@azure/identity 2.0.0-beta.2 → 2.0.0-beta.6

package/types/identity.d.ts

@@ -1,8 +1,8 @@
-import { AccessToken } from '@azure/core-http';
+import { AccessToken } from '@azure/core-auth';
 import { AzureLogger } from '@azure/logger';
-import { GetTokenOptions } from '@azure/core-http';
-import { PipelineOptions } from '@azure/core-http';
-import { TokenCredential } from '@azure/core-http';
+import { CommonClientOptions } from '@azure/core-client';
+import { GetTokenOptions } from '@azure/core-auth';
+import { TokenCredential } from '@azure/core-auth';
 export { AccessToken }
 
 /**
@@ -23,6 +23,38 @@ export declare class AggregateAuthenticationError extends Error {
  */
 export declare const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
 
+/**
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.  The following credential
+ * types will be tried, in order:
+ *
+ * - {@link EnvironmentCredential}
+ * - {@link ManagedIdentityCredential}
+
+ *
+ * Consult the documentation of these credential types for more information
+ * on how they attempt authentication.
+ */
+export declare class ApplicationCredential extends ChainedTokenCredential {
+    /**
+     * Creates an instance of the ApplicationCredential class.
+     *
+     * @param options - Optional parameters. See {@link ApplicationCredentialOptions}.
+     */
+    constructor(options?: ApplicationCredentialOptions);
+}
+
+/**
+ * Provides options to configure the {@link ApplicationCredential} class.
+ */
+export declare interface ApplicationCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+    /**
+     * Optionally pass in a user assigned client ID to be used by the {@link ManagedIdentityCredential}.
+     * This client ID can also be passed through to the {@link ManagedIdentityCredential} through the environment variable: AZURE_CLIENT_ID.
+     */
+    managedIdentityClientId?: string;
+}
+
 /**
  * Provides details about a failure to authenticate with Azure Active
  * Directory.  The `errorResponse` field contains more details about
@@ -74,7 +106,7 @@ export declare interface AuthenticationRecord {
 /**
  * Error used to enforce authentication after trying to retrieve a token silently.
  */
-export declare class AuthenticationRequiredError extends CredentialUnavailableError {
+export declare class AuthenticationRequiredError extends Error {
     /**
      * The list of scopes for which the token will have access.
      */
@@ -102,13 +134,10 @@ export declare class AuthenticationRequiredError extends CredentialUnavailableEr
  * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
  */
 export declare class AuthorizationCodeCredential implements TokenCredential {
-    private identityClient;
-    private tenantId;
-    private clientId;
-    private clientSecret;
+    private msalFlow;
+    private disableAutomaticAuthentication?;
     private authorizationCode;
     private redirectUri;
-    private lastTokenResponse;
     /**
      * Creates an instance of CodeFlowCredential with the details needed
      * to request an access token using an authentication that was obtained
@@ -118,7 +147,7 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      * the authorization code flow to obtain an authorization code to be used
      * with this credential.  A full example of this flow is provided here:
      *
-     * https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
+     * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
      *
      * @param tenantId - The Azure Active Directory tenant (directory) ID or name.
      *                 'common' may be used when dealing with multi-tenant scenarios.
@@ -141,7 +170,7 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      * the authorization code flow to obtain an authorization code to be used
      * with this credential.  A full example of this flow is provided here:
      *
-     * https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
+     * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
      *
      * @param tenantId - The Azure Active Directory tenant (directory) ID or name.
      *                 'common' may be used when dealing with multi-tenant scenarios.
@@ -155,10 +184,8 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      */
     constructor(tenantId: string | "common", clientId: string, authorizationCode: string, redirectUri: string, options?: TokenCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -198,20 +225,17 @@ export declare enum AzureAuthorityHosts {
  * in via the 'az' tool using the command "az login" from the commandline.
  */
 export declare class AzureCliCredential implements TokenCredential {
+    private tenantId?;
+    private allowMultiTenantAuthentication?;
     /**
-     * Gets the access token from Azure CLI
-     * @param resource - The resource to use when getting the token
+     * Creates an instance of the {@link AzureCliCredential}.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
      */
-    protected getAzureCliAccessToken(resource: string): Promise<{
-        stdout: string;
-        stderr: string;
-        error: Error | null;
-    }>;
+    constructor(options?: AzureCliCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -220,6 +244,61 @@ export declare class AzureCliCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
+/**
+ * Options for the {@link AzureCliCredential}
+ */
+export declare interface AzureCliCredentialOptions extends TokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+}
+
+/**
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
+ *
+ * To be able to use this credential:
+ * - Install the Azure Az PowerShell module with:
+ *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+ * - You have already logged in to Azure PowerShell using the command
+ * `Connect-AzAccount` from the command line.
+ */
+export declare class AzurePowerShellCredential implements TokenCredential {
+    private tenantId?;
+    private allowMultiTenantAuthentication?;
+    /**
+     * Creates an instance of the {@link AzurePowershellCredential}.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options?: AzurePowerShellCredentialOptions);
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    private getAzurePowerShellAccessToken;
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
+}
+
+/**
+ * Options for the {@link AzurePowerShellCredential}
+ */
+export declare interface AzurePowerShellCredentialOptions extends TokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+}
+
 /**
  * (Browser-only feature)
  * The "login style" to use in the authentication flow:
@@ -291,10 +370,8 @@ export declare class ClientCertificateCredential implements TokenCredential {
      */
     constructor(tenantId: string, clientId: string, certificatePath: string, options?: ClientCertificateCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -306,23 +383,18 @@ export declare class ClientCertificateCredential implements TokenCredential {
 /**
  * Optional parameters for the {@link ClientCertificateCredential} class.
  */
-export declare interface ClientCertificateCredentialOptions extends TokenCredentialOptions {
+export declare interface ClientCertificateCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
     /**
      * Option to include x5c header for SubjectName and Issuer name authorization.
      * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
      */
     sendCertificateChain?: boolean;
     /**
-     * To provide a persistence layer to store the credentials,
-     * we allow users to optionally specify {@link TokenCachePersistenceOptions} for their credential.
-     *
-     * This feature is not currently available on Node 8 or earlier versions of Node JS.
-     *
-     * This persistence layer uses DPAPI on Windows.
-     * On OSX (Darwin) it tries to use the system's Keychain, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.
-     * On Linux it tries to use the system's Keyring, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.
+     * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+     * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+     * If the property is not specified, the credential uses the global authority endpoint.
      */
-    tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
+    regionalAuthority?: string;
 }
 
 /**
@@ -347,10 +419,8 @@ export declare class ClientSecretCredential implements TokenCredential {
      */
     constructor(tenantId: string, clientId: string, clientSecret: string, options?: ClientSecretCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -362,16 +432,48 @@ export declare class ClientSecretCredential implements TokenCredential {
 /**
  * Optional parameters for the {@link ClientSecretCredential} class.
  */
-export declare interface ClientSecretCredentialOptions extends TokenCredentialOptions {
+export declare interface ClientSecretCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
     /**
-     * To provide a persistence layer to store the credentials,
-     * we allow users to optionally specify {@link TokenCachePersistenceOptions} for their credential.
+     * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+     * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+     * If the property is not specified, the credential uses the global authority endpoint.
+     */
+    regionalAuthority?: string;
+}
+
+/**
+ * Shared configuration options for credentials that support persistent token
+ * caching.
+ */
+export declare interface CredentialPersistenceOptions {
+    /**
+     * Options to provide to the persistence layer (if one is available) when
+     * storing credentials.
+     *
+     * You must first register a persistence provider plugin. See the
+     * `@azure/identity-cache-persistence` package on NPM.
+     *
+     * Example:
+     *
+     * ```javascript
+     * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+     * import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
      *
-     * This feature is not currently available on Node 8 or earlier versions of Node JS.
+     * useIdentityPlugin(cachePersistencePlugin);
      *
-     * This persistence layer uses DPAPI on Windows.
-     * On OSX (Darwin) it tries to use the system's Keychain, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.
-     * On Linux it tries to use the system's Keyring, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.
+     * async function main() {
+     *   const credential = new DeviceCodeCredential({
+     *     tokenCachePersistenceOptions: {
+     *       enabled: true
+     *     }
+     *   });
+     * }
+     *
+     * main().catch((error) => {
+     *   console.error("An error occured:", error);
+     *   process.exit(1);
+     * });
+     * ```
      */
     tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
 }
@@ -391,13 +493,15 @@ export declare class CredentialUnavailableError extends Error {
 export declare const CredentialUnavailableErrorName = "CredentialUnavailableError";
 
 /**
- * Provides a default {@link ChainedTokenCredential} configuration that should work for most applications that use the Azure SDK.
- * The following credential types will be tried, in order:
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.  The following credential
+ * types will be tried, in order:
  *
  * - {@link EnvironmentCredential}
  * - {@link ManagedIdentityCredential}
- * - {@link AzureCliCredential}
  * - {@link VisualStudioCodeCredential}
+ * - {@link AzureCliCredential}
+ * - {@link AzurePowerShellCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
@@ -406,6 +510,11 @@ export declare class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
      */
     constructor(options?: DefaultAzureCredentialOptions);
@@ -414,7 +523,7 @@ export declare class DefaultAzureCredential extends ChainedTokenCredential {
 /**
  * Provides options to configure the {@link DefaultAzureCredential} class.
  */
-export declare interface DefaultAzureCredentialOptions extends TokenCredentialOptions {
+export declare interface DefaultAzureCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
     /**
      * Optionally pass in a Tenant ID to be used as part of the credential.
      * By default it may use a generic tenant ID depending on the underlying credential.
@@ -463,10 +572,8 @@ export declare class DeviceCodeCredential implements TokenCredential {
      */
     constructor(options?: DeviceCodeCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -478,10 +585,8 @@ export declare class DeviceCodeCredential implements TokenCredential {
      */
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
@@ -493,9 +598,9 @@ export declare class DeviceCodeCredential implements TokenCredential {
 }
 
 /**
- * Defines options for the InteractiveBrowserCredential class for NodeJS.
+ * Defines options for the InteractiveBrowserCredential class for Node.js.
  */
-export declare interface DeviceCodeCredentialOptions extends InteractiveCredentialOptions {
+export declare interface DeviceCodeCredentialOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {
     /**
      * The Azure Active Directory tenant (directory) ID.
      */
@@ -545,9 +650,17 @@ export declare type DeviceCodePromptCallback = (deviceCodeInfo: DeviceCodeInfo)
  * Enables authentication to Azure Active Directory using client secret
  * details configured in the following environment variables:
  *
- * - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
- * - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
- * - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
+ * Required environment variables:
+ * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+ * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+ *
+ * Environment variables used for client credential authentication:
+ * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+ * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+ *
+ * Alternatively, users can provide environment variables for username and password authentication:
+ * - `AZURE_USERNAME`: Username to authenticate with.
+ * - `AZURE_PASSWORD`: Password to authenticate with.
  *
  * This credential ultimately uses a {@link ClientSecretCredential} to
  * perform the authentication using these details.  Please consult the
@@ -556,14 +669,26 @@ export declare type DeviceCodePromptCallback = (deviceCodeInfo: DeviceCodeInfo)
 export declare class EnvironmentCredential implements TokenCredential {
     private _credential?;
     /**
-     * Creates an instance of the EnvironmentCredential class and reads
-     * client secret details from environment variables.  If the expected
-     * environment variables are not found at this time, the getToken method
-     * will return null when invoked.
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
      *
      * @param options - Options for configuring the client which makes the authentication request.
      */
-    constructor(options?: TokenCredentialOptions);
+    constructor(options?: EnvironmentCredentialOptions);
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
      *
@@ -573,6 +698,13 @@ export declare class EnvironmentCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
+/**
+ * Enables authentication to Azure Active Directory depending on the available environment variables.
+ * Defines options for the EnvironmentCredential class.
+ */
+export declare interface EnvironmentCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+}
+
 /**
  * See the official documentation for more details:
  *
@@ -614,16 +746,22 @@ export declare interface ErrorResponse {
 export declare function getDefaultAzureCredential(): TokenCredential;
 export { GetTokenOptions }
 
+/**
+ * The type of an Azure Identity plugin, a function accepting a plugin
+ * context.
+ */
+export declare type IdentityPlugin = (context: unknown) => void;
+
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
  *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On NodeJS, it will open a browser window while it listens for a redirect response from the authentication service.
+ * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+ * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
  * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
  *
- * It's recommended that the AAD Applications used are configured to authenticate using Single Page Applications.
- * More information here: [link](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-app-registration#redirect-uri-msaljs-20-with-auth-code-flow).
+ * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+ * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 export declare class InteractiveBrowserCredential implements TokenCredential {
     private msalFlow;
@@ -635,10 +773,8 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
      */
     constructor(options?: InteractiveBrowserCredentialOptions | InteractiveBrowserCredentialBrowserOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -650,13 +786,14 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
      */
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
+     * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+     * PKCE is a security feature that mitigates authentication code interception attacks.
+     *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
      *                  TokenCredential implementation might make.
@@ -667,7 +804,7 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
 /**
  * Defines the common options for the InteractiveBrowserCredential class.
  */
-export declare type InteractiveBrowserCredentialBrowserOptions = TokenCredentialOptions & InteractiveCredentialOptions & {
+export declare interface InteractiveBrowserCredentialBrowserOptions extends InteractiveCredentialOptions {
     /**
      * Gets the redirect URI of the application. This should be same as the value
      * in the application registration portal.  Defaults to `window.location.href`.
@@ -689,12 +826,17 @@ export declare type InteractiveBrowserCredentialBrowserOptions = TokenCredential
      *
      */
     loginStyle?: BrowserLoginStyle;
-};
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
 
 /**
  * Defines the common options for the InteractiveBrowserCredential class.
  */
-export declare type InteractiveBrowserCredentialOptions = TokenCredentialOptions & InteractiveCredentialOptions & {
+export declare interface InteractiveBrowserCredentialOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {
     /**
      * Gets the redirect URI of the application. This should be same as the value
      * in the application registration portal.  Defaults to `window.location.href`.
@@ -708,7 +850,12 @@ export declare type InteractiveBrowserCredentialOptions = TokenCredentialOptions
      * The client (application) ID of an App Registration in the tenant.
      */
     clientId?: string;
-};
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
 
 /**
  * Common constructor options for the Identity credentials that requires user interaction.
@@ -730,17 +877,6 @@ export declare interface InteractiveCredentialOptions extends TokenCredentialOpt
      * Developers will need to call to `authenticate()` to control when to manually authenticate.
      */
     disableAutomaticAuthentication?: boolean;
-    /**
-     * To provide a persistence layer to store the credentials,
-     * we allow users to optionally specify {@link TokenCachePersistenceOptions} for their credential.
-     *
-     * This feature is not currently available on Node 8 or earlier versions of Node JS.
-     *
-     * This persistence layer uses DPAPI on Windows.
-     * On OSX (Darwin) it tries to use the system's Keychain, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.
-     * On Linux it tries to use the system's Keyring, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.
-     */
-    tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
 }
 
 /**
@@ -763,9 +899,9 @@ export declare class ManagedIdentityCredential implements TokenCredential {
     private isEndpointUnavailable;
     /**
      * Creates an instance of ManagedIdentityCredential with the client ID of a
-     * user-assigned identity.
+     * user-assigned identity, or app registration (when working with AKS pod-identity).
      *
-     * @param clientId - The client ID of the user-assigned identity.
+     * @param clientId - The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).
      * @param options - Options for configuring the client which makes the access token request.
      */
     constructor(clientId: string, options?: TokenCredentialOptions);
@@ -779,10 +915,9 @@ export declare class ManagedIdentityCredential implements TokenCredential {
     private cachedAvailableMSI;
     private authenticateManagedIdentity;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -791,6 +926,213 @@ export declare class ManagedIdentityCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
+/**
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ */
+export declare class OnBehalfOfCredential implements TokenCredential {
+    private configuration;
+    private options;
+    private msalFlow;
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param configuration - Configuration specific to this credential.
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(configuration: OnBehalfOfCredentialSecretConfiguration | OnBehalfOfCredentialCertificateConfiguration, options?: OnBehalfOfCredentialOptions);
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+
+/**
+ * Defines the configuration parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.
+ */
+export declare interface OnBehalfOfCredentialCertificateConfiguration {
+    /**
+     * The Azure Active Directory tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * The path to a PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificatePath: string;
+    /**
+     * Option to include x5c header for SubjectName and Issuer name authorization.
+     * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
+     */
+    sendCertificateChain?: boolean;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+}
+
+/**
+ * Optional parameters for the {@link OnBehalfOfCredential} class.
+ */
+export declare interface OnBehalfOfCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+}
+
+/**
+ * Defines the configuration parameters to authenticate the {@link OnBehalfOfCredential} with a secret.
+ */
+export declare interface OnBehalfOfCredentialSecretConfiguration {
+    /**
+     * The Azure Active Directory tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * A client secret that was generated for the App Registration.
+     */
+    clientSecret: string;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+}
+
+/**
+ * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ */
+export declare enum RegionalAuthority {
+    /** Instructs MSAL to attempt to discover the region */
+    AutoDiscoverRegion = "AutoDiscoverRegion",
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
+    USWest = "westus",
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
+    USWest2 = "westus2",
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
+    USCentral = "centralus",
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
+    USEast = "eastus",
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
+    USEast2 = "eastus2",
+    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
+    USNorthCentral = "northcentralus",
+    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
+    USSouthCentral = "southcentralus",
+    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
+    USWestCentral = "westcentralus",
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
+    CanadaCentral = "canadacentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
+    CanadaEast = "canadaeast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
+    BrazilSouth = "brazilsouth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
+    EuropeNorth = "northeurope",
+    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
+    EuropeWest = "westeurope",
+    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
+    UKSouth = "uksouth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
+    UKWest = "ukwest",
+    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
+    FranceCentral = "francecentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
+    FranceSouth = "francesouth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
+    SwitzerlandNorth = "switzerlandnorth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
+    SwitzerlandWest = "switzerlandwest",
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
+    GermanyNorth = "germanynorth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
+    GermanyWestCentral = "germanywestcentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
+    NorwayWest = "norwaywest",
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
+    NorwayEast = "norwayeast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
+    AsiaEast = "eastasia",
+    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
+    AsiaSouthEast = "southeastasia",
+    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
+    JapanEast = "japaneast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
+    JapanWest = "japanwest",
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
+    AustraliaEast = "australiaeast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
+    AustraliaSouthEast = "australiasoutheast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
+    AustraliaCentral = "australiacentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
+    AustraliaCentral2 = "australiacentral2",
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
+    IndiaCentral = "centralindia",
+    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
+    IndiaSouth = "southindia",
+    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
+    IndiaWest = "westindia",
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
+    KoreaSouth = "koreasouth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
+    KoreaCentral = "koreacentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
+    UAECentral = "uaecentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
+    UAENorth = "uaenorth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
+    SouthAfricaNorth = "southafricanorth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
+    SouthAfricaWest = "southafricawest",
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
+    ChinaNorth = "chinanorth",
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
+    ChinaEast = "chinaeast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
+    ChinaNorth2 = "chinanorth2",
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
+    ChinaEast2 = "chinaeast2",
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
+    GermanyCentral = "germanycentral",
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
+    GermanyNorthEast = "germanynortheast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
+    GovernmentUSVirginia = "usgovvirginia",
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
+    GovernmentUSIowa = "usgoviowa",
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
+    GovernmentUSArizona = "usgovarizona",
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
+    GovernmentUSTexas = "usgovtexas",
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
+    GovernmentUSDodEast = "usdodeast",
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
+    GovernmentUSDodCentral = "usdodcentral"
+}
+
 /**
  * Serializes an `AuthenticationRecord` into a string.
  *
@@ -811,13 +1153,16 @@ export declare function serializeAuthenticationRecord(record: AuthenticationReco
  * Parameters that enable token cache persistence in the Identity credentials.
  */
 export declare interface TokenCachePersistenceOptions {
+    /**
+     * If set to true, persistent token caching will be enabled for this credential instance.
+     */
+    enabled: boolean;
     /**
      * Unique identifier for the persistent token cache.
      *
      * Based on this identifier, the persistence file will be located in any of the following places:
      * - Darwin: '/Users/user/.IdentityService/<name>'
-     * - Windows 8: 'C:\Users\user\AppData\Local\.IdentityService\<name>'
-     * - Windows XP: 'C:\Documents and Settings\user\Application Data\Local\.IdentityService\<name>'
+     * - Windows 8+: 'C:\\Users\\user\\AppData\\Local\\.IdentityService\\<name>'
      * - Linux: '/home/user/.IdentityService/<name>'
      */
     name?: string;
@@ -825,7 +1170,7 @@ export declare interface TokenCachePersistenceOptions {
      * If set to true, the cache will be stored without encryption if no OS level user encryption is available.
      * When set to false, the PersistentTokenCache will throw an error if no OS level user encryption is available.
      */
-    allowUnencryptedStorage?: boolean;
+    unsafeAllowUnencryptedStorage?: boolean;
 }
 export { TokenCredential }
 
@@ -833,14 +1178,48 @@ export { TokenCredential }
  * Provides options to configure how the Identity library makes authentication
  * requests to Azure Active Directory.
  */
-export declare interface TokenCredentialOptions extends PipelineOptions {
+export declare interface TokenCredentialOptions extends CommonClientOptions {
     /**
      * The authority host to use for authentication requests.
+     * Possible values are available through {@link AzureAuthorityHosts}.
      * The default is "https://login.microsoftonline.com".
      */
     authorityHost?: string;
+    /**
+     * If set to true, allows authentication flows to change the tenantId of the request if a different tenantId is received from a challenge or through a direct getToken call.
+     */
+    allowMultiTenantAuthentication?: boolean;
 }
 
+/**
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
+ *
+ * - `@azure/identity-cache-persistence`: provides persistent token caching
+ * - `@azure/identity-vscode`: provides the dependencies of
+ *   `VisualStudioCodeCredential` and enables it
+ *
+ * Example:
+ *
+ * ```javascript
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+ *
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
+ *
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
+ * // add middleware to the underlying credentials, such as persistence.
+ * const credential = new DefaultAzureCredential({
+ *   tokenCachePersistenceOptions: {
+ *     enabled: true
+ *   }
+ * });
+ * ```
+ *
+ * @param plugin - the plugin to register
+ */
+export declare function useIdentityPlugin(plugin: IdentityPlugin): void;
+
 /**
  * Enables authentication to Azure Active Directory with a user's
  * username and password. This credential requires a high degree of
@@ -849,7 +1228,6 @@ export declare interface TokenCredentialOptions extends PipelineOptions {
  */
 export declare class UsernamePasswordCredential implements TokenCredential {
     private msalFlow;
-    private disableAutomaticAuthentication?;
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
      * needed to authenticate against Azure Active Directory with a username
@@ -863,10 +1241,8 @@ export declare class UsernamePasswordCredential implements TokenCredential {
      */
     constructor(tenantId: string, clientId: string, username: string, password: string, options?: UsernamePasswordCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -877,25 +1253,12 @@ export declare class UsernamePasswordCredential implements TokenCredential {
      *                TokenCredential implementation might make.
      */
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                  TokenCredential implementation might make.
-     */
-    authenticate(scopes: string | string[], options?: GetTokenOptions): Promise<AuthenticationRecord | undefined>;
 }
 
 /**
  * Defines options for the {@link UsernamePasswordCredential} class.
  */
-export declare interface UsernamePasswordCredentialOptions extends InteractiveCredentialOptions {
+export declare interface UsernamePasswordCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
 }
 
 /**
@@ -907,9 +1270,15 @@ export declare class VisualStudioCodeCredential implements TokenCredential {
     private identityClient;
     private tenantId;
     private cloudName;
+    private allowMultiTenantAuthentication?;
     /**
      * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(options?: VisualStudioCodeCredentialOptions);
@@ -933,7 +1302,7 @@ export declare class VisualStudioCodeCredential implements TokenCredential {
      * @param options - The options used to configure any requests this
      *                `TokenCredential` implementation might make.
      */
-    getToken(scopes: string | string[], _options?: GetTokenOptions): Promise<AccessToken>;
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
 /**