@azure/identity 2.0.4 → 2.1.0-beta.1

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Release History
 
+## 2.1.0-beta.1 (2022-03-02)
+
+### Features Added
+
+- Added support for specifying a custom `resourceId` when creating a `ManagedIdentityCredential` or `DefaultAzureCredential`.
+  - In some scenarios where a user-assigned managed identity is required, the identity may be known by an ARM resource ID, but not a client ID (such as when user-assigned identities are created using an ARM template). The `resourceId` option allows an app to select its managed identity by its ARM resource ID to support such scenarios.
+  - If `resourceId` is provided, the managed identity providers for Azure App Service (2017), Azure Arc, Azure Cloud Shell, Azure Service Fabric and Token Exchange authentication will log a warning since this parameter is not supported by the identity endpoints in those services. The authentication attempts will be sent, but the parameter will be ignored by the service.
+- Added `clientId` to the optional parameters of the `ManagedIdentityCredential`.
+- Updated the Troubleshoot guide to have error codes and error messages for the Identity Customer Service Support.
+
 ## 2.0.4 (2022-02-18)
 
 ### Bugs Fixed
@@ -72,8 +82,8 @@ useIdentityPlugin(cachePersistencePlugin);
 async function main() {
   const credential = new DeviceCodeCredential({
     tokenCachePersistenceOptions: {
-      enabled: true
-    }
+      enabled: true,
+    },
   });
 }
 ```
@@ -139,6 +149,7 @@ Azure Service Fabric support hasn't been added on the initial version 2 of Ident
 - We have also renamed the error `CredentialUnavailable` to `CredentialUnavailableError`, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
 - In v1 of Identity some `getToken` calls could resolve with `null` in the case the authentication request succeeded with a malformed output. In v2, issues with the `getToken` method will always throw errors.
 - Breaking changes to InteractiveBrowserCredential
+
   - The `InteractiveBrowserCredential` will use the [Auth Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) with [PKCE](https://tools.ietf.org/html/rfc7636) rather than [Implicit Grant Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to better support browsers with enhanced security restrictions. Learn how to migrate in the [migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md). Read more about the latest `InteractiveBrowserCredential` [here](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/interactive-browser-credential.md).
   - The default client ID used for `InteractiveBrowserCredential` was viable only in Node.js and not for the browser. Therefore, on v2 client ID is a required parameter when using this credential in browser apps.
   - Identity v2 also removes the `postLogoutRedirectUri` from the options to the constructor for `InteractiveBrowserCredential`. This option wasn't being used. Instead of using this option, use MSAL directly. For more information, see [Authenticating with the @azure/msal-browser Public Client](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-the-azuremsal-browser-public-client).

package/dist/index.js

@@ -368,7 +368,7 @@ function getIdentityClientAuthorityHost(options) {
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
         var _a;
-        const packageDetails = `azsdk-js-identity/2.0.4`;
+        const packageDetails = `azsdk-js-identity/2.1.0-beta.1`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -2242,7 +2242,7 @@ function prepareRequestOptions$5(scopes, clientId) {
  * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
 const appServiceMsi2017 = {
-    async isAvailable(scopes) {
+    async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
             logger$a.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
@@ -2256,7 +2256,10 @@ const appServiceMsi2017 = {
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId } = configuration;
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$a.warning(`${msiName$5}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
         logger$a.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
@@ -2272,7 +2275,7 @@ const logger$9 = credentialLogger(msiName$4);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$4(scopes, clientId) {
+function prepareRequestOptions$4(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
@@ -2283,6 +2286,9 @@ function prepareRequestOptions$4(scopes, clientId) {
     if (clientId) {
         body.client_id = clientId;
     }
+    if (resourceId) {
+        body.msi_res_id = resourceId;
+    }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
         throw new Error(`${msiName$4}: Missing environment variable: MSI_ENDPOINT`);
@@ -2304,7 +2310,7 @@ function prepareRequestOptions$4(scopes, clientId) {
  * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
  */
 const cloudShellMsi = {
-    async isAvailable(scopes) {
+    async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
             logger$9.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
@@ -2317,12 +2323,15 @@ const cloudShellMsi = {
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId } = configuration;
+        const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$9.warning(`${msiName$4}: does not support user-assigned identities in the Cloud Shell environment. Argument clientId will be ignored.`);
+            logger$9.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$9.warning(`${msiName$4}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
         }
         logger$9.info(`${msiName$4}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId)), { 
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -2353,7 +2362,7 @@ function expiresOnParser$1(requestBody) {
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$3(scopes, clientId, options) {
+function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -2371,6 +2380,9 @@ function prepareRequestOptions$3(scopes, clientId, options) {
         if (clientId) {
             queryParameters.client_id = clientId;
         }
+        if (resourceId) {
+            queryParameters.msi_res_id = resourceId;
+        }
         const params = new URLSearchParams(queryParameters);
         query = `?${params.toString()}`;
     }
@@ -2400,7 +2412,7 @@ const imdsMsiRetryConfig = {
  * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
  */
 const imdsMsi = {
-    async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
+    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions, }) {
         var _a, _b;
         const resource = mapScopesToResource(scopes);
         if (!resource) {
@@ -2412,7 +2424,10 @@ const imdsMsi = {
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
         }
-        const requestOptions = prepareRequestOptions$3(resource, clientId, {
+        if (!identityClient) {
+            throw new Error("Missing IdentityClient");
+        }
+        const requestOptions = prepareRequestOptions$3(resource, clientId, resourceId, {
             skipMetadataHeader: true,
             skipQuery: true,
         });
@@ -2465,12 +2480,12 @@ const imdsMsi = {
         }
     },
     async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId } = configuration;
+        const { identityClient, scopes, clientId, resourceId } = configuration;
         logger$8.info(`${msiName$3}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId)), { allowInsecureConnection: true }));
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
                 const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
                 return (tokenResponse && tokenResponse.accessToken) || null;
             }
@@ -2493,7 +2508,7 @@ const logger$7 = credentialLogger(msiName$2);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$2(scopes) {
+function prepareRequestOptions$2(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
@@ -2502,11 +2517,17 @@ function prepareRequestOptions$2(scopes) {
         resource,
         "api-version": azureArcAPIVersion,
     };
-    const query = new URLSearchParams(queryParameters);
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+    }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
         throw new Error(`${msiName$2}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
+    const query = new URLSearchParams(queryParameters);
     return coreRestPipeline.createPipelineRequest({
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
         url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
@@ -2553,7 +2574,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
 const arcMsi = {
-    async isAvailable(scopes) {
+    async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
             logger$7.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
@@ -2567,12 +2588,15 @@ const arcMsi = {
     },
     async getToken(configuration, getTokenOptions = {}) {
         var _a;
-        const { identityClient, scopes, clientId } = configuration;
-        logger$7.info(`${msiName$2}: Authenticating.`);
+        const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            throw new Error(`${msiName$2}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`);
+            logger$7.warning(`${msiName$2}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$7.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
         }
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes)), { allowInsecureConnection: true });
+        logger$7.info(`${msiName$2}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
             throw new Error(`${msiName$2}: Failed to find the token file.`);
@@ -2641,7 +2665,7 @@ function tokenExchangeMsi() {
         return azureFederatedTokenFileContent;
     }
     return {
-        async isAvailable(_scopes, _identityClient, clientId) {
+        async isAvailable({ clientId }) {
             const env = process.env;
             const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
             if (!result) {
@@ -2691,7 +2715,7 @@ function expiresOnParser(requestBody) {
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions(scopes, clientId) {
+function prepareRequestOptions(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName}: Multiple scopes are not supported.`);
@@ -2703,6 +2727,9 @@ function prepareRequestOptions(scopes, clientId) {
     if (clientId) {
         queryParameters.client_id = clientId;
     }
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+    }
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
@@ -2724,7 +2751,7 @@ function prepareRequestOptions(scopes, clientId) {
  * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
  */
 const fabricMsi = {
-    async isAvailable(scopes) {
+    async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
             logger$5.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
@@ -2738,7 +2765,10 @@ const fabricMsi = {
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, identityClient, clientId } = configuration;
+        const { scopes, identityClient, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$5.warning(`${msiName}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
         logger$5.info([
             `${msiName}:`,
             "Using the endpoint and the secret coming from the environment variables:",
@@ -2746,7 +2776,7 @@ const fabricMsi = {
             "IDENTITY_HEADER=[REDACTED] and",
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
         ].join(" "));
-        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId)));
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)));
         request.agent = new https__default["default"].Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
@@ -2773,44 +2803,56 @@ class ManagedIdentityCredential {
      * @hidden
      */
     constructor(clientIdOrOptions, options) {
+        var _a, _b;
         this.isEndpointUnavailable = null;
         let _options;
         if (typeof clientIdOrOptions === "string") {
-            // clientId, options constructor
             this.clientId = clientIdOrOptions;
             _options = options;
         }
         else {
-            // options only constructor
+            this.clientId = (_a = clientIdOrOptions) === null || _a === void 0 ? void 0 : _a.clientId;
             _options = clientIdOrOptions;
         }
+        this.resourceId = (_b = _options) === null || _b === void 0 ? void 0 : _b.resourceId;
+        // For JavaScript users.
+        if (this.clientId && this.resourceId) {
+            throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
+        }
         this.identityClient = new IdentityClient(_options);
         this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
                 maxRetries: 0,
             } }));
     }
-    async cachedAvailableMSI(scopes, clientId, getTokenOptions) {
+    async cachedAvailableMSI(scopes, getTokenOptions) {
         if (this.cachedMSI) {
             return this.cachedMSI;
         }
         const MSIs = [fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
         for (const msi of MSIs) {
-            if (await msi.isAvailable(scopes, this.isAvailableIdentityClient, clientId, getTokenOptions)) {
+            if (await msi.isAvailable({
+                scopes,
+                identityClient: this.isAvailableIdentityClient,
+                clientId: this.clientId,
+                resourceId: this.resourceId,
+                getTokenOptions,
+            })) {
                 this.cachedMSI = msi;
                 return msi;
             }
         }
         throw new CredentialUnavailableError(`${ManagedIdentityCredential.name} - No MSI credential available`);
     }
-    async authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
+    async authenticateManagedIdentity(scopes, getTokenOptions) {
         const { span, updatedOptions } = createSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
         try {
             // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-            const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);
+            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
             return availableMSI.getToken({
                 identityClient: this.identityClient,
                 scopes,
-                clientId,
+                clientId: this.clientId,
+                resourceId: this.resourceId,
             }, updatedOptions);
         }
         catch (err) {
@@ -2841,7 +2883,7 @@ class ManagedIdentityCredential {
             // If it's null, it means we don't yet know whether
             // the endpoint is available and need to check for it.
             if (this.isEndpointUnavailable !== true) {
-                result = await this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);
+                result = await this.authenticateManagedIdentity(scopes, updatedOptions);
                 if (result === null) {
                     // If authenticateManagedIdentity returns null,
                     // it means no MSI endpoints are available.
@@ -2929,14 +2971,12 @@ class ManagedIdentityCredential {
  */
 class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
     constructor(options) {
-        var _a;
-        const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
-        if (managedIdentityClientId !== undefined) {
-            super(managedIdentityClientId, options);
-        }
-        else {
-            super(options);
-        }
+        var _a, _b, _c;
+        const managedIdentityClientId = (_b = (_a = options) === null || _a === void 0 ? void 0 : _a.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
+        const managedResourceId = (_c = options) === null || _c === void 0 ? void 0 : _c.managedIdentityResourceId;
+        // ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
+        const managedIdentityOptions = Object.assign({ resourceId: managedResourceId, clientId: managedIdentityClientId }, options);
+        super(managedIdentityOptions);
     }
 }
 const defaultCredentials = [