@azure/identity 2.0.0-beta.5 → 2.0.1

package/dist/index.js

@@ -10,7 +10,7 @@ var coreTracing = require('@azure/core-tracing');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var abortController = require('@azure/abort-controller');
-var logger$h = require('@azure/logger');
+var logger$k = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
 var uuid = require('uuid');
 var fs = require('fs');
@@ -18,8 +18,10 @@ var fs__default = _interopDefault(fs);
 var os = _interopDefault(require('os'));
 var path = _interopDefault(require('path'));
 var child_process = require('child_process');
+var child_process__default = _interopDefault(child_process);
 var crypto = require('crypto');
-var qs = _interopDefault(require('qs'));
+var util = require('util');
+var https = _interopDefault(require('https'));
 var http = _interopDefault(require('http'));
 var open = _interopDefault(require('open'));
 var stoppable = _interopDefault(require('stoppable'));
@@ -149,7 +151,7 @@ const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
 class AggregateAuthenticationError extends Error {
     constructor(errors, errorMessage) {
         const errorDetail = errors.join("\n");
-        super(`${errorMessage}\n\n${errorDetail}`);
+        super(`${errorMessage}\n${errorDetail}`);
         this.errors = errors;
         // Ensure that this type reports the correct name
         this.name = AggregateAuthenticationErrorName;
@@ -165,6 +167,21 @@ function convertOAuthErrorResponseToErrorResponse(errorBody) {
         traceId: errorBody.trace_id
     };
 }
+/**
+ * Error used to enforce authentication after trying to retrieve a token silently.
+ */
+class AuthenticationRequiredError extends Error {
+    constructor(
+    /**
+     * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
+     */
+    options) {
+        super(options.message);
+        this.scopes = options.scopes;
+        this.getTokenOptions = options.getTokenOptions;
+        this.name = "AuthenticationRequiredError";
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -183,7 +200,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
  * @internal
  */
 const createSpan = coreTracing.createSpanFunction({
-    packagePrefix: "Azure.Identity",
+    packagePrefix: "",
     namespace: "Microsoft.AAD"
 });
 /**
@@ -224,7 +241,7 @@ async function trace(operationName, options, fn, createSpanFn = createSpan) {
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger = logger$h.createClientLogger("identity");
+const logger = logger$k.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -315,7 +332,7 @@ function getIdentityClientAuthorityHost(options) {
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
         var _a;
-        const packageDetails = `azsdk-js-identity/2.0.0-beta.5`;
+        const packageDetails = `azsdk-js-identity/2.0.1`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -359,7 +376,6 @@ class IdentityClient extends coreClient.ServiceClient {
         }
     }
     async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
-        var _a, _b;
         if (refreshToken === undefined) {
             return null;
         }
@@ -386,10 +402,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     Accept: "application/json",
                     "Content-Type": "application/x-www-form-urlencoded"
                 }),
-                tracingOptions: {
-                    spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
-                    tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext
-                }
+                tracingOptions: updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions
             });
             const response = await this.sendTokenRequest(request, expiresOnParser);
             logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
@@ -515,28 +528,6 @@ function resolveTenantId(logger, tenantId, clientId) {
     return "organizations";
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Error used to enforce authentication after trying to retrieve a token silently.
- */
-class AuthenticationRequiredError extends Error {
-    constructor(
-    /**
-     * The list of scopes for which the token will have access.
-     */
-    scopes, 
-    /**
-     * The options used to configure the getToken request.
-     */
-    getTokenOptions = {}, message) {
-        super(message);
-        this.scopes = scopes;
-        this.getTokenOptions = getTokenOptions;
-        this.name = "AuthenticationRequiredError";
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 /**
  * Latest AuthenticationRecord version
@@ -550,7 +541,11 @@ const LatestAuthenticationRecordVersion = "1.0";
 function ensureValidMsalToken(scopes, logger, msalToken, getTokenOptions) {
     const error = (message) => {
         logger.getToken.info(message);
-        return new AuthenticationRequiredError(Array.isArray(scopes) ? scopes : [scopes], getTokenOptions, message);
+        return new AuthenticationRequiredError({
+            scopes: Array.isArray(scopes) ? scopes : [scopes],
+            getTokenOptions,
+            message
+        });
     };
     if (!msalToken) {
         throw error("No response");
@@ -678,7 +673,7 @@ class MsalBaseUtilities {
             error.name === "AbortError") {
             return error;
         }
-        return new AuthenticationRequiredError(scopes, getTokenOptions, error.message);
+        return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
     }
 }
 // transformations.ts
@@ -742,6 +737,40 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @internal
+ */
+const multiTenantDisabledErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication has been disabled by the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH.";
+/**
+ * @internal
+ */
+const multiTenantADFSErrorMessage = "A new tenant Id can't be assigned through the GetTokenOptions when a credential has been originally configured to use the tenant `adfs`.";
+/**
+ * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
+ * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
+ * or unless the original tenant Id is `adfs`.
+ * @internal
+ */
+function processMultiTenantRequest(tenantId, getTokenOptions) {
+    if (!(getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
+        return tenantId;
+    }
+    if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
+        throw new Error(multiTenantDisabledErrorMessage);
+    }
+    if (tenantId === "adfs") {
+        throw new Error(multiTenantADFSErrorMessage);
+    }
+    return getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ */
+var RegionalAuthority;
 (function (RegionalAuthority) {
     /** Instructs MSAL to attempt to discover the region */
     RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
@@ -849,31 +878,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
     RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
     /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
     RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
-})(exports.RegionalAuthority || (exports.RegionalAuthority = {}));
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * @internal
- */
-const multiTenantErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication was not enabled in this credential instance.";
-/**
- * Verifies whether locally assigned tenants are equal to tenants received through getToken.
- * Returns the appropriate tenant.
- * @internal
- */
-function processMultiTenantRequest(tenantId, allowMultiTenantAuthentication, getTokenOptions) {
-    if (!allowMultiTenantAuthentication &&
-        (getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) &&
-        tenantId &&
-        getTokenOptions.tenantId !== tenantId) {
-        throw new Error(multiTenantErrorMessage);
-    }
-    if (allowMultiTenantAuthentication && (getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
-        return getTokenOptions.tenantId;
-    }
-    return tenantId;
-}
+})(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
 /**
@@ -906,17 +911,21 @@ class MsalNode extends MsalBaseUtilities {
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
         this.clientId = this.msalConfig.auth.clientId;
         // If persistence has been configured
         if (persistenceProvider !== undefined && ((_a = options.tokenCachePersistenceOptions) === null || _a === void 0 ? void 0 : _a.enabled)) {
             this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
         }
         else if ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled) {
-            throw new Error("Persistent token caching was requested, but no persistence provider was configured (do you need to use the `@azure/identity-cache-persistence` package?)");
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`."
+            ].join(" "));
         }
         this.azureRegion = (_c = options.regionalAuthority) !== null && _c !== void 0 ? _c : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
-        if (this.azureRegion === exports.RegionalAuthority.AutoDiscoverRegion) {
+        if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
             this.azureRegion = "AUTO_DISCOVER";
         }
     }
@@ -1032,7 +1041,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         var _a, _b;
         await this.getActiveAccount();
         if (!this.account) {
-            throw new AuthenticationRequiredError(scopes, options);
+            throw new AuthenticationRequiredError({
+                scopes,
+                getTokenOptions: options,
+                message: "Silent authentication failed. We couldn't retrieve an active account from the cache."
+            });
         }
         const silentRequest = {
             // To be able to re-use the account, the Token Cache must also have been provided.
@@ -1055,8 +1068,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
      */
     async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
-            this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options) || this.tenantId;
         options.authority = getAuthority(tenantId, this.authorityHost);
         options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
         await this.init(options);
@@ -1068,7 +1080,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 throw err;
             }
             if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                throw new AuthenticationRequiredError(scopes, options, "Automatic authentication has been disabled. You may call the authentication() method.");
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method."
+                });
             }
             this.logger.info(`Silent authentication failed, falling back to interactive method.`);
             return this.doGetToken(scopes, options);
@@ -1137,7 +1153,7 @@ function getPropertyFromVSCode(property) {
     }
 }
 /**
- * Connect to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
  * Once the user has logged in via the extension, this credential can share the same refresh token
  * that is cached by the extension.
  */
@@ -1145,6 +1161,11 @@ class VisualStudioCodeCredential {
     /**
      * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
      *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(options) {
@@ -1161,7 +1182,6 @@ class VisualStudioCodeCredential {
         else {
             this.tenantId = CommonTenantId;
         }
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
         checkUnsupportedTenant(this.tenantId);
     }
     /**
@@ -1195,10 +1215,14 @@ class VisualStudioCodeCredential {
     async getToken(scopes, options) {
         var _a, _b;
         await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
-            this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options) || this.tenantId;
         if (findCredentials === undefined) {
-            throw new CredentialUnavailableError("No implementation of VisualStudioCodeCredential is available (do you need to install and use the `@azure/identity-vscode` extension package?)");
+            throw new CredentialUnavailableError([
+                "No implementation of `VisualStudioCodeCredential` is available.",
+                "You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`."
+            ].join(" "));
         }
         let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
         // Check to make sure the scope we get back is a valid scope
@@ -1228,13 +1252,13 @@ class VisualStudioCodeCredential {
                 return tokenResponse.accessToken;
             }
             else {
-                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently?");
+                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/visualstudiocodecredential/troubleshoot.");
                 logger$1.getToken.info(formatError(scopes, error));
                 throw error;
             }
         }
         else {
-            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension?");
+            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/visualstudiocodecredential/troubleshoot.");
             logger$1.getToken.info(formatError(scopes, error));
             throw error;
         }
@@ -1243,17 +1267,17 @@ class VisualStudioCodeCredential {
 
 // Copyright (c) Microsoft Corporation.
 /**
- * The context passed to an Identity Extension. This contains objects that
- * extensions can use to set backend implementations.
+ * The context passed to an Identity plugin. This contains objects that
+ * plugins can use to set backend implementations.
  * @internal
  */
-const extensionContext = {
+const pluginContext = {
     cachePluginControl: msalNodeFlowCacheControl,
     vsCodeCredentialControl: vsCodeCredentialControl
 };
 /**
- * Extend Azure Identity with additional functionality. Pass an extension from
- * an extension package, such as:
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
  *
  * - `@azure/identity-cache-persistence`: provides persistent token caching
  * - `@azure/identity-vscode`: provides the dependencies of
@@ -1262,12 +1286,12 @@ const extensionContext = {
  * Example:
  *
  * ```javascript
- * import { cachePersistenceExtension } from "@azure/identity-cache-persistence";
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
  *
- * import { useIdentityExtension, DefaultAzureCredential } from "@azure/identity";
- * useIdentityExtension(persistence);
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
  *
- * // The extension has the capability to extend `DefaultAzureCredential` and to
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
  * // add middleware to the underlying credentials, such as persistence.
  * const credential = new DefaultAzureCredential({
  *   tokenCachePersistenceOptions: {
@@ -1276,10 +1300,10 @@ const extensionContext = {
  * });
  * ```
  *
- * @param extension - the extension to register
+ * @param plugin - the plugin to register
  */
-function useIdentityExtension(extension) {
-    extension(extensionContext);
+function useIdentityPlugin(plugin) {
+    plugin(pluginContext);
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -1327,12 +1351,13 @@ class ChainedTokenCredential {
      */
     async getToken(scopes, options) {
         let token = null;
+        let successfulCredentialName = "";
         const errors = [];
-        const { span, updatedOptions } = createSpan("ChainedTokenCredential-getToken", options);
+        const { span, updatedOptions } = createSpan("ChainedTokenCredential.getToken", options);
         for (let i = 0; i < this._sources.length && token === null; i++) {
             try {
                 token = await this._sources[i].getToken(scopes, updatedOptions);
-                this.selectedCredential = this._sources[i];
+                successfulCredentialName = this._sources[i].constructor.name;
             }
             catch (err) {
                 if (err.name === "CredentialUnavailableError" ||
@@ -1346,7 +1371,7 @@ class ChainedTokenCredential {
             }
         }
         if (!token && errors.length > 0) {
-            const err = new AggregateAuthenticationError(errors);
+            const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
             span.setStatus({
                 code: coreTracing.SpanStatusCode.ERROR,
                 message: err.message
@@ -1355,7 +1380,7 @@ class ChainedTokenCredential {
             throw err;
         }
         span.end();
-        logger$2.getToken.info(`Result for ${this.selectedCredential.constructor.name}: ${formatSuccess(scopes)}`);
+        logger$2.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
         if (token === null) {
             throw new CredentialUnavailableError("Failed to retrieve a valid token");
         }
@@ -1415,15 +1440,15 @@ const cliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("az", [
+                child_process__default.execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
                     "json",
                     "--resource",
-                    ...tenantSection,
-                    resource
-                ], { cwd: cliCredentialInternals.getSafeWorkingDir() }, (error, stdout, stderr) => {
+                    resource,
+                    ...tenantSection
+                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
                     resolve({ stdout: stdout, stderr: stderr, error });
                 });
             }
@@ -1439,18 +1464,18 @@ const logger$3 = credentialLogger("AzureCliCredential");
  * via the Azure CLI ('az') commandline tool.
  * To do so, it will read the user access token and expire time
  * with Azure CLI command "az account get-access-token".
- * To be able to use this credential, ensure that you have already logged
- * in via the 'az' tool using the command "az login" from the commandline.
  */
 class AzureCliCredential {
     /**
      * Creates an instance of the {@link AzureCliCredential}.
      *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -1461,7 +1486,7 @@ class AzureCliCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options) {
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options);
+        const tenantId = processMultiTenantRequest(this.tenantId, options);
         if (tenantId) {
             checkTenantId(logger$3, tenantId);
         }
@@ -1470,7 +1495,7 @@ class AzureCliCredential {
         ensureValidScope(scope, logger$3);
         const resource = getScopeResource(scope);
         let responseData = "";
-        const { span } = createSpan("AzureCliCredential-getToken", options);
+        const { span } = createSpan("AzureCliCredential.getToken", options);
         try {
             const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
             if (obj.stderr) {
@@ -1587,7 +1612,8 @@ const powerShellErrors = {
  */
 const powerShellPublicErrorMessages = {
     login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
-    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`
+    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
+    troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`
 };
 // PowerShell Azure User not logged in error check.
 const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
@@ -1606,22 +1632,21 @@ if (isWindows) {
  * This credential will use the currently logged-in user information from the
  * Azure PowerShell module. To do so, it will read the user access token and
  * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
- *
- * To be able to use this credential:
- * - Install the Azure Az PowerShell module with:
- *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
- * - You have already logged in to Azure PowerShell using the command
- * `Connect-AzAccount` from the command line.
  */
 class AzurePowerShellCredential {
     /**
-     * Creates an instance of the {@link AzurePowershellCredential}.
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
      *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
     }
     /**
      * Gets the access token from Azure PowerShell
@@ -1662,7 +1687,7 @@ class AzurePowerShellCredential {
                 throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
             }
         }
-        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system.`);
+        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -1673,7 +1698,7 @@ class AzurePowerShellCredential {
      */
     async getToken(scopes, options = {}) {
         return trace(`${this.constructor.name}.getToken`, options, async () => {
-            const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options);
+            const tenantId = processMultiTenantRequest(this.tenantId, options);
             if (tenantId) {
                 checkTenantId(logger$4, tenantId);
             }
@@ -1700,7 +1725,7 @@ class AzurePowerShellCredential {
                     logger$4.getToken.info(formatError(scope, error));
                     throw error;
                 }
-                const error = new CredentialUnavailableError(err);
+                const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
                 logger$4.getToken.info(formatError(scope, error));
                 throw error;
             }
@@ -1759,6 +1784,9 @@ class ClientSecretCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, clientSecret, options = {}) {
+        if (!tenantId || !clientId || !clientSecret) {
+            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        }
         this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$5,
             clientId,
             tenantId,
@@ -1781,6 +1809,41 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+const readFileAsync = util.promisify(fs.readFile);
+/**
+ * Tries to asynchronously load a certificate from the given path.
+ *
+ * @param configuration - Either the PEM value or the path to the certificate.
+ * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
+ * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
+ * @internal
+ */
+async function parseCertificate(configuration, sendCertificateChain) {
+    const certificateParts = {};
+    certificateParts.certificateContents =
+        configuration.certificate || (await readFileAsync(configuration.certificatePath, "utf8"));
+    if (sendCertificateChain) {
+        certificateParts.x5c = certificateParts.certificateContents;
+    }
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateParts.certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
+        }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    }
+    certificateParts.thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return certificateParts;
+}
 /**
  * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -1789,40 +1852,24 @@ class MsalClientCertificate extends MsalNode {
     constructor(options) {
         super(options);
         this.requiresConfidential = true;
+        this.configuration = options.configuration;
         this.sendCertificateChain = options.sendCertificateChain;
-        const parts = this.parseCertificate(options.certificatePath);
-        this.msalConfig.auth.clientCertificate = {
-            thumbprint: parts.thumbprint,
-            privateKey: parts.certificateContents,
-            x5c: parts.x5c
-        };
     }
-    parseCertificate(certificatePath) {
-        const certificateParts = {};
-        certificateParts.certificateContents = fs.readFileSync(certificatePath, "utf8");
-        if (this.sendCertificateChain) {
-            certificateParts.x5c = certificateParts.certificateContents;
-        }
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateParts.certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            const error = new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        try {
+            const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
+            this.msalConfig.auth.clientCertificate = {
+                thumbprint: parts.thumbprint,
+                privateKey: parts.certificateContents,
+                x5c: parts.x5c
+            };
+        }
+        catch (error) {
             this.logger.info(formatError("", error));
             throw error;
         }
-        certificateParts.thumbprint = crypto.createHash("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return certificateParts;
+        return super.init(options);
     }
     async doGetToken(scopes, options = {}) {
         try {
@@ -1844,7 +1891,8 @@ class MsalClientCertificate extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$6 = credentialLogger("ClientCertificateCredential");
+const credentialName = "ClientCertificateCredential";
+const logger$6 = credentialLogger(credentialName);
 /**
  * Enables authentication to Azure Active Directory using a PEM-encoded
  * certificate that is assigned to an App Registration. More information
@@ -1854,17 +1902,22 @@ const logger$6 = credentialLogger("ClientCertificateCredential");
  *
  */
 class ClientCertificateCredential {
-    /**
-     * Creates an instance of the ClientCertificateCredential with the details
-     * needed to authenticate against Azure Active Directory with a certificate.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, certificatePath, options = {}) {
-        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { certificatePath,
+    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
+        if (!tenantId || !clientId) {
+            throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);
+        }
+        const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
+            ? {
+                certificatePath: certificatePathOrConfiguration
+            }
+            : certificatePathOrConfiguration));
+        if (!configuration || !(configuration.certificate || configuration.certificatePath)) {
+            throw new Error(`${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (configuration.certificate && configuration.certificatePath) {
+            throw new Error(`${credentialName}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
             logger: logger$6,
             clientId,
             tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
@@ -1878,7 +1931,7 @@ class ClientCertificateCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -1922,8 +1975,6 @@ const logger$7 = credentialLogger("UsernamePasswordCredential");
  * trust so you should only use it when other, more secure credential
  * types can't be used.
  */
-// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),
-// to reduce the number of times we send the password over the network.
 class UsernamePasswordCredential {
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
@@ -1937,6 +1988,9 @@ class UsernamePasswordCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
         this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
             clientId,
             tenantId,
@@ -1982,23 +2036,7 @@ const AllSupportedEnvironmentVariables = [
 const logger$8 = credentialLogger("EnvironmentCredential");
 /**
  * Enables authentication to Azure Active Directory using client secret
- * details configured in the following environment variables:
- *
- * Required environment variables:
- * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
- * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
- *
- * Environment variables used for client credential authentication:
- * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
- * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
- *
- * Alternatively, users can provide environment variables for username and password authentication:
- * - `AZURE_USERNAME`: Username to authenticate with.
- * - `AZURE_PASSWORD`: Password to authenticate with.
- *
- * This credential ultimately uses a {@link ClientSecretCredential} to
- * perform the authentication using these details.  Please consult the
- * documentation of that class for more details.
+ * details configured in environment variables
  */
 class EnvironmentCredential {
     /**
@@ -2038,7 +2076,7 @@ class EnvironmentCredential {
         const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
         if (tenantId && clientId && certificatePath) {
             logger$8.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
-            this._credential = new ClientCertificateCredential(tenantId, clientId, certificatePath, options);
+            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath }, options);
             return;
         }
         const username = process.env.AZURE_USERNAME;
@@ -2064,7 +2102,7 @@ class EnvironmentCredential {
                 }
                 catch (err) {
                     const authenticationError = new AuthenticationError(400, {
-                        error: "EnvironmentCredential authentication failed.",
+                        error: "EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.",
                         error_description: err.message
                             .toString()
                             .split("More details:")
@@ -2074,7 +2112,7 @@ class EnvironmentCredential {
                     throw authenticationError;
                 }
             }
-            throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used.");
+            throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.");
         });
     }
 }
@@ -2086,13 +2124,22 @@ const imdsHost = "http://169.254.169.254";
 const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 const azureArcAPIVersion = "2019-11-01";
+const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
+/**
+ * Most MSIs send requests to the IMDS endpoint, or a similar endpoint. These are GET requests that require sending a `resource` parameter on the query.
+ * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
+ * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
+ *
+ * For that reason, when we encounter multiple scopes, we return undefined.
+ * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
+ */
 function mapScopesToResource(scopes) {
     let scope = "";
     if (Array.isArray(scopes)) {
         if (scopes.length !== 1) {
-            throw new Error("To convert to a resource string the specified array must be exactly length 1");
+            return;
         }
         scope = scopes[0];
     }
@@ -2104,23 +2151,28 @@ function mapScopesToResource(scopes) {
     }
     return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
 }
-async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
-    const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal, tracingOptions: {
-            spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions,
-            tracingContext: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.tracingContext
-        } }, requestOptions), { allowInsecureConnection: true }));
+async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}, agent) {
+    const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, requestOptions), { allowInsecureConnection: true }));
+    if (agent) {
+        request.agent = agent;
+    }
     const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);
     return (tokenResponse && tokenResponse.accessToken) || null;
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$9 = credentialLogger("ManagedIdentityCredential - AppServiceMSI 2017");
+const msiName = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$9 = credentialLogger(msiName);
 function expiresInParser(requestBody) {
     // Parse a date format like "06/20/2019 02:57:58 +00:00" and
     // convert it into a JavaScript-formatted date
     return Date.parse(requestBody.expires_on);
 }
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": "2017-09-01"
@@ -2131,10 +2183,10 @@ function prepareRequestOptions(resource, clientId) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error("Missing environment variable: MSI_ENDPOINT");
+        throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);
     }
     if (!process.env.MSI_SECRET) {
-        throw new Error("Missing environment variable: MSI_SECRET");
+        throw new Error(`${msiName}: Missing environment variable: MSI_SECRET`);
     }
     return {
         url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
@@ -2146,25 +2198,36 @@ function prepareRequestOptions(resource, clientId) {
     };
 }
 const appServiceMsi2017 = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$9.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const env = process.env;
         const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
         if (!result) {
-            logger$9.info("The Azure App Service MSI 2017 is unavailable.");
+            logger$9.info(`${msiName}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger$9.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$9.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$a = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+const msiName$1 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$a = credentialLogger(msiName$1);
 // Cloud Shell MSI doesn't have a special expiresIn parser.
 const expiresInParser$1 = undefined;
-function prepareRequestOptions$1(resource, clientId) {
+function prepareRequestOptions$1(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
+    }
     const body = {
         resource
     };
@@ -2173,12 +2236,13 @@ function prepareRequestOptions$1(resource, clientId) {
     }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error("Missing environment variable: MSI_ENDPOINT");
+        throw new Error(`${msiName$1}: Missing environment variable: MSI_ENDPOINT`);
     }
+    const params = new URLSearchParams(body);
     return {
         url: process.env.MSI_ENDPOINT,
         method: "POST",
-        body: qs.stringify(body),
+        body: params.toString(),
         headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
             Metadata: "true",
@@ -2187,53 +2251,77 @@ function prepareRequestOptions$1(resource, clientId) {
     };
 }
 const cloudShellMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$a.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const result = Boolean(process.env.MSI_ENDPOINT);
         if (!result) {
-            logger$a.info("The Azure Cloud Shell MSI is unavailable.");
+            logger$a.info(`${msiName$1}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger$a.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions$1(resource, clientId), expiresInParser$1, getTokenOptions);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$a.info(`${msiName$1}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions$1(scopes, clientId), expiresInParser$1, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$b = credentialLogger("ManagedIdentityCredential - IMDS");
+const msiName$2 = "ManagedIdentityCredential - IMDS";
+const logger$b = credentialLogger(msiName$2);
 function expiresInParser$2(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger$b.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger$b.info(`${msiName$2}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
         // If these aren't possible, use expires_in and calculate a timestamp
         const expires = Date.now() + requestBody.expires_in * 1000;
-        logger$b.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        logger$b.info(`${msiName$2}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
         return expires;
     }
 }
-function prepareRequestOptions$2(resource, clientId) {
+function prepareRequestOptions$2(scopes, clientId, options) {
     var _a;
-    const queryParameters = {
-        resource,
-        "api-version": imdsApiVersion
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
+    }
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
     }
-    const query = qs.stringify(queryParameters);
     const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true"
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
+    }
     return {
-        url: `${url}?${query}`,
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
         method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true"
-        })
+        headers: coreRestPipeline.createHttpHeaders(rawHeaders)
     };
 }
 // 800ms -> 1600ms -> 3200ms
@@ -2243,24 +2331,23 @@ const imdsMsiRetryConfig = {
     intervalIncrement: 2
 };
 const imdsMsi = {
-    async isAvailable(identityClient, resource, clientId, getTokenOptions) {
+    async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
         var _a, _b;
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$b.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
         // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
         }
-        const requestOptions = prepareRequestOptions$2(resource, clientId);
-        // This will always be populated, but let's make TypeScript happy
-        if (requestOptions.headers) {
-            // Remove the Metadata header to invoke a request error from
-            // IMDS endpoint
-            requestOptions.headers.delete("Metadata");
-        }
-        requestOptions.tracingOptions = {
-            spanOptions: options.tracingOptions && options.tracingOptions.spanOptions,
-            tracingContext: options.tracingOptions && options.tracingOptions.tracingContext
-        };
+        const requestOptions = prepareRequestOptions$2(resource, clientId, {
+            skipMetadataHeader: true,
+            skipQuery: true
+        });
+        requestOptions.tracingOptions = options.tracingOptions;
         try {
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
@@ -2270,18 +2357,19 @@ const imdsMsi = {
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
             try {
-                logger$b.info(`Pinging the Azure IMDS endpoint`);
+                logger$b.info(`${msiName$2}: Pinging the Azure IMDS endpoint`);
                 await identityClient.sendRequest(request);
             }
             catch (err) {
                 if ((err.name === "RestError" && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
                     err.name === "AbortError" ||
+                    err.code === "ENETUNREACH" || // Network unreachable
                     err.code === "ECONNREFUSED" || // connection refused
                     err.code === "EHOSTDOWN" // host is down
                 ) {
                     // If the request failed, or Node.js was unable to establish a connection,
                     // or the host was down, we'll assume the IMDS endpoint isn't available.
-                    logger$b.info(`The Azure IMDS endpoint is unavailable`);
+                    logger$b.info(`${msiName$2}: The Azure IMDS endpoint is unavailable`);
                     span.setStatus({
                         code: coreTracing.SpanStatusCode.ERROR,
                         message: err.message
@@ -2290,13 +2378,13 @@ const imdsMsi = {
                 }
             }
             // If we received any response, the endpoint is available
-            logger$b.info(`The Azure IMDS endpoint is available`);
+            logger$b.info(`${msiName$2}: The Azure IMDS endpoint is available`);
             return true;
         }
         catch (err) {
             // createWebResource failed.
             // This error should bubble up to the user.
-            logger$b.info(`Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
+            logger$b.info(`${msiName$2}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
             span.setStatus({
                 code: coreTracing.SpanStatusCode.ERROR,
                 message: err.message
@@ -2307,12 +2395,13 @@ const imdsMsi = {
             span.end();
         }
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger$b.info(`Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger$b.info(`${msiName$2}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                return await msiGenericGetToken(identityClient, prepareRequestOptions$2(resource, clientId), expiresInParser$2, getTokenOptions);
+                return await msiGenericGetToken(identityClient, prepareRequestOptions$2(scopes, clientId), expiresInParser$2, getTokenOptions);
             }
             catch (error) {
                 if (error.statusCode === 404) {
@@ -2323,15 +2412,20 @@ const imdsMsi = {
                 throw error;
             }
         }
-        throw new AuthenticationError(404, `Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
+        throw new AuthenticationError(404, `${msiName$2}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$c = credentialLogger("ManagedIdentityCredential - ArcMSI");
+const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$c = credentialLogger(msiName$3);
 // Azure Arc MSI doesn't have a special expiresIn parser.
 const expiresInParser$3 = undefined;
-function prepareRequestOptions$3(resource) {
+function prepareRequestOptions$3(scopes) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": azureArcAPIVersion
@@ -2339,7 +2433,7 @@ function prepareRequestOptions$3(resource) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
     return coreRestPipeline.createPipelineRequest({
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
@@ -2352,7 +2446,7 @@ function prepareRequestOptions$3(resource) {
     });
 }
 // Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
-function readFileAsync(path, options) {
+function readFileAsync$1(path, options) {
     return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
         if (err) {
             reject(err);
@@ -2367,7 +2461,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         if (response.bodyAsText) {
             message = ` Response: ${response.bodyAsText}`;
         }
-        throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
     const authHeader = response.headers.get("www-authenticate") || "";
     try {
@@ -2378,32 +2472,190 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
     }
 }
 const arcMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$c.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$c.info("The Azure Arc MSI is unavailable.");
+            logger$c.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+    async getToken(configuration, getTokenOptions = {}) {
         var _a;
-        logger$c.info(`Using the Azure Arc MSI to authenticate.`);
+        const { identityClient, scopes, clientId } = configuration;
+        logger$c.info(`${msiName$3}: Authenticating.`);
         if (clientId) {
-            throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
+            throw new Error(`${msiName$3}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`);
         }
-        const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions$3(resource));
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
-            throw new Error("Azure Arc MSI failed to find the token file.");
+            throw new Error(`${msiName$3}: Failed to find the token file.`);
         }
-        const key = await readFileAsync(filePath, { encoding: "utf-8" });
+        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
     }
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$d = credentialLogger("ManagedIdentityCredential");
+const msiName$4 = "ManagedIdentityCredential - Token Exchange";
+const logger$d = credentialLogger(msiName$4);
+const readFileAsync$2 = util.promisify(fs__default.readFile);
+function expiresInParser$4(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions$4(scopes, clientAssertion, clientId) {
+    var _a;
+    const bodyParams = {
+        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
+        client_assertion: clientAssertion,
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        client_id: clientId,
+        grant_type: "client_credentials"
+    };
+    const urlParams = new URLSearchParams(bodyParams);
+    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
+    return {
+        url: url.toString(),
+        method: "POST",
+        body: urlParams.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json"
+        })
+    };
+}
+function tokenExchangeMsi() {
+    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    let azureFederatedTokenFileContent = undefined;
+    let cacheDate = undefined;
+    // Only reads from the assertion file once every 5 minutes
+    async function readAssertion() {
+        // Cached assertions expire after 5 minutes
+        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
+            azureFederatedTokenFileContent = undefined;
+        }
+        if (!azureFederatedTokenFileContent) {
+            const file = await readFileAsync$2(azureFederatedTokenFilePath, "utf8");
+            const value = file.trim();
+            if (!value) {
+                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            else {
+                azureFederatedTokenFileContent = value;
+                cacheDate = Date.now();
+            }
+        }
+        return azureFederatedTokenFileContent;
+    }
+    return {
+        async isAvailable(_scopes, _identityClient, clientId) {
+            const env = process.env;
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            if (!result) {
+                logger$d.info(`${msiName$4}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            return result;
+        },
+        async getToken(configuration, getTokenOptions = {}) {
+            const { identityClient, scopes, clientId } = configuration;
+            logger$d.info(`${msiName$4}: Using the client assertion coming from environment variables.`);
+            let assertion;
+            try {
+                assertion = await readAssertion();
+            }
+            catch (err) {
+                throw new Error(`${msiName$4}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            return msiGenericGetToken(identityClient, prepareRequestOptions$4(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID), expiresInParser$4, getTokenOptions);
+        }
+    };
+}
+
+// Copyright (c) Microsoft Corporation.
+const msiName$5 = "ManagedIdentityCredential - Fabric MSI";
+const logger$e = credentialLogger(msiName$5);
+function expiresInParser$5(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions$5(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
+    }
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Secret: process.env.IDENTITY_HEADER
+        })
+    };
+}
+// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
+const fabricMsi = {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$e.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        if (!result) {
+            logger$e.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId } = configuration;
+        logger$e.info([
+            `${msiName$5}:`,
+            "Using the endpoint and the secret coming from the environment variables:",
+            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+            "IDENTITY_HEADER=[REDACTED] and",
+            "IDENTITY_SERVER_THUMBPRINT=[REDACTED]."
+        ].join(" "));
+        return msiGenericGetToken(identityClient, prepareRequestOptions$5(scopes, clientId), expiresInParser$5, getTokenOptions, new https.Agent({
+            // This is necessary because Service Fabric provides a self-signed certificate.
+            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+            rejectUnauthorized: false
+        }));
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$f = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity that has been assigned
  * to the deployment environment.  This authentication type works in Azure VMs,
@@ -2430,15 +2682,13 @@ class ManagedIdentityCredential {
             this.identityClient = new IdentityClient(clientIdOrOptions);
         }
     }
-    async cachedAvailableMSI(resource, clientId, getTokenOptions) {
+    async cachedAvailableMSI(scopes, clientId, getTokenOptions) {
         if (this.cachedMSI) {
             return this.cachedMSI;
         }
-        // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
-        // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
-        const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];
+        const MSIs = [fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
         for (const msi of MSIs) {
-            if (await msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {
+            if (await msi.isAvailable(scopes, this.identityClient, clientId, getTokenOptions)) {
                 this.cachedMSI = msi;
                 return msi;
             }
@@ -2446,12 +2696,15 @@ class ManagedIdentityCredential {
         throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
     }
     async authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
-        const resource = mapScopesToResource(scopes);
         const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
         try {
             // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-            const availableMSI = await this.cachedAvailableMSI(resource, clientId, updatedOptions);
-            return availableMSI.getToken(this.identityClient, resource, clientId, updatedOptions);
+            const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);
+            return availableMSI.getToken({
+                identityClient: this.identityClient,
+                scopes,
+                clientId
+            }, updatedOptions);
         }
         catch (err) {
             span.setStatus({
@@ -2475,7 +2728,7 @@ class ManagedIdentityCredential {
      */
     async getToken(scopes, options) {
         let result = null;
-        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-getToken", options);
+        const { span, updatedOptions } = createSpan("ManagedIdentityCredential.getToken", options);
         try {
             // isEndpointAvailable can be true, false, or null,
             // If it's null, it means we don't yet know whether
@@ -2490,7 +2743,7 @@ class ManagedIdentityCredential {
                     // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
                     // yet we had no access token. For this reason, we'll throw once with a specific message:
                     const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$d.getToken.info(formatError(scopes, error));
+                    logger$f.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
@@ -2502,10 +2755,10 @@ class ManagedIdentityCredential {
                 // We've previously determined that the endpoint was unavailable,
                 // either because it was unreachable or permanently unable to authenticate.
                 const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$d.getToken.info(formatError(scopes, error));
+                logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
-            logger$d.getToken.info(formatSuccess(scopes));
+            logger$f.getToken.info(formatSuccess(scopes));
             return result;
         }
         catch (err) {
@@ -2526,21 +2779,21 @@ class ManagedIdentityCredential {
             // If either the network is unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. Network unreachable.");
-                logger$d.getToken.info(formatError(scopes, error));
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`);
+                logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
-                logger$d.getToken.info(formatError(scopes, error));
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
             // and it means that the endpoint is working, but that no identity is available.
             if (err.statusCode === 400) {
-                throw new CredentialUnavailableError("The managed identity endpoint is indicating there's no available identity");
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
@@ -2588,36 +2841,37 @@ const defaultCredentials = [
 ];
 /**
  * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
- * - {@link VisualStudioCodeCredential}
- * - {@link AzureCliCredential}
- * - {@link AzurePowerShellCredential}
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
- *
- * **Note**: `VisualStudioCodeCredential` is provided by an extension package:
- * `@azure/identity-vscode`. If this package is not installed and registered
- * using the extension API (`useIdentityExtension`), then authentication using
- * `VisualStudioCodeCredential` will not be available.
- *
- * Azure Identity extensions may add credential types to the default credential
- * stack.
+ * work for most applications that use the Azure SDK.
  */
 class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * This credential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications that use the Azure SDK.
+     *
+     * The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     * - {@link VisualStudioCodeCredential}
+     * - {@link AzureCliCredential}
+     * - {@link AzurePowerShellCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
      * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
      */
     constructor(options) {
         super(...defaultCredentials.map((ctor) => new ctor(options)));
         this.UnavailableMessage =
-            "DefaultAzureCredential => failed to retrieve a token from the included credentials";
+            "DefaultAzureCredential => failed to retrieve a token from the included credentials. To troubleshoot, visit https://aka.ms/azsdk/js/identity/defaultazurecredential/troubleshoot.";
     }
 }
 
@@ -2765,29 +3019,29 @@ class MsalOpenBrowser extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$e = credentialLogger("InteractiveBrowserCredential");
+const logger$g = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
- *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
- * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
- *
- * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
- * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 class InteractiveBrowserCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
+     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options = {}) {
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
-        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$e,
+        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$g,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
@@ -2865,7 +3119,7 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$f = credentialLogger("DeviceCodeCredential");
+const logger$h = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
  * @param deviceCodeInfo - The device code.
@@ -2882,10 +3136,24 @@ class DeviceCodeCredential {
      * Creates an instance of DeviceCodeCredential with the details needed
      * to initiate the device code authorization flow with Azure Active Directory.
      *
+     * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
+     *
+     * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
+     *
+     * ```js
+     * const credential = new DeviceCodeCredential({
+     *   tenantId: env.AZURE_TENANT_ID,
+     *   clientId: env.AZURE_CLIENT_ID,
+     *   userPromptCallback: (info) => {
+     *     console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
+     *   }
+     * });
+     * ```
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
-        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$f, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
+        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$h, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
@@ -2926,7 +3194,45 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$g = credentialLogger("AuthorizationCodeCredential");
+/**
+ * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
+ * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
+ * @internal
+ */
+class MsalAuthorizationCode extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.logger = credentialLogger("Node.js MSAL Authorization Code");
+        this.redirectUri = options.redirectUri;
+        this.authorizationCode = options.authorizationCode;
+        if (options.clientSecret) {
+            this.msalConfig.auth.clientSecret = options.clientSecret;
+        }
+    }
+    async getAuthCodeUrl(options) {
+        await this.init();
+        return this.confidentialApp.getAuthCodeUrl(options);
+    }
+    async doGetToken(scopes, options) {
+        var _a;
+        try {
+            const result = await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+                scopes,
+                redirectUri: this.redirectUri,
+                code: this.authorizationCode
+            }));
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$i = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
  * that was obtained through the authorization code flow, described in more detail
@@ -2940,26 +3246,23 @@ class AuthorizationCodeCredential {
      * @internal
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
-        this.lastTokenResponse = null;
-        checkTenantId(logger$g, tenantId);
-        this.clientId = clientId;
-        this.tenantId = tenantId;
+        checkTenantId(logger$i, tenantId);
+        let clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
-            this.clientSecret = clientSecretOrAuthorizationCode;
             this.authorizationCode = authorizationCodeOrRedirectUri;
             this.redirectUri = redirectUriOrOptions;
             // options okay
         }
         else {
             // clientId only
-            this.clientSecret = undefined;
             this.authorizationCode = clientSecretOrAuthorizationCode;
             this.redirectUri = authorizationCodeOrRedirectUri;
+            clientSecret = undefined;
             options = redirectUriOrOptions;
         }
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
-        this.identityClient = new IdentityClient(options);
+        this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
+            clientId, tokenCredentialOptions: options || {}, logger: logger$i, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -2969,100 +3272,116 @@ class AuthorizationCodeCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    async getToken(scopes, options) {
-        var _a, _b;
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
-            this.tenantId;
-        const { span, updatedOptions } = createSpan("AuthorizationCodeCredential-getToken", options);
-        try {
-            let tokenResponse = null;
-            let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
-            if (scopeString.indexOf("offline_access") < 0) {
-                scopeString += " offline_access";
-            }
-            // Try to use the refresh token first
-            if (this.lastTokenResponse && this.lastTokenResponse.refreshToken) {
-                tokenResponse = await this.identityClient.refreshAccessToken(tenantId, this.clientId, scopeString, this.lastTokenResponse.refreshToken, this.clientSecret, undefined, updatedOptions);
-            }
-            const query = new URLSearchParams({
-                client_id: this.clientId,
-                grant_type: "authorization_code",
-                scope: scopeString,
-                code: this.authorizationCode,
-                redirect_uri: this.redirectUri
-            });
-            if (this.clientSecret) {
-                query.set("client_secret", this.clientSecret);
-            }
-            if (tokenResponse === null) {
-                const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
-                const pipelineRequest = coreRestPipeline.createPipelineRequest({
-                    url: `${this.identityClient.authorityHost}/${tenantId}/${urlSuffix}`,
-                    method: "POST",
-                    body: query.toString(),
-                    headers: coreRestPipeline.createHttpHeaders({
-                        Accept: "application/json",
-                        "Content-Type": "application/x-www-form-urlencoded"
-                    }),
-                    tracingOptions: {
-                        spanOptions: (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions,
-                        tracingContext: (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext
-                    }
-                });
-                tokenResponse = await this.identityClient.sendTokenRequest(pipelineRequest, (response) => new Date(response === null || response === void 0 ? void 0 : response.expires_on).getTime());
+    async getToken(scopes, options = {}) {
+        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
+ * @internal
+ */
+class MsalOnBehalfOf extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.logger.info("Initialized MSAL's On-Behalf-Of flow");
+        this.requiresConfidential = true;
+        this.userAssertionToken = options.userAssertionToken;
+        this.certificatePath = options.certificatePath;
+        this.sendCertificateChain = options.sendCertificateChain;
+        this.clientSecret = options.clientSecret;
+    }
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        if (this.certificatePath) {
+            try {
+                const parts = await parseCertificate({ certificatePath: this.certificatePath }, this.sendCertificateChain);
+                this.msalConfig.auth.clientCertificate = {
+                    thumbprint: parts.thumbprint,
+                    privateKey: parts.certificateContents,
+                    x5c: parts.x5c
+                };
             }
-            this.lastTokenResponse = tokenResponse;
-            logger$g.getToken.info(formatSuccess(scopes));
-            const token = tokenResponse && tokenResponse.accessToken;
-            if (!token) {
-                throw new CredentialUnavailableError("Failed to retrieve a valid token");
+            catch (error) {
+                this.logger.info(formatError("", error));
+                throw error;
             }
-            return token;
         }
-        catch (err) {
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message
+        else {
+            this.msalConfig.auth.clientSecret = this.clientSecret;
+        }
+        return super.init(options);
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+                scopes,
+                correlationId: options.correlationId,
+                authority: options.authority,
+                oboAssertion: this.userAssertionToken
             });
-            logger$g.getToken.info(formatError(scopes, err));
-            throw err;
+            return this.handleResult(scopes, this.clientId, result || undefined);
         }
-        finally {
-            span.end();
+        catch (err) {
+            throw this.handleError(scopes, err, options);
         }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-const ApplicationCredentials = [
-    EnvironmentCredential,
-    DefaultManagedIdentityCredential
-];
+const credentialName$1 = "OnBehalfOfCredential";
+const logger$j = credentialLogger(credentialName$1);
 /**
- * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
-
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
- *
- * Azure Identity extensions may add credential types to the default credential
- * stack.
+ * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
-class ApplicationCredential extends ChainedTokenCredential {
+class OnBehalfOfCredential {
     /**
-     * Creates an instance of the ApplicationCredential class.
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret or a path to a PEM certificate, and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId,
+     *   clientId,
+     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
+     *   userAssertionToken: "access-token"
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
      *
-     * @param options - Optional parameters. See {@link ApplicationCredentialOptions}.
+     * @param options - Optional parameters, generally common across credentials.
      */
     constructor(options) {
-        super(...ApplicationCredentials.map((ctor) => new ctor(options)));
-        this.UnavailableMessage =
-            "ApplicationCredential => failed to retrieve a token from the included credentials";
+        this.options = options;
+        const { clientSecret } = options;
+        const { certificatePath } = options;
+        const { tenantId, clientId, userAssertionToken } = options;
+        if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
+            throw new Error(`${credentialName$1}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+        }
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger: logger$j, tokenCredentialOptions: this.options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    async getToken(scopes, options = {}) {
+        return trace(`${credentialName$1}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
     }
 }
 
@@ -3076,7 +3395,6 @@ function getDefaultAzureCredential() {
 
 exports.AggregateAuthenticationError = AggregateAuthenticationError;
 exports.AggregateAuthenticationErrorName = AggregateAuthenticationErrorName;
-exports.ApplicationCredential = ApplicationCredential;
 exports.AuthenticationError = AuthenticationError;
 exports.AuthenticationErrorName = AuthenticationErrorName;
 exports.AuthenticationRequiredError = AuthenticationRequiredError;
@@ -3093,11 +3411,12 @@ exports.DeviceCodeCredential = DeviceCodeCredential;
 exports.EnvironmentCredential = EnvironmentCredential;
 exports.InteractiveBrowserCredential = InteractiveBrowserCredential;
 exports.ManagedIdentityCredential = ManagedIdentityCredential;
+exports.OnBehalfOfCredential = OnBehalfOfCredential;
 exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
 exports.logger = logger;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
-exports.useIdentityExtension = useIdentityExtension;
+exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map