@azure/identity 2.0.0-beta.3 → 2.0.0

package/types/identity.d.ts

@@ -1,8 +1,9 @@
-import { AccessToken } from '@azure/core-http';
+import { AccessToken } from '@azure/core-auth';
 import { AzureLogger } from '@azure/logger';
-import { GetTokenOptions } from '@azure/core-http';
-import { PipelineOptions } from '@azure/core-http';
-import { TokenCredential } from '@azure/core-http';
+import { CommonClientOptions } from '@azure/core-client';
+import { GetTokenOptions } from '@azure/core-auth';
+import { TokenCredential } from '@azure/core-auth';
+
 export { AccessToken }
 
 /**
@@ -80,18 +81,32 @@ export declare class AuthenticationRequiredError extends Error {
      */
     scopes: string[];
     /**
-     * The options used to configure the getToken request.
+     * The options passed to the getToken request.
      */
-    getTokenOptions: GetTokenOptions;
+    getTokenOptions?: GetTokenOptions;
     constructor(
+    /**
+     * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
+     */
+    options: AuthenticationRequiredErrorOptions);
+}
+
+/**
+ * Optional parameters to the {@link AuthenticationRequiredError}
+ */
+export declare interface AuthenticationRequiredErrorOptions {
     /**
      * The list of scopes for which the token will have access.
      */
-    scopes: string[], 
+    scopes: string[];
     /**
-     * The options used to configure the getToken request.
+     * The options passed to the getToken request.
      */
-    getTokenOptions?: GetTokenOptions, message?: string);
+    getTokenOptions?: GetTokenOptions;
+    /**
+     * The message of the error.
+     */
+    message?: string;
 }
 
 /**
@@ -102,13 +117,10 @@ export declare class AuthenticationRequiredError extends Error {
  * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
  */
 export declare class AuthorizationCodeCredential implements TokenCredential {
-    private identityClient;
-    private tenantId;
-    private clientId;
-    private clientSecret;
+    private msalFlow;
+    private disableAutomaticAuthentication?;
     private authorizationCode;
     private redirectUri;
-    private lastTokenResponse;
     /**
      * Creates an instance of CodeFlowCredential with the details needed
      * to request an access token using an authentication that was obtained
@@ -118,17 +130,17 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      * the authorization code flow to obtain an authorization code to be used
      * with this credential.  A full example of this flow is provided here:
      *
-     * https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
+     * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
      *
      * @param tenantId - The Azure Active Directory tenant (directory) ID or name.
      *                 'common' may be used when dealing with multi-tenant scenarios.
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param clientSecret - A client secret that was generated for the App Registration
      * @param authorizationCode - An authorization code that was received from following the
-                                authorization code flow.  This authorization code must not
-                                have already been used to obtain an access token.
+     authorization code flow.  This authorization code must not
+     have already been used to obtain an access token.
      * @param redirectUri - The redirect URI that was used to request the authorization code.
-                          Must be the same URI that is configured for the App Registration.
+     Must be the same URI that is configured for the App Registration.
      * @param options - Options for configuring the client which makes the access token request.
      */
     constructor(tenantId: string | "common", clientId: string, clientSecret: string, authorizationCode: string, redirectUri: string, options?: TokenCredentialOptions);
@@ -141,24 +153,22 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      * the authorization code flow to obtain an authorization code to be used
      * with this credential.  A full example of this flow is provided here:
      *
-     * https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
+     * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/manual/authorizationCodeSample.ts
      *
      * @param tenantId - The Azure Active Directory tenant (directory) ID or name.
      *                 'common' may be used when dealing with multi-tenant scenarios.
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param authorizationCode - An authorization code that was received from following the
-                                authorization code flow.  This authorization code must not
-                                have already been used to obtain an access token.
+     authorization code flow.  This authorization code must not
+     have already been used to obtain an access token.
      * @param redirectUri - The redirect URI that was used to request the authorization code.
-                          Must be the same URI that is configured for the App Registration.
+     Must be the same URI that is configured for the App Registration.
      * @param options - Options for configuring the client which makes the access token request.
      */
     constructor(tenantId: string | "common", clientId: string, authorizationCode: string, redirectUri: string, options?: TokenCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -194,24 +204,21 @@ export declare enum AzureAuthorityHosts {
  * via the Azure CLI ('az') commandline tool.
  * To do so, it will read the user access token and expire time
  * with Azure CLI command "az account get-access-token".
- * To be able to use this credential, ensure that you have already logged
- * in via the 'az' tool using the command "az login" from the commandline.
  */
 export declare class AzureCliCredential implements TokenCredential {
+    private tenantId?;
     /**
-     * Gets the access token from Azure CLI
-     * @param resource - The resource to use when getting the token
+     * Creates an instance of the {@link AzureCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
      */
-    protected getAzureCliAccessToken(resource: string): Promise<{
-        stdout: string;
-        stderr: string;
-        error: Error | null;
-    }>;
+    constructor(options?: AzureCliCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -220,33 +227,58 @@ export declare class AzureCliCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
+/**
+ * Options for the {@link AzureCliCredential}
+ */
+export declare interface AzureCliCredentialOptions extends TokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+}
+
 /**
  * This credential will use the currently logged-in user information from the
  * Azure PowerShell module. To do so, it will read the user access token and
  * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
- *
- * To be able to use this credential:
- * - Install the Azure Az PowerShell module with:
- *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
- * - You have already logged in to Azure PowerShell using the command
- * `Connect-AzAccount` from the command line.
  */
 export declare class AzurePowerShellCredential implements TokenCredential {
+    private tenantId?;
+    /**
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options?: AzurePowerShellCredentialOptions);
     /**
      * Gets the access token from Azure PowerShell
      * @param resource - The resource to use when getting the token
      */
     private getAzurePowerShellAccessToken;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful. If authentication cannot be performed at this time, this method may
-     * return null. If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this TokenCredential implementation might make.
      */
-    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+
+/**
+ * Options for the {@link AzurePowerShellCredential}
+ */
+export declare interface AzurePowerShellCredentialOptions extends TokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
 }
 
 /**
@@ -320,10 +352,19 @@ export declare class ClientCertificateCredential implements TokenCredential {
      */
     constructor(tenantId: string, clientId: string, certificatePath: string, options?: ClientCertificateCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Creates an instance of the ClientCertificateCredential with the details
+     * needed to authenticate against Azure Active Directory with a certificate.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param configuration - Other parameters required, including the PEM-encoded certificate as a string, or as a path on the filesystem.
+     *                        If the type is ignored, we will throw if both the value of the PEM certificate and the path to a PEM certificate are provided at the same time.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId: string, clientId: string, configuration: ClientCertificateCredentialPEMConfiguration, options?: ClientCertificateCredentialOptions);
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -335,7 +376,7 @@ export declare class ClientCertificateCredential implements TokenCredential {
 /**
  * Optional parameters for the {@link ClientCertificateCredential} class.
  */
-export declare interface ClientCertificateCredentialOptions extends TokenCredentialOptions {
+export declare interface ClientCertificateCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
     /**
      * Option to include x5c header for SubjectName and Issuer name authorization.
      * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
@@ -343,6 +384,29 @@ export declare interface ClientCertificateCredentialOptions extends TokenCredent
     sendCertificateChain?: boolean;
 }
 
+/**
+ * Required configuration options for the {@link ClientCertificateCredential}, with either the string contents of a PEM certificate, or the path to a PEM certificate.
+ */
+export declare type ClientCertificateCredentialPEMConfiguration = {
+    /**
+     * The PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificate: string;
+    /**
+     * The PEM-encoded public/private key certificate on the filesystem     should not be provided if `certificate` is provided.
+     */
+    certificatePath?: never;
+} | {
+    /**
+     * The PEM-encoded public/private key certificate on the filesystem should not be provided if `certificatePath` is provided.
+     */
+    certificate?: never;
+    /**
+     * The path to the PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificatePath: string;
+};
+
 /**
  * Enables authentication to Azure Active Directory using a client secret
  * that was generated for an App Registration. More information on how
@@ -365,10 +429,8 @@ export declare class ClientSecretCredential implements TokenCredential {
      */
     constructor(tenantId: string, clientId: string, clientSecret: string, options?: ClientSecretCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -380,7 +442,44 @@ export declare class ClientSecretCredential implements TokenCredential {
 /**
  * Optional parameters for the {@link ClientSecretCredential} class.
  */
-export declare interface ClientSecretCredentialOptions extends TokenCredentialOptions {
+export declare interface ClientSecretCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+}
+
+/**
+ * Shared configuration options for credentials that support persistent token
+ * caching.
+ */
+export declare interface CredentialPersistenceOptions {
+    /**
+     * Options to provide to the persistence layer (if one is available) when
+     * storing credentials.
+     *
+     * You must first register a persistence provider plugin. See the
+     * `@azure/identity-cache-persistence` package on NPM.
+     *
+     * Example:
+     *
+     * ```javascript
+     * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+     * import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
+     *
+     * useIdentityPlugin(cachePersistencePlugin);
+     *
+     * async function main() {
+     *   const credential = new DeviceCodeCredential({
+     *     tokenCachePersistenceOptions: {
+     *       enabled: true
+     *     }
+     *   });
+     * }
+     *
+     * main().catch((error) => {
+     *   console.error("An error occured:", error);
+     *   process.exit(1);
+     * });
+     * ```
+     */
+    tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
 }
 
 /**
@@ -398,21 +497,32 @@ export declare class CredentialUnavailableError extends Error {
 export declare const CredentialUnavailableErrorName = "CredentialUnavailableError";
 
 /**
- * Provides a default {@link ChainedTokenCredential} configuration that should work for most applications that use the Azure SDK.
- * The following credential types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
- * - {@link AzureCliCredential}
- * - {@link AzurePowerShellCredential}
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.
  */
 export declare class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * This credential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications that use the Azure SDK.
+     *
+     * The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     * - {@link VisualStudioCodeCredential}
+     * - {@link AzureCliCredential}
+     * - {@link AzurePowerShellCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
      */
     constructor(options?: DefaultAzureCredentialOptions);
@@ -466,14 +576,26 @@ export declare class DeviceCodeCredential implements TokenCredential {
      * Creates an instance of DeviceCodeCredential with the details needed
      * to initiate the device code authorization flow with Azure Active Directory.
      *
+     * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
+     *
+     * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
+     *
+     * ```js
+     * const credential = new DeviceCodeCredential({
+     *   tenantId: env.AZURE_TENANT_ID,
+     *   clientId: env.AZURE_CLIENT_ID,
+     *   userPromptCallback: (info) => {
+     *     console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
+     *   }
+     * });
+     * ```
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options?: DeviceCodeCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -485,10 +607,8 @@ export declare class DeviceCodeCredential implements TokenCredential {
      */
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
@@ -500,9 +620,9 @@ export declare class DeviceCodeCredential implements TokenCredential {
 }
 
 /**
- * Defines options for the InteractiveBrowserCredential class for NodeJS.
+ * Defines options for the InteractiveBrowserCredential class for Node.js.
  */
-export declare interface DeviceCodeCredentialOptions extends InteractiveCredentialOptions {
+export declare interface DeviceCodeCredentialOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {
     /**
      * The Azure Active Directory tenant (directory) ID.
      */
@@ -550,27 +670,31 @@ export declare type DeviceCodePromptCallback = (deviceCodeInfo: DeviceCodeInfo)
 
 /**
  * Enables authentication to Azure Active Directory using client secret
- * details configured in the following environment variables:
- *
- * - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
- * - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
- * - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
- *
- * This credential ultimately uses a {@link ClientSecretCredential} to
- * perform the authentication using these details.  Please consult the
- * documentation of that class for more details.
+ * details configured in environment variables
  */
 export declare class EnvironmentCredential implements TokenCredential {
     private _credential?;
     /**
-     * Creates an instance of the EnvironmentCredential class and reads
-     * client secret details from environment variables.  If the expected
-     * environment variables are not found at this time, the getToken method
-     * will return null when invoked.
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
      *
      * @param options - Options for configuring the client which makes the authentication request.
      */
-    constructor(options?: TokenCredentialOptions);
+    constructor(options?: EnvironmentCredentialOptions);
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
      *
@@ -580,6 +704,13 @@ export declare class EnvironmentCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
+/**
+ * Enables authentication to Azure Active Directory depending on the available environment variables.
+ * Defines options for the EnvironmentCredential class.
+ */
+export declare interface EnvironmentCredentialOptions extends TokenCredentialOptions {
+}
+
 /**
  * See the official documentation for more details:
  *
@@ -619,18 +750,18 @@ export declare interface ErrorResponse {
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */
 export declare function getDefaultAzureCredential(): TokenCredential;
+
 export { GetTokenOptions }
 
+/**
+ * The type of an Azure Identity plugin, a function accepting a plugin
+ * context.
+ */
+export declare type IdentityPlugin = (context: unknown) => void;
+
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
- *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On NodeJS, it will open a browser window while it listens for a redirect response from the authentication service.
- * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
- *
- * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
- * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 export declare class InteractiveBrowserCredential implements TokenCredential {
     private msalFlow;
@@ -638,14 +769,19 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
+     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
-    constructor(options?: InteractiveBrowserCredentialOptions | InteractiveBrowserCredentialBrowserOptions);
+    constructor(options?: InteractiveBrowserCredentialNodeOptions | InteractiveBrowserCredentialInBrowserOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -657,13 +793,14 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
      */
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
      *
+     * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+     * PKCE is a security feature that mitigates authentication code interception attacks.
+     *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
      *                  TokenCredential implementation might make.
@@ -674,7 +811,7 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
 /**
  * Defines the common options for the InteractiveBrowserCredential class.
  */
-export declare type InteractiveBrowserCredentialBrowserOptions = TokenCredentialOptions & InteractiveCredentialOptions & {
+export declare interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {
     /**
      * Gets the redirect URI of the application. This should be same as the value
      * in the application registration portal.  Defaults to `window.location.href`.
@@ -696,12 +833,17 @@ export declare type InteractiveBrowserCredentialBrowserOptions = TokenCredential
      *
      */
     loginStyle?: BrowserLoginStyle;
-};
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
 
 /**
  * Defines the common options for the InteractiveBrowserCredential class.
  */
-export declare type InteractiveBrowserCredentialOptions = TokenCredentialOptions & InteractiveCredentialOptions & {
+export declare interface InteractiveBrowserCredentialNodeOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {
     /**
      * Gets the redirect URI of the application. This should be same as the value
      * in the application registration portal.  Defaults to `window.location.href`.
@@ -715,7 +857,12 @@ export declare type InteractiveBrowserCredentialOptions = TokenCredentialOptions
      * The client (application) ID of an App Registration in the tenant.
      */
     clientId?: string;
-};
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
 
 /**
  * Common constructor options for the Identity credentials that requires user interaction.
@@ -759,9 +906,9 @@ export declare class ManagedIdentityCredential implements TokenCredential {
     private isEndpointUnavailable;
     /**
      * Creates an instance of ManagedIdentityCredential with the client ID of a
-     * user-assigned identity.
+     * user-assigned identity, or app registration (when working with AKS pod-identity).
      *
-     * @param clientId - The client ID of the user-assigned identity.
+     * @param clientId - The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).
      * @param options - Options for configuring the client which makes the access token request.
      */
     constructor(clientId: string, options?: TokenCredentialOptions);
@@ -775,10 +922,9 @@ export declare class ManagedIdentityCredential implements TokenCredential {
     private cachedAvailableMSI;
     private authenticateManagedIdentity;
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -787,6 +933,110 @@ export declare class ManagedIdentityCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
+/**
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ */
+export declare class OnBehalfOfCredential implements TokenCredential {
+    private options;
+    private msalFlow;
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(options: OnBehalfOfCredentialOptions);
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.
+ */
+export declare interface OnBehalfOfCredentialCertificateOptions {
+    /**
+     * The Azure Active Directory tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * The path to a PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificatePath: string;
+    /**
+     * Option to include x5c header for SubjectName and Issuer name authorization.
+     * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
+     */
+    sendCertificateChain?: boolean;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+    /**
+     * Client secret should not be provided when certificate options are provided.
+     */
+    clientSecret?: never;
+}
+
+/**
+ * Optional parameters for the {@link OnBehalfOfCredential} class.
+ */
+export declare type OnBehalfOfCredentialOptions = (OnBehalfOfCredentialSecretOptions | OnBehalfOfCredentialCertificateOptions) & TokenCredentialOptions & CredentialPersistenceOptions;
+
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.
+ */
+export declare interface OnBehalfOfCredentialSecretOptions {
+    /**
+     * The Azure Active Directory tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * A client secret that was generated for the App Registration.
+     */
+    clientSecret: string;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+    /**
+     * The path to a PEM-encoded certificate should not be provided when the secret options are provided.
+     */
+    certificatePath?: never;
+    /**
+     * Option to include x5c header should not be provided when the secret options are provided.
+     */
+    sendCertificateChain?: never;
+}
+
 /**
  * Serializes an `AuthenticationRecord` into a string.
  *
@@ -802,20 +1052,75 @@ export declare class ManagedIdentityCredential implements TokenCredential {
  * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
  */
 export declare function serializeAuthenticationRecord(record: AuthenticationRecord): string;
+
+/**
+ * Parameters that enable token cache persistence in the Identity credentials.
+ */
+export declare interface TokenCachePersistenceOptions {
+    /**
+     * If set to true, persistent token caching will be enabled for this credential instance.
+     */
+    enabled: boolean;
+    /**
+     * Unique identifier for the persistent token cache.
+     *
+     * Based on this identifier, the persistence file will be located in any of the following places:
+     * - Darwin: '/Users/user/.IdentityService/<name>'
+     * - Windows 8+: 'C:\\Users\\user\\AppData\\Local\\.IdentityService\\<name>'
+     * - Linux: '/home/user/.IdentityService/<name>'
+     */
+    name?: string;
+    /**
+     * If set to true, the cache will be stored without encryption if no OS level user encryption is available.
+     * When set to false, the PersistentTokenCache will throw an error if no OS level user encryption is available.
+     */
+    unsafeAllowUnencryptedStorage?: boolean;
+}
+
 export { TokenCredential }
 
 /**
  * Provides options to configure how the Identity library makes authentication
  * requests to Azure Active Directory.
  */
-export declare interface TokenCredentialOptions extends PipelineOptions {
+export declare interface TokenCredentialOptions extends CommonClientOptions {
     /**
      * The authority host to use for authentication requests.
+     * Possible values are available through {@link AzureAuthorityHosts}.
      * The default is "https://login.microsoftonline.com".
      */
     authorityHost?: string;
 }
 
+/**
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
+ *
+ * - `@azure/identity-cache-persistence`: provides persistent token caching
+ * - `@azure/identity-vscode`: provides the dependencies of
+ *   `VisualStudioCodeCredential` and enables it
+ *
+ * Example:
+ *
+ * ```javascript
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+ *
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
+ *
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
+ * // add middleware to the underlying credentials, such as persistence.
+ * const credential = new DefaultAzureCredential({
+ *   tokenCachePersistenceOptions: {
+ *     enabled: true
+ *   }
+ * });
+ * ```
+ *
+ * @param plugin - the plugin to register
+ */
+export declare function useIdentityPlugin(plugin: IdentityPlugin): void;
+
 /**
  * Enables authentication to Azure Active Directory with a user's
  * username and password. This credential requires a high degree of
@@ -837,10 +1142,8 @@ export declare class UsernamePasswordCredential implements TokenCredential {
      */
     constructor(tenantId: string, clientId: string, username: string, password: string, options?: UsernamePasswordCredentialOptions);
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
      * once the token can't be retrieved silently,
@@ -856,7 +1159,60 @@ export declare class UsernamePasswordCredential implements TokenCredential {
 /**
  * Defines options for the {@link UsernamePasswordCredential} class.
  */
-export declare interface UsernamePasswordCredentialOptions extends TokenCredentialOptions {
+export declare interface UsernamePasswordCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+}
+
+/**
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Once the user has logged in via the extension, this credential can share the same refresh token
+ * that is cached by the extension.
+ */
+export declare class VisualStudioCodeCredential implements TokenCredential {
+    private identityClient;
+    private tenantId;
+    private cloudName;
+    /**
+     * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(options?: VisualStudioCodeCredentialOptions);
+    /**
+     * Runs preparations for any further getToken request.
+     */
+    private prepare;
+    /**
+     * The promise of the single preparation that will be executed at the first getToken request for an instance of this class.
+     */
+    private preparePromise;
+    /**
+     * Runs preparations for any further getToken, but only once.
+     */
+    private prepareOnce;
+    /**
+     * Returns the token found by searching VSCode's authentication cache or
+     * returns null if no token could be found.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                `TokenCredential` implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+
+/**
+ * Provides options to configure the Visual Studio Code credential.
+ */
+export declare interface VisualStudioCodeCredentialOptions extends TokenCredentialOptions {
+    /**
+     * Optionally pass in a Tenant ID to be used as part of the credential
+     */
+    tenantId?: string;
 }
 
 export { }