@azure/identity 2.0.0-beta.5 → 2.0.0-beta.6

package/dist/index.js

@@ -10,7 +10,7 @@ var coreTracing = require('@azure/core-tracing');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var abortController = require('@azure/abort-controller');
-var logger$h = require('@azure/logger');
+var logger$j = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
 var uuid = require('uuid');
 var fs = require('fs');
@@ -19,7 +19,7 @@ var os = _interopDefault(require('os'));
 var path = _interopDefault(require('path'));
 var child_process = require('child_process');
 var crypto = require('crypto');
-var qs = _interopDefault(require('qs'));
+var util = require('util');
 var http = _interopDefault(require('http'));
 var open = _interopDefault(require('open'));
 var stoppable = _interopDefault(require('stoppable'));
@@ -149,7 +149,7 @@ const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
 class AggregateAuthenticationError extends Error {
     constructor(errors, errorMessage) {
         const errorDetail = errors.join("\n");
-        super(`${errorMessage}\n\n${errorDetail}`);
+        super(`${errorMessage}\n${errorDetail}`);
         this.errors = errors;
         // Ensure that this type reports the correct name
         this.name = AggregateAuthenticationErrorName;
@@ -224,7 +224,7 @@ async function trace(operationName, options, fn, createSpanFn = createSpan) {
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger = logger$h.createClientLogger("identity");
+const logger = logger$j.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -315,7 +315,7 @@ function getIdentityClientAuthorityHost(options) {
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
         var _a;
-        const packageDetails = `azsdk-js-identity/2.0.0-beta.5`;
+        const packageDetails = `azsdk-js-identity/2.0.0-beta.6`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -359,7 +359,6 @@ class IdentityClient extends coreClient.ServiceClient {
         }
     }
     async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
-        var _a, _b;
         if (refreshToken === undefined) {
             return null;
         }
@@ -386,10 +385,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     Accept: "application/json",
                     "Content-Type": "application/x-www-form-urlencoded"
                 }),
-                tracingOptions: {
-                    spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
-                    tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext
-                }
+                tracingOptions: updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions
             });
             const response = await this.sendTokenRequest(request, expiresOnParser);
             logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
@@ -913,7 +909,12 @@ class MsalNode extends MsalBaseUtilities {
             this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
         }
         else if ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled) {
-            throw new Error("Persistent token caching was requested, but no persistence provider was configured (do you need to use the `@azure/identity-cache-persistence` package?)");
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`."
+            ].join(" "));
         }
         this.azureRegion = (_c = options.regionalAuthority) !== null && _c !== void 0 ? _c : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
         if (this.azureRegion === exports.RegionalAuthority.AutoDiscoverRegion) {
@@ -1145,6 +1146,11 @@ class VisualStudioCodeCredential {
     /**
      * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(options) {
@@ -1198,7 +1204,12 @@ class VisualStudioCodeCredential {
         const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
             this.tenantId;
         if (findCredentials === undefined) {
-            throw new CredentialUnavailableError("No implementation of VisualStudioCodeCredential is available (do you need to install and use the `@azure/identity-vscode` extension package?)");
+            throw new CredentialUnavailableError([
+                "No implementation of `VisualStudioCodeCredential` is available.",
+                "You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`."
+            ].join(" "));
         }
         let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
         // Check to make sure the scope we get back is a valid scope
@@ -1243,17 +1254,17 @@ class VisualStudioCodeCredential {
 
 // Copyright (c) Microsoft Corporation.
 /**
- * The context passed to an Identity Extension. This contains objects that
- * extensions can use to set backend implementations.
+ * The context passed to an Identity plugin. This contains objects that
+ * plugins can use to set backend implementations.
  * @internal
  */
-const extensionContext = {
+const pluginContext = {
     cachePluginControl: msalNodeFlowCacheControl,
     vsCodeCredentialControl: vsCodeCredentialControl
 };
 /**
- * Extend Azure Identity with additional functionality. Pass an extension from
- * an extension package, such as:
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
  *
  * - `@azure/identity-cache-persistence`: provides persistent token caching
  * - `@azure/identity-vscode`: provides the dependencies of
@@ -1262,12 +1273,12 @@ const extensionContext = {
  * Example:
  *
  * ```javascript
- * import { cachePersistenceExtension } from "@azure/identity-cache-persistence";
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
  *
- * import { useIdentityExtension, DefaultAzureCredential } from "@azure/identity";
- * useIdentityExtension(persistence);
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
  *
- * // The extension has the capability to extend `DefaultAzureCredential` and to
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
  * // add middleware to the underlying credentials, such as persistence.
  * const credential = new DefaultAzureCredential({
  *   tokenCachePersistenceOptions: {
@@ -1276,10 +1287,10 @@ const extensionContext = {
  * });
  * ```
  *
- * @param extension - the extension to register
+ * @param plugin - the plugin to register
  */
-function useIdentityExtension(extension) {
-    extension(extensionContext);
+function useIdentityPlugin(plugin) {
+    plugin(pluginContext);
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -1327,12 +1338,13 @@ class ChainedTokenCredential {
      */
     async getToken(scopes, options) {
         let token = null;
+        let successfulCredentialName = "";
         const errors = [];
         const { span, updatedOptions } = createSpan("ChainedTokenCredential-getToken", options);
         for (let i = 0; i < this._sources.length && token === null; i++) {
             try {
                 token = await this._sources[i].getToken(scopes, updatedOptions);
-                this.selectedCredential = this._sources[i];
+                successfulCredentialName = this._sources[i].constructor.name;
             }
             catch (err) {
                 if (err.name === "CredentialUnavailableError" ||
@@ -1346,7 +1358,7 @@ class ChainedTokenCredential {
             }
         }
         if (!token && errors.length > 0) {
-            const err = new AggregateAuthenticationError(errors);
+            const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
             span.setStatus({
                 code: coreTracing.SpanStatusCode.ERROR,
                 message: err.message
@@ -1355,7 +1367,7 @@ class ChainedTokenCredential {
             throw err;
         }
         span.end();
-        logger$2.getToken.info(`Result for ${this.selectedCredential.constructor.name}: ${formatSuccess(scopes)}`);
+        logger$2.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
         if (token === null) {
             throw new CredentialUnavailableError("Failed to retrieve a valid token");
         }
@@ -1759,6 +1771,9 @@ class ClientSecretCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, clientSecret, options = {}) {
+        if (!tenantId || !clientId || !clientSecret) {
+            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters.");
+        }
         this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$5,
             clientId,
             tenantId,
@@ -1781,6 +1796,40 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+const readFileAsync = util.promisify(fs.readFile);
+/**
+ * Tries to asynchronously load a certificate from the given path.
+ *
+ * @param certificatePath - Path to the certificate.
+ * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
+ * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
+ * @internal
+ */
+async function parseCertificate(certificatePath, sendCertificateChain) {
+    const certificateParts = {};
+    certificateParts.certificateContents = await readFileAsync(certificatePath, "utf8");
+    if (sendCertificateChain) {
+        certificateParts.x5c = certificateParts.certificateContents;
+    }
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateParts.certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
+        }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    }
+    certificateParts.thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return certificateParts;
+}
 /**
  * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -1789,40 +1838,24 @@ class MsalClientCertificate extends MsalNode {
     constructor(options) {
         super(options);
         this.requiresConfidential = true;
+        this.certificatePath = options.certificatePath;
         this.sendCertificateChain = options.sendCertificateChain;
-        const parts = this.parseCertificate(options.certificatePath);
-        this.msalConfig.auth.clientCertificate = {
-            thumbprint: parts.thumbprint,
-            privateKey: parts.certificateContents,
-            x5c: parts.x5c
-        };
     }
-    parseCertificate(certificatePath) {
-        const certificateParts = {};
-        certificateParts.certificateContents = fs.readFileSync(certificatePath, "utf8");
-        if (this.sendCertificateChain) {
-            certificateParts.x5c = certificateParts.certificateContents;
-        }
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateParts.certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            const error = new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        try {
+            const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+            this.msalConfig.auth.clientCertificate = {
+                thumbprint: parts.thumbprint,
+                privateKey: parts.certificateContents,
+                x5c: parts.x5c
+            };
+        }
+        catch (error) {
             this.logger.info(formatError("", error));
             throw error;
         }
-        certificateParts.thumbprint = crypto.createHash("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return certificateParts;
+        return super.init(options);
     }
     async doGetToken(scopes, options = {}) {
         try {
@@ -1864,6 +1897,9 @@ class ClientCertificateCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, certificatePath, options = {}) {
+        if (!tenantId || !clientId || !certificatePath) {
+            throw new Error("ClientCertificateCredential: tenantId, clientId, and certificatePath are required parameters.");
+        }
         this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { certificatePath,
             logger: logger$6,
             clientId,
@@ -1937,6 +1973,9 @@ class UsernamePasswordCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters.");
+        }
         this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
             clientId,
             tenantId,
@@ -2088,11 +2127,19 @@ const imdsApiVersion = "2018-02-01";
 const azureArcAPIVersion = "2019-11-01";
 
 // Copyright (c) Microsoft Corporation.
+/**
+ * Most MSIs send requests to the IMDS endpoint, or a similar endpoint. These are GET requests that require sending a `resource` parameter on the query.
+ * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
+ * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
+ *
+ * For that reason, when we encounter multiple scopes, we return undefined.
+ * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
+ */
 function mapScopesToResource(scopes) {
     let scope = "";
     if (Array.isArray(scopes)) {
         if (scopes.length !== 1) {
-            throw new Error("To convert to a resource string the specified array must be exactly length 1");
+            return;
         }
         scope = scopes[0];
     }
@@ -2105,22 +2152,24 @@ function mapScopesToResource(scopes) {
     return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
 }
 async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
-    const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal, tracingOptions: {
-            spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions,
-            tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext
-        } }, requestOptions), { allowInsecureConnection: true }));
+    const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, requestOptions), { allowInsecureConnection: true }));
     const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);
     return (tokenResponse && tokenResponse.accessToken) || null;
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$9 = credentialLogger("ManagedIdentityCredential - AppServiceMSI 2017");
+const msiName = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$9 = credentialLogger(msiName);
 function expiresInParser(requestBody) {
     // Parse a date format like "06/20/2019 02:57:58 +00:00" and
     // convert it into a JavaScript-formatted date
     return Date.parse(requestBody.expires_on);
 }
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": "2017-09-01"
@@ -2131,10 +2180,10 @@ function prepareRequestOptions(resource, clientId) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error("Missing environment variable: MSI_ENDPOINT");
+        throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);
     }
     if (!process.env.MSI_SECRET) {
-        throw new Error("Missing environment variable: MSI_SECRET");
+        throw new Error(`${msiName}: Missing environment variable: MSI_SECRET`);
     }
     return {
         url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
@@ -2146,25 +2195,36 @@ function prepareRequestOptions(resource, clientId) {
     };
 }
 const appServiceMsi2017 = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$9.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const env = process.env;
         const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
         if (!result) {
-            logger$9.info("The Azure App Service MSI 2017 is unavailable.");
+            logger$9.info(`${msiName}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger$9.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$9.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$a = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+const msiName$1 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$a = credentialLogger(msiName$1);
 // Cloud Shell MSI doesn't have a special expiresIn parser.
 const expiresInParser$1 = undefined;
-function prepareRequestOptions$1(resource, clientId) {
+function prepareRequestOptions$1(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
+    }
     const body = {
         resource
     };
@@ -2173,12 +2233,13 @@ function prepareRequestOptions$1(resource, clientId) {
     }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error("Missing environment variable: MSI_ENDPOINT");
+        throw new Error(`${msiName$1}: Missing environment variable: MSI_ENDPOINT`);
     }
+    const params = new URLSearchParams(body);
     return {
         url: process.env.MSI_ENDPOINT,
         method: "POST",
-        body: qs.stringify(body),
+        body: params.toString(),
         headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
             Metadata: "true",
@@ -2187,37 +2248,48 @@ function prepareRequestOptions$1(resource, clientId) {
     };
 }
 const cloudShellMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$a.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const result = Boolean(process.env.MSI_ENDPOINT);
         if (!result) {
-            logger$a.info("The Azure Cloud Shell MSI is unavailable.");
+            logger$a.info(`${msiName$1}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger$a.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions$1(resource, clientId), expiresInParser$1, getTokenOptions);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$a.info(`${msiName$1}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions$1(scopes, clientId), expiresInParser$1, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$b = credentialLogger("ManagedIdentityCredential - IMDS");
+const msiName$2 = "ManagedIdentityCredential - IMDS";
+const logger$b = credentialLogger(msiName$2);
 function expiresInParser$2(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger$b.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger$b.info(`${msiName$2}: IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
         // If these aren't possible, use expires_in and calculate a timestamp
         const expires = Date.now() + requestBody.expires_in * 1000;
-        logger$b.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        logger$b.info(`${msiName$2}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
         return expires;
     }
 }
-function prepareRequestOptions$2(resource, clientId) {
+function prepareRequestOptions$2(scopes, clientId) {
     var _a;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": imdsApiVersion
@@ -2225,7 +2297,8 @@ function prepareRequestOptions$2(resource, clientId) {
     if (clientId) {
         queryParameters.client_id = clientId;
     }
-    const query = qs.stringify(queryParameters);
+    const params = new URLSearchParams(queryParameters);
+    const query = params.toString();
     const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
     return {
         url: `${url}?${query}`,
@@ -2243,8 +2316,13 @@ const imdsMsiRetryConfig = {
     intervalIncrement: 2
 };
 const imdsMsi = {
-    async isAvailable(identityClient, resource, clientId, getTokenOptions) {
+    async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
         var _a, _b;
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$b.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
         // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
@@ -2257,10 +2335,7 @@ const imdsMsi = {
             // IMDS endpoint
             requestOptions.headers.delete("Metadata");
         }
-        requestOptions.tracingOptions = {
-            spanOptions: options.tracingOptions && options.tracingOptions.spanOptions,
-            tracingContext: options.tracingOptions && options.tracingOptions.tracingContext
-        };
+        requestOptions.tracingOptions = options.tracingOptions;
         try {
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
@@ -2270,18 +2345,19 @@ const imdsMsi = {
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
             try {
-                logger$b.info(`Pinging the Azure IMDS endpoint`);
+                logger$b.info(`${msiName$2}: Pinging the Azure IMDS endpoint`);
                 await identityClient.sendRequest(request);
             }
             catch (err) {
                 if ((err.name === "RestError" && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
                     err.name === "AbortError" ||
+                    err.code === "ENETUNREACH" || // Network unreachable
                     err.code === "ECONNREFUSED" || // connection refused
                     err.code === "EHOSTDOWN" // host is down
                 ) {
                     // If the request failed, or Node.js was unable to establish a connection,
                     // or the host was down, we'll assume the IMDS endpoint isn't available.
-                    logger$b.info(`The Azure IMDS endpoint is unavailable`);
+                    logger$b.info(`${msiName$2}: The Azure IMDS endpoint is unavailable`);
                     span.setStatus({
                         code: coreTracing.SpanStatusCode.ERROR,
                         message: err.message
@@ -2290,13 +2366,13 @@ const imdsMsi = {
                 }
             }
             // If we received any response, the endpoint is available
-            logger$b.info(`The Azure IMDS endpoint is available`);
+            logger$b.info(`${msiName$2}: The Azure IMDS endpoint is available`);
             return true;
         }
         catch (err) {
             // createWebResource failed.
             // This error should bubble up to the user.
-            logger$b.info(`Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
+            logger$b.info(`${msiName$2}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
             span.setStatus({
                 code: coreTracing.SpanStatusCode.ERROR,
                 message: err.message
@@ -2307,12 +2383,13 @@ const imdsMsi = {
             span.end();
         }
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger$b.info(`Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$b.info(`${msiName$2}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                return await msiGenericGetToken(identityClient, prepareRequestOptions$2(resource, clientId), expiresInParser$2, getTokenOptions);
+                return await msiGenericGetToken(identityClient, prepareRequestOptions$2(scopes, clientId), expiresInParser$2, getTokenOptions);
             }
             catch (error) {
                 if (error.statusCode === 404) {
@@ -2323,15 +2400,20 @@ const imdsMsi = {
                 throw error;
             }
         }
-        throw new AuthenticationError(404, `Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
+        throw new AuthenticationError(404, `${msiName$2}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$c = credentialLogger("ManagedIdentityCredential - ArcMSI");
+const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$c = credentialLogger(msiName$3);
 // Azure Arc MSI doesn't have a special expiresIn parser.
 const expiresInParser$3 = undefined;
-function prepareRequestOptions$3(resource) {
+function prepareRequestOptions$3(scopes) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": azureArcAPIVersion
@@ -2339,7 +2421,7 @@ function prepareRequestOptions$3(resource) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
     return coreRestPipeline.createPipelineRequest({
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
@@ -2352,7 +2434,7 @@ function prepareRequestOptions$3(resource) {
     });
 }
 // Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
-function readFileAsync(path, options) {
+function readFileAsync$1(path, options) {
     return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
         if (err) {
             reject(err);
@@ -2367,7 +2449,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         if (response.bodyAsText) {
             message = ` Response: ${response.bodyAsText}`;
         }
-        throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
     const authHeader = response.headers.get("www-authenticate") || "";
     try {
@@ -2378,32 +2460,113 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
     }
 }
 const arcMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$c.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$c.info("The Azure Arc MSI is unavailable.");
+            logger$c.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+    async getToken(configuration, getTokenOptions = {}) {
         var _a;
-        logger$c.info(`Using the Azure Arc MSI to authenticate.`);
+        const { identityClient, scopes, clientId } = configuration;
+        logger$c.info(`${msiName$3}: Authenticating.`);
         if (clientId) {
-            throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
+            throw new Error(`${msiName$3}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`);
         }
-        const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions$3(resource));
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
-            throw new Error("Azure Arc MSI failed to find the token file.");
+            throw new Error(`${msiName$3}: Failed to find the token file.`);
         }
-        const key = await readFileAsync(filePath, { encoding: "utf-8" });
+        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$d = credentialLogger("ManagedIdentityCredential");
+const msiName$4 = "ManagedIdentityCredential - Token Exchange";
+const logger$d = credentialLogger(msiName$4);
+const readFileAsync$2 = util.promisify(fs__default.readFile);
+function expiresInParser$4(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions$4(scopes, clientAssertion, clientId) {
+    var _a;
+    const bodyParams = {
+        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
+        client_assertion: clientAssertion,
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        client_id: clientId,
+        grant_type: "client_credentials"
+    };
+    const urlParams = new URLSearchParams(bodyParams);
+    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
+    return {
+        url: url.toString(),
+        method: "POST",
+        body: urlParams.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json"
+        })
+    };
+}
+function tokenExchangeMsi() {
+    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    let azureFederatedTokenFileContent = undefined;
+    let cacheDate = undefined;
+    // Only reads from the assertion file once every 5 minutes
+    async function readAssertion() {
+        // Cached assertions expire after 5 minutes
+        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
+            azureFederatedTokenFileContent = undefined;
+        }
+        if (!azureFederatedTokenFileContent) {
+            const file = await readFileAsync$2(azureFederatedTokenFilePath, "utf8");
+            const value = file.trim();
+            if (!value) {
+                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            else {
+                azureFederatedTokenFileContent = value;
+                cacheDate = Date.now();
+            }
+        }
+        return azureFederatedTokenFileContent;
+    }
+    return {
+        async isAvailable(_scopes, _identityClient, clientId) {
+            const env = process.env;
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            if (!result) {
+                logger$d.info(`${msiName$4}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            return result;
+        },
+        async getToken(configuration, getTokenOptions = {}) {
+            const { identityClient, scopes, clientId } = configuration;
+            logger$d.info(`${msiName$4}: Using the client assertion coming from environment variables.`);
+            let assertion;
+            try {
+                assertion = await readAssertion();
+            }
+            catch (err) {
+                throw new Error(`${msiName$4}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            return msiGenericGetToken(identityClient, prepareRequestOptions$4(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID), expiresInParser$4, getTokenOptions);
+        }
+    };
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$e = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity that has been assigned
  * to the deployment environment.  This authentication type works in Azure VMs,
@@ -2430,15 +2593,15 @@ class ManagedIdentityCredential {
             this.identityClient = new IdentityClient(clientIdOrOptions);
         }
     }
-    async cachedAvailableMSI(resource, clientId, getTokenOptions) {
+    async cachedAvailableMSI(scopes, clientId, getTokenOptions) {
         if (this.cachedMSI) {
             return this.cachedMSI;
         }
         // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
         // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
-        const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];
+        const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
         for (const msi of MSIs) {
-            if (await msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {
+            if (await msi.isAvailable(scopes, this.identityClient, clientId, getTokenOptions)) {
                 this.cachedMSI = msi;
                 return msi;
             }
@@ -2446,12 +2609,15 @@ class ManagedIdentityCredential {
         throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
     }
     async authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
-        const resource = mapScopesToResource(scopes);
         const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
         try {
             // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-            const availableMSI = await this.cachedAvailableMSI(resource, clientId, updatedOptions);
-            return availableMSI.getToken(this.identityClient, resource, clientId, updatedOptions);
+            const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);
+            return availableMSI.getToken({
+                identityClient: this.identityClient,
+                scopes,
+                clientId
+            }, updatedOptions);
         }
         catch (err) {
             span.setStatus({
@@ -2490,7 +2656,7 @@ class ManagedIdentityCredential {
                     // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
                     // yet we had no access token. For this reason, we'll throw once with a specific message:
                     const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$d.getToken.info(formatError(scopes, error));
+                    logger$e.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
@@ -2502,10 +2668,10 @@ class ManagedIdentityCredential {
                 // We've previously determined that the endpoint was unavailable,
                 // either because it was unreachable or permanently unable to authenticate.
                 const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$d.getToken.info(formatError(scopes, error));
+                logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
-            logger$d.getToken.info(formatSuccess(scopes));
+            logger$e.getToken.info(formatSuccess(scopes));
             return result;
         }
         catch (err) {
@@ -2526,21 +2692,21 @@ class ManagedIdentityCredential {
             // If either the network is unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. Network unreachable.");
-                logger$d.getToken.info(formatError(scopes, error));
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`);
+                logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
-                logger$d.getToken.info(formatError(scopes, error));
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
             // and it means that the endpoint is working, but that no identity is available.
             if (err.statusCode === 400) {
-                throw new CredentialUnavailableError("The managed identity endpoint is indicating there's no available identity");
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
@@ -2599,19 +2765,16 @@ const defaultCredentials = [
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * **Note**: `VisualStudioCodeCredential` is provided by an extension package:
- * `@azure/identity-vscode`. If this package is not installed and registered
- * using the extension API (`useIdentityExtension`), then authentication using
- * `VisualStudioCodeCredential` will not be available.
- *
- * Azure Identity extensions may add credential types to the default credential
- * stack.
  */
 class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
      */
     constructor(options) {
@@ -2765,7 +2928,7 @@ class MsalOpenBrowser extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$e = credentialLogger("InteractiveBrowserCredential");
+const logger$f = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
@@ -2787,7 +2950,7 @@ class InteractiveBrowserCredential {
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
-        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$e,
+        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$f,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
@@ -2865,7 +3028,7 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$f = credentialLogger("DeviceCodeCredential");
+const logger$g = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
  * @param deviceCodeInfo - The device code.
@@ -2885,7 +3048,7 @@ class DeviceCodeCredential {
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
-        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$f, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
+        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$g, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
@@ -2926,7 +3089,45 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$g = credentialLogger("AuthorizationCodeCredential");
+/**
+ * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
+ * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
+ * @internal
+ */
+class MsalAuthorizationCode extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.logger = credentialLogger("NodeJS MSAL Authorization Code");
+        this.redirectUri = options.redirectUri;
+        this.authorizationCode = options.authorizationCode;
+        if (options.clientSecret) {
+            this.msalConfig.auth.clientSecret = options.clientSecret;
+        }
+    }
+    async getAuthCodeUrl(options) {
+        await this.init();
+        return this.confidentialApp.getAuthCodeUrl(options);
+    }
+    async doGetToken(scopes, options) {
+        var _a;
+        try {
+            const result = await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+                scopes,
+                redirectUri: this.redirectUri,
+                code: this.authorizationCode
+            }));
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$h = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
  * that was obtained through the authorization code flow, described in more detail
@@ -2940,26 +3141,23 @@ class AuthorizationCodeCredential {
      * @internal
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
-        this.lastTokenResponse = null;
-        checkTenantId(logger$g, tenantId);
-        this.clientId = clientId;
-        this.tenantId = tenantId;
+        checkTenantId(logger$h, tenantId);
+        let clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
-            this.clientSecret = clientSecretOrAuthorizationCode;
             this.authorizationCode = authorizationCodeOrRedirectUri;
             this.redirectUri = redirectUriOrOptions;
             // options okay
         }
         else {
             // clientId only
-            this.clientSecret = undefined;
             this.authorizationCode = clientSecretOrAuthorizationCode;
             this.redirectUri = authorizationCodeOrRedirectUri;
+            clientSecret = undefined;
             options = redirectUriOrOptions;
         }
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
-        this.identityClient = new IdentityClient(options);
+        this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
+            clientId, tokenCredentialOptions: options || {}, logger: logger$h, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -2969,67 +3167,11 @@ class AuthorizationCodeCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    async getToken(scopes, options) {
-        var _a, _b;
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
-            this.tenantId;
-        const { span, updatedOptions } = createSpan("AuthorizationCodeCredential-getToken", options);
-        try {
-            let tokenResponse = null;
-            let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
-            if (scopeString.indexOf("offline_access") < 0) {
-                scopeString += " offline_access";
-            }
-            // Try to use the refresh token first
-            if (this.lastTokenResponse && this.lastTokenResponse.refreshToken) {
-                tokenResponse = await this.identityClient.refreshAccessToken(tenantId, this.clientId, scopeString, this.lastTokenResponse.refreshToken, this.clientSecret, undefined, updatedOptions);
-            }
-            const query = new URLSearchParams({
-                client_id: this.clientId,
-                grant_type: "authorization_code",
-                scope: scopeString,
-                code: this.authorizationCode,
-                redirect_uri: this.redirectUri
-            });
-            if (this.clientSecret) {
-                query.set("client_secret", this.clientSecret);
-            }
-            if (tokenResponse === null) {
-                const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
-                const pipelineRequest = coreRestPipeline.createPipelineRequest({
-                    url: `${this.identityClient.authorityHost}/${tenantId}/${urlSuffix}`,
-                    method: "POST",
-                    body: query.toString(),
-                    headers: coreRestPipeline.createHttpHeaders({
-                        Accept: "application/json",
-                        "Content-Type": "application/x-www-form-urlencoded"
-                    }),
-                    tracingOptions: {
-                        spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
-                        tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext
-                    }
-                });
-                tokenResponse = await this.identityClient.sendTokenRequest(pipelineRequest, (response) => new Date(response === null || response === void 0 ? void 0 : response.expires_on).getTime());
-            }
-            this.lastTokenResponse = tokenResponse;
-            logger$g.getToken.info(formatSuccess(scopes));
-            const token = tokenResponse && tokenResponse.accessToken;
-            if (!token) {
-                throw new CredentialUnavailableError("Failed to retrieve a valid token");
-            }
-            return token;
-        }
-        catch (err) {
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message
-            });
-            logger$g.getToken.info(formatError(scopes, err));
-            throw err;
-        }
-        finally {
-            span.end();
-        }
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+        });
     }
 }
 
@@ -3049,9 +3191,6 @@ const ApplicationCredentials = [
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Azure Identity extensions may add credential types to the default credential
- * stack.
  */
 class ApplicationCredential extends ChainedTokenCredential {
     /**
@@ -3066,6 +3205,116 @@ class ApplicationCredential extends ChainedTokenCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
+ * @internal
+ */
+class MsalOnBehalfOf extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.logger.info("Initialized MSAL's On-Behalf-Of flow");
+        this.requiresConfidential = true;
+        this.userAssertionToken = options.userAssertionToken;
+        this.certificatePath = options.certificatePath;
+        this.sendCertificateChain = options.sendCertificateChain;
+        this.clientSecret = options.clientSecret;
+    }
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        if (this.certificatePath) {
+            try {
+                const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+                this.msalConfig.auth.clientCertificate = {
+                    thumbprint: parts.thumbprint,
+                    privateKey: parts.certificateContents,
+                    x5c: parts.x5c
+                };
+            }
+            catch (error) {
+                this.logger.info(formatError("", error));
+                throw error;
+            }
+        }
+        else {
+            this.msalConfig.auth.clientSecret = this.clientSecret;
+        }
+        return super.init(options);
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+                scopes,
+                correlationId: options.correlationId,
+                authority: options.authority,
+                oboAssertion: this.userAssertionToken
+            });
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const credentialName = "OnBehalfOfCredential";
+const logger$i = credentialLogger(credentialName);
+/**
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ */
+class OnBehalfOfCredential {
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param configuration - Configuration specific to this credential.
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(configuration, options = {}) {
+        this.configuration = configuration;
+        this.options = options;
+        const { tenantId, clientId, userAssertionToken } = configuration;
+        const secretConfiguration = configuration;
+        const certificateConfiguration = configuration;
+        if (!tenantId ||
+            !clientId ||
+            !(secretConfiguration.clientSecret || certificateConfiguration.certificatePath) ||
+            !userAssertionToken) {
+            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+        }
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign(Object.assign({}, this.options), this.configuration), { logger: logger$i, tokenCredentialOptions: this.options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
 // Copyright (c) Microsoft Corporation.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
@@ -3093,11 +3342,12 @@ exports.DeviceCodeCredential = DeviceCodeCredential;
 exports.EnvironmentCredential = EnvironmentCredential;
 exports.InteractiveBrowserCredential = InteractiveBrowserCredential;
 exports.ManagedIdentityCredential = ManagedIdentityCredential;
+exports.OnBehalfOfCredential = OnBehalfOfCredential;
 exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
 exports.logger = logger;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
-exports.useIdentityExtension = useIdentityExtension;
+exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map