@azure/identity 2.1.0-alpha.20220321.2 → 2.1.0-alpha.20220404.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of @azure/identity might be problematic. Click here for more details.
- package/CHANGELOG.md +4 -6
- package/README.md +1 -1
- package/dist/index.js +236 -187
- package/dist/index.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js +5 -2
- package/dist-esm/src/credentials/clientCertificateCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +13 -26
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js +77 -0
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js.map +1 -0
- package/dist-esm/src/credentials/managedIdentityCredential/index.js +10 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js +0 -21
- package/dist-esm/src/credentials/onBehalfOfCredential.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js.map +1 -1
- package/dist-esm/src/index.js.map +1 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js +1 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +1 -1
- package/dist-esm/src/msal/flows.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js +5 -1
- package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js +2 -3
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +1 -1
- package/dist-esm/src/msal/utils.js +1 -5
- package/dist-esm/src/msal/utils.js.map +1 -1
- package/dist-esm/src/tokenCredentialOptions.js.map +1 -1
- package/package.json +2 -2
- package/types/identity.d.ts +123 -59
package/dist/index.js
CHANGED
|
@@ -8,7 +8,7 @@ var coreClient = require('@azure/core-client');
|
|
|
8
8
|
var coreUtil = require('@azure/core-util');
|
|
9
9
|
var coreRestPipeline = require('@azure/core-rest-pipeline');
|
|
10
10
|
var abortController = require('@azure/abort-controller');
|
|
11
|
-
var logger$
|
|
11
|
+
var logger$l = require('@azure/logger');
|
|
12
12
|
var msalCommon = require('@azure/msal-common');
|
|
13
13
|
var uuid = require('uuid');
|
|
14
14
|
var fs = require('fs');
|
|
@@ -273,7 +273,7 @@ async function trace(operationName, options, fn, createSpanFn = createSpan) {
|
|
|
273
273
|
/**
|
|
274
274
|
* The AzureLogger used for all clients within the identity package
|
|
275
275
|
*/
|
|
276
|
-
const logger$
|
|
276
|
+
const logger$k = logger$l.createClientLogger("identity");
|
|
277
277
|
/**
|
|
278
278
|
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
|
279
279
|
* @param supportedEnvVars - List of environment variable names
|
|
@@ -313,7 +313,7 @@ function formatError(scope, error) {
|
|
|
313
313
|
* `[title] => [message]`
|
|
314
314
|
*
|
|
315
315
|
*/
|
|
316
|
-
function credentialLoggerInstance(title, parent, log = logger$
|
|
316
|
+
function credentialLoggerInstance(title, parent, log = logger$k) {
|
|
317
317
|
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
|
318
318
|
function info(message) {
|
|
319
319
|
log.info(`${fullTitle} =>`, message);
|
|
@@ -338,7 +338,7 @@ function credentialLoggerInstance(title, parent, log = logger$j) {
|
|
|
338
338
|
* `[title] => getToken() => [message]`
|
|
339
339
|
*
|
|
340
340
|
*/
|
|
341
|
-
function credentialLogger(title, log = logger$
|
|
341
|
+
function credentialLogger(title, log = logger$k) {
|
|
342
342
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
343
343
|
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
|
344
344
|
}
|
|
@@ -386,7 +386,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
386
386
|
this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
|
|
387
387
|
}
|
|
388
388
|
async sendTokenRequest(request, expiresOnParser) {
|
|
389
|
-
logger$
|
|
389
|
+
logger$k.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
390
390
|
const response = await this.sendRequest(request);
|
|
391
391
|
expiresOnParser =
|
|
392
392
|
expiresOnParser ||
|
|
@@ -406,12 +406,12 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
406
406
|
},
|
|
407
407
|
refreshToken: parsedBody.refresh_token,
|
|
408
408
|
};
|
|
409
|
-
logger$
|
|
409
|
+
logger$k.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
|
410
410
|
return token;
|
|
411
411
|
}
|
|
412
412
|
else {
|
|
413
413
|
const error = new AuthenticationError(response.status, response.bodyAsText);
|
|
414
|
-
logger$
|
|
414
|
+
logger$k.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
|
415
415
|
throw error;
|
|
416
416
|
}
|
|
417
417
|
}
|
|
@@ -419,7 +419,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
419
419
|
if (refreshToken === undefined) {
|
|
420
420
|
return null;
|
|
421
421
|
}
|
|
422
|
-
logger$
|
|
422
|
+
logger$k.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
|
423
423
|
const { span, updatedOptions } = createSpan("IdentityClient-refreshAccessToken", options);
|
|
424
424
|
const refreshParams = {
|
|
425
425
|
grant_type: "refresh_token",
|
|
@@ -445,7 +445,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
445
445
|
tracingOptions: updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions,
|
|
446
446
|
});
|
|
447
447
|
const response = await this.sendTokenRequest(request, expiresOnParser);
|
|
448
|
-
logger$
|
|
448
|
+
logger$k.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
|
449
449
|
return response;
|
|
450
450
|
}
|
|
451
451
|
catch (err) {
|
|
@@ -454,7 +454,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
454
454
|
// It's likely that the refresh token has expired, so
|
|
455
455
|
// return null so that the credential implementation will
|
|
456
456
|
// initiate the authentication flow again.
|
|
457
|
-
logger$
|
|
457
|
+
logger$k.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
|
458
458
|
span.setStatus({
|
|
459
459
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
460
460
|
message: err.message,
|
|
@@ -462,7 +462,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
462
462
|
return null;
|
|
463
463
|
}
|
|
464
464
|
else {
|
|
465
|
-
logger$
|
|
465
|
+
logger$k.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
|
466
466
|
span.setStatus({
|
|
467
467
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
468
468
|
message: err.message,
|
|
@@ -570,10 +570,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
570
570
|
}
|
|
571
571
|
const base64Metadata = accessToken.split(".")[1];
|
|
572
572
|
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
|
573
|
-
logger$
|
|
573
|
+
logger$k.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
|
574
574
|
}
|
|
575
575
|
catch (e) {
|
|
576
|
-
logger$
|
|
576
|
+
logger$k.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
|
577
577
|
}
|
|
578
578
|
}
|
|
579
579
|
}
|
|
@@ -651,16 +651,12 @@ function getAuthority(tenantId, host) {
|
|
|
651
651
|
}
|
|
652
652
|
/**
|
|
653
653
|
* Generates the known authorities.
|
|
654
|
-
* If `disableAuthorityValidation` is passed, it returns the authority host as a known host, thus disabling the authority validation.
|
|
655
654
|
* If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
|
|
656
655
|
* For that reason, we have to force MSAL to disable validating the authority
|
|
657
656
|
* by sending it within the known authorities in the MSAL configuration.
|
|
658
657
|
* @internal
|
|
659
658
|
*/
|
|
660
|
-
function getKnownAuthorities(tenantId, authorityHost
|
|
661
|
-
if (disableAuthorityValidation) {
|
|
662
|
-
return [authorityHost];
|
|
663
|
-
}
|
|
659
|
+
function getKnownAuthorities(tenantId, authorityHost) {
|
|
664
660
|
if (tenantId === "adfs" && authorityHost) {
|
|
665
661
|
return [authorityHost];
|
|
666
662
|
}
|
|
@@ -1023,12 +1019,12 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1023
1019
|
if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
|
|
1024
1020
|
clientCapabilities = [];
|
|
1025
1021
|
}
|
|
1026
|
-
|
|
1022
|
+
return {
|
|
1027
1023
|
auth: {
|
|
1028
1024
|
clientId,
|
|
1029
1025
|
authority,
|
|
1026
|
+
knownAuthorities: getKnownAuthorities(tenantId, authority),
|
|
1030
1027
|
clientCapabilities,
|
|
1031
|
-
knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableAuthorityValidation),
|
|
1032
1028
|
},
|
|
1033
1029
|
// Cache is defined in this.prepare();
|
|
1034
1030
|
system: {
|
|
@@ -1038,7 +1034,6 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1038
1034
|
},
|
|
1039
1035
|
},
|
|
1040
1036
|
};
|
|
1041
|
-
return configuration;
|
|
1042
1037
|
}
|
|
1043
1038
|
/**
|
|
1044
1039
|
* Prepares the MSAL applications.
|
|
@@ -1189,7 +1184,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1189
1184
|
// Copyright (c) Microsoft Corporation.
|
|
1190
1185
|
const CommonTenantId = "common";
|
|
1191
1186
|
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
|
1192
|
-
const logger$
|
|
1187
|
+
const logger$j = credentialLogger("VisualStudioCodeCredential");
|
|
1193
1188
|
let findCredentials = undefined;
|
|
1194
1189
|
const vsCodeCredentialControl = {
|
|
1195
1190
|
setVsCodeCredentialFinder(finder) {
|
|
@@ -1242,7 +1237,7 @@ function getPropertyFromVSCode(property) {
|
|
|
1242
1237
|
}
|
|
1243
1238
|
}
|
|
1244
1239
|
catch (e) {
|
|
1245
|
-
logger$
|
|
1240
|
+
logger$j.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
|
1246
1241
|
return;
|
|
1247
1242
|
}
|
|
1248
1243
|
}
|
|
@@ -1270,7 +1265,7 @@ class VisualStudioCodeCredential {
|
|
|
1270
1265
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
1271
1266
|
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
|
1272
1267
|
if (options && options.tenantId) {
|
|
1273
|
-
checkTenantId(logger$
|
|
1268
|
+
checkTenantId(logger$j, options.tenantId);
|
|
1274
1269
|
this.tenantId = options.tenantId;
|
|
1275
1270
|
}
|
|
1276
1271
|
else {
|
|
@@ -1322,7 +1317,7 @@ class VisualStudioCodeCredential {
|
|
|
1322
1317
|
// Check to make sure the scope we get back is a valid scope
|
|
1323
1318
|
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
|
1324
1319
|
const error = new Error("Invalid scope was specified by the user or calling client");
|
|
1325
|
-
logger$
|
|
1320
|
+
logger$j.getToken.info(formatError(scopes, error));
|
|
1326
1321
|
throw error;
|
|
1327
1322
|
}
|
|
1328
1323
|
if (scopeString.indexOf("offline_access") < 0) {
|
|
@@ -1342,18 +1337,18 @@ class VisualStudioCodeCredential {
|
|
|
1342
1337
|
if (refreshToken) {
|
|
1343
1338
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
1344
1339
|
if (tokenResponse) {
|
|
1345
|
-
logger$
|
|
1340
|
+
logger$j.getToken.info(formatSuccess(scopes));
|
|
1346
1341
|
return tokenResponse.accessToken;
|
|
1347
1342
|
}
|
|
1348
1343
|
else {
|
|
1349
1344
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1350
|
-
logger$
|
|
1345
|
+
logger$j.getToken.info(formatError(scopes, error));
|
|
1351
1346
|
throw error;
|
|
1352
1347
|
}
|
|
1353
1348
|
}
|
|
1354
1349
|
else {
|
|
1355
1350
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1356
|
-
logger$
|
|
1351
|
+
logger$j.getToken.info(formatError(scopes, error));
|
|
1357
1352
|
throw error;
|
|
1358
1353
|
}
|
|
1359
1354
|
}
|
|
@@ -1404,7 +1399,7 @@ function useIdentityPlugin(plugin) {
|
|
|
1404
1399
|
/**
|
|
1405
1400
|
* @internal
|
|
1406
1401
|
*/
|
|
1407
|
-
const logger$
|
|
1402
|
+
const logger$i = credentialLogger("ChainedTokenCredential");
|
|
1408
1403
|
/**
|
|
1409
1404
|
* Enables multiple `TokenCredential` implementations to be tried in order
|
|
1410
1405
|
* until one of the getToken methods returns an access token.
|
|
@@ -1459,7 +1454,7 @@ class ChainedTokenCredential {
|
|
|
1459
1454
|
errors.push(err);
|
|
1460
1455
|
}
|
|
1461
1456
|
else {
|
|
1462
|
-
logger$
|
|
1457
|
+
logger$i.getToken.info(formatError(scopes, err));
|
|
1463
1458
|
throw err;
|
|
1464
1459
|
}
|
|
1465
1460
|
}
|
|
@@ -1470,11 +1465,11 @@ class ChainedTokenCredential {
|
|
|
1470
1465
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
1471
1466
|
message: err.message,
|
|
1472
1467
|
});
|
|
1473
|
-
logger$
|
|
1468
|
+
logger$i.getToken.info(formatError(scopes, err));
|
|
1474
1469
|
throw err;
|
|
1475
1470
|
}
|
|
1476
1471
|
span.end();
|
|
1477
|
-
logger$
|
|
1472
|
+
logger$i.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
|
|
1478
1473
|
if (token === null) {
|
|
1479
1474
|
throw new CredentialUnavailableError("Failed to retrieve a valid token");
|
|
1480
1475
|
}
|
|
@@ -1552,7 +1547,7 @@ const cliCredentialInternals = {
|
|
|
1552
1547
|
});
|
|
1553
1548
|
},
|
|
1554
1549
|
};
|
|
1555
|
-
const logger$
|
|
1550
|
+
const logger$h = credentialLogger("AzureCliCredential");
|
|
1556
1551
|
/**
|
|
1557
1552
|
* This credential will use the currently logged-in user login information
|
|
1558
1553
|
* via the Azure CLI ('az') commandline tool.
|
|
@@ -1582,11 +1577,11 @@ class AzureCliCredential {
|
|
|
1582
1577
|
async getToken(scopes, options) {
|
|
1583
1578
|
const tenantId = processMultiTenantRequest(this.tenantId, options);
|
|
1584
1579
|
if (tenantId) {
|
|
1585
|
-
checkTenantId(logger$
|
|
1580
|
+
checkTenantId(logger$h, tenantId);
|
|
1586
1581
|
}
|
|
1587
1582
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
1588
|
-
logger$
|
|
1589
|
-
ensureValidScope(scope, logger$
|
|
1583
|
+
logger$h.getToken.info(`Using the scope ${scope}`);
|
|
1584
|
+
ensureValidScope(scope, logger$h);
|
|
1590
1585
|
const resource = getScopeResource(scope);
|
|
1591
1586
|
let responseData = "";
|
|
1592
1587
|
const { span } = createSpan(`${this.constructor.name}.getToken`, options);
|
|
@@ -1597,22 +1592,22 @@ class AzureCliCredential {
|
|
|
1597
1592
|
const isNotInstallError = obj.stderr.match("az:(.*)not found") || obj.stderr.startsWith("'az' is not recognized");
|
|
1598
1593
|
if (isNotInstallError) {
|
|
1599
1594
|
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
|
1600
|
-
logger$
|
|
1595
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1601
1596
|
throw error;
|
|
1602
1597
|
}
|
|
1603
1598
|
else if (isLoginError) {
|
|
1604
1599
|
const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
|
|
1605
|
-
logger$
|
|
1600
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1606
1601
|
throw error;
|
|
1607
1602
|
}
|
|
1608
1603
|
const error = new CredentialUnavailableError(obj.stderr);
|
|
1609
|
-
logger$
|
|
1604
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1610
1605
|
throw error;
|
|
1611
1606
|
}
|
|
1612
1607
|
else {
|
|
1613
1608
|
responseData = obj.stdout;
|
|
1614
1609
|
const response = JSON.parse(responseData);
|
|
1615
|
-
logger$
|
|
1610
|
+
logger$h.getToken.info(formatSuccess(scopes));
|
|
1616
1611
|
const returnValue = {
|
|
1617
1612
|
token: response.accessToken,
|
|
1618
1613
|
expiresOnTimestamp: new Date(response.expiresOn).getTime(),
|
|
@@ -1626,7 +1621,7 @@ class AzureCliCredential {
|
|
|
1626
1621
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
1627
1622
|
message: error.message,
|
|
1628
1623
|
});
|
|
1629
|
-
logger$
|
|
1624
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1630
1625
|
throw error;
|
|
1631
1626
|
}
|
|
1632
1627
|
}
|
|
@@ -1663,7 +1658,7 @@ const processUtils = {
|
|
|
1663
1658
|
};
|
|
1664
1659
|
|
|
1665
1660
|
// Copyright (c) Microsoft Corporation.
|
|
1666
|
-
const logger$
|
|
1661
|
+
const logger$g = credentialLogger("AzurePowerShellCredential");
|
|
1667
1662
|
const isWindows = process.platform === "win32";
|
|
1668
1663
|
/**
|
|
1669
1664
|
* Returns a platform-appropriate command name by appending ".exe" on Windows.
|
|
@@ -1794,15 +1789,15 @@ class AzurePowerShellCredential {
|
|
|
1794
1789
|
return trace(`${this.constructor.name}.getToken`, options, async () => {
|
|
1795
1790
|
const tenantId = processMultiTenantRequest(this.tenantId, options);
|
|
1796
1791
|
if (tenantId) {
|
|
1797
|
-
checkTenantId(logger$
|
|
1792
|
+
checkTenantId(logger$g, tenantId);
|
|
1798
1793
|
}
|
|
1799
1794
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
1800
|
-
ensureValidScope(scope, logger$
|
|
1801
|
-
logger$
|
|
1795
|
+
ensureValidScope(scope, logger$g);
|
|
1796
|
+
logger$g.getToken.info(`Using the scope ${scope}`);
|
|
1802
1797
|
const resource = getScopeResource(scope);
|
|
1803
1798
|
try {
|
|
1804
1799
|
const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
|
|
1805
|
-
logger$
|
|
1800
|
+
logger$g.getToken.info(formatSuccess(scopes));
|
|
1806
1801
|
return {
|
|
1807
1802
|
token: response.Token,
|
|
1808
1803
|
expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
|
|
@@ -1811,16 +1806,16 @@ class AzurePowerShellCredential {
|
|
|
1811
1806
|
catch (err) {
|
|
1812
1807
|
if (isNotInstalledError(err)) {
|
|
1813
1808
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
|
|
1814
|
-
logger$
|
|
1809
|
+
logger$g.getToken.info(formatError(scope, error));
|
|
1815
1810
|
throw error;
|
|
1816
1811
|
}
|
|
1817
1812
|
else if (isLoginError(err)) {
|
|
1818
1813
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
|
|
1819
|
-
logger$
|
|
1814
|
+
logger$g.getToken.info(formatError(scope, error));
|
|
1820
1815
|
throw error;
|
|
1821
1816
|
}
|
|
1822
1817
|
const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
|
|
1823
|
-
logger$
|
|
1818
|
+
logger$g.getToken.info(formatError(scope, error));
|
|
1824
1819
|
throw error;
|
|
1825
1820
|
}
|
|
1826
1821
|
});
|
|
@@ -1858,7 +1853,7 @@ class MsalClientSecret extends MsalNode {
|
|
|
1858
1853
|
}
|
|
1859
1854
|
|
|
1860
1855
|
// Copyright (c) Microsoft Corporation.
|
|
1861
|
-
const logger$
|
|
1856
|
+
const logger$f = credentialLogger("ClientSecretCredential");
|
|
1862
1857
|
/**
|
|
1863
1858
|
* Enables authentication to Azure Active Directory using a client secret
|
|
1864
1859
|
* that was generated for an App Registration. More information on how
|
|
@@ -1882,7 +1877,7 @@ class ClientSecretCredential {
|
|
|
1882
1877
|
if (!tenantId || !clientId || !clientSecret) {
|
|
1883
1878
|
throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
|
|
1884
1879
|
}
|
|
1885
|
-
this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$
|
|
1880
|
+
this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$f,
|
|
1886
1881
|
clientId,
|
|
1887
1882
|
tenantId,
|
|
1888
1883
|
clientSecret, tokenCredentialOptions: options }));
|
|
@@ -1915,8 +1910,12 @@ const readFileAsync$2 = util.promisify(fs.readFile);
|
|
|
1915
1910
|
*/
|
|
1916
1911
|
async function parseCertificate(configuration, sendCertificateChain) {
|
|
1917
1912
|
const certificateParts = {};
|
|
1913
|
+
const certificate = configuration
|
|
1914
|
+
.certificate;
|
|
1915
|
+
const certificatePath = configuration
|
|
1916
|
+
.certificatePath;
|
|
1918
1917
|
certificateParts.certificateContents =
|
|
1919
|
-
|
|
1918
|
+
certificate || (await readFileAsync$2(certificatePath, "utf8"));
|
|
1920
1919
|
if (sendCertificateChain) {
|
|
1921
1920
|
certificateParts.x5c = certificateParts.certificateContents;
|
|
1922
1921
|
}
|
|
@@ -1988,7 +1987,7 @@ class MsalClientCertificate extends MsalNode {
|
|
|
1988
1987
|
|
|
1989
1988
|
// Copyright (c) Microsoft Corporation.
|
|
1990
1989
|
const credentialName$2 = "ClientCertificateCredential";
|
|
1991
|
-
const logger$
|
|
1990
|
+
const logger$e = credentialLogger(credentialName$2);
|
|
1992
1991
|
/**
|
|
1993
1992
|
* Enables authentication to Azure Active Directory using a PEM-encoded
|
|
1994
1993
|
* certificate that is assigned to an App Registration. More information
|
|
@@ -2007,14 +2006,17 @@ class ClientCertificateCredential {
|
|
|
2007
2006
|
certificatePath: certificatePathOrConfiguration,
|
|
2008
2007
|
}
|
|
2009
2008
|
: certificatePathOrConfiguration));
|
|
2010
|
-
|
|
2009
|
+
const certificate = configuration
|
|
2010
|
+
.certificate;
|
|
2011
|
+
const certificatePath = configuration.certificatePath;
|
|
2012
|
+
if (!configuration || !(certificate || certificatePath)) {
|
|
2011
2013
|
throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
2012
2014
|
}
|
|
2013
|
-
if (
|
|
2015
|
+
if (certificate && certificatePath) {
|
|
2014
2016
|
throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
2015
2017
|
}
|
|
2016
2018
|
this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
|
|
2017
|
-
logger: logger$
|
|
2019
|
+
logger: logger$e,
|
|
2018
2020
|
clientId,
|
|
2019
2021
|
tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
|
|
2020
2022
|
}
|
|
@@ -2065,7 +2067,7 @@ class MsalUsernamePassword extends MsalNode {
|
|
|
2065
2067
|
}
|
|
2066
2068
|
|
|
2067
2069
|
// Copyright (c) Microsoft Corporation.
|
|
2068
|
-
const logger$
|
|
2070
|
+
const logger$d = credentialLogger("UsernamePasswordCredential");
|
|
2069
2071
|
/**
|
|
2070
2072
|
* Enables authentication to Azure Active Directory with a user's
|
|
2071
2073
|
* username and password. This credential requires a high degree of
|
|
@@ -2088,7 +2090,7 @@ class UsernamePasswordCredential {
|
|
|
2088
2090
|
if (!tenantId || !clientId || !username || !password) {
|
|
2089
2091
|
throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
|
2090
2092
|
}
|
|
2091
|
-
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$
|
|
2093
|
+
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$d,
|
|
2092
2094
|
clientId,
|
|
2093
2095
|
tenantId,
|
|
2094
2096
|
username,
|
|
@@ -2131,7 +2133,7 @@ const AllSupportedEnvironmentVariables = [
|
|
|
2131
2133
|
"AZURE_PASSWORD",
|
|
2132
2134
|
];
|
|
2133
2135
|
const credentialName$1 = "EnvironmentCredential";
|
|
2134
|
-
const logger$
|
|
2136
|
+
const logger$c = credentialLogger(credentialName$1);
|
|
2135
2137
|
/**
|
|
2136
2138
|
* Enables authentication to Azure Active Directory using client secret
|
|
2137
2139
|
* details configured in environment variables
|
|
@@ -2161,26 +2163,26 @@ class EnvironmentCredential {
|
|
|
2161
2163
|
// Keep track of any missing environment variables for error details
|
|
2162
2164
|
this._credential = undefined;
|
|
2163
2165
|
const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
|
|
2164
|
-
logger$
|
|
2166
|
+
logger$c.info(`Found the following environment variables: ${assigned}`);
|
|
2165
2167
|
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
|
|
2166
2168
|
if (tenantId) {
|
|
2167
|
-
checkTenantId(logger$
|
|
2169
|
+
checkTenantId(logger$c, tenantId);
|
|
2168
2170
|
}
|
|
2169
2171
|
if (tenantId && clientId && clientSecret) {
|
|
2170
|
-
logger$
|
|
2172
|
+
logger$c.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
|
|
2171
2173
|
this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
|
|
2172
2174
|
return;
|
|
2173
2175
|
}
|
|
2174
2176
|
const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
|
|
2175
2177
|
if (tenantId && clientId && certificatePath) {
|
|
2176
|
-
logger$
|
|
2178
|
+
logger$c.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
|
|
2177
2179
|
this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath }, options);
|
|
2178
2180
|
return;
|
|
2179
2181
|
}
|
|
2180
2182
|
const username = process.env.AZURE_USERNAME;
|
|
2181
2183
|
const password = process.env.AZURE_PASSWORD;
|
|
2182
2184
|
if (tenantId && clientId && username && password) {
|
|
2183
|
-
logger$
|
|
2185
|
+
logger$c.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
|
|
2184
2186
|
this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, options);
|
|
2185
2187
|
}
|
|
2186
2188
|
}
|
|
@@ -2195,7 +2197,7 @@ class EnvironmentCredential {
|
|
|
2195
2197
|
if (this._credential) {
|
|
2196
2198
|
try {
|
|
2197
2199
|
const result = await this._credential.getToken(scopes, newOptions);
|
|
2198
|
-
logger$
|
|
2200
|
+
logger$c.getToken.info(formatSuccess(scopes));
|
|
2199
2201
|
return result;
|
|
2200
2202
|
}
|
|
2201
2203
|
catch (err) {
|
|
@@ -2203,7 +2205,7 @@ class EnvironmentCredential {
|
|
|
2203
2205
|
error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
|
|
2204
2206
|
error_description: err.message.toString().split("More details:").join(""),
|
|
2205
2207
|
});
|
|
2206
|
-
logger$
|
|
2208
|
+
logger$c.getToken.info(formatError(scopes, authenticationError));
|
|
2207
2209
|
throw authenticationError;
|
|
2208
2210
|
}
|
|
2209
2211
|
}
|
|
@@ -2249,22 +2251,22 @@ function mapScopesToResource(scopes) {
|
|
|
2249
2251
|
}
|
|
2250
2252
|
|
|
2251
2253
|
// Copyright (c) Microsoft Corporation.
|
|
2252
|
-
const msiName$
|
|
2253
|
-
const logger$
|
|
2254
|
+
const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
|
|
2255
|
+
const logger$b = credentialLogger(msiName$6);
|
|
2254
2256
|
/**
|
|
2255
2257
|
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2256
2258
|
*/
|
|
2257
|
-
function expiresOnParser$
|
|
2259
|
+
function expiresOnParser$3(requestBody) {
|
|
2258
2260
|
// App Service always returns string expires_on values.
|
|
2259
2261
|
return Date.parse(requestBody.expires_on);
|
|
2260
2262
|
}
|
|
2261
2263
|
/**
|
|
2262
2264
|
* Generates the options used on the request for an access token.
|
|
2263
2265
|
*/
|
|
2264
|
-
function prepareRequestOptions$
|
|
2266
|
+
function prepareRequestOptions$6(scopes, clientId) {
|
|
2265
2267
|
const resource = mapScopesToResource(scopes);
|
|
2266
2268
|
if (!resource) {
|
|
2267
|
-
throw new Error(`${msiName$
|
|
2269
|
+
throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
|
|
2268
2270
|
}
|
|
2269
2271
|
const queryParameters = {
|
|
2270
2272
|
resource,
|
|
@@ -2276,10 +2278,10 @@ function prepareRequestOptions$5(scopes, clientId) {
|
|
|
2276
2278
|
const query = new URLSearchParams(queryParameters);
|
|
2277
2279
|
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2278
2280
|
if (!process.env.MSI_ENDPOINT) {
|
|
2279
|
-
throw new Error(`${msiName$
|
|
2281
|
+
throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
|
|
2280
2282
|
}
|
|
2281
2283
|
if (!process.env.MSI_SECRET) {
|
|
2282
|
-
throw new Error(`${msiName$
|
|
2284
|
+
throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
|
|
2283
2285
|
}
|
|
2284
2286
|
return {
|
|
2285
2287
|
url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
|
|
@@ -2297,40 +2299,40 @@ const appServiceMsi2017 = {
|
|
|
2297
2299
|
async isAvailable({ scopes }) {
|
|
2298
2300
|
const resource = mapScopesToResource(scopes);
|
|
2299
2301
|
if (!resource) {
|
|
2300
|
-
logger$
|
|
2302
|
+
logger$b.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
|
|
2301
2303
|
return false;
|
|
2302
2304
|
}
|
|
2303
2305
|
const env = process.env;
|
|
2304
2306
|
const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
|
|
2305
2307
|
if (!result) {
|
|
2306
|
-
logger$
|
|
2308
|
+
logger$b.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
|
|
2307
2309
|
}
|
|
2308
2310
|
return result;
|
|
2309
2311
|
},
|
|
2310
2312
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2311
2313
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2312
2314
|
if (resourceId) {
|
|
2313
|
-
logger$
|
|
2315
|
+
logger$b.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
2314
2316
|
}
|
|
2315
|
-
logger$
|
|
2316
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2317
|
+
logger$b.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
2318
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), {
|
|
2317
2319
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2318
2320
|
allowInsecureConnection: true }));
|
|
2319
|
-
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$
|
|
2321
|
+
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$3);
|
|
2320
2322
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2321
2323
|
},
|
|
2322
2324
|
};
|
|
2323
2325
|
|
|
2324
2326
|
// Copyright (c) Microsoft Corporation.
|
|
2325
|
-
const msiName$
|
|
2326
|
-
const logger$
|
|
2327
|
+
const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
|
|
2328
|
+
const logger$a = credentialLogger(msiName$5);
|
|
2327
2329
|
/**
|
|
2328
2330
|
* Generates the options used on the request for an access token.
|
|
2329
2331
|
*/
|
|
2330
|
-
function prepareRequestOptions$
|
|
2332
|
+
function prepareRequestOptions$5(scopes, clientId, resourceId) {
|
|
2331
2333
|
const resource = mapScopesToResource(scopes);
|
|
2332
2334
|
if (!resource) {
|
|
2333
|
-
throw new Error(`${msiName$
|
|
2335
|
+
throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
|
|
2334
2336
|
}
|
|
2335
2337
|
const body = {
|
|
2336
2338
|
resource,
|
|
@@ -2343,7 +2345,7 @@ function prepareRequestOptions$4(scopes, clientId, resourceId) {
|
|
|
2343
2345
|
}
|
|
2344
2346
|
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2345
2347
|
if (!process.env.MSI_ENDPOINT) {
|
|
2346
|
-
throw new Error(`${msiName$
|
|
2348
|
+
throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
|
|
2347
2349
|
}
|
|
2348
2350
|
const params = new URLSearchParams(body);
|
|
2349
2351
|
return {
|
|
@@ -2365,25 +2367,25 @@ const cloudShellMsi = {
|
|
|
2365
2367
|
async isAvailable({ scopes }) {
|
|
2366
2368
|
const resource = mapScopesToResource(scopes);
|
|
2367
2369
|
if (!resource) {
|
|
2368
|
-
logger$
|
|
2370
|
+
logger$a.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
|
|
2369
2371
|
return false;
|
|
2370
2372
|
}
|
|
2371
2373
|
const result = Boolean(process.env.MSI_ENDPOINT);
|
|
2372
2374
|
if (!result) {
|
|
2373
|
-
logger$
|
|
2375
|
+
logger$a.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
|
|
2374
2376
|
}
|
|
2375
2377
|
return result;
|
|
2376
2378
|
},
|
|
2377
2379
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2378
2380
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2379
2381
|
if (clientId) {
|
|
2380
|
-
logger$
|
|
2382
|
+
logger$a.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
2381
2383
|
}
|
|
2382
2384
|
if (resourceId) {
|
|
2383
|
-
logger$
|
|
2385
|
+
logger$a.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
2384
2386
|
}
|
|
2385
|
-
logger$
|
|
2386
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2387
|
+
logger$a.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
2388
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), {
|
|
2387
2389
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2388
2390
|
allowInsecureConnection: true }));
|
|
2389
2391
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
@@ -2392,33 +2394,33 @@ const cloudShellMsi = {
|
|
|
2392
2394
|
};
|
|
2393
2395
|
|
|
2394
2396
|
// Copyright (c) Microsoft Corporation.
|
|
2395
|
-
const msiName$
|
|
2396
|
-
const logger$
|
|
2397
|
+
const msiName$4 = "ManagedIdentityCredential - IMDS";
|
|
2398
|
+
const logger$9 = credentialLogger(msiName$4);
|
|
2397
2399
|
/**
|
|
2398
2400
|
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2399
2401
|
*/
|
|
2400
|
-
function expiresOnParser$
|
|
2402
|
+
function expiresOnParser$2(requestBody) {
|
|
2401
2403
|
if (requestBody.expires_on) {
|
|
2402
2404
|
// Use the expires_on timestamp if it's available
|
|
2403
2405
|
const expires = +requestBody.expires_on * 1000;
|
|
2404
|
-
logger$
|
|
2406
|
+
logger$9.info(`${msiName$4}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
|
|
2405
2407
|
return expires;
|
|
2406
2408
|
}
|
|
2407
2409
|
else {
|
|
2408
2410
|
// If these aren't possible, use expires_in and calculate a timestamp
|
|
2409
2411
|
const expires = Date.now() + requestBody.expires_in * 1000;
|
|
2410
|
-
logger$
|
|
2412
|
+
logger$9.info(`${msiName$4}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
|
|
2411
2413
|
return expires;
|
|
2412
2414
|
}
|
|
2413
2415
|
}
|
|
2414
2416
|
/**
|
|
2415
2417
|
* Generates the options used on the request for an access token.
|
|
2416
2418
|
*/
|
|
2417
|
-
function prepareRequestOptions$
|
|
2419
|
+
function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
|
|
2418
2420
|
var _a;
|
|
2419
2421
|
const resource = mapScopesToResource(scopes);
|
|
2420
2422
|
if (!resource) {
|
|
2421
|
-
throw new Error(`${msiName$
|
|
2423
|
+
throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
|
|
2422
2424
|
}
|
|
2423
2425
|
const { skipQuery, skipMetadataHeader } = options || {};
|
|
2424
2426
|
let query = "";
|
|
@@ -2468,7 +2470,7 @@ const imdsMsi = {
|
|
|
2468
2470
|
var _a, _b;
|
|
2469
2471
|
const resource = mapScopesToResource(scopes);
|
|
2470
2472
|
if (!resource) {
|
|
2471
|
-
logger$
|
|
2473
|
+
logger$9.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
|
|
2472
2474
|
return false;
|
|
2473
2475
|
}
|
|
2474
2476
|
const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
|
|
@@ -2479,7 +2481,7 @@ const imdsMsi = {
|
|
|
2479
2481
|
if (!identityClient) {
|
|
2480
2482
|
throw new Error("Missing IdentityClient");
|
|
2481
2483
|
}
|
|
2482
|
-
const requestOptions = prepareRequestOptions$
|
|
2484
|
+
const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
|
|
2483
2485
|
skipMetadataHeader: true,
|
|
2484
2486
|
skipQuery: true,
|
|
2485
2487
|
});
|
|
@@ -2493,7 +2495,7 @@ const imdsMsi = {
|
|
|
2493
2495
|
// This MSI uses the imdsEndpoint to get the token, which only uses http://
|
|
2494
2496
|
request.allowInsecureConnection = true;
|
|
2495
2497
|
try {
|
|
2496
|
-
logger$
|
|
2498
|
+
logger$9.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
|
|
2497
2499
|
await identityClient.sendRequest(request);
|
|
2498
2500
|
}
|
|
2499
2501
|
catch (err) {
|
|
@@ -2505,7 +2507,7 @@ const imdsMsi = {
|
|
|
2505
2507
|
) {
|
|
2506
2508
|
// If the request failed, or Node.js was unable to establish a connection,
|
|
2507
2509
|
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
|
2508
|
-
logger$
|
|
2510
|
+
logger$9.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
2509
2511
|
span.setStatus({
|
|
2510
2512
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
2511
2513
|
message: err.message,
|
|
@@ -2514,13 +2516,13 @@ const imdsMsi = {
|
|
|
2514
2516
|
}
|
|
2515
2517
|
}
|
|
2516
2518
|
// If we received any response, the endpoint is available
|
|
2517
|
-
logger$
|
|
2519
|
+
logger$9.info(`${msiName$4}: The Azure IMDS endpoint is available`);
|
|
2518
2520
|
return true;
|
|
2519
2521
|
}
|
|
2520
2522
|
catch (err) {
|
|
2521
2523
|
// createWebResource failed.
|
|
2522
2524
|
// This error should bubble up to the user.
|
|
2523
|
-
logger$
|
|
2525
|
+
logger$9.info(`${msiName$4}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
|
|
2524
2526
|
span.setStatus({
|
|
2525
2527
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
2526
2528
|
message: err.message,
|
|
@@ -2533,12 +2535,12 @@ const imdsMsi = {
|
|
|
2533
2535
|
},
|
|
2534
2536
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2535
2537
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2536
|
-
logger$
|
|
2538
|
+
logger$9.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
|
|
2537
2539
|
let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
|
|
2538
2540
|
for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
|
|
2539
2541
|
try {
|
|
2540
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2541
|
-
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$
|
|
2542
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
|
|
2543
|
+
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$2);
|
|
2542
2544
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2543
2545
|
}
|
|
2544
2546
|
catch (error) {
|
|
@@ -2550,20 +2552,20 @@ const imdsMsi = {
|
|
|
2550
2552
|
throw error;
|
|
2551
2553
|
}
|
|
2552
2554
|
}
|
|
2553
|
-
throw new AuthenticationError(404, `${msiName$
|
|
2555
|
+
throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
|
|
2554
2556
|
},
|
|
2555
2557
|
};
|
|
2556
2558
|
|
|
2557
2559
|
// Copyright (c) Microsoft Corporation.
|
|
2558
|
-
const msiName$
|
|
2559
|
-
const logger$
|
|
2560
|
+
const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
|
|
2561
|
+
const logger$8 = credentialLogger(msiName$3);
|
|
2560
2562
|
/**
|
|
2561
2563
|
* Generates the options used on the request for an access token.
|
|
2562
2564
|
*/
|
|
2563
|
-
function prepareRequestOptions$
|
|
2565
|
+
function prepareRequestOptions$3(scopes, clientId, resourceId) {
|
|
2564
2566
|
const resource = mapScopesToResource(scopes);
|
|
2565
2567
|
if (!resource) {
|
|
2566
|
-
throw new Error(`${msiName$
|
|
2568
|
+
throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
|
|
2567
2569
|
}
|
|
2568
2570
|
const queryParameters = {
|
|
2569
2571
|
resource,
|
|
@@ -2577,7 +2579,7 @@ function prepareRequestOptions$2(scopes, clientId, resourceId) {
|
|
|
2577
2579
|
}
|
|
2578
2580
|
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2579
2581
|
if (!process.env.IDENTITY_ENDPOINT) {
|
|
2580
|
-
throw new Error(`${msiName$
|
|
2582
|
+
throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
|
|
2581
2583
|
}
|
|
2582
2584
|
const query = new URLSearchParams(queryParameters);
|
|
2583
2585
|
return coreRestPipeline.createPipelineRequest({
|
|
@@ -2612,7 +2614,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
|
|
|
2612
2614
|
if (response.bodyAsText) {
|
|
2613
2615
|
message = ` Response: ${response.bodyAsText}`;
|
|
2614
2616
|
}
|
|
2615
|
-
throw new AuthenticationError(response.status, `${msiName$
|
|
2617
|
+
throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
|
|
2616
2618
|
}
|
|
2617
2619
|
const authHeader = response.headers.get("www-authenticate") || "";
|
|
2618
2620
|
try {
|
|
@@ -2629,12 +2631,12 @@ const arcMsi = {
|
|
|
2629
2631
|
async isAvailable({ scopes }) {
|
|
2630
2632
|
const resource = mapScopesToResource(scopes);
|
|
2631
2633
|
if (!resource) {
|
|
2632
|
-
logger$
|
|
2634
|
+
logger$8.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
|
|
2633
2635
|
return false;
|
|
2634
2636
|
}
|
|
2635
2637
|
const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
|
|
2636
2638
|
if (!result) {
|
|
2637
|
-
logger$
|
|
2639
|
+
logger$8.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
|
|
2638
2640
|
}
|
|
2639
2641
|
return result;
|
|
2640
2642
|
},
|
|
@@ -2642,16 +2644,16 @@ const arcMsi = {
|
|
|
2642
2644
|
var _a;
|
|
2643
2645
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2644
2646
|
if (clientId) {
|
|
2645
|
-
logger$
|
|
2647
|
+
logger$8.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
2646
2648
|
}
|
|
2647
2649
|
if (resourceId) {
|
|
2648
|
-
logger$
|
|
2650
|
+
logger$8.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
2649
2651
|
}
|
|
2650
|
-
logger$
|
|
2651
|
-
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2652
|
+
logger$8.info(`${msiName$3}: Authenticating.`);
|
|
2653
|
+
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
|
|
2652
2654
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
2653
2655
|
if (!filePath) {
|
|
2654
|
-
throw new Error(`${msiName$
|
|
2656
|
+
throw new Error(`${msiName$3}: Failed to find the token file.`);
|
|
2655
2657
|
}
|
|
2656
2658
|
const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
|
|
2657
2659
|
(_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
|
|
@@ -2664,13 +2666,13 @@ const arcMsi = {
|
|
|
2664
2666
|
};
|
|
2665
2667
|
|
|
2666
2668
|
// Copyright (c) Microsoft Corporation.
|
|
2667
|
-
const msiName$
|
|
2668
|
-
const logger$
|
|
2669
|
+
const msiName$2 = "ManagedIdentityCredential - Token Exchange";
|
|
2670
|
+
const logger$7 = credentialLogger(msiName$2);
|
|
2669
2671
|
const readFileAsync = util.promisify(fs__default["default"].readFile);
|
|
2670
2672
|
/**
|
|
2671
2673
|
* Generates the options used on the request for an access token.
|
|
2672
2674
|
*/
|
|
2673
|
-
function prepareRequestOptions$
|
|
2675
|
+
function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
|
|
2674
2676
|
var _a;
|
|
2675
2677
|
const bodyParams = {
|
|
2676
2678
|
scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
|
|
@@ -2721,21 +2723,21 @@ function tokenExchangeMsi() {
|
|
|
2721
2723
|
const env = process.env;
|
|
2722
2724
|
const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
|
|
2723
2725
|
if (!result) {
|
|
2724
|
-
logger$
|
|
2726
|
+
logger$7.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
|
|
2725
2727
|
}
|
|
2726
2728
|
return result;
|
|
2727
2729
|
},
|
|
2728
2730
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2729
2731
|
const { identityClient, scopes, clientId } = configuration;
|
|
2730
|
-
logger$
|
|
2732
|
+
logger$7.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
|
|
2731
2733
|
let assertion;
|
|
2732
2734
|
try {
|
|
2733
2735
|
assertion = await readAssertion();
|
|
2734
2736
|
}
|
|
2735
2737
|
catch (err) {
|
|
2736
|
-
throw new Error(`${msiName$
|
|
2738
|
+
throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
|
|
2737
2739
|
}
|
|
2738
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2740
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), {
|
|
2739
2741
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2740
2742
|
allowInsecureConnection: true }));
|
|
2741
2743
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
@@ -2755,22 +2757,22 @@ function tokenExchangeMsi() {
|
|
|
2755
2757
|
//
|
|
2756
2758
|
// curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
|
|
2757
2759
|
//
|
|
2758
|
-
const msiName = "ManagedIdentityCredential - Fabric MSI";
|
|
2759
|
-
const logger$
|
|
2760
|
+
const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
|
|
2761
|
+
const logger$6 = credentialLogger(msiName$1);
|
|
2760
2762
|
/**
|
|
2761
2763
|
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2762
2764
|
*/
|
|
2763
|
-
function expiresOnParser(requestBody) {
|
|
2765
|
+
function expiresOnParser$1(requestBody) {
|
|
2764
2766
|
// Parses a string representation of the milliseconds since epoch into a number value
|
|
2765
2767
|
return Number(requestBody.expires_on);
|
|
2766
2768
|
}
|
|
2767
2769
|
/**
|
|
2768
2770
|
* Generates the options used on the request for an access token.
|
|
2769
2771
|
*/
|
|
2770
|
-
function prepareRequestOptions(scopes, clientId, resourceId) {
|
|
2772
|
+
function prepareRequestOptions$1(scopes, clientId, resourceId) {
|
|
2771
2773
|
const resource = mapScopesToResource(scopes);
|
|
2772
2774
|
if (!resource) {
|
|
2773
|
-
throw new Error(`${msiName}: Multiple scopes are not supported.`);
|
|
2775
|
+
throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
|
|
2774
2776
|
}
|
|
2775
2777
|
const queryParameters = {
|
|
2776
2778
|
resource,
|
|
@@ -2806,34 +2808,107 @@ const fabricMsi = {
|
|
|
2806
2808
|
async isAvailable({ scopes }) {
|
|
2807
2809
|
const resource = mapScopesToResource(scopes);
|
|
2808
2810
|
if (!resource) {
|
|
2809
|
-
logger$
|
|
2811
|
+
logger$6.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
|
|
2810
2812
|
return false;
|
|
2811
2813
|
}
|
|
2812
2814
|
const env = process.env;
|
|
2813
2815
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
|
|
2814
2816
|
if (!result) {
|
|
2815
|
-
logger$
|
|
2817
|
+
logger$6.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
|
|
2816
2818
|
}
|
|
2817
2819
|
return result;
|
|
2818
2820
|
},
|
|
2819
2821
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2820
2822
|
const { scopes, identityClient, clientId, resourceId } = configuration;
|
|
2821
2823
|
if (resourceId) {
|
|
2822
|
-
logger$
|
|
2824
|
+
logger$6.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
2823
2825
|
}
|
|
2824
|
-
logger$
|
|
2825
|
-
`${msiName}:`,
|
|
2826
|
+
logger$6.info([
|
|
2827
|
+
`${msiName$1}:`,
|
|
2826
2828
|
"Using the endpoint and the secret coming from the environment variables:",
|
|
2827
2829
|
`IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
|
|
2828
2830
|
"IDENTITY_HEADER=[REDACTED] and",
|
|
2829
2831
|
"IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
|
|
2830
2832
|
].join(" "));
|
|
2831
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)));
|
|
2833
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
|
|
2832
2834
|
request.agent = new https__default["default"].Agent({
|
|
2833
2835
|
// This is necessary because Service Fabric provides a self-signed certificate.
|
|
2834
2836
|
// The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
|
|
2835
2837
|
rejectUnauthorized: false,
|
|
2836
2838
|
});
|
|
2839
|
+
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
|
|
2840
|
+
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2841
|
+
},
|
|
2842
|
+
};
|
|
2843
|
+
|
|
2844
|
+
// Copyright (c) Microsoft Corporation.
|
|
2845
|
+
const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
|
|
2846
|
+
const logger$5 = credentialLogger(msiName);
|
|
2847
|
+
/**
|
|
2848
|
+
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2849
|
+
*/
|
|
2850
|
+
function expiresOnParser(requestBody) {
|
|
2851
|
+
// App Service always returns string expires_on values.
|
|
2852
|
+
return Date.parse(requestBody.expires_on);
|
|
2853
|
+
}
|
|
2854
|
+
/**
|
|
2855
|
+
* Generates the options used on the request for an access token.
|
|
2856
|
+
*/
|
|
2857
|
+
function prepareRequestOptions(scopes, clientId, resourceId) {
|
|
2858
|
+
const resource = mapScopesToResource(scopes);
|
|
2859
|
+
if (!resource) {
|
|
2860
|
+
throw new Error(`${msiName}: Multiple scopes are not supported.`);
|
|
2861
|
+
}
|
|
2862
|
+
const queryParameters = {
|
|
2863
|
+
resource,
|
|
2864
|
+
"api-version": "2019-08-01",
|
|
2865
|
+
};
|
|
2866
|
+
if (clientId) {
|
|
2867
|
+
queryParameters.client_id = clientId;
|
|
2868
|
+
}
|
|
2869
|
+
if (resourceId) {
|
|
2870
|
+
queryParameters.mi_res_id = resourceId;
|
|
2871
|
+
}
|
|
2872
|
+
const query = new URLSearchParams(queryParameters);
|
|
2873
|
+
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2874
|
+
if (!process.env.IDENTITY_ENDPOINT) {
|
|
2875
|
+
throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
|
|
2876
|
+
}
|
|
2877
|
+
if (!process.env.IDENTITY_HEADER) {
|
|
2878
|
+
throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
|
|
2879
|
+
}
|
|
2880
|
+
return {
|
|
2881
|
+
url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
|
|
2882
|
+
method: "GET",
|
|
2883
|
+
headers: coreRestPipeline.createHttpHeaders({
|
|
2884
|
+
Accept: "application/json",
|
|
2885
|
+
"X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
|
|
2886
|
+
}),
|
|
2887
|
+
};
|
|
2888
|
+
}
|
|
2889
|
+
/**
|
|
2890
|
+
* Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
|
|
2891
|
+
*/
|
|
2892
|
+
const appServiceMsi2019 = {
|
|
2893
|
+
async isAvailable({ scopes }) {
|
|
2894
|
+
const resource = mapScopesToResource(scopes);
|
|
2895
|
+
if (!resource) {
|
|
2896
|
+
logger$5.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
|
|
2897
|
+
return false;
|
|
2898
|
+
}
|
|
2899
|
+
const env = process.env;
|
|
2900
|
+
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
|
|
2901
|
+
if (!result) {
|
|
2902
|
+
logger$5.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
|
|
2903
|
+
}
|
|
2904
|
+
return result;
|
|
2905
|
+
},
|
|
2906
|
+
async getToken(configuration, getTokenOptions = {}) {
|
|
2907
|
+
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2908
|
+
logger$5.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
|
|
2909
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), {
|
|
2910
|
+
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2911
|
+
allowInsecureConnection: true }));
|
|
2837
2912
|
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser);
|
|
2838
2913
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2839
2914
|
},
|
|
@@ -2880,7 +2955,15 @@ class ManagedIdentityCredential {
|
|
|
2880
2955
|
if (this.cachedMSI) {
|
|
2881
2956
|
return this.cachedMSI;
|
|
2882
2957
|
}
|
|
2883
|
-
const MSIs = [
|
|
2958
|
+
const MSIs = [
|
|
2959
|
+
fabricMsi,
|
|
2960
|
+
appServiceMsi2019,
|
|
2961
|
+
appServiceMsi2017,
|
|
2962
|
+
cloudShellMsi,
|
|
2963
|
+
arcMsi,
|
|
2964
|
+
tokenExchangeMsi(),
|
|
2965
|
+
imdsMsi,
|
|
2966
|
+
];
|
|
2884
2967
|
for (const msi of MSIs) {
|
|
2885
2968
|
if (await msi.isAvailable({
|
|
2886
2969
|
scopes,
|
|
@@ -3022,13 +3105,24 @@ class ManagedIdentityCredential {
|
|
|
3022
3105
|
* @internal
|
|
3023
3106
|
*/
|
|
3024
3107
|
class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
|
|
3108
|
+
// Constructor overload with just the other default options
|
|
3109
|
+
// Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
|
|
3025
3110
|
constructor(options) {
|
|
3026
3111
|
var _a, _b, _c;
|
|
3027
3112
|
const managedIdentityClientId = (_b = (_a = options) === null || _a === void 0 ? void 0 : _a.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
|
|
3028
3113
|
const managedResourceId = (_c = options) === null || _c === void 0 ? void 0 : _c.managedIdentityResourceId;
|
|
3029
3114
|
// ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
|
|
3030
|
-
|
|
3031
|
-
|
|
3115
|
+
if (managedResourceId) {
|
|
3116
|
+
const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
|
|
3117
|
+
super(managedIdentityResourceIdOptions);
|
|
3118
|
+
}
|
|
3119
|
+
else if (managedIdentityClientId) {
|
|
3120
|
+
const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
|
|
3121
|
+
super(managedIdentityClientOptions);
|
|
3122
|
+
}
|
|
3123
|
+
else {
|
|
3124
|
+
super(options);
|
|
3125
|
+
}
|
|
3032
3126
|
}
|
|
3033
3127
|
}
|
|
3034
3128
|
const defaultCredentials = [
|
|
@@ -3043,30 +3137,6 @@ const defaultCredentials = [
|
|
|
3043
3137
|
* work for most applications that use the Azure SDK.
|
|
3044
3138
|
*/
|
|
3045
3139
|
class DefaultAzureCredential extends ChainedTokenCredential {
|
|
3046
|
-
/**
|
|
3047
|
-
* Creates an instance of the DefaultAzureCredential class.
|
|
3048
|
-
*
|
|
3049
|
-
* This credential provides a default {@link ChainedTokenCredential} configuration that should
|
|
3050
|
-
* work for most applications that use the Azure SDK.
|
|
3051
|
-
*
|
|
3052
|
-
* The following credential types will be tried, in order:
|
|
3053
|
-
*
|
|
3054
|
-
* - {@link EnvironmentCredential}
|
|
3055
|
-
* - {@link ManagedIdentityCredential}
|
|
3056
|
-
* - {@link VisualStudioCodeCredential}
|
|
3057
|
-
* - {@link AzureCliCredential}
|
|
3058
|
-
* - {@link AzurePowerShellCredential}
|
|
3059
|
-
*
|
|
3060
|
-
* Consult the documentation of these credential types for more information
|
|
3061
|
-
* on how they attempt authentication.
|
|
3062
|
-
*
|
|
3063
|
-
* **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
|
|
3064
|
-
* `@azure/identity-vscode`. If this package is not installed and registered
|
|
3065
|
-
* using the plugin API (`useIdentityPlugin`), then authentication using
|
|
3066
|
-
* `VisualStudioCodeCredential` will not be available.
|
|
3067
|
-
*
|
|
3068
|
-
* @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
|
|
3069
|
-
*/
|
|
3070
3140
|
constructor(options) {
|
|
3071
3141
|
super(...defaultCredentials.map((ctor) => new ctor(options)));
|
|
3072
3142
|
this.UnavailableMessage =
|
|
@@ -3557,27 +3627,6 @@ const logger = credentialLogger(credentialName);
|
|
|
3557
3627
|
* Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
|
|
3558
3628
|
*/
|
|
3559
3629
|
class OnBehalfOfCredential {
|
|
3560
|
-
/**
|
|
3561
|
-
* Creates an instance of the {@link OnBehalfOfCredential} with the details
|
|
3562
|
-
* needed to authenticate against Azure Active Directory with a client
|
|
3563
|
-
* secret or a path to a PEM certificate, and an user assertion.
|
|
3564
|
-
*
|
|
3565
|
-
* Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
|
|
3566
|
-
*
|
|
3567
|
-
* ```ts
|
|
3568
|
-
* const tokenCredential = new OnBehalfOfCredential({
|
|
3569
|
-
* tenantId,
|
|
3570
|
-
* clientId,
|
|
3571
|
-
* clientSecret, // or `certificatePath: "/path/to/certificate.pem"
|
|
3572
|
-
* userAssertionToken: "access-token"
|
|
3573
|
-
* });
|
|
3574
|
-
* const client = new KeyClient("vault-url", tokenCredential);
|
|
3575
|
-
*
|
|
3576
|
-
* await client.getKey("key-name");
|
|
3577
|
-
* ```
|
|
3578
|
-
*
|
|
3579
|
-
* @param options - Optional parameters, generally common across credentials.
|
|
3580
|
-
*/
|
|
3581
3630
|
constructor(options) {
|
|
3582
3631
|
this.options = options;
|
|
3583
3632
|
const { clientSecret } = options;
|
|
@@ -3634,7 +3683,7 @@ exports.UsernamePasswordCredential = UsernamePasswordCredential;
|
|
|
3634
3683
|
exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
|
|
3635
3684
|
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
|
3636
3685
|
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
|
3637
|
-
exports.logger = logger$
|
|
3686
|
+
exports.logger = logger$k;
|
|
3638
3687
|
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
|
3639
3688
|
exports.useIdentityPlugin = useIdentityPlugin;
|
|
3640
3689
|
//# sourceMappingURL=index.js.map
|