@azure/identity 3.0.0 → 3.1.0-alpha.20221013.3

package/dist/index.js

@@ -256,7 +256,7 @@ function credentialLogger(title, log = logger$l) {
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `3.0.0-beta.1`;
+const SDK_VERSION = `3.1.0-beta.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -2074,6 +2074,7 @@ class ManagedIdentityCredential {
      * @hidden
      */
     constructor(clientIdOrOptions, options) {
+        var _a;
         this.isEndpointUnavailable = null;
         let _options;
         if (typeof clientIdOrOptions === "string") {
@@ -2093,6 +2094,17 @@ class ManagedIdentityCredential {
         this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
                 maxRetries: 0,
             } }));
+        /**  authority host validation and metadata discovery to be skipped in managed identity
+         * since this wasn't done previously before adding token cache support
+         */
+        this.confidentialApp = new msalNode.ConfidentialClientApplication({
+            auth: {
+                clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
+                clientSecret: "dummy-secret",
+                cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
+                authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+            },
+        });
     }
     async cachedAvailableMSI(scopes, getTokenOptions) {
         if (this.cachedMSI) {
@@ -2161,7 +2173,33 @@ class ManagedIdentityCredential {
             // If it's null, it means we don't yet know whether
             // the endpoint is available and need to check for it.
             if (this.isEndpointUnavailable !== true) {
-                result = await this.authenticateManagedIdentity(scopes, updatedOptions);
+                const appTokenParameters = {
+                    correlationId: this.identityClient.getCorrelationId(),
+                    tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
+                    scopes: [...scopes],
+                    claims: options === null || options === void 0 ? void 0 : options.claims,
+                };
+                this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
+                    logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
+                    const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
+                    if (resultToken) {
+                        logger$c.info(`SetAppTokenProvider has saved the token in cache`);
+                        logger$c.info(`token = ${resultToken.token}`);
+                        return {
+                            accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
+                            expiresInSeconds: resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp,
+                        };
+                    }
+                    else {
+                        logger$c.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
+                        return {
+                            accessToken: "no_access_token_returned",
+                            expiresInSeconds: 0,
+                        };
+                    }
+                });
+                const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
+                result = this.handleResult(scopes, authenticationResult || undefined);
                 if (result === null) {
                     // If authenticateManagedIdentity returns null,
                     // it means no MSI endpoints are available.
@@ -2238,6 +2276,42 @@ class ManagedIdentityCredential {
             span.end();
         }
     }
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, result, getTokenOptions) {
+        this.ensureValidMsalToken(scopes, result, getTokenOptions);
+        logger$c.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
+    }
+    /**
+     * Ensures the validity of the MSAL token
+     * @internal
+     */
+    ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
+        const error = (message) => {
+            logger$c.getToken.info(message);
+            return new AuthenticationRequiredError({
+                scopes: Array.isArray(scopes) ? scopes : [scopes],
+                getTokenOptions,
+                message,
+            });
+        };
+        if (!msalToken) {
+            throw error("No response");
+        }
+        if (!msalToken.expiresOn) {
+            throw error(`Response had no "expiresOn" property.`);
+        }
+        if (!msalToken.accessToken) {
+            throw error(`Response had no "accessToken" property.`);
+        }
+    }
 }
 
 // Copyright (c) Microsoft Corporation.