@azure/identity 2.0.2-alpha.20211028.2 → 2.0.2-alpha.20211123.3

package/dist/index.js

@@ -5,8 +5,8 @@ Object.defineProperty(exports, '__esModule', { value: true });
 function _interopDefault (ex) { return (ex && (typeof ex === 'object') && 'default' in ex) ? ex['default'] : ex; }
 
 var msalNode = require('@azure/msal-node');
-var coreClient = require('@azure/core-client');
 var coreTracing = require('@azure/core-tracing');
+var coreClient = require('@azure/core-client');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var abortController = require('@azure/abort-controller');
@@ -26,44 +26,6 @@ var http = _interopDefault(require('http'));
 var open = _interopDefault(require('open'));
 var stoppable = _interopDefault(require('stoppable'));
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The default client ID for authentication
- * @internal
- */
-// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
-// Developer Sign On application is available
-// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
-const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
-/**
- * The default tenant for authentication
- * @internal
- */
-const DefaultTenantId = "common";
-(function (AzureAuthorityHosts) {
-    /**
-     * China-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
-    /**
-     * Germany-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
-    /**
-     * US Government Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
-    /**
-     * Public Cloud Azure Authority Host
-     */
-    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
-})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
-/**
- * The default authority host.
- */
-const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 function isErrorResponse(errorResponse) {
@@ -194,6 +156,44 @@ function getIdentityTokenEndpointSuffix(tenantId) {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * The default client ID for authentication
+ * @internal
+ */
+// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
+// Developer Sign On application is available
+// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
+const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+/**
+ * The default tenant for authentication
+ * @internal
+ */
+const DefaultTenantId = "common";
+(function (AzureAuthorityHosts) {
+    /**
+     * China-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
+    /**
+     * Germany-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
+    /**
+     * US Government Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
+    /**
+     * Public Cloud Azure Authority Host
+     */
+    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
+})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+/**
+ * The default authority host.
+ */
+const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
+
 // Copyright (c) Microsoft Corporation.
 /**
  * Creates a span using the global tracer.
@@ -938,7 +938,7 @@ class MsalNode extends MsalBaseUtilities {
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
-        let clientCapabilities = ["CP1"];
+        let clientCapabilities = ["cp1"];
         if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
             clientCapabilities = [];
         }
@@ -1052,7 +1052,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             account: publicToMsal(this.account),
             correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
             scopes,
-            authority: options === null || options === void 0 ? void 0 : options.authority
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims
         };
         try {
             this.logger.info("Attempting to acquire token silently");
@@ -1495,7 +1496,7 @@ class AzureCliCredential {
         ensureValidScope(scope, logger$3);
         const resource = getScopeResource(scope);
         let responseData = "";
-        const { span } = createSpan("AzureCliCredential.getToken", options);
+        const { span } = createSpan(`${this.constructor.name}.getToken`, options);
         try {
             const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
             if (obj.stderr) {
@@ -1750,7 +1751,8 @@ class MsalClientSecret extends MsalNode {
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
-                authority: options.authority
+                authority: options.authority,
+                claims: options.claims
             });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -1877,7 +1879,8 @@ class MsalClientCertificate extends MsalNode {
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
-                authority: options.authority
+                authority: options.authority,
+                claims: options.claims
             });
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
@@ -1956,7 +1959,8 @@ class MsalUsernamePassword extends MsalNode {
                 username: this.username,
                 password: this.password,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims
             };
             const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -2033,7 +2037,8 @@ const AllSupportedEnvironmentVariables = [
     "AZURE_USERNAME",
     "AZURE_PASSWORD"
 ];
-const logger$8 = credentialLogger("EnvironmentCredential");
+const credentialName$1 = "EnvironmentCredential";
+const logger$8 = credentialLogger(credentialName$1);
 /**
  * Enables authentication to Azure Active Directory using client secret
  * details configured in environment variables
@@ -2093,7 +2098,7 @@ class EnvironmentCredential {
      * @param options - Optional parameters. See {@link GetTokenOptions}.
      */
     async getToken(scopes, options = {}) {
-        return trace("EnvironmentCredential.getToken", options, async (newOptions) => {
+        return trace(`${credentialName$1}.getToken`, options, async (newOptions) => {
             if (this._credential) {
                 try {
                     const result = await this._credential.getToken(scopes, newOptions);
@@ -2102,7 +2107,7 @@ class EnvironmentCredential {
                 }
                 catch (err) {
                     const authenticationError = new AuthenticationError(400, {
-                        error: "EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.",
+                        error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
                         error_description: err.message
                             .toString()
                             .split("More details:")
@@ -2112,7 +2117,7 @@ class EnvironmentCredential {
                     throw authenticationError;
                 }
             }
-            throw new CredentialUnavailableError("EnvironmentCredential is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.");
+            throw new CredentialUnavailableError(`${credentialName$1} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
         });
     }
 }
@@ -2128,7 +2133,8 @@ const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
 /**
- * Most MSIs send requests to the IMDS endpoint, or a similar endpoint. These are GET requests that require sending a `resource` parameter on the query.
+ * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
+ * These are GET requests that require sending a `resource` parameter on the query.
  * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
  * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
  *
@@ -2151,23 +2157,20 @@ function mapScopesToResource(scopes) {
     }
     return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
 }
-async function msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions = {}, agent) {
-    const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, requestOptions), { allowInsecureConnection: true }));
-    if (agent) {
-        request.agent = agent;
-    }
-    const tokenResponse = await identityClient.sendTokenRequest(request, expiresInParser);
-    return (tokenResponse && tokenResponse.accessToken) || null;
-}
 
 // Copyright (c) Microsoft Corporation.
 const msiName = "ManagedIdentityCredential - AppServiceMSI 2017";
 const logger$9 = credentialLogger(msiName);
-function expiresInParser(requestBody) {
-    // Parse a date format like "06/20/2019 02:57:58 +00:00" and
-    // convert it into a JavaScript-formatted date
+/**
+ * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ */
+function expiresOnParser(requestBody) {
+    // App Service always returns string expires_on values.
     return Date.parse(requestBody.expires_on);
 }
+/**
+ * Generates the options used on the request for an access token.
+ */
 function prepareRequestOptions(scopes, clientId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -2197,6 +2200,9 @@ function prepareRequestOptions(scopes, clientId) {
         })
     };
 }
+/**
+ * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
+ */
 const appServiceMsi2017 = {
     async isAvailable(scopes) {
         const resource = mapScopesToResource(scopes);
@@ -2214,15 +2220,20 @@ const appServiceMsi2017 = {
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId } = configuration;
         logger$9.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser);
+        return (tokenResponse && tokenResponse.accessToken) || null;
     }
 };
 
 // Copyright (c) Microsoft Corporation.
 const msiName$1 = "ManagedIdentityCredential - CloudShellMSI";
 const logger$a = credentialLogger(msiName$1);
-// Cloud Shell MSI doesn't have a special expiresIn parser.
-const expiresInParser$1 = undefined;
+/**
+ * Generates the options used on the request for an access token.
+ */
 function prepareRequestOptions$1(scopes, clientId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -2250,6 +2261,9 @@ function prepareRequestOptions$1(scopes, clientId) {
         })
     };
 }
+/**
+ * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
+ */
 const cloudShellMsi = {
     async isAvailable(scopes) {
         const resource = mapScopesToResource(scopes);
@@ -2266,14 +2280,21 @@ const cloudShellMsi = {
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId } = configuration;
         logger$a.info(`${msiName$1}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions$1(scopes, clientId), expiresInParser$1, getTokenOptions);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
     }
 };
 
 // Copyright (c) Microsoft Corporation.
 const msiName$2 = "ManagedIdentityCredential - IMDS";
 const logger$b = credentialLogger(msiName$2);
-function expiresInParser$2(requestBody) {
+/**
+ * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ */
+function expiresOnParser$1(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
@@ -2287,6 +2308,9 @@ function expiresInParser$2(requestBody) {
         return expires;
     }
 }
+/**
+ * Generates the options used on the request for an access token.
+ */
 function prepareRequestOptions$2(scopes, clientId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
@@ -2330,6 +2354,9 @@ const imdsMsiRetryConfig = {
     startDelayInMs: 800,
     intervalIncrement: 2
 };
+/**
+ * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
+ */
 const imdsMsi = {
     async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
         var _a, _b;
@@ -2339,7 +2366,7 @@ const imdsMsi = {
             return false;
         }
         const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
-        // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
         }
@@ -2401,7 +2428,9 @@ const imdsMsi = {
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                return await msiGenericGetToken(identityClient, prepareRequestOptions$2(scopes, clientId), expiresInParser$2, getTokenOptions);
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId)), { allowInsecureConnection: true }));
+                const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
+                return (tokenResponse && tokenResponse.accessToken) || null;
             }
             catch (error) {
                 if (error.statusCode === 404) {
@@ -2419,8 +2448,9 @@ const imdsMsi = {
 // Copyright (c) Microsoft Corporation.
 const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
 const logger$c = credentialLogger(msiName$3);
-// Azure Arc MSI doesn't have a special expiresIn parser.
-const expiresInParser$3 = undefined;
+/**
+ * Generates the options used on the request for an access token.
+ */
 function prepareRequestOptions$3(scopes) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -2445,7 +2475,10 @@ function prepareRequestOptions$3(scopes) {
         })
     });
 }
-// Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
+/**
+ * Retrieves the file contents at the given path using promises.
+ * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
+ */
 function readFileAsync$1(path, options) {
     return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
         if (err) {
@@ -2454,6 +2487,9 @@ function readFileAsync$1(path, options) {
         resolve(data);
     }));
 }
+/**
+ * Does a request to the authentication provider that results in a file path.
+ */
 async function filePathRequest(identityClient, requestPrepareOptions) {
     const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
     if (response.status !== 401) {
@@ -2471,6 +2507,9 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+/**
+ * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
+ */
 const arcMsi = {
     async isAvailable(scopes) {
         const resource = mapScopesToResource(scopes);
@@ -2498,7 +2537,11 @@ const arcMsi = {
         }
         const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
-        return msiGenericGetToken(identityClient, requestOptions, expiresInParser$3, getTokenOptions);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
     }
 };
 
@@ -2506,10 +2549,16 @@ const arcMsi = {
 const msiName$4 = "ManagedIdentityCredential - Token Exchange";
 const logger$d = credentialLogger(msiName$4);
 const readFileAsync$2 = util.promisify(fs__default.readFile);
-function expiresInParser$4(requestBody) {
+/**
+ * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ */
+function expiresOnParser$2(requestBody) {
     // Parses a string representation of the seconds since epoch into a number value
     return Number(requestBody.expires_on);
 }
+/**
+ * Generates the options used on the request for an access token.
+ */
 function prepareRequestOptions$4(scopes, clientAssertion, clientId) {
     var _a;
     const bodyParams = {
@@ -2530,6 +2579,9 @@ function prepareRequestOptions$4(scopes, clientAssertion, clientId) {
         })
     };
 }
+/**
+ * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ */
 function tokenExchangeMsi() {
     const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
     let azureFederatedTokenFileContent = undefined;
@@ -2572,18 +2624,38 @@ function tokenExchangeMsi() {
             catch (err) {
                 throw new Error(`${msiName$4}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
             }
-            return msiGenericGetToken(identityClient, prepareRequestOptions$4(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID), expiresInParser$4, getTokenOptions);
+            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
+                // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+                allowInsecureConnection: true }));
+            const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$2);
+            return (tokenResponse && tokenResponse.accessToken) || null;
         }
     };
 }
 
 // Copyright (c) Microsoft Corporation.
+// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
 const msiName$5 = "ManagedIdentityCredential - Fabric MSI";
 const logger$e = credentialLogger(msiName$5);
-function expiresInParser$5(requestBody) {
-    // Parses a string representation of the seconds since epoch into a number value
+/**
+ * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ */
+function expiresOnParser$3(requestBody) {
+    // Parses a string representation of the milliseconds since epoch into a number value
     return Number(requestBody.expires_on);
 }
+/**
+ * Generates the options used on the request for an access token.
+ */
 function prepareRequestOptions$5(scopes, clientId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -2609,20 +2681,13 @@ function prepareRequestOptions$5(scopes, clientId) {
         method: "GET",
         headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            Secret: process.env.IDENTITY_HEADER
+            secret: process.env.IDENTITY_HEADER
         })
     };
 }
-// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
-//
-//   FROM node:12
-//   RUN wget https://host.any/path/bash.sh
-//   CMD ["bash", "bash.sh"]
-//
-// Where the bash script contains:
-//
-//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
-//
+/**
+ * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
+ */
 const fabricMsi = {
     async isAvailable(scopes) {
         const resource = mapScopesToResource(scopes);
@@ -2646,23 +2711,28 @@ const fabricMsi = {
             "IDENTITY_HEADER=[REDACTED] and",
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED]."
         ].join(" "));
-        return msiGenericGetToken(identityClient, prepareRequestOptions$5(scopes, clientId), expiresInParser$5, getTokenOptions, new https.Agent({
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)
+        // The service fabric MSI endpoint will be HTTPS (however, the certificate will be self-signed).
+        // allowInsecureConnection: true
+        ));
+        request.agent = new https.Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
             rejectUnauthorized: false
-        }));
+        });
+        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$3);
+        return (tokenResponse && tokenResponse.accessToken) || null;
     }
 };
 
 // Copyright (c) Microsoft Corporation.
 const logger$f = credentialLogger("ManagedIdentityCredential");
 /**
- * Attempts authentication using a managed identity that has been assigned
- * to the deployment environment.  This authentication type works in Azure VMs,
- * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
+ * Attempts authentication using a managed identity available at the deployment environment.
+ * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
+ * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
  *
  * More information about configuring managed identities can be found here:
- *
  * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  */
 class ManagedIdentityCredential {
@@ -2693,10 +2763,10 @@ class ManagedIdentityCredential {
                 return msi;
             }
         }
-        throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
+        throw new CredentialUnavailableError(`${ManagedIdentityCredential.name} - No MSI credential available`);
     }
     async authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
-        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
+        const { span, updatedOptions } = createSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
         try {
             // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
             const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);
@@ -2728,7 +2798,7 @@ class ManagedIdentityCredential {
      */
     async getToken(scopes, options) {
         let result = null;
-        const { span, updatedOptions } = createSpan("ManagedIdentityCredential.getToken", options);
+        const { span, updatedOptions } = createSpan(`${ManagedIdentityCredential.name}.getToken`, options);
         try {
             // isEndpointAvailable can be true, false, or null,
             // If it's null, it means we don't yet know whether
@@ -2779,30 +2849,30 @@ class ManagedIdentityCredential {
             // If either the network is unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`);
+                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
                 logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
                 logger$f.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
             // and it means that the endpoint is working, but that no identity is available.
             if (err.statusCode === 400) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
             if (err.statusCode === undefined) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential authentication failed. Message ${err.message}`);
+                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Authentication failed. Message ${err.message}`);
             }
             // Any other error should break the chain.
             throw new AuthenticationError(err.statusCode, {
-                error: "ManagedIdentityCredential authentication failed.",
+                error: `${ManagedIdentityCredential.name} authentication failed.`,
                 error_description: err.message
             });
         }
@@ -2979,6 +3049,20 @@ class MsalOpenBrowser extends MsalNode {
                 }
             }
             app.on("connection", (socket) => socketToDestroy.push(socket));
+            app.on("error", (err) => {
+                cleanup();
+                const code = err.code;
+                if (code === "EACCES" || code === "EADDRINUSE") {
+                    reject(new CredentialUnavailableError([
+                        `InteractiveBrowserCredential: Access denied to port ${this.port}.`,
+                        `Try sending a redirect URI with a different port, as follows:`,
+                        '`new InteractiveBrowserCredential({ redirectUri: "http://localhost:1337" })`'
+                    ].join(" ")));
+                }
+                else {
+                    reject(new CredentialUnavailableError(`InteractiveBrowserCredential: Failed to start the necessary web server. Error: ${err.message}`));
+                }
+            });
             app.on("listening", () => {
                 const openPromise = this.openAuthCodeUrl(scopes, options);
                 const abortSignal = options === null || options === void 0 ? void 0 : options.abortSignal;
@@ -3002,8 +3086,10 @@ class MsalOpenBrowser extends MsalNode {
         this.pkceCodes = await cryptoProvider.generatePkceCodes();
         const authCodeUrlParameters = {
             scopes: scopeArray,
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
             redirectUri: this.redirectUri,
             authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
             loginHint: this.loginHint,
             codeChallenge: this.pkceCodes.challenge,
             codeChallengeMethod: "S256" // Use SHA256 Algorithm
@@ -3013,7 +3099,7 @@ class MsalOpenBrowser extends MsalNode {
             await interactiveBrowserMockable.open(response, { wait: true });
         }
         catch (e) {
-            throw new CredentialUnavailableError(`Could not open a browser window. Error: ${e.message}`);
+            throw new CredentialUnavailableError(`InteractiveBrowserCredential: Could not open a browser window. Error: ${e.message}`);
         }
     }
 }
@@ -3102,7 +3188,8 @@ class MsalDeviceCode extends MsalNode {
                 scopes,
                 cancel: false,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims
             };
             const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
             // TODO:
@@ -3219,7 +3306,10 @@ class MsalAuthorizationCode extends MsalNode {
             const result = await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
-                code: this.authorizationCode
+                code: this.authorizationCode,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims
             }));
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -3252,7 +3342,7 @@ class AuthorizationCodeCredential {
             // the clientId+clientSecret constructor
             this.authorizationCode = authorizationCodeOrRedirectUri;
             this.redirectUri = redirectUriOrOptions;
-            // options okay
+            // in this case, options are good as they come
         }
         else {
             // clientId only
@@ -3322,6 +3412,7 @@ class MsalOnBehalfOf extends MsalNode {
                 scopes,
                 correlationId: options.correlationId,
                 authority: options.authority,
+                claims: options.claims,
                 oboAssertion: this.userAssertionToken
             });
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -3333,8 +3424,8 @@ class MsalOnBehalfOf extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const credentialName$1 = "OnBehalfOfCredential";
-const logger$j = credentialLogger(credentialName$1);
+const credentialName$2 = "OnBehalfOfCredential";
+const logger$j = credentialLogger(credentialName$2);
 /**
  * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
@@ -3366,7 +3457,7 @@ class OnBehalfOfCredential {
         const { certificatePath } = options;
         const { tenantId, clientId, userAssertionToken } = options;
         if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
-            throw new Error(`${credentialName$1}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+            throw new Error(`${credentialName$2}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
         this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger: logger$j, tokenCredentialOptions: this.options }));
     }
@@ -3378,7 +3469,7 @@ class OnBehalfOfCredential {
      * @param options - The options used to configure the underlying network requests.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${credentialName$1}.getToken`, options, async (newOptions) => {
+        return trace(`${credentialName$2}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });