@azure/identity 2.0.0-beta.5 → 2.0.1

package/types/identity.d.ts

@@ -3,6 +3,7 @@ import { AzureLogger } from '@azure/logger';
 import { CommonClientOptions } from '@azure/core-client';
 import { GetTokenOptions } from '@azure/core-auth';
 import { TokenCredential } from '@azure/core-auth';
+
 export { AccessToken }
 
 /**
@@ -23,41 +24,6 @@ export declare class AggregateAuthenticationError extends Error {
  */
 export declare const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
 
-/**
- * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
-
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
- *
- * Azure Identity extensions may add credential types to the default credential
- * stack.
- */
-export declare class ApplicationCredential extends ChainedTokenCredential {
-    /**
-     * Creates an instance of the ApplicationCredential class.
-     *
-     * @param options - Optional parameters. See {@link ApplicationCredentialOptions}.
-     */
-    constructor(options?: ApplicationCredentialOptions);
-}
-
-/**
- * Provides options to configure the {@link ApplicationCredential} class.
- */
-export declare interface ApplicationCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
-    /**
-     * Optionally pass in a user assigned client ID to be used by the {@link ManagedIdentityCredential}.
-     * This client ID can also be passed through to the {@link ManagedIdentityCredential} through the environment variable: AZURE_CLIENT_ID.
-     */
-    managedIdentityClientId?: string;
-}
-
 /**
  * Provides details about a failure to authenticate with Azure Active
  * Directory.  The `errorResponse` field contains more details about
@@ -115,18 +81,32 @@ export declare class AuthenticationRequiredError extends Error {
      */
     scopes: string[];
     /**
-     * The options used to configure the getToken request.
+     * The options passed to the getToken request.
      */
-    getTokenOptions: GetTokenOptions;
+    getTokenOptions?: GetTokenOptions;
     constructor(
+    /**
+     * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
+     */
+    options: AuthenticationRequiredErrorOptions);
+}
+
+/**
+ * Optional parameters to the {@link AuthenticationRequiredError}
+ */
+export declare interface AuthenticationRequiredErrorOptions {
     /**
      * The list of scopes for which the token will have access.
      */
-    scopes: string[], 
+    scopes: string[];
     /**
-     * The options used to configure the getToken request.
+     * The options passed to the getToken request.
      */
-    getTokenOptions?: GetTokenOptions, message?: string);
+    getTokenOptions?: GetTokenOptions;
+    /**
+     * The message of the error.
+     */
+    message?: string;
 }
 
 /**
@@ -137,14 +117,10 @@ export declare class AuthenticationRequiredError extends Error {
  * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
  */
 export declare class AuthorizationCodeCredential implements TokenCredential {
-    private identityClient;
-    private tenantId;
-    private clientId;
-    private clientSecret;
+    private msalFlow;
+    private disableAutomaticAuthentication?;
     private authorizationCode;
     private redirectUri;
-    private lastTokenResponse;
-    private allowMultiTenantAuthentication?;
     /**
      * Creates an instance of CodeFlowCredential with the details needed
      * to request an access token using an authentication that was obtained
@@ -161,10 +137,10 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param clientSecret - A client secret that was generated for the App Registration
      * @param authorizationCode - An authorization code that was received from following the
-                                authorization code flow.  This authorization code must not
-                                have already been used to obtain an access token.
+     authorization code flow.  This authorization code must not
+     have already been used to obtain an access token.
      * @param redirectUri - The redirect URI that was used to request the authorization code.
-                          Must be the same URI that is configured for the App Registration.
+     Must be the same URI that is configured for the App Registration.
      * @param options - Options for configuring the client which makes the access token request.
      */
     constructor(tenantId: string | "common", clientId: string, clientSecret: string, authorizationCode: string, redirectUri: string, options?: TokenCredentialOptions);
@@ -183,10 +159,10 @@ export declare class AuthorizationCodeCredential implements TokenCredential {
      *                 'common' may be used when dealing with multi-tenant scenarios.
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param authorizationCode - An authorization code that was received from following the
-                                authorization code flow.  This authorization code must not
-                                have already been used to obtain an access token.
+     authorization code flow.  This authorization code must not
+     have already been used to obtain an access token.
      * @param redirectUri - The redirect URI that was used to request the authorization code.
-                          Must be the same URI that is configured for the App Registration.
+     Must be the same URI that is configured for the App Registration.
      * @param options - Options for configuring the client which makes the access token request.
      */
     constructor(tenantId: string | "common", clientId: string, authorizationCode: string, redirectUri: string, options?: TokenCredentialOptions);
@@ -228,15 +204,15 @@ export declare enum AzureAuthorityHosts {
  * via the Azure CLI ('az') commandline tool.
  * To do so, it will read the user access token and expire time
  * with Azure CLI command "az account get-access-token".
- * To be able to use this credential, ensure that you have already logged
- * in via the 'az' tool using the command "az login" from the commandline.
  */
 export declare class AzureCliCredential implements TokenCredential {
     private tenantId?;
-    private allowMultiTenantAuthentication?;
     /**
      * Creates an instance of the {@link AzureCliCredential}.
      *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options?: AzureCliCredentialOptions);
@@ -265,18 +241,17 @@ export declare interface AzureCliCredentialOptions extends TokenCredentialOption
  * This credential will use the currently logged-in user information from the
  * Azure PowerShell module. To do so, it will read the user access token and
  * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
- *
- * To be able to use this credential:
- * - Install the Azure Az PowerShell module with:
- *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
- * - You have already logged in to Azure PowerShell using the command
- * `Connect-AzAccount` from the command line.
  */
 export declare class AzurePowerShellCredential implements TokenCredential {
     private tenantId?;
-    private allowMultiTenantAuthentication?;
     /**
-     * Creates an instance of the {@link AzurePowershellCredential}.
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
      *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
@@ -293,7 +268,7 @@ export declare class AzurePowerShellCredential implements TokenCredential {
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this TokenCredential implementation might make.
      */
-    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
 }
 
 /**
@@ -327,10 +302,6 @@ export declare class ChainedTokenCredential implements TokenCredential {
      */
     protected UnavailableMessage: string;
     private _sources;
-    /**
-     * The selected credential, in case users want to read it or use it directly.
-     */
-    selectedCredential?: TokenCredential;
     /**
      * Creates an instance of ChainedTokenCredential using the given credentials.
      *
@@ -380,6 +351,17 @@ export declare class ClientCertificateCredential implements TokenCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId: string, clientId: string, certificatePath: string, options?: ClientCertificateCredentialOptions);
+    /**
+     * Creates an instance of the ClientCertificateCredential with the details
+     * needed to authenticate against Azure Active Directory with a certificate.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param configuration - Other parameters required, including the PEM-encoded certificate as a string, or as a path on the filesystem.
+     *                        If the type is ignored, we will throw if both the value of the PEM certificate and the path to a PEM certificate are provided at the same time.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId: string, clientId: string, configuration: ClientCertificateCredentialPEMConfiguration, options?: ClientCertificateCredentialOptions);
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
@@ -400,13 +382,30 @@ export declare interface ClientCertificateCredentialOptions extends TokenCredent
      * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
      */
     sendCertificateChain?: boolean;
+}
+
+/**
+ * Required configuration options for the {@link ClientCertificateCredential}, with either the string contents of a PEM certificate, or the path to a PEM certificate.
+ */
+export declare type ClientCertificateCredentialPEMConfiguration = {
     /**
-     * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
-     * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
-     * If the property is not specified, the credential uses the global authority endpoint.
+     * The PEM-encoded public/private key certificate on the filesystem.
      */
-    regionalAuthority?: string;
-}
+    certificate: string;
+    /**
+     * The PEM-encoded public/private key certificate on the filesystem     should not be provided if `certificate` is provided.
+     */
+    certificatePath?: never;
+} | {
+    /**
+     * The PEM-encoded public/private key certificate on the filesystem should not be provided if `certificatePath` is provided.
+     */
+    certificate?: never;
+    /**
+     * The path to the PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificatePath: string;
+};
 
 /**
  * Enables authentication to Azure Active Directory using a client secret
@@ -444,12 +443,6 @@ export declare class ClientSecretCredential implements TokenCredential {
  * Optional parameters for the {@link ClientSecretCredential} class.
  */
 export declare interface ClientSecretCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
-    /**
-     * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
-     * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
-     * If the property is not specified, the credential uses the global authority endpoint.
-     */
-    regionalAuthority?: string;
 }
 
 /**
@@ -461,21 +454,21 @@ export declare interface CredentialPersistenceOptions {
      * Options to provide to the persistence layer (if one is available) when
      * storing credentials.
      *
-     * You must first register a persistence provider as an extension. See the
+     * You must first register a persistence provider plugin. See the
      * `@azure/identity-cache-persistence` package on NPM.
      *
      * Example:
      *
-     * ```typescript
-     * import persistence from "@azure/identity-cache-persistence";
-     * import { useIdentityExtension, DeviceCodeCredential } from "@azure/identity";
+     * ```javascript
+     * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+     * import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
      *
-     * useIdentityExtension(persistence);
+     * useIdentityPlugin(cachePersistencePlugin);
      *
      * async function main() {
      *   const credential = new DeviceCodeCredential({
      *     tokenCachePersistenceOptions: {
-     *       name: "mycustomcachename"
+     *       enabled: true
      *     }
      *   });
      * }
@@ -485,7 +478,7 @@ export declare interface CredentialPersistenceOptions {
      *   process.exit(1);
      * });
      * ```
-  -  */
+     */
     tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
 }
 
@@ -505,30 +498,31 @@ export declare const CredentialUnavailableErrorName = "CredentialUnavailableErro
 
 /**
  * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
- * - {@link VisualStudioCodeCredential}
- * - {@link AzureCliCredential}
- * - {@link AzurePowerShellCredential}
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
- *
- * **Note**: `VisualStudioCodeCredential` is provided by an extension package:
- * `@azure/identity-vscode`. If this package is not installed and registered
- * using the extension API (`useIdentityExtension`), then authentication using
- * `VisualStudioCodeCredential` will not be available.
- *
- * Azure Identity extensions may add credential types to the default credential
- * stack.
+ * work for most applications that use the Azure SDK.
  */
 export declare class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * This credential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications that use the Azure SDK.
+     *
+     * The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     * - {@link VisualStudioCodeCredential}
+     * - {@link AzureCliCredential}
+     * - {@link AzurePowerShellCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
      */
     constructor(options?: DefaultAzureCredentialOptions);
@@ -537,7 +531,7 @@ export declare class DefaultAzureCredential extends ChainedTokenCredential {
 /**
  * Provides options to configure the {@link DefaultAzureCredential} class.
  */
-export declare interface DefaultAzureCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+export declare interface DefaultAzureCredentialOptions extends TokenCredentialOptions {
     /**
      * Optionally pass in a Tenant ID to be used as part of the credential.
      * By default it may use a generic tenant ID depending on the underlying credential.
@@ -582,6 +576,20 @@ export declare class DeviceCodeCredential implements TokenCredential {
      * Creates an instance of DeviceCodeCredential with the details needed
      * to initiate the device code authorization flow with Azure Active Directory.
      *
+     * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
+     *
+     * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
+     *
+     * ```js
+     * const credential = new DeviceCodeCredential({
+     *   tenantId: env.AZURE_TENANT_ID,
+     *   clientId: env.AZURE_CLIENT_ID,
+     *   userPromptCallback: (info) => {
+     *     console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
+     *   }
+     * });
+     * ```
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options?: DeviceCodeCredentialOptions);
@@ -662,23 +670,7 @@ export declare type DeviceCodePromptCallback = (deviceCodeInfo: DeviceCodeInfo)
 
 /**
  * Enables authentication to Azure Active Directory using client secret
- * details configured in the following environment variables:
- *
- * Required environment variables:
- * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
- * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
- *
- * Environment variables used for client credential authentication:
- * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
- * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
- *
- * Alternatively, users can provide environment variables for username and password authentication:
- * - `AZURE_USERNAME`: Username to authenticate with.
- * - `AZURE_PASSWORD`: Password to authenticate with.
- *
- * This credential ultimately uses a {@link ClientSecretCredential} to
- * perform the authentication using these details.  Please consult the
- * documentation of that class for more details.
+ * details configured in environment variables
  */
 export declare class EnvironmentCredential implements TokenCredential {
     private _credential?;
@@ -716,7 +708,7 @@ export declare class EnvironmentCredential implements TokenCredential {
  * Enables authentication to Azure Active Directory depending on the available environment variables.
  * Defines options for the EnvironmentCredential class.
  */
-export declare interface EnvironmentCredentialOptions extends TokenCredentialOptions, CredentialPersistenceOptions {
+export declare interface EnvironmentCredentialOptions extends TokenCredentialOptions {
 }
 
 /**
@@ -758,24 +750,18 @@ export declare interface ErrorResponse {
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */
 export declare function getDefaultAzureCredential(): TokenCredential;
+
 export { GetTokenOptions }
 
 /**
- * The type of an Azure Identity Extension, a function accepting an extension
+ * The type of an Azure Identity plugin, a function accepting a plugin
  * context.
  */
-export declare type IdentityExtension = (context: unknown) => void;
+export declare type IdentityPlugin = (context: unknown) => void;
 
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
- *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
- * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
- *
- * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
- * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 export declare class InteractiveBrowserCredential implements TokenCredential {
     private msalFlow;
@@ -783,9 +769,16 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
+     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
-    constructor(options?: InteractiveBrowserCredentialOptions | InteractiveBrowserCredentialBrowserOptions);
+    constructor(options?: InteractiveBrowserCredentialNodeOptions | InteractiveBrowserCredentialInBrowserOptions);
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
@@ -818,7 +811,7 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
 /**
  * Defines the common options for the InteractiveBrowserCredential class.
  */
-export declare interface InteractiveBrowserCredentialBrowserOptions extends InteractiveCredentialOptions {
+export declare interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {
     /**
      * Gets the redirect URI of the application. This should be same as the value
      * in the application registration portal.  Defaults to `window.location.href`.
@@ -850,7 +843,7 @@ export declare interface InteractiveBrowserCredentialBrowserOptions extends Inte
 /**
  * Defines the common options for the InteractiveBrowserCredential class.
  */
-export declare interface InteractiveBrowserCredentialOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {
+export declare interface InteractiveBrowserCredentialNodeOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {
     /**
      * Gets the redirect URI of the application. This should be same as the value
      * in the application registration portal.  Defaults to `window.location.href`.
@@ -941,115 +934,107 @@ export declare class ManagedIdentityCredential implements TokenCredential {
 }
 
 /**
- * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
-export declare enum RegionalAuthority {
-    /** Instructs MSAL to attempt to discover the region */
-    AutoDiscoverRegion = "AutoDiscoverRegion",
-    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
-    USWest = "westus",
-    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
-    USWest2 = "westus2",
-    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
-    USCentral = "centralus",
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
-    USEast = "eastus",
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
-    USEast2 = "eastus2",
-    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
-    USNorthCentral = "northcentralus",
-    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
-    USSouthCentral = "southcentralus",
-    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
-    USWestCentral = "westcentralus",
-    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
-    CanadaCentral = "canadacentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
-    CanadaEast = "canadaeast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
-    BrazilSouth = "brazilsouth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
-    EuropeNorth = "northeurope",
-    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
-    EuropeWest = "westeurope",
-    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
-    UKSouth = "uksouth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
-    UKWest = "ukwest",
-    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
-    FranceCentral = "francecentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
-    FranceSouth = "francesouth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
-    SwitzerlandNorth = "switzerlandnorth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
-    SwitzerlandWest = "switzerlandwest",
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
-    GermanyNorth = "germanynorth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
-    GermanyWestCentral = "germanywestcentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
-    NorwayWest = "norwaywest",
-    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
-    NorwayEast = "norwayeast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
-    AsiaEast = "eastasia",
-    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
-    AsiaSouthEast = "southeastasia",
-    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
-    JapanEast = "japaneast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
-    JapanWest = "japanwest",
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
-    AustraliaEast = "australiaeast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
-    AustraliaSouthEast = "australiasoutheast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
-    AustraliaCentral = "australiacentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
-    AustraliaCentral2 = "australiacentral2",
-    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
-    IndiaCentral = "centralindia",
-    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
-    IndiaSouth = "southindia",
-    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
-    IndiaWest = "westindia",
-    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
-    KoreaSouth = "koreasouth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
-    KoreaCentral = "koreacentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
-    UAECentral = "uaecentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
-    UAENorth = "uaenorth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
-    SouthAfricaNorth = "southafricanorth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
-    SouthAfricaWest = "southafricawest",
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
-    ChinaNorth = "chinanorth",
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
-    ChinaEast = "chinaeast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
-    ChinaNorth2 = "chinanorth2",
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
-    ChinaEast2 = "chinaeast2",
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
-    GermanyCentral = "germanycentral",
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
-    GermanyNorthEast = "germanynortheast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
-    GovernmentUSVirginia = "usgovvirginia",
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
-    GovernmentUSIowa = "usgoviowa",
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
-    GovernmentUSArizona = "usgovarizona",
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
-    GovernmentUSTexas = "usgovtexas",
-    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
-    GovernmentUSDodEast = "usdodeast",
-    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
-    GovernmentUSDodCentral = "usdodcentral"
+export declare class OnBehalfOfCredential implements TokenCredential {
+    private options;
+    private msalFlow;
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(options: OnBehalfOfCredentialOptions);
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.
+ */
+export declare interface OnBehalfOfCredentialCertificateOptions {
+    /**
+     * The Azure Active Directory tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * The path to a PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificatePath: string;
+    /**
+     * Option to include x5c header for SubjectName and Issuer name authorization.
+     * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
+     */
+    sendCertificateChain?: boolean;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+    /**
+     * Client secret should not be provided when certificate options are provided.
+     */
+    clientSecret?: never;
+}
+
+/**
+ * Optional parameters for the {@link OnBehalfOfCredential} class.
+ */
+export declare type OnBehalfOfCredentialOptions = (OnBehalfOfCredentialSecretOptions | OnBehalfOfCredentialCertificateOptions) & TokenCredentialOptions & CredentialPersistenceOptions;
+
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.
+ */
+export declare interface OnBehalfOfCredentialSecretOptions {
+    /**
+     * The Azure Active Directory tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * A client secret that was generated for the App Registration.
+     */
+    clientSecret: string;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+    /**
+     * The path to a PEM-encoded certificate should not be provided when the secret options are provided.
+     */
+    certificatePath?: never;
+    /**
+     * Option to include x5c header should not be provided when the secret options are provided.
+     */
+    sendCertificateChain?: never;
 }
 
 /**
@@ -1081,8 +1066,7 @@ export declare interface TokenCachePersistenceOptions {
      *
      * Based on this identifier, the persistence file will be located in any of the following places:
      * - Darwin: '/Users/user/.IdentityService/<name>'
-     * - Windows 8: 'C:\\Users\\user\\AppData\\Local\\.IdentityService\\<name>'
-     * - Windows XP: 'C:\\Documents and Settings\\user\\Application Data\\Local\\.IdentityService\\<name>'
+     * - Windows 8+: 'C:\\Users\\user\\AppData\\Local\\.IdentityService\\<name>'
      * - Linux: '/home/user/.IdentityService/<name>'
      */
     name?: string;
@@ -1090,8 +1074,9 @@ export declare interface TokenCachePersistenceOptions {
      * If set to true, the cache will be stored without encryption if no OS level user encryption is available.
      * When set to false, the PersistentTokenCache will throw an error if no OS level user encryption is available.
      */
-    allowUnencryptedStorage?: boolean;
+    unsafeAllowUnencryptedStorage?: boolean;
 }
+
 export { TokenCredential }
 
 /**
@@ -1105,15 +1090,11 @@ export declare interface TokenCredentialOptions extends CommonClientOptions {
      * The default is "https://login.microsoftonline.com".
      */
     authorityHost?: string;
-    /**
-     * If set to true, allows authentication flows to change the tenantId of the request if a different tenantId is received from a challenge or through a direct getToken call.
-     */
-    allowMultiTenantAuthentication?: boolean;
 }
 
 /**
- * Extend Azure Identity with additional functionality. Pass an extension from
- * an extension package, such as:
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
  *
  * - `@azure/identity-cache-persistence`: provides persistent token caching
  * - `@azure/identity-vscode`: provides the dependencies of
@@ -1122,12 +1103,12 @@ export declare interface TokenCredentialOptions extends CommonClientOptions {
  * Example:
  *
  * ```javascript
- * import { cachePersistenceExtension } from "@azure/identity-cache-persistence";
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
  *
- * import { useIdentityExtension, DefaultAzureCredential } from "@azure/identity";
- * useIdentityExtension(persistence);
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
  *
- * // The extension has the capability to extend `DefaultAzureCredential` and to
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
  * // add middleware to the underlying credentials, such as persistence.
  * const credential = new DefaultAzureCredential({
  *   tokenCachePersistenceOptions: {
@@ -1136,9 +1117,9 @@ export declare interface TokenCredentialOptions extends CommonClientOptions {
  * });
  * ```
  *
- * @param extension - the extension to register
+ * @param plugin - the plugin to register
  */
-export declare function useIdentityExtension(extension: IdentityExtension): void;
+export declare function useIdentityPlugin(plugin: IdentityPlugin): void;
 
 /**
  * Enables authentication to Azure Active Directory with a user's
@@ -1182,7 +1163,7 @@ export declare interface UsernamePasswordCredentialOptions extends TokenCredenti
 }
 
 /**
- * Connect to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
  * Once the user has logged in via the extension, this credential can share the same refresh token
  * that is cached by the extension.
  */
@@ -1190,10 +1171,14 @@ export declare class VisualStudioCodeCredential implements TokenCredential {
     private identityClient;
     private tenantId;
     private cloudName;
-    private allowMultiTenantAuthentication?;
     /**
      * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(options?: VisualStudioCodeCredentialOptions);