }
-                    };
-                    logger$6.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-                    // Ping the IMDS endpoint to see if it's available
-                    if (!checkIfImdsEndpointAvailable ||
-                        (yield this.pingImdsEndpoint(resource, clientId, options))) {
-                        // Running in an Azure VM
-                        authRequestOptions = this.createImdsAuthRequest(resource, clientId);
-                    }
-                    else {
-                        // Returning null tells the ManagedIdentityCredential that
-                        // no MSI authentication endpoints are available
-                        return null;
-                    }
-                }
-                const webResource = this.identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: options.abortSignal, spanOptions: options.tracingOptions && options.tracingOptions.spanOptions }, authRequestOptions));
-                const tokenResponse = yield this.identityClient.sendTokenRequest(webResource, expiresInParser);
-                return (tokenResponse && tokenResponse.accessToken) || null;
+                // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
+                const availableMSI = yield this.cachedAvailableMSI(resource, clientId, options);
+                return availableMSI.getToken(this.identityClient, resource, clientId, options);
             }
             catch (err) {
-                // Expected errors to reach this point:
-                // - When we try call createWebResource and it fails (at any point).
-                // - When identityClient.sendTokenRequest throws.
-                //   If the status code was 400, it means that the endpoint is working,
-                //   but no identity is available.
-                //
-                // Errors that might reach this point, but shouldn't:
-                // - When createAppServiceMsiAuthRequest is called with an unsupported version.
-                //   We shouldn't see this happening, because we specify the version in the parameters.
-                //
-                // Errors that shouldn't reach this point at all:
-                // - If we tried to reach to the IMDS endpoint and it ends up being unavailable, we simply don't call to createImdsAuthRequest, so we return null.
                 const code = err.name === AuthenticationErrorName
                     ? api.CanonicalCode.UNAUTHENTICATED
                     : api.CanonicalCode.UNKNOWN;
@@ -1169,7 +1263,7 @@ class ManagedIdentityCredential {
                 // If it's null, it means we don't yet know whether
                 // the endpoint is available and need to check for it.
                 if (this.isEndpointUnavailable !== true) {
-                    result = yield this.authenticateManagedIdentity(scopes, this.isEndpointUnavailable === null, this.clientId, newOptions);
+                    result = yield this.authenticateManagedIdentity(scopes, this.clientId, newOptions);
                     if (result === null) {
                         // If authenticateManagedIdentity returns null,
                         // it means no MSI endpoints are available.
@@ -1178,35 +1272,22 @@ class ManagedIdentityCredential {
                         // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
                         // yet we had no access token. For this reason, we'll throw once with a specific message:
                         const error = new CredentialUnavailable("The managed identity endpoint was reached, yet no tokens were received.");
-                        logger$6.getToken.info(formatError(error));
+                        logger$a.getToken.info(formatError(scopes, error));
                         throw error;
                     }
                     // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
                     // We will assume that this endpoint is reachable from this point forward,
                     // and avoid pinging again to it.
-                    // Details:
-                    // - If `isEndpointUnavailable` is not true, `authenticateManagedIdentity` is called.
-                    // - If `isEndpointUnavailable` is only set to false if `authenticateManagedIdentity` returns null.
-                    // - If `isEndpointUnavailable` is null, `authenticateManagedIdentity` wil be called with "true" as the second parameter.
-                    // - When `authenticateManagedIdentity` is called with `checkIfImdsEndpointAvailable` set to "true", `pingImdsEndpoint` is called.
-                    // - If `pingImdsEndpoint` returns false, `authenticateManagedIdentity` returns null, which sets `isEndpointUnavailable` to false.
-                    // - If `pingImdsEndpoint` returns true, `authenticateManagedIdentity` tries to authenticate with the IMDS endpoint.
-                    // - If `authenticateManagedIdentity` tries to authenticate, and throws, we move to the catch section of this function.
-                    // - If `authenticateManagedIdentity` manages to authenticate, `result` won't be null.
-                    // - If `result` isn't null at this point, the endpoint was in fact available at first.
-                    // - To avoid calling again to `pingImdsEndpoint`, we need to set `isEndpointUnavailable` to false,
-                    //   so that `authenticateManagedIdentity` gets to be called with `checkIfImdsEndpointAvailable` set to "false",
-                    //   thus skipping any further call to `pingImdsEndpoint`.
                     this.isEndpointUnavailable = false;
                 }
                 else {
                     // We've previously determined that the endpoint was unavailable,
                     // either because it was unreachable or permanently unable to authenticate.
                     const error = new CredentialUnavailable("The managed identity endpoint is not currently available");
-                    logger$6.getToken.info(formatError(error));
+                    logger$a.getToken.info(formatError(scopes, error));
                     throw error;
                 }
-                logger$6.getToken.info(formatSuccess(scopes));
+                logger$a.getToken.info(formatSuccess(scopes));
                 return result;
             }
             catch (err) {
@@ -1226,7 +1307,7 @@ class ManagedIdentityCredential {
                 });
                 if (err.code === "ENETUNREACH") {
                     const error = new CredentialUnavailable("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
-                    logger$6.getToken.info(formatError(error));
+                    logger$a.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 // If err.statusCode has a value of 400, it comes from sendTokenRequest,
@@ -1259,7 +1340,7 @@ function getSafeWorkingDir() {
         return "/bin";
     }
 }
-const logger$7 = credentialLogger("AzureCliCredential");
+const logger$b = credentialLogger("AzureCliCredential");
 /**
  * This credential will use the currently logged-in user login information
  * via the Azure CLI ('az') commandline tool.
@@ -1301,12 +1382,12 @@ class AzureCliCredential {
         return tslib.__awaiter(this, void 0, void 0, function* () {
             return new Promise((resolve, reject) => {
                 const scope = typeof scopes === "string" ? scopes : scopes[0];
-                logger$7.getToken.info(`Using the scope ${scope}`);
+                logger$b.getToken.info(`Using the scope ${scope}`);
                 const resource = scope.replace(/\/.default$/, "");
                 // Check to make sure the scope we get back is a valid scope
                 if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
                     const error = new Error("Invalid scope was specified by the user or calling client");
-                    logger$7.getToken.info(formatError(error));
+                    logger$b.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 let responseData = "";
@@ -1319,22 +1400,22 @@ class AzureCliCredential {
                             obj.stderr.startsWith("'az' is not recognized");
                         if (isNotInstallError) {
                             const error = new CredentialUnavailable("Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
-                            logger$7.getToken.info(formatError(error));
+                            logger$b.getToken.info(formatError(scopes, error));
                             throw error;
                         }
                         else if (isLoginError) {
                             const error = new CredentialUnavailable("Please run 'az login' from a command prompt to authenticate before using this credential.");
-                            logger$7.getToken.info(formatError(error));
+                            logger$b.getToken.info(formatError(scopes, error));
                             throw error;
                         }
                         const error = new CredentialUnavailable(obj.stderr);
-                        logger$7.getToken.info(formatError(error));
+                        logger$b.getToken.info(formatError(scopes, error));
                         throw error;
                     }
                     else {
                         responseData = obj.stdout;
                         const response = JSON.parse(responseData);
-                        logger$7.getToken.info(formatSuccess(scopes));
+                        logger$b.getToken.info(formatSuccess(scopes));
                         const returnValue = {
                             token: response.accessToken,
                             expiresOnTimestamp: new Date(response.expiresOn).getTime()
@@ -1351,7 +1432,7 @@ class AzureCliCredential {
                         code,
                         message: err.message
                     });
-                    logger$7.getToken.info(formatError(err));
+                    logger$b.getToken.info(formatError(scopes, err));
                     reject(err);
                 });
             });
@@ -1359,6 +1440,42 @@ class AzureCliCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * The default client ID for authentication
+ * @internal
+ * @ignore
+ */
+// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
+// Developer Sign On application is available
+// https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/Constants.cs#L9
+const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+/**
+ * The default tenant for authentication
+ * @internal
+ * @ignore
+ */
+const DefaultTenantId = "common";
+(function (AzureAuthorityHosts) {
+    /**
+     * China-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
+    /**
+     * Germany-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
+    /**
+     * US Government Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
+    /**
+     * Public Cloud Azure Authority Host
+     */
+    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
+})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+
 // Copyright (c) Microsoft Corporation.
 let keytar;
 try {
@@ -1370,7 +1487,7 @@ catch (er) {
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const VSCodeUserName = "VS Code Azure";
-const logger$8 = credentialLogger("VisualStudioCodeCredential");
+const logger$c = credentialLogger("VisualStudioCodeCredential");
 // Map of unsupported Tenant IDs and the errors we will be throwing.
 const unsupportedTenantIds = {
     adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants."
@@ -1382,6 +1499,12 @@ function checkUnsupportedTenant(tenantId) {
         throw new CredentialUnavailable(unsupportedTenantError);
     }
 }
+const mapVSCodeAuthorityHosts = {
+    AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
+    AzureChina: exports.AzureAuthorityHosts.AzureChina,
+    AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
+    AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment
+};
 /**
  * Attempts to load a specific property from the VSCode configurations of the current OS.
  * If it fails at any point, returns undefined.
@@ -1411,7 +1534,7 @@ function getPropertyFromVSCode(property) {
         }
     }
     catch (e) {
-        logger$8.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        logger$c.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
         return;
     }
 }
@@ -1427,8 +1550,14 @@ class VisualStudioCodeCredential {
      * @param options Options for configuring the client which makes the authentication request.
      */
     constructor(options) {
-        this.identityClient = new IdentityClient(options);
+        // We want to make sure we use the one assigned by the user on the VSCode settings.
+        // Or just `AzureCloud` by default.
+        this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
+        // Picking an authority host based on the cloud name.
+        const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
+        this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
         if (options && options.tenantId) {
+            checkTenantId(logger$c, options.tenantId);
             this.tenantId = options.tenantId;
         }
         else {
@@ -1477,7 +1606,7 @@ class VisualStudioCodeCredential {
             // Check to make sure the scope we get back is a valid scope
             if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
                 const error = new Error("Invalid scope was specified by the user or calling client");
-                logger$8.getToken.info(formatError(error));
+                logger$c.getToken.info(formatError(scopes, error));
                 throw error;
             }
             if (scopeString.indexOf("offline_access") < 0) {
@@ -1492,11 +1621,8 @@ class VisualStudioCodeCredential {
             //   /* ... */
             // ]
             const credentials = yield keytar.findCredentials(VSCodeUserName);
-            // We want to make sure we use the one assigned by the user on the VSCode settings.
-            // Or just `Azure` by default.
-            const cloudName = getPropertyFromVSCode("azure.cloud") || "Azure";
             // If we can't find the credential based on the name, we'll pick the first one available.
-            const { password } = credentials.find((cred) => cred.account === cloudName) ||
+            const { password } = credentials.find((cred) => cred.account === this.cloudName) ||
                 credentials[0] ||
                 {};
             // Assuming we found something, the refresh token is the "password" property.
@@ -1504,18 +1630,18 @@ class VisualStudioCodeCredential {
             if (refreshToken) {
                 const tokenResponse = yield this.identityClient.refreshAccessToken(this.tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
                 if (tokenResponse) {
-                    logger$8.getToken.info(formatSuccess(scopes));
+                    logger$c.getToken.info(formatSuccess(scopes));
                     return tokenResponse.accessToken;
                 }
                 else {
                     const error = new CredentialUnavailable("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently?");
-                    logger$8.getToken.info(formatError(error));
+                    logger$c.getToken.info(formatError(scopes, error));
                     throw error;
                 }
             }
             else {
                 const error = new CredentialUnavailable("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension?");
-                logger$8.getToken.info(formatError(error));
+                logger$c.getToken.info(formatError(scopes, error));
                 throw error;
             }
         });
@@ -1556,40 +1682,84 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The default client ID for authentication
- * @internal
- * @ignore
- */
-// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
-// Developer Sign On application is available
-// https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/Constants.cs#L9
-const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
-/**
- * The default tenant for authentication
- * @internal
- * @ignore
- */
-const DefaultTenantId = "common";
-(function (AzureAuthorityHosts) {
-    /**
-     * China-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
-    /**
-     * Germany-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
-    /**
-     * US Government Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
-    /**
-     * Public Cloud Azure Authority Host
-     */
-    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
-})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+const logger$d = credentialLogger("InteractiveBrowserCredential");
+class AuthenticationRequired extends CredentialUnavailable {
+}
+class MsalClient {
+    constructor(msalConfig, persistenceEnabled, authenticationRecord, options) {
+        this.identityClient = new IdentityClient(options);
+        this.msalConfig = msalConfig;
+        this.persistenceEnabled = persistenceEnabled;
+        this.authenticationRecord = authenticationRecord;
+    }
+    prepareClientApplications() {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            // If we've already initialized the public client application, return
+            if (this.pca) {
+                return;
+            }
+            // Construct the public client application, since it hasn't been initialized, yet
+            const clientConfig = {
+                auth: this.msalConfig,
+                cache: undefined,
+                system: { networkClient: this.identityClient }
+            };
+            this.pca = new msalNode.PublicClientApplication(clientConfig);
+        });
+    }
+    acquireTokenFromCache(scopes) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            yield this.prepareClientApplications();
+            if (!this.persistenceEnabled || !this.authenticationRecord) {
+                throw new AuthenticationRequired();
+            }
+            const silentRequest = {
+                account: this.authenticationRecord,
+                scopes
+            };
+            try {
+                const response = yield this.pca.acquireTokenSilent(silentRequest);
+                logger$d.info("Successful silent token acquisition");
+                return {
+                    expiresOnTimestamp: response.expiresOn.getTime(),
+                    token: response.accessToken
+                };
+            }
+            catch (e) {
+                throw new AuthenticationRequired("Could not authenticate silently using the cache");
+            }
+        });
+    }
+    getAuthCodeUrl(request) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            yield this.prepareClientApplications();
+            return this.pca.getAuthCodeUrl(request);
+        });
+    }
+    acquireTokenByCode(request) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            yield this.prepareClientApplications();
+            return this.pca.acquireTokenByCode(request);
+        });
+    }
+    acquireTokenByDeviceCode(request) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            yield this.prepareClientApplications();
+            return this.pca.acquireTokenByDeviceCode(request);
+        });
+    }
+    acquireTokenByClientCredential(request) {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            yield this.prepareClientApplications();
+            return this.cca.acquireTokenByClientCredential(request);
+        });
+    }
+}
+var HttpMethod;
+(function (HttpMethod) {
+    HttpMethod["GET"] = "get";
+    HttpMethod["POST"] = "post";
+})(HttpMethod || (HttpMethod = {}));
 
 var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
@@ -41113,9 +41283,7 @@ var express_10 = express.urlencoded;
 var express$1 = express;
 
 // Copyright (c) Microsoft Corporation.
-const logger$9 = credentialLogger("InteractiveBrowserCredential");
-class AuthenticationRequired extends CredentialUnavailable {
-}
+const logger$e = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow, either via browser redirects or a popup
@@ -41123,12 +41291,11 @@ class AuthenticationRequired extends CredentialUnavailable {
  */
 class InteractiveBrowserCredential {
     constructor(options) {
-        this.identityClient = new IdentityClient(options);
-        this.tenantId = (options && options.tenantId) || DefaultTenantId;
-        this.clientId = (options && options.clientId) || DeveloperSignOnClientId;
-        // Future update: this is for persistent caching
-        this.persistenceEnabled = this.persistenceEnabled = (options === null || options === void 0 ? void 0 : options.cacheOptions) !== undefined;
-        this.authenticationRecord = options === null || options === void 0 ? void 0 : options.authenticationRecord;
+        const tenantId = (options && options.tenantId) || DefaultTenantId;
+        const clientId = (options && options.clientId) || DeveloperSignOnClientId;
+        checkTenantId(logger$e, tenantId);
+        // const persistenceEnabled = options?.persistenceEnabled ? options?.persistenceEnabled : false;
+        // const authenticationRecord = options?.authenticationRecord;
         if (options && options.redirectUri) {
             if (typeof options.redirectUri === "string") {
                 this.redirectUri = options.redirectUri;
@@ -41145,29 +41312,19 @@ class InteractiveBrowserCredential {
         if (isNaN(this.port)) {
             this.port = 80;
         }
+        let authorityHost;
         if (options && options.authorityHost) {
             if (options.authorityHost.endsWith("/")) {
-                this.authorityHost = options.authorityHost + this.tenantId;
+                authorityHost = options.authorityHost + tenantId;
             }
             else {
-                this.authorityHost = options.authorityHost + "/" + this.tenantId;
+                authorityHost = options.authorityHost + "/" + tenantId;
             }
         }
         else {
-            this.authorityHost = "https://login.microsoftonline.com/" + this.tenantId;
+            authorityHost = "https://login.microsoftonline.com/" + tenantId;
         }
-        const knownAuthorities = this.tenantId === "adfs" ? [this.authorityHost] : [];
-        const publicClientConfig = {
-            auth: {
-                clientId: this.clientId,
-                authority: this.authorityHost,
-                knownAuthorities: knownAuthorities
-            },
-            cache: options === null || options === void 0 ? void 0 : options.cacheOptions,
-            system: { networkClient: this.identityClient }
-        };
-        this.pca = new msalNode.PublicClientApplication(publicClientConfig);
-        this.msalCacheManager = this.pca.getTokenCache();
+        this.msalClient = new MsalClient({ clientId, authority: authorityHost }, false, undefined, options);
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if
@@ -41181,37 +41338,13 @@ class InteractiveBrowserCredential {
      */
     getToken(scopes, _options) {
         const scopeArray = typeof scopes === "object" ? scopes : [scopes];
-        if (this.authenticationRecord && this.persistenceEnabled) {
-            return this.acquireTokenFromCache().catch((e) => {
-                if (e instanceof AuthenticationRequired) {
-                    return this.acquireTokenFromBrowser(scopeArray);
-                }
-                else {
-                    throw e;
-                }
-            });
-        }
-        else {
-            return this.acquireTokenFromBrowser(scopeArray);
-        }
-    }
-    acquireTokenFromCache() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            yield this.msalCacheManager.readFromPersistence();
-            const silentRequest = {
-                account: this.authenticationRecord,
-                scopes: ["https://vault.azure.net/user_impersonation", "https://vault.azure.net/.default"]
-            };
-            try {
-                const response = yield this.pca.acquireTokenSilent(silentRequest);
-                logger$9.info("Successful silent token acquisition");
-                return {
-                    expiresOnTimestamp: response.expiresOn.getTime(),
-                    token: response.accessToken
-                };
+        return this.msalClient.acquireTokenFromCache(scopeArray).catch((e) => {
+            if (e instanceof AuthenticationRequired) {
+                return this.acquireTokenFromBrowser(scopeArray);
             }
-            catch (e) {
-                throw new AuthenticationRequired("Could not authenticate silently using the cache");
+            else {
+                logger$e.getToken.info(formatError(scopes, e));
+                throw e;
             }
         });
     }
@@ -41221,11 +41354,8 @@ class InteractiveBrowserCredential {
                 scopes: scopeArray,
                 redirectUri: this.redirectUri
             };
-            const response = yield this.pca.getAuthCodeUrl(authCodeUrlParameters);
+            const response = yield this.msalClient.getAuthCodeUrl(authCodeUrlParameters);
             yield open(response);
-            if (this.persistenceEnabled) {
-                yield this.msalCacheManager.readFromPersistence();
-            }
         });
     }
     acquireTokenFromBrowser(scopeArray) {
@@ -41252,25 +41382,27 @@ class InteractiveBrowserCredential {
                         scopes: scopeArray
                     };
                     try {
-                        const authResponse = yield this.pca.acquireTokenByCode(tokenRequest);
-                        res.sendStatus(200);
-                        if (this.persistenceEnabled) {
-                            this.msalCacheManager.writeToPersistence();
-                        }
+                        const authResponse = yield this.msalClient.acquireTokenByCode(tokenRequest);
+                        const successMessage = `Authentication Complete. You can close the browser and return to the application.`;
+                        const expiresOnTimestamp = authResponse === null || authResponse === void 0 ? void 0 : authResponse.expiresOn.valueOf();
+                        res.status(200).send(successMessage);
+                        logger$e.getToken.info(formatSuccess(scopeArray));
                         resolve({
-                            expiresOnTimestamp: authResponse.expiresOn.valueOf(),
+                            expiresOnTimestamp,
                             token: authResponse.accessToken
                         });
                     }
                     catch (error) {
-                        res.status(500).send(error);
-                        reject(new Error(`Authentication Error "${req.query["error"]}":\n\n${req.query["error_description"]}`));
+                        const errorMessage = formatError(scopeArray, `${req.query["error"]}. ${req.query["error_description"]}`);
+                        res.status(500).send(errorMessage);
+                        logger$e.getToken.info(errorMessage);
+                        reject(new Error(errorMessage));
                     }
                     finally {
                         cleanup();
                     }
                 }));
-                listen = app.listen(this.port, () => logger$9.info(`Msal Node Auth Code Sample app listening on port ${this.port}!`));
+                listen = app.listen(this.port, () => logger$e.info(`Msal Node Auth Code Sample app listening on port ${this.port}!`));
                 listen.on("connection", (socket) => (socketToDestroy = socket));
                 try {
                     yield this.openAuthCodeUrl(scopeArray);
@@ -41284,7 +41416,7 @@ class InteractiveBrowserCredential {
     }
 }
 
-const logger$a = credentialLogger("DeviceCodeCredential");
+const logger$f = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
  * @param deviceCodeInfo The device code.
@@ -41302,39 +41434,30 @@ class DeviceCodeCredential {
      * to initiate the device code authorization flow with Azure Active Directory.
      *
      * @param tenantId The Azure Active Directory tenant (directory) ID or name.
+     *                 The default value is 'organizations'.
      *                 'organizations' may be used when dealing with multi-tenant scenarios.
      * @param clientId The client (application) ID of an App Registration in the tenant.
+     *                 By default we will try to use the Azure CLI's client ID to authenticate.
      * @param userPromptCallback A callback function that will be invoked to show
                                  {@link DeviceCodeInfo} to the user. If left unassigned, we will automatically log the device code information and the authentication instructions in the console.
      * @param options Options for configuring the client which makes the authentication request.
      */
-    constructor(tenantId, clientId, userPromptCallback = defaultDeviceCodePromptCallback, options) {
-        this.tenantId = tenantId;
-        this.clientId = clientId;
+    constructor(tenantId = "organizations", clientId = DeveloperSignOnClientId, userPromptCallback = defaultDeviceCodePromptCallback, options) {
+        checkTenantId(logger$f, tenantId);
         this.userPromptCallback = userPromptCallback;
+        let authorityHost;
         if (options && options.authorityHost) {
             if (options.authorityHost.endsWith("/")) {
-                this.authorityHost = options.authorityHost + this.tenantId;
+                authorityHost = options.authorityHost + tenantId;
             }
             else {
-                this.authorityHost = options.authorityHost + "/" + this.tenantId;
+                authorityHost = options.authorityHost + "/" + tenantId;
             }
         }
         else {
-            this.authorityHost = "https://login.microsoftonline.com/" + this.tenantId;
+            authorityHost = "https://login.microsoftonline.com/" + tenantId;
         }
-        const knownAuthorities = this.tenantId === "adfs" ? [this.authorityHost] : [];
-        const publicClientConfig = {
-            auth: {
-                clientId: this.clientId,
-                authority: this.authorityHost,
-                knownAuthorities: knownAuthorities
-            },
-            cache: {
-                cachePlugin: undefined
-            }
-        };
-        this.pca = new msalNode.PublicClientApplication(publicClientConfig);
+        this.msalClient = new MsalClient({ clientId: clientId, authority: authorityHost }, false, undefined, options);
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if
@@ -41347,37 +41470,50 @@ class DeviceCodeCredential {
      *                TokenCredential implementation might make.
      */
     getToken(scopes, options) {
-        const { span } = createSpan("DeviceCodeCredential-getToken", options);
-        const scopeArray = typeof scopes === "object" ? scopes : [scopes];
-        const deviceCodeRequest = {
-            deviceCodeCallback: this.userPromptCallback,
-            scopes: scopeArray
-        };
-        logger$a.info("Sending devicecode request");
-        try {
-            return this.acquireTokenByDeviceCode(deviceCodeRequest);
-        }
-        catch (err) {
-            const code = err.name === AuthenticationErrorName
-                ? api.CanonicalCode.UNAUTHENTICATED
-                : api.CanonicalCode.UNKNOWN;
-            span.setStatus({
-                code,
-                message: err.message
-            });
-            logger$a.getToken.info(err);
-            throw err;
-        }
-        finally {
-            span.end();
-        }
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            const { span } = createSpan("DeviceCodeCredential-getToken", options);
+            const scopeArray = typeof scopes === "object" ? scopes : [scopes];
+            const deviceCodeRequest = {
+                deviceCodeCallback: this.userPromptCallback,
+                scopes: scopeArray
+            };
+            logger$f.info(`DeviceCodeCredential invoked. Scopes: ${scopeArray.join(", ")}`);
+            return this.msalClient.acquireTokenFromCache(scopeArray).catch((e) => tslib.__awaiter(this, void 0, void 0, function* () {
+                if (e instanceof AuthenticationRequired) {
+                    try {
+                        const token = yield this.acquireTokenByDeviceCode(deviceCodeRequest, scopeArray);
+                        logger$f.getToken.info(formatSuccess(scopeArray));
+                        return token;
+                    }
+                    catch (err) {
+                        const code = err.name === AuthenticationErrorName
+                            ? api.CanonicalCode.UNAUTHENTICATED
+                            : api.CanonicalCode.UNKNOWN;
+                        span.setStatus({
+                            code,
+                            message: err.message
+                        });
+                        logger$f.getToken.info(formatError(scopeArray, err));
+                        throw err;
+                    }
+                    finally {
+                        span.end();
+                    }
+                }
+                else {
+                    throw e;
+                }
+            }));
+        });
     }
-    acquireTokenByDeviceCode(deviceCodeRequest) {
+    acquireTokenByDeviceCode(deviceCodeRequest, scopes) {
         return tslib.__awaiter(this, void 0, void 0, function* () {
             try {
-                const deviceResponse = yield this.pca.acquireTokenByDeviceCode(deviceCodeRequest);
+                const deviceResponse = yield this.msalClient.acquireTokenByDeviceCode(deviceCodeRequest);
+                const expiresOnTimestamp = deviceResponse.expiresOn.getTime();
+                logger$f.getToken.info(formatSuccess(scopes));
                 return {
-                    expiresOnTimestamp: deviceResponse.expiresOn.getTime(),
+                    expiresOnTimestamp,
                     token: deviceResponse.accessToken
                 };
             }
@@ -41389,7 +41525,7 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$b = credentialLogger("AuthorizationCodeCredential");
+const logger$g = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
  * that was obtained through the authorization code flow, described in more detail
@@ -41404,6 +41540,7 @@ class AuthorizationCodeCredential {
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
         this.lastTokenResponse = null;
+        checkTenantId(logger$g, tenantId);
         this.clientId = clientId;
         this.tenantId = tenantId;
         if (typeof redirectUriOrOptions === "string") {
@@ -41470,7 +41607,7 @@ class AuthorizationCodeCredential {
                     tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
                 }
                 this.lastTokenResponse = tokenResponse;
-                logger$b.getToken.info(formatSuccess(scopes));
+                logger$g.getToken.info(formatSuccess(scopes));
                 return (tokenResponse && tokenResponse.accessToken) || null;
             }
             catch (err) {
@@ -41481,7 +41618,7 @@ class AuthorizationCodeCredential {
                     code,
                     message: err.message
                 });
-                logger$b.getToken.info(formatError(err));
+                logger$g.getToken.info(formatError(scopes, err));
                 throw err;
             }
             finally {