@azure/identity 1.3.0 → 1.5.2

package/dist/index.js

@@ -8,7 +8,8 @@ var tslib = require('tslib');
 var coreTracing = require('@azure/core-tracing');
 var logger$h = require('@azure/logger');
 var qs = _interopDefault(require('qs'));
-var coreHttp = require('@azure/core-http');
+var coreRestPipeline = require('@azure/core-rest-pipeline');
+var coreClient = require('@azure/core-client');
 var jws = _interopDefault(require('jws'));
 var uuid = require('uuid');
 var fs = require('fs');
@@ -274,19 +275,6 @@ class ChainedTokenCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-function getAuthorityHostEnvironment() {
-    if (process.env.AZURE_AUTHORITY_HOST) {
-        return {
-            authorityHost: process.env.AZURE_AUTHORITY_HOST
-        };
-    }
-    else {
-        return undefined;
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 function getIdentityTokenEndpointSuffix(tenantId) {
@@ -299,62 +287,132 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
-const DefaultAuthorityHost = "https://login.microsoftonline.com";
-class IdentityClient extends coreHttp.ServiceClient {
+// Licensed under the MIT license.
+/**
+ * The default client ID for authentication
+ * @internal
+ */
+// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
+// Developer Sign On application is available
+// https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/Constants.cs#L9
+const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+/**
+ * The default tenant for authentication
+ * @internal
+ */
+const DefaultTenantId = "common";
+(function (AzureAuthorityHosts) {
+    /**
+     * China-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
+    /**
+     * Germany-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
+    /**
+     * US Government Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
+    /**
+     * Public Cloud Azure Authority Host
+     */
+    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
+})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+/**
+ * The default authority host.
+ * @internal
+ */
+const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Safe JSON parse.
+ * @internal
+ */
+function parse(input) {
+    if (!input) {
+        return {};
+    }
+    try {
+        return JSON.parse(input);
+    }
+    catch (e) {
+        return {};
+    }
+}
+/**
+ * @internal
+ */
+function getIdentityClientAuthorityHost(options) {
+    // The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
+    let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
+    // The AZURE_AUTHORITY_HOST environment variable can only be provided in NodeJS.
+    {
+        authorityHost = authorityHost !== null && authorityHost !== void 0 ? authorityHost : process.env.AZURE_AUTHORITY_HOST;
+    }
+    // If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
+    return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
+}
+/**
+ * The network module used by the Identity credentials.
+ *
+ * It allows for credentials to abort any pending request independently of the MSAL flow,
+ * by calling to the `abortRequests()` method.
+ *
+ */
+class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
-        {
-            options = options || getAuthorityHostEnvironment();
-        }
-        options = options || IdentityClient.getDefaultOptions();
-        super(undefined, coreHttp.createPipelineFromOptions(Object.assign(Object.assign({}, options), { deserializationOptions: {
-                expectedContentTypes: {
-                    json: ["application/json", "text/json", "text/plain"]
-                }
-            } })));
-        this.baseUri = this.authorityHost = options.authorityHost || DefaultAuthorityHost;
-        if (!this.baseUri.startsWith("https:")) {
+        var _a;
+        const packageDetails = `azsdk-js-identity/1.5.2`;
+        const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix) ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
+            : `${packageDetails}`;
+        const baseUri = getIdentityClientAuthorityHost(options);
+        if (!baseUri.startsWith("https:")) {
             throw new Error("The authorityHost address must use the 'https' protocol.");
         }
+        super(Object.assign(Object.assign({ requestContentType: "application/json; charset=utf-8" }, options), { userAgentOptions: {
+                userAgentPrefix
+            }, baseUri }));
+        this.authorityHost = baseUri;
     }
-    createWebResource(requestOptions) {
-        const webResource = new coreHttp.WebResource();
-        webResource.prepare(requestOptions);
-        return webResource;
-    }
-    sendTokenRequest(webResource, expiresOnParser) {
+    sendTokenRequest(request, expiresOnParser) {
+        var _a;
         return tslib.__awaiter(this, void 0, void 0, function* () {
-            logger.info(`IdentityClient: sending token request to [${webResource.url}]`);
-            const response = yield this.sendRequest(webResource);
+            logger.info(`IdentityClient: sending token request to [${request.url}]`);
+            const response = yield this.sendRequest(request);
             expiresOnParser =
                 expiresOnParser ||
                     ((responseBody) => {
                         return Date.now() + responseBody.expires_in * 1000;
                     });
-            if (response.status === 200 || response.status === 201) {
+            if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
+                const parsedBody = parse(response.bodyAsText);
                 const token = {
                     accessToken: {
-                        token: response.parsedBody.access_token,
-                        expiresOnTimestamp: expiresOnParser(response.parsedBody)
+                        token: (_a = parsedBody.token) !== null && _a !== void 0 ? _a : parsedBody.access_token,
+                        expiresOnTimestamp: expiresOnParser(parsedBody)
                     },
-                    refreshToken: response.parsedBody.refresh_token
+                    refreshToken: parsedBody.refresh_token
                 };
-                logger.info(`IdentityClient: [${webResource.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+                logger.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
                 return token;
             }
             else {
-                const error = new AuthenticationError(response.status, response.parsedBody || response.bodyAsText);
+                const error = new AuthenticationError(response.status, response.bodyAsText);
                 logger.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
                 throw error;
             }
         });
     }
     refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
+        var _a, _b;
         return tslib.__awaiter(this, void 0, void 0, function* () {
             if (refreshToken === undefined) {
                 return null;
             }
             logger.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
-            const { span, updatedOptions: newOptions } = createSpan("IdentityClient-refreshAccessToken", options);
+            const { span, updatedOptions } = createSpan("IdentityClient-refreshAccessToken", options);
             const refreshParams = {
                 grant_type: "refresh_token",
                 client_id: clientId,
@@ -366,19 +424,19 @@ class IdentityClient extends coreHttp.ServiceClient {
             }
             try {
                 const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
-                const webResource = this.createWebResource({
+                const webResource = coreRestPipeline.createPipelineRequest({
                     url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
                     method: "POST",
-                    disableJsonStringifyOnBody: true,
-                    deserializationMapper: undefined,
                     body: qs.stringify(refreshParams),
-                    headers: {
+                    abortSignal: options && options.abortSignal,
+                    headers: coreRestPipeline.createHttpHeaders({
                         Accept: "application/json",
                         "Content-Type": "application/x-www-form-urlencoded"
-                    },
-                    spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
-                    tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext,
-                    abortSignal: options && options.abortSignal
+                    }),
+                    tracingOptions: {
+                        spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
+                        tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext
+                    }
                 });
                 const response = yield this.sendTokenRequest(webResource, expiresOnParser);
                 logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
@@ -411,31 +469,39 @@ class IdentityClient extends coreHttp.ServiceClient {
             }
         });
     }
+    // The MSAL network module methods follow
     sendGetRequestAsync(url, options) {
-        const webResource = new coreHttp.WebResource(url, "GET", options === null || options === void 0 ? void 0 : options.body, {}, options === null || options === void 0 ? void 0 : options.headers);
-        return this.sendRequest(webResource).then((response) => {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            const request = coreRestPipeline.createPipelineRequest({
+                url,
+                method: "GET",
+                body: options === null || options === void 0 ? void 0 : options.body,
+                headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers)
+            });
+            const response = yield this.sendRequest(request);
             return {
-                body: response.parsedBody,
-                headers: response.headers.rawHeaders(),
+                body: parse(response.bodyAsText),
+                headers: response.headers.toJSON(),
                 status: response.status
             };
         });
     }
     sendPostRequestAsync(url, options) {
-        const webResource = new coreHttp.WebResource(url, "POST", options === null || options === void 0 ? void 0 : options.body, {}, options === null || options === void 0 ? void 0 : options.headers);
-        return this.sendRequest(webResource).then((response) => {
+        return tslib.__awaiter(this, void 0, void 0, function* () {
+            const request = coreRestPipeline.createPipelineRequest({
+                url,
+                method: "POST",
+                body: options === null || options === void 0 ? void 0 : options.body,
+                headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers)
+            });
+            const response = yield this.sendRequest(request);
             return {
-                body: response.parsedBody,
-                headers: response.headers.rawHeaders(),
+                body: parse(response.bodyAsText),
+                headers: response.headers.toJSON(),
                 status: response.status
             };
         });
     }
-    static getDefaultOptions() {
-        return {
-            authorityHost: DefaultAuthorityHost
-        };
-    }
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -477,14 +543,12 @@ class ClientSecretCredential {
      */
     getToken(scopes, options) {
         return tslib.__awaiter(this, void 0, void 0, function* () {
-            const { span, updatedOptions: newOptions } = createSpan("ClientSecretCredential-getToken", options);
+            const { span, updatedOptions } = createSpan("ClientSecretCredential-getToken", options);
             try {
                 const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);
-                const webResource = this.identityClient.createWebResource({
+                const request = coreRestPipeline.createPipelineRequest({
                     url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,
                     method: "POST",
-                    disableJsonStringifyOnBody: true,
-                    deserializationMapper: undefined,
                     body: qs.stringify({
                         response_type: "token",
                         grant_type: "client_credentials",
@@ -492,15 +556,17 @@ class ClientSecretCredential {
                         client_secret: this.clientSecret,
                         scope: typeof scopes === "string" ? scopes : scopes.join(" ")
                     }),
-                    headers: {
+                    headers: coreRestPipeline.createHttpHeaders({
                         Accept: "application/json",
                         "Content-Type": "application/x-www-form-urlencoded"
-                    },
+                    }),
                     abortSignal: options && options.abortSignal,
-                    spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
-                    tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext,
+                    tracingOptions: {
+                        spanOptions: updatedOptions.tracingOptions && updatedOptions.tracingOptions.spanOptions,
+                        tracingContext: updatedOptions.tracingOptions && updatedOptions.tracingOptions.tracingContext
+                    }
                 });
-                const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
+                const tokenResponse = yield this.identityClient.sendTokenRequest(request);
                 logger$2.getToken.info(formatSuccess(scopes));
                 return (tokenResponse && tokenResponse.accessToken) || null;
             }
@@ -632,11 +698,9 @@ class ClientCertificateCredential {
                     payload,
                     secret: this.certificateString
                 });
-                const webResource = this.identityClient.createWebResource({
+                const webResource = coreRestPipeline.createPipelineRequest({
                     url: audienceUrl,
                     method: "POST",
-                    disableJsonStringifyOnBody: true,
-                    deserializationMapper: undefined,
                     body: qs.stringify({
                         response_type: "token",
                         grant_type: "client_credentials",
@@ -645,13 +709,15 @@ class ClientCertificateCredential {
                         client_assertion: clientAssertion,
                         scope: typeof scopes === "string" ? scopes : scopes.join(" ")
                     }),
-                    headers: {
+                    headers: coreRestPipeline.createHttpHeaders({
                         Accept: "application/json",
                         "Content-Type": "application/x-www-form-urlencoded"
-                    },
+                    }),
                     abortSignal: options && options.abortSignal,
-                    spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
-                    tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext,
+                    tracingOptions: {
+                        spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
+                        tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext
+                    }
                 });
                 const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
                 logger$3.getToken.info(formatSuccess(scopes));
@@ -715,11 +781,9 @@ class UsernamePasswordCredential {
             const { span, updatedOptions: newOptions } = createSpan("UsernamePasswordCredential-getToken", options);
             try {
                 const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);
-                const webResource = this.identityClient.createWebResource({
+                const webResource = coreRestPipeline.createPipelineRequest({
                     url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,
                     method: "POST",
-                    disableJsonStringifyOnBody: true,
-                    deserializationMapper: undefined,
                     body: qs.stringify({
                         response_type: "token",
                         grant_type: "password",
@@ -728,13 +792,15 @@ class UsernamePasswordCredential {
                         password: this.password,
                         scope: typeof scopes === "string" ? scopes : scopes.join(" ")
                     }),
-                    headers: {
+                    headers: coreRestPipeline.createHttpHeaders({
                         Accept: "application/json",
                         "Content-Type": "application/x-www-form-urlencoded"
-                    },
+                    }),
                     abortSignal: options && options.abortSignal,
-                    spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
-                    tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext,
+                    tracingOptions: {
+                        spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
+                        tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext
+                    }
                 });
                 const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
                 logger$4.getToken.info(formatSuccess(scopes));
@@ -872,7 +938,8 @@ class EnvironmentCredential {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const DefaultScopeSuffix = "/.default";
-const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+const imdsHost = "http://169.254.169.254";
+const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 const azureArcAPIVersion = "2019-11-01";
 
@@ -895,8 +962,11 @@ function mapScopesToResource(scopes) {
 }
 function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
     return tslib.__awaiter(this, void 0, void 0, function* () {
-        const webResource = identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions, tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext }, requestOptions));
-        const tokenResponse = yield identityClient.sendTokenRequest(webResource, expiresInParser);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal, tracingOptions: {
+                spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions,
+                tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext
+            } }, requestOptions), { allowInsecureConnection: true }));
+        const tokenResponse = yield identityClient.sendTokenRequest(request, expiresInParser);
         return (tokenResponse && tokenResponse.accessToken) || null;
     });
 }
@@ -916,11 +986,11 @@ function prepareRequestOptions(resource, clientId) {
         url: process.env.MSI_ENDPOINT,
         method: "POST",
         body: qs.stringify(body),
-        headers: {
+        headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            Metadata: true,
+            Metadata: "true",
             "Content-Type": "application/x-www-form-urlencoded"
-        }
+        })
     };
 }
 const cloudShellMsi = {
@@ -953,7 +1023,8 @@ function expiresInParser$1(requestBody) {
         return expires;
     }
 }
-function prepareRequestOptions$1(resource, clientId) {
+function prepareRequestOptions$1(resource, clientId, options) {
+    var _a;
     const queryParameters = {
         resource,
         "api-version": imdsApiVersion
@@ -961,41 +1032,60 @@ function prepareRequestOptions$1(resource, clientId) {
     if (clientId) {
         queryParameters.client_id = clientId;
     }
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const { skipQuery, skipMetadataHeader } = options || {};
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    let query = "";
+    if (!skipQuery) {
+        query = `?${qs.stringify(queryParameters)}`;
+    }
+    const headersSource = {
+        Accept: "application/json",
+        Metadata: "true"
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete headersSource.Metadata;
+    }
     return {
-        url: imdsEndpoint,
+        url: `${url}${query}`,
         method: "GET",
-        queryParameters,
-        headers: {
-            Accept: "application/json",
-            Metadata: true
-        }
+        headers: coreRestPipeline.createHttpHeaders(headersSource)
     };
 }
 const imdsMsi = {
     isAvailable(identityClient, resource, clientId, getTokenOptions) {
+        var _a, _b;
         return tslib.__awaiter(this, void 0, void 0, function* () {
-            const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
-            const request = prepareRequestOptions$1(resource, clientId);
-            // This will always be populated, but let's make TypeScript happy
-            if (request.headers) {
-                // Remove the Metadata header to invoke a request error from
-                // IMDS endpoint
-                delete request.headers.Metadata;
+            // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+            if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+                return true;
             }
-            request.spanOptions = options.tracingOptions && options.tracingOptions.spanOptions;
-            request.tracingContext = options.tracingOptions && options.tracingOptions.tracingContext;
+            const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
             try {
                 // Create a request with a timeout since we expect that
                 // not having a "Metadata" header should cause an error to be
                 // returned quickly from the endpoint, proving its availability.
-                const webResource = identityClient.createWebResource(request);
-                webResource.timeout = (options.requestOptions && options.requestOptions.timeout) || 500;
+                // Later we found that skipping the query parameters is also necessary in some cases.
+                const requestOptions = prepareRequestOptions$1(resource, clientId, {
+                    skipMetadataHeader: true,
+                    skipQuery: true
+                });
+                requestOptions.tracingOptions = {
+                    spanOptions: options.tracingOptions && options.tracingOptions.spanOptions,
+                    tracingContext: options.tracingOptions && options.tracingOptions.tracingContext
+                };
+                const request = coreRestPipeline.createPipelineRequest(requestOptions);
+                request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
+                // This MSI uses the imdsEndpoint to get the token, which only uses http://
+                request.allowInsecureConnection = true;
                 try {
                     logger$7.info(`Pinging IMDS endpoint`);
-                    yield identityClient.sendRequest(webResource);
+                    yield identityClient.sendRequest(request);
                 }
                 catch (err) {
-                    if ((err instanceof coreHttp.RestError && err.code === coreHttp.RestError.REQUEST_SEND_ERROR) ||
+                    if ((err instanceof coreRestPipeline.RestError && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
                         err.name === "AbortError" ||
                         err.code === "ECONNREFUSED" || // connection refused
                         err.code === "EHOSTDOWN" // host is down
@@ -1054,21 +1144,25 @@ function prepareRequestOptions$2(resource, clientId) {
     if (clientId) {
         queryParameters.clientid = clientId;
     }
+    const query = qs.stringify(queryParameters);
     return {
-        url: process.env.MSI_ENDPOINT,
+        url: `${process.env.MSI_ENDPOINT}?${query}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
             secret: process.env.MSI_SECRET
-        }
+        })
     };
 }
 const appServiceMsi2017 = {
     isAvailable() {
         return tslib.__awaiter(this, void 0, void 0, function* () {
             const env = process.env;
-            return Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+            const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+            if (!result) {
+                logger$8.info("The Azure App Service MSI 2017 is unavailable.");
+            }
+            return result;
         });
     },
     getToken(identityClient, resource, clientId, getTokenOptions = {}) {
@@ -1088,15 +1182,15 @@ function prepareRequestOptions$3(resource) {
         resource,
         "api-version": azureArcAPIVersion
     };
+    const query = qs.stringify(queryParameters);
     return {
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: process.env.IDENTITY_ENDPOINT,
+        url: `${process.env.IDENTITY_ENDPOINT}?${query}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            Metadata: true
-        }
+            Metadata: "true"
+        })
     };
 }
 // Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
@@ -1110,7 +1204,7 @@ function readFileAsync(path, options) {
 }
 function filePathRequest(identityClient, requestPrepareOptions) {
     return tslib.__awaiter(this, void 0, void 0, function* () {
-        const response = yield identityClient.sendRequest(identityClient.createWebResource(requestPrepareOptions));
+        const response = yield identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
         if (response.status !== 401) {
             let message = "";
             if (response.bodyAsText) {
@@ -1125,22 +1219,27 @@ function filePathRequest(identityClient, requestPrepareOptions) {
 const arcMsi = {
     isAvailable() {
         return tslib.__awaiter(this, void 0, void 0, function* () {
-            return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+            const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+            if (!result) {
+                logger$9.info("The Azure Arc MSI is unavailable.");
+            }
+            return result;
         });
     },
     getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        var _a;
         return tslib.__awaiter(this, void 0, void 0, function* () {
             logger$9.info(`Using the Azure Arc MSI to authenticate.`);
             if (clientId) {
                 throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
             }
-            const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions, tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext }, prepareRequestOptions$3(resource));
+            const requestOptions = Object.assign({ allowInsecureConnection: true, disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions$3(resource));
             const filePath = yield filePathRequest(identityClient, requestOptions);
             if (!filePath) {
                 throw new Error("Azure Arc MSI failed to find the token file.");
             }
             const key = yield readFileAsync(filePath, { encoding: "utf-8" });
-            requestOptions.headers["Authorization"] = `Basic ${key}`;
+            (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
             return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
         });
     }
@@ -1167,7 +1266,7 @@ class ManagedIdentityCredential {
         if (typeof clientIdOrOptions === "string") {
             // clientId, options constructor
             this.clientId = clientIdOrOptions;
-            this.identityClient = new IdentityClient(options);
+            this.identityClient = new IdentityClient(Object.assign({}, options));
         }
         else {
             // options only constructor
@@ -1420,40 +1519,6 @@ class AzureCliCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The default client ID for authentication
- * @internal
- */
-// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
-// Developer Sign On application is available
-// https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/Constants.cs#L9
-const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
-/**
- * The default tenant for authentication
- * @internal
- */
-const DefaultTenantId = "common";
-(function (AzureAuthorityHosts) {
-    /**
-     * China-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
-    /**
-     * Germany-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
-    /**
-     * US Government Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
-    /**
-     * Public Cloud Azure Authority Host
-     */
-    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
-})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
-
 // Copyright (c) Microsoft Corporation.
 let keytar;
 try {
@@ -2079,11 +2144,9 @@ class AuthorizationCodeCredential {
                 }
                 if (tokenResponse === null) {
                     const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);
-                    const webResource = this.identityClient.createWebResource({
+                    const webResource = coreRestPipeline.createPipelineRequest({
                         url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,
                         method: "POST",
-                        disableJsonStringifyOnBody: true,
-                        deserializationMapper: undefined,
                         body: qs.stringify({
                             client_id: this.clientId,
                             grant_type: "authorization_code",
@@ -2092,13 +2155,15 @@ class AuthorizationCodeCredential {
                             redirect_uri: this.redirectUri,
                             client_secret: this.clientSecret
                         }),
-                        headers: {
+                        headers: coreRestPipeline.createHttpHeaders({
                             Accept: "application/json",
                             "Content-Type": "application/x-www-form-urlencoded"
-                        },
+                        }),
                         abortSignal: options && options.abortSignal,
-                        spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
-                        tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext,
+                        tracingOptions: {
+                            spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
+                            tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext
+                        }
                     });
                     tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
                 }