npm - @azure/identity - Versions diffs - 2.1.0-alpha.20220311.2 → 2.1.0-alpha.20220321.2 - Mend

@azure/identity 2.1.0-alpha.20220311.2 → 2.1.0-alpha.20220321.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (16) hide show

package/CHANGELOG.md +4 -0
package/README.md +2 -2
package/dist/index.js +46 -5
package/dist/index.js.map +1 -1
package/dist-esm/src/client/identityClient.js +37 -1
package/dist-esm/src/client/identityClient.js.map +1 -1
package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js +1 -1
package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +1 -1
package/dist-esm/src/msal/flows.js.map +1 -1
package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js +4 -3
package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +1 -1
package/dist-esm/src/msal/utils.js +5 -1
package/dist-esm/src/msal/utils.js.map +1 -1
package/dist-esm/src/tokenCredentialOptions.js.map +1 -1
package/package.json +1 -1
package/types/identity.d.ts +11 -0

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,10 @@
 ### Features Added
+- All of our credentials now support a new option on their constructor: `loggingOptions`, which allows configuring the logging options of the HTTP pipelines.
+- Within the new `loggingOptions` we have also added `allowLoggingAccountIdentifiers`, a property that if set to true logs information specific to the authenticated account after each successful authentication, including: the Client ID, the Tenant ID, the Object ID of the authenticated user, and if possible the User Principal Name.
+- Added `disableAuthorityValidation`, which allows passing any `authorityHost` regardless of whether it can be validated or not. This is specially useful in private clouds.
 ### Breaking Changes
 ### Bugs Fixed

package/README.md CHANGED Viewed

@@ -88,9 +88,9 @@ If interactive authentication cannot be supported in the session, then the `-Use
 #### Authenticate via Visual Studio Code
-Developers using Visual Studio Code can use the [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) to authenticate via the IDE. Apps using `DefaultAzureCredential` or `VisualStudioCodeCredential` can then use this account to authenticate calls in their app when running locally.
+Developers using Visual Studio Code can use the [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) to authenticate via the editor. Apps using `DefaultAzureCredential` or `VisualStudioCodeCredential` can then use this account to authenticate calls in their app when running locally.
-To authenticate in Visual Studio Code, first ensure the Azure Account extension is installed. Once the extension is installed, open the **Command Palette** and run the **Azure: Sign In** command.
+To authenticate in Visual Studio Code, ensure **version 0.9.11 or earlier** of the Azure Account extension is installed. Once installed, open the **Command Palette** and run the **Azure: Sign In** command.
 Additionally, use the [`@azure/identity-vscode`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-vscode) plugin package. This package provides the dependencies of `VisualStudioCodeCredential` and enables it. See [Plugins](##plugins).

package/dist/index.js CHANGED Viewed

@@ -367,7 +367,7 @@ function getIdentityClientAuthorityHost(options) {
  */
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
-        var _a;
+        var _a, _b;
         const packageDetails = `azsdk-js-identity/2.1.0-beta.2`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
@@ -383,6 +383,7 @@ class IdentityClient extends coreClient.ServiceClient {
             }, baseUri }));
         this.authorityHost = baseUri;
         this.abortControllers = new Map();
+        this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
     }
     async sendTokenRequest(request, expiresOnParser) {
         logger$j.info(`IdentityClient: sending token request to [${request.url}]`);
@@ -397,6 +398,7 @@ class IdentityClient extends coreClient.ServiceClient {
             if (!parsedBody.access_token) {
                 return null;
             }
+            this.logIdentifiers(response);
             const token = {
                 accessToken: {
                     token: parsedBody.access_token,
@@ -518,6 +520,7 @@ class IdentityClient extends coreClient.ServiceClient {
             abortSignal: this.generateAbortSignal(noCorrelationId),
         });
         const response = await this.sendRequest(request);
+        this.logIdentifiers(response);
         return {
             body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
             headers: response.headers.toJSON(),
@@ -534,12 +537,45 @@ class IdentityClient extends coreClient.ServiceClient {
             abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
         });
         const response = await this.sendRequest(request);
+        this.logIdentifiers(response);
         return {
             body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
             headers: response.headers.toJSON(),
             status: response.status,
         };
     }
+    /**
+     * If allowLoggingAccountIdentifiers was set on the constructor options
+     * we try to log the account identifiers by parsing the received access token.
+     *
+     * The account identifiers we try to log are:
+     * - `appid`: The application or Client Identifier.
+     * - `upn`: User Principal Name.
+     *   - It might not be available in some authentication scenarios.
+     *   - If it's not available, we put a placeholder: "No User Principal Name available".
+     * - `tid`: Tenant Identifier.
+     * - `oid`: Object Identifier of the authenticated user.
+     */
+    logIdentifiers(response) {
+        if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
+            return;
+        }
+        const unavailableUpn = "No User Principal Name available";
+        try {
+            const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
+            const accessToken = parsed.access_token;
+            if (!accessToken) {
+                // Without an access token allowLoggingAccountIdentifiers isn't useful.
+                return;
+            }
+            const base64Metadata = accessToken.split(".")[1];
+            const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
+            logger$j.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+        }
+        catch (e) {
+            logger$j.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+        }
+    }
 }
 // Copyright (c) Microsoft Corporation.
@@ -615,12 +651,16 @@ function getAuthority(tenantId, host) {
 }
 /**
  * Generates the known authorities.
+ * If `disableAuthorityValidation` is passed, it returns the authority host as a known host, thus disabling the authority validation.
  * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
  * For that reason, we have to force MSAL to disable validating the authority
  * by sending it within the known authorities in the MSAL configuration.
  * @internal
  */
-function getKnownAuthorities(tenantId, authorityHost) {
+function getKnownAuthorities(tenantId, authorityHost, disableAuthorityValidation) {
+    if (disableAuthorityValidation) {
+        return [authorityHost];
+    }
     if (tenantId === "adfs" && authorityHost) {
         return [authorityHost];
     }
@@ -978,17 +1018,17 @@ class MsalNode extends MsalBaseUtilities {
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
         let clientCapabilities = ["cp1"];
         if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
             clientCapabilities = [];
         }
-        return {
+        const configuration = {
             auth: {
                 clientId,
                 authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority),
                 clientCapabilities,
+                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableAuthorityValidation),
             },
             // Cache is defined in this.prepare();
             system: {
@@ -998,6 +1038,7 @@ class MsalNode extends MsalBaseUtilities {
                 },
             },
         };
+        return configuration;
     }
     /**
      * Prepares the MSAL applications.