@azure/identity 2.0.0-beta.6 → 2.0.0

package/dist/index.js

@@ -18,6 +18,7 @@ var fs__default = _interopDefault(fs);
 var os = _interopDefault(require('os'));
 var path = _interopDefault(require('path'));
 var child_process = require('child_process');
+var child_process__default = _interopDefault(child_process);
 var crypto = require('crypto');
 var util = require('util');
 var http = _interopDefault(require('http'));
@@ -165,6 +166,21 @@ function convertOAuthErrorResponseToErrorResponse(errorBody) {
         traceId: errorBody.trace_id
     };
 }
+/**
+ * Error used to enforce authentication after trying to retrieve a token silently.
+ */
+class AuthenticationRequiredError extends Error {
+    constructor(
+    /**
+     * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
+     */
+    options) {
+        super(options.message);
+        this.scopes = options.scopes;
+        this.getTokenOptions = options.getTokenOptions;
+        this.name = "AuthenticationRequiredError";
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -183,7 +199,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
  * @internal
  */
 const createSpan = coreTracing.createSpanFunction({
-    packagePrefix: "Azure.Identity",
+    packagePrefix: "",
     namespace: "Microsoft.AAD"
 });
 /**
@@ -315,7 +331,7 @@ function getIdentityClientAuthorityHost(options) {
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
         var _a;
-        const packageDetails = `azsdk-js-identity/2.0.0-beta.6`;
+        const packageDetails = `azsdk-js-identity/2.0.0`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -511,28 +527,6 @@ function resolveTenantId(logger, tenantId, clientId) {
     return "organizations";
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Error used to enforce authentication after trying to retrieve a token silently.
- */
-class AuthenticationRequiredError extends Error {
-    constructor(
-    /**
-     * The list of scopes for which the token will have access.
-     */
-    scopes, 
-    /**
-     * The options used to configure the getToken request.
-     */
-    getTokenOptions = {}, message) {
-        super(message);
-        this.scopes = scopes;
-        this.getTokenOptions = getTokenOptions;
-        this.name = "AuthenticationRequiredError";
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 /**
  * Latest AuthenticationRecord version
@@ -546,7 +540,11 @@ const LatestAuthenticationRecordVersion = "1.0";
 function ensureValidMsalToken(scopes, logger, msalToken, getTokenOptions) {
     const error = (message) => {
         logger.getToken.info(message);
-        return new AuthenticationRequiredError(Array.isArray(scopes) ? scopes : [scopes], getTokenOptions, message);
+        return new AuthenticationRequiredError({
+            scopes: Array.isArray(scopes) ? scopes : [scopes],
+            getTokenOptions,
+            message
+        });
     };
     if (!msalToken) {
         throw error("No response");
@@ -674,7 +672,7 @@ class MsalBaseUtilities {
             error.name === "AbortError") {
             return error;
         }
-        return new AuthenticationRequiredError(scopes, getTokenOptions, error.message);
+        return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
     }
 }
 // transformations.ts
@@ -738,6 +736,40 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @internal
+ */
+const multiTenantDisabledErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication has been disabled by the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH.";
+/**
+ * @internal
+ */
+const multiTenantADFSErrorMessage = "A new tenant Id can't be assigned through the GetTokenOptions when a credential has been originally configured to use the tenant `adfs`.";
+/**
+ * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
+ * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
+ * or unless the original tenant Id is `adfs`.
+ * @internal
+ */
+function processMultiTenantRequest(tenantId, getTokenOptions) {
+    if (!(getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
+        return tenantId;
+    }
+    if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
+        throw new Error(multiTenantDisabledErrorMessage);
+    }
+    if (tenantId === "adfs") {
+        throw new Error(multiTenantADFSErrorMessage);
+    }
+    return getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ */
+var RegionalAuthority;
 (function (RegionalAuthority) {
     /** Instructs MSAL to attempt to discover the region */
     RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
@@ -845,31 +877,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
     RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
     /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
     RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
-})(exports.RegionalAuthority || (exports.RegionalAuthority = {}));
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * @internal
- */
-const multiTenantErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication was not enabled in this credential instance.";
-/**
- * Verifies whether locally assigned tenants are equal to tenants received through getToken.
- * Returns the appropriate tenant.
- * @internal
- */
-function processMultiTenantRequest(tenantId, allowMultiTenantAuthentication, getTokenOptions) {
-    if (!allowMultiTenantAuthentication &&
-        (getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) &&
-        tenantId &&
-        getTokenOptions.tenantId !== tenantId) {
-        throw new Error(multiTenantErrorMessage);
-    }
-    if (allowMultiTenantAuthentication && (getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
-        return getTokenOptions.tenantId;
-    }
-    return tenantId;
-}
+})(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
 /**
@@ -902,7 +910,6 @@ class MsalNode extends MsalBaseUtilities {
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
         this.clientId = this.msalConfig.auth.clientId;
         // If persistence has been configured
         if (persistenceProvider !== undefined && ((_a = options.tokenCachePersistenceOptions) === null || _a === void 0 ? void 0 : _a.enabled)) {
@@ -917,7 +924,7 @@ class MsalNode extends MsalBaseUtilities {
             ].join(" "));
         }
         this.azureRegion = (_c = options.regionalAuthority) !== null && _c !== void 0 ? _c : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
-        if (this.azureRegion === exports.RegionalAuthority.AutoDiscoverRegion) {
+        if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
             this.azureRegion = "AUTO_DISCOVER";
         }
     }
@@ -1033,7 +1040,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         var _a, _b;
         await this.getActiveAccount();
         if (!this.account) {
-            throw new AuthenticationRequiredError(scopes, options);
+            throw new AuthenticationRequiredError({
+                scopes,
+                getTokenOptions: options,
+                message: "Silent authentication failed. We couldn't retrieve an active account from the cache."
+            });
         }
         const silentRequest = {
             // To be able to re-use the account, the Token Cache must also have been provided.
@@ -1056,8 +1067,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
      */
     async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
-            this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options) || this.tenantId;
         options.authority = getAuthority(tenantId, this.authorityHost);
         options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
         await this.init(options);
@@ -1069,7 +1079,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 throw err;
             }
             if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                throw new AuthenticationRequiredError(scopes, options, "Automatic authentication has been disabled. You may call the authentication() method.");
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method."
+                });
             }
             this.logger.info(`Silent authentication failed, falling back to interactive method.`);
             return this.doGetToken(scopes, options);
@@ -1138,7 +1152,7 @@ function getPropertyFromVSCode(property) {
     }
 }
 /**
- * Connect to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
  * Once the user has logged in via the extension, this credential can share the same refresh token
  * that is cached by the extension.
  */
@@ -1167,7 +1181,6 @@ class VisualStudioCodeCredential {
         else {
             this.tenantId = CommonTenantId;
         }
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
         checkUnsupportedTenant(this.tenantId);
     }
     /**
@@ -1201,8 +1214,7 @@ class VisualStudioCodeCredential {
     async getToken(scopes, options) {
         var _a, _b;
         await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
-            this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options) || this.tenantId;
         if (findCredentials === undefined) {
             throw new CredentialUnavailableError([
                 "No implementation of `VisualStudioCodeCredential` is available.",
@@ -1239,13 +1251,13 @@ class VisualStudioCodeCredential {
                 return tokenResponse.accessToken;
             }
             else {
-                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently?");
+                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/visualstudiocodecredential/troubleshoot.");
                 logger$1.getToken.info(formatError(scopes, error));
                 throw error;
             }
         }
         else {
-            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension?");
+            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/visualstudiocodecredential/troubleshoot.");
             logger$1.getToken.info(formatError(scopes, error));
             throw error;
         }
@@ -1340,7 +1352,7 @@ class ChainedTokenCredential {
         let token = null;
         let successfulCredentialName = "";
         const errors = [];
-        const { span, updatedOptions } = createSpan("ChainedTokenCredential-getToken", options);
+        const { span, updatedOptions } = createSpan("ChainedTokenCredential.getToken", options);
         for (let i = 0; i < this._sources.length && token === null; i++) {
             try {
                 token = await this._sources[i].getToken(scopes, updatedOptions);
@@ -1427,14 +1439,14 @@ const cliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("az", [
+                child_process__default.execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
                     "json",
                     "--resource",
-                    ...tenantSection,
-                    resource
+                    resource,
+                    ...tenantSection
                 ], { cwd: cliCredentialInternals.getSafeWorkingDir() }, (error, stdout, stderr) => {
                     resolve({ stdout: stdout, stderr: stderr, error });
                 });
@@ -1451,18 +1463,18 @@ const logger$3 = credentialLogger("AzureCliCredential");
  * via the Azure CLI ('az') commandline tool.
  * To do so, it will read the user access token and expire time
  * with Azure CLI command "az account get-access-token".
- * To be able to use this credential, ensure that you have already logged
- * in via the 'az' tool using the command "az login" from the commandline.
  */
 class AzureCliCredential {
     /**
      * Creates an instance of the {@link AzureCliCredential}.
      *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -1473,7 +1485,7 @@ class AzureCliCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options) {
-        const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options);
+        const tenantId = processMultiTenantRequest(this.tenantId, options);
         if (tenantId) {
             checkTenantId(logger$3, tenantId);
         }
@@ -1482,7 +1494,7 @@ class AzureCliCredential {
         ensureValidScope(scope, logger$3);
         const resource = getScopeResource(scope);
         let responseData = "";
-        const { span } = createSpan("AzureCliCredential-getToken", options);
+        const { span } = createSpan("AzureCliCredential.getToken", options);
         try {
             const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
             if (obj.stderr) {
@@ -1599,7 +1611,8 @@ const powerShellErrors = {
  */
 const powerShellPublicErrorMessages = {
     login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
-    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`
+    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
+    troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`
 };
 // PowerShell Azure User not logged in error check.
 const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
@@ -1618,22 +1631,21 @@ if (isWindows) {
  * This credential will use the currently logged-in user information from the
  * Azure PowerShell module. To do so, it will read the user access token and
  * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
- *
- * To be able to use this credential:
- * - Install the Azure Az PowerShell module with:
- *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
- * - You have already logged in to Azure PowerShell using the command
- * `Connect-AzAccount` from the command line.
  */
 class AzurePowerShellCredential {
     /**
-     * Creates an instance of the {@link AzurePowershellCredential}.
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
      *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.allowMultiTenantAuthentication = options === null || options === void 0 ? void 0 : options.allowMultiTenantAuthentication;
     }
     /**
      * Gets the access token from Azure PowerShell
@@ -1674,7 +1686,7 @@ class AzurePowerShellCredential {
                 throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
             }
         }
-        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system.`);
+        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -1685,7 +1697,7 @@ class AzurePowerShellCredential {
      */
     async getToken(scopes, options = {}) {
         return trace(`${this.constructor.name}.getToken`, options, async () => {
-            const tenantId = processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options);
+            const tenantId = processMultiTenantRequest(this.tenantId, options);
             if (tenantId) {
                 checkTenantId(logger$4, tenantId);
             }
@@ -1712,7 +1724,7 @@ class AzurePowerShellCredential {
                     logger$4.getToken.info(formatError(scope, error));
                     throw error;
                 }
-                const error = new CredentialUnavailableError(err);
+                const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
                 logger$4.getToken.info(formatError(scope, error));
                 throw error;
             }
@@ -1772,7 +1784,7 @@ class ClientSecretCredential {
      */
     constructor(tenantId, clientId, clientSecret, options = {}) {
         if (!tenantId || !clientId || !clientSecret) {
-            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters.");
+            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
         this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$5,
             clientId,
@@ -1800,14 +1812,15 @@ const readFileAsync = util.promisify(fs.readFile);
 /**
  * Tries to asynchronously load a certificate from the given path.
  *
- * @param certificatePath - Path to the certificate.
+ * @param configuration - Either the PEM value or the path to the certificate.
  * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
  * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
  * @internal
  */
-async function parseCertificate(certificatePath, sendCertificateChain) {
+async function parseCertificate(configuration, sendCertificateChain) {
     const certificateParts = {};
-    certificateParts.certificateContents = await readFileAsync(certificatePath, "utf8");
+    certificateParts.certificateContents =
+        configuration.certificate || (await readFileAsync(configuration.certificatePath, "utf8"));
     if (sendCertificateChain) {
         certificateParts.x5c = certificateParts.certificateContents;
     }
@@ -1838,13 +1851,13 @@ class MsalClientCertificate extends MsalNode {
     constructor(options) {
         super(options);
         this.requiresConfidential = true;
-        this.certificatePath = options.certificatePath;
+        this.configuration = options.configuration;
         this.sendCertificateChain = options.sendCertificateChain;
     }
     // Changing the MSAL configuration asynchronously
     async init(options) {
         try {
-            const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+            const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
             this.msalConfig.auth.clientCertificate = {
                 thumbprint: parts.thumbprint,
                 privateKey: parts.certificateContents,
@@ -1877,7 +1890,8 @@ class MsalClientCertificate extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$6 = credentialLogger("ClientCertificateCredential");
+const credentialName = "ClientCertificateCredential";
+const logger$6 = credentialLogger(credentialName);
 /**
  * Enables authentication to Azure Active Directory using a PEM-encoded
  * certificate that is assigned to an App Registration. More information
@@ -1887,20 +1901,22 @@ const logger$6 = credentialLogger("ClientCertificateCredential");
  *
  */
 class ClientCertificateCredential {
-    /**
-     * Creates an instance of the ClientCertificateCredential with the details
-     * needed to authenticate against Azure Active Directory with a certificate.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, certificatePath, options = {}) {
-        if (!tenantId || !clientId || !certificatePath) {
-            throw new Error("ClientCertificateCredential: tenantId, clientId, and certificatePath are required parameters.");
+    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
+        if (!tenantId || !clientId) {
+            throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);
+        }
+        const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
+            ? {
+                certificatePath: certificatePathOrConfiguration
+            }
+            : certificatePathOrConfiguration));
+        if (!configuration || !(configuration.certificate || configuration.certificatePath)) {
+            throw new Error(`${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { certificatePath,
+        if (configuration.certificate && configuration.certificatePath) {
+            throw new Error(`${credentialName}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
             logger: logger$6,
             clientId,
             tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
@@ -1914,7 +1930,7 @@ class ClientCertificateCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -1958,8 +1974,6 @@ const logger$7 = credentialLogger("UsernamePasswordCredential");
  * trust so you should only use it when other, more secure credential
  * types can't be used.
  */
-// We'll be using InteractiveCredential as the base of this class, which requires us to support authenticate(),
-// to reduce the number of times we send the password over the network.
 class UsernamePasswordCredential {
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
@@ -1974,7 +1988,7 @@ class UsernamePasswordCredential {
      */
     constructor(tenantId, clientId, username, password, options = {}) {
         if (!tenantId || !clientId || !username || !password) {
-            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters.");
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
         this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
             clientId,
@@ -2021,23 +2035,7 @@ const AllSupportedEnvironmentVariables = [
 const logger$8 = credentialLogger("EnvironmentCredential");
 /**
  * Enables authentication to Azure Active Directory using client secret
- * details configured in the following environment variables:
- *
- * Required environment variables:
- * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
- * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
- *
- * Environment variables used for client credential authentication:
- * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
- * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
- *
- * Alternatively, users can provide environment variables for username and password authentication:
- * - `AZURE_USERNAME`: Username to authenticate with.
- * - `AZURE_PASSWORD`: Password to authenticate with.
- *
- * This credential ultimately uses a {@link ClientSecretCredential} to
- * perform the authentication using these details.  Please consult the
- * documentation of that class for more details.
+ * details configured in environment variables
  */
 class EnvironmentCredential {
     /**
@@ -2077,7 +2075,7 @@ class EnvironmentCredential {
         const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
         if (tenantId && clientId && certificatePath) {
             logger$8.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
-            this._credential = new ClientCertificateCredential(tenantId, clientId, certificatePath, options);
+            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath }, options);
             return;
         }
         const username = process.env.AZURE_USERNAME;
@@ -2103,7 +2101,7 @@ class EnvironmentCredential {
                 }
                 catch (err) {
                     const authenticationError = new AuthenticationError(400, {
-                        error: "EnvironmentCredential authentication failed.",
+                        error: "EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.",
                         error_description: err.message
                             .toString()
                             .split("More details:")
@@ -2113,7 +2111,7 @@ class EnvironmentCredential {
                     throw authenticationError;
                 }
             }
-            throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used.");
+            throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.");
         });
     }
 }
@@ -2274,7 +2272,7 @@ function expiresInParser$2(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger$b.info(`${msiName$2}: IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger$b.info(`${msiName$2}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
@@ -2284,29 +2282,41 @@ function expiresInParser$2(requestBody) {
         return expires;
     }
 }
-function prepareRequestOptions$2(scopes, clientId) {
+function prepareRequestOptions$2(scopes, clientId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
     }
-    const queryParameters = {
-        resource,
-        "api-version": imdsApiVersion
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
     }
-    const params = new URLSearchParams(queryParameters);
-    const query = params.toString();
     const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true"
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
+    }
     return {
-        url: `${url}?${query}`,
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
         method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true"
-        })
+        headers: coreRestPipeline.createHttpHeaders(rawHeaders)
     };
 }
 // 800ms -> 1600ms -> 3200ms
@@ -2328,13 +2338,10 @@ const imdsMsi = {
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
         }
-        const requestOptions = prepareRequestOptions$2(resource, clientId);
-        // This will always be populated, but let's make TypeScript happy
-        if (requestOptions.headers) {
-            // Remove the Metadata header to invoke a request error from
-            // IMDS endpoint
-            requestOptions.headers.delete("Metadata");
-        }
+        const requestOptions = prepareRequestOptions$2(resource, clientId, {
+            skipMetadataHeader: true,
+            skipQuery: true
+        });
         requestOptions.tracingOptions = options.tracingOptions;
         try {
             // Create a request with a timeout since we expect that
@@ -2641,7 +2648,7 @@ class ManagedIdentityCredential {
      */
     async getToken(scopes, options) {
         let result = null;
-        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-getToken", options);
+        const { span, updatedOptions } = createSpan("ManagedIdentityCredential.getToken", options);
         try {
             // isEndpointAvailable can be true, false, or null,
             // If it's null, it means we don't yet know whether
@@ -2754,22 +2761,26 @@ const defaultCredentials = [
 ];
 /**
  * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
- * - {@link VisualStudioCodeCredential}
- * - {@link AzureCliCredential}
- * - {@link AzurePowerShellCredential}
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
+ * work for most applications that use the Azure SDK.
  */
 class DefaultAzureCredential extends ChainedTokenCredential {
     /**
      * Creates an instance of the DefaultAzureCredential class.
      *
+     * This credential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications that use the Azure SDK.
+     *
+     * The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     * - {@link VisualStudioCodeCredential}
+     * - {@link AzureCliCredential}
+     * - {@link AzurePowerShellCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
      * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
      * `@azure/identity-vscode`. If this package is not installed and registered
      * using the plugin API (`useIdentityPlugin`), then authentication using
@@ -2780,7 +2791,7 @@ class DefaultAzureCredential extends ChainedTokenCredential {
     constructor(options) {
         super(...defaultCredentials.map((ctor) => new ctor(options)));
         this.UnavailableMessage =
-            "DefaultAzureCredential => failed to retrieve a token from the included credentials";
+            "DefaultAzureCredential => failed to retrieve a token from the included credentials. To troubleshoot, visit https://aka.ms/azsdk/js/identity/defaultazurecredential/troubleshoot.";
     }
 }
 
@@ -2932,18 +2943,18 @@ const logger$f = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
- *
- * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
- * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
- * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
- *
- * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
- * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
  */
 class InteractiveBrowserCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
+     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options = {}) {
@@ -3045,6 +3056,20 @@ class DeviceCodeCredential {
      * Creates an instance of DeviceCodeCredential with the details needed
      * to initiate the device code authorization flow with Azure Active Directory.
      *
+     * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
+     *
+     * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
+     *
+     * ```js
+     * const credential = new DeviceCodeCredential({
+     *   tenantId: env.AZURE_TENANT_ID,
+     *   clientId: env.AZURE_CLIENT_ID,
+     *   userPromptCallback: (info) => {
+     *     console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
+     *   }
+     * });
+     * ```
+     *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
@@ -3097,7 +3122,7 @@ class DeviceCodeCredential {
 class MsalAuthorizationCode extends MsalNode {
     constructor(options) {
         super(options);
-        this.logger = credentialLogger("NodeJS MSAL Authorization Code");
+        this.logger = credentialLogger("Node.js MSAL Authorization Code");
         this.redirectUri = options.redirectUri;
         this.authorizationCode = options.authorizationCode;
         if (options.clientSecret) {
@@ -3175,36 +3200,6 @@ class AuthorizationCodeCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-const ApplicationCredentials = [
-    EnvironmentCredential,
-    DefaultManagedIdentityCredential
-];
-/**
- * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.  The following credential
- * types will be tried, in order:
- *
- * - {@link EnvironmentCredential}
- * - {@link ManagedIdentityCredential}
-
- *
- * Consult the documentation of these credential types for more information
- * on how they attempt authentication.
- */
-class ApplicationCredential extends ChainedTokenCredential {
-    /**
-     * Creates an instance of the ApplicationCredential class.
-     *
-     * @param options - Optional parameters. See {@link ApplicationCredentialOptions}.
-     */
-    constructor(options) {
-        super(...ApplicationCredentials.map((ctor) => new ctor(options)));
-        this.UnavailableMessage =
-            "ApplicationCredential => failed to retrieve a token from the included credentials";
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 /**
  * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
@@ -3224,7 +3219,7 @@ class MsalOnBehalfOf extends MsalNode {
     async init(options) {
         if (this.certificatePath) {
             try {
-                const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+                const parts = await parseCertificate({ certificatePath: this.certificatePath }, this.sendCertificateChain);
                 this.msalConfig.auth.clientCertificate = {
                     thumbprint: parts.thumbprint,
                     privateKey: parts.certificateContents,
@@ -3258,8 +3253,8 @@ class MsalOnBehalfOf extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const credentialName = "OnBehalfOfCredential";
-const logger$i = credentialLogger(credentialName);
+const credentialName$1 = "OnBehalfOfCredential";
+const logger$i = credentialLogger(credentialName$1);
 /**
  * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
@@ -3283,22 +3278,17 @@ class OnBehalfOfCredential {
      * await client.getKey("key-name");
      * ```
      *
-     * @param configuration - Configuration specific to this credential.
      * @param options - Optional parameters, generally common across credentials.
      */
-    constructor(configuration, options = {}) {
-        this.configuration = configuration;
+    constructor(options) {
         this.options = options;
-        const { tenantId, clientId, userAssertionToken } = configuration;
-        const secretConfiguration = configuration;
-        const certificateConfiguration = configuration;
-        if (!tenantId ||
-            !clientId ||
-            !(secretConfiguration.clientSecret || certificateConfiguration.certificatePath) ||
-            !userAssertionToken) {
-            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+        const { clientSecret } = options;
+        const { certificatePath } = options;
+        const { tenantId, clientId, userAssertionToken } = options;
+        if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
+            throw new Error(`${credentialName$1}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
-        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign(Object.assign({}, this.options), this.configuration), { logger: logger$i, tokenCredentialOptions: this.options }));
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger: logger$i, tokenCredentialOptions: this.options }));
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -3308,7 +3298,7 @@ class OnBehalfOfCredential {
      * @param options - The options used to configure the underlying network requests.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
+        return trace(`${credentialName$1}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -3325,7 +3315,6 @@ function getDefaultAzureCredential() {
 
 exports.AggregateAuthenticationError = AggregateAuthenticationError;
 exports.AggregateAuthenticationErrorName = AggregateAuthenticationErrorName;
-exports.ApplicationCredential = ApplicationCredential;
 exports.AuthenticationError = AuthenticationError;
 exports.AuthenticationErrorName = AuthenticationErrorName;
 exports.AuthenticationRequiredError = AuthenticationRequiredError;