@azure/identity 2.0.0 → 2.0.2-alpha.20211105.2

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Release History
 
+## 2.0.2 (Unreleased)
+
+### Features Added
+
+### Breaking Changes
+
+### Bugs Fixed
+
+- Challenge claims now are properly being passed through to the outgoing token requests.
+
+### Other Changes
+
+## 2.0.1 (2021-10-28)
+
+### Features Added
+
+- The `ManagedIdentityCredential` now supports the Service Fabric environment.
+
+### Bugs Fixed
+
+- Fixed a bug that caused the `AzureCliCredential` to fail on Windows. Issue [18268](https://github.com/Azure/azure-sdk-for-js/issues/18268).
+
 ## 2.0.0 (2021-10-15)
 
 After multiple beta releases over the past year, we're proud to announce the general availability of version 2 of the `@azure/identity` package. This version includes the best parts of v1, plus several improvements.
@@ -156,6 +178,15 @@ Identity v2 for JavaScript now also depends on the latest available versions of
 
 - The errors thrown by the `ManagedIdentityCredential` have been improved.
 
+## 1.5.2 (2021-09-01)
+
+- Fixed a bug introduced on 1.5.0 that caused the `ManagedIdentityCredential` to fail authenticating in Arc environments. Since our new core disables unsafe requests by default, we had to change the security settings for the first request of the Arc MSI, which retrieves the file path where the authentication value is stored since this request generally happens through an HTTP endpoint.
+
+## 1.5.1 (2021-08-12)
+
+- Fixed how we verify the IMDS endpoint is available. Now, besides skipping the `Metadata` header, we skip the URL query. Both will ensure that all the known IMDS endpoints return as early as possible.
+- Added support for the `AZURE_POD_IDENTITY_AUTHORITY_HOST` environment variable. If present, the IMDS endpoint initial verification will be skipped.
+
 ## 2.0.0-beta.5 (2021-08-10)
 
 ### Features Added
@@ -175,15 +206,6 @@ Identity v2 for JavaScript now also depends on the latest available versions of
 
 - With this release, we've migrated from using `@azure/core-http` to `@azure/core-rest-pipeline` for the handling of HTTP requests. See [Azure Core v1 vs v2](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/core-rest-pipeline/documentation/core2.md) for more on the difference and benefits of the move. This removes our dependency on `node-fetch` and along with it issues we have seen in using this dependency in specific environments like Kubernetes pods.
 
-## 1.5.2 (2021-09-01)
-
-- Fixed a bug introduced on 1.5.0 that caused the `ManagedIdentityCredential` to fail authenticating in Arc environments. Since our new core disables unsafe requests by default, we had to change the security settings for the first request of the Arc MSI, which retrieves the file path where the authentication value is stored since this request generally happens through an HTTP endpoint.
-
-## 1.5.1 (2021-08-12)
-
-- Fixed how we verify the IMDS endpoint is available. Now, besides skipping the `Metadata` header, we skip the URL query. Both will ensure that all the known IMDS endpoints return as early as possible.
-- Added support for the `AZURE_POD_IDENTITY_AUTHORITY_HOST` environment variable. If present, the IMDS endpoint initial verification will be skipped.
-
 ## 1.5.0 (2021-07-19)
 
 - With this release, we've migrated from using `@azure/core-http` to `@azure/core-rest-pipeline` for the handling of HTTP requests. See [Azure Core v1 vs v2](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/core-rest-pipeline/documentation/core2.md) for more on the difference and benefits of the move. This removes our dependency on `node-fetch` and along with it issues we have seen in using this dependency in specific environments like Kubernetes pods.

package/dist/index.js

@@ -10,7 +10,7 @@ var coreTracing = require('@azure/core-tracing');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var abortController = require('@azure/abort-controller');
-var logger$j = require('@azure/logger');
+var logger$k = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
 var uuid = require('uuid');
 var fs = require('fs');
@@ -21,6 +21,7 @@ var child_process = require('child_process');
 var child_process__default = _interopDefault(child_process);
 var crypto = require('crypto');
 var util = require('util');
+var https = _interopDefault(require('https'));
 var http = _interopDefault(require('http'));
 var open = _interopDefault(require('open'));
 var stoppable = _interopDefault(require('stoppable'));
@@ -240,7 +241,7 @@ async function trace(operationName, options, fn, createSpanFn = createSpan) {
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger = logger$j.createClientLogger("identity");
+const logger = logger$k.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -331,7 +332,7 @@ function getIdentityClientAuthorityHost(options) {
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
         var _a;
-        const packageDetails = `azsdk-js-identity/2.0.0`;
+        const packageDetails = `azsdk-js-identity/2.0.2`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -937,7 +938,7 @@ class MsalNode extends MsalBaseUtilities {
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
-        let clientCapabilities = ["CP1"];
+        let clientCapabilities = ["cp1"];
         if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
             clientCapabilities = [];
         }
@@ -1051,7 +1052,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             account: publicToMsal(this.account),
             correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
             scopes,
-            authority: options === null || options === void 0 ? void 0 : options.authority
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims
         };
         try {
             this.logger.info("Attempting to acquire token silently");
@@ -1447,7 +1449,7 @@ const cliCredentialInternals = {
                     "--resource",
                     resource,
                     ...tenantSection
-                ], { cwd: cliCredentialInternals.getSafeWorkingDir() }, (error, stdout, stderr) => {
+                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
                     resolve({ stdout: stdout, stderr: stderr, error });
                 });
             }
@@ -1749,7 +1751,8 @@ class MsalClientSecret extends MsalNode {
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
-                authority: options.authority
+                authority: options.authority,
+                claims: options.claims
             });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -1876,7 +1879,8 @@ class MsalClientCertificate extends MsalNode {
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
-                authority: options.authority
+                authority: options.authority,
+                claims: options.claims
             });
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
@@ -1955,7 +1959,8 @@ class MsalUsernamePassword extends MsalNode {
                 username: this.username,
                 password: this.password,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims
             };
             const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -2123,6 +2128,7 @@ const imdsHost = "http://169.254.169.254";
 const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 const azureArcAPIVersion = "2019-11-01";
+const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
 /**
@@ -2149,8 +2155,11 @@ function mapScopesToResource(scopes) {
     }
     return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
 }
-async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}) {
+async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}, agent) {
     const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, requestOptions), { allowInsecureConnection: true }));
+    if (agent) {
+        request.agent = agent;
+    }
     const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);
     return (tokenResponse && tokenResponse.accessToken) || null;
 }
@@ -2573,7 +2582,84 @@ function tokenExchangeMsi() {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$e = credentialLogger("ManagedIdentityCredential");
+const msiName$5 = "ManagedIdentityCredential - Fabric MSI";
+const logger$e = credentialLogger(msiName$5);
+function expiresInParser$5(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions$5(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
+    }
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Secret: process.env.IDENTITY_HEADER
+        })
+    };
+}
+// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
+const fabricMsi = {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$e.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        if (!result) {
+            logger$e.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId } = configuration;
+        logger$e.info([
+            `${msiName$5}:`,
+            "Using the endpoint and the secret coming from the environment variables:",
+            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+            "IDENTITY_HEADER=[REDACTED] and",
+            "IDENTITY_SERVER_THUMBPRINT=[REDACTED]."
+        ].join(" "));
+        return msiGenericGetToken(identityClient, prepareRequestOptions$5(scopes, clientId), expiresInParser$5, getTokenOptions, new https.Agent({
+            // This is necessary because Service Fabric provides a self-signed certificate.
+            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+            rejectUnauthorized: false
+        }));
+    }
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$f = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity that has been assigned
  * to the deployment environment.  This authentication type works in Azure VMs,
@@ -2604,9 +2690,7 @@ class ManagedIdentityCredential {
         if (this.cachedMSI) {
             return this.cachedMSI;
         }
-        // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
-        // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
-        const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
+        const MSIs = [fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
         for (const msi of MSIs) {
             if (await msi.isAvailable(scopes, this.identityClient, clientId, getTokenOptions)) {
                 this.cachedMSI = msi;
@@ -2663,7 +2747,7 @@ class ManagedIdentityCredential {
                     // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
                     // yet we had no access token. For this reason, we'll throw once with a specific message:
                     const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$e.getToken.info(formatError(scopes, error));
+                    logger$f.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
@@ -2675,10 +2759,10 @@ class ManagedIdentityCredential {
                 // We've previously determined that the endpoint was unavailable,
                 // either because it was unreachable or permanently unable to authenticate.
                 const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$e.getToken.info(formatError(scopes, error));
+                logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
-            logger$e.getToken.info(formatSuccess(scopes));
+            logger$f.getToken.info(formatSuccess(scopes));
             return result;
         }
         catch (err) {
@@ -2700,14 +2784,14 @@ class ManagedIdentityCredential {
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
                 const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`);
-                logger$e.getToken.info(formatError(scopes, error));
+                logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
                 const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`);
-                logger$e.getToken.info(formatError(scopes, error));
+                logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
@@ -2922,8 +3006,10 @@ class MsalOpenBrowser extends MsalNode {
         this.pkceCodes = await cryptoProvider.generatePkceCodes();
         const authCodeUrlParameters = {
             scopes: scopeArray,
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
             redirectUri: this.redirectUri,
             authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
             loginHint: this.loginHint,
             codeChallenge: this.pkceCodes.challenge,
             codeChallengeMethod: "S256" // Use SHA256 Algorithm
@@ -2939,7 +3025,7 @@ class MsalOpenBrowser extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$f = credentialLogger("InteractiveBrowserCredential");
+const logger$g = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow.
@@ -2961,7 +3047,7 @@ class InteractiveBrowserCredential {
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
-        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$f,
+        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$g,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
@@ -3022,7 +3108,8 @@ class MsalDeviceCode extends MsalNode {
                 scopes,
                 cancel: false,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims
             };
             const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
             // TODO:
@@ -3039,7 +3126,7 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$g = credentialLogger("DeviceCodeCredential");
+const logger$h = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
  * @param deviceCodeInfo - The device code.
@@ -3073,7 +3160,7 @@ class DeviceCodeCredential {
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
-        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$g, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
+        this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$h, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
@@ -3139,7 +3226,10 @@ class MsalAuthorizationCode extends MsalNode {
             const result = await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
-                code: this.authorizationCode
+                code: this.authorizationCode,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims
             }));
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -3152,7 +3242,7 @@ class MsalAuthorizationCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$h = credentialLogger("AuthorizationCodeCredential");
+const logger$i = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
  * that was obtained through the authorization code flow, described in more detail
@@ -3166,7 +3256,7 @@ class AuthorizationCodeCredential {
      * @internal
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
-        checkTenantId(logger$h, tenantId);
+        checkTenantId(logger$i, tenantId);
         let clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
@@ -3182,7 +3272,7 @@ class AuthorizationCodeCredential {
             options = redirectUriOrOptions;
         }
         this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
-            clientId, tokenCredentialOptions: options || {}, logger: logger$h, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
+            clientId, tokenCredentialOptions: options || {}, logger: logger$i, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -3242,6 +3332,7 @@ class MsalOnBehalfOf extends MsalNode {
                 scopes,
                 correlationId: options.correlationId,
                 authority: options.authority,
+                claims: options.claims,
                 oboAssertion: this.userAssertionToken
             });
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -3254,7 +3345,7 @@ class MsalOnBehalfOf extends MsalNode {
 
 // Copyright (c) Microsoft Corporation.
 const credentialName$1 = "OnBehalfOfCredential";
-const logger$i = credentialLogger(credentialName$1);
+const logger$j = credentialLogger(credentialName$1);
 /**
  * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
@@ -3288,7 +3379,7 @@ class OnBehalfOfCredential {
         if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
             throw new Error(`${credentialName$1}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
-        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger: logger$i, tokenCredentialOptions: this.options }));
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger: logger$j, tokenCredentialOptions: this.options }));
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.