@azure/identity 2.0.0-alpha.20210930.2 → 2.0.0-alpha.20211007.2

package/CHANGELOG.md

@@ -1,20 +1,122 @@
 # Release History
 
-## 2.0.0-beta.7 (Unreleased)
+## 2.0.0 (2021-10-12)
+
+After multiple beta releases over the past year, we're proud to announce the general availability of version 2 of the `@azure/identity` package. This version includes the best parts of v1, plus several improvements.
+
+This changelog entry showcases the changes that have been made from version 1 of this package. See the [v1-to-v2 migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md) for details on how to upgrade your application to use the version 2 of `@azure/identity`.
 
 ### Features Added
 
-### Breaking Changes
+#### Plugin API
+
+Identity v2 provides a top-level `useIdentityPlugin` function, which allows using two new plugin packages:
+
+- [@azure/identity-vscode](https://www.npmjs.com/package/@azure/identity-vscode), which provides the dependencies of `VisualStudioCodeCredential` and enables it.
+  - If the `@azure/identity-vscode` plugin isn't used through the `useIdentityPlugin` function, the `VisualStudioCodeCredential` exposed by Identity v2 will throw a `CredentialUnavailableError`.
+- [@azure/identity-cache-persistence](https://www.npmjs.com/package/@azure/identity-cache-persistence), which provides persistent token caching.
+
+Most credentials on Identity v2 now support the persistent token caching feature. Such credentials include the property [tokenCachePersistenceOptions](https://docs.microsoft.com/javascript/api/@azure/identity/tokencachepersistenceoptions) in the constructor options which can be used to enable this feature.
+
+The following example showcases how to enable persistence caching by first enabling the `@azure/identity-cache-persistence` plugin with `useIdentityPlugin(cachePersistencePlugin)`, and then passing the `tokenCachePersistenceOptions` through the constructor of the `DeviceCodeCredential`:
+
+```ts
+import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
+
+useIdentityPlugin(cachePersistencePlugin);
+
+async function main() {
+  const credential = new DeviceCodeCredential({
+    tokenCachePersistenceOptions: {
+      enabled: true
+    }
+  });
+}
+```
+
+#### New credentials
+
+Identity v2 includes three new credential types:
+
+- `AzurePowerShellCredential`, which re-uses any account previously authenticated with the `Az.Account` PowerShell module.
+- `ApplicationCredential`, which is a simplified `DefaultAzureCredential` that only includes `EnvironmentCredential` and `ManagedIdentityCredential`.
+- `OnBehalfOfCredential`, which enables the [On-Behalf-Of authentication flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+
+#### New features in all credentials
+
+Identity v2 enables:
+
+- Support for claims challenges resulting from [Continuous Access Enforcement (CAE)](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) and [Conditional Access authentication context](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775).
+  - By default, credentials of Identity v2 will produce tokens that can be used to trigger the challenge authentication flows. After these tokens expire, the next HTTP requests to Azure will fail, but the response will contain information to re-authenticate.
+  - To disable this behavior, set the environment variable `AZURE_IDENTITY_DISABLE_CP1` to any value. For more about claims challenges, see [Claims challenges, claims requests, and client capabilities](https://docs.microsoft.com/azure/active-directory/develop/claims-challenge).
+- Support for multi-tenant authentication on all credentials except `ManagedIdentityCredential`.
+  - At the moment, applications needing multi-tenancy support will need to call to the credentials' `getToken` directly, sending the new `tenantId` property.
+  - A sample with more context will be provided in a future date.
+  - To disable it, set the environment variable `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH`. For more about multitenancy, see [Identity management in multitenant apps](https://docs.microsoft.com/azure/architecture/multitenant-identity/).
+
+#### New features in InteractiveBrowserCredential and DeviceCodeCredential
+
+You can now control when the credential requests user input with the new `disableAutomaticAuthentication` option added to the options you pass to the credential constructors.
+
+- When enabled, this option stops the `getToken()` method from requesting user input in case the credential is unable to authenticate silently.
+- If `getToken()` fails to authenticate without user interaction, and `disableAutomaticAuthentication` has been set to true, a new error will be thrown: `AuthenticationRequired`. You may use this error to identify scenarios when manual authentication needs to be triggered (with `authenticate()`, as described in the next point).
+
+A new method `authenticate()` is added to these credentials which is similar to `getToken()`, but it does not read the `disableAutomaticAuthentication` option described above.
+
+- Use this to get an `AuthenticationRecord` which you can then use to create new credentials that will re-use the token information.
+- The `AuthenticationRecord` object has a `serialize()` method that allows an authenticated account to be stored as a string and re-used in another credential at any time. Use the new helper function `deserializeAuthenticationRecord` to de-serialize this string.
+- `authenticate()` might succeed and still return `undefined` if we're unable to pick just one account record from the cache. This might happen if the cache is being used by more than one credential, or if multiple users have authenticated using the same Client ID and Tenant ID. To ensure consistency on a program with many users, please keep track of the `AuthenticationRecord` and provide them in the constructors of the credentials on initialization.
+
+Learn more via the below samples
+- [Samples around controlling user interaction](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#control-user-interaction).
+- [Samples around persisting user authentication data](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#persist-user-authentication-data).
+
+#### New features in ManagedIdentityCredential
+
+In Identity v2, the `ManagedIdentityCredential` retries with exponential back-off when a request for a token fails with a 404 status code. This change only applies to environments with available IMDS endpoints.
+
+Azure Service Fabric support hasn't been added on the initial version 2 of Identity. Subscribe to [issue #12420](https://github.com/Azure/azure-sdk-for-js/issues/12420) for updates on this feature.
+
+#### Other features
+
+- The Node.js version of `InteractiveBrowserCredential` has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+- `InteractiveBrowserCredential` has a new `loginHint` constructor option, which allows a username to be pre-selected for interactive logins.
+- In `AzureCliCredential`, we allow specifying a `tenantId` in the parameters through the `AzureCliCredentialOptions`.
+- A new error, named `AuthenticationRequiredError`, has been added. This error shows up when a credential fails to authenticate silently.
+- Errors and logged exceptions may point to the new [troubleshooting guidelines](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/Troubleshooting.md).
+- On all of the credentials we're providing, the initial authentication attempt in the lifetime of your app will include an additional request to first discover relevant endpoint metadata information from Azure.
+
+### Breaking changes
+
+#### Breaking changes from v1
+
+- For `ClientCertificateCredential` specifically, the validity of the PEM certificate is evaluated on `getToken` and not on the constructor.
+- We have also renamed the error `CredentialUnavailable` to `CredentialUnavailableError`, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
+- In v1 of Identity some `getToken` calls could resolve with `null` in the case the authentication request succeeded with a malformed output. In v2, issues with the `getToken` method will always throw errors.
+- Breaking changes to InteractiveBrowserCredential
+  - The `InteractiveBrowserCredential` will use the [Auth Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) with [PKCE](https://tools.ietf.org/html/rfc7636) rather than [Implicit Grant Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to better support browsers with enhanced security restrictions. Learn how to migrate in the [migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md). Read more about the latest `InteractiveBrowserCredential` [here](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/interactive-browser-credential.md).
+  - The default client ID used for `InteractiveBrowserCredential` was viable only in Node.js and not for the browser. Therefore, on v2 client ID is a required parameter when using this credential in browser apps.
+  - Identity v2 also removes the `postLogoutRedirectUri` from the options to the constructor for `InteractiveBrowserCredential`. This option wasn't being used. Instead of using this option, use MSAL directly. For more information, see [Authenticating with the @azure/msal-browser Public Client](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-the-azuremsal-browser-public-client).
+  - In Identity v2, `VisualStudioCodeCredential` throws a `CredentialUnavailableError` unless the new [@azure/identity-vscode](https://www.npmjs.com/package/@azure/identity-vscode) plugin is used.
 
 #### Breaking Changes from 2.0.0-beta.4
 
 - Removed the `allowMultiTenantAuthentication` option from all of the credentials. Multi-tenant authentication is now enabled by default. On Node.js, it can be disabled with the `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH` environment variable.
-
+- Removed support for specific Azure regions on `ClientSecretCredential` and `ClientCertificateCredential. This feature will be added back on the next beta.
 
 ### Bugs Fixed
 
+- `ClientSecretCredential`, `ClientCertificateCredential`, and `UsernamePasswordCredential` throw if the required parameters aren't provided (even in JavaScript).
+- Fixed a bug that caused `AzureCliCredential` to fail when a custom tenant ID was provided.
+- Caught up with the bug fixes for Azure POD Identity that were implemented on version 1.5.1.
+
 ### Other Changes
 
+Identity v2 no longer includes native dependencies (neither ordinary, peer, nor optional dependencies). Previous distributions of `@azure/identity` included an optional dependency on `keytar`, which caused issues for some users in restrictive environments.
+
+Identity v2 for JavaScript now also depends on the latest available versions of `@azure/msal-common`, `@azure/msal-node`, and `@azure/msal-browser`. Our goal is to always be up-to-date with the MSAL versions.
+
 ## 2.0.0-beta.6 (2021-09-09)
 
 ### Features Added
@@ -172,7 +274,7 @@ This update marks the preview for the first major version update of the `@azure/
     - This feature uses DPAPI on Windows, it tries to use the Keychain on OSX and the Keyring on Linux.
     - To learn more on the usage, please refer to our docs on the `TokenCachePersistenceOptions` interface.
     - **IMPORTANT:** As part of this beta, this feature is only supported in Node 10, 12 and 14.
-- Changes to `InteractiveBrowserCredential`, `DeviceCodeCredential`, and `UsernamePasswordCredential`:
+- Changes to `InteractiveBrowserCredential` and `DeviceCodeCredential`:
   - You can now control when the credential requests user input with the new `disableAutomaticAuthentication` option added to the options you pass to the credential constructors.
     - When enabled, this option stops the `getToken()` method from requesting user input in case the credential is unable to authenticate silently.
     - If `getToken()` fails to authenticate without user interaction, and `disableAutomaticAuthentication` has been set to true, a new error will be thrown: `AuthenticationRequired`. You may use this error to identify scenarios when manual authentication needs to be triggered (with `authenticate()`, as described in the next point).

package/README.md

@@ -14,6 +14,10 @@ Key links:
 
 ## Getting started
 
+### Migrate from v1 to v2 of @azure/identity
+
+If you're using v1 of `@azure/identity`, see the [migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md) to update to v2.
+
 ### Currently supported environments
 
 - [LTS versions of Node.js](https://nodejs.org/about/releases/)

package/dist/index.js

@@ -18,6 +18,7 @@ var fs__default = _interopDefault(fs);
 var os = _interopDefault(require('os'));
 var path = _interopDefault(require('path'));
 var child_process = require('child_process');
+var child_process__default = _interopDefault(child_process);
 var crypto = require('crypto');
 var util = require('util');
 var http = _interopDefault(require('http'));
@@ -315,7 +316,7 @@ function getIdentityClientAuthorityHost(options) {
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
         var _a;
-        const packageDetails = `azsdk-js-identity/2.0.0-beta.7`;
+        const packageDetails = `azsdk-js-identity/2.0.0`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -738,6 +739,40 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @internal
+ */
+const multiTenantDisabledErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication has been disabled by the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH.";
+/**
+ * @internal
+ */
+const multiTenantADFSErrorMessage = "A new tenant Id can't be assigned through the GetTokenOptions when a credential has been originally configured to use the tenant `adfs`.";
+/**
+ * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
+ * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
+ * or unless the original tenant Id is `adfs`.
+ * @internal
+ */
+function processMultiTenantRequest(tenantId, getTokenOptions) {
+    if (!(getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
+        return tenantId;
+    }
+    if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
+        throw new Error(multiTenantDisabledErrorMessage);
+    }
+    if (tenantId === "adfs") {
+        throw new Error(multiTenantADFSErrorMessage);
+    }
+    return getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ */
+var RegionalAuthority;
 (function (RegionalAuthority) {
     /** Instructs MSAL to attempt to discover the region */
     RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
@@ -845,36 +880,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
     RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
     /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
     RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
-})(exports.RegionalAuthority || (exports.RegionalAuthority = {}));
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * @internal
- */
-const multiTenantDisabledErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication has been disabled by the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH.";
-/**
- * @internal
- */
-const multiTenantADFSErrorMessage = "A new tenant Id can't be assigned through the GetTokenOptions when a credential has been originally configured to use the tenant `adfs`.";
-/**
- * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
- * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
- * or unless the original tenant Id is `adfs`.
- * @internal
- */
-function processMultiTenantRequest(tenantId, getTokenOptions) {
-    if (!(getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
-        return tenantId;
-    }
-    if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
-        throw new Error(multiTenantDisabledErrorMessage);
-    }
-    if (tenantId === "adfs") {
-        throw new Error(multiTenantADFSErrorMessage);
-    }
-    return getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId;
-}
+})(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
 /**
@@ -921,7 +927,7 @@ class MsalNode extends MsalBaseUtilities {
             ].join(" "));
         }
         this.azureRegion = (_c = options.regionalAuthority) !== null && _c !== void 0 ? _c : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
-        if (this.azureRegion === exports.RegionalAuthority.AutoDiscoverRegion) {
+        if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
             this.azureRegion = "AUTO_DISCOVER";
         }
     }
@@ -1141,7 +1147,7 @@ function getPropertyFromVSCode(property) {
     }
 }
 /**
- * Connect to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
  * Once the user has logged in via the extension, this credential can share the same refresh token
  * that is cached by the extension.
  */
@@ -1428,14 +1434,14 @@ const cliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("az", [
+                child_process__default.execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
                     "json",
                     "--resource",
-                    ...tenantSection,
-                    resource
+                    resource,
+                    ...tenantSection
                 ], { cwd: cliCredentialInternals.getSafeWorkingDir() }, (error, stdout, stderr) => {
                     resolve({ stdout: stdout, stderr: stderr, error });
                 });
@@ -1452,13 +1458,14 @@ const logger$3 = credentialLogger("AzureCliCredential");
  * via the Azure CLI ('az') commandline tool.
  * To do so, it will read the user access token and expire time
  * with Azure CLI command "az account get-access-token".
- * To be able to use this credential, ensure that you have already logged
- * in via the 'az' tool using the command "az login" from the commandline.
  */
 class AzureCliCredential {
     /**
      * Creates an instance of the {@link AzureCliCredential}.
      *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
@@ -1618,17 +1625,17 @@ if (isWindows) {
  * This credential will use the currently logged-in user information from the
  * Azure PowerShell module. To do so, it will read the user access token and
  * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
- *
- * To be able to use this credential:
- * - Install the Azure Az PowerShell module with:
- *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
- * - You have already logged in to Azure PowerShell using the command
- * `Connect-AzAccount` from the command line.
  */
 class AzurePowerShellCredential {
     /**
      * Creates an instance of the {@link AzurePowershellCredential}.
      *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
@@ -1957,8 +1964,6 @@ const logger$7 = credentialLogger("UsernamePasswordCredential");
  * trust so you should only use it when other, more secure credential
  * types can't be used.
  */
-// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),
-// to reduce the number of times we send the password over the network.
 class UsernamePasswordCredential {
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
@@ -2020,23 +2025,7 @@ const AllSupportedEnvironmentVariables = [
 const logger$8 = credentialLogger("EnvironmentCredential");
 /**
  * Enables authentication to Azure Active Directory using client secret
- * details configured in the following environment variables:
- *
- * Required environment variables:
- * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
- * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
- *
- * Environment variables used for client credential authentication:
- * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
- * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
- *
- * Alternatively, users can provide environment variables for username and password authentication:
- * - `AZURE_USERNAME`: Username to authenticate with.
- * - `AZURE_PASSWORD`: Password to authenticate with.
- *
- * This credential ultimately uses a {@link ClientSecretCredential} to
- * perform the authentication using these details.  Please consult the
- * documentation of that class for more details.
+ * details configured in environment variables
  */
 class EnvironmentCredential {
     /**
@@ -2273,7 +2262,7 @@ function expiresInParser$2(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger$b.info(`${msiName$2}: IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger$b.info(`${msiName$2}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
@@ -2283,29 +2272,41 @@ function expiresInParser$2(requestBody) {
         return expires;
     }
 }
-function prepareRequestOptions$2(scopes, clientId) {
+function prepareRequestOptions$2(scopes, clientId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
     }
-    const queryParameters = {
-        resource,
-        "api-version": imdsApiVersion
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
     }
-    const params = new URLSearchParams(queryParameters);
-    const query = params.toString();
     const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true"
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
+    }
     return {
-        url: `${url}?${query}`,
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
         method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true"
-        })
+        headers: coreRestPipeline.createHttpHeaders(rawHeaders)
     };
 }
 // 800ms -> 1600ms -> 3200ms
@@ -2327,13 +2328,10 @@ const imdsMsi = {
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
         }
-        const requestOptions = prepareRequestOptions$2(resource, clientId);
-        // This will always be populated, but let's make TypeScript happy
-        if (requestOptions.headers) {
-            // Remove the Metadata header to invoke a request error from
-            // IMDS endpoint
-            requestOptions.headers.delete("Metadata");
-        }
+        const requestOptions = prepareRequestOptions$2(resource, clientId, {
+            skipMetadataHeader: true,
+            skipQuery: true
+        });
         requestOptions.tracingOptions = options.tracingOptions;
         try {
             // Create a request with a timeout since we expect that
@@ -2753,22 +2751,26 @@ const defaultCredentials = [
 ];
 /**
  * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
- * - {@link VisualStudioCodeCredential}
- * - {@link AzureCliCredential}
- * - {@link AzurePowerShellCredential}
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
+ * work for most applications that use the Azure SDK.
  */
 class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * This credential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications that use the Azure SDK.
+     *
+     * The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     * - {@link VisualStudioCodeCredential}
+     * - {@link AzureCliCredential}
+     * - {@link AzurePowerShellCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
      * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
      * `@azure/identity-vscode`. If this package is not installed and registered
      * using the plugin API (`useIdentityPlugin`), then authentication using
@@ -2931,18 +2933,18 @@ const logger$f = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
- *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
- * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
- *
- * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
- * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 class InteractiveBrowserCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
+     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options = {}) {
@@ -3044,6 +3046,20 @@ class DeviceCodeCredential {
      * Creates an instance of DeviceCodeCredential with the details needed
      * to initiate the device code authorization flow with Azure Active Directory.
      *
+     * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
+     *
+     * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
+     *
+     * ```js
+     * const credential = new DeviceCodeCredential({
+     *   tenantId: env.AZURE_TENANT_ID,
+     *   clientId: env.AZURE_CLIENT_ID,
+     *   userPromptCallback: (info) => {
+     *     console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
+     *   }
+     * });
+     * ```
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
@@ -3096,7 +3112,7 @@ class DeviceCodeCredential {
 class MsalAuthorizationCode extends MsalNode {
     constructor(options) {
         super(options);
-        this.logger = credentialLogger("NodeJS MSAL Authorization Code");
+        this.logger = credentialLogger("Node.js MSAL Authorization Code");
         this.redirectUri = options.redirectUri;
         this.authorizationCode = options.authorizationCode;
         if (options.clientSecret) {
@@ -3181,20 +3197,22 @@ const ApplicationCredentials = [
 ];
 /**
  * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
-
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
+ * work for most applications that use the Azure SDK.
  */
 class ApplicationCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the ApplicationCredential class.
      *
+     * The ApplicationCredential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications that use the Azure SDK.  The following credential
+     * types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
      * @param options - Optional parameters. See {@link ApplicationCredentialOptions}.
      */
     constructor(options) {