@azure/identity 2.1.0-beta.1 → 2.1.1-alpha.20220712.2

package/dist/index.js

@@ -3,12 +3,12 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var msalNode = require('@azure/msal-node');
-var coreTracing = require('@azure/core-tracing');
 var coreClient = require('@azure/core-client');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var abortController = require('@azure/abort-controller');
-var logger$k = require('@azure/logger');
+var coreTracing = require('@azure/core-tracing');
+var logger$m = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
 var uuid = require('uuid');
 var fs = require('fs');
@@ -186,6 +186,10 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+/**
+ * Current version of the `@azure/identity` package.
+ */
+const SDK_VERSION = `2.1.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -231,49 +235,17 @@ const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
  * Creates a span using the global tracer.
  * @internal
  */
-const createSpan = coreTracing.createSpanFunction({
-    packagePrefix: "",
+const tracingClient = coreTracing.createTracingClient({
     namespace: "Microsoft.AAD",
+    packageName: "@azure/identity",
+    packageVersion: SDK_VERSION,
 });
-/**
- * From: https://github.com/Azure/azure-sdk-for-js/blob/46139daa3317a0d12e8b55b02b9d9cdf1b2e762a/sdk/appconfiguration/app-configuration/src/internal/tracingHelpers.ts
- * Traces an operation and properly handles reporting start, end and errors for a given span
- *
- * @param operationName - Name of a method in the TClient type
- * @param options - An options class, typically derived from \@azure/core-rest-pipeline/RequestOptionsBase
- * @param fn - The function to call with an options class that properly propagates the span context
- *
- * @internal
- */
-async function trace(operationName, options, fn, createSpanFn = createSpan) {
-    const { updatedOptions, span } = createSpanFn(operationName, options);
-    try {
-        // NOTE: we really do need to await on this function here so we can handle any exceptions thrown and properly
-        // close the span.
-        const result = await fn(updatedOptions, span);
-        // otel 0.16+ needs this or else the code ends up being set as UNSET
-        span.setStatus({
-            code: coreTracing.SpanStatusCode.OK,
-        });
-        return result;
-    }
-    catch (err) {
-        span.setStatus({
-            code: coreTracing.SpanStatusCode.ERROR,
-            message: err.message,
-        });
-        throw err;
-    }
-    finally {
-        span.end();
-    }
-}
 
 // Copyright (c) Microsoft Corporation.
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger$j = logger$k.createClientLogger("identity");
+const logger$l = logger$m.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -313,7 +285,7 @@ function formatError(scope, error) {
  *   `[title] => [message]`
  *
  */
-function credentialLoggerInstance(title, parent, log = logger$j) {
+function credentialLoggerInstance(title, parent, log = logger$l) {
     const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
     function info(message) {
         log.info(`${fullTitle} =>`, message);
@@ -338,7 +310,7 @@ function credentialLoggerInstance(title, parent, log = logger$j) {
  *   `[title] => getToken() => [message]`
  *
  */
-function credentialLogger(title, log = logger$j) {
+function credentialLogger(title, log = logger$l) {
     const credLogger = credentialLoggerInstance(title, undefined, log);
     return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
 }
@@ -367,8 +339,8 @@ function getIdentityClientAuthorityHost(options) {
  */
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
-        var _a;
-        const packageDetails = `azsdk-js-identity/2.1.0-beta.1`;
+        var _a, _b;
+        const packageDetails = `azsdk-js-identity/${SDK_VERSION}`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
             : `${packageDetails}`;
@@ -383,9 +355,10 @@ class IdentityClient extends coreClient.ServiceClient {
             }, baseUri }));
         this.authorityHost = baseUri;
         this.abortControllers = new Map();
+        this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
     }
     async sendTokenRequest(request, expiresOnParser) {
-        logger$j.info(`IdentityClient: sending token request to [${request.url}]`);
+        logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
         const response = await this.sendRequest(request);
         expiresOnParser =
             expiresOnParser ||
@@ -397,6 +370,7 @@ class IdentityClient extends coreClient.ServiceClient {
             if (!parsedBody.access_token) {
                 return null;
             }
+            this.logIdentifiers(response);
             const token = {
                 accessToken: {
                     token: parsedBody.access_token,
@@ -404,21 +378,20 @@ class IdentityClient extends coreClient.ServiceClient {
                 },
                 refreshToken: parsedBody.refresh_token,
             };
-            logger$j.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+            logger$l.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
             return token;
         }
         else {
             const error = new AuthenticationError(response.status, response.bodyAsText);
-            logger$j.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+            logger$l.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
             throw error;
         }
     }
-    async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options) {
+    async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options = {}) {
         if (refreshToken === undefined) {
             return null;
         }
-        logger$j.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
-        const { span, updatedOptions } = createSpan("IdentityClient-refreshAccessToken", options);
+        logger$l.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
         const refreshParams = {
             grant_type: "refresh_token",
             client_id: clientId,
@@ -429,48 +402,39 @@ class IdentityClient extends coreClient.ServiceClient {
             refreshParams.client_secret = clientSecret;
         }
         const query = new URLSearchParams(refreshParams);
-        try {
-            const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
-            const request = coreRestPipeline.createPipelineRequest({
-                url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
-                method: "POST",
-                body: query.toString(),
-                abortSignal: options && options.abortSignal,
-                headers: coreRestPipeline.createHttpHeaders({
-                    Accept: "application/json",
-                    "Content-Type": "application/x-www-form-urlencoded",
-                }),
-                tracingOptions: updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions,
-            });
-            const response = await this.sendTokenRequest(request, expiresOnParser);
-            logger$j.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
-            return response;
-        }
-        catch (err) {
-            if (err.name === AuthenticationErrorName &&
-                err.errorResponse.error === "interaction_required") {
-                // It's likely that the refresh token has expired, so
-                // return null so that the credential implementation will
-                // initiate the authentication flow again.
-                logger$j.info(`IdentityClient: interaction required for client ID: ${clientId}`);
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message,
+        return tracingClient.withSpan("IdentityClient.refreshAccessToken", options, async (updatedOptions) => {
+            try {
+                const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
+                const request = coreRestPipeline.createPipelineRequest({
+                    url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
+                    method: "POST",
+                    body: query.toString(),
+                    abortSignal: options.abortSignal,
+                    headers: coreRestPipeline.createHttpHeaders({
+                        Accept: "application/json",
+                        "Content-Type": "application/x-www-form-urlencoded",
+                    }),
+                    tracingOptions: updatedOptions.tracingOptions,
                 });
-                return null;
+                const response = await this.sendTokenRequest(request, expiresOnParser);
+                logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+                return response;
             }
-            else {
-                logger$j.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
-                span.setStatus({
-                    code: coreTracing.SpanStatusCode.ERROR,
-                    message: err.message,
-                });
-                throw err;
+            catch (err) {
+                if (err.name === AuthenticationErrorName &&
+                    err.errorResponse.error === "interaction_required") {
+                    // It's likely that the refresh token has expired, so
+                    // return null so that the credential implementation will
+                    // initiate the authentication flow again.
+                    logger$l.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+                    return null;
+                }
+                else {
+                    logger$l.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+                    throw err;
+                }
             }
-        }
-        finally {
-            span.end();
-        }
+        });
     }
     // Here is a custom layer that allows us to abort requests that go through MSAL,
     // since MSAL doesn't allow us to pass options all the way through.
@@ -518,6 +482,7 @@ class IdentityClient extends coreClient.ServiceClient {
             abortSignal: this.generateAbortSignal(noCorrelationId),
         });
         const response = await this.sendRequest(request);
+        this.logIdentifiers(response);
         return {
             body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
             headers: response.headers.toJSON(),
@@ -534,12 +499,45 @@ class IdentityClient extends coreClient.ServiceClient {
             abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
         });
         const response = await this.sendRequest(request);
+        this.logIdentifiers(response);
         return {
             body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
             headers: response.headers.toJSON(),
             status: response.status,
         };
     }
+    /**
+     * If allowLoggingAccountIdentifiers was set on the constructor options
+     * we try to log the account identifiers by parsing the received access token.
+     *
+     * The account identifiers we try to log are:
+     * - `appid`: The application or Client Identifier.
+     * - `upn`: User Principal Name.
+     *   - It might not be available in some authentication scenarios.
+     *   - If it's not available, we put a placeholder: "No User Principal Name available".
+     * - `tid`: Tenant Identifier.
+     * - `oid`: Object Identifier of the authenticated user.
+     */
+    logIdentifiers(response) {
+        if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
+            return;
+        }
+        const unavailableUpn = "No User Principal Name available";
+        try {
+            const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
+            const accessToken = parsed.access_token;
+            if (!accessToken) {
+                // Without an access token allowLoggingAccountIdentifiers isn't useful.
+                return;
+            }
+            const base64Metadata = accessToken.split(".")[1];
+            const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
+            logger$l.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+        }
+        catch (e) {
+            logger$l.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+        }
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -953,6 +951,9 @@ class MsalNode extends MsalBaseUtilities {
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.clientId = this.msalConfig.auth.clientId;
+        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
+            this.getAssertion = options.getAssertion;
+        }
         // If persistence has been configured
         if (persistenceProvider !== undefined && ((_a = options.tokenCachePersistenceOptions) === null || _a === void 0 ? void 0 : _a.enabled)) {
             this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
@@ -978,7 +979,7 @@ class MsalNode extends MsalBaseUtilities {
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
         let clientCapabilities = ["cp1"];
         if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
             clientCapabilities = [];
@@ -1019,6 +1020,9 @@ class MsalNode extends MsalBaseUtilities {
             };
         }
         this.publicApp = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        if (this.getAssertion) {
+            this.msalConfig.auth.clientAssertion = await this.getAssertion();
+        }
         // The confidential client requires either a secret, assertion or certificate.
         if (this.msalConfig.auth.clientSecret ||
             this.msalConfig.auth.clientAssertion ||
@@ -1115,6 +1119,17 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
         await this.init(options);
         try {
+            // MSAL now caches tokens based on their claims,
+            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
+            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
+            const optionsClaims = options.claims;
+            if (optionsClaims) {
+                this.cachedClaims = optionsClaims;
+            }
+            if (this.cachedClaims && !optionsClaims) {
+                options.claims = this.cachedClaims;
+            }
+            // We don't return the promise since we want to catch errors right here.
             return await this.getTokenSilent(scopes, options);
         }
         catch (err) {
@@ -1137,7 +1152,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 // Copyright (c) Microsoft Corporation.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
-const logger$i = credentialLogger("VisualStudioCodeCredential");
+const logger$k = credentialLogger("VisualStudioCodeCredential");
 let findCredentials = undefined;
 const vsCodeCredentialControl = {
     setVsCodeCredentialFinder(finder) {
@@ -1190,7 +1205,7 @@ function getPropertyFromVSCode(property) {
         }
     }
     catch (e) {
-        logger$i.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        logger$k.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
         return;
     }
 }
@@ -1218,7 +1233,7 @@ class VisualStudioCodeCredential {
         const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
         this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
         if (options && options.tenantId) {
-            checkTenantId(logger$i, options.tenantId);
+            checkTenantId(logger$k, options.tenantId);
             this.tenantId = options.tenantId;
         }
         else {
@@ -1270,7 +1285,7 @@ class VisualStudioCodeCredential {
         // Check to make sure the scope we get back is a valid scope
         if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
             const error = new Error("Invalid scope was specified by the user or calling client");
-            logger$i.getToken.info(formatError(scopes, error));
+            logger$k.getToken.info(formatError(scopes, error));
             throw error;
         }
         if (scopeString.indexOf("offline_access") < 0) {
@@ -1290,18 +1305,18 @@ class VisualStudioCodeCredential {
         if (refreshToken) {
             const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
             if (tokenResponse) {
-                logger$i.getToken.info(formatSuccess(scopes));
+                logger$k.getToken.info(formatSuccess(scopes));
                 return tokenResponse.accessToken;
             }
             else {
                 const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-                logger$i.getToken.info(formatError(scopes, error));
+                logger$k.getToken.info(formatError(scopes, error));
                 throw error;
             }
         }
         else {
             const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-            logger$i.getToken.info(formatError(scopes, error));
+            logger$k.getToken.info(formatError(scopes, error));
             throw error;
         }
     }
@@ -1352,7 +1367,7 @@ function useIdentityPlugin(plugin) {
 /**
  * @internal
  */
-const logger$h = credentialLogger("ChainedTokenCredential");
+const logger$j = credentialLogger("ChainedTokenCredential");
 /**
  * Enables multiple `TokenCredential` implementations to be tried in order
  * until one of the getToken methods returns an access token.
@@ -1391,42 +1406,38 @@ class ChainedTokenCredential {
      * @param options - The options used to configure any requests this
      *                `TokenCredential` implementation might make.
      */
-    async getToken(scopes, options) {
+    async getToken(scopes, options = {}) {
         let token = null;
         let successfulCredentialName = "";
         const errors = [];
-        const { span, updatedOptions } = createSpan("ChainedTokenCredential.getToken", options);
-        for (let i = 0; i < this._sources.length && token === null; i++) {
-            try {
-                token = await this._sources[i].getToken(scopes, updatedOptions);
-                successfulCredentialName = this._sources[i].constructor.name;
-            }
-            catch (err) {
-                if (err.name === "CredentialUnavailableError" ||
-                    err.name === "AuthenticationRequiredError") {
-                    errors.push(err);
+        return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
+            for (let i = 0; i < this._sources.length && token === null; i++) {
+                try {
+                    token = await this._sources[i].getToken(scopes, updatedOptions);
+                    successfulCredentialName = this._sources[i].constructor.name;
                 }
-                else {
-                    logger$h.getToken.info(formatError(scopes, err));
-                    throw err;
+                catch (err) {
+                    if (err.name === "CredentialUnavailableError" ||
+                        err.name === "AuthenticationRequiredError") {
+                        errors.push(err);
+                    }
+                    else {
+                        logger$j.getToken.info(formatError(scopes, err));
+                        throw err;
+                    }
                 }
             }
-        }
-        if (!token && errors.length > 0) {
-            const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message,
-            });
-            logger$h.getToken.info(formatError(scopes, err));
-            throw err;
-        }
-        span.end();
-        logger$h.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
-        if (token === null) {
-            throw new CredentialUnavailableError("Failed to retrieve a valid token");
-        }
-        return token;
+            if (!token && errors.length > 0) {
+                const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
+                logger$j.getToken.info(formatError(scopes, err));
+                throw err;
+            }
+            logger$j.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
+            if (token === null) {
+                throw new CredentialUnavailableError("Failed to retrieve a valid token");
+            }
+            return token;
+        });
     }
 }
 
@@ -1500,7 +1511,7 @@ const cliCredentialInternals = {
         });
     },
 };
-const logger$g = credentialLogger("AzureCliCredential");
+const logger$i = credentialLogger("AzureCliCredential");
 /**
  * This credential will use the currently logged-in user login information
  * via the Azure CLI ('az') commandline tool.
@@ -1527,56 +1538,57 @@ class AzureCliCredential {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    async getToken(scopes, options) {
+    async getToken(scopes, options = {}) {
         const tenantId = processMultiTenantRequest(this.tenantId, options);
         if (tenantId) {
-            checkTenantId(logger$g, tenantId);
+            checkTenantId(logger$i, tenantId);
         }
         const scope = typeof scopes === "string" ? scopes : scopes[0];
-        logger$g.getToken.info(`Using the scope ${scope}`);
-        ensureValidScope(scope, logger$g);
+        logger$i.getToken.info(`Using the scope ${scope}`);
+        ensureValidScope(scope, logger$i);
         const resource = getScopeResource(scope);
-        let responseData = "";
-        const { span } = createSpan(`${this.constructor.name}.getToken`, options);
-        try {
-            const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
-            if (obj.stderr) {
-                const isLoginError = obj.stderr.match("(.*)az login(.*)");
-                const isNotInstallError = obj.stderr.match("az:(.*)not found") || obj.stderr.startsWith("'az' is not recognized");
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            var _a, _b, _c, _d;
+            try {
+                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
+                const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
+                const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
+                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
                 if (isNotInstallError) {
-                    const error = new CredentialUnavailableError("Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
-                    logger$g.getToken.info(formatError(scopes, error));
+                    const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+                    logger$i.getToken.info(formatError(scopes, error));
                     throw error;
                 }
-                else if (isLoginError) {
+                if (isLoginError) {
                     const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
-                    logger$g.getToken.info(formatError(scopes, error));
+                    logger$i.getToken.info(formatError(scopes, error));
                     throw error;
                 }
-                const error = new CredentialUnavailableError(obj.stderr);
-                logger$g.getToken.info(formatError(scopes, error));
-                throw error;
+                try {
+                    const responseData = obj.stdout;
+                    const response = JSON.parse(responseData);
+                    logger$i.getToken.info(formatSuccess(scopes));
+                    const returnValue = {
+                        token: response.accessToken,
+                        expiresOnTimestamp: new Date(response.expiresOn).getTime(),
+                    };
+                    return returnValue;
+                }
+                catch (e) {
+                    if (obj.stderr) {
+                        throw new CredentialUnavailableError(obj.stderr);
+                    }
+                    throw e;
+                }
             }
-            else {
-                responseData = obj.stdout;
-                const response = JSON.parse(responseData);
-                logger$g.getToken.info(formatSuccess(scopes));
-                const returnValue = {
-                    token: response.accessToken,
-                    expiresOnTimestamp: new Date(response.expiresOn).getTime(),
-                };
-                return returnValue;
+            catch (err) {
+                const error = err.name === "CredentialUnavailableError"
+                    ? err
+                    : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
+                logger$i.getToken.info(formatError(scopes, error));
+                throw error;
             }
-        }
-        catch (err) {
-            const error = new Error(err.message || "Unknown error while trying to retrieve the access token");
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: error.message,
-            });
-            logger$g.getToken.info(formatError(scopes, error));
-            throw error;
-        }
+        });
     }
 }
 
@@ -1611,7 +1623,7 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$f = credentialLogger("AzurePowerShellCredential");
+const logger$h = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
  * Returns a platform-appropriate command name by appending ".exe" on Windows.
@@ -1739,18 +1751,18 @@ class AzurePowerShellCredential {
      * @param options - The options used to configure any requests this TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async () => {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             const tenantId = processMultiTenantRequest(this.tenantId, options);
             if (tenantId) {
-                checkTenantId(logger$f, tenantId);
+                checkTenantId(logger$h, tenantId);
             }
             const scope = typeof scopes === "string" ? scopes : scopes[0];
-            ensureValidScope(scope, logger$f);
-            logger$f.getToken.info(`Using the scope ${scope}`);
+            ensureValidScope(scope, logger$h);
+            logger$h.getToken.info(`Using the scope ${scope}`);
             const resource = getScopeResource(scope);
             try {
                 const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
-                logger$f.getToken.info(formatSuccess(scopes));
+                logger$h.getToken.info(formatSuccess(scopes));
                 return {
                     token: response.Token,
                     expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
@@ -1759,16 +1771,16 @@ class AzurePowerShellCredential {
             catch (err) {
                 if (isNotInstalledError(err)) {
                     const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
-                    logger$f.getToken.info(formatError(scope, error));
+                    logger$h.getToken.info(formatError(scope, error));
                     throw error;
                 }
                 else if (isLoginError(err)) {
                     const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
-                    logger$f.getToken.info(formatError(scope, error));
+                    logger$h.getToken.info(formatError(scope, error));
                     throw error;
                 }
                 const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
-                logger$f.getToken.info(formatError(scope, error));
+                logger$h.getToken.info(formatError(scope, error));
                 throw error;
             }
         });
@@ -1806,7 +1818,7 @@ class MsalClientSecret extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$e = credentialLogger("ClientSecretCredential");
+const logger$g = credentialLogger("ClientSecretCredential");
 /**
  * Enables authentication to Azure Active Directory using a client secret
  * that was generated for an App Registration. More information on how
@@ -1830,7 +1842,7 @@ class ClientSecretCredential {
         if (!tenantId || !clientId || !clientSecret) {
             throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
-        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$e,
+        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$g,
             clientId,
             tenantId,
             clientSecret, tokenCredentialOptions: options }));
@@ -1844,7 +1856,7 @@ class ClientSecretCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -1863,8 +1875,12 @@ const readFileAsync$2 = util.promisify(fs.readFile);
  */
 async function parseCertificate(configuration, sendCertificateChain) {
     const certificateParts = {};
+    const certificate = configuration
+        .certificate;
+    const certificatePath = configuration
+        .certificatePath;
     certificateParts.certificateContents =
-        configuration.certificate || (await readFileAsync$2(configuration.certificatePath, "utf8"));
+        certificate || (await readFileAsync$2(certificatePath, "utf8"));
     if (sendCertificateChain) {
         certificateParts.x5c = certificateParts.certificateContents;
     }
@@ -1916,13 +1932,14 @@ class MsalClientCertificate extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const clientCredReq = {
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
                 authority: options.authority,
                 claims: options.claims,
-            });
+            };
+            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -1936,7 +1953,7 @@ class MsalClientCertificate extends MsalNode {
 
 // Copyright (c) Microsoft Corporation.
 const credentialName$2 = "ClientCertificateCredential";
-const logger$d = credentialLogger(credentialName$2);
+const logger$f = credentialLogger(credentialName$2);
 /**
  * Enables authentication to Azure Active Directory using a PEM-encoded
  * certificate that is assigned to an App Registration. More information
@@ -1955,14 +1972,17 @@ class ClientCertificateCredential {
                 certificatePath: certificatePathOrConfiguration,
             }
             : certificatePathOrConfiguration));
-        if (!configuration || !(configuration.certificate || configuration.certificatePath)) {
+        const certificate = configuration
+            .certificate;
+        const certificatePath = configuration.certificatePath;
+        if (!configuration || !(certificate || certificatePath)) {
             throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        if (configuration.certificate && configuration.certificatePath) {
+        if (certificate && certificatePath) {
             throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
         this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
-            logger: logger$d,
+            logger: logger$f,
             clientId,
             tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
     }
@@ -1975,7 +1995,7 @@ class ClientCertificateCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${credentialName$2}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -2013,7 +2033,7 @@ class MsalUsernamePassword extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$c = credentialLogger("UsernamePasswordCredential");
+const logger$e = credentialLogger("UsernamePasswordCredential");
 /**
  * Enables authentication to Azure Active Directory with a user's
  * username and password. This credential requires a high degree of
@@ -2036,7 +2056,7 @@ class UsernamePasswordCredential {
         if (!tenantId || !clientId || !username || !password) {
             throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
-        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$c,
+        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$e,
             clientId,
             tenantId,
             username,
@@ -2055,7 +2075,7 @@ class UsernamePasswordCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -2079,7 +2099,7 @@ const AllSupportedEnvironmentVariables = [
     "AZURE_PASSWORD",
 ];
 const credentialName$1 = "EnvironmentCredential";
-const logger$b = credentialLogger(credentialName$1);
+const logger$d = credentialLogger(credentialName$1);
 /**
  * Enables authentication to Azure Active Directory using client secret
  * details configured in environment variables
@@ -2109,26 +2129,26 @@ class EnvironmentCredential {
         // Keep track of any missing environment variables for error details
         this._credential = undefined;
         const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
-        logger$b.info(`Found the following environment variables: ${assigned}`);
+        logger$d.info(`Found the following environment variables: ${assigned}`);
         const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
         if (tenantId) {
-            checkTenantId(logger$b, tenantId);
+            checkTenantId(logger$d, tenantId);
         }
         if (tenantId && clientId && clientSecret) {
-            logger$b.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            logger$d.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
             this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
             return;
         }
         const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
         if (tenantId && clientId && certificatePath) {
-            logger$b.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            logger$d.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
             this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath }, options);
             return;
         }
         const username = process.env.AZURE_USERNAME;
         const password = process.env.AZURE_PASSWORD;
         if (tenantId && clientId && username && password) {
-            logger$b.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            logger$d.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
             this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, options);
         }
     }
@@ -2139,11 +2159,11 @@ class EnvironmentCredential {
      * @param options - Optional parameters. See {@link GetTokenOptions}.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${credentialName$1}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${credentialName$1}.getToken`, options, async (newOptions) => {
             if (this._credential) {
                 try {
                     const result = await this._credential.getToken(scopes, newOptions);
-                    logger$b.getToken.info(formatSuccess(scopes));
+                    logger$d.getToken.info(formatSuccess(scopes));
                     return result;
                 }
                 catch (err) {
@@ -2151,7 +2171,7 @@ class EnvironmentCredential {
                         error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
                         error_description: err.message.toString().split("More details:").join(""),
                     });
-                    logger$b.getToken.info(formatError(scopes, authenticationError));
+                    logger$d.getToken.info(formatError(scopes, authenticationError));
                     throw authenticationError;
                 }
             }
@@ -2197,22 +2217,22 @@ function mapScopesToResource(scopes) {
 }
 
 // Copyright (c) Microsoft Corporation.
-const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2017";
-const logger$a = credentialLogger(msiName$5);
+const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$c = credentialLogger(msiName$6);
 /**
  * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
  */
-function expiresOnParser$2(requestBody) {
+function expiresOnParser$3(requestBody) {
     // App Service always returns string expires_on values.
     return Date.parse(requestBody.expires_on);
 }
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$5(scopes, clientId) {
+function prepareRequestOptions$6(scopes, clientId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
     }
     const queryParameters = {
         resource,
@@ -2224,10 +2244,10 @@ function prepareRequestOptions$5(scopes, clientId) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
     }
     if (!process.env.MSI_SECRET) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_SECRET`);
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
     }
     return {
         url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
@@ -2245,40 +2265,40 @@ const appServiceMsi2017 = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$a.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            logger$c.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
         if (!result) {
-            logger$a.info(`${msiName$5}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+            logger$c.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (resourceId) {
-            logger$a.warning(`${msiName$5}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+            logger$c.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        logger$a.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
+        logger$c.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$2);
+        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$3);
         return (tokenResponse && tokenResponse.accessToken) || null;
     },
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$4 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$9 = credentialLogger(msiName$4);
+const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$b = credentialLogger(msiName$5);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$4(scopes, clientId, resourceId) {
+function prepareRequestOptions$5(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
     }
     const body = {
         resource,
@@ -2291,7 +2311,7 @@ function prepareRequestOptions$4(scopes, clientId, resourceId) {
     }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$4}: Missing environment variable: MSI_ENDPOINT`);
+        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
     }
     const params = new URLSearchParams(body);
     return {
@@ -2313,25 +2333,25 @@ const cloudShellMsi = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$9.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+            logger$b.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.MSI_ENDPOINT);
         if (!result) {
-            logger$9.info(`${msiName$4}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+            logger$b.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$9.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$b.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$9.warning(`${msiName$4}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+            logger$b.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
         }
-        logger$9.info(`${msiName$4}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
+        logger$b.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -2340,33 +2360,33 @@ const cloudShellMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$3 = "ManagedIdentityCredential - IMDS";
-const logger$8 = credentialLogger(msiName$3);
+const msiName$4 = "ManagedIdentityCredential - IMDS";
+const logger$a = credentialLogger(msiName$4);
 /**
  * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
  */
-function expiresOnParser$1(requestBody) {
+function expiresOnParser$2(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger$8.info(`${msiName$3}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger$a.info(`${msiName$4}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
         // If these aren't possible, use expires_in and calculate a timestamp
         const expires = Date.now() + requestBody.expires_in * 1000;
-        logger$8.info(`${msiName$3}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        logger$a.info(`${msiName$4}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
         return expires;
     }
 }
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
+function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
     }
     const { skipQuery, skipMetadataHeader } = options || {};
     let query = "";
@@ -2412,14 +2432,12 @@ const imdsMsiRetryConfig = {
  * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
  */
 const imdsMsi = {
-    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions, }) {
-        var _a, _b;
+    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$8.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            logger$a.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
-        const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
         // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
@@ -2427,66 +2445,58 @@ const imdsMsi = {
         if (!identityClient) {
             throw new Error("Missing IdentityClient");
         }
-        const requestOptions = prepareRequestOptions$3(resource, clientId, resourceId, {
+        const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
             skipMetadataHeader: true,
             skipQuery: true,
         });
-        requestOptions.tracingOptions = options.tracingOptions;
-        try {
-            // Create a request with a timeout since we expect that
-            // not having a "Metadata" header should cause an error to be
-            // returned quickly from the endpoint, proving its availability.
-            const request = coreRestPipeline.createPipelineRequest(requestOptions);
-            request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
-            // This MSI uses the imdsEndpoint to get the token, which only uses http://
-            request.allowInsecureConnection = true;
+        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
+            var _a, _b;
+            requestOptions.tracingOptions = options.tracingOptions;
             try {
-                logger$8.info(`${msiName$3}: Pinging the Azure IMDS endpoint`);
-                await identityClient.sendRequest(request);
+                // Create a request with a timeout since we expect that
+                // not having a "Metadata" header should cause an error to be
+                // returned quickly from the endpoint, proving its availability.
+                const request = coreRestPipeline.createPipelineRequest(requestOptions);
+                request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
+                // This MSI uses the imdsEndpoint to get the token, which only uses http://
+                request.allowInsecureConnection = true;
+                try {
+                    logger$a.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
+                    await identityClient.sendRequest(request);
+                }
+                catch (err) {
+                    if ((err.name === "RestError" && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
+                        err.name === "AbortError" ||
+                        err.code === "ENETUNREACH" || // Network unreachable
+                        err.code === "ECONNREFUSED" || // connection refused
+                        err.code === "EHOSTDOWN" // host is down
+                    ) {
+                        // If the request failed, or Node.js was unable to establish a connection,
+                        // or the host was down, we'll assume the IMDS endpoint isn't available.
+                        logger$a.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                        return false;
+                    }
+                }
+                // If we received any response, the endpoint is available
+                logger$a.info(`${msiName$4}: The Azure IMDS endpoint is available`);
+                return true;
             }
             catch (err) {
-                if ((err.name === "RestError" && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
-                    err.name === "AbortError" ||
-                    err.code === "ENETUNREACH" || // Network unreachable
-                    err.code === "ECONNREFUSED" || // connection refused
-                    err.code === "EHOSTDOWN" // host is down
-                ) {
-                    // If the request failed, or Node.js was unable to establish a connection,
-                    // or the host was down, we'll assume the IMDS endpoint isn't available.
-                    logger$8.info(`${msiName$3}: The Azure IMDS endpoint is unavailable`);
-                    span.setStatus({
-                        code: coreTracing.SpanStatusCode.ERROR,
-                        message: err.message,
-                    });
-                    return false;
-                }
+                // createWebResource failed.
+                // This error should bubble up to the user.
+                logger$a.info(`${msiName$4}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
+                throw err;
             }
-            // If we received any response, the endpoint is available
-            logger$8.info(`${msiName$3}: The Azure IMDS endpoint is available`);
-            return true;
-        }
-        catch (err) {
-            // createWebResource failed.
-            // This error should bubble up to the user.
-            logger$8.info(`${msiName$3}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
-            span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message,
-            });
-            throw err;
-        }
-        finally {
-            span.end();
-        }
+        });
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$8.info(`${msiName$3}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+        logger$a.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
-                const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
+                const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$2);
                 return (tokenResponse && tokenResponse.accessToken) || null;
             }
             catch (error) {
@@ -2498,20 +2508,20 @@ const imdsMsi = {
                 throw error;
             }
         }
-        throw new AuthenticationError(404, `${msiName$3}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
+        throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
     },
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$2 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$7 = credentialLogger(msiName$2);
+const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$9 = credentialLogger(msiName$3);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$2(scopes, clientId, resourceId) {
+function prepareRequestOptions$3(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
     }
     const queryParameters = {
         resource,
@@ -2525,7 +2535,7 @@ function prepareRequestOptions$2(scopes, clientId, resourceId) {
     }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$2}: Missing environment variable: IDENTITY_ENDPOINT`);
+        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
     const query = new URLSearchParams(queryParameters);
     return coreRestPipeline.createPipelineRequest({
@@ -2560,7 +2570,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         if (response.bodyAsText) {
             message = ` Response: ${response.bodyAsText}`;
         }
-        throw new AuthenticationError(response.status, `${msiName$2}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
     const authHeader = response.headers.get("www-authenticate") || "";
     try {
@@ -2577,12 +2587,12 @@ const arcMsi = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$7.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+            logger$9.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$7.info(`${msiName$2}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+            logger$9.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
@@ -2590,16 +2600,16 @@ const arcMsi = {
         var _a;
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$7.warning(`${msiName$2}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$9.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$7.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+            logger$9.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
         }
-        logger$7.info(`${msiName$2}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        logger$9.info(`${msiName$3}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
-            throw new Error(`${msiName$2}: Failed to find the token file.`);
+            throw new Error(`${msiName$3}: Failed to find the token file.`);
         }
         const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
@@ -2612,13 +2622,13 @@ const arcMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$1 = "ManagedIdentityCredential - Token Exchange";
-const logger$6 = credentialLogger(msiName$1);
+const msiName$2 = "ManagedIdentityCredential - Token Exchange";
+const logger$8 = credentialLogger(msiName$2);
 const readFileAsync = util.promisify(fs__default["default"].readFile);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$1(scopes, clientAssertion, clientId) {
+function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
     var _a;
     const bodyParams = {
         scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
@@ -2669,21 +2679,21 @@ function tokenExchangeMsi() {
             const env = process.env;
             const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
             if (!result) {
-                logger$6.info(`${msiName$1}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+                logger$8.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
             return result;
         },
         async getToken(configuration, getTokenOptions = {}) {
             const { identityClient, scopes, clientId } = configuration;
-            logger$6.info(`${msiName$1}: Using the client assertion coming from environment variables.`);
+            logger$8.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
             let assertion;
             try {
                 assertion = await readAssertion();
             }
             catch (err) {
-                throw new Error(`${msiName$1}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+                throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
             }
-            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
+            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
                 // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
                 allowInsecureConnection: true }));
             const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -2703,22 +2713,22 @@ function tokenExchangeMsi() {
 //
 //   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
 //
-const msiName = "ManagedIdentityCredential - Fabric MSI";
-const logger$5 = credentialLogger(msiName);
+const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
+const logger$7 = credentialLogger(msiName$1);
 /**
  * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
  */
-function expiresOnParser(requestBody) {
+function expiresOnParser$1(requestBody) {
     // Parses a string representation of the milliseconds since epoch into a number value
     return Number(requestBody.expires_on);
 }
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions(scopes, clientId, resourceId) {
+function prepareRequestOptions$1(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
     }
     const queryParameters = {
         resource,
@@ -2754,41 +2764,114 @@ const fabricMsi = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$5.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            logger$7.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
         if (!result) {
-            logger$5.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+            logger$7.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { scopes, identityClient, clientId, resourceId } = configuration;
         if (resourceId) {
-            logger$5.warning(`${msiName}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+            logger$7.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        logger$5.info([
-            `${msiName}:`,
+        logger$7.info([
+            `${msiName$1}:`,
             "Using the endpoint and the secret coming from the environment variables:",
             `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
             "IDENTITY_HEADER=[REDACTED] and",
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
         ].join(" "));
-        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)));
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
         request.agent = new https__default["default"].Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
             rejectUnauthorized: false,
         });
+        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
+const logger$6 = credentialLogger(msiName);
+/**
+ * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ */
+function expiresOnParser(requestBody) {
+    // App Service always returns string expires_on values.
+    return Date.parse(requestBody.expires_on);
+}
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": "2019-08-01",
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.mi_res_id = resourceId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
+    }
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
+ */
+const appServiceMsi2019 = {
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$6.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
+        if (!result) {
+            logger$6.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        logger$6.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser);
         return (tokenResponse && tokenResponse.accessToken) || null;
     },
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$4 = credentialLogger("ManagedIdentityCredential");
+const logger$5 = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
  * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
@@ -2803,7 +2886,6 @@ class ManagedIdentityCredential {
      * @hidden
      */
     constructor(clientIdOrOptions, options) {
-        var _a, _b;
         this.isEndpointUnavailable = null;
         let _options;
         if (typeof clientIdOrOptions === "string") {
@@ -2811,10 +2893,10 @@ class ManagedIdentityCredential {
             _options = options;
         }
         else {
-            this.clientId = (_a = clientIdOrOptions) === null || _a === void 0 ? void 0 : _a.clientId;
+            this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
             _options = clientIdOrOptions;
         }
-        this.resourceId = (_b = _options) === null || _b === void 0 ? void 0 : _b.resourceId;
+        this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
         // For JavaScript users.
         if (this.clientId && this.resourceId) {
             throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
@@ -2828,7 +2910,15 @@ class ManagedIdentityCredential {
         if (this.cachedMSI) {
             return this.cachedMSI;
         }
-        const MSIs = [fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
+        const MSIs = [
+            arcMsi,
+            fabricMsi,
+            appServiceMsi2019,
+            appServiceMsi2017,
+            cloudShellMsi,
+            tokenExchangeMsi(),
+            imdsMsi,
+        ];
         for (const msi of MSIs) {
             if (await msi.isAvailable({
                 scopes,
@@ -2844,7 +2934,7 @@ class ManagedIdentityCredential {
         throw new CredentialUnavailableError(`${ManagedIdentityCredential.name} - No MSI credential available`);
     }
     async authenticateManagedIdentity(scopes, getTokenOptions) {
-        const { span, updatedOptions } = createSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
+        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
         try {
             // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
             const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
@@ -2857,8 +2947,8 @@ class ManagedIdentityCredential {
         }
         catch (err) {
             span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message,
+                status: "error",
+                error: err,
             });
             throw err;
         }
@@ -2877,7 +2967,7 @@ class ManagedIdentityCredential {
      */
     async getToken(scopes, options) {
         let result = null;
-        const { span, updatedOptions } = createSpan(`${ManagedIdentityCredential.name}.getToken`, options);
+        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.getToken`, options);
         try {
             // isEndpointAvailable can be true, false, or null,
             // If it's null, it means we don't yet know whether
@@ -2892,7 +2982,7 @@ class ManagedIdentityCredential {
                     // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
                     // yet we had no access token. For this reason, we'll throw once with a specific message:
                     const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$4.getToken.info(formatError(scopes, error));
+                    logger$5.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
@@ -2904,10 +2994,10 @@ class ManagedIdentityCredential {
                 // We've previously determined that the endpoint was unavailable,
                 // either because it was unreachable or permanently unable to authenticate.
                 const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$4.getToken.info(formatError(scopes, error));
+                logger$5.getToken.info(formatError(scopes, error));
                 throw error;
             }
-            logger$4.getToken.info(formatSuccess(scopes));
+            logger$5.getToken.info(formatSuccess(scopes));
             return result;
         }
         catch (err) {
@@ -2922,21 +3012,21 @@ class ManagedIdentityCredential {
             //   if the status code was 400, it means that the endpoint is working,
             //   but no identity is available.
             span.setStatus({
-                code: coreTracing.SpanStatusCode.ERROR,
-                message: err.message,
+                status: "error",
+                error: err,
             });
             // If either the network is unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
                 const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
-                logger$4.getToken.info(formatError(scopes, error));
+                logger$5.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
                 const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
-                logger$4.getToken.info(formatError(scopes, error));
+                logger$5.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
@@ -2970,13 +3060,24 @@ class ManagedIdentityCredential {
  * @internal
  */
 class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
+    // Constructor overload with just the other default options
+    // Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
     constructor(options) {
-        var _a, _b, _c;
-        const managedIdentityClientId = (_b = (_a = options) === null || _a === void 0 ? void 0 : _a.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
-        const managedResourceId = (_c = options) === null || _c === void 0 ? void 0 : _c.managedIdentityResourceId;
+        var _a;
+        const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
+        const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
         // ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
-        const managedIdentityOptions = Object.assign({ resourceId: managedResourceId, clientId: managedIdentityClientId }, options);
-        super(managedIdentityOptions);
+        if (managedResourceId) {
+            const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
+            super(managedIdentityResourceIdOptions);
+        }
+        else if (managedIdentityClientId) {
+            const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
+            super(managedIdentityClientOptions);
+        }
+        else {
+            super(options);
+        }
     }
 }
 const defaultCredentials = [
@@ -2991,30 +3092,6 @@ const defaultCredentials = [
  * work for most applications that use the Azure SDK.
  */
 class DefaultAzureCredential extends ChainedTokenCredential {
-    /**
-     * Creates an instance of the DefaultAzureCredential class.
-     *
-     * This credential provides a default {@link ChainedTokenCredential} configuration that should
-     * work for most applications that use the Azure SDK.
-     *
-     * The following credential types will be tried, in order:
-     *
-     * - {@link EnvironmentCredential}
-     * - {@link ManagedIdentityCredential}
-     * - {@link VisualStudioCodeCredential}
-     * - {@link AzureCliCredential}
-     * - {@link AzurePowerShellCredential}
-     *
-     * Consult the documentation of these credential types for more information
-     * on how they attempt authentication.
-     *
-     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
-     * `@azure/identity-vscode`. If this package is not installed and registered
-     * using the plugin API (`useIdentityPlugin`), then authentication using
-     * `VisualStudioCodeCredential` will not be available.
-     *
-     * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
-     */
     constructor(options) {
         super(...defaultCredentials.map((ctor) => new ctor(options)));
         this.UnavailableMessage =
@@ -3022,6 +3099,86 @@ class DefaultAzureCredential extends ChainedTokenCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
+ */
+class MsalClientAssertion extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.getAssertion = options.getAssertion;
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const assertion = await this.getAssertion();
+            const result = await this.confidentialApp.acquireTokenByClientCredential({
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority,
+                claims: options.claims,
+                clientAssertion: assertion,
+            });
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            let err2 = err;
+            if (err === null || err === undefined) {
+                err2 = new Error(JSON.stringify(err));
+            }
+            else {
+                err2 = coreUtil.isError(err) ? err : new Error(String(err));
+            }
+            throw this.handleError(scopes, err2, options);
+        }
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+const logger$4 = credentialLogger("ClientAssertionCredential");
+/**
+ * Authenticates a service principal with a JWT assertion.
+ */
+class ClientAssertionCredential {
+    /**
+     * Creates an instance of the ClientAssertionCredential with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * assertion provided by the developer through the `getAssertion` function parameter.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param getAssertion - A function that retrieves the assertion for the credential to use.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, getAssertion, options = {}) {
+        if (!tenantId || !clientId || !getAssertion) {
+            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
+        }
+        this.tenantId = tenantId;
+        this.clientId = clientId;
+        this.options = options;
+        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$4, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
 // Copyright (c) Microsoft Corporation.
 /**
  * A call to open(), but mockable
@@ -3173,7 +3330,8 @@ class MsalOpenBrowser extends MsalNode {
         };
         const response = await this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
         try {
-            await interactiveBrowserMockable.open(response, { wait: true });
+            // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
+            await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
         }
         catch (e) {
             throw new CredentialUnavailableError(`InteractiveBrowserCredential: Could not open a browser window. Error: ${e.message}`);
@@ -3221,7 +3379,7 @@ class InteractiveBrowserCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
@@ -3240,7 +3398,7 @@ class InteractiveBrowserCredential {
      *                  TokenCredential implementation might make.
      */
     async authenticate(scopes, options = {}) {
-        return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             await this.msalFlow.getToken(arrayScopes, newOptions);
             return this.msalFlow.getActiveAccount();
@@ -3269,8 +3427,6 @@ class MsalDeviceCode extends MsalNode {
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
             const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
-            // TODO:
-            // This should work, but it currently doesn't. I'm waiting for an answer from the MSAL team.
             const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
                 requestOptions.cancel = true;
             });
@@ -3333,7 +3489,7 @@ class DeviceCodeCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
@@ -3349,7 +3505,7 @@ class DeviceCodeCredential {
      *                  TokenCredential implementation might make.
      */
     async authenticate(scopes, options = {}) {
-        return trace(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             await this.msalFlow.getToken(arrayScopes, newOptions);
             return this.msalFlow.getActiveAccount();
@@ -3375,12 +3531,12 @@ class MsalAuthorizationCode extends MsalNode {
     }
     async getAuthCodeUrl(options) {
         await this.init();
-        return this.confidentialApp.getAuthCodeUrl(options);
+        return (this.confidentialApp || this.publicApp).getAuthCodeUrl(options);
     }
     async doGetToken(scopes, options) {
         var _a;
         try {
-            const result = await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+            const result = await ((_a = (this.confidentialApp || this.publicApp)) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
                 code: this.authorizationCode,
@@ -3429,7 +3585,8 @@ class AuthorizationCodeCredential {
             options = redirectUriOrOptions;
         }
         this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
-            clientId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
+            clientId,
+            tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -3440,7 +3597,7 @@ class AuthorizationCodeCredential {
      *                TokenCredential implementation might make.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
@@ -3507,27 +3664,6 @@ const logger = credentialLogger(credentialName);
  * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
 class OnBehalfOfCredential {
-    /**
-     * Creates an instance of the {@link OnBehalfOfCredential} with the details
-     * needed to authenticate against Azure Active Directory with a client
-     * secret or a path to a PEM certificate, and an user assertion.
-     *
-     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
-     *
-     * ```ts
-     * const tokenCredential = new OnBehalfOfCredential({
-     *   tenantId,
-     *   clientId,
-     *   clientSecret, // or `certificatePath: "/path/to/certificate.pem"
-     *   userAssertionToken: "access-token"
-     * });
-     * const client = new KeyClient("vault-url", tokenCredential);
-     *
-     * await client.getKey("key-name");
-     * ```
-     *
-     * @param options - Optional parameters, generally common across credentials.
-     */
     constructor(options) {
         this.options = options;
         const { clientSecret } = options;
@@ -3546,7 +3682,7 @@ class OnBehalfOfCredential {
      * @param options - The options used to configure the underlying network requests.
      */
     async getToken(scopes, options = {}) {
-        return trace(`${credentialName}.getToken`, options, async (newOptions) => {
+        return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -3570,6 +3706,7 @@ exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
 exports.AzureCliCredential = AzureCliCredential;
 exports.AzurePowerShellCredential = AzurePowerShellCredential;
 exports.ChainedTokenCredential = ChainedTokenCredential;
+exports.ClientAssertionCredential = ClientAssertionCredential;
 exports.ClientCertificateCredential = ClientCertificateCredential;
 exports.ClientSecretCredential = ClientSecretCredential;
 exports.CredentialUnavailableError = CredentialUnavailableError;
@@ -3584,7 +3721,7 @@ exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
-exports.logger = logger$j;
+exports.logger = logger$l;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
 exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map