npm - @azure/identity - Versions diffs - 2.0.0-beta.2 → 2.0.0-beta.6 - Mend

@azure/identity 2.0.0-beta.2 → 2.0.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (157) hide show

package/dist-esm/src/credentials/interactiveBrowserCredential.js CHANGED Viewed

@@ -1,6 +1,5 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
 import { credentialLogger } from "../util/logging";
 import { trace } from "../util/tracing";
 import { MsalOpenBrowser } from "../msal/nodeFlows/msalOpenBrowser";
@@ -9,12 +8,12 @@ const logger = credentialLogger("InteractiveBrowserCredential");
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
  *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On NodeJS, it will open a browser window while it listens for a redirect response from the authentication service.
+ * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+ * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
  * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
  *
- * It's recommended that the AAD Applications used are configured to authenticate using Single Page Applications.
- * More information here: [link](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-app-registration#redirect-uri-msaljs-20-with-auth-code-flow).
+ * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+ * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 export class InteractiveBrowserCredential {
     /**
@@ -31,10 +30,8 @@ export class InteractiveBrowserCredential {
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -44,33 +41,30 @@ export class InteractiveBrowserCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => __awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
-            }));
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
+     * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+     * PKCE is a security feature that mitigates authentication code interception attacks.
+     *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
      *                  TokenCredential implementation might make.
      */
-    authenticate(scopes, options = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.authenticate`, options, (newOptions) => __awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                yield this.msalFlow.getToken(arrayScopes, newOptions);
-                return this.msalFlow.getActiveAccount();
-            }));
+    async authenticate(scopes, options = {}) {
+        return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            await this.msalFlow.getToken(arrayScopes, newOptions);
+            return this.msalFlow.getActiveAccount();
         });
     }
 }

package/dist-esm/src/credentials/interactiveBrowserCredential.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"interactiveBrowserCredential.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC~~;;AAKlC~~,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAExC,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAOpE,MAAM,MAAM,GAAG,gBAAgB,CAAC,8BAA8B,CAAC,CAAC;AAEhE;;;;;;;;;;GAUG;AACH,MAAM,OAAO,4BAA4B;IAIvC;;;;OAIG;IACH,YACE,UAA4F,EAAE;QAE9F,MAAM,WAAW,GACf,OAAO,OAAO,CAAC,WAAW,KAAK,UAAU;YACvC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE;YACvB,CAAC,CAAC,OAAO,CAAC,WAAW,IAAI,kBAAkB,CAAC;QAEhD,IAAI,CAAC,QAAQ,GAAG,IAAI,eAAe,iCAC9B,OAAO,KACV,sBAAsB,EAAE,OAAO,EAC/B,MAAM;YACN,WAAW,IACX,CAAC;QACH,IAAI,CAAC,8BAA8B,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,8BAA8B,CAAC;IAChF,CAAC;IAED~~;;;;;;;;;;;;;OAaG~~;~~IACG~~,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE~~;;YACrE~~,OAAO,KAAK,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,~~CAAO~~,UAAU,EAAE,EAAE;~~gBAC9E~~,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;~~gBAC9D~~,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,kCACpC,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IACnE,CAAC;~~YACL~~,CAAC,~~CAAA,~~CAAC,CAAC;~~QACL~~,CAAC;~~KAAA;~~IAED~~;;;;;;;;;;;OAWG~~;~~IACG~~,YAAY,CAChB,MAAyB,EACzB,UAA2B,EAAE~~;;YAE7B~~,OAAO,KAAK,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,EAAE,OAAO,EAAE,~~CAAO~~,UAAU,EAAE,EAAE;~~gBAClF~~,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;~~gBAC9D~~,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;~~gBACtD~~,OAAO,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC;~~YAC1C~~,CAAC,~~CAAA,~~CAAC,CAAC;~~QACL~~,CAAC;~~KAAA;~~CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/* eslint-disable @typescript-eslint/no-unused-vars /\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-~~http~~\";\nimport { credentialLogger } from \"../util/logging\";\nimport { trace } from \"../util/tracing\";\nimport { AuthenticationRecord } from \"../msal/types\";\nimport { MsalOpenBrowser } from \"../msal/nodeFlows/msalOpenBrowser\";\nimport { MsalFlow } from \"../msal/flows\";\nimport {\n InteractiveBrowserCredentialBrowserOptions,\n InteractiveBrowserCredentialOptions\n} from \"./interactiveBrowserCredentialOptions\";\n\nconst logger = credentialLogger(\"InteractiveBrowserCredential\");\n\n/\n Enables authentication to Azure Active Directory inside of the web browser\n * using the interactive login flow.\n \n This credential uses the [Authorization Code Flow](https://docs.microsoft.com/~~en-us/~~azure/active-directory/develop/v2-oauth2-auth-code-flow).\n * On ~~NodeJS~~, it will open a browser window while it listens for a redirect response from the authentication service.\n * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.\n \n ~~It's~~ ~~recommended~~ ~~that~~ the ~~AAD~~ ~~Applications~~ ~~used~~ ~~are~~ configured to ~~authenticate~~ ~~using~~ ~~Single~~ ~~Page~~ ~~Applications~~.\n * ~~More~~ ~~information~~ ~~here:~~ [~~link~~](https://docs.microsoft.com/~~en-us/~~azure/active-directory/develop/scenario-~~spa~~-app-registration#redirect-~~uri-msaljs-20-with-auth-code-flow~~).\n /\nexport class InteractiveBrowserCredential implements TokenCredential {\n private msalFlow: MsalFlow;\n private disableAutomaticAuthentication?: boolean;\n\n /\n Creates an instance of InteractiveBrowserCredential with the details needed.\n \n @param options - Options for configuring the client which makes the authentication requests.\n /\n constructor(\n options: InteractiveBrowserCredentialOptions \| InteractiveBrowserCredentialBrowserOptions = {}\n ) {\n const redirectUri =\n typeof options.redirectUri === \"function\"\n ? options.redirectUri()\n : options.redirectUri \|\| \"http://localhost\";\n\n this.msalFlow = new MsalOpenBrowser({\n ...options,\n tokenCredentialOptions: options,\n logger,\n redirectUri\n });\n this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful~~. If authentication cannot be performed at this time, this method may\~~n * ~~return null.~~ If an ~~error occurs during authentication~~, an {@link ~~AuthenticationError~~}\n * ~~containing~~ ~~failure~~ details ~~will~~ be ~~thrown~~.\n \n If the user provided the option `disableAutomaticAuthentication`,\n * once the token can't be retrieved silently,\n * this method won't attempt to request user interaction to retrieve the token.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n /\n async getToken(scopes: string \| string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n return this.msalFlow.getToken(arrayScopes, {\n ...newOptions,\n disableAutomaticAuthentication: this.disableAutomaticAuthentication\n });\n });\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful~~. If authentication cannot be performed at this time, this method may\~~n * ~~return null.~~ If an ~~error occurs during authentication~~, an {@link ~~AuthenticationError~~}\n * ~~containing~~ ~~failure~~ details ~~will~~ be ~~thrown~~.\n \n If the token can't be retrieved silently, this method will require user interaction to retrieve the token.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n async authenticate(\n scopes: string \| string[],\n options: GetTokenOptions = {}\n ): Promise<AuthenticationRecord \| undefined> {\n return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n await this.msalFlow.getToken(arrayScopes, newOptions);\n return this.msalFlow.getActiveAccount();\n });\n }\n}\n"]}
1	+ {"version":3,"file":"interactiveBrowserCredential.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAMlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAExC,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAOpE,MAAM,MAAM,GAAG,gBAAgB,CAAC,8BAA8B,CAAC,CAAC;AAEhE;;;;;;;;;;GAUG;AACH,MAAM,OAAO,4BAA4B;IAIvC;;;;OAIG;IACH,YACE,UAA4F,EAAE;QAE9F,MAAM,WAAW,GACf,OAAO,OAAO,CAAC,WAAW,KAAK,UAAU;YACvC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE;YACvB,CAAC,CAAC,OAAO,CAAC,WAAW,IAAI,kBAAkB,CAAC;QAEhD,IAAI,CAAC,QAAQ,GAAG,IAAI,eAAe,iCAC9B,OAAO,KACV,sBAAsB,EAAE,OAAO,EAC/B,MAAM;YACN,WAAW,IACX,CAAC;QACH,IAAI,CAAC,8BAA8B,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,8BAA8B,CAAC;IAChF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,KAAK,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YAC9E,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,kCACpC,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IACnE,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,YAAY,CAChB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,KAAK,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YAClF,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/* eslint-disable @typescript-eslint/no-unused-vars /\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\n\nimport { credentialLogger } from \"../util/logging\";\nimport { trace } from \"../util/tracing\";\nimport { AuthenticationRecord } from \"../msal/types\";\nimport { MsalOpenBrowser } from \"../msal/nodeFlows/msalOpenBrowser\";\nimport { MsalFlow } from \"../msal/flows\";\nimport {\n InteractiveBrowserCredentialBrowserOptions,\n InteractiveBrowserCredentialOptions\n} from \"./interactiveBrowserCredentialOptions\";\n\nconst logger = credentialLogger(\"InteractiveBrowserCredential\");\n\n/\n Enables authentication to Azure Active Directory inside of the web browser\n * using the interactive login flow.\n \n This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).\n * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.\n * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.\n \n For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a \"Mobile and desktop applications\" redirect endpoint.\n * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).\n /\nexport class InteractiveBrowserCredential implements TokenCredential {\n private msalFlow: MsalFlow;\n private disableAutomaticAuthentication?: boolean;\n\n /\n Creates an instance of InteractiveBrowserCredential with the details needed.\n \n @param options - Options for configuring the client which makes the authentication requests.\n /\n constructor(\n options: InteractiveBrowserCredentialOptions \| InteractiveBrowserCredentialBrowserOptions = {}\n ) {\n const redirectUri =\n typeof options.redirectUri === \"function\"\n ? options.redirectUri()\n : options.redirectUri \|\| \"http://localhost\";\n\n this.msalFlow = new MsalOpenBrowser({\n ...options,\n tokenCredentialOptions: options,\n logger,\n redirectUri\n });\n this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n \n If the user provided the option `disableAutomaticAuthentication`,\n * once the token can't be retrieved silently,\n * this method won't attempt to request user interaction to retrieve the token.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n /\n async getToken(scopes: string \| string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n return this.msalFlow.getToken(arrayScopes, {\n ...newOptions,\n disableAutomaticAuthentication: this.disableAutomaticAuthentication\n });\n });\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n \n If the token can't be retrieved silently, this method will require user interaction to retrieve the token.\n \n On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.\n * PKCE is a security feature that mitigates authentication code interception attacks.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n async authenticate(\n scopes: string \| string[],\n options: GetTokenOptions = {}\n ): Promise<AuthenticationRecord \| undefined> {\n return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n await this.msalFlow.getToken(arrayScopes, newOptions);\n return this.msalFlow.getActiveAccount();\n });\n }\n}\n"]}

package/dist-esm/src/credentials/interactiveBrowserCredentialOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"interactiveBrowserCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { ~~TokenCredentialOptions~~ } from \"~~../client/identityClient~~\";\nimport { ~~InteractiveCredentialOptions~~ } from \"./~~interactiveCredentialOptions~~\";\n\n/*\n (Browser-only feature)\n * The \"login style\" to use in the authentication flow:\n * - \"redirect\" redirects the user to the authentication page and then\n * redirects them back to the page once authentication is completed.\n * - \"popup\" opens a new browser window through with the redirect flow\n * is initiated. The user's existing browser window does not leave\n * the current page\n /\nexport type BrowserLoginStyle = \"redirect\" \| \"popup\";\n\n/\n Defines the common options for the InteractiveBrowserCredential class.\n /\nexport ~~type~~ InteractiveBrowserCredentialOptions ~~= TokenCredentialOptions &\~~n InteractiveCredentialOptions & {\n /\n Gets the redirect URI of the application. This should be same as the value\n * in the application registration portal. Defaults to `window.location.href`.\n /\n redirectUri?: string \| (() => string);\n\n /\n The Azure Active Directory tenant (directory) ID.\n /\n tenantId?: string;\n\n /\n The client (application) ID of an App Registration in the tenant.\n /\n clientId?: string;\n };\n\n/\n Defines the common options for the InteractiveBrowserCredential class.\n /\nexport ~~type~~ InteractiveBrowserCredentialBrowserOptions = ~~TokenCredentialOptions &\n~~ InteractiveCredentialOptions & {\n /\n Gets the redirect URI of the application. This should be same as the value\n * in the application registration portal. Defaults to `window.location.href`.\n /\n redirectUri?: string \| (() => string);\n\n /\n The Azure Active Directory tenant (directory) ID.\n /\n tenantId?: string;\n\n /\n The client (application) ID of an App Registration in the tenant.\n * This parameter is required on the browser.\n /\n clientId: string;\n\n /\n Specifies whether a redirect or a popup window should be used to\n * initiate the user authentication flow. Possible values are \"redirect\"\n * or \"popup\" (default) for browser and \"popup\" (default) for node.\n \n /\n loginStyle?: BrowserLoginStyle;\n };\n"]}
1	+ {"version":3,"file":"interactiveBrowserCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { InteractiveCredentialOptions } from \"./interactiveCredentialOptions\";\nimport { CredentialPersistenceOptions } from \"./credentialPersistenceOptions\";\n\n/*\n (Browser-only feature)\n * The \"login style\" to use in the authentication flow:\n * - \"redirect\" redirects the user to the authentication page and then\n * redirects them back to the page once authentication is completed.\n * - \"popup\" opens a new browser window through with the redirect flow\n * is initiated. The user's existing browser window does not leave\n * the current page\n /\nexport type BrowserLoginStyle = \"redirect\" \| \"popup\";\n\n/\n Defines the common options for the InteractiveBrowserCredential class.\n /\nexport interface InteractiveBrowserCredentialOptions\n extends InteractiveCredentialOptions,\n CredentialPersistenceOptions {\n /\n Gets the redirect URI of the application. This should be same as the value\n * in the application registration portal. Defaults to `window.location.href`.\n /\n redirectUri?: string \| (() => string);\n\n /\n The Azure Active Directory tenant (directory) ID.\n /\n tenantId?: string;\n\n /\n The client (application) ID of an App Registration in the tenant.\n /\n clientId?: string;\n\n /\n loginHint allows a user name to be pre-selected for interactive logins.\n * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n /\n loginHint?: string;\n}\n\n/\n Defines the common options for the InteractiveBrowserCredential class.\n /\nexport interface InteractiveBrowserCredentialBrowserOptions extends InteractiveCredentialOptions {\n /\n Gets the redirect URI of the application. This should be same as the value\n * in the application registration portal. Defaults to `window.location.href`.\n /\n redirectUri?: string \| (() => string);\n\n /\n The Azure Active Directory tenant (directory) ID.\n /\n tenantId?: string;\n\n /\n The client (application) ID of an App Registration in the tenant.\n * This parameter is required on the browser.\n /\n clientId: string;\n\n /\n Specifies whether a redirect or a popup window should be used to\n * initiate the user authentication flow. Possible values are \"redirect\"\n * or \"popup\" (default) for browser and \"popup\" (default) for node.\n \n /\n loginStyle?: BrowserLoginStyle;\n\n /*\n loginHint allows a user name to be pre-selected for interactive logins.\n * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n */\n loginHint?: string;\n}\n"]}

package/dist-esm/src/credentials/interactiveCredentialOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"interactiveCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\nimport { AuthenticationRecord } from \"../msal/types\";\~~nimport { TokenCachePersistenceOptions } from \"../tokenCache/persistencePlatforms\";\~~n\n/*\n Common constructor options for the Identity credentials that requires user interaction.\n /\nexport interface InteractiveCredentialOptions extends TokenCredentialOptions {\n /\n Result of a previous authentication that can be used to retrieve the cached credentials of each individual account.\n * This is necessary to provide in case the application wants to work with more than one account per\n * Client ID and Tenant ID pair.\n \n This record can be retrieved by calling to the credential's `authenticate()` method, as follows:\n \n const authenticationRecord = await credential.authenticate();\n \n /\n authenticationRecord?: AuthenticationRecord;\n\n /*\n Makes getToken throw if a manual authentication is necessary.\n * Developers will need to call to `authenticate()` to control when to manually authenticate.\n /\n disableAutomaticAuthentication?: boolean;\n~~\n /\n To provide a persistence layer to store the credentials,\n * we allow users to optionally specify {@link TokenCachePersistenceOptions~~} for their credential.\n \n This feature is not currently available on Node 8 or earlier versions of Node JS.\n \n This persistence layer uses DPAPI on Windows.\n * On OSX (Darwin) it tries to use the system's Keychain, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.\n * On Linux it tries to use the system's Keyring, otherwise if the property `allowUnencryptedStorage` is set to true, it uses an unencrypted file.\n */\n tokenCachePersistenceOptions?: TokenCachePersistenceOptions;\n}\n"]}
1	+ {"version":3,"file":"interactiveCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\nimport { AuthenticationRecord } from \"../msal/types\";\n\n/*\n Common constructor options for the Identity credentials that requires user interaction.\n /\nexport interface InteractiveCredentialOptions extends TokenCredentialOptions {\n /\n Result of a previous authentication that can be used to retrieve the cached credentials of each individual account.\n * This is necessary to provide in case the application wants to work with more than one account per\n * Client ID and Tenant ID pair.\n \n This record can be retrieved by calling to the credential's `authenticate()` method, as follows:\n \n const authenticationRecord = await credential.authenticate();\n \n /\n authenticationRecord?: AuthenticationRecord;\n\n /*\n Makes getToken throw if a manual authentication is necessary.\n * Developers will need to call to `authenticate()` to control when to manually authenticate.\n */\n disableAutomaticAuthentication?: boolean;\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js CHANGED Viewed

@@ -1,15 +1,20 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
+import { createHttpHeaders } from "@azure/core-rest-pipeline";
 import { credentialLogger } from "../../util/logging";
-import { msiGenericGetToken } from "./utils";
-const logger = credentialLogger("ManagedIdentityCredential - AppServiceMSI 2017");
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
+const msiName = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger = credentialLogger(msiName);
 function expiresInParser(requestBody) {
     // Parse a date format like "06/20/2019 02:57:58 +00:00" and
     // convert it into a JavaScript-formatted date
     return Date.parse(requestBody.expires_on);
 }
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": "2017-09-01"
@@ -17,28 +22,41 @@ function prepareRequestOptions(resource, clientId) {
     if (clientId) {
         queryParameters.clientid = clientId;
     }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    if (!process.env.MSI_SECRET) {
+        throw new Error(`${msiName}: Missing environment variable: MSI_SECRET`);
+    }
     return {
-        url: process.env.MSI_ENDPOINT,
+        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: createHttpHeaders({
             Accept: "application/json",
             secret: process.env.MSI_SECRET
-        }
+        })
     };
 }
 export const appServiceMsi2017 = {
-    isAvailable() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const env = process.env;
-            return Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
-        });
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        if (!result) {
+            logger.info(`${msiName}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+        }
+        return result;
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            logger.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
-        });
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
     }
 };
 //# sourceMappingURL=appServiceMsi2017.js.map

package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"appServiceMsi2017.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/appServiceMsi2017.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC~~;;AAIlC~~,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;~~AAE7C~~,MAAM,MAAM,GAAG,gBAAgB,CAAC,~~gDAAgD~~,CAAC,CAAC;~~AAElF~~,SAAS,eAAe,CAAC,WAAgB;IACvC,4DAA4D;IAC5D,8CAA8C;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB,CAAC,~~QAAgB~~,EAAE,~~QAAiB~~;~~IAChE~~,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,YAAY;KAC5B,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,QAAQ,GAAG,QAAQ,CAAC;KACrC;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;~~QAC7B~~,MAAM,EAAE,KAAK;QACb,~~eAAe;QACf,~~OAAO,EAAE;~~YACP~~,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;SAC/B;~~KACF~~,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAQ;~~IAC9B~~,WAAW~~;;YACf~~,MAAM,GAAG,GAAG,OAAO,CAAC,~~GAAG~~,CAAC;~~YACxB~~,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;~~QACrD~~,CAAC;~~KAAA~~;~~IACK~~,QAAQ,CACZ,~~cAA8B~~,~~EAC9B~~,~~QAAgB~~,~~EAChB~~,~~QAAiB~~,~~EACjB~~,~~kBAAmC~~,EAAE~~;;YAErC~~,MAAM,CAAC,IAAI,CACT,~~yFAAyF~~,OAAO,CAAC,GAAG,CAAC,YAAY,6BAA6B,~~CAC/I~~,CAAC;~~YAEF~~,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,~~QAAQ~~,EAAE,QAAQ,CAAC,~~EACzC~~,eAAe,EACf,eAAe,CAChB,CAAC;~~QACJ~~,CAAC;~~KAAA;~~CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { ~~AccessToken~~, ~~GetTokenOptions,~~ ~~RequestPrepareOptions~~ } from \"@azure/core-~~http~~\";\nimport { ~~IdentityClient~~ } from \"~~../../client~~/~~identityClient~~\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { MSI } from \"./models\";\nimport { msiGenericGetToken } from \"./utils\";\n\nconst ~~logger~~ = ~~credentialLogger(~~\"ManagedIdentityCredential - AppServiceMSI 2017\");\n\nfunction expiresInParser(requestBody: any): number {\n // Parse a date format like \"06/20/2019 02:57:58 +00:00\" and\n // convert it into a JavaScript-formatted date\n return Date.parse(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(~~resource~~: string, clientId?: string): ~~RequestPrepareOptions~~ {\n const queryParameters: any = {\n resource,\n \"api-version\": \"2017-09-01\"\n };\n\n if (clientId) {\n queryParameters.clientid = clientId;\n }\n\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"GET\",\n ~~queryParameters,\n~~ headers: {\n Accept: \"application/json\",\n secret: process.env.MSI_SECRET\n }\n };\n}\n\nexport const appServiceMsi2017: MSI = {\n async isAvailable(): Promise<boolean> {\n const env = process.env;\n ~~return~~ Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);\n },\n async getToken(\n ~~identityClient~~: ~~IdentityClient~~,\n ~~resource: string,\n clientId?: string,\n~~ getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken \| null> {\n logger.info(\n `Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(~~resource~~, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}
1	+ {"version":3,"file":"appServiceMsi2017.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/appServiceMsi2017.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,iBAAiB,EAA0B,MAAM,2BAA2B,CAAC;AAEtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElE,MAAM,OAAO,GAAG,gDAAgD,CAAC;AACjE,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,SAAS,eAAe,CAAC,WAAgB;IACvC,4DAA4D;IAC5D,8CAA8C;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IAED,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,YAAY;KAC5B,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,QAAQ,GAAG,QAAQ,CAAC;KACrC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,CAAC,CAAC;KAC3E;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,4CAA4C,CAAC,CAAC;KACzE;IAED,OAAO;QACL,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QACtD,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;SAC/B,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAQ;IACpC,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,mFAAmF,CAC9F,CAAC;SACH;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,2FAA2F,OAAO,CAAC,GAAG,CAAC,YAAY,6BAA6B,CAC3J,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { createHttpHeaders, PipelineRequestOptions } from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\n\nconst msiName = \"ManagedIdentityCredential - AppServiceMSI 2017\";\nconst logger = credentialLogger(msiName);\n\nfunction expiresInParser(requestBody: any): number {\n // Parse a date format like \"06/20/2019 02:57:58 +00:00\" and\n // convert it into a JavaScript-formatted date\n return Date.parse(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(\n scopes: string \| string[],\n clientId?: string\n): PipelineRequestOptions {\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n throw new Error(`${msiName}: Multiple scopes are not supported.`);\n }\n\n const queryParameters: any = {\n resource,\n \"api-version\": \"2017-09-01\"\n };\n\n if (clientId) {\n queryParameters.clientid = clientId;\n }\n\n const query = new URLSearchParams(queryParameters);\n\n // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n if (!process.env.MSI_ENDPOINT) {\n throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);\n }\n if (!process.env.MSI_SECRET) {\n throw new Error(`${msiName}: Missing environment variable: MSI_SECRET`);\n }\n\n return {\n url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,\n method: \"GET\",\n headers: createHttpHeaders({\n Accept: \"application/json\",\n secret: process.env.MSI_SECRET\n })\n };\n}\n\nexport const appServiceMsi2017: MSI = {\n async isAvailable(scopes): Promise<boolean> {\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n return false;\n }\n const env = process.env;\n const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);\n if (!result) {\n logger.info(\n `${msiName}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`\n );\n }\n return result;\n },\n async getToken(\n configuration: MSIConfiguration,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken \| null> {\n const { identityClient, scopes, clientId } = configuration;\n\n logger.info(\n `${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(scopes, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js CHANGED Viewed

@@ -1,29 +1,38 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
+import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline";
+import { readFile } from "fs";
 import { credentialLogger } from "../../util/logging";
-import { msiGenericGetToken } from "./utils";
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
 import { azureArcAPIVersion } from "./constants";
 import { AuthenticationError } from "../../client/errors";
-import { readFile } from "fs";
-const logger = credentialLogger("ManagedIdentityCredential - ArcMSI");
+const msiName = "ManagedIdentityCredential - Azure Arc MSI";
+const logger = credentialLogger(msiName);
 // Azure Arc MSI doesn't have a special expiresIn parser.
 const expiresInParser = undefined;
-function prepareRequestOptions(resource) {
+function prepareRequestOptions(scopes) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": azureArcAPIVersion
     };
-    return {
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    return createPipelineRequest({
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: process.env.IDENTITY_ENDPOINT,
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: createHttpHeaders({
             Accept: "application/json",
-            Metadata: true
-        }
-    };
+            Metadata: "true"
+        })
+    });
 }
 // Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
 function readFileAsync(path, options) {
@@ -34,41 +43,51 @@ function readFileAsync(path, options) {
         resolve(data);
     }));
 }
-function filePathRequest(identityClient, requestPrepareOptions) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const response = yield identityClient.sendRequest(identityClient.createWebResource(requestPrepareOptions));
-        if (response.status !== 401) {
-            let message = "";
-            if (response.bodyAsText) {
-                message = ` Response: ${response.bodyAsText}`;
-            }
-            throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+async function filePathRequest(identityClient, requestPrepareOptions) {
+    const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));
+    if (response.status !== 401) {
+        let message = "";
+        if (response.bodyAsText) {
+            message = ` Response: ${response.bodyAsText}`;
         }
-        const authHeader = response.headers.get("www-authenticate") || "";
+        throw new AuthenticationError(response.status, `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+    }
+    const authHeader = response.headers.get("www-authenticate") || "";
+    try {
         return authHeader.split("=").slice(1)[0];
-    });
+    }
+    catch (e) {
+        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
+    }
 }
 export const arcMsi = {
-    isAvailable() {
-        return __awaiter(this, void 0, void 0, function* () {
-            return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
-        });
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        if (!result) {
+            logger.info(`${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+        }
+        return result;
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            logger.info(`Using the Azure Arc MSI to authenticate.`);
-            if (clientId) {
-                throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
-            }
-            const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions(resource));
-            const filePath = yield filePathRequest(identityClient, requestOptions);
-            if (!filePath) {
-                throw new Error("Azure Arc MSI failed to find the token file.");
-            }
-            const key = yield readFileAsync(filePath, { encoding: "utf-8" });
-            requestOptions.headers["Authorization"] = `Basic ${key}`;
-            return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);
-        });
+    async getToken(configuration, getTokenOptions = {}) {
+        var _a;
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Authenticating.`);
+        if (clientId) {
+            throw new Error(`${msiName}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`);
+        }
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes)), { allowInsecureConnection: true });
+        const filePath = await filePathRequest(identityClient, requestOptions);
+        if (!filePath) {
+            throw new Error(`${msiName}: Failed to find the token file.`);
+        }
+        const key = await readFileAsync(filePath, { encoding: "utf-8" });
+        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
+        return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);
     }
 };
 //# sourceMappingURL=arcMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC~~;;AAIlC~~,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;~~AAC7C~~,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;~~AAC1D~~,OAAO,~~EAAE~~,~~QAAQ~~,~~EAAE,MAAM,IAAI,~~CAAC;~~AAE9B~~,MAAM,MAAM,GAAG,gBAAgB,CAAC,~~oCAAoC~~,CAAC,CAAC;~~AAEtE~~,yDAAyD;AACzD,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,~~QAAiB~~;~~IAC9C~~,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,OAAO;~~QACL~~,8EAA8E;QAC9E,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;~~QAClC~~,MAAM,EAAE,KAAK;QACb,~~eAAe;QACf,~~OAAO,EAAE;~~YACP~~,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,~~IAAI~~;~~SACf~~;~~KACF~~,CAAC;~~AACJ~~,CAAC;AAED,+EAA+E;AAC/E,SAAS,aAAa,CAAC,IAAY,EAAE,OAA6B;IAChE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE;YACP,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,~~SAAe~~,eAAe,CAC5B,cAA8B,EAC9B,~~qBAA4C;;QAE5C~~,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,~~CAC/C,cAAc,~~CAAC,~~iBAAiB~~,CAAC,qBAAqB,CAAC,~~CACxD~~,CAAC;~~QAEF~~,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;~~YAC3B~~,IAAI,OAAO,GAAG,EAAE,CAAC;~~YACjB~~,IAAI,QAAQ,CAAC,UAAU,EAAE;~~gBACvB~~,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;~~aAC~~/C;~~YACD~~,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,~~wFAAwF~~,OAAO,EAAE,~~CAClG~~,CAAC;~~SACH~~;~~QAED~~,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;~~QAClE~~,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;~~IAC3C~~,CAAC;~~CAAA~~;AAED,MAAM,CAAC,MAAM,MAAM,GAAQ;~~IACnB~~,WAAW~~;;YACf~~,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;~~QAC7E~~,CAAC;~~KAAA~~;~~IACK~~,~~QAAQ~~,~~CACZ~~,~~cAA8B~~,~~EAC9B~~,~~QAAiB~~,~~EACjB~~,~~QAAiB~~,~~EACjB~~,kBAAmC,EAAE;;~~YAErC~~,MAAM,CAAC,IAAI,CAAC,~~0CAA0C~~,CAAC,CAAC;~~YAExD~~,IAAI,QAAQ,EAAE;~~gBACZ~~,MAAM,IAAI,KAAK,CACb,~~4TAA4T~~,~~CAC7T~~,CAAC;~~aACH~~;~~YAED~~,MAAM,cAAc,~~mBAClB~~,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,~~EACxC~~,~~WAAW~~,~~EAAE,eAAe,~~CAAC,~~cAAc~~,~~IAAI,eAAe,~~CAAC,~~cAAc~~,~~CAAC~~,~~WAAW~~,~~IACtF~~,~~qBAAqB~~,CAAC~~,QAAQ,CAAC,CACnC,CAAC~~;~~YAEF~~,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;~~YAEvE~~,IAAI,CAAC,QAAQ,EAAE;~~gBACb~~,MAAM,IAAI,KAAK,CAAC,~~8CAA8C~~,CAAC,CAAC;~~aACjE~~;~~YAED~~,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;~~YACjE~~,cAAc,CAAC,~~OAAQ~~,CAAC,eAAe,~~CAAC~~,~~GAAG,~~SAAS,GAAG,EAAE,CAAC;~~YAE1D~~,OAAO,kBAAkB,CAAC,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;~~QAC9F~~,CAAC;~~KAAA;~~CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, ~~RequestPrepareOptions~~ } from \"@azure/core-~~http~~\";\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { AuthenticationError } from \"../../client/errors\";\~~nimport~~ { ~~readFile~~ } ~~from~~ \"~~fs\"~~;\n\nconst logger = credentialLogger(~~\"ManagedIdentityCredential - ArcMSI\"~~);\n\n// Azure Arc MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(~~resource?:~~ string): ~~RequestPrepareOptions~~ {\n const queryParameters: any = {\n resource,\n \"api-version\": azureArcAPIVersion\n };\n\n return {\n // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n url: process.env.IDENTITY_ENDPOINT,\n method: \"GET\",\n ~~queryParameters,\n~~ headers: {\n Accept: \"application/json\",\n Metadata: true\n }\n };\n}\n\n// Since \"fs\"'s readFileSync locks the thread, and to avoid extra dependencies.\nfunction readFileAsync(path: string, options: { encoding: string }): Promise<string> {\n return new Promise((resolve, reject) =>\n readFile(path, options, (err, data) => {\n if (err) {\n reject(err);\n }\n resolve(data);\n })\n );\n}\n\nasync function filePathRequest(\n identityClient: IdentityClient,\n requestPrepareOptions: ~~RequestPrepareOptions~~\n): Promise<string \| undefined> {\n const response = await identityClient.sendRequest(~~\n identityClient.createWebResource~~(requestPrepareOptions)\n );\n\n if (response.status !== 401) {\n let message = \"\";\n if (response.bodyAsText) {\n message = ` Response: ${response.bodyAsText}`;\n }\n throw new AuthenticationError(\n response.status,\n `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`\n );\n }\n\n const authHeader = response.headers.get(\"www-authenticate\") \|\| \"\";\n return authHeader.split(\"=\").slice(1)[0];\n}\n\nexport const arcMsi: MSI = {\n async isAvailable(): Promise<boolean> {\n return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n },\n async getToken(\n ~~identityClient~~: ~~IdentityClient~~,\n ~~resource?: string,\n clientId?: string,\n~~ getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken \| null> {\n ~~logger.info(`Using~~ ~~the~~ ~~Azure~~ ~~Arc~~ ~~MSI~~ to ~~authenticate~~.`);\n\n if (clientId) {\n throw new Error(\n \"User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set~~.\"\~~n );\n }\n\n const requestOptions = {\n disableJsonStringifyOnBody: true,\n deserializationMapper: undefined,\n abortSignal: getTokenOptions.abortSignal,\n ~~spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions,\n~~ ...prepareRequestOptions(~~resource~~)\n };\n\n const filePath = await filePathRequest(identityClient, requestOptions);\n\n if (!filePath) {\n throw new Error(~~\"Azure~~ ~~Arc~~ ~~MSI failed~~ to find the token file~~.\"~~);\n }\n\n const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n requestOptions.headers![\"Authorization\"] = `Basic ${key}~~`;\~~n\n return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);\n }\n};\n"]}
1	+ {"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EAEtB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,yDAAyD;AACzD,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,MAAyB;IACtD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IACD,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;KAChF;IAED,OAAO,qBAAqB,CAAC;QAC3B,8EAA8E;QAC9E,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,SAAS,aAAa,CAAC,IAAY,EAAE,OAA6B;IAChE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE;YACP,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA6C;IAE7C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;QAC3B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE;YACvB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;SAC/C;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,GAAG,OAAO,2FAA2F,OAAO,EAAE,CAC/G,CAAC;KACH;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI;QACF,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC1C;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;KACtE;AACH,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,6EAA6E,CACxF,CAAC;SACH;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAC;QAE3C,IAAI,QAAQ,EAAE;YACZ,MAAM,IAAI,KAAK,CACb,GAAG,OAAO,+TAA+T,CAC1U,CAAC;SACH;QAED,MAAM,cAAc,iCAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,qBAAqB,CAAC,MAAM,CAAC,KAChC,uBAAuB,EAAE,IAAI,GAC9B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAEvE,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kCAAkC,CAAC,CAAC;SAC/D;QAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,MAAA,cAAc,CAAC,OAAO,0CAAE,GAAG,CAAC,eAAe,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC;QAE7D,OAAO,kBAAkB,CAAC,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAC9F,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n createHttpHeaders,\n createPipelineRequest,\n PipelineRequestOptions\n} from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { readFile } from \"fs\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { AuthenticationError } from \"../../client/errors\";\n\nconst msiName = \"ManagedIdentityCredential - Azure Arc MSI\";\nconst logger = credentialLogger(msiName);\n\n// Azure Arc MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(scopes: string \| string[]): PipelineRequestOptions {\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n throw new Error(`${msiName}: Multiple scopes are not supported.`);\n }\n const queryParameters: any = {\n resource,\n \"api-version\": azureArcAPIVersion\n };\n\n const query = new URLSearchParams(queryParameters);\n\n // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n if (!process.env.IDENTITY_ENDPOINT) {\n throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);\n }\n\n return createPipelineRequest({\n // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n method: \"GET\",\n headers: createHttpHeaders({\n Accept: \"application/json\",\n Metadata: \"true\"\n })\n });\n}\n\n// Since \"fs\"'s readFileSync locks the thread, and to avoid extra dependencies.\nfunction readFileAsync(path: string, options: { encoding: string }): Promise<string> {\n return new Promise((resolve, reject) =>\n readFile(path, options, (err, data) => {\n if (err) {\n reject(err);\n }\n resolve(data);\n })\n );\n}\n\nasync function filePathRequest(\n identityClient: IdentityClient,\n requestPrepareOptions: PipelineRequestOptions\n): Promise<string \| undefined> {\n const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));\n\n if (response.status !== 401) {\n let message = \"\";\n if (response.bodyAsText) {\n message = ` Response: ${response.bodyAsText}`;\n }\n throw new AuthenticationError(\n response.status,\n `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`\n );\n }\n\n const authHeader = response.headers.get(\"www-authenticate\") \|\| \"\";\n try {\n return authHeader.split(\"=\").slice(1)[0];\n } catch (e) {\n throw Error(`Invalid www-authenticate header format: ${authHeader}`);\n }\n}\n\nexport const arcMsi: MSI = {\n async isAvailable(scopes): Promise<boolean> {\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n return false;\n }\n const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n if (!result) {\n logger.info(\n `${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`\n );\n }\n return result;\n },\n async getToken(\n configuration: MSIConfiguration,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken \| null> {\n const { identityClient, scopes, clientId } = configuration;\n\n logger.info(`${msiName}: Authenticating.`);\n\n if (clientId) {\n throw new Error(\n `${msiName}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`\n );\n }\n\n const requestOptions = {\n disableJsonStringifyOnBody: true,\n deserializationMapper: undefined,\n abortSignal: getTokenOptions.abortSignal,\n ...prepareRequestOptions(scopes),\n allowInsecureConnection: true\n };\n\n const filePath = await filePathRequest(identityClient, requestOptions);\n\n if (!filePath) {\n throw new Error(`${msiName}: Failed to find the token file.`);\n }\n\n const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n requestOptions.headers?.set(\"Authorization\", `Basic ${key}`);\n\n return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js CHANGED Viewed

@@ -1,41 +1,56 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import qs from "qs";
+import { createHttpHeaders } from "@azure/core-rest-pipeline";
 import { credentialLogger } from "../../util/logging";
-import { msiGenericGetToken } from "./utils";
-const logger = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
+const msiName = "ManagedIdentityCredential - CloudShellMSI";
+const logger = credentialLogger(msiName);
 // Cloud Shell MSI doesn't have a special expiresIn parser.
 const expiresInParser = undefined;
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const body = {
         resource
     };
     if (clientId) {
         body.client_id = clientId;
     }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    const params = new URLSearchParams(body);
     return {
         url: process.env.MSI_ENDPOINT,
         method: "POST",
-        body: qs.stringify(body),
-        headers: {
+        body: params.toString(),
+        headers: createHttpHeaders({
             Accept: "application/json",
-            Metadata: true,
+            Metadata: "true",
             "Content-Type": "application/x-www-form-urlencoded"
-        }
+        })
     };
 }
 export const cloudShellMsi = {
-    isAvailable() {
-        return __awaiter(this, void 0, void 0, function* () {
-            return Boolean(process.env.MSI_ENDPOINT);
-        });
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+            logger.info(`${msiName}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            logger.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
-            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
-        });
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
     }
 };
 //# sourceMappingURL=cloudShellMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"cloudShellMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/cloudShellMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAElC,OAAO,EAAE,MAAM,~~IAAI~~,CAAC;~~AAGpB~~,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;~~AAEtD~~,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;~~AAE7C~~,MAAM,MAAM,GAAG,gBAAgB,CAAC,~~2CAA2C~~,CAAC,CAAC;~~AAE7E~~,2DAA2D;AAC3D,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,~~QAAgB~~,EAAE,~~QAAiB~~;~~IAChE~~,MAAM,IAAI,GAAQ;QAChB,QAAQ;KACT,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;KAC3B;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,~~EAAE~~,CAAC,~~SAAS~~,~~CAAC,IAAI,CAAC~~;~~QACxB~~,OAAO,EAAE;~~YACP~~,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,~~IAAI~~;~~YACd~~,cAAc,EAAE,mCAAmC;SACpD;~~KACF~~,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAQ;~~IAC1B~~,WAAW~~;;YACf~~,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;~~QAC3C~~,CAAC;~~KAAA~~;~~IACK~~,QAAQ,CACZ,~~cAA8B~~,~~EAC9B~~,~~QAAgB~~,~~EAChB~~,~~QAAiB~~,~~EACjB~~,~~kBAAmC~~,EAAE~~;;YAErC~~,MAAM,CAAC,IAAI,CACT,~~wEAAwE~~,OAAO,CAAC,GAAG,CAAC,YAAY,~~iEAAiE~~,~~CAClK~~,CAAC;~~YAEF~~,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,~~QAAQ~~,EAAE,QAAQ,CAAC,~~EACzC~~,eAAe,EACf,eAAe,CAChB,CAAC;~~QACJ~~,CAAC;~~KAAA;~~CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport qs from \"qs\";\nimport { AccessToken, GetTokenOptions, ~~RequestPrepareOptions~~ } from \"@azure/core-~~http~~\";\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { ~~IdentityClient~~ ~~} from \"../../client/identityClient\";\nimport {~~ msiGenericGetToken } from \"./utils\";\n\nconst ~~logger~~ = ~~credentialLogger(~~\"ManagedIdentityCredential - CloudShellMSI\");\n\n// Cloud Shell MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(~~resource~~: string, clientId?: string): ~~RequestPrepareOptions~~ {\n const body: any = {\n resource\n };\n\n if (clientId) {\n body.client_id = clientId;\n }\n\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"POST\",\n body: qs.~~stringify~~(~~body~~),\n headers: {\n Accept: \"application/json\",\n Metadata: true,\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }\n };\n}\n\nexport const cloudShellMsi: MSI = {\n async isAvailable(): Promise<boolean> {\n return Boolean(process.env.MSI_ENDPOINT);\n },\n async getToken(\n ~~identityClient~~: ~~IdentityClient~~,\n ~~resource: string,\n clientId?: string,\n~~ getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken \| null> {\n logger.info(\n `Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}~~, and using the Cloud Shell to proceed with the authentication~~.`\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(~~resource~~, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}
1	+ {"version":3,"file":"cloudShellMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/cloudShellMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,iBAAiB,EAA0B,MAAM,2BAA2B,CAAC;AAGtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElE,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,2DAA2D;AAC3D,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IAED,MAAM,IAAI,GAAQ;QAChB,QAAQ;KACT,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;KAC3B;IAED,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,CAAC,CAAC;KAC3E;IACD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;YAChB,cAAc,EAAE,mCAAmC;SACpD,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAQ;IAChC,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,iEAAiE,CAAC,CAAC;SAC1F;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,4EAA4E,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,CAClH,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { createHttpHeaders, PipelineRequestOptions } from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\n\nconst msiName = \"ManagedIdentityCredential - CloudShellMSI\";\nconst logger = credentialLogger(msiName);\n\n// Cloud Shell MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(\n scopes: string \| string[],\n clientId?: string\n): PipelineRequestOptions {\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n throw new Error(`${msiName}: Multiple scopes are not supported.`);\n }\n\n const body: any = {\n resource\n };\n\n if (clientId) {\n body.client_id = clientId;\n }\n\n // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n if (!process.env.MSI_ENDPOINT) {\n throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);\n }\n const params = new URLSearchParams(body);\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"POST\",\n body: params.toString(),\n headers: createHttpHeaders({\n Accept: \"application/json\",\n Metadata: \"true\",\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n })\n };\n}\n\nexport const cloudShellMsi: MSI = {\n async isAvailable(scopes): Promise<boolean> {\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n return false;\n }\n const result = Boolean(process.env.MSI_ENDPOINT);\n if (!result) {\n logger.info(`${msiName}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);\n }\n return result;\n },\n async getToken(\n configuration: MSIConfiguration,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken \| null> {\n const { identityClient, scopes, clientId } = configuration;\n\n logger.info(\n `${msiName}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(scopes, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/constants.js CHANGED Viewed

@@ -1,7 +1,8 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 export const DefaultScopeSuffix = "/.default";
-export const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+export const imdsHost = "http://169.254.169.254";
+export const imdsEndpointPath = "/metadata/identity/oauth2/token";
 export const imdsApiVersion = "2018-02-01";
 export const azureArcAPIVersion = "2019-11-01";
 export const azureFabricVersion = "2019-07-01-preview";

package/dist-esm/src/credentials/managedIdentityCredential/constants.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE9C,MAAM,CAAC,MAAM,~~YAAY~~,GAAG,~~uDAAuD~~,CAAC;~~AACpF~~,MAAM,CAAC,MAAM,cAAc,GAAG,YAAY,CAAC;AAC3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAC/C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport const DefaultScopeSuffix = \"/.default\";\n\nexport const ~~imdsEndpoint~~ = \"http://169.254.169.254/metadata/identity/oauth2/token\";\nexport const imdsApiVersion = \"2018-02-01\";\nexport const azureArcAPIVersion = \"2019-11-01\";\nexport const azureFabricVersion = \"2019-07-01-preview\";\n"]}
1	+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE9C,MAAM,CAAC,MAAM,QAAQ,GAAG,wBAAwB,CAAC;AACjD,MAAM,CAAC,MAAM,gBAAgB,GAAG,iCAAiC,CAAC;AAClE,MAAM,CAAC,MAAM,cAAc,GAAG,YAAY,CAAC;AAC3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAC/C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport const DefaultScopeSuffix = \"/.default\";\n\nexport const imdsHost = \"http://169.254.169.254\";\nexport const imdsEndpointPath = \"/metadata/identity/oauth2/token\";\nexport const imdsApiVersion = \"2018-02-01\";\nexport const azureArcAPIVersion = \"2019-11-01\";\nexport const azureFabricVersion = \"2019-07-01-preview\";\n"]}