npm - @azure/identity - Versions diffs - 2.0.0-beta.3 → 2.0.0 - Mend

@azure/identity 2.0.0-beta.3 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (149) hide show

package/dist-esm/src/credentials/managedIdentityCredential/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAGlC,OAAO,EAAE,cAAc,EAA0B,MAAM,6BAA6B,CAAC;AACrF,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AACtF,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAElC,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D;;;;;;;;GAQG;AACH,MAAM,OAAO,yBAAyB;IAmBpC;;;OAGG;IACH,YACE,iBAA8D,EAC9D,OAAgC;QAtB1B,0BAAqB,GAAmB,IAAI,CAAC;QAwBnD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE;YACzC,gCAAgC;YAChC,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;SACnD;aAAM;YACL,2BAA2B;YAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,iBAAiB,CAAC,CAAC;SAC7D;IACH,CAAC;IAIa,kBAAkB,CAC9B,QAAgB,EAChB,QAAiB,EACjB,eAAiC;;YAEjC,IAAI,IAAI,CAAC,SAAS,EAAE;gBAClB,OAAO,IAAI,CAAC,SAAS,CAAC;aACvB;YAED,8GAA8G;YAC9G,6GAA6G;YAC7G,MAAM,IAAI,GAAG,CAAC,iBAAiB,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAEjE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE;gBACtB,IAAI,MAAM,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,eAAe,CAAC,EAAE;oBACnF,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;oBACrB,OAAO,GAAG,CAAC;iBACZ;aACF;YAED,MAAM,IAAI,0BAA0B,CAAC,yDAAyD,CAAC,CAAC;QAClG,CAAC;KAAA;IAEa,2BAA2B,CACvC,MAAyB,EACzB,QAAiB,EACjB,eAAiC;;YAEjC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,UAAU,CACzC,uDAAuD,EACvD,eAAe,CAChB,CAAC;YAEF,IAAI;gBACF,oGAAoG;gBACpG,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;gBAEvF,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;aACvF;YAAC,OAAO,GAAG,EAAE;gBACZ,IAAI,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,cAAc,CAAC,KAAK;oBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;aACX;oBAAS;gBACR,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;QACH,CAAC;KAAA;IAED;;;;;;;;;OASG;IACU,QAAQ,CACnB,MAAyB,EACzB,OAAyB;;YAEzB,IAAI,MAAM,GAAuB,IAAI,CAAC;YAEtC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,UAAU,CAAC,oCAAoC,EAAE,OAAO,CAAC,CAAC;YAE3F,IAAI;gBACF,mDAAmD;gBACnD,mDAAmD;gBACnD,sDAAsD;gBACtD,IAAI,IAAI,CAAC,qBAAqB,KAAK,IAAI,EAAE;oBACvC,MAAM,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;oBAEvF,IAAI,MAAM,KAAK,IAAI,EAAE;wBACnB,+CAA+C;wBAC/C,2CAA2C;wBAC3C,8DAA8D;wBAC9D,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC;wBAElC,qGAAqG;wBACrG,yFAAyF;wBACzF,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,CAC1E,CAAC;wBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;wBACjD,MAAM,KAAK,CAAC;qBACb;oBAED,iFAAiF;oBACjF,0EAA0E;oBAC1E,iCAAiC;oBACjC,IAAI,CAAC,qBAAqB,GAAG,KAAK,CAAC;iBACpC;qBAAM;oBACL,iEAAiE;oBACjE,2EAA2E;oBAC3E,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,0DAA0D,CAC3D,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;iBACb;gBAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5C,OAAO,MAAM,CAAC;aACf;YAAC,OAAO,GAAG,EAAE;gBACZ,2DAA2D;gBAC3D,8EAA8E;gBAC9E,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE;oBAC9C,MAAM,GAAG,CAAC;iBACX;gBAED,uCAAuC;gBACvC,uDAAuD;gBACvD,+DAA+D;gBAC/D,uEAAuE;gBACvE,kCAAkC;gBAElC,IAAI,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,cAAc,CAAC,KAAK;oBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBAEH,wCAAwC;gBACxC,sDAAsD;gBACtD,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE;oBAC9B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,gEAAgE,CACjE,CAAC;oBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;iBACb;gBAED,sCAAsC;gBACtC,sDAAsD;gBACtD,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE;oBAC/B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,+EAA+E,CAChF,CAAC;oBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;iBACb;gBAED,wEAAwE;gBACxE,gFAAgF;gBAChF,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE;oBAC1B,MAAM,IAAI,0BAA0B,CAClC,2EAA2E,CAC5E,CAAC;iBACH;gBAED,kFAAkF;gBAClF,8DAA8D;gBAC9D,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE;oBAChC,MAAM,IAAI,0BAA0B,CAClC,4DAA4D,GAAG,CAAC,OAAO,EAAE,CAC1E,CAAC;iBACH;gBAED,0CAA0C;gBAC1C,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,EAAE;oBAC5C,KAAK,EAAE,kDAAkD;oBACzD,iBAAiB,EAAE,GAAG,CAAC,OAAO;iBAC/B,CAAC,CAAC;aACJ;oBAAS;gBACR,sFAAsF;gBACtF,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;QACH,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-http\";\nimport { IdentityClient, TokenCredentialOptions } from \"../../client/identityClient\";\nimport { createSpan } from \"../../util/tracing\";\nimport { AuthenticationError, CredentialUnavailableError } from \"../../client/errors\";\nimport { SpanStatusCode } from \"@azure/core-tracing\";\nimport { credentialLogger, formatSuccess, formatError } from \"../../util/logging\";\nimport { mapScopesToResource } from \"./utils\";\nimport { cloudShellMsi } from \"./cloudShellMsi\";\nimport { imdsMsi } from \"./imdsMsi\";\nimport { MSI } from \"./models\";\nimport { appServiceMsi2017 } from \"./appServiceMsi2017\";\nimport { arcMsi } from \"./arcMsi\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n/*\n Attempts authentication using a managed identity that has been assigned\n * to the deployment environment. This authentication type works in Azure VMs,\n * App Service and Azure Functions applications, and inside of Azure Cloud Shell.\n \n More information about configuring managed identities can be found here:\n \n https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview\n /\nexport class ManagedIdentityCredential implements TokenCredential {\n private identityClient: IdentityClient;\n private clientId: string \| undefined;\n private isEndpointUnavailable: boolean \| null = null;\n\n /\n Creates an instance of ManagedIdentityCredential with the client ID of a\n * user-assigned identity.\n \n @param clientId - The client ID of the user-assigned identity.\n * @param options - Options for configuring the client which makes the access token request.\n /\n constructor(clientId: string, options?: TokenCredentialOptions);\n /\n Creates an instance of ManagedIdentityCredential\n \n @param options - Options for configuring the client which makes the access token request.\n /\n constructor(options?: TokenCredentialOptions);\n /\n @internal\n * @hidden\n /\n constructor(\n clientIdOrOptions: string \| TokenCredentialOptions \| undefined,\n options?: TokenCredentialOptions\n ) {\n if (typeof clientIdOrOptions === \"string\") {\n // clientId, options constructor\n this.clientId = clientIdOrOptions;\n this.identityClient = new IdentityClient(options);\n } else {\n // options only constructor\n this.identityClient = new IdentityClient(clientIdOrOptions);\n }\n }\n\n private cachedMSI: MSI \| undefined;\n\n private async cachedAvailableMSI(\n resource: string,\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<MSI> {\n if (this.cachedMSI) {\n return this.cachedMSI;\n }\n\n // \"fabricMsi\" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,\n // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.\n const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];\n\n for (const msi of MSIs) {\n if (await msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {\n this.cachedMSI = msi;\n return msi;\n }\n }\n\n throw new CredentialUnavailableError(\"ManagedIdentityCredential - No MSI credential available\");\n }\n\n private async authenticateManagedIdentity(\n scopes: string \| string[],\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<AccessToken \| null> {\n const resource = mapScopesToResource(scopes);\n const { span, updatedOptions } = createSpan(\n \"ManagedIdentityCredential-authenticateManagedIdentity\",\n getTokenOptions\n );\n\n try {\n // Determining the available MSI, and avoiding checking for other MSIs while the program is running.\n const availableMSI = await this.cachedAvailableMSI(resource, clientId, updatedOptions);\n\n return availableMSI.getToken(this.identityClient, resource, clientId, updatedOptions);\n } catch (err) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message\n });\n throw err;\n } finally {\n span.end();\n }\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful. If authentication cannot be performed at this time, this method may\n * return null. If an error occurs during authentication, an {@link AuthenticationError}\n * containing failure details will be thrown.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string \| string[],\n options?: GetTokenOptions\n ): Promise<AccessToken> {\n let result: AccessToken \| null = null;\n\n const { span, updatedOptions } = createSpan(\"ManagedIdentityCredential-getToken\", options);\n\n try {\n // isEndpointAvailable can be true, false, or null,\n // If it's null, it means we don't yet know whether\n // the endpoint is available and need to check for it.\n if (this.isEndpointUnavailable !== true) {\n result = await this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);\n\n if (result === null) {\n // If authenticateManagedIdentity returns null,\n // it means no MSI endpoints are available.\n // If so, we avoid trying to reach to them in future requests.\n this.isEndpointUnavailable = true;\n\n // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),\n // yet we had no access token. For this reason, we'll throw once with a specific message:\n const error = new CredentialUnavailableError(\n \"The managed identity endpoint was reached, yet no tokens were received.\"\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n // Since `authenticateManagedIdentity` didn't throw, and the result was not null,\n // We will assume that this endpoint is reachable from this point forward,\n // and avoid pinging again to it.\n this.isEndpointUnavailable = false;\n } else {\n // We've previously determined that the endpoint was unavailable,\n // either because it was unreachable or permanently unable to authenticate.\n const error = new CredentialUnavailableError(\n \"The managed identity endpoint is not currently available\"\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n logger.getToken.info(formatSuccess(scopes));\n return result;\n } catch (err) {\n // CredentialUnavailable errors are expected to reach here.\n // We intend them to bubble up, so that DefaultAzureCredential can catch them.\n if (err.name === \"AuthenticationRequiredError\") {\n throw err;\n }\n\n // Expected errors to reach this point:\n // - Errors coming from a method unexpectedly breaking.\n // - When identityClient.sendTokenRequest throws, in which case\n // if the status code was 400, it means that the endpoint is working,\n // but no identity is available.\n\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message\n });\n\n // If either the network is unreachable,\n // we can safely assume the credential is unavailable.\n if (err.code === \"ENETUNREACH\") {\n const error = new CredentialUnavailableError(\n \"ManagedIdentityCredential is unavailable. Network unreachable.\"\n );\n\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n // If either the host was unreachable,\n // we can safely assume the credential is unavailable.\n if (err.code === \"EHOSTUNREACH\") {\n const error = new CredentialUnavailableError(\n \"ManagedIdentityCredential is unavailable. No managed identity endpoint found.\"\n );\n\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n // If err.statusCode has a value of 400, it comes from sendTokenRequest,\n // and it means that the endpoint is working, but that no identity is available.\n if (err.statusCode === 400) {\n throw new CredentialUnavailableError(\n \"The managed identity endpoint is indicating there's no available identity\"\n );\n }\n\n // If the error has no status code, we can assume there was no available identity.\n // This will throw silently during any ChainedTokenCredential.\n if (err.statusCode === undefined) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential authentication failed. Message ${err.message}`\n );\n }\n\n // Any other error should break the chain.\n throw new AuthenticationError(err.statusCode, {\n error: \"ManagedIdentityCredential authentication failed.\",\n error_description: err.message\n });\n } finally {\n // Finally is always called, both if we return and if we throw in the above try/catch.\n span.end();\n }\n }\n}\n"]}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAGrD,OAAO,EAAE,cAAc,EAA0B,MAAM,6BAA6B,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAClC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D;;;;;;;;GAQG;AACH,MAAM,OAAO,yBAAyB;IAmBpC;;;OAGG;IACH,YACE,iBAA8D,EAC9D,OAAgC;QAtB1B,0BAAqB,GAAmB,IAAI,CAAC;QAwBnD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE;YACzC,gCAAgC;YAChC,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;SACnD;aAAM;YACL,2BAA2B;YAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,iBAAiB,CAAC,CAAC;SAC7D;IACH,CAAC;IAIO,KAAK,CAAC,kBAAkB,CAC9B,MAAyB,EACzB,QAAiB,EACjB,eAAiC;QAEjC,IAAI,IAAI,CAAC,SAAS,EAAE;YAClB,OAAO,IAAI,CAAC,SAAS,CAAC;SACvB;QAED,8GAA8G;QAC9G,6GAA6G;QAC7G,MAAM,IAAI,GAAG,CAAC,iBAAiB,EAAE,aAAa,EAAE,MAAM,EAAE,gBAAgB,EAAE,EAAE,OAAO,CAAC,CAAC;QAErF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE;YACtB,IAAI,MAAM,GAAG,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,EAAE,eAAe,CAAC,EAAE;gBACjF,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;gBACrB,OAAO,GAAG,CAAC;aACZ;SACF;QAED,MAAM,IAAI,0BAA0B,CAAC,yDAAyD,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAyB,EACzB,QAAiB,EACjB,eAAiC;QAEjC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,UAAU,CACzC,uDAAuD,EACvD,eAAe,CAChB,CAAC;QAEF,IAAI;YACF,oGAAoG;YACpG,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;YAErF,OAAO,YAAY,CAAC,QAAQ,CAC1B;gBACE,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,MAAM;gBACN,QAAQ;aACT,EACD,cAAc,CACf,CAAC;SACH;QAAC,OAAO,GAAG,EAAE;YACZ,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,cAAc,CAAC,KAAK;gBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;SACX;gBAAS;YACR,IAAI,CAAC,GAAG,EAAE,CAAC;SACZ;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,MAAM,GAAuB,IAAI,CAAC;QAEtC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,UAAU,CAAC,oCAAoC,EAAE,OAAO,CAAC,CAAC;QAE3F,IAAI;YACF,mDAAmD;YACnD,mDAAmD;YACnD,sDAAsD;YACtD,IAAI,IAAI,CAAC,qBAAqB,KAAK,IAAI,EAAE;gBACvC,MAAM,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;gBAEvF,IAAI,MAAM,KAAK,IAAI,EAAE;oBACnB,+CAA+C;oBAC/C,2CAA2C;oBAC3C,8DAA8D;oBAC9D,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC;oBAElC,qGAAqG;oBACrG,yFAAyF;oBACzF,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,CAC1E,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;iBACb;gBAED,iFAAiF;gBACjF,0EAA0E;gBAC1E,iCAAiC;gBACjC,IAAI,CAAC,qBAAqB,GAAG,KAAK,CAAC;aACpC;iBAAM;gBACL,iEAAiE;gBACjE,2EAA2E;gBAC3E,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,0DAA0D,CAC3D,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;aACb;YAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5C,OAAO,MAAM,CAAC;SACf;QAAC,OAAO,GAAG,EAAE;YACZ,2DAA2D;YAC3D,8EAA8E;YAC9E,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE;gBAC9C,MAAM,GAAG,CAAC;aACX;YAED,uCAAuC;YACvC,uDAAuD;YACvD,+DAA+D;YAC/D,uEAAuE;YACvE,kCAAkC;YAElC,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,cAAc,CAAC,KAAK;gBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YAEH,wCAAwC;YACxC,sDAAsD;YACtD,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE;gBAC9B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,2EAA2E,GAAG,CAAC,OAAO,EAAE,CACzF,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;aACb;YAED,sCAAsC;YACtC,sDAAsD;YACtD,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE;gBAC/B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,0FAA0F,GAAG,CAAC,OAAO,EAAE,CACxG,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;aACb;YAED,wEAAwE;YACxE,gFAAgF;YAChF,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE;gBAC1B,MAAM,IAAI,0BAA0B,CAClC,kHAAkH,GAAG,CAAC,OAAO,EAAE,CAChI,CAAC;aACH;YAED,kFAAkF;YAClF,8DAA8D;YAC9D,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE;gBAChC,MAAM,IAAI,0BAA0B,CAClC,4DAA4D,GAAG,CAAC,OAAO,EAAE,CAC1E,CAAC;aACH;YAED,0CAA0C;YAC1C,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,EAAE;gBAC5C,KAAK,EAAE,kDAAkD;gBACzD,iBAAiB,EAAE,GAAG,CAAC,OAAO;aAC/B,CAAC,CAAC;SACJ;gBAAS;YACR,sFAAsF;YACtF,IAAI,CAAC,GAAG,EAAE,CAAC;SACZ;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { SpanStatusCode } from \"@azure/core-tracing\";\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\n\nimport { IdentityClient, TokenCredentialOptions } from \"../../client/identityClient\";\nimport { AuthenticationError, CredentialUnavailableError } from \"../../errors\";\nimport { credentialLogger, formatSuccess, formatError } from \"../../util/logging\";\nimport { appServiceMsi2017 } from \"./appServiceMsi2017\";\nimport { createSpan } from \"../../util/tracing\";\nimport { cloudShellMsi } from \"./cloudShellMsi\";\nimport { imdsMsi } from \"./imdsMsi\";\nimport { MSI } from \"./models\";\nimport { arcMsi } from \"./arcMsi\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n/*\n Attempts authentication using a managed identity that has been assigned\n * to the deployment environment. This authentication type works in Azure VMs,\n * App Service and Azure Functions applications, and inside of Azure Cloud Shell.\n \n More information about configuring managed identities can be found here:\n \n https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview\n /\nexport class ManagedIdentityCredential implements TokenCredential {\n private identityClient: IdentityClient;\n private clientId: string \| undefined;\n private isEndpointUnavailable: boolean \| null = null;\n\n /\n Creates an instance of ManagedIdentityCredential with the client ID of a\n * user-assigned identity, or app registration (when working with AKS pod-identity).\n \n @param clientId - The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).\n * @param options - Options for configuring the client which makes the access token request.\n /\n constructor(clientId: string, options?: TokenCredentialOptions);\n /\n Creates an instance of ManagedIdentityCredential\n \n @param options - Options for configuring the client which makes the access token request.\n /\n constructor(options?: TokenCredentialOptions);\n /\n @internal\n * @hidden\n /\n constructor(\n clientIdOrOptions: string \| TokenCredentialOptions \| undefined,\n options?: TokenCredentialOptions\n ) {\n if (typeof clientIdOrOptions === \"string\") {\n // clientId, options constructor\n this.clientId = clientIdOrOptions;\n this.identityClient = new IdentityClient(options);\n } else {\n // options only constructor\n this.identityClient = new IdentityClient(clientIdOrOptions);\n }\n }\n\n private cachedMSI: MSI \| undefined;\n\n private async cachedAvailableMSI(\n scopes: string \| string[],\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<MSI> {\n if (this.cachedMSI) {\n return this.cachedMSI;\n }\n\n // \"fabricMsi\" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,\n // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.\n const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];\n\n for (const msi of MSIs) {\n if (await msi.isAvailable(scopes, this.identityClient, clientId, getTokenOptions)) {\n this.cachedMSI = msi;\n return msi;\n }\n }\n\n throw new CredentialUnavailableError(\"ManagedIdentityCredential - No MSI credential available\");\n }\n\n private async authenticateManagedIdentity(\n scopes: string \| string[],\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<AccessToken \| null> {\n const { span, updatedOptions } = createSpan(\n \"ManagedIdentityCredential-authenticateManagedIdentity\",\n getTokenOptions\n );\n\n try {\n // Determining the available MSI, and avoiding checking for other MSIs while the program is running.\n const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);\n\n return availableMSI.getToken(\n {\n identityClient: this.identityClient,\n scopes,\n clientId\n },\n updatedOptions\n );\n } catch (err) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message\n });\n throw err;\n } finally {\n span.end();\n }\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string \| string[],\n options?: GetTokenOptions\n ): Promise<AccessToken> {\n let result: AccessToken \| null = null;\n\n const { span, updatedOptions } = createSpan(\"ManagedIdentityCredential.getToken\", options);\n\n try {\n // isEndpointAvailable can be true, false, or null,\n // If it's null, it means we don't yet know whether\n // the endpoint is available and need to check for it.\n if (this.isEndpointUnavailable !== true) {\n result = await this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);\n\n if (result === null) {\n // If authenticateManagedIdentity returns null,\n // it means no MSI endpoints are available.\n // If so, we avoid trying to reach to them in future requests.\n this.isEndpointUnavailable = true;\n\n // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),\n // yet we had no access token. For this reason, we'll throw once with a specific message:\n const error = new CredentialUnavailableError(\n \"The managed identity endpoint was reached, yet no tokens were received.\"\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n // Since `authenticateManagedIdentity` didn't throw, and the result was not null,\n // We will assume that this endpoint is reachable from this point forward,\n // and avoid pinging again to it.\n this.isEndpointUnavailable = false;\n } else {\n // We've previously determined that the endpoint was unavailable,\n // either because it was unreachable or permanently unable to authenticate.\n const error = new CredentialUnavailableError(\n \"The managed identity endpoint is not currently available\"\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n logger.getToken.info(formatSuccess(scopes));\n return result;\n } catch (err) {\n // CredentialUnavailable errors are expected to reach here.\n // We intend them to bubble up, so that DefaultAzureCredential can catch them.\n if (err.name === \"AuthenticationRequiredError\") {\n throw err;\n }\n\n // Expected errors to reach this point:\n // - Errors coming from a method unexpectedly breaking.\n // - When identityClient.sendTokenRequest throws, in which case\n // if the status code was 400, it means that the endpoint is working,\n // but no identity is available.\n\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message\n });\n\n // If either the network is unreachable,\n // we can safely assume the credential is unavailable.\n if (err.code === \"ENETUNREACH\") {\n const error = new CredentialUnavailableError(\n `ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`\n );\n\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n // If either the host was unreachable,\n // we can safely assume the credential is unavailable.\n if (err.code === \"EHOSTUNREACH\") {\n const error = new CredentialUnavailableError(\n `ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`\n );\n\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n // If err.statusCode has a value of 400, it comes from sendTokenRequest,\n // and it means that the endpoint is working, but that no identity is available.\n if (err.statusCode === 400) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`\n );\n }\n\n // If the error has no status code, we can assume there was no available identity.\n // This will throw silently during any ChainedTokenCredential.\n if (err.statusCode === undefined) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential authentication failed. Message ${err.message}`\n );\n }\n\n // Any other error should break the chain.\n throw new AuthenticationError(err.statusCode, {\n error: \"ManagedIdentityCredential authentication failed.\",\n error_description: err.message\n });\n } finally {\n // Finally is always called, both if we return and if we throw in the above try/catch.\n span.end();\n }\n }\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/models.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"models.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/models.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-~~http~~\";\nimport { IdentityClient } from \"../../client/identityClient\";\n\nexport type MSIExpiresInParser = (requestBody: any) => number;\n\nexport interface MSI {\n isAvailable(\n ~~identityClient?:~~ ~~IdentityClient~~,\n ~~resource~~?: ~~string~~,\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<boolean>;\n getToken(\n ~~identityClient~~: ~~IdentityClient~~,\n ~~resource: string,\n clientId?: string,\n~~ getTokenOptions?: GetTokenOptions\n ): Promise<AccessToken \| null>;\n}\n"]}
1	+ {"version":3,"file":"models.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/models.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { IdentityClient } from \"../../client/identityClient\";\n\n/*\n @internal\n /\nexport type MSIExpiresInParser = (requestBody: any) => number;\n\n/\n @internal\n /\nexport interface MSIConfiguration {\n identityClient: IdentityClient;\n scopes: string \| string[];\n clientId?: string;\n}\n\n/\n @internal\n */\nexport interface MSI {\n isAvailable(\n scopes: string \| string[],\n identityClient?: IdentityClient,\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<boolean>;\n getToken(\n configuration: MSIConfiguration,\n getTokenOptions?: GetTokenOptions\n ): Promise<AccessToken \| null>;\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js ADDED Viewed

@@ -0,0 +1,82 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import fs from "fs";
+import { createHttpHeaders } from "@azure/core-rest-pipeline";
+import { promisify } from "util";
+import { credentialLogger } from "../../util/logging";
+import { msiGenericGetToken } from "./utils";
+import { DefaultAuthorityHost } from "../../constants";
+const msiName = "ManagedIdentityCredential - Token Exchange";
+const logger = credentialLogger(msiName);
+const readFileAsync = promisify(fs.readFile);
+function expiresInParser(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions(scopes, clientAssertion, clientId) {
+    var _a;
+    const bodyParams = {
+        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
+        client_assertion: clientAssertion,
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        client_id: clientId,
+        grant_type: "client_credentials"
+    };
+    const urlParams = new URLSearchParams(bodyParams);
+    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
+    return {
+        url: url.toString(),
+        method: "POST",
+        body: urlParams.toString(),
+        headers: createHttpHeaders({
+            Accept: "application/json"
+        })
+    };
+}
+export function tokenExchangeMsi() {
+    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    let azureFederatedTokenFileContent = undefined;
+    let cacheDate = undefined;
+    // Only reads from the assertion file once every 5 minutes
+    async function readAssertion() {
+        // Cached assertions expire after 5 minutes
+        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
+            azureFederatedTokenFileContent = undefined;
+        }
+        if (!azureFederatedTokenFileContent) {
+            const file = await readFileAsync(azureFederatedTokenFilePath, "utf8");
+            const value = file.trim();
+            if (!value) {
+                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            else {
+                azureFederatedTokenFileContent = value;
+                cacheDate = Date.now();
+            }
+        }
+        return azureFederatedTokenFileContent;
+    }
+    return {
+        async isAvailable(_scopes, _identityClient, clientId) {
+            const env = process.env;
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            if (!result) {
+                logger.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            return result;
+        },
+        async getToken(configuration, getTokenOptions = {}) {
+            const { identityClient, scopes, clientId } = configuration;
+            logger.info(`${msiName}: Using the client assertion coming from environment variables.`);
+            let assertion;
+            try {
+                assertion = await readAssertion();
+            }
+            catch (err) {
+                throw new Error(`${msiName}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID), expiresInParser, getTokenOptions);
+        }
+    };
+}
+//# sourceMappingURL=tokenExchangeMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tokenExchangeMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/tokenExchangeMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,iBAAiB,EAA0B,MAAM,2BAA2B,CAAC;AAEtF,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,MAAM,OAAO,GAAG,4CAA4C,CAAC;AAC7D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,MAAM,aAAa,GAAG,SAAS,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC;AAE7C,SAAS,eAAe,CAAC,WAAgB;IACvC,gFAAgF;IAChF,OAAO,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,eAAuB,EACvB,QAAiB;;IAEjB,MAAM,UAAU,GAAQ;QACtB,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM;QACxD,gBAAgB,EAAE,eAAe;QACjC,qBAAqB,EAAE,wDAAwD;QAC/E,SAAS,EAAE,QAAQ;QACnB,UAAU,EAAE,oBAAoB;KACjC,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,oBAAoB,EAClD,MAAA,OAAO,CAAC,GAAG,CAAC,oBAAoB,mCAAI,oBAAoB,CACzD,CAAC;IAEF,OAAO;QACL,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE;QACnB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,SAAS,CAAC,QAAQ,EAAE;QAC1B,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;SAC3B,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,MAAM,2BAA2B,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;IAC3E,IAAI,8BAA8B,GAAuB,SAAS,CAAC;IACnE,IAAI,SAAS,GAAuB,SAAS,CAAC;IAE9C,0DAA0D;IAC1D,KAAK,UAAU,aAAa;QAC1B,2CAA2C;QAC3C,IAAI,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,IAAI,IAAI,GAAG,EAAE,GAAG,CAAC,EAAE;YACtE,8BAA8B,GAAG,SAAS,CAAC;SAC5C;QACD,IAAI,CAAC,8BAA8B,EAAE;YACnC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,2BAA4B,EAAE,MAAM,CAAC,CAAC;YACvE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE;gBACV,MAAM,IAAI,KAAK,CACb,0BAA0B,2BAA2B,oEAAoE,CAC1H,CAAC;aACH;iBAAM;gBACL,8BAA8B,GAAG,KAAK,CAAC;gBACvC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;aACxB;SACF;QACD,OAAO,8BAA8B,CAAC;IACxC,CAAC;IAED,OAAO;QACL,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,eAAe,EAAE,QAAQ;YAClD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,MAAM,MAAM,GAAG,OAAO,CACpB,CAAC,QAAQ,IAAI,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,eAAe,IAAI,2BAA2B,CACxF,CAAC;YACF,IAAI,CAAC,MAAM,EAAE;gBACX,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,qKAAqK,CAChL,CAAC;aACH;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;YAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;YAC3D,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,iEAAiE,CAAC,CAAC;YAEzF,IAAI,SAAiB,CAAC;YAEtB,IAAI;gBACF,SAAS,GAAG,MAAM,aAAa,EAAE,CAAC;aACnC;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,KAAK,CACb,GAAG,OAAO,oBAAoB,2BAA2B,oEAAoE,CAC9H,CAAC;aACH;YAED,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EACjF,eAAe,EACf,eAAe,CAChB,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport fs from \"fs\";\nimport { createHttpHeaders, PipelineRequestOptions } from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { promisify } from \"util\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { msiGenericGetToken } from \"./utils\";\nimport { DefaultAuthorityHost } from \"../../constants\";\n\nconst msiName = \"ManagedIdentityCredential - Token Exchange\";\nconst logger = credentialLogger(msiName);\n\nconst readFileAsync = promisify(fs.readFile);\n\nfunction expiresInParser(requestBody: any): number {\n // Parses a string representation of the seconds since epoch into a number value\n return Number(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(\n scopes: string | string[],\n clientAssertion: string,\n clientId?: string\n): PipelineRequestOptions {\n const bodyParams: any = {\n scope: Array.isArray(scopes) ? scopes.join(\" \") : scopes,\n client_assertion: clientAssertion,\n client_assertion_type: \"urn:ietf:params:oauth:client-assertion-type:jwt-bearer\",\n client_id: clientId,\n grant_type: \"client_credentials\"\n };\n\n const urlParams = new URLSearchParams(bodyParams);\n const url = new URL(\n `${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`,\n process.env.AZURE_AUTHORITY_HOST ?? DefaultAuthorityHost\n );\n\n return {\n url: url.toString(),\n method: \"POST\",\n body: urlParams.toString(),\n headers: createHttpHeaders({\n Accept: \"application/json\"\n })\n };\n}\n\nexport function tokenExchangeMsi(): MSI {\n const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;\n let azureFederatedTokenFileContent: string | undefined = undefined;\n let cacheDate: number | undefined = undefined;\n\n // Only reads from the assertion file once every 5 minutes\n async function readAssertion(): Promise<string> {\n // Cached assertions expire after 5 minutes\n if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {\n azureFederatedTokenFileContent = undefined;\n }\n if (!azureFederatedTokenFileContent) {\n const file = await readFileAsync(azureFederatedTokenFilePath!, \"utf8\");\n const value = file.trim();\n if (!value) {\n throw new Error(\n `No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`\n );\n } else {\n azureFederatedTokenFileContent = value;\n cacheDate = Date.now();\n }\n }\n return azureFederatedTokenFileContent;\n }\n\n return {\n async isAvailable(_scopes, _identityClient, clientId): Promise<boolean> {\n const env = process.env;\n const result = Boolean(\n (clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath\n );\n if (!result) {\n logger.info(\n `${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`\n );\n }\n return result;\n },\n async getToken(\n configuration: MSIConfiguration,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken | null> {\n const { identityClient, scopes, clientId } = configuration;\n logger.info(`${msiName}: Using the client assertion coming from environment variables.`);\n\n let assertion: string;\n\n try {\n assertion = await readAssertion();\n } catch (err) {\n throw new Error(\n `${msiName}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`\n );\n }\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID),\n expiresInParser,\n getTokenOptions\n );\n }\n };\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/utils.js CHANGED Viewed

@@ -1,12 +1,20 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
+import { createPipelineRequest } from "@azure/core-rest-pipeline";
 import { DefaultScopeSuffix } from "./constants";
+/**
+ * Most MSIs send requests to the IMDS endpoint, or a similar endpoint. These are GET requests that require sending a `resource` parameter on the query.
+ * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
+ * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
+ *
+ * For that reason, when we encounter multiple scopes, we return undefined.
+ * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
+ */
 export function mapScopesToResource(scopes) {
     let scope = "";
     if (Array.isArray(scopes)) {
         if (scopes.length !== 1) {
-            throw new Error("To convert to a resource string the specified array must be exactly length 1");
+            return;
         }
         scope = scopes[0];
     }
@@ -18,11 +26,9 @@ export function mapScopesToResource(scopes) {
     }
     return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
 }
-export function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const webResource = identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions, tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext }, requestOptions));
-        const tokenResponse = yield identityClient.sendTokenRequest(webResource, expiresInParser);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    });
+export async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
+    const request = createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, requestOptions), { allowInsecureConnection: true }));
+    const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);
+    return (tokenResponse && tokenResponse.accessToken) || null;
 }
 //# sourceMappingURL=utils.js.map

package/dist-esm/src/credentials/managedIdentityCredential/utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/utils.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC~~;;AAIlC~~,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;QACzB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;YACvB,~~MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC~~;~~SACH~~;QAED,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;KACnB;SAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE;QACrC,KAAK,GAAG,MAAM,CAAC;KAChB;IAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE;QACvC,OAAO,KAAK,CAAC;KACd;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,~~UAAgB~~,kBAAkB,CACtC,cAA8B,EAC9B,~~cAAqC~~,~~EACrC~~,eAA+C,EAC/C,kBAAmC,EAAE~~;;QAErC~~,MAAM,~~WAAW~~,GAAG,~~cAAc,CAAC,iBAAiB,iBAClD,0BAA0B,EAAE,IAAI,EAChC,~~qBAAqB,~~EAAE,SAAS,EAChC,~~WAAW,EAAE,eAAe,CAAC,WAAW,~~EACxC~~,~~WAAW,EAAE,eAAe,CAAC,~~cAAc,~~IAAI~~,~~eAAe~~,~~CAAC,cAAc,CAAC,WAAW,EACzF,cAAc,~~EAAE,~~eAAe,CAAC,cAAc,~~IAAI,~~eAAe~~,CAAC~~,cAAc,CAAC,cAAc,IAC5F,cAAc,EACjB,CAAC~~;~~QAEH~~,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,~~WAAW~~,EAAE,eAAe,CAAC,CAAC;~~QAE1F~~,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;~~IAC9D~~,CAAC~~;CAAA~~","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, ~~RequestPrepareOptions~~ } from \"@azure/core-~~http~~\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { DefaultScopeSuffix } from \"./constants\";\nimport { MSIExpiresInParser } from \"./models\";\n\nexport function mapScopesToResource(scopes: string \| string[]): string {\n let scope = \"\";\n if (Array.isArray(scopes)) {\n if (scopes.length !== 1) {\n ~~throw new Error(\n \"To convert to a resource string the specified array must be exactly length 1\"\n )~~;\n }\n\n scope = scopes[0];\n } else if (typeof scopes === \"string\") {\n scope = scopes;\n }\n\n if (!scope.endsWith(DefaultScopeSuffix)) {\n return scope;\n }\n\n return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));\n}\n\nexport async function msiGenericGetToken(\n identityClient: IdentityClient,\n requestOptions: ~~RequestPrepareOptions~~,\n expiresInParser: MSIExpiresInParser \| undefined,\n getTokenOptions: GetTokenOptions = {}\n): Promise<AccessToken \| null> {\n const ~~webResource~~ = ~~identityClient.createWebResource~~({\n ~~disableJsonStringifyOnBody: true,\n deserializationMapper: undefined,\n~~ abortSignal: getTokenOptions.abortSignal,\n ~~spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions~~,\n ~~tracingContext~~: ~~getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext,\n ...requestOptions~~\n });\n\n const tokenResponse = await identityClient.sendTokenRequest(~~webResource~~, expiresInParser);\n\n return (tokenResponse && tokenResponse.accessToken) \|\| null;\n}\n"]}
1	+ {"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/utils.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAA0B,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAE1F,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;QACzB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;YACvB,OAAO;SACR;QAED,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;KACnB;SAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE;QACrC,KAAK,GAAG,MAAM,CAAC;KAChB;IAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE;QACvC,OAAO,KAAK,CAAC;KACd;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,cAA8B,EAC9B,cAAsC,EACtC,eAA+C,EAC/C,kBAAmC,EAAE;IAErC,MAAM,OAAO,GAAG,qBAAqB,+BACnC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,cAAc,KACjB,uBAAuB,EAAE,IAAI,IAC7B,CAAC;IAEH,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IACtF,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;AAC9D,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { PipelineRequestOptions, createPipelineRequest } from \"@azure/core-rest-pipeline\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { DefaultScopeSuffix } from \"./constants\";\nimport { MSIExpiresInParser } from \"./models\";\n\n/*\n Most MSIs send requests to the IMDS endpoint, or a similar endpoint. These are GET requests that require sending a `resource` parameter on the query.\n * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.\n * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.\n \n For that reason, when we encounter multiple scopes, we return undefined.\n * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).\n */\nexport function mapScopesToResource(scopes: string \| string[]): string \| undefined {\n let scope = \"\";\n if (Array.isArray(scopes)) {\n if (scopes.length !== 1) {\n return;\n }\n\n scope = scopes[0];\n } else if (typeof scopes === \"string\") {\n scope = scopes;\n }\n\n if (!scope.endsWith(DefaultScopeSuffix)) {\n return scope;\n }\n\n return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));\n}\n\nexport async function msiGenericGetToken(\n identityClient: IdentityClient,\n requestOptions: PipelineRequestOptions,\n expiresInParser: MSIExpiresInParser \| undefined,\n getTokenOptions: GetTokenOptions = {}\n): Promise<AccessToken \| null> {\n const request = createPipelineRequest({\n abortSignal: getTokenOptions.abortSignal,\n ...requestOptions,\n allowInsecureConnection: true\n });\n\n const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);\n return (tokenResponse && tokenResponse.accessToken) \|\| null;\n}\n"]}

package/dist-esm/src/credentials/onBehalfOfCredential.browser.js ADDED Viewed

@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { credentialLogger, formatError } from "../util/logging";
+const credentialName = "OnBehalfOfCredential";
+const BrowserNotSupportedError = new Error(`${credentialName}: Not supported in the browser.`);
+const logger = credentialLogger(credentialName);
+/**
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ */
+export class OnBehalfOfCredential {
+    /**
+     * Only available in Node.js
+     */
+    constructor() {
+        logger.info(formatError("", BrowserNotSupportedError));
+        throw BrowserNotSupportedError;
+    }
+    getToken() {
+        logger.getToken.info(formatError("", BrowserNotSupportedError));
+        throw BrowserNotSupportedError;
+    }
+}
+//# sourceMappingURL=onBehalfOfCredential.browser.js.map

package/dist-esm/src/credentials/onBehalfOfCredential.browser.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"onBehalfOfCredential.browser.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEhE,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAC9C,MAAM,wBAAwB,GAAG,IAAI,KAAK,CAAC,GAAG,cAAc,iCAAiC,CAAC,CAAC;AAC/F,MAAM,MAAM,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAM,OAAO,oBAAoB;IAC/B;;OAEG;IACH;QACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QACvD,MAAM,wBAAwB,CAAC;IACjC,CAAC;IAEM,QAAQ;QACb,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QAChE,MAAM,wBAAwB,CAAC;IACjC,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredential, AccessToken } from \"@azure/core-auth\";\nimport { credentialLogger, formatError } from \"../util/logging\";\n\nconst credentialName = \"OnBehalfOfCredential\";\nconst BrowserNotSupportedError = new Error(`${credentialName}: Not supported in the browser.`);\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).\n */\nexport class OnBehalfOfCredential implements TokenCredential {\n /**\n * Only available in Node.js\n */\n constructor() {\n logger.info(formatError(\"\", BrowserNotSupportedError));\n throw BrowserNotSupportedError;\n }\n\n public getToken(): Promise<AccessToken | null> {\n logger.getToken.info(formatError(\"\", BrowserNotSupportedError));\n throw BrowserNotSupportedError;\n }\n}\n"]}

package/dist-esm/src/credentials/onBehalfOfCredential.js ADDED Viewed

@@ -0,0 +1,57 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { MsalOnBehalfOf } from "../msal/nodeFlows/msalOnBehalfOf";
+import { credentialLogger } from "../util/logging";
+import { trace } from "../util/tracing";
+const credentialName = "OnBehalfOfCredential";
+const logger = credentialLogger(credentialName);
+/**
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ */
+export class OnBehalfOfCredential {
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(options) {
+        this.options = options;
+        const { clientSecret } = options;
+        const { certificatePath } = options;
+        const { tenantId, clientId, userAssertionToken } = options;
+        if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
+            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+        }
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+//# sourceMappingURL=onBehalfOfCredential.js.map

package/dist-esm/src/credentials/onBehalfOfCredential.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"onBehalfOfCredential.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAIlC,OAAO,EAAE,cAAc,EAAE,MAAM,kCAAkC,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAQxC,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAC9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAM,OAAO,oBAAoB;IAG/B;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,YAAoB,OAAoC;QAApC,YAAO,GAAP,OAAO,CAA6B;QACtD,MAAM,EAAE,YAAY,EAAE,GAAG,OAA4C,CAAC;QACtE,MAAM,EAAE,eAAe,EAAE,GAAG,OAAiD,CAAC;QAC9E,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,kBAAkB,EAAE,GAAG,OAAO,CAAC;QAC3D,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC,YAAY,IAAI,eAAe,CAAC,IAAI,CAAC,kBAAkB,EAAE;YACvF,MAAM,IAAI,KAAK,CACb,GAAG,cAAc,yGAAyG,CAC3H,CAAC;SACH;QACD,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,iCAC7B,IAAI,CAAC,OAAO,KACf,MAAM,EACN,sBAAsB,EAAE,IAAI,CAAC,OAAO,IACpC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,KAAK,CAAC,GAAG,cAAc,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC,QAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;IACL,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\n\nimport { MsalOnBehalfOf } from \"../msal/nodeFlows/msalOnBehalfOf\";\nimport { credentialLogger } from \"../util/logging\";\nimport { trace } from \"../util/tracing\";\nimport { MsalFlow } from \"../msal/flows\";\nimport {\n OnBehalfOfCredentialCertificateOptions,\n OnBehalfOfCredentialOptions,\n OnBehalfOfCredentialSecretOptions\n} from \"./onBehalfOfCredentialOptions\";\n\nconst credentialName = \"OnBehalfOfCredential\";\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).\n */\nexport class OnBehalfOfCredential implements TokenCredential {\n private msalFlow: MsalFlow;\n\n /**\n * Creates an instance of the {@link OnBehalfOfCredential} with the details\n * needed to authenticate against Azure Active Directory with a client\n * secret or a path to a PEM certificate, and an user assertion.\n *\n * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n *\n * ```ts\n * const tokenCredential = new OnBehalfOfCredential({\n * tenantId,\n * clientId,\n * clientSecret, // or `certificatePath: \"/path/to/certificate.pem\"\n * userAssertionToken: \"access-token\"\n * });\n * const client = new KeyClient(\"vault-url\", tokenCredential);\n *\n * await client.getKey(\"key-name\");\n * ```\n *\n * @param options - Optional parameters, generally common across credentials.\n */\n constructor(private options: OnBehalfOfCredentialOptions) {\n const { clientSecret } = options as OnBehalfOfCredentialSecretOptions;\n const { certificatePath } = options as OnBehalfOfCredentialCertificateOptions;\n const { tenantId, clientId, userAssertionToken } = options;\n if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {\n throw new Error(\n `${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`\n );\n }\n this.msalFlow = new MsalOnBehalfOf({\n ...this.options,\n logger,\n tokenCredentialOptions: this.options\n });\n }\n\n /**\n * Authenticates with Azure Active Directory and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure the underlying network requests.\n */\n async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n return trace(`${credentialName}.getToken`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n return this.msalFlow!.getToken(arrayScopes, newOptions);\n });\n }\n}\n"]}

package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js ADDED Viewed

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+export {};
+//# sourceMappingURL=onBehalfOfCredentialOptions.js.map

package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"onBehalfOfCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\nimport { CredentialPersistenceOptions } from \"./credentialPersistenceOptions\";\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.\n */\nexport interface OnBehalfOfCredentialSecretOptions {\n /**\n * The Azure Active Directory tenant (directory) ID.\n */\n tenantId: string;\n /**\n * The client (application) ID of an App Registration in the tenant.\n */\n clientId: string;\n /**\n * A client secret that was generated for the App Registration.\n */\n clientSecret: string;\n /**\n * The user assertion for the On-Behalf-Of flow.\n */\n userAssertionToken: string;\n /**\n * The path to a PEM-encoded certificate should not be provided when the secret options are provided.\n */\n certificatePath?: never;\n /**\n * Option to include x5c header should not be provided when the secret options are provided.\n */\n sendCertificateChain?: never;\n}\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.\n */\nexport interface OnBehalfOfCredentialCertificateOptions {\n /**\n * The Azure Active Directory tenant (directory) ID.\n */\n tenantId: string;\n /**\n * The client (application) ID of an App Registration in the tenant.\n */\n clientId: string;\n /**\n * The path to a PEM-encoded public/private key certificate on the filesystem.\n */\n certificatePath: string;\n /**\n * Option to include x5c header for SubjectName and Issuer name authorization.\n * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim\n */\n sendCertificateChain?: boolean;\n /**\n * The user assertion for the On-Behalf-Of flow.\n */\n userAssertionToken: string;\n /**\n * Client secret should not be provided when certificate options are provided.\n */\n clientSecret?: never;\n}\n\n/**\n * Optional parameters for the {@link OnBehalfOfCredential} class.\n */\nexport type OnBehalfOfCredentialOptions = (\n | OnBehalfOfCredentialSecretOptions\n | OnBehalfOfCredentialCertificateOptions\n) &\n TokenCredentialOptions &\n CredentialPersistenceOptions;\n"]}

package/dist-esm/src/credentials/usernamePasswordCredential.browser.js CHANGED Viewed

@@ -1,12 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import qs from "qs";
-import { IdentityClient } from "../client/identityClient";
-import { createSpan } from "../util/tracing";
+import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline";
 import { SpanStatusCode } from "@azure/core-tracing";
+import { IdentityClient } from "../client/identityClient";
 import { credentialLogger, formatSuccess, formatError } from "../util/logging";
 import { getIdentityTokenEndpointSuffix } from "../util/identityTokenEndpoint";
+import { createSpan } from "../util/tracing";
 import { checkTenantId } from "../util/checkTenantId";
 const logger = credentialLogger("UsernamePasswordCredential");
 /**
@@ -45,48 +44,44 @@ export class UsernamePasswordCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { span, updatedOptions: newOptions } = createSpan("UsernamePasswordCredential-getToken", options);
-            try {
-                const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);
-                const webResource = this.identityClient.createWebResource({
-                    url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,
-                    method: "POST",
-                    disableJsonStringifyOnBody: true,
-                    deserializationMapper: undefined,
-                    body: qs.stringify({
-                        response_type: "token",
-                        grant_type: "password",
-                        client_id: this.clientId,
-                        username: this.username,
-                        password: this.password,
-                        scope: typeof scopes === "string" ? scopes : scopes.join(" ")
-                    }),
-                    headers: {
-                        Accept: "application/json",
-                        "Content-Type": "application/x-www-form-urlencoded"
-                    },
-                    abortSignal: options && options.abortSignal,
-                    spanOptions: newOptions.tracingOptions && newOptions.tracingOptions.spanOptions,
-                    tracingContext: newOptions.tracingOptions && newOptions.tracingOptions.tracingContext
-                });
-                const tokenResponse = yield this.identityClient.sendTokenRequest(webResource);
-                logger.getToken.info(formatSuccess(scopes));
-                return (tokenResponse && tokenResponse.accessToken) || null;
-            }
-            catch (err) {
-                span.setStatus({
-                    code: SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                logger.getToken.info(formatError(scopes, err));
-                throw err;
-            }
-            finally {
-                span.end();
-            }
-        });
+    async getToken(scopes, options) {
+        const { span, updatedOptions: newOptions } = createSpan("UsernamePasswordCredential.getToken", options);
+        try {
+            const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);
+            const params = new URLSearchParams({
+                response_type: "token",
+                grant_type: "password",
+                client_id: this.clientId,
+                username: this.username,
+                password: this.password,
+                scope: typeof scopes === "string" ? scopes : scopes.join(" ")
+            });
+            const webResource = createPipelineRequest({
+                url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,
+                method: "POST",
+                body: params.toString(),
+                headers: createHttpHeaders({
+                    Accept: "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded"
+                }),
+                abortSignal: options && options.abortSignal,
+                tracingOptions: newOptions.tracingOptions
+            });
+            const tokenResponse = await this.identityClient.sendTokenRequest(webResource);
+            logger.getToken.info(formatSuccess(scopes));
+            return (tokenResponse && tokenResponse.accessToken) || null;
+        }
+        catch (err) {
+            span.setStatus({
+                code: SpanStatusCode.ERROR,
+                message: err.message
+            });
+            logger.getToken.info(formatError(scopes, err));
+            throw err;
+        }
+        finally {
+            span.end();
+        }
     }
 }
 //# sourceMappingURL=usernamePasswordCredential.browser.js.map

package/dist-esm/src/credentials/usernamePasswordCredential.browser.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"usernamePasswordCredential.browser.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredential.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC~~;;AAElC~~,OAAO,EAAE,~~MAAM~~,~~IAAI~~,~~CAAC;AAEpB~~,~~OAAO,EAA0B,cAAc,~~EAAE,MAAM,~~0BAA0B~~,CAAC;~~AAClF~~,OAAO,EAAE,~~UAAU~~,EAAE,MAAM,~~iBAAiB~~,CAAC;~~AAC7C~~,OAAO,~~EAAE~~,cAAc,EAAE,MAAM,~~qBAAqB~~,CAAC;~~AACrD~~,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,MAAM,MAAM,GAAG,gBAAgB,CAAC,4BAA4B,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,OAAO,0BAA0B;IAOrC;;;;;;;;;;OAUG;IACH,YACE,cAAsB,EACtB,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,OAAgC;QAEhC,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;QAEtC,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;;;;;;;;OASG;~~IACU~~,QAAQ,CACnB,MAAyB,EACzB,OAAyB~~;;YAEzB~~,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,UAAU,CACrD,qCAAqC,EACrC,OAAO,CACR,CAAC;~~YACF~~,IAAI;~~gBACF~~,MAAM,SAAS,GAAG,8BAA8B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;~~gBAChE~~,MAAM,~~WAAW~~,GAAG,IAAI,~~CAAC~~,~~cAAc,~~CAAC~~,iBAAiB,CAAC~~;~~oBACxD~~,~~GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,CAAC,~~aAAa,~~IAAI,IAAI,CAAC,QAAQ,IAAI,SAAS,~~EAAE~~;oBACzE~~,~~MAAM,EAAE,MAAM;oBACd,0BAA0B,EAAE,IAAI;oBAChC,qBAAqB,EAAE,SAAS;oBAChC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC;wBACjB,aAAa,EAAE,~~OAAO;~~wBACtB~~,UAAU,EAAE,UAAU;~~wBACtB~~,SAAS,EAAE,IAAI,CAAC,QAAQ;~~wBACxB~~,QAAQ,EAAE,IAAI,CAAC,QAAQ;~~wBACvB~~,QAAQ,EAAE,IAAI,CAAC,QAAQ;~~wBACvB~~,KAAK,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;~~qBAC9D~~,CAAC~~;oBACF~~,~~OAAO,EAAE~~;~~wBACP~~,MAAM,~~EAAE~~,~~kBAAkB~~;~~wBAC1B~~,~~cAAc~~,EAAE,~~mCAAmC;qBACpD;oBACD~~,~~WAAW~~,~~EAAE~~,~~OAAO~~,IAAI,~~OAAO~~,CAAC,~~WAAW;oBAC3C~~,~~WAAW~~,EAAE,~~UAAU~~,~~CAAC~~,~~cAAc~~,IAAI,~~UAAU~~,CAAC,~~cAAc~~,CAAC,~~WAAW~~;~~oBAC/E~~,cAAc,EAAE,~~UAAU~~,CAAC,~~cAAc~~,IAAI,~~UAAU~~,CAAC,cAAc,CAAC,cAAc;~~iBACtF~~,CAAC,CAAC;~~gBAEH~~,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;~~gBAC9E~~,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;~~gBAC5C~~,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;~~aAC7D~~;~~YAAC~~,OAAO,GAAG,EAAE;~~gBACZ~~,IAAI,CAAC,SAAS,CAAC;~~oBACb~~,IAAI,EAAE,cAAc,CAAC,KAAK;~~oBAC1B~~,OAAO,EAAE,GAAG,CAAC,OAAO;~~iBACrB~~,CAAC,CAAC;~~gBACH~~,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;~~gBAC~~/C,MAAM,GAAG,CAAC;~~aACX~~;~~oBAAS~~;~~gBACR~~,IAAI,CAAC,GAAG,EAAE,CAAC;~~aACZ~~;~~QACH~~,CAAC;~~KAAA;~~CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport ~~qs from \"qs\";\nimport~~ { TokenCredential, GetTokenOptions, AccessToken } from \"@azure/core-~~http~~\";\nimport { ~~TokenCredentialOptions~~, ~~IdentityClient~~ } from \"~~../client~~/~~identityClient~~\";\nimport { ~~createSpan~~ } from \"~~../util~~/tracing\";\nimport { ~~SpanStatusCode~~ } from \"~~@azure~~/~~core-tracing~~\";\nimport { credentialLogger, formatSuccess, formatError } from \"../util/logging\";\nimport { getIdentityTokenEndpointSuffix } from \"../util/identityTokenEndpoint\";\nimport { checkTenantId } from \"../util/checkTenantId\";\n\nconst logger = credentialLogger(\"UsernamePasswordCredential\");\n\n/*\n Enables authentication to Azure Active Directory with a user's\n * username and password. This credential requires a high degree of\n * trust so you should only use it when other, more secure credential\n * types can't be used.\n /\nexport class UsernamePasswordCredential implements TokenCredential {\n private identityClient: IdentityClient;\n private tenantId: string;\n private clientId: string;\n private username: string;\n private password: string;\n\n /\n Creates an instance of the UsernamePasswordCredential with the details\n * needed to authenticate against Azure Active Directory with a username\n * and password.\n \n @param tenantIdOrName - The Azure Active Directory tenant (directory) ID or name.\n * @param clientId - The client (application) ID of an App Registration in the tenant.\n * @param username - The user account's e-mail address (user name).\n * @param password - The user account's account password\n * @param options - Options for configuring the client which makes the authentication request.\n /\n constructor(\n tenantIdOrName: string,\n clientId: string,\n username: string,\n password: string,\n options?: TokenCredentialOptions\n ) {\n checkTenantId(logger, tenantIdOrName);\n\n this.identityClient = new IdentityClient(options);\n this.tenantId = tenantIdOrName;\n this.clientId = clientId;\n this.username = username;\n this.password = password;\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful. If authentication cannot be performed at this time, this method may\n * return null. If an error occurs during authentication, an {@link AuthenticationError}\n * containing failure details will be thrown.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string \| string[],\n options?: GetTokenOptions\n ): Promise<AccessToken \| null> {\n const { span, updatedOptions: newOptions } = createSpan(\n \"UsernamePasswordCredential-getToken\",\n options\n );\n try {\n const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);\n const ~~webResource~~ = ~~this.identityClient.createWebResource~~({\n url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,\n method: \"POST\",\n disableJsonStringifyOnBody: true,\n deserializationMapper: undefined,\n body: qs.stringify({\n response_type: \"token\",\n grant_type: \"password\",\n client_id: this.clientId,\n username: this.username,\n password: this.password,\n scope: typeof scopes === \"string\" ? scopes : scopes.join(\" \")\n }),\n headers: {\n Accept: \"application/json\",\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n },\n abortSignal: options && options.abortSignal,\n ~~spanOptions: newOptions.~~tracingOptions ~~&& newOptions.tracingOptions.spanOptions,\n tracingContext~~: newOptions.tracingOptions ~~&& newOptions.tracingOptions.tracingContext~~\n });\n\n const tokenResponse = await this.identityClient.sendTokenRequest(webResource);\n logger.getToken.info(formatSuccess(scopes));\n return (tokenResponse && tokenResponse.accessToken) \|\| null;\n } catch (err) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message\n });\n logger.getToken.info(formatError(scopes, err));\n throw err;\n } finally {\n span.end();\n }\n }\n}\n"]}
1	+ {"version":3,"file":"usernamePasswordCredential.browser.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredential.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAA0B,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,MAAM,MAAM,GAAG,gBAAgB,CAAC,4BAA4B,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,OAAO,0BAA0B;IAOrC;;;;;;;;;;OAUG;IACH,YACE,cAAsB,EACtB,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,OAAgC;QAEhC,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;QAEtC,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,UAAU,CACrD,qCAAqC,EACrC,OAAO,CACR,CAAC;QACF,IAAI;YACF,MAAM,SAAS,GAAG,8BAA8B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAChE,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,aAAa,EAAE,OAAO;gBACtB,UAAU,EAAE,UAAU;gBACtB,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,KAAK,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;aAC9D,CAAC,CAAC;YACH,MAAM,WAAW,GAAG,qBAAqB,CAAC;gBACxC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,CAAC,aAAa,IAAI,IAAI,CAAC,QAAQ,IAAI,SAAS,EAAE;gBACzE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvB,OAAO,EAAE,iBAAiB,CAAC;oBACzB,MAAM,EAAE,kBAAkB;oBAC1B,cAAc,EAAE,mCAAmC;iBACpD,CAAC;gBACF,WAAW,EAAE,OAAO,IAAI,OAAO,CAAC,WAAW;gBAC3C,cAAc,EAAE,UAAU,CAAC,cAAc;aAC1C,CAAC,CAAC;YAEH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;YAC9E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5C,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;SAC7D;QAAC,OAAO,GAAG,EAAE;YACZ,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,cAAc,CAAC,KAAK;gBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;YAC/C,MAAM,GAAG,CAAC;SACX;gBAAS;YACR,IAAI,CAAC,GAAG,EAAE,CAAC;SACZ;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredential, GetTokenOptions, AccessToken } from \"@azure/core-auth\";\nimport { createHttpHeaders, createPipelineRequest } from \"@azure/core-rest-pipeline\";\nimport { SpanStatusCode } from \"@azure/core-tracing\";\nimport { TokenCredentialOptions, IdentityClient } from \"../client/identityClient\";\nimport { credentialLogger, formatSuccess, formatError } from \"../util/logging\";\nimport { getIdentityTokenEndpointSuffix } from \"../util/identityTokenEndpoint\";\nimport { createSpan } from \"../util/tracing\";\nimport { checkTenantId } from \"../util/checkTenantId\";\n\nconst logger = credentialLogger(\"UsernamePasswordCredential\");\n\n/*\n Enables authentication to Azure Active Directory with a user's\n * username and password. This credential requires a high degree of\n * trust so you should only use it when other, more secure credential\n * types can't be used.\n /\nexport class UsernamePasswordCredential implements TokenCredential {\n private identityClient: IdentityClient;\n private tenantId: string;\n private clientId: string;\n private username: string;\n private password: string;\n\n /\n Creates an instance of the UsernamePasswordCredential with the details\n * needed to authenticate against Azure Active Directory with a username\n * and password.\n \n @param tenantIdOrName - The Azure Active Directory tenant (directory) ID or name.\n * @param clientId - The client (application) ID of an App Registration in the tenant.\n * @param username - The user account's e-mail address (user name).\n * @param password - The user account's account password\n * @param options - Options for configuring the client which makes the authentication request.\n /\n constructor(\n tenantIdOrName: string,\n clientId: string,\n username: string,\n password: string,\n options?: TokenCredentialOptions\n ) {\n checkTenantId(logger, tenantIdOrName);\n\n this.identityClient = new IdentityClient(options);\n this.tenantId = tenantIdOrName;\n this.clientId = clientId;\n this.username = username;\n this.password = password;\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful. If authentication cannot be performed at this time, this method may\n * return null. If an error occurs during authentication, an {@link AuthenticationError}\n * containing failure details will be thrown.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string \| string[],\n options?: GetTokenOptions\n ): Promise<AccessToken \| null> {\n const { span, updatedOptions: newOptions } = createSpan(\n \"UsernamePasswordCredential.getToken\",\n options\n );\n try {\n const urlSuffix = getIdentityTokenEndpointSuffix(this.tenantId);\n const params = new URLSearchParams({\n response_type: \"token\",\n grant_type: \"password\",\n client_id: this.clientId,\n username: this.username,\n password: this.password,\n scope: typeof scopes === \"string\" ? scopes : scopes.join(\" \")\n });\n const webResource = createPipelineRequest({\n url: `${this.identityClient.authorityHost}/${this.tenantId}/${urlSuffix}`,\n method: \"POST\",\n body: params.toString(),\n headers: createHttpHeaders({\n Accept: \"application/json\",\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }),\n abortSignal: options && options.abortSignal,\n tracingOptions: newOptions.tracingOptions\n });\n\n const tokenResponse = await this.identityClient.sendTokenRequest(webResource);\n logger.getToken.info(formatSuccess(scopes));\n return (tokenResponse && tokenResponse.accessToken) \|\| null;\n } catch (err) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message\n });\n logger.getToken.info(formatError(scopes, err));\n throw err;\n } finally {\n span.end();\n }\n }\n}\n"]}

package/dist-esm/src/credentials/usernamePasswordCredential.js CHANGED Viewed

@@ -1,6 +1,5 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
 import { credentialLogger } from "../util/logging";
 import { MsalUsernamePassword } from "../msal/nodeFlows/msalUsernamePassword";
 import { trace } from "../util/tracing";
@@ -11,8 +10,6 @@ const logger = credentialLogger("UsernamePasswordCredential");
  * trust so you should only use it when other, more secure credential
  * types can't be used.
  */
-// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),
-// to reduce the number of times we send the password over the network.
 export class UsernamePasswordCredential {
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
@@ -26,6 +23,9 @@ export class UsernamePasswordCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
         this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger,
             clientId,
             tenantId,
@@ -33,10 +33,8 @@ export class UsernamePasswordCredential {
             password, tokenCredentialOptions: options || {} }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -46,12 +44,10 @@ export class UsernamePasswordCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            return trace(`${this.constructor.name}.getToken`, options, (newOptions) => __awaiter(this, void 0, void 0, function* () {
-                const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-                return this.msalFlow.getToken(arrayScopes, newOptions);
-            }));
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
         });
     }
 }

package/dist-esm/src/credentials/usernamePasswordCredential.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"usernamePasswordCredential.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC~~;;AAGlC~~,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,wCAAwC,CAAC;AAE9E,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAGxC,MAAM,MAAM,GAAG,gBAAgB,CAAC,4BAA4B,CAAC,CAAC;AAE9D;;;;;GAKG;AACH~~,+GAA+G;AAC/G~~,~~uEAAuE;AACvE,~~MAAM,OAAO,0BAA0B;IAGrC;;;;;;;;;;OAUG;IACH,YACE,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA6C,EAAE;QAE/C,IAAI,CAAC,QAAQ,GAAG,IAAI,oBAAoB,iCACnC,OAAO,KACV,MAAM;YACN,QAAQ;YACR,QAAQ;YACR,QAAQ;YACR,QAAQ,EACR,sBAAsB,EAAE,OAAO,IAAI,EAAE,IACrC,CAAC;IACL,CAAC;IAED~~;;;;;;;;;;;;;OAaG~~;~~IACG~~,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE~~;;YACrE~~,OAAO,KAAK,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,~~CAAO~~,UAAU,EAAE,EAAE;~~gBAC9E~~,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;~~gBAC9D~~,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;~~YACzD~~,CAAC,~~CAAA,~~CAAC,CAAC;~~QACL~~,CAAC;~~KAAA;~~CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-~~http~~\";\nimport { credentialLogger } from \"../util/logging\";\nimport { MsalUsernamePassword } from \"../msal/nodeFlows/msalUsernamePassword\";\nimport { MsalFlow } from \"../msal/flows\";\nimport { trace } from \"../util/tracing\";\nimport { UsernamePasswordCredentialOptions } from \"./usernamePasswordCredentialOptions\";\n\nconst logger = credentialLogger(\"UsernamePasswordCredential\");\n\n/*\n Enables authentication to Azure Active Directory with a user's\n * username and password. This credential requires a high degree of\n * trust so you should only use it when other, more secure credential\n * types can't be used.\n /\~~n// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),\n// to reduce the number of times we send the password over the network.\~~nexport class UsernamePasswordCredential implements TokenCredential {\n private msalFlow: MsalFlow;\n\n /\n Creates an instance of the UsernamePasswordCredential with the details\n * needed to authenticate against Azure Active Directory with a username\n * and password.\n \n @param tenantId - The Azure Active Directory tenant (directory).\n * @param clientId - The client (application) ID of an App Registration in the tenant.\n * @param username - The user account's e-mail address (user name).\n * @param password - The user account's account password\n * @param options - Options for configuring the client which makes the authentication request.\n /\n constructor(\n tenantId: string,\n clientId: string,\n username: string,\n password: string,\n options: UsernamePasswordCredentialOptions = {}\n ) {\n this.msalFlow = new MsalUsernamePassword({\n ...options,\n logger,\n clientId,\n tenantId,\n username,\n password,\n tokenCredentialOptions: options \|\| {}\n });\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful~~. If authentication cannot be performed at this time, this method may\~~n * ~~return null.~~ If an ~~error occurs during authentication~~, an {@link ~~AuthenticationError~~}\n * ~~containing~~ ~~failure~~ details ~~will~~ be ~~thrown~~.\n \n If the user provided the option `disableAutomaticAuthentication`,\n * once the token can't be retrieved silently,\n * this method won't attempt to request user interaction to retrieve the token.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n async getToken(scopes: string \| string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n return this.msalFlow.getToken(arrayScopes, newOptions);\n });\n }\n}\n"]}
1	+ {"version":3,"file":"usernamePasswordCredential.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAIlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,wCAAwC,CAAC;AAE9E,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAGxC,MAAM,MAAM,GAAG,gBAAgB,CAAC,4BAA4B,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,OAAO,0BAA0B;IAGrC;;;;;;;;;;OAUG;IACH,YACE,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA6C,EAAE;QAE/C,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE;YACpD,MAAM,IAAI,KAAK,CACb,iMAAiM,CAClM,CAAC;SACH;QACD,IAAI,CAAC,QAAQ,GAAG,IAAI,oBAAoB,iCACnC,OAAO,KACV,MAAM;YACN,QAAQ;YACR,QAAQ;YACR,QAAQ;YACR,QAAQ,EACR,sBAAsB,EAAE,OAAO,IAAI,EAAE,IACrC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,KAAK,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YAC9E,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\n\nimport { credentialLogger } from \"../util/logging\";\nimport { MsalUsernamePassword } from \"../msal/nodeFlows/msalUsernamePassword\";\nimport { MsalFlow } from \"../msal/flows\";\nimport { trace } from \"../util/tracing\";\nimport { UsernamePasswordCredentialOptions } from \"./usernamePasswordCredentialOptions\";\n\nconst logger = credentialLogger(\"UsernamePasswordCredential\");\n\n/*\n Enables authentication to Azure Active Directory with a user's\n * username and password. This credential requires a high degree of\n * trust so you should only use it when other, more secure credential\n * types can't be used.\n /\nexport class UsernamePasswordCredential implements TokenCredential {\n private msalFlow: MsalFlow;\n\n /\n Creates an instance of the UsernamePasswordCredential with the details\n * needed to authenticate against Azure Active Directory with a username\n * and password.\n \n @param tenantId - The Azure Active Directory tenant (directory).\n * @param clientId - The client (application) ID of an App Registration in the tenant.\n * @param username - The user account's e-mail address (user name).\n * @param password - The user account's account password\n * @param options - Options for configuring the client which makes the authentication request.\n /\n constructor(\n tenantId: string,\n clientId: string,\n username: string,\n password: string,\n options: UsernamePasswordCredentialOptions = {}\n ) {\n if (!tenantId \|\| !clientId \|\| !username \|\| !password) {\n throw new Error(\n \"UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.\"\n );\n }\n this.msalFlow = new MsalUsernamePassword({\n ...options,\n logger,\n clientId,\n tenantId,\n username,\n password,\n tokenCredentialOptions: options \|\| {}\n });\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n \n If the user provided the option `disableAutomaticAuthentication`,\n * once the token can't be retrieved silently,\n * this method won't attempt to request user interaction to retrieve the token.\n \n @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n async getToken(scopes: string \| string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {\n const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n return this.msalFlow.getToken(arrayScopes, newOptions);\n });\n }\n}\n"]}

package/dist-esm/src/credentials/usernamePasswordCredentialOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"usernamePasswordCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\n\n/*\n Defines options for the {@link UsernamePasswordCredential} class.\n */\nexport interface UsernamePasswordCredentialOptions extends TokenCredentialOptions {}\n"]}
1	+ {"version":3,"file":"usernamePasswordCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\nimport { CredentialPersistenceOptions } from \"./credentialPersistenceOptions\";\n\n/*\n Defines options for the {@link UsernamePasswordCredential} class.\n */\nexport interface UsernamePasswordCredentialOptions\n extends TokenCredentialOptions,\n CredentialPersistenceOptions {}\n"]}