@azure/identity 3.0.0 → 3.1.0-alpha.20221010.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (7) hide show
  1. package/dist/index.js +75 -1
  2. package/dist/index.js.map +1 -1
  3. package/dist-esm/src/client/identityClient.js.map +1 -1
  4. package/dist-esm/src/credentials/managedIdentityCredential/index.js +78 -2
  5. package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +1 -1
  6. package/package.json +5 -5
  7. package/types/identity.d.ts +8 -0
package/dist/index.js CHANGED
@@ -2074,6 +2074,7 @@ class ManagedIdentityCredential {
2074
2074
  * @hidden
2075
2075
  */
2076
2076
  constructor(clientIdOrOptions, options) {
2077
+ var _a;
2077
2078
  this.isEndpointUnavailable = null;
2078
2079
  let _options;
2079
2080
  if (typeof clientIdOrOptions === "string") {
@@ -2093,6 +2094,17 @@ class ManagedIdentityCredential {
2093
2094
  this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
2094
2095
  maxRetries: 0,
2095
2096
  } }));
2097
+ /** authority host validation and metadata discovery to be skipped in managed identity
2098
+ * since this wasn't done previously before adding token cache support
2099
+ */
2100
+ this.confidentialApp = new msalNode.ConfidentialClientApplication({
2101
+ auth: {
2102
+ clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
2103
+ clientSecret: "dummy-secret",
2104
+ cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
2105
+ authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
2106
+ },
2107
+ });
2096
2108
  }
2097
2109
  async cachedAvailableMSI(scopes, getTokenOptions) {
2098
2110
  if (this.cachedMSI) {
@@ -2161,7 +2173,33 @@ class ManagedIdentityCredential {
2161
2173
  // If it's null, it means we don't yet know whether
2162
2174
  // the endpoint is available and need to check for it.
2163
2175
  if (this.isEndpointUnavailable !== true) {
2164
- result = await this.authenticateManagedIdentity(scopes, updatedOptions);
2176
+ const appTokenParameters = {
2177
+ correlationId: this.identityClient.getCorrelationId(),
2178
+ tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
2179
+ scopes: [...scopes],
2180
+ claims: options === null || options === void 0 ? void 0 : options.claims,
2181
+ };
2182
+ this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
2183
+ logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
2184
+ const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
2185
+ if (resultToken) {
2186
+ logger$c.info(`SetAppTokenProvider has saved the token in cache`);
2187
+ logger$c.info(`token = ${resultToken.token}`);
2188
+ return {
2189
+ accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
2190
+ expiresInSeconds: resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp,
2191
+ };
2192
+ }
2193
+ else {
2194
+ logger$c.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
2195
+ return {
2196
+ accessToken: "no_access_token_returned",
2197
+ expiresInSeconds: 0,
2198
+ };
2199
+ }
2200
+ });
2201
+ const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
2202
+ result = this.handleResult(scopes, authenticationResult || undefined);
2165
2203
  if (result === null) {
2166
2204
  // If authenticateManagedIdentity returns null,
2167
2205
  // it means no MSI endpoints are available.
@@ -2238,6 +2276,42 @@ class ManagedIdentityCredential {
2238
2276
  span.end();
2239
2277
  }
2240
2278
  }
2279
+ /**
2280
+ * Handles the MSAL authentication result.
2281
+ * If the result has an account, we update the local account reference.
2282
+ * If the token received is invalid, an error will be thrown depending on what's missing.
2283
+ */
2284
+ handleResult(scopes, result, getTokenOptions) {
2285
+ this.ensureValidMsalToken(scopes, result, getTokenOptions);
2286
+ logger$c.getToken.info(formatSuccess(scopes));
2287
+ return {
2288
+ token: result.accessToken,
2289
+ expiresOnTimestamp: result.expiresOn.getTime(),
2290
+ };
2291
+ }
2292
+ /**
2293
+ * Ensures the validity of the MSAL token
2294
+ * @internal
2295
+ */
2296
+ ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
2297
+ const error = (message) => {
2298
+ logger$c.getToken.info(message);
2299
+ return new AuthenticationRequiredError({
2300
+ scopes: Array.isArray(scopes) ? scopes : [scopes],
2301
+ getTokenOptions,
2302
+ message,
2303
+ });
2304
+ };
2305
+ if (!msalToken) {
2306
+ throw error("No response");
2307
+ }
2308
+ if (!msalToken.expiresOn) {
2309
+ throw error(`Response had no "expiresOn" property.`);
2310
+ }
2311
+ if (!msalToken.accessToken) {
2312
+ throw error(`Response had no "accessToken" property.`);
2313
+ }
2314
+ }
2241
2315
  }
2242
2316
 
2243
2317
  // Copyright (c) Microsoft Corporation.