@azure/identity 2.0.0-beta.2 → 2.0.0-beta.6

package/dist/index.js

@@ -4,26 +4,64 @@ Object.defineProperty(exports, '__esModule', { value: true });
 
 function _interopDefault (ex) { return (ex && (typeof ex === 'object') && 'default' in ex) ? ex['default'] : ex; }
 
-var tslib = require('tslib');
-var coreTracing = require('@azure/core-tracing');
-var logger$g = require('@azure/logger');
 var msalNode = require('@azure/msal-node');
-var qs = _interopDefault(require('qs'));
-var coreHttp = require('@azure/core-http');
+var coreClient = require('@azure/core-client');
+var coreTracing = require('@azure/core-tracing');
+var coreUtil = require('@azure/core-util');
+var coreRestPipeline = require('@azure/core-rest-pipeline');
 var abortController = require('@azure/abort-controller');
-var path = require('path');
-var path__default = _interopDefault(path);
+var logger$j = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
 var uuid = require('uuid');
 var fs = require('fs');
 var fs__default = _interopDefault(fs);
-var crypto = require('crypto');
-var child_process = require('child_process');
 var os = _interopDefault(require('os'));
+var path = _interopDefault(require('path'));
+var child_process = require('child_process');
+var crypto = require('crypto');
+var util = require('util');
 var http = _interopDefault(require('http'));
 var open = _interopDefault(require('open'));
 var stoppable = _interopDefault(require('stoppable'));
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * The default client ID for authentication
+ * @internal
+ */
+// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
+// Developer Sign On application is available
+// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
+const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+/**
+ * The default tenant for authentication
+ * @internal
+ */
+const DefaultTenantId = "common";
+(function (AzureAuthorityHosts) {
+    /**
+     * China-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
+    /**
+     * Germany-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
+    /**
+     * US Government Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
+    /**
+     * Public Cloud Azure Authority Host
+     */
+    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
+})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+/**
+ * The default authority host.
+ */
+const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 function isErrorResponse(errorResponse) {
@@ -111,7 +149,7 @@ const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
 class AggregateAuthenticationError extends Error {
     constructor(errors, errorMessage) {
         const errorDetail = errors.join("\n");
-        super(`${errorMessage}\n\n${errorDetail}`);
+        super(`${errorMessage}\n${errorDetail}`);
         this.errors = errors;
         // Ensure that this type reports the correct name
         this.name = AggregateAuthenticationErrorName;
@@ -128,6 +166,17 @@ function convertOAuthErrorResponseToErrorResponse(errorBody) {
     };
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+function getIdentityTokenEndpointSuffix(tenantId) {
+    if (tenantId === "adfs") {
+        return "oauth2/token";
+    }
+    else {
+        return "oauth2/v2.0/token";
+    }
+}
+
 // Copyright (c) Microsoft Corporation.
 /**
  * Creates a span using the global tracer.
@@ -142,42 +191,40 @@ const createSpan = coreTracing.createSpanFunction({
  * Traces an operation and properly handles reporting start, end and errors for a given span
  *
  * @param operationName - Name of a method in the TClient type
- * @param options - An options class, typically derived from \@azure/core-http/RequestOptionsBase
+ * @param options - An options class, typically derived from \@azure/core-rest-pipeline/RequestOptionsBase
  * @param fn - The function to call with an options class that properly propagates the span context
  *
  * @internal
  */
-function trace(operationName, options, fn, createSpanFn = createSpan) {
-    return tslib.__awaiter(this, void 0, void 0, function* () {
-        const { updatedOptions, span } = createSpanFn(operationName, options);
-        try {
-            // NOTE: we really do need to await on this function here so we can handle any exceptions thrown and properly
-            // close the span.
-            const result = yield fn(updatedOptions, span);
-            // otel 0.16+ needs this or else the code ends up being set as UNSET
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.OK
-            });
-            return result;
-        }
-        catch (err) {
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message
-            });
-            throw err;
-        }
-        finally {
-            span.end();
-        }
-    });
+async function trace(operationName, options, fn, createSpanFn = createSpan) {
+    const { updatedOptions, span } = createSpanFn(operationName, options);
+    try {
+        // NOTE: we really do need to await on this function here so we can handle any exceptions thrown and properly
+        // close the span.
+        const result = await fn(updatedOptions, span);
+        // otel 0.16+ needs this or else the code ends up being set as UNSET
+        span.setStatus({
+            code: coreTracing.SpanStatusCode.OK
+        });
+        return result;
+    }
+    catch (err) {
+        span.setStatus({
+            code: coreTracing.SpanStatusCode.ERROR,
+            message: err.message
+        });
+        throw err;
+    }
+    finally {
+        span.end();
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger = logger$g.createClientLogger("identity");
+const logger = logger$j.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -240,284 +287,153 @@ function credentialLoggerInstance(title, parent, log = logger) {
  */
 function credentialLogger(title, log = logger) {
     const credLogger = credentialLoggerInstance(title, undefined, log);
-    return Object.assign(Object.assign({}, credLogger), { getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
-}
-
-// Copyright (c) Microsoft Corporation.
-const logger$1 = credentialLogger("ChainedTokenCredential");
-/**
- * Enables multiple `TokenCredential` implementations to be tried in order
- * until one of the getToken methods returns an access token.
- */
-class ChainedTokenCredential {
-    /**
-     * Creates an instance of ChainedTokenCredential using the given credentials.
-     *
-     * @param sources - `TokenCredential` implementations to be tried in order.
-     *
-     * Example usage:
-     * ```javascript
-     * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
-     * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
-     * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
-     * ```
-     */
-    constructor(...sources) {
-        /**
-         * The message to use when the chained token fails to get a token
-         */
-        this.UnavailableMessage = "ChainedTokenCredential => failed to retrieve a token from the included credentials";
-        this._sources = [];
-        this._sources = sources;
-    }
-    /**
-     * Returns the first access token returned by one of the chained
-     * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}
-     * when one or more credentials throws an {@link AuthenticationError} and
-     * no credentials have returned an access token.
-     *
-     * This method is called automatically by Azure SDK client libraries. You may call this method
-     * directly, but you must also handle token caching and token refreshing.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                `TokenCredential` implementation might make.
-     */
-    getToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            let token = null;
-            const errors = [];
-            const { span, updatedOptions } = createSpan("ChainedTokenCredential-getToken", options);
-            for (let i = 0; i < this._sources.length && token === null; i++) {
-                try {
-                    token = yield this._sources[i].getToken(scopes, updatedOptions);
-                }
-                catch (err) {
-                    if (err.name === "CredentialUnavailableError") {
-                        errors.push(err);
-                    }
-                    else {
-                        logger$1.getToken.info(formatError(scopes, err));
-                        throw err;
-                    }
-                }
-            }
-            if (!token && errors.length > 0) {
-                const err = new AggregateAuthenticationError(errors);
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                logger$1.getToken.info(formatError(scopes, err));
-                throw err;
-            }
-            span.end();
-            logger$1.getToken.info(formatSuccess(scopes));
-            if (token === null) {
-                throw new CredentialUnavailableError("Failed to retrieve a valid token");
-            }
-            return token;
-        });
-    }
+    return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The default client ID for authentication
- * @internal
- */
-// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
-// Developer Sign On application is available
-// https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/Constants.cs#L9
-const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+const noCorrelationId = "noCorrelationId";
 /**
- * The default tenant for authentication
  * @internal
  */
-const DefaultTenantId = "common";
-(function (AzureAuthorityHosts) {
-    /**
-     * China-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
-    /**
-     * Germany-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
-    /**
-     * US Government Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
-    /**
-     * Public Cloud Azure Authority Host
-     */
-    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
-})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
-/**
- * The default authority host.
- */
-const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-function getAuthorityHostEnvironment() {
-    if (process.env.AZURE_AUTHORITY_HOST) {
-        return {
-            authorityHost: process.env.AZURE_AUTHORITY_HOST
-        };
-    }
-    else {
-        return undefined;
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-function getIdentityTokenEndpointSuffix(tenantId) {
-    if (tenantId === "adfs") {
-        return "oauth2/token";
-    }
-    else {
-        return "oauth2/v2.0/token";
-    }
+function getIdentityClientAuthorityHost(options) {
+    // The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
+    let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
+    // The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
+    if (coreUtil.isNode) {
+        authorityHost = authorityHost !== null && authorityHost !== void 0 ? authorityHost : process.env.AZURE_AUTHORITY_HOST;
+    }
+    // If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
+    return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
 }
-
-// Copyright (c) Microsoft Corporation.
-const noCorrelationId = "noCorrelationId";
 /**
  * The network module used by the Identity credentials.
  *
  * It allows for credentials to abort any pending request independently of the MSAL flow,
  * by calling to the `abortRequests()` method.
  *
- * @internal
  */
-class IdentityClient extends coreHttp.ServiceClient {
+class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
-        {
-            options = options || getAuthorityHostEnvironment();
-        }
-        // Only if the authorityHost is not provided, we use the default one.
-        options = Object.assign({ authorityHost: DefaultAuthorityHost }, options);
-        super(undefined, coreHttp.createPipelineFromOptions(Object.assign(Object.assign({}, options), { deserializationOptions: {
-                expectedContentTypes: {
-                    json: ["application/json", "text/json", "text/plain"]
-                }
-            } })));
-        this.baseUri = this.authorityHost = options.authorityHost || DefaultAuthorityHost;
-        if (!this.baseUri.startsWith("https:")) {
+        var _a;
+        const packageDetails = `azsdk-js-identity/2.0.0-beta.6`;
+        const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
+            ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
+            : `${packageDetails}`;
+        const baseUri = getIdentityClientAuthorityHost(options);
+        if (!baseUri.startsWith("https:")) {
             throw new Error("The authorityHost address must use the 'https' protocol.");
         }
+        super(Object.assign(Object.assign({ requestContentType: "application/json; charset=utf-8" }, options), { userAgentOptions: {
+                userAgentPrefix
+            }, baseUri }));
+        this.authorityHost = baseUri;
         this.abortControllers = new Map();
     }
-    createWebResource(requestOptions) {
-        const webResource = new coreHttp.WebResource();
-        webResource.prepare(requestOptions);
-        return webResource;
-    }
-    sendTokenRequest(webResource, expiresOnParser) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            logger.info(`IdentityClient: sending token request to [${webResource.url}]`);
-            const response = yield this.sendRequest(webResource);
-            expiresOnParser =
-                expiresOnParser ||
-                    ((responseBody) => {
-                        return Date.now() + responseBody.expires_in * 1000;
-                    });
-            if (response.status === 200 || response.status === 201) {
-                const token = {
-                    accessToken: {
-                        token: response.parsedBody.access_token,
-                        expiresOnTimestamp: expiresOnParser(response.parsedBody)
-                    },
-                    refreshToken: response.parsedBody.refresh_token
-                };
-                logger.info(`IdentityClient: [${webResource.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
-                return token;
-            }
-            else {
-                const error = new AuthenticationError(response.status, response.parsedBody || response.bodyAsText);
-                logger.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
-                throw error;
-            }
-        });
-    }
-    refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
-        var _a, _b;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            if (refreshToken === undefined) {
+    async sendTokenRequest(request, expiresOnParser) {
+        logger.info(`IdentityClient: sending token request to [${request.url}]`);
+        const response = await this.sendRequest(request);
+        expiresOnParser =
+            expiresOnParser ||
+                ((responseBody) => {
+                    return Date.now() + responseBody.expires_in * 1000;
+                });
+        if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
+            const parsedBody = JSON.parse(response.bodyAsText);
+            if (!parsedBody.access_token) {
                 return null;
             }
-            logger.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
-            const { span, updatedOptions } = createSpan("IdentityClient-refreshAccessToken", options);
-            const refreshParams = {
-                grant_type: "refresh_token",
-                client_id: clientId,
-                refresh_token: refreshToken,
-                scope: scopes
+            const token = {
+                accessToken: {
+                    token: parsedBody.access_token,
+                    expiresOnTimestamp: expiresOnParser(parsedBody)
+                },
+                refreshToken: parsedBody.refresh_token
             };
-            if (clientSecret !== undefined) {
-                refreshParams.client_secret = clientSecret;
-            }
-            try {
-                const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
-                const webResource = this.createWebResource({
-                    url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
-                    method: "POST",
-                    disableJsonStringifyOnBody: true,
-                    deserializationMapper: undefined,
-                    body: qs.stringify(refreshParams),
-                    headers: {
-                        Accept: "application/json",
-                        "Content-Type": "application/x-www-form-urlencoded"
-                    },
-                    spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
-                    tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext,
-                    abortSignal: options && options.abortSignal
+            logger.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+            return token;
+        }
+        else {
+            const error = new AuthenticationError(response.status, response.bodyAsText);
+            logger.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+            throw error;
+        }
+    }
+    async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
+        if (refreshToken === undefined) {
+            return null;
+        }
+        logger.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
+        const { span, updatedOptions } = createSpan("IdentityClient-refreshAccessToken", options);
+        const refreshParams = {
+            grant_type: "refresh_token",
+            client_id: clientId,
+            refresh_token: refreshToken,
+            scope: scopes
+        };
+        if (clientSecret !== undefined) {
+            refreshParams.client_secret = clientSecret;
+        }
+        const query = new URLSearchParams(refreshParams);
+        try {
+            const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
+            const request = coreRestPipeline.createPipelineRequest({
+                url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
+                method: "POST",
+                body: query.toString(),
+                abortSignal: options && options.abortSignal,
+                headers: coreRestPipeline.createHttpHeaders({
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                }),
+                tracingOptions: updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions
+            });
+            const response = await this.sendTokenRequest(request, expiresOnParser);
+            logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+            return response;
+        }
+        catch (err) {
+            if (err.name === AuthenticationErrorName &&
+                err.errorResponse.error === "interaction_required") {
+                // It's likely that the refresh token has expired, so
+                // return null so that the credential implementation will
+                // initiate the authentication flow again.
+                logger.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+                span.setStatus({
+                    code: coreTracing.SpanStatusCode.ERROR,
+                    message: err.message
                 });
-                const response = yield this.sendTokenRequest(webResource, expiresOnParser);
-                logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
-                return response;
-            }
-            catch (err) {
-                if (err.name === AuthenticationErrorName &&
-                    err.errorResponse.error === "interaction_required") {
-                    // It's likely that the refresh token has expired, so
-                    // return null so that the credential implementation will
-                    // initiate the authentication flow again.
-                    logger.info(`IdentityClient: interaction required for client ID: ${clientId}`);
-                    span.setStatus({
-                        code: coreTracing.SpanStatusCode.ERROR,
-                        message: err.message
-                    });
-                    return null;
-                }
-                else {
-                    logger.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
-                    span.setStatus({
-                        code: coreTracing.SpanStatusCode.ERROR,
-                        message: err.message
-                    });
-                    throw err;
-                }
+                return null;
             }
-            finally {
-                span.end();
+            else {
+                logger.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+                span.setStatus({
+                    code: coreTracing.SpanStatusCode.ERROR,
+                    message: err.message
+                });
+                throw err;
             }
-        });
+        }
+        finally {
+            span.end();
+        }
     }
     // Here is a custom layer that allows us to abort requests that go through MSAL,
     // since MSAL doesn't allow us to pass options all the way through.
     generateAbortSignal(correlationId) {
         const controller = new abortController.AbortController();
-        const key = correlationId || noCorrelationId;
-        const controllers = this.abortControllers.get(key) || [];
+        const controllers = this.abortControllers.get(correlationId) || [];
         controllers.push(controller);
-        this.abortControllers.set(key, controllers);
+        this.abortControllers.set(correlationId, controllers);
+        const existingOnAbort = controller.signal.onabort;
+        controller.signal.onabort = (...params) => {
+            this.abortControllers.set(correlationId, undefined);
+            if (existingOnAbort) {
+                existingOnAbort(...params);
+            }
+        };
         return controller.signal;
     }
-    abortRequests(correlationId = noCorrelationId) {
+    abortRequests(correlationId) {
         const key = correlationId || noCorrelationId;
         const controllers = [
             ...(this.abortControllers.get(key) || []),
@@ -531,238 +447,43 @@ class IdentityClient extends coreHttp.ServiceClient {
             controller.abort();
         }
         this.abortControllers.set(key, undefined);
-        this.abortControllers.set(noCorrelationId, undefined);
     }
     getCorrelationId(options) {
         var _a;
         const parameter = (_a = options === null || options === void 0 ? void 0 : options.body) === null || _a === void 0 ? void 0 : _a.split("&").map((part) => part.split("=")).find(([key]) => key === "client-request-id");
-        return parameter && parameter.length ? parameter[1] : noCorrelationId;
+        return parameter && parameter.length ? parameter[1] || noCorrelationId : noCorrelationId;
     }
     // The MSAL network module methods follow
-    sendGetRequestAsync(url, options) {
-        const webResource = new coreHttp.WebResource(url, "GET", options === null || options === void 0 ? void 0 : options.body, {}, options === null || options === void 0 ? void 0 : options.headers, false, false, 
-        // MSAL doesn't send the correlation ID on the get requests.
-        this.generateAbortSignal());
-        return this.sendRequest(webResource).then((response) => {
-            return {
-                body: response.parsedBody,
-                headers: response.headers.rawHeaders(),
-                status: response.status
-            };
+    async sendGetRequestAsync(url, options) {
+        const request = coreRestPipeline.createPipelineRequest({
+            url,
+            method: "GET",
+            body: options === null || options === void 0 ? void 0 : options.body,
+            headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
+            abortSignal: this.generateAbortSignal(noCorrelationId)
         });
+        const response = await this.sendRequest(request);
+        return {
+            body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
+            headers: response.headers.toJSON(),
+            status: response.status
+        };
     }
-    sendPostRequestAsync(url, options) {
-        const webResource = new coreHttp.WebResource(url, "POST", options === null || options === void 0 ? void 0 : options.body, {}, options === null || options === void 0 ? void 0 : options.headers, false, false, 
-        // MSAL doesn't send the correlation ID on the get requests.
-        this.generateAbortSignal(this.getCorrelationId(options)));
-        return this.sendRequest(webResource).then((response) => {
-            return {
-                body: response.parsedBody,
-                headers: response.headers.rawHeaders(),
-                status: response.status
-            };
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-// TODO:
-// Either drop Node 8 or re-enable it.
-// Also TODO, re-enable Node 15 asap.
-const isNode8 = process.versions.node[0] === "8";
-const Node8NotSupportedError = new Error("Node 8 does not support persistence caching.");
-const isNode15 = process.versions.node.slice(0, 2) === "15";
-const Node15NotSupportedError = new Error("Node 15 does not support persistence caching.");
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Local application data folder
- * Expected values:
- * - Darwin: '/Users/user/'
- * - Windows 8: 'C:\Users\user\AppData\Local'
- * - Windows XP: 'C:\Documents and Settings\user\Application Data\Local'
- * - Linux: '/home/user/.local/share'
- * @internal
- */
-const localApplicationDataFolder = process.env.APPDATA
-    ? process.env.APPDATA.replace(/(.Roaming)*$/, "\\Local")
-    : (process.platform === "darwin" ? process.env.HOME : process.env.HOME);
-/**
- * Dictionary of values that we use as default as we discover, pick and enable the persistence layer.
- * @internal
- */
-const defaultMsalValues = {
-    tokenCache: {
-        name: "msal.cache",
-        // Expected values:
-        // - Darwin: '/Users/user/.IdentityService'
-        // - Windows 8: 'C:\Users\user\AppData\Local\.IdentityService'
-        // - Windows XP: 'C:\Documents and Settings\user\Application Data\Local\.IdentityService'
-        // - Linux: '/home/user/.IdentityService'
-        directory: path.join(localApplicationDataFolder, ".IdentityService")
-    },
-    keyRing: {
-        label: "MSALCache",
-        schema: "msal.cache",
-        collection: "default",
-        attributes: {
-            MsalClientID: "Microsoft.Developer.IdentityService",
-            "Microsoft.Developer.IdentityService": "1.0.0.0"
-        },
-        service: "Microsoft.Developer.IdentityService",
-        account: "MSALCache"
-    },
-    keyChain: {
-        service: "Microsoft.Developer.IdentityService",
-        account: "MSALCache"
-    }
-};
-/**
- * Expected responses:
- * - Darwin: '/Users/user/.IdentityService/<name>'
- * - Windows 8: 'C:\Users\user\AppData\Local\.IdentityService\<name>'
- * - Windows XP: 'C:\Documents and Settings\user\Application Data\Local\.IdentityService\<name>'
- * - Linux: '/home/user/.IdentityService/<name>'
- * @internal
- */
-function getPersistencePath(name) {
-    return path.join(defaultMsalValues.tokenCache.directory, name);
-}
-/**
- * Set of the platforms we attempt to deliver persistence on.
- *
- * - On Windows we use DPAPI.
- * - On OSX (Darwin), we try to use the system's Keychain, otherwise if the property `allowUnencryptedStorage` is set to true, we use an unencrypted file.
- * - On Linux, we try to use the system's Keyring, otherwise if the property `allowUnencryptedStorage` is set to true, we use an unencrypted file.
- *
- * @internal
- */
-const msalPersistencePlatforms = {
-    win32: {
-        name: "win32",
-        isAvailable: () => process.platform === "win32",
-        persistence: ({ name = defaultMsalValues.tokenCache.name } = {}) => {
-            if (isNode8 || isNode15) {
-                throw isNode8 ? Node8NotSupportedError : Node15NotSupportedError;
-            }
-            else {
-                const { FilePersistenceWithDataProtection, DataProtectionScope
-                /* eslint-disable-next-line @typescript-eslint/no-require-imports */
-                 } = require("@azure/msal-node-extensions");
-                return FilePersistenceWithDataProtection.create(getPersistencePath(name), DataProtectionScope.CurrentUser);
-            }
-        }
-    },
-    darwin: {
-        name: "darwin",
-        isAvailable: () => process.platform === "darwin",
-        persistence(options = {}) {
-            return tslib.__awaiter(this, void 0, void 0, function* () {
-                const { name, allowUnencryptedStorage } = options;
-                const { service, account } = defaultMsalValues.keyChain;
-                const persistencePath = getPersistencePath(name || defaultMsalValues.tokenCache.name);
-                if (isNode8 || isNode15) {
-                    throw isNode8 ? Node8NotSupportedError : Node15NotSupportedError;
-                }
-                else {
-                    /* eslint-disable-next-line @typescript-eslint/no-require-imports */
-                    const { KeychainPersistence, FilePersistence } = require("@azure/msal-node-extensions");
-                    try {
-                        const persistence = yield KeychainPersistence.create(persistencePath, service, account);
-                        // If we don't encounter an error when trying to read from the keychain, then we should be good to go.
-                        yield persistence.load();
-                        return persistence;
-                    }
-                    catch (e) {
-                        // If we got an error while trying to read from the keyring,
-                        // we will proceed only if the user has specified that unencrypted storage is allowed.
-                        if (!allowUnencryptedStorage) {
-                            throw new Error("MSAL was unable to read from the system's keyring.");
-                        }
-                        return FilePersistence.create(persistencePath);
-                    }
-                }
-            });
-        }
-    },
-    linux: {
-        name: "linux",
-        isAvailable: () => process.platform === "linux",
-        persistence(options = {}) {
-            return tslib.__awaiter(this, void 0, void 0, function* () {
-                const { name, allowUnencryptedStorage } = options;
-                const { service, account } = defaultMsalValues.keyRing;
-                const persistencePath = getPersistencePath(name || defaultMsalValues.tokenCache.name);
-                if (isNode8 || isNode15) {
-                    throw isNode8 ? Node8NotSupportedError : Node15NotSupportedError;
-                }
-                else {
-                    /* eslint-disable-next-line @typescript-eslint/no-require-imports */
-                    const { LibSecretPersistence, FilePersistence } = require("@azure/msal-node-extensions");
-                    try {
-                        const persistence = yield LibSecretPersistence.create(persistencePath, service, account);
-                        // If we don't encounter an error when trying to read from the keyring, then we should be good to go.
-                        yield persistence.load();
-                        return persistence;
-                    }
-                    catch (e) {
-                        // If we got an error while trying to read from the keyring,
-                        // we will proceed only if the user has specified that unencrypted storage is allowed.
-                        if (!allowUnencryptedStorage) {
-                            throw new Error("MSAL was unable to read from the system's keyring.");
-                        }
-                        return FilePersistence.create(persistencePath);
-                    }
-                }
-            });
-        }
-    }
-};
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Determines which platform we can trust to deliver a persistence layer for MSAL,
- * and also provides a way to extract a CachePlugin that can be sent to MSAL through the MSAL applications' configurations.
- * @internal
- */
-class TokenCachePersistence {
-    constructor(options = {}) {
-        this.options = options;
-    }
-    getPersistence() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const { win32, darwin, linux } = msalPersistencePlatforms;
-            const availablePlatform = [win32, darwin, linux].find((platform) => platform.isAvailable());
-            return availablePlatform === null || availablePlatform === void 0 ? void 0 : availablePlatform.persistence(this.options);
-        });
-    }
-    register(_options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const lockOptions = {
-                retryNumber: 100,
-                retryDelay: 50
-            };
-            let extensions;
-            try {
-                /* eslint-disable-next-line @typescript-eslint/no-require-imports */
-                extensions = require("@azure/msal-node-extensions");
-            }
-            catch (e) {
-                throw new CredentialUnavailableError("To use the token cache persistence feature, please install the package '@azure/msal-node-extensions@1.0.0-alpha.6'.");
-            }
-            if (isNode8 || isNode15) {
-                throw isNode8 ? Node8NotSupportedError : Node15NotSupportedError;
-            }
-            else {
-                const { PersistenceCachePlugin } = extensions;
-                const persistence = yield this.getPersistence();
-                if (!persistence) {
-                    throw new Error("No persistence implementations available.");
-                }
-                return new PersistenceCachePlugin(persistence, lockOptions);
-            }
+    async sendPostRequestAsync(url, options) {
+        const request = coreRestPipeline.createPipelineRequest({
+            url,
+            method: "POST",
+            body: options === null || options === void 0 ? void 0 : options.body,
+            headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
+            // MSAL doesn't send the correlation ID on the get requests.
+            abortSignal: this.generateAbortSignal(this.getCorrelationId(options))
         });
+        const response = await this.sendRequest(request);
+        return {
+            body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
+            headers: response.headers.toJSON(),
+            status: response.status
+        };
     }
 }
 
@@ -791,10 +512,11 @@ function resolveTenantId(logger, tenantId, clientId) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Error used to enforce authentication after trying to retrieve a token silently.
  */
-class AuthenticationRequiredError extends CredentialUnavailableError {
+class AuthenticationRequiredError extends Error {
     constructor(
     /**
      * The list of scopes for which the token will have access.
@@ -837,10 +559,13 @@ function ensureValidMsalToken(scopes, logger, msalToken, getTokenOptions) {
     }
 }
 /**
- * Generates a valid authorityHost by combining a host with a tenantId.
+ * Generates a valid authority by combining a host with a tenantId.
  * @internal
  */
-function getAuthorityHost(tenantId, host = DefaultAuthorityHost) {
+function getAuthority(tenantId, host) {
+    if (!host) {
+        host = DefaultAuthorityHost;
+    }
     if (host.endsWith("/")) {
         return host + tenantId;
     }
@@ -850,8 +575,9 @@ function getAuthorityHost(tenantId, host = DefaultAuthorityHost) {
 }
 /**
  * Generates the known authorities.
- * If the tenantId is "adfs", we will return an array with the authorityHost as the only known authority.
- * Otherwise, it is safe to return an empty array.
+ * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
+ * For that reason, we have to force MSAL to disable validating the authority
+ * by sending it within the known authorities in the MSAL configuration.
  * @internal
  */
 function getKnownAuthorities(tenantId, authorityHost) {
@@ -865,22 +591,22 @@ function getKnownAuthorities(tenantId, authorityHost) {
  * @param logger - The logger of the credential.
  * @internal
  */
-const defaultLoggerCallback = (logger) => (level, message, containsPii) => {
+const defaultLoggerCallback = (logger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
     if (containsPii) {
         return;
     }
     switch (level) {
-        case msalNode.LogLevel.Error:
-            logger.info(`MSAL Browser V2 error: ${message}`);
+        case msalCommon.LogLevel.Error:
+            logger.info(`MSAL ${platform} V2 error: ${message}`);
             return;
-        case msalNode.LogLevel.Info:
-            logger.info(`MSAL Browser V2 info message: ${message}`);
+        case msalCommon.LogLevel.Info:
+            logger.info(`MSAL ${platform} V2 info message: ${message}`);
             return;
-        case msalNode.LogLevel.Verbose:
-            logger.info(`MSAL Browser V2 verbose message: ${message}`);
+        case msalCommon.LogLevel.Verbose:
+            logger.info(`MSAL ${platform} V2 verbose message: ${message}`);
             return;
-        case msalNode.LogLevel.Warning:
-            logger.info(`MSAL Browser V2 warning: ${message}`);
+        case msalCommon.LogLevel.Warning:
+            logger.info(`MSAL ${platform} V2 warning: ${message}`);
             return;
     }
 };
@@ -923,25 +649,29 @@ class MsalBaseUtilities {
      * Handles MSAL errors.
      */
     handleError(scopes, error, getTokenOptions) {
-        if (error instanceof msalCommon.AuthError) {
-            switch (error.errorCode) {
+        if (error.name === "AuthError" ||
+            error.name === "ClientAuthError" ||
+            error.name === "BrowserAuthError") {
+            const msalError = error;
+            switch (msalError.errorCode) {
                 case "endpoints_resolution_error":
                     this.logger.info(formatError(scopes, error.message));
                     return new CredentialUnavailableError(error.message);
+                case "device_code_polling_cancelled":
+                    return new abortController.AbortError("The authentication has been aborted by the caller.");
                 case "consent_required":
                 case "interaction_required":
                 case "login_required":
-                    this.logger.info(formatError(scopes, `Authentication returned errorCode ${error.errorCode}`));
+                    this.logger.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
                     break;
                 default:
                     this.logger.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
                     break;
             }
         }
-        if (error instanceof msalCommon.ClientConfigurationError) {
-            return error;
-        }
-        if (error.name === "AbortError") {
+        if (error.name === "ClientConfigurationError" ||
+            error.name === "BrowserConfigurationAuthError" ||
+            error.name === "AbortError") {
             return error;
         }
         return new AuthenticationRequiredError(scopes, getTokenOptions, error.message);
@@ -954,7 +684,7 @@ function publicToMsal(account) {
 }
 function msalToPublic(clientId, account) {
     const record = {
-        authority: getAuthorityHost(account.tenantId, account.environment),
+        authority: getAuthority(account.tenantId, account.environment),
         homeAccountId: account.homeAccountId,
         tenantId: account.tenantId || DefaultTenantId,
         username: account.username,
@@ -1008,8 +738,156 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
+(function (RegionalAuthority) {
+    /** Instructs MSAL to attempt to discover the region */
+    RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
+    RegionalAuthority["USWest"] = "westus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
+    RegionalAuthority["USWest2"] = "westus2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
+    RegionalAuthority["USCentral"] = "centralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
+    RegionalAuthority["USEast"] = "eastus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
+    RegionalAuthority["USEast2"] = "eastus2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
+    RegionalAuthority["USNorthCentral"] = "northcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
+    RegionalAuthority["USSouthCentral"] = "southcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
+    RegionalAuthority["USWestCentral"] = "westcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
+    RegionalAuthority["CanadaCentral"] = "canadacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
+    RegionalAuthority["CanadaEast"] = "canadaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
+    RegionalAuthority["BrazilSouth"] = "brazilsouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
+    RegionalAuthority["EuropeNorth"] = "northeurope";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
+    RegionalAuthority["EuropeWest"] = "westeurope";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
+    RegionalAuthority["UKSouth"] = "uksouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
+    RegionalAuthority["UKWest"] = "ukwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
+    RegionalAuthority["FranceCentral"] = "francecentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
+    RegionalAuthority["FranceSouth"] = "francesouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
+    RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
+    RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
+    RegionalAuthority["GermanyNorth"] = "germanynorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
+    RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
+    RegionalAuthority["NorwayWest"] = "norwaywest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
+    RegionalAuthority["NorwayEast"] = "norwayeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
+    RegionalAuthority["AsiaEast"] = "eastasia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
+    RegionalAuthority["AsiaSouthEast"] = "southeastasia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
+    RegionalAuthority["JapanEast"] = "japaneast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
+    RegionalAuthority["JapanWest"] = "japanwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
+    RegionalAuthority["AustraliaEast"] = "australiaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
+    RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
+    RegionalAuthority["AustraliaCentral"] = "australiacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
+    RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
+    RegionalAuthority["IndiaCentral"] = "centralindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
+    RegionalAuthority["IndiaSouth"] = "southindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
+    RegionalAuthority["IndiaWest"] = "westindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
+    RegionalAuthority["KoreaSouth"] = "koreasouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
+    RegionalAuthority["KoreaCentral"] = "koreacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
+    RegionalAuthority["UAECentral"] = "uaecentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
+    RegionalAuthority["UAENorth"] = "uaenorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
+    RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
+    RegionalAuthority["SouthAfricaWest"] = "southafricawest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
+    RegionalAuthority["ChinaNorth"] = "chinanorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
+    RegionalAuthority["ChinaEast"] = "chinaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
+    RegionalAuthority["ChinaNorth2"] = "chinanorth2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
+    RegionalAuthority["ChinaEast2"] = "chinaeast2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
+    RegionalAuthority["GermanyCentral"] = "germanycentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
+    RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
+    RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
+    RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
+    RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
+    RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
+    RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
+    RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
+})(exports.RegionalAuthority || (exports.RegionalAuthority = {}));
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @internal
+ */
+const multiTenantErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication was not enabled in this credential instance.";
+/**
+ * Verifies whether locally assigned tenants are equal to tenants received through getToken.
+ * Returns the appropriate tenant.
+ * @internal
+ */
+function processMultiTenantRequest(tenantId, allowMultiTenantAuthentication, getTokenOptions) {
+    if (!allowMultiTenantAuthentication &&
+        (getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) &&
+        tenantId &&
+        getTokenOptions.tenantId !== tenantId) {
+        throw new Error(multiTenantErrorMessage);
+    }
+    if (allowMultiTenantAuthentication && (getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
+        return getTokenOptions.tenantId;
+    }
+    return tenantId;
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * The current persistence provider, undefined by default.
+ * @internal
+ */
+let persistenceProvider = undefined;
+/**
+ * An object that allows setting the persistence provider.
+ * @internal
+ */
+const msalNodeFlowCacheControl = {
+    setPersistence(pluginProvider) {
+        persistenceProvider = pluginProvider;
+    }
+};
 /**
- * MSAL partial base client for NodeJS.
+ * MSAL partial base client for Node.js.
  *
  * It completes the input configuration with some default values.
  * It also provides with utility protected methods that can be used from any of the clients,
@@ -1019,27 +897,49 @@ function deserializeAuthenticationRecord(serializedRecord) {
  */
 class MsalNode extends MsalBaseUtilities {
     constructor(options) {
+        var _a, _b, _c;
         super(options);
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
+        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
         this.clientId = this.msalConfig.auth.clientId;
-        if (options.tokenCachePersistenceOptions) {
-            this.tokenCache = new TokenCachePersistence(options.tokenCachePersistenceOptions);
+        // If persistence has been configured
+        if (persistenceProvider !== undefined && ((_a = options.tokenCachePersistenceOptions) === null || _a === void 0 ? void 0 : _a.enabled)) {
+            this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
+        }
+        else if ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled) {
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`."
+            ].join(" "));
+        }
+        this.azureRegion = (_c = options.regionalAuthority) !== null && _c !== void 0 ? _c : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
+        if (this.azureRegion === exports.RegionalAuthority.AutoDiscoverRegion) {
+            this.azureRegion = "AUTO_DISCOVER";
         }
     }
     /**
-     * Generates a MSAL configuration that generally works for NodeJS
+     * Generates a MSAL configuration that generally works for Node.js
      */
     defaultNodeMsalConfig(options) {
         const clientId = options.clientId || DeveloperSignOnClientId;
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        const authorityHost = getAuthorityHost(tenantId, options.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost }));
+        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
+        const authority = getAuthority(tenantId, this.authorityHost);
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
+        let clientCapabilities = ["CP1"];
+        if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
+            clientCapabilities = [];
+        }
         return {
             auth: {
                 clientId,
-                authority: authorityHost,
-                knownAuthorities: getKnownAuthorities(tenantId, authorityHost)
+                authority,
+                knownAuthorities: getKnownAuthorities(tenantId, authority),
+                clientCapabilities
             },
             // Cache is defined in this.prepare();
             system: {
@@ -1053,36 +953,34 @@ class MsalNode extends MsalBaseUtilities {
     /**
      * Prepares the MSAL applications.
      */
-    init(options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            if (options === null || options === void 0 ? void 0 : options.abortSignal) {
-                options.abortSignal.addEventListener("abort", () => {
-                    // This will abort any pending request in the IdentityClient,
-                    // based on the received or generated correlationId
-                    this.identityClient.abortRequests(options.correlationId);
-                });
-            }
-            if (this.publicApp || this.confidentialApp) {
-                return;
-            }
-            if (this.tokenCache) {
-                this.msalConfig.cache = {
-                    cachePlugin: yield this.tokenCache.register()
-                };
-            }
-            this.publicApp = new msalNode.PublicClientApplication(this.msalConfig);
-            // The confidential client requires either a secret, assertion or certificate.
-            if (this.msalConfig.auth.clientSecret ||
-                this.msalConfig.auth.clientAssertion ||
-                this.msalConfig.auth.clientCertificate) {
-                this.confidentialApp = new msalNode.ConfidentialClientApplication(this.msalConfig);
-            }
-            else {
-                if (this.requiresConfidential) {
-                    throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
-                }
+    async init(options) {
+        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
+            options.abortSignal.addEventListener("abort", () => {
+                // This will abort any pending request in the IdentityClient,
+                // based on the received or generated correlationId
+                this.identityClient.abortRequests(options.correlationId);
+            });
+        }
+        if (this.publicApp || this.confidentialApp) {
+            return;
+        }
+        if (this.createCachePlugin !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePlugin()
+            };
+        }
+        this.publicApp = new msalNode.PublicClientApplication(this.msalConfig);
+        // The confidential client requires either a secret, assertion or certificate.
+        if (this.msalConfig.auth.clientSecret ||
+            this.msalConfig.auth.clientAssertion ||
+            this.msalConfig.auth.clientCertificate) {
+            this.confidentialApp = new msalNode.ConfidentialClientApplication(this.msalConfig);
+        }
+        else {
+            if (this.requiresConfidential) {
+                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
             }
-        });
+        }
     }
     /**
      * Allows the cancellation of a MSAL request.
@@ -1104,406 +1002,1038 @@ class MsalNode extends MsalBaseUtilities {
     /**
      * Returns the existing account, attempts to load the account from MSAL.
      */
-    getActiveAccount() {
-        var _a;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            if (this.account) {
-                return this.account;
-            }
-            const cache = (_a = this.publicApp) === null || _a === void 0 ? void 0 : _a.getTokenCache();
-            const accountsByTenant = yield (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
-            if (!accountsByTenant) {
-                return;
-            }
-            if (accountsByTenant.length === 1) {
-                this.account = msalToPublic(this.clientId, accountsByTenant[0]);
-            }
-            else {
-                this.logger
-                    .info(`More than one account was found authenticated for this Client ID and Tenant ID.
+    async getActiveAccount() {
+        var _a, _b, _c;
+        if (this.account) {
+            return this.account;
+        }
+        const cache = (_b = (_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.getTokenCache()) !== null && _b !== void 0 ? _b : (_c = this.publicApp) === null || _c === void 0 ? void 0 : _c.getTokenCache();
+        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
+        if (!accountsByTenant) {
+            return;
+        }
+        if (accountsByTenant.length === 1) {
+            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
+        }
+        else {
+            this.logger
+                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
 However, no "authenticationRecord" has been provided for this credential,
 therefore we're unable to pick between these accounts.
 A new login attempt will be requested, to ensure the correct account is picked.
 To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
-                return;
-            }
-            return this.account;
-        });
-    }
-    /**
-     * Clears MSAL's cache.
-     */
-    logout() {
-        var _a;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const cache = yield ((_a = this.publicApp) === null || _a === void 0 ? void 0 : _a.getTokenCache());
-            if (!this.account || !cache) {
-                return;
-            }
-            cache.removeAccount(publicToMsal(this.account));
-        });
+            return;
+        }
+        return this.account;
     }
     /**
      * Attempts to retrieve a token from cache.
      */
-    getTokenSilent(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            yield this.getActiveAccount();
-            if (!this.account) {
-                throw new AuthenticationRequiredError(scopes, options);
-            }
-            const silentRequest = {
-                // To be able to re-use the account, the Token Cache must also have been provided.
-                account: publicToMsal(this.account),
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                scopes
-            };
-            try {
-                this.logger.info("Attempting to acquire token silently");
-                const response = yield this.publicApp.acquireTokenSilent(silentRequest);
-                return this.handleResult(scopes, this.clientId, response || undefined);
-            }
-            catch (err) {
-                throw this.handleError(scopes, err, options);
-            }
-        });
+    async getTokenSilent(scopes, options) {
+        var _a, _b;
+        await this.getActiveAccount();
+        if (!this.account) {
+            throw new AuthenticationRequiredError(scopes, options);
+        }
+        const silentRequest = {
+            // To be able to re-use the account, the Token Cache must also have been provided.
+            account: publicToMsal(this.account),
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+            scopes,
+            authority: options === null || options === void 0 ? void 0 : options.authority
+        };
+        try {
+            this.logger.info("Attempting to acquire token silently");
+            const response = (_b = (await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenSilent(silentRequest)))) !== null && _b !== void 0 ? _b : (await this.publicApp.acquireTokenSilent(silentRequest));
+            return this.handleResult(scopes, this.clientId, response || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
     }
     /**
      * Wrapper around each MSAL flow get token operation: doGetToken.
      * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
-            yield this.init(options);
-            return this.getTokenSilent(scopes, options).catch((err) => {
-                if (err.name !== "AuthenticationRequiredError") {
-                    throw err;
-                }
-                if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                    throw new AuthenticationRequiredError(scopes, options, "Automatic authentication has been disabled. You may call the authentication() method.");
-                }
-                this.logger.info(`Silent authentication failed, falling back to interactive method.`);
-                return this.doGetToken(scopes, options);
-            });
-        });
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
+            this.tenantId;
+        options.authority = getAuthority(tenantId, this.authorityHost);
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
+        await this.init(options);
+        try {
+            return await this.getTokenSilent(scopes, options);
+        }
+        catch (err) {
+            if (err.name !== "AuthenticationRequiredError") {
+                throw err;
+            }
+            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError(scopes, options, "Automatic authentication has been disabled. You may call the authentication() method.");
+            }
+            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
+            return this.doGetToken(scopes, options);
+        }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+const CommonTenantId = "common";
+const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
+const logger$1 = credentialLogger("VisualStudioCodeCredential");
+let findCredentials = undefined;
+const vsCodeCredentialControl = {
+    setVsCodeCredentialFinder(finder) {
+        findCredentials = finder;
+    }
+};
+// Map of unsupported Tenant IDs and the errors we will be throwing.
+const unsupportedTenantIds = {
+    adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants."
+};
+function checkUnsupportedTenant(tenantId) {
+    // If the Tenant ID isn't supported, we throw.
+    const unsupportedTenantError = unsupportedTenantIds[tenantId];
+    if (unsupportedTenantError) {
+        throw new CredentialUnavailableError(unsupportedTenantError);
+    }
+}
+const mapVSCodeAuthorityHosts = {
+    AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
+    AzureChina: exports.AzureAuthorityHosts.AzureChina,
+    AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
+    AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment
+};
 /**
- * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
+ * Attempts to load a specific property from the VSCode configurations of the current OS.
+ * If it fails at any point, returns undefined.
  */
-class MsalClientSecret extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.msalConfig.auth.clientSecret = options.clientSecret;
+function getPropertyFromVSCode(property) {
+    const settingsPath = ["User", "settings.json"];
+    // Eventually we can add more folders for more versions of VSCode.
+    const vsCodeFolder = "Code";
+    const homedir = os.homedir();
+    function loadProperty(...pathSegments) {
+        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
+        const settings = JSON.parse(fs__default.readFileSync(fullPath, { encoding: "utf8" }));
+        return settings[property];
     }
-    doGetToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            try {
-                const result = yield this.confidentialApp.acquireTokenByClientCredential({
-                    scopes,
-                    correlationId: options.correlationId
-                });
-                // The Client Credential flow does not return an account,
-                // so each time getToken gets called, we will have to acquire a new token through the service.
-                return this.handleResult(scopes, this.clientId, result || undefined);
-            }
-            catch (err) {
-                throw this.handleError(scopes, err, options);
-            }
-        });
+    try {
+        let appData;
+        switch (process.platform) {
+            case "win32":
+                appData = process.env.APPDATA;
+                return appData ? loadProperty(appData) : undefined;
+            case "darwin":
+                return loadProperty(homedir, "Library", "Application Support");
+            case "linux":
+                return loadProperty(homedir, ".config");
+            default:
+                return;
+        }
+    }
+    catch (e) {
+        logger$1.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        return;
     }
 }
-
-// Copyright (c) Microsoft Corporation.
-const logger$2 = credentialLogger("ClientSecretCredential");
 /**
- * Enables authentication to Azure Active Directory using a client secret
- * that was generated for an App Registration. More information on how
- * to configure a client secret can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
- *
+ * Connect to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Once the user has logged in via the extension, this credential can share the same refresh token
+ * that is cached by the extension.
  */
-class ClientSecretCredential {
+class VisualStudioCodeCredential {
     /**
-     * Creates an instance of the ClientSecretCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
-     * secret.
+     * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param clientSecret - A client secret that was generated for the App Registration.
      * @param options - Options for configuring the client which makes the authentication request.
      */
-    constructor(tenantId, clientId, clientSecret, options = {}) {
-        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$2,
-            clientId,
-            tenantId,
-            clientSecret, tokenCredentialOptions: options }));
+    constructor(options) {
+        // We want to make sure we use the one assigned by the user on the VSCode settings.
+        // Or just `AzureCloud` by default.
+        this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
+        // Picking an authority host based on the cloud name.
+        const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
+        this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
+        if (options && options.tenantId) {
+            checkTenantId(logger$1, options.tenantId);
+            this.tenantId = options.tenantId;
+        }
+        else {
+            this.tenantId = CommonTenantId;
+        }
+        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
+        checkUnsupportedTenant(this.tenantId);
+    }
+    /**
+     * Runs preparations for any further getToken request.
+     */
+    async prepare() {
+        // Attempts to load the tenant from the VSCode configuration file.
+        const settingsTenant = getPropertyFromVSCode("azure.tenant");
+        if (settingsTenant) {
+            this.tenantId = settingsTenant;
+        }
+        checkUnsupportedTenant(this.tenantId);
+    }
+    /**
+     * Runs preparations for any further getToken, but only once.
+     */
+    prepareOnce() {
+        if (!this.preparePromise) {
+            this.preparePromise = this.prepare();
+        }
+        return this.preparePromise;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Returns the token found by searching VSCode's authentication cache or
+     * returns null if no token could be found.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
+     *                `TokenCredential` implementation might make.
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, newOptions);
-            }));
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientCertificate extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.sendCertificateChain = options.sendCertificateChain;
-        const parts = this.parseCertificate(options.certificatePath);
-        this.msalConfig.auth.clientCertificate = {
-            thumbprint: parts.thumbprint,
-            privateKey: parts.certificateContents,
-            x5c: parts.x5c
-        };
-    }
-    parseCertificate(certificatePath) {
-        const certificateParts = {};
-        certificateParts.certificateContents = fs.readFileSync(certificatePath, "utf8");
-        if (this.sendCertificateChain) {
-            certificateParts.x5c = certificateParts.certificateContents;
-        }
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateParts.certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            const error = new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-            this.logger.info(formatError("", error));
+    async getToken(scopes, options) {
+        var _a, _b;
+        await this.prepareOnce();
+        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
+            this.tenantId;
+        if (findCredentials === undefined) {
+            throw new CredentialUnavailableError([
+                "No implementation of `VisualStudioCodeCredential` is available.",
+                "You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`."
+            ].join(" "));
+        }
+        let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
+        // Check to make sure the scope we get back is a valid scope
+        if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
+            const error = new Error("Invalid scope was specified by the user or calling client");
+            logger$1.getToken.info(formatError(scopes, error));
             throw error;
         }
-        certificateParts.thumbprint = crypto.createHash("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return certificateParts;
-    }
-    doGetToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            try {
-                const result = yield this.confidentialApp.acquireTokenByClientCredential({
-                    scopes,
-                    correlationId: options.correlationId
-                });
-                // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
-                // The Client Credential flow does not return the account information from the authentication service,
-                // so each time getToken gets called, we will have to acquire a new token through the service.
-                return this.handleResult(scopes, this.clientId, result || undefined);
+        if (scopeString.indexOf("offline_access") < 0) {
+            scopeString += " offline_access";
+        }
+        // findCredentials returns an array similar to:
+        // [
+        //   {
+        //     account: "",
+        //     password: "",
+        //   },
+        //   /* ... */
+        // ]
+        const credentials = await findCredentials();
+        // If we can't find the credential based on the name, we'll pick the first one available.
+        const { password: refreshToken } = (_b = (_a = credentials.find(({ account }) => account === this.cloudName)) !== null && _a !== void 0 ? _a : credentials[0]) !== null && _b !== void 0 ? _b : {};
+        if (refreshToken) {
+            const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
+            if (tokenResponse) {
+                logger$1.getToken.info(formatSuccess(scopes));
+                return tokenResponse.accessToken;
             }
-            catch (err) {
-                throw this.handleError(scopes, err, options);
+            else {
+                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently?");
+                logger$1.getToken.info(formatError(scopes, error));
+                throw error;
             }
-        });
+        }
+        else {
+            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension?");
+            logger$1.getToken.info(formatError(scopes, error));
+            throw error;
+        }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$3 = credentialLogger("ClientCertificateCredential");
 /**
- * Enables authentication to Azure Active Directory using a PEM-encoded
- * certificate that is assigned to an App Registration. More information
- * on how to configure certificate authentication can be found here:
+ * The context passed to an Identity plugin. This contains objects that
+ * plugins can use to set backend implementations.
+ * @internal
+ */
+const pluginContext = {
+    cachePluginControl: msalNodeFlowCacheControl,
+    vsCodeCredentialControl: vsCodeCredentialControl
+};
+/**
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ * - `@azure/identity-cache-persistence`: provides persistent token caching
+ * - `@azure/identity-vscode`: provides the dependencies of
+ *   `VisualStudioCodeCredential` and enables it
+ *
+ * Example:
+ *
+ * ```javascript
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+ *
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
  *
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
+ * // add middleware to the underlying credentials, such as persistence.
+ * const credential = new DefaultAzureCredential({
+ *   tokenCachePersistenceOptions: {
+ *     enabled: true
+ *   }
+ * });
+ * ```
+ *
+ * @param plugin - the plugin to register
  */
-class ClientCertificateCredential {
+function useIdentityPlugin(plugin) {
+    plugin(pluginContext);
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * @internal
+ */
+const logger$2 = credentialLogger("ChainedTokenCredential");
+/**
+ * Enables multiple `TokenCredential` implementations to be tried in order
+ * until one of the getToken methods returns an access token.
+ */
+class ChainedTokenCredential {
     /**
-     * Creates an instance of the ClientCertificateCredential with the details
-     * needed to authenticate against Azure Active Directory with a certificate.
+     * Creates an instance of ChainedTokenCredential using the given credentials.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.
-     * @param options - Options for configuring the client which makes the authentication request.
+     * @param sources - `TokenCredential` implementations to be tried in order.
+     *
+     * Example usage:
+     * ```javascript
+     * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
+     * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
+     * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
+     * ```
      */
-    constructor(tenantId, clientId, certificatePath, options = {}) {
-        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { certificatePath,
-            logger: logger$3,
-            clientId,
-            tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
+    constructor(...sources) {
+        /**
+         * The message to use when the chained token fails to get a token
+         */
+        this.UnavailableMessage = "ChainedTokenCredential => failed to retrieve a token from the included credentials";
+        this._sources = [];
+        this._sources = sources;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Returns the first access token returned by one of the chained
+     * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}
+     * when one or more credentials throws an {@link AuthenticationError} and
+     * no credentials have returned an access token.
+     *
+     * This method is called automatically by Azure SDK client libraries. You may call this method
+     * directly, but you must also handle token caching and token refreshing.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
+     *                `TokenCredential` implementation might make.
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, newOptions);
-            }));
-        });
+    async getToken(scopes, options) {
+        let token = null;
+        let successfulCredentialName = "";
+        const errors = [];
+        const { span, updatedOptions } = createSpan("ChainedTokenCredential-getToken", options);
+        for (let i = 0; i < this._sources.length && token === null; i++) {
+            try {
+                token = await this._sources[i].getToken(scopes, updatedOptions);
+                successfulCredentialName = this._sources[i].constructor.name;
+            }
+            catch (err) {
+                if (err.name === "CredentialUnavailableError" ||
+                    err.name === "AuthenticationRequiredError") {
+                    errors.push(err);
+                }
+                else {
+                    logger$2.getToken.info(formatError(scopes, err));
+                    throw err;
+                }
+            }
+        }
+        if (!token && errors.length > 0) {
+            const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
+            span.setStatus({
+                code: coreTracing.SpanStatusCode.ERROR,
+                message: err.message
+            });
+            logger$2.getToken.info(formatError(scopes, err));
+            throw err;
+        }
+        span.end();
+        logger$2.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
+        if (token === null) {
+            throw new CredentialUnavailableError("Failed to retrieve a valid token");
+        }
+        return token;
     }
 }
 
 // Copyright (c) Microsoft Corporation.
 /**
- * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
+ * Throws if the received scope is not valid.
  * @internal
  */
-class MsalUsernamePassword extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.username = options.username;
-        this.password = options.password;
-    }
-    doGetToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            try {
-                const requestOptions = {
-                    scopes,
-                    username: this.username,
-                    password: this.password,
-                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
-                };
-                const result = yield this.publicApp.acquireTokenByUsernamePassword(requestOptions);
-                return this.handleResult(scopes, this.clientId, result || undefined);
-            }
-            catch (error) {
-                throw this.handleError(scopes, error, options);
-            }
-        });
+function ensureValidScope(scope, logger) {
+    if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
+        const error = new Error("Invalid scope was specified by the user or calling client");
+        logger.getToken.info(formatError(scope, error));
+        throw error;
     }
 }
+/**
+ * Returns the resource out of a scope.
+ * @internal
+ */
+function getScopeResource(scope) {
+    return scope.replace(/\/.default$/, "");
+}
 
 // Copyright (c) Microsoft Corporation.
-const logger$4 = credentialLogger("UsernamePasswordCredential");
 /**
- * Enables authentication to Azure Active Directory with a user's
- * username and password. This credential requires a high degree of
- * trust so you should only use it when other, more secure credential
- * types can't be used.
+ * Mockable reference to the CLI credential cliCredentialFunctions
+ * @internal
  */
-// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),
-// to reduce the number of times we send the password over the network.
-class UsernamePasswordCredential {
+const cliCredentialInternals = {
     /**
-     * Creates an instance of the UsernamePasswordCredential with the details
-     * needed to authenticate against Azure Active Directory with a username
-     * and password.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory).
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param username - The user account's e-mail address (user name).
-     * @param password - The user account's account password
-     * @param options - Options for configuring the client which makes the authentication request.
+     * @internal
      */
-    constructor(tenantId, clientId, username, password, options = {}) {
-        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$4,
-            clientId,
-            tenantId,
-            username,
-            password, tokenCredentialOptions: options || {} }));
-        this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
-    }
+    getSafeWorkingDir() {
+        if (process.platform === "win32") {
+            if (!process.env.SystemRoot) {
+                throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
+            }
+            return process.env.SystemRoot;
+        }
+        else {
+            return "/bin";
+        }
+    },
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * If the user provided the option `disableAutomaticAuthentication`,
-     * once the token can't be retrieved silently,
-     * this method won't attempt to request user interaction to retrieve the token.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
+     * Gets the access token from Azure CLI
+     * @param resource - The resource to use when getting the token
+     * @internal
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
-            }));
+    async getAzureCliAccessToken(resource, tenantId) {
+        let tenantSection = [];
+        if (tenantId) {
+            tenantSection = ["--tenant", tenantId];
+        }
+        return new Promise((resolve, reject) => {
+            try {
+                child_process.execFile("az", [
+                    "account",
+                    "get-access-token",
+                    "--output",
+                    "json",
+                    "--resource",
+                    ...tenantSection,
+                    resource
+                ], { cwd: cliCredentialInternals.getSafeWorkingDir() }, (error, stdout, stderr) => {
+                    resolve({ stdout: stdout, stderr: stderr, error });
+                });
+            }
+            catch (err) {
+                reject(err);
+            }
         });
     }
+};
+const logger$3 = credentialLogger("AzureCliCredential");
+/**
+ * This credential will use the currently logged-in user login information
+ * via the Azure CLI ('az') commandline tool.
+ * To do so, it will read the user access token and expire time
+ * with Azure CLI command "az account get-access-token".
+ * To be able to use this credential, ensure that you have already logged
+ * in via the 'az' tool using the command "az login" from the commandline.
+ */
+class AzureCliCredential {
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Creates an instance of the {@link AzureCliCredential}.
      *
-     * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
-     *                  TokenCredential implementation might make.
+     *                TokenCredential implementation might make.
      */
-    authenticate(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.authenticate`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                yield this.msalFlow.getToken(arrayScopes, newOptions);
-                return this.msalFlow.getActiveAccount();
-            }));
-        });
+    async getToken(scopes, options) {
+        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options);
+        if (tenantId) {
+            checkTenantId(logger$3, tenantId);
+        }
+        const scope = typeof scopes === "string" ? scopes : scopes[0];
+        logger$3.getToken.info(`Using the scope ${scope}`);
+        ensureValidScope(scope, logger$3);
+        const resource = getScopeResource(scope);
+        let responseData = "";
+        const { span } = createSpan("AzureCliCredential-getToken", options);
+        try {
+            const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
+            if (obj.stderr) {
+                const isLoginError = obj.stderr.match("(.*)az login(.*)");
+                const isNotInstallError = obj.stderr.match("az:(.*)not found") || obj.stderr.startsWith("'az' is not recognized");
+                if (isNotInstallError) {
+                    const error = new CredentialUnavailableError("Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+                    logger$3.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                else if (isLoginError) {
+                    const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
+                    logger$3.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                const error = new CredentialUnavailableError(obj.stderr);
+                logger$3.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            else {
+                responseData = obj.stdout;
+                const response = JSON.parse(responseData);
+                logger$3.getToken.info(formatSuccess(scopes));
+                const returnValue = {
+                    token: response.accessToken,
+                    expiresOnTimestamp: new Date(response.expiresOn).getTime()
+                };
+                return returnValue;
+            }
+        }
+        catch (err) {
+            const error = new Error(err.message || "Unknown error while trying to retrieve the access token");
+            span.setStatus({
+                code: coreTracing.SpanStatusCode.ERROR,
+                message: error.message
+            });
+            logger$3.getToken.info(formatError(scopes, error));
+            throw error;
+        }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
 /**
- * Contains the list of all supported environment variable names so that an
- * appropriate error message can be generated when no credentials can be
- * configured.
- *
+ * Easy to mock childProcess utils.
  * @internal
  */
-const AllSupportedEnvironmentVariables = [
-    "AZURE_TENANT_ID",
+const processUtils = {
+    /**
+     * Promisifying childProcess.execFile
+     * @internal
+     */
+    execFile(file, params, options) {
+        return new Promise((resolve, reject) => {
+            child_process.execFile(file, params, options, (error, stdout, stderr) => {
+                if (Buffer.isBuffer(stdout)) {
+                    stdout = stdout.toString("utf8");
+                }
+                if (Buffer.isBuffer(stderr)) {
+                    stderr = stderr.toString("utf8");
+                }
+                if (stderr || error) {
+                    reject(stderr ? new Error(stderr) : error);
+                }
+                else {
+                    resolve(stdout);
+                }
+            });
+        });
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$4 = credentialLogger("AzurePowerShellCredential");
+const isWindows = process.platform === "win32";
+/**
+ * Returns a platform-appropriate command name by appending ".exe" on Windows.
+ *
+ * @internal
+ */
+function formatCommand(commandName) {
+    if (isWindows) {
+        return `${commandName}.exe`;
+    }
+    else {
+        return commandName;
+    }
+}
+/**
+ * Receives a list of commands to run, executes them, then returns the outputs.
+ * If anything fails, an error is thrown.
+ * @internal
+ */
+async function runCommands(commands) {
+    const results = [];
+    for (const command of commands) {
+        const [file, ...parameters] = command;
+        const result = (await processUtils.execFile(file, parameters, { encoding: "utf8" }));
+        results.push(result);
+    }
+    return results;
+}
+/**
+ * Known PowerShell errors
+ * @internal
+ */
+const powerShellErrors = {
+    login: "Run Connect-AzAccount to login",
+    installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory"
+};
+/**
+ * Messages to use when throwing in this credential.
+ * @internal
+ */
+const powerShellPublicErrorMessages = {
+    login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
+    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`
+};
+// PowerShell Azure User not logged in error check.
+const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
+// Az Module not Installed in Azure PowerShell check.
+const isNotInstalledError = (err) => err.message.match(powerShellErrors.installed);
+/**
+ * The PowerShell commands to be tried, in order.
+ *
+ * @internal
+ */
+const commandStack = [formatCommand("pwsh")];
+if (isWindows) {
+    commandStack.push(formatCommand("powershell"));
+}
+/**
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
+ *
+ * To be able to use this credential:
+ * - Install the Azure Az PowerShell module with:
+ *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+ * - You have already logged in to Azure PowerShell using the command
+ * `Connect-AzAccount` from the command line.
+ */
+class AzurePowerShellCredential {
+    /**
+     * Creates an instance of the {@link AzurePowershellCredential}.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
+    }
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    async getAzurePowerShellAccessToken(resource, tenantId) {
+        // Clone the stack to avoid mutating it while iterating
+        for (const powerShellCommand of [...commandStack]) {
+            try {
+                await runCommands([[powerShellCommand, "/?"]]);
+            }
+            catch (e) {
+                // Remove this credential from the original stack so that we don't try it again.
+                commandStack.shift();
+                continue;
+            }
+            let tenantSection = "";
+            if (tenantId) {
+                tenantSection = `-TenantId "${tenantId}"`;
+            }
+            const results = await runCommands([
+                [
+                    powerShellCommand,
+                    "-Command",
+                    "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru"
+                ],
+                [
+                    powerShellCommand,
+                    "-Command",
+                    `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`
+                ]
+            ]);
+            const result = results[1];
+            try {
+                return JSON.parse(result);
+            }
+            catch (e) {
+                throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
+            }
+        }
+        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system.`);
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async () => {
+            const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options);
+            if (tenantId) {
+                checkTenantId(logger$4, tenantId);
+            }
+            const scope = typeof scopes === "string" ? scopes : scopes[0];
+            ensureValidScope(scope, logger$4);
+            logger$4.getToken.info(`Using the scope ${scope}`);
+            const resource = getScopeResource(scope);
+            try {
+                const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
+                logger$4.getToken.info(formatSuccess(scopes));
+                return {
+                    token: response.Token,
+                    expiresOnTimestamp: new Date(response.ExpiresOn).getTime()
+                };
+            }
+            catch (err) {
+                if (isNotInstalledError(err)) {
+                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
+                    logger$4.getToken.info(formatError(scope, error));
+                    throw error;
+                }
+                else if (isLoginError(err)) {
+                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
+                    logger$4.getToken.info(formatError(scope, error));
+                    throw error;
+                }
+                const error = new CredentialUnavailableError(err);
+                logger$4.getToken.info(formatError(scope, error));
+                throw error;
+            }
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
+ */
+class MsalClientSecret extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.msalConfig.auth.clientSecret = options.clientSecret;
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const result = await this.confidentialApp.acquireTokenByClientCredential({
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority
+            });
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$5 = credentialLogger("ClientSecretCredential");
+/**
+ * Enables authentication to Azure Active Directory using a client secret
+ * that was generated for an App Registration. More information on how
+ * to configure a client secret can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
+ *
+ */
+class ClientSecretCredential {
+    /**
+     * Creates an instance of the ClientSecretCredential with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param clientSecret - A client secret that was generated for the App Registration.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, clientSecret, options = {}) {
+        if (!tenantId || !clientId || !clientSecret) {
+            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters.");
+        }
+        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$5,
+            clientId,
+            tenantId,
+            clientSecret, tokenCredentialOptions: options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const readFileAsync = util.promisify(fs.readFile);
+/**
+ * Tries to asynchronously load a certificate from the given path.
+ *
+ * @param certificatePath - Path to the certificate.
+ * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
+ * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
+ * @internal
+ */
+async function parseCertificate(certificatePath, sendCertificateChain) {
+    const certificateParts = {};
+    certificateParts.certificateContents = await readFileAsync(certificatePath, "utf8");
+    if (sendCertificateChain) {
+        certificateParts.x5c = certificateParts.certificateContents;
+    }
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateParts.certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
+        }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    }
+    certificateParts.thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return certificateParts;
+}
+/**
+ * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
+ */
+class MsalClientCertificate extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.certificatePath = options.certificatePath;
+        this.sendCertificateChain = options.sendCertificateChain;
+    }
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        try {
+            const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+            this.msalConfig.auth.clientCertificate = {
+                thumbprint: parts.thumbprint,
+                privateKey: parts.certificateContents,
+                x5c: parts.x5c
+            };
+        }
+        catch (error) {
+            this.logger.info(formatError("", error));
+            throw error;
+        }
+        return super.init(options);
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const result = await this.confidentialApp.acquireTokenByClientCredential({
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority
+            });
+            // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
+            // The Client Credential flow does not return the account information from the authentication service,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$6 = credentialLogger("ClientCertificateCredential");
+/**
+ * Enables authentication to Azure Active Directory using a PEM-encoded
+ * certificate that is assigned to an App Registration. More information
+ * on how to configure certificate authentication can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ *
+ */
+class ClientCertificateCredential {
+    /**
+     * Creates an instance of the ClientCertificateCredential with the details
+     * needed to authenticate against Azure Active Directory with a certificate.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, certificatePath, options = {}) {
+        if (!tenantId || !clientId || !certificatePath) {
+            throw new Error("ClientCertificateCredential: tenantId, clientId, and certificatePath are required parameters.");
+        }
+        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { certificatePath,
+            logger: logger$6,
+            clientId,
+            tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
+ * @internal
+ */
+class MsalUsernamePassword extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.username = options.username;
+        this.password = options.password;
+    }
+    async doGetToken(scopes, options) {
+        try {
+            const requestOptions = {
+                scopes,
+                username: this.username,
+                password: this.password,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                authority: options === null || options === void 0 ? void 0 : options.authority
+            };
+            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (error) {
+            throw this.handleError(scopes, error, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$7 = credentialLogger("UsernamePasswordCredential");
+/**
+ * Enables authentication to Azure Active Directory with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
+ */
+// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),
+// to reduce the number of times we send the password over the network.
+class UsernamePasswordCredential {
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Azure Active Directory with a username
+     * and password.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory).
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param username - The user account's e-mail address (user name).
+     * @param password - The user account's account password
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters.");
+        }
+        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
+            clientId,
+            tenantId,
+            username,
+            password, tokenCredentialOptions: options || {} }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
+ *
+ * @internal
+ */
+const AllSupportedEnvironmentVariables = [
+    "AZURE_TENANT_ID",
     "AZURE_CLIENT_ID",
     "AZURE_CLIENT_SECRET",
     "AZURE_CLIENT_CERTIFICATE_PATH",
     "AZURE_USERNAME",
     "AZURE_PASSWORD"
 ];
-const logger$5 = credentialLogger("EnvironmentCredential");
+const logger$8 = credentialLogger("EnvironmentCredential");
 /**
  * Enables authentication to Azure Active Directory using client secret
  * details configured in the following environment variables:
  *
- * - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
- * - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
- * - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
+ * Required environment variables:
+ * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+ * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+ *
+ * Environment variables used for client credential authentication:
+ * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+ * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+ *
+ * Alternatively, users can provide environment variables for username and password authentication:
+ * - `AZURE_USERNAME`: Username to authenticate with.
+ * - `AZURE_PASSWORD`: Password to authenticate with.
  *
  * This credential ultimately uses a {@link ClientSecretCredential} to
  * perform the authentication using these details.  Please consult the
@@ -1511,10 +2041,22 @@ const logger$5 = credentialLogger("EnvironmentCredential");
  */
 class EnvironmentCredential {
     /**
-     * Creates an instance of the EnvironmentCredential class and reads
-     * client secret details from environment variables.  If the expected
-     * environment variables are not found at this time, the getToken method
-     * will return null when invoked.
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
      *
      * @param options - Options for configuring the client which makes the authentication request.
      */
@@ -1522,26 +2064,26 @@ class EnvironmentCredential {
         // Keep track of any missing environment variables for error details
         this._credential = undefined;
         const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
-        logger$5.info(`Found the following environment variables: ${assigned}`);
+        logger$8.info(`Found the following environment variables: ${assigned}`);
         const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
         if (tenantId) {
-            checkTenantId(logger$5, tenantId);
+            checkTenantId(logger$8, tenantId);
         }
         if (tenantId && clientId && clientSecret) {
-            logger$5.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            logger$8.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
             this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
             return;
         }
         const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
         if (tenantId && clientId && certificatePath) {
-            logger$5.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            logger$8.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
             this._credential = new ClientCertificateCredential(tenantId, clientId, certificatePath, options);
             return;
         }
         const username = process.env.AZURE_USERNAME;
         const password = process.env.AZURE_PASSWORD;
         if (tenantId && clientId && username && password) {
-            logger$5.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            logger$8.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
             this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, options);
         }
     }
@@ -1551,29 +2093,27 @@ class EnvironmentCredential {
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - Optional parameters. See {@link GetTokenOptions}.
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace("EnvironmentCredential.getToken", options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                if (this._credential) {
-                    try {
-                        const result = yield this._credential.getToken(scopes, newOptions);
-                        logger$5.getToken.info(formatSuccess(scopes));
-                        return result;
-                    }
-                    catch (err) {
-                        const authenticationError = new AuthenticationError(400, {
-                            error: "EnvironmentCredential authentication failed.",
-                            error_description: err.message
-                                .toString()
-                                .split("More details:")
-                                .join("")
-                        });
-                        logger$5.getToken.info(formatError(scopes, authenticationError));
-                        throw authenticationError;
-                    }
+    async getToken(scopes, options = {}) {
+        return trace("EnvironmentCredential.getToken", options, async (newOptions) => {
+            if (this._credential) {
+                try {
+                    const result = await this._credential.getToken(scopes, newOptions);
+                    logger$8.getToken.info(formatSuccess(scopes));
+                    return result;
                 }
-                throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used.");
-            }));
+                catch (err) {
+                    const authenticationError = new AuthenticationError(400, {
+                        error: "EnvironmentCredential authentication failed.",
+                        error_description: err.message
+                            .toString()
+                            .split("More details:")
+                            .join("")
+                    });
+                    logger$8.getToken.info(formatError(scopes, authenticationError));
+                    throw authenticationError;
+                }
+            }
+            throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used.");
         });
     }
 }
@@ -1581,16 +2121,25 @@ class EnvironmentCredential {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const DefaultScopeSuffix = "/.default";
-const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+const imdsHost = "http://169.254.169.254";
+const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 const azureArcAPIVersion = "2019-11-01";
 
 // Copyright (c) Microsoft Corporation.
+/**
+ * Most MSIs send requests to the IMDS endpoint, or a similar endpoint. These are GET requests that require sending a `resource` parameter on the query.
+ * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
+ * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
+ *
+ * For that reason, when we encounter multiple scopes, we return undefined.
+ * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
+ */
 function mapScopesToResource(scopes) {
     let scope = "";
     if (Array.isArray(scopes)) {
         if (scopes.length !== 1) {
-            throw new Error("To convert to a resource string the specified array must be exactly length 1");
+            return;
         }
         scope = scopes[0];
     }
@@ -1602,215 +2151,290 @@ function mapScopesToResource(scopes) {
     }
     return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
 }
-function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
-    return tslib.__awaiter(this, void 0, void 0, function* () {
-        const webResource = identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions, tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext }, requestOptions));
-        const tokenResponse = yield identityClient.sendTokenRequest(webResource, expiresInParser);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    });
+async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
+    const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, requestOptions), { allowInsecureConnection: true }));
+    const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);
+    return (tokenResponse && tokenResponse.accessToken) || null;
+}
+
+// Copyright (c) Microsoft Corporation.
+const msiName = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$9 = credentialLogger(msiName);
+function expiresInParser(requestBody) {
+    // Parse a date format like "06/20/2019 02:57:58 +00:00" and
+    // convert it into a JavaScript-formatted date
+    return Date.parse(requestBody.expires_on);
 }
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": "2017-09-01"
+    };
+    if (clientId) {
+        queryParameters.clientid = clientId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    if (!process.env.MSI_SECRET) {
+        throw new Error(`${msiName}: Missing environment variable: MSI_SECRET`);
+    }
+    return {
+        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            secret: process.env.MSI_SECRET
+        })
+    };
+}
+const appServiceMsi2017 = {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$9.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        if (!result) {
+            logger$9.info(`${msiName}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$9.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
+    }
+};
 
 // Copyright (c) Microsoft Corporation.
-const logger$6 = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+const msiName$1 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$a = credentialLogger(msiName$1);
 // Cloud Shell MSI doesn't have a special expiresIn parser.
-const expiresInParser = undefined;
-function prepareRequestOptions(resource, clientId) {
+const expiresInParser$1 = undefined;
+function prepareRequestOptions$1(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
+    }
     const body = {
         resource
     };
     if (clientId) {
         body.client_id = clientId;
     }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$1}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    const params = new URLSearchParams(body);
     return {
         url: process.env.MSI_ENDPOINT,
         method: "POST",
-        body: qs.stringify(body),
-        headers: {
+        body: params.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            Metadata: true,
+            Metadata: "true",
             "Content-Type": "application/x-www-form-urlencoded"
-        }
+        })
     };
 }
 const cloudShellMsi = {
-    isAvailable() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return Boolean(process.env.MSI_ENDPOINT);
-        });
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$a.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+            logger$a.info(`${msiName$1}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            logger$6.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
-            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
-        });
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$a.info(`${msiName$1}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions$1(scopes, clientId), expiresInParser$1, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$7 = credentialLogger("ManagedIdentityCredential - IMDS");
-function expiresInParser$1(requestBody) {
+const msiName$2 = "ManagedIdentityCredential - IMDS";
+const logger$b = credentialLogger(msiName$2);
+function expiresInParser$2(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger$7.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger$b.info(`${msiName$2}: IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
         // If these aren't possible, use expires_in and calculate a timestamp
-        const expires = Date.now() + requestBody.expires_in * 1000;
-        logger$7.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
-        return expires;
-    }
-}
-function prepareRequestOptions$1(resource, clientId) {
-    const queryParameters = {
-        resource,
-        "api-version": imdsApiVersion
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    return {
-        url: imdsEndpoint,
-        method: "GET",
-        queryParameters,
-        headers: {
-            Accept: "application/json",
-            Metadata: true
-        }
-    };
-}
-const imdsMsi = {
-    isAvailable(identityClient, resource, clientId, getTokenOptions) {
-        var _a, _b, _c;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const { span, updatedOptions } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
-            const request = prepareRequestOptions$1(resource, clientId);
-            // This will always be populated, but let's make TypeScript happy
-            if (request.headers) {
-                // Remove the Metadata header to invoke a request error from
-                // IMDS endpoint
-                delete request.headers.Metadata;
-            }
-            request.spanOptions = (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions;
-            request.tracingContext = (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext;
-            try {
-                // Create a request with a timeout since we expect that
-                // not having a "Metadata" header should cause an error to be
-                // returned quickly from the endpoint, proving its availability.
-                const webResource = identityClient.createWebResource(request);
-                webResource.timeout = ((_c = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.requestOptions) === null || _c === void 0 ? void 0 : _c.timeout) || 500;
-                try {
-                    logger$7.info(`Pinging IMDS endpoint`);
-                    yield identityClient.sendRequest(webResource);
-                }
-                catch (err) {
-                    if ((err.name === "RestError" && err.code === coreHttp.RestError.REQUEST_SEND_ERROR) ||
-                        err.name === "AbortError" ||
-                        err.code === "ECONNREFUSED" || // connection refused
-                        err.code === "EHOSTDOWN" // host is down
-                    ) {
-                        // If the request failed, or NodeJS was unable to establish a connection,
-                        // or the host was down, we'll assume the IMDS endpoint isn't available.
-                        logger$7.info(`IMDS endpoint unavailable`);
-                        span.setStatus({
-                            code: coreTracing.SpanStatusCode.ERROR,
-                            message: err.message
-                        });
-                        // IMDS MSI unavailable.
-                        return false;
-                    }
-                }
-                // If we received any response, the endpoint is available
-                logger$7.info(`IMDS endpoint is available`);
-                // IMDS MSI available!
-                return true;
-            }
-            catch (err) {
-                // createWebResource failed.
-                // This error should bubble up to the user.
-                logger$7.info(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`);
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                throw err;
-            }
-            finally {
-                span.end();
-            }
-        });
-    },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            logger$7.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-            return msiGenericGetToken(identityClient, prepareRequestOptions$1(resource, clientId), expiresInParser$1, getTokenOptions);
-        });
+        const expires = Date.now() + requestBody.expires_in * 1000;
+        logger$b.info(`${msiName$2}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        return expires;
     }
-};
-
-// Copyright (c) Microsoft Corporation.
-const logger$8 = credentialLogger("ManagedIdentityCredential - AppServiceMSI 2017");
-function expiresInParser$2(requestBody) {
-    // Parse a date format like "06/20/2019 02:57:58 +00:00" and
-    // convert it into a JavaScript-formatted date
-    return Date.parse(requestBody.expires_on);
 }
-function prepareRequestOptions$2(resource, clientId) {
+function prepareRequestOptions$2(scopes, clientId) {
+    var _a;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
-        "api-version": "2017-09-01"
+        "api-version": imdsApiVersion
     };
     if (clientId) {
-        queryParameters.clientid = clientId;
+        queryParameters.client_id = clientId;
     }
+    const params = new URLSearchParams(queryParameters);
+    const query = params.toString();
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
     return {
-        url: process.env.MSI_ENDPOINT,
+        url: `${url}?${query}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            secret: process.env.MSI_SECRET
-        }
+            Metadata: "true"
+        })
     };
 }
-const appServiceMsi2017 = {
-    isAvailable() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const env = process.env;
-            return Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
-        });
+// 800ms -> 1600ms -> 3200ms
+const imdsMsiRetryConfig = {
+    maxRetries: 3,
+    startDelayInMs: 800,
+    intervalIncrement: 2
+};
+const imdsMsi = {
+    async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
+        var _a, _b;
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$b.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
+        // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            return true;
+        }
+        const requestOptions = prepareRequestOptions$2(resource, clientId);
+        // This will always be populated, but let's make TypeScript happy
+        if (requestOptions.headers) {
+            // Remove the Metadata header to invoke a request error from
+            // IMDS endpoint
+            requestOptions.headers.delete("Metadata");
+        }
+        requestOptions.tracingOptions = options.tracingOptions;
+        try {
+            // Create a request with a timeout since we expect that
+            // not having a "Metadata" header should cause an error to be
+            // returned quickly from the endpoint, proving its availability.
+            const request = coreRestPipeline.createPipelineRequest(requestOptions);
+            request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
+            try {
+                logger$b.info(`${msiName$2}: Pinging the Azure IMDS endpoint`);
+                await identityClient.sendRequest(request);
+            }
+            catch (err) {
+                if ((err.name === "RestError" && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
+                    err.name === "AbortError" ||
+                    err.code === "ENETUNREACH" || // Network unreachable
+                    err.code === "ECONNREFUSED" || // connection refused
+                    err.code === "EHOSTDOWN" // host is down
+                ) {
+                    // If the request failed, or Node.js was unable to establish a connection,
+                    // or the host was down, we'll assume the IMDS endpoint isn't available.
+                    logger$b.info(`${msiName$2}: The Azure IMDS endpoint is unavailable`);
+                    span.setStatus({
+                        code: coreTracing.SpanStatusCode.ERROR,
+                        message: err.message
+                    });
+                    return false;
+                }
+            }
+            // If we received any response, the endpoint is available
+            logger$b.info(`${msiName$2}: The Azure IMDS endpoint is available`);
+            return true;
+        }
+        catch (err) {
+            // createWebResource failed.
+            // This error should bubble up to the user.
+            logger$b.info(`${msiName$2}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
+            span.setStatus({
+                code: coreTracing.SpanStatusCode.ERROR,
+                message: err.message
+            });
+            throw err;
+        }
+        finally {
+            span.end();
+        }
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            logger$8.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-            return msiGenericGetToken(identityClient, prepareRequestOptions$2(resource, clientId), expiresInParser$2, getTokenOptions);
-        });
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$b.info(`${msiName$2}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+        let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
+        for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
+            try {
+                return await msiGenericGetToken(identityClient, prepareRequestOptions$2(scopes, clientId), expiresInParser$2, getTokenOptions);
+            }
+            catch (error) {
+                if (error.statusCode === 404) {
+                    await coreUtil.delay(nextDelayInMs);
+                    nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
+                    continue;
+                }
+                throw error;
+            }
+        }
+        throw new AuthenticationError(404, `${msiName$2}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$9 = credentialLogger("ManagedIdentityCredential - ArcMSI");
+const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$c = credentialLogger(msiName$3);
 // Azure Arc MSI doesn't have a special expiresIn parser.
 const expiresInParser$3 = undefined;
-function prepareRequestOptions$3(resource) {
+function prepareRequestOptions$3(scopes) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": azureArcAPIVersion
     };
-    return {
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    return coreRestPipeline.createPipelineRequest({
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: process.env.IDENTITY_ENDPOINT,
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            Metadata: true
-        }
-    };
+            Metadata: "true"
+        })
+    });
 }
 // Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
-function readFileAsync(path, options) {
+function readFileAsync$1(path, options) {
     return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
         if (err) {
             reject(err);
@@ -1818,500 +2442,326 @@ function readFileAsync(path, options) {
         resolve(data);
     }));
 }
-function filePathRequest(identityClient, requestPrepareOptions) {
-    return tslib.__awaiter(this, void 0, void 0, function* () {
-        const response = yield identityClient.sendRequest(identityClient.createWebResource(requestPrepareOptions));
-        if (response.status !== 401) {
-            let message = "";
-            if (response.bodyAsText) {
-                message = ` Response: ${response.bodyAsText}`;
-            }
-            throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+async function filePathRequest(identityClient, requestPrepareOptions) {
+    const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
+    if (response.status !== 401) {
+        let message = "";
+        if (response.bodyAsText) {
+            message = ` Response: ${response.bodyAsText}`;
         }
-        const authHeader = response.headers.get("www-authenticate") || "";
+        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+    }
+    const authHeader = response.headers.get("www-authenticate") || "";
+    try {
         return authHeader.split("=").slice(1)[0];
-    });
+    }
+    catch (e) {
+        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
+    }
 }
 const arcMsi = {
-    isAvailable() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
-        });
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$c.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        if (!result) {
+            logger$c.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+        }
+        return result;
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            logger$9.info(`Using the Azure Arc MSI to authenticate.`);
-            if (clientId) {
-                throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
-            }
-            const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions$3(resource));
-            const filePath = yield filePathRequest(identityClient, requestOptions);
-            if (!filePath) {
-                throw new Error("Azure Arc MSI failed to find the token file.");
-            }
-            const key = yield readFileAsync(filePath, { encoding: "utf-8" });
-            requestOptions.headers["Authorization"] = `Basic ${key}`;
-            return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
-        });
+    async getToken(configuration, getTokenOptions = {}) {
+        var _a;
+        const { identityClient, scopes, clientId } = configuration;
+        logger$c.info(`${msiName$3}: Authenticating.`);
+        if (clientId) {
+            throw new Error(`${msiName$3}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`);
+        }
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes)), { allowInsecureConnection: true });
+        const filePath = await filePathRequest(identityClient, requestOptions);
+        if (!filePath) {
+            throw new Error(`${msiName$3}: Failed to find the token file.`);
+        }
+        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
+        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
+        return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$a = credentialLogger("ManagedIdentityCredential");
-/**
- * Attempts authentication using a managed identity that has been assigned
- * to the deployment environment.  This authentication type works in Azure VMs,
- * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-class ManagedIdentityCredential {
-    /**
-     * @internal
-     * @hidden
-     */
-    constructor(clientIdOrOptions, options) {
-        this.isEndpointUnavailable = null;
-        if (typeof clientIdOrOptions === "string") {
-            // clientId, options constructor
-            this.clientId = clientIdOrOptions;
-            this.identityClient = new IdentityClient(options);
-        }
-        else {
-            // options only constructor
-            this.identityClient = new IdentityClient(clientIdOrOptions);
+const msiName$4 = "ManagedIdentityCredential - Token Exchange";
+const logger$d = credentialLogger(msiName$4);
+const readFileAsync$2 = util.promisify(fs__default.readFile);
+function expiresInParser$4(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions$4(scopes, clientAssertion, clientId) {
+    var _a;
+    const bodyParams = {
+        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
+        client_assertion: clientAssertion,
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        client_id: clientId,
+        grant_type: "client_credentials"
+    };
+    const urlParams = new URLSearchParams(bodyParams);
+    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
+    return {
+        url: url.toString(),
+        method: "POST",
+        body: urlParams.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json"
+        })
+    };
+}
+function tokenExchangeMsi() {
+    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    let azureFederatedTokenFileContent = undefined;
+    let cacheDate = undefined;
+    // Only reads from the assertion file once every 5 minutes
+    async function readAssertion() {
+        // Cached assertions expire after 5 minutes
+        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
+            azureFederatedTokenFileContent = undefined;
         }
-    }
-    cachedAvailableMSI(resource, clientId, getTokenOptions) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            if (this.cachedMSI) {
-                return this.cachedMSI;
+        if (!azureFederatedTokenFileContent) {
+            const file = await readFileAsync$2(azureFederatedTokenFilePath, "utf8");
+            const value = file.trim();
+            if (!value) {
+                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
             }
-            // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
-            // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
-            const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];
-            for (const msi of MSIs) {
-                if (yield msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {
-                    this.cachedMSI = msi;
-                    return msi;
-                }
+            else {
+                azureFederatedTokenFileContent = value;
+                cacheDate = Date.now();
             }
-            throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
-        });
+        }
+        return azureFederatedTokenFileContent;
     }
-    authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const resource = mapScopesToResource(scopes);
-            const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
-            try {
-                // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-                const availableMSI = yield this.cachedAvailableMSI(resource, clientId, updatedOptions);
-                return availableMSI.getToken(this.identityClient, resource, clientId, updatedOptions);
-            }
-            catch (err) {
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                throw err;
-            }
-            finally {
-                span.end();
+    return {
+        async isAvailable(_scopes, _identityClient, clientId) {
+            const env = process.env;
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            if (!result) {
+                logger$d.info(`${msiName$4}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
-        });
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    getToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            let result = null;
-            const { span, updatedOptions } = createSpan("ManagedIdentityCredential-getToken", options);
+            return result;
+        },
+        async getToken(configuration, getTokenOptions = {}) {
+            const { identityClient, scopes, clientId } = configuration;
+            logger$d.info(`${msiName$4}: Using the client assertion coming from environment variables.`);
+            let assertion;
             try {
-                // isEndpointAvailable can be true, false, or null,
-                // If it's null, it means we don't yet know whether
-                // the endpoint is available and need to check for it.
-                if (this.isEndpointUnavailable !== true) {
-                    result = yield this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);
-                    if (result === null) {
-                        // If authenticateManagedIdentity returns null,
-                        // it means no MSI endpoints are available.
-                        // If so, we avoid trying to reach to them in future requests.
-                        this.isEndpointUnavailable = true;
-                        // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
-                        // yet we had no access token. For this reason, we'll throw once with a specific message:
-                        const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                        logger$a.getToken.info(formatError(scopes, error));
-                        throw error;
-                    }
-                    // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
-                    // We will assume that this endpoint is reachable from this point forward,
-                    // and avoid pinging again to it.
-                    this.isEndpointUnavailable = false;
-                }
-                else {
-                    // We've previously determined that the endpoint was unavailable,
-                    // either because it was unreachable or permanently unable to authenticate.
-                    const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                    logger$a.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                logger$a.getToken.info(formatSuccess(scopes));
-                return result;
+                assertion = await readAssertion();
             }
             catch (err) {
-                // CredentialUnavailable errors are expected to reach here.
-                // We intend them to bubble up, so that DefaultAzureCredential can catch them.
-                if (err.name === "AuthenticationRequiredError") {
-                    throw err;
-                }
-                // Expected errors to reach this point:
-                // - Errors coming from a method unexpectedly breaking.
-                // - When identityClient.sendTokenRequest throws, in which case
-                //   if the status code was 400, it means that the endpoint is working,
-                //   but no identity is available.
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                // If either the network is unreachable,
-                // we can safely assume the credential is unavailable.
-                if (err.code === "ENETUNREACH") {
-                    const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. Network unreachable.");
-                    logger$a.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                // If either the host was unreachable,
-                // we can safely assume the credential is unavailable.
-                if (err.code === "EHOSTUNREACH") {
-                    const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
-                    logger$a.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                // If err.statusCode has a value of 400, it comes from sendTokenRequest,
-                // and it means that the endpoint is working, but that no identity is available.
-                if (err.statusCode === 400) {
-                    throw new CredentialUnavailableError("The managed identity endpoint is indicating there's no available identity");
-                }
-                // If the error has no status code, we can assume there was no available identity.
-                // This will throw silently during any ChainedTokenCredential.
-                if (err.statusCode === undefined) {
-                    throw new CredentialUnavailableError(`ManagedIdentityCredential authentication failed. Message ${err.message}`);
-                }
-                // Any other error should break the chain.
-                throw new AuthenticationError(err.statusCode, {
-                    error: "ManagedIdentityCredential authentication failed.",
-                    error_description: err.message
-                });
-            }
-            finally {
-                // Finally is always called, both if we return and if we throw in the above try/catch.
-                span.end();
+                throw new Error(`${msiName$4}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
             }
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-function getSafeWorkingDir() {
-    if (process.platform === "win32") {
-        if (!process.env.SystemRoot) {
-            throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
-        }
-        return process.env.SystemRoot;
-    }
-    else {
-        return "/bin";
-    }
-}
-const logger$b = credentialLogger("AzureCliCredential");
-/**
- * This credential will use the currently logged-in user login information
- * via the Azure CLI ('az') commandline tool.
- * To do so, it will read the user access token and expire time
- * with Azure CLI command "az account get-access-token".
- * To be able to use this credential, ensure that you have already logged
- * in via the 'az' tool using the command "az login" from the commandline.
- */
-class AzureCliCredential {
-    /**
-     * Gets the access token from Azure CLI
-     * @param resource - The resource to use when getting the token
-     */
-    getAzureCliAccessToken(resource) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return new Promise((resolve, reject) => {
-                try {
-                    child_process.execFile("az", ["account", "get-access-token", "--output", "json", "--resource", resource], { cwd: getSafeWorkingDir() }, (error, stdout, stderr) => {
-                        resolve({ stdout: stdout, stderr: stderr, error });
-                    });
-                }
-                catch (err) {
-                    reject(err);
-                }
-            });
-        });
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    getToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return new Promise((resolve, reject) => {
-                const scope = typeof scopes === "string" ? scopes : scopes[0];
-                logger$b.getToken.info(`Using the scope ${scope}`);
-                const resource = scope.replace(/\/.default$/, "");
-                // Check to make sure the scope we get back is a valid scope
-                if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
-                    const error = new Error("Invalid scope was specified by the user or calling client");
-                    logger$b.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                let responseData = "";
-                const { span } = createSpan("AzureCliCredential-getToken", options);
-                this.getAzureCliAccessToken(resource)
-                    .then((obj) => {
-                    if (obj.stderr) {
-                        const isLoginError = obj.stderr.match("(.*)az login(.*)");
-                        const isNotInstallError = obj.stderr.match("az:(.*)not found") ||
-                            obj.stderr.startsWith("'az' is not recognized");
-                        if (isNotInstallError) {
-                            const error = new CredentialUnavailableError("Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
-                            logger$b.getToken.info(formatError(scopes, error));
-                            throw error;
-                        }
-                        else if (isLoginError) {
-                            const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
-                            logger$b.getToken.info(formatError(scopes, error));
-                            throw error;
-                        }
-                        const error = new CredentialUnavailableError(obj.stderr);
-                        logger$b.getToken.info(formatError(scopes, error));
-                        throw error;
-                    }
-                    else {
-                        responseData = obj.stdout;
-                        const response = JSON.parse(responseData);
-                        logger$b.getToken.info(formatSuccess(scopes));
-                        const returnValue = {
-                            token: response.accessToken,
-                            expiresOnTimestamp: new Date(response.expiresOn).getTime()
-                        };
-                        resolve(returnValue);
-                        return returnValue;
-                    }
-                })
-                    .catch((err) => {
-                    span.setStatus({
-                        code: coreTracing.SpanStatusCode.ERROR,
-                        message: err.message
-                    });
-                    logger$b.getToken.info(formatError(scopes, err));
-                    reject(err);
-                });
-            });
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-let keytar;
-try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    keytar = require("keytar");
-}
-catch (er) {
-    keytar = null;
-}
-const CommonTenantId = "common";
-const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
-const VSCodeUserName = "VS Code Azure";
-const logger$c = credentialLogger("VisualStudioCodeCredential");
-// Map of unsupported Tenant IDs and the errors we will be throwing.
-const unsupportedTenantIds = {
-    adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants."
-};
-function checkUnsupportedTenant(tenantId) {
-    // If the Tenant ID isn't supported, we throw.
-    const unsupportedTenantError = unsupportedTenantIds[tenantId];
-    if (unsupportedTenantError) {
-        throw new CredentialUnavailableError(unsupportedTenantError);
-    }
-}
-const mapVSCodeAuthorityHosts = {
-    AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
-    AzureChina: exports.AzureAuthorityHosts.AzureChina,
-    AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
-    AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment
-};
-/**
- * Attempts to load a specific property from the VSCode configurations of the current OS.
- * If it fails at any point, returns undefined.
- */
-function getPropertyFromVSCode(property) {
-    const settingsPath = ["User", "settings.json"];
-    // Eventually we can add more folders for more versions of VSCode.
-    const vsCodeFolder = "Code";
-    const homedir = os.homedir();
-    function loadProperty(...pathSegments) {
-        const fullPath = path__default.join(...pathSegments, vsCodeFolder, ...settingsPath);
-        const settings = JSON.parse(fs__default.readFileSync(fullPath, { encoding: "utf8" }));
-        return settings[property];
-    }
-    try {
-        let appData;
-        switch (process.platform) {
-            case "win32":
-                appData = process.env.APPDATA;
-                return appData ? loadProperty(appData) : undefined;
-            case "darwin":
-                return loadProperty(homedir, "Library", "Application Support");
-            case "linux":
-                return loadProperty(homedir, ".config");
-            default:
-                return;
+            return msiGenericGetToken(identityClient, prepareRequestOptions$4(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID), expiresInParser$4, getTokenOptions);
         }
-    }
-    catch (e) {
-        logger$c.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
-        return;
-    }
+    };
 }
+
+// Copyright (c) Microsoft Corporation.
+const logger$e = credentialLogger("ManagedIdentityCredential");
 /**
- * Connect to Azure using the credential provided by the VSCode extension 'Azure Account'.
- * Once the user has logged in via the extension, this credential can share the same refresh token
- * that is cached by the extension.
+ * Attempts authentication using a managed identity that has been assigned
+ * to the deployment environment.  This authentication type works in Azure VMs,
+ * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  */
-class VisualStudioCodeCredential {
+class ManagedIdentityCredential {
     /**
-     * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
-     *
-     * @param options - Options for configuring the client which makes the authentication request.
+     * @internal
+     * @hidden
      */
-    constructor(options) {
-        // We want to make sure we use the one assigned by the user on the VSCode settings.
-        // Or just `AzureCloud` by default.
-        this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
-        // Picking an authority host based on the cloud name.
-        const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
-        this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
-        if (options && options.tenantId) {
-            checkTenantId(logger$c, options.tenantId);
-            this.tenantId = options.tenantId;
+    constructor(clientIdOrOptions, options) {
+        this.isEndpointUnavailable = null;
+        if (typeof clientIdOrOptions === "string") {
+            // clientId, options constructor
+            this.clientId = clientIdOrOptions;
+            this.identityClient = new IdentityClient(options);
         }
         else {
-            this.tenantId = CommonTenantId;
+            // options only constructor
+            this.identityClient = new IdentityClient(clientIdOrOptions);
         }
-        checkUnsupportedTenant(this.tenantId);
     }
-    /**
-     * Runs preparations for any further getToken request.
-     */
-    prepare() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            // Attempts to load the tenant from the VSCode configuration file.
-            const settingsTenant = getPropertyFromVSCode("azure.tenant");
-            if (settingsTenant) {
-                this.tenantId = settingsTenant;
+    async cachedAvailableMSI(scopes, clientId, getTokenOptions) {
+        if (this.cachedMSI) {
+            return this.cachedMSI;
+        }
+        // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
+        // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
+        const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
+        for (const msi of MSIs) {
+            if (await msi.isAvailable(scopes, this.identityClient, clientId, getTokenOptions)) {
+                this.cachedMSI = msi;
+                return msi;
             }
-            checkUnsupportedTenant(this.tenantId);
-        });
+        }
+        throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
     }
-    /**
-     * Runs preparations for any further getToken, but only once.
-     */
-    prepareOnce() {
-        if (this.preparePromise) {
-            return this.preparePromise;
+    async authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
+        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
+        try {
+            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
+            const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);
+            return availableMSI.getToken({
+                identityClient: this.identityClient,
+                scopes,
+                clientId
+            }, updatedOptions);
+        }
+        catch (err) {
+            span.setStatus({
+                code: coreTracing.SpanStatusCode.ERROR,
+                message: err.message
+            });
+            throw err;
+        }
+        finally {
+            span.end();
         }
-        this.preparePromise = this.prepare();
-        return this.preparePromise;
     }
     /**
-     * Returns the token found by searching VSCode's authentication cache or
-     * returns null if no token could be found.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
-     *                `TokenCredential` implementation might make.
+     *                TokenCredential implementation might make.
      */
-    getToken(scopes, _options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            yield this.prepareOnce();
-            if (!keytar) {
-                throw new CredentialUnavailableError("Visual Studio Code credential requires the optional dependency 'keytar' to work correctly");
+    async getToken(scopes, options) {
+        let result = null;
+        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-getToken", options);
+        try {
+            // isEndpointAvailable can be true, false, or null,
+            // If it's null, it means we don't yet know whether
+            // the endpoint is available and need to check for it.
+            if (this.isEndpointUnavailable !== true) {
+                result = await this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);
+                if (result === null) {
+                    // If authenticateManagedIdentity returns null,
+                    // it means no MSI endpoints are available.
+                    // If so, we avoid trying to reach to them in future requests.
+                    this.isEndpointUnavailable = true;
+                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
+                    // yet we had no access token. For this reason, we'll throw once with a specific message:
+                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
+                    logger$e.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
+                // We will assume that this endpoint is reachable from this point forward,
+                // and avoid pinging again to it.
+                this.isEndpointUnavailable = false;
             }
-            let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
-            // Check to make sure the scope we get back is a valid scope
-            if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
-                const error = new Error("Invalid scope was specified by the user or calling client");
-                logger$c.getToken.info(formatError(scopes, error));
+            else {
+                // We've previously determined that the endpoint was unavailable,
+                // either because it was unreachable or permanently unable to authenticate.
+                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
+                logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
-            if (scopeString.indexOf("offline_access") < 0) {
-                scopeString += " offline_access";
+            logger$e.getToken.info(formatSuccess(scopes));
+            return result;
+        }
+        catch (err) {
+            // CredentialUnavailable errors are expected to reach here.
+            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
+            if (err.name === "AuthenticationRequiredError") {
+                throw err;
             }
-            // findCredentials returns an array similar to:
-            // [
-            //   {
-            //     account: "",
-            //     password: "",
-            //   },
-            //   /* ... */
-            // ]
-            const credentials = yield keytar.findCredentials(VSCodeUserName);
-            // If we can't find the credential based on the name, we'll pick the first one available.
-            const { password } = credentials.find((cred) => cred.account === this.cloudName) ||
-                credentials[0] ||
-                {};
-            // Assuming we found something, the refresh token is the "password" property.
-            const refreshToken = password;
-            if (refreshToken) {
-                const tokenResponse = yield this.identityClient.refreshAccessToken(this.tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
-                if (tokenResponse) {
-                    logger$c.getToken.info(formatSuccess(scopes));
-                    return tokenResponse.accessToken;
-                }
-                else {
-                    const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently?");
-                    logger$c.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
+            // Expected errors to reach this point:
+            // - Errors coming from a method unexpectedly breaking.
+            // - When identityClient.sendTokenRequest throws, in which case
+            //   if the status code was 400, it means that the endpoint is working,
+            //   but no identity is available.
+            span.setStatus({
+                code: coreTracing.SpanStatusCode.ERROR,
+                message: err.message
+            });
+            // If either the network is unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "ENETUNREACH") {
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`);
+                logger$e.getToken.info(formatError(scopes, error));
+                throw error;
             }
-            else {
-                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension?");
-                logger$c.getToken.info(formatError(scopes, error));
+            // If either the host was unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "EHOSTUNREACH") {
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
-        });
+            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
+            // and it means that the endpoint is working, but that no identity is available.
+            if (err.statusCode === 400) {
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+            }
+            // If the error has no status code, we can assume there was no available identity.
+            // This will throw silently during any ChainedTokenCredential.
+            if (err.statusCode === undefined) {
+                throw new CredentialUnavailableError(`ManagedIdentityCredential authentication failed. Message ${err.message}`);
+            }
+            // Any other error should break the chain.
+            throw new AuthenticationError(err.statusCode, {
+                error: "ManagedIdentityCredential authentication failed.",
+                error_description: err.message
+            });
+        }
+        finally {
+            // Finally is always called, both if we return and if we throw in the above try/catch.
+            span.end();
+        }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
 /**
- * Provides a default {@link ChainedTokenCredential} configuration that should work for most applications that use the Azure SDK.
- * The following credential types will be tried, in order:
+ * A shim around ManagedIdentityCredential that adapts it to accept
+ * `DefaultAzureCredentialOptions`.
+ *
+ * @internal
+ */
+class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
+    constructor(options) {
+        var _a;
+        const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
+        if (managedIdentityClientId !== undefined) {
+            super(managedIdentityClientId, options);
+        }
+        else {
+            super(options);
+        }
+    }
+}
+const defaultCredentials = [
+    EnvironmentCredential,
+    DefaultManagedIdentityCredential,
+    VisualStudioCodeCredential,
+    AzureCliCredential,
+    AzurePowerShellCredential
+];
+/**
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.  The following credential
+ * types will be tried, in order:
  *
  * - {@link EnvironmentCredential}
  * - {@link ManagedIdentityCredential}
- * - {@link AzureCliCredential}
  * - {@link VisualStudioCodeCredential}
+ * - {@link AzureCliCredential}
+ * - {@link AzurePowerShellCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
@@ -2320,24 +2770,15 @@ class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
      */
     constructor(options) {
-        const credentials = [];
-        credentials.push(new EnvironmentCredential(options));
-        // A client ID for the ManagedIdentityCredential
-        // can be provided either through the optional parameters or through the environment variables.
-        const managedIdentityClientId = (options === null || options === void 0 ? void 0 : options.managedIdentityClientId) || process.env.AZURE_CLIENT_ID;
-        // If a client ID is not provided, we will try with the system assigned ID.
-        if (managedIdentityClientId) {
-            credentials.push(new ManagedIdentityCredential(managedIdentityClientId, options));
-        }
-        else {
-            credentials.push(new ManagedIdentityCredential(options));
-        }
-        credentials.push(new AzureCliCredential());
-        credentials.push(new VisualStudioCodeCredential(options));
-        super(...credentials);
+        super(...defaultCredentials.map((ctor) => new ctor(options)));
         this.UnavailableMessage =
             "DefaultAzureCredential => failed to retrieve a token from the included credentials";
     }
@@ -2359,8 +2800,9 @@ const interactiveBrowserMockable = {
 class MsalOpenBrowser extends MsalNode {
     constructor(options) {
         super(options);
-        this.logger = credentialLogger("NodeJS MSAL Open Browser");
+        this.logger = credentialLogger("Node.js MSAL Open Browser");
         this.redirectUri = options.redirectUri;
+        this.loginHint = options.loginHint;
         const url = new URL(this.redirectUri);
         this.port = parseInt(url.port);
         if (isNaN(this.port)) {
@@ -2368,15 +2810,14 @@ class MsalOpenBrowser extends MsalNode {
         }
         this.hostname = url.hostname;
     }
-    acquireTokenByCode(request) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return this.publicApp.acquireTokenByCode(request);
-        });
+    async acquireTokenByCode(request) {
+        return this.publicApp.acquireTokenByCode(request);
     }
     doGetToken(scopes, options) {
         return new Promise((resolve, reject) => {
             const socketToDestroy = [];
             const requestListener = (req, res) => {
+                var _a;
                 if (!req.url) {
                     reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
                     return;
@@ -2392,7 +2833,9 @@ class MsalOpenBrowser extends MsalNode {
                 const tokenRequest = {
                     code: url.searchParams.get("code"),
                     redirectUri: this.redirectUri,
-                    scopes: scopes
+                    scopes: scopes,
+                    authority: options === null || options === void 0 ? void 0 : options.authority,
+                    codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier
                 };
                 this.acquireTokenByCode(tokenRequest)
                     .then((authResponse) => {
@@ -2430,13 +2873,8 @@ class MsalOpenBrowser extends MsalNode {
                 });
             };
             const app = http.createServer(requestListener);
-            const listen = app.listen(this.port, this.hostname, () => this.logger.info(`InteractiveBrowserCredential listening on port ${this.port}!`));
-            app.on("connection", (socket) => socketToDestroy.push(socket));
             const server = stoppable(app);
-            this.openAuthCodeUrl(scopes).catch((e) => {
-                cleanup();
-                reject(e);
-            });
+            const listen = app.listen(this.port, this.hostname, () => this.logger.info(`InteractiveBrowserCredential listening on port ${this.port}!`));
             function cleanup() {
                 if (listen) {
                     listen.close();
@@ -2449,44 +2887,58 @@ class MsalOpenBrowser extends MsalNode {
                     server.stop();
                 }
             }
-            const abortSignal = options === null || options === void 0 ? void 0 : options.abortSignal;
-            if (abortSignal) {
-                abortSignal.addEventListener("abort", () => {
+            app.on("connection", (socket) => socketToDestroy.push(socket));
+            app.on("listening", () => {
+                const openPromise = this.openAuthCodeUrl(scopes, options);
+                const abortSignal = options === null || options === void 0 ? void 0 : options.abortSignal;
+                if (abortSignal) {
+                    abortSignal.addEventListener("abort", () => {
+                        cleanup();
+                        reject(new Error("Aborted"));
+                    });
+                }
+                openPromise.then().catch((e) => {
                     cleanup();
-                    reject(new Error("Aborted"));
+                    reject(e);
                 });
-            }
+            });
         });
     }
-    openAuthCodeUrl(scopeArray) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const authCodeUrlParameters = {
-                scopes: scopeArray,
-                redirectUri: this.redirectUri
-            };
-            const response = yield this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
-            try {
-                yield interactiveBrowserMockable.open(response, { wait: true });
-            }
-            catch (e) {
-                throw new CredentialUnavailableError(`Could not open a browser window. Error: ${e.message}`);
-            }
-        });
+    async openAuthCodeUrl(scopeArray, options) {
+        // Initialize CryptoProvider instance
+        const cryptoProvider = new msalNode.CryptoProvider();
+        // Generate PKCE Codes before starting the authorization flow
+        this.pkceCodes = await cryptoProvider.generatePkceCodes();
+        const authCodeUrlParameters = {
+            scopes: scopeArray,
+            redirectUri: this.redirectUri,
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            loginHint: this.loginHint,
+            codeChallenge: this.pkceCodes.challenge,
+            codeChallengeMethod: "S256" // Use SHA256 Algorithm
+        };
+        const response = await this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
+        try {
+            await interactiveBrowserMockable.open(response, { wait: true });
+        }
+        catch (e) {
+            throw new CredentialUnavailableError(`Could not open a browser window. Error: ${e.message}`);
+        }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$d = credentialLogger("InteractiveBrowserCredential");
+const logger$f = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
  *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On NodeJS, it will open a browser window while it listens for a redirect response from the authentication service.
+ * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+ * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
  * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
  *
- * It's recommended that the AAD Applications used are configured to authenticate using Single Page Applications.
- * More information here: [link](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-app-registration#redirect-uri-msaljs-20-with-auth-code-flow).
+ * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+ * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 class InteractiveBrowserCredential {
     /**
@@ -2498,15 +2950,13 @@ class InteractiveBrowserCredential {
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
-        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$d,
+        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$f,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -2516,33 +2966,30 @@ class InteractiveBrowserCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
-            }));
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
+     * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+     * PKCE is a security feature that mitigates authentication code interception attacks.
+     *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
      *                  TokenCredential implementation might make.
      */
-    authenticate(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.authenticate`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                yield this.msalFlow.getToken(arrayScopes, newOptions);
-                return this.msalFlow.getActiveAccount();
-            }));
+    async authenticate(scopes, options = {}) {
+        return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            await this.msalFlow.getToken(arrayScopes, newOptions);
+            return this.msalFlow.getActiveAccount();
         });
     }
 }
@@ -2557,32 +3004,31 @@ class MsalDeviceCode extends MsalNode {
         super(options);
         this.userPromptCallback = options.userPromptCallback;
     }
-    doGetToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            try {
-                const requestOptions = {
-                    deviceCodeCallback: this.userPromptCallback,
-                    scopes,
-                    cancel: false,
-                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
-                };
-                const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
-                // TODO:
-                // This should work, but it currently doesn't. I'm waiting for an answer from the MSAL team.
-                const deviceResponse = yield this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
-                    requestOptions.cancel = true;
-                });
-                return this.handleResult(scopes, this.clientId, deviceResponse || undefined);
-            }
-            catch (error) {
-                throw this.handleError(scopes, error, options);
-            }
-        });
+    async doGetToken(scopes, options) {
+        try {
+            const requestOptions = {
+                deviceCodeCallback: this.userPromptCallback,
+                scopes,
+                cancel: false,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                authority: options === null || options === void 0 ? void 0 : options.authority
+            };
+            const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
+            // TODO:
+            // This should work, but it currently doesn't. I'm waiting for an answer from the MSAL team.
+            const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
+                requestOptions.cancel = true;
+            });
+            return this.handleResult(scopes, this.clientId, deviceResponse || undefined);
+        }
+        catch (error) {
+            throw this.handleError(scopes, error, options);
+        }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$e = credentialLogger("DeviceCodeCredential");
+const logger$g = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
  * @param deviceCodeInfo - The device code.
@@ -2602,14 +3048,12 @@ class DeviceCodeCredential {
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
-        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$e, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
+        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$g, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -2619,19 +3063,15 @@ class DeviceCodeCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
-            }));
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
@@ -2639,19 +3079,55 @@ class DeviceCodeCredential {
      * @param options - The options used to configure any requests this
      *                  TokenCredential implementation might make.
      */
-    authenticate(scopes, options = {}) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.authenticate`, options, (newOptions) => tslib.__awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                yield this.msalFlow.getToken(arrayScopes, newOptions);
-                return this.msalFlow.getActiveAccount();
-            }));
+    async authenticate(scopes, options = {}) {
+        return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            await this.msalFlow.getToken(arrayScopes, newOptions);
+            return this.msalFlow.getActiveAccount();
         });
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$f = credentialLogger("AuthorizationCodeCredential");
+/**
+ * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
+ * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
+ * @internal
+ */
+class MsalAuthorizationCode extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.logger = credentialLogger("NodeJS MSAL Authorization Code");
+        this.redirectUri = options.redirectUri;
+        this.authorizationCode = options.authorizationCode;
+        if (options.clientSecret) {
+            this.msalConfig.auth.clientSecret = options.clientSecret;
+        }
+    }
+    async getAuthCodeUrl(options) {
+        await this.init();
+        return this.confidentialApp.getAuthCodeUrl(options);
+    }
+    async doGetToken(scopes, options) {
+        var _a;
+        try {
+            const result = await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+                scopes,
+                redirectUri: this.redirectUri,
+                code: this.authorizationCode
+            }));
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$h = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
  * that was obtained through the authorization code flow, described in more detail
@@ -2665,94 +3141,176 @@ class AuthorizationCodeCredential {
      * @internal
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
-        this.lastTokenResponse = null;
-        checkTenantId(logger$f, tenantId);
-        this.clientId = clientId;
-        this.tenantId = tenantId;
+        checkTenantId(logger$h, tenantId);
+        let clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
-            this.clientSecret = clientSecretOrAuthorizationCode;
             this.authorizationCode = authorizationCodeOrRedirectUri;
             this.redirectUri = redirectUriOrOptions;
             // options okay
         }
         else {
             // clientId only
-            this.clientSecret = undefined;
             this.authorizationCode = clientSecretOrAuthorizationCode;
             this.redirectUri = authorizationCodeOrRedirectUri;
+            clientSecret = undefined;
             options = redirectUriOrOptions;
         }
-        this.identityClient = new IdentityClient(options);
+        this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
+            clientId, tokenCredentialOptions: options || {}, logger: logger$h, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options) {
-        var _a, _b;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const { span, updatedOptions } = createSpan("AuthorizationCodeCredential-getToken", options);
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const ApplicationCredentials = [
+    EnvironmentCredential,
+    DefaultManagedIdentityCredential
+];
+/**
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.  The following credential
+ * types will be tried, in order:
+ *
+ * - {@link EnvironmentCredential}
+ * - {@link ManagedIdentityCredential}
+
+ *
+ * Consult the documentation of these credential types for more information
+ * on how they attempt authentication.
+ */
+class ApplicationCredential extends ChainedTokenCredential {
+    /**
+     * Creates an instance of the ApplicationCredential class.
+     *
+     * @param options - Optional parameters. See {@link ApplicationCredentialOptions}.
+     */
+    constructor(options) {
+        super(...ApplicationCredentials.map((ctor) => new ctor(options)));
+        this.UnavailableMessage =
+            "ApplicationCredential => failed to retrieve a token from the included credentials";
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
+ * @internal
+ */
+class MsalOnBehalfOf extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.logger.info("Initialized MSAL's On-Behalf-Of flow");
+        this.requiresConfidential = true;
+        this.userAssertionToken = options.userAssertionToken;
+        this.certificatePath = options.certificatePath;
+        this.sendCertificateChain = options.sendCertificateChain;
+        this.clientSecret = options.clientSecret;
+    }
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        if (this.certificatePath) {
             try {
-                let tokenResponse = null;
-                let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
-                if (scopeString.indexOf("offline_access") < 0) {
-                    scopeString += " offline_access";
-                }
-                // Try to use the refresh token first
-                if (this.lastTokenResponse && this.lastTokenResponse.refreshToken) {
-                    tokenResponse = yield this.identityClient.refreshAccessToken(this.tenantId, this.clientId, scopeString, this.lastTokenResponse.refreshToken, this.clientSecret, undefined, updatedOptions);
-                }
-                if (tokenResponse === null) {
-                    const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);
-                    const webResource = this.identityClient.createWebResource({
-                        url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,
-                        method: "POST",
-                        disableJsonStringifyOnBody: true,
-                        deserializationMapper: undefined,
-                        body: qs.stringify({
-                            client_id: this.clientId,
-                            grant_type: "authorization_code",
-                            scope: scopeString,
-                            code: this.authorizationCode,
-                            redirect_uri: this.redirectUri,
-                            client_secret: this.clientSecret
-                        }),
-                        headers: {
-                            Accept: "application/json",
-                            "Content-Type": "application/x-www-form-urlencoded"
-                        },
-                        abortSignal: options && options.abortSignal,
-                        spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
-                        tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext
-                    });
-                    tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
-                }
-                this.lastTokenResponse = tokenResponse;
-                logger$f.getToken.info(formatSuccess(scopes));
-                const token = tokenResponse && tokenResponse.accessToken;
-                if (!token) {
-                    throw new CredentialUnavailableError("Failed to retrieve a valid token");
-                }
-                return token;
-            }
-            catch (err) {
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                logger$f.getToken.info(formatError(scopes, err));
-                throw err;
+                const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+                this.msalConfig.auth.clientCertificate = {
+                    thumbprint: parts.thumbprint,
+                    privateKey: parts.certificateContents,
+                    x5c: parts.x5c
+                };
             }
-            finally {
-                span.end();
+            catch (error) {
+                this.logger.info(formatError("", error));
+                throw error;
             }
+        }
+        else {
+            this.msalConfig.auth.clientSecret = this.clientSecret;
+        }
+        return super.init(options);
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+                scopes,
+                correlationId: options.correlationId,
+                authority: options.authority,
+                oboAssertion: this.userAssertionToken
+            });
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const credentialName = "OnBehalfOfCredential";
+const logger$i = credentialLogger(credentialName);
+/**
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ */
+class OnBehalfOfCredential {
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param configuration - Configuration specific to this credential.
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(configuration, options = {}) {
+        this.configuration = configuration;
+        this.options = options;
+        const { tenantId, clientId, userAssertionToken } = configuration;
+        const secretConfiguration = configuration;
+        const certificateConfiguration = configuration;
+        if (!tenantId ||
+            !clientId ||
+            !(secretConfiguration.clientSecret || certificateConfiguration.certificatePath) ||
+            !userAssertionToken) {
+            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+        }
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign(Object.assign({}, this.options), this.configuration), { logger: logger$i, tokenCredentialOptions: this.options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
         });
     }
 }
@@ -2767,11 +3325,13 @@ function getDefaultAzureCredential() {
 
 exports.AggregateAuthenticationError = AggregateAuthenticationError;
 exports.AggregateAuthenticationErrorName = AggregateAuthenticationErrorName;
+exports.ApplicationCredential = ApplicationCredential;
 exports.AuthenticationError = AuthenticationError;
 exports.AuthenticationErrorName = AuthenticationErrorName;
 exports.AuthenticationRequiredError = AuthenticationRequiredError;
 exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
 exports.AzureCliCredential = AzureCliCredential;
+exports.AzurePowerShellCredential = AzurePowerShellCredential;
 exports.ChainedTokenCredential = ChainedTokenCredential;
 exports.ClientCertificateCredential = ClientCertificateCredential;
 exports.ClientSecretCredential = ClientSecretCredential;
@@ -2782,10 +3342,12 @@ exports.DeviceCodeCredential = DeviceCodeCredential;
 exports.EnvironmentCredential = EnvironmentCredential;
 exports.InteractiveBrowserCredential = InteractiveBrowserCredential;
 exports.ManagedIdentityCredential = ManagedIdentityCredential;
+exports.OnBehalfOfCredential = OnBehalfOfCredential;
 exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
 exports.logger = logger;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
+exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map