@azure/identity 3.1.3 → 3.2.0-alpha.20230224.3

package/dist/index.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var msalNode = require('@azure/msal-node');
-var logger$m = require('@azure/logger');
+var logger$n = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
 var abortController = require('@azure/abort-controller');
 var coreUtil = require('@azure/core-util');
@@ -14,10 +14,11 @@ var coreTracing = require('@azure/core-tracing');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
-var util = require('util');
+var promises = require('fs/promises');
 var https = require('https');
 var child_process = require('child_process');
 var crypto = require('crypto');
+var util = require('util');
 var http = require('http');
 var open = require('open');
 var stoppable = require('stoppable');
@@ -177,7 +178,7 @@ class AuthenticationRequiredError extends Error {
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger$l = logger$m.createClientLogger("identity");
+const logger$m = logger$n.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -217,7 +218,7 @@ function formatError(scope, error) {
  *   `[title] => [message]`
  *
  */
-function credentialLoggerInstance(title, parent, log = logger$l) {
+function credentialLoggerInstance(title, parent, log = logger$m) {
     const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
     function info(message) {
         log.info(`${fullTitle} =>`, message);
@@ -246,7 +247,7 @@ function credentialLoggerInstance(title, parent, log = logger$l) {
  *   `[title] => getToken() => [message]`
  *
  */
-function credentialLogger(title, log = logger$l) {
+function credentialLogger(title, log = logger$m) {
     const credLogger = credentialLoggerInstance(title, undefined, log);
     return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
 }
@@ -256,7 +257,7 @@ function credentialLogger(title, log = logger$l) {
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `3.1.2`;
+const SDK_VERSION = `3.2.0-beta.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -355,8 +356,8 @@ function getAuthority(tenantId, host) {
  * by sending it within the known authorities in the MSAL configuration.
  * @internal
  */
-function getKnownAuthorities(tenantId, authorityHost) {
-    if (tenantId === "adfs" && authorityHost) {
+function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery) {
+    if ((tenantId === "adfs" && authorityHost) || disableInstanceDiscovery) {
         return [authorityHost];
     }
     return [];
@@ -553,6 +554,7 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
     else {
         resolvedTenantId = (_a = getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) !== null && _a !== void 0 ? _a : tenantId;
     }
+    console.log(resolvedTenantId);
     if (tenantId &&
         resolvedTenantId !== tenantId &&
         !additionallyAllowedTenantIds.includes("*") &&
@@ -724,9 +726,11 @@ class IdentityClient extends coreClient.ServiceClient {
         this.authorityHost = baseUri;
         this.abortControllers = new Map();
         this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
+        // used for WorkloadIdentity
+        this.tokenCredentialOptions = Object.assign({}, options);
     }
     async sendTokenRequest(request) {
-        logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
+        logger$m.info(`IdentityClient: sending token request to [${request.url}]`);
         const response = await this.sendRequest(request);
         if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
             const parsedBody = JSON.parse(response.bodyAsText);
@@ -741,12 +745,12 @@ class IdentityClient extends coreClient.ServiceClient {
                 },
                 refreshToken: parsedBody.refresh_token,
             };
-            logger$l.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+            logger$m.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
             return token;
         }
         else {
             const error = new AuthenticationError(response.status, response.bodyAsText);
-            logger$l.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+            logger$m.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
             throw error;
         }
     }
@@ -754,7 +758,7 @@ class IdentityClient extends coreClient.ServiceClient {
         if (refreshToken === undefined) {
             return null;
         }
-        logger$l.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
+        logger$m.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
         const refreshParams = {
             grant_type: "refresh_token",
             client_id: clientId,
@@ -780,7 +784,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     tracingOptions: updatedOptions.tracingOptions,
                 });
                 const response = await this.sendTokenRequest(request);
-                logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+                logger$m.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
                 return response;
             }
             catch (err) {
@@ -789,11 +793,11 @@ class IdentityClient extends coreClient.ServiceClient {
                     // It's likely that the refresh token has expired, so
                     // return null so that the credential implementation will
                     // initiate the authentication flow again.
-                    logger$l.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+                    logger$m.info(`IdentityClient: interaction required for client ID: ${clientId}`);
                     return null;
                 }
                 else {
-                    logger$l.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+                    logger$m.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
                     throw err;
                 }
             }
@@ -869,6 +873,13 @@ class IdentityClient extends coreClient.ServiceClient {
             status: response.status,
         };
     }
+    /**
+     *
+     * @internal
+     */
+    getTokenCredentialOptions() {
+        return this.tokenCredentialOptions;
+    }
     /**
      * If allowLoggingAccountIdentifiers was set on the constructor options
      * we try to log the account identifiers by parsing the received access token.
@@ -895,10 +906,10 @@ class IdentityClient extends coreClient.ServiceClient {
             }
             const base64Metadata = accessToken.split(".")[1];
             const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
-            logger$l.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+            logger$m.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
         }
         catch (e) {
-            logger$l.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+            logger$m.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
         }
     }
 }
@@ -1088,7 +1099,7 @@ class MsalNode extends MsalBaseUtilities {
             auth: {
                 clientId,
                 authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority),
+                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
                 clientCapabilities,
             },
             // Cache is defined in this.prepare();
@@ -1096,7 +1107,7 @@ class MsalNode extends MsalBaseUtilities {
                 networkClient: this.identityClient,
                 loggerOptions: {
                     loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$m.getLogLevel()),
+                    logLevel: getMSALLogLevel(logger$n.getLogLevel()),
                 },
             },
         };
@@ -1254,7 +1265,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 // Copyright (c) Microsoft Corporation.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
-const logger$k = credentialLogger("VisualStudioCodeCredential");
+const logger$l = credentialLogger("VisualStudioCodeCredential");
 let findCredentials = undefined;
 const vsCodeCredentialControl = {
     setVsCodeCredentialFinder(finder) {
@@ -1307,7 +1318,7 @@ function getPropertyFromVSCode(property) {
         }
     }
     catch (e) {
-        logger$k.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        logger$l.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
         return;
     }
 }
@@ -1340,7 +1351,7 @@ class VisualStudioCodeCredential {
         const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
         this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
         if (options && options.tenantId) {
-            checkTenantId(logger$k, options.tenantId);
+            checkTenantId(logger$l, options.tenantId);
             this.tenantId = options.tenantId;
         }
         else {
@@ -1395,7 +1406,7 @@ class VisualStudioCodeCredential {
         // Check to make sure the scope we get back is a valid scope
         if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
             const error = new Error("Invalid scope was specified by the user or calling client");
-            logger$k.getToken.info(formatError(scopes, error));
+            logger$l.getToken.info(formatError(scopes, error));
             throw error;
         }
         if (scopeString.indexOf("offline_access") < 0) {
@@ -1415,18 +1426,18 @@ class VisualStudioCodeCredential {
         if (refreshToken) {
             const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
             if (tokenResponse) {
-                logger$k.getToken.info(formatSuccess(scopes));
+                logger$l.getToken.info(formatSuccess(scopes));
                 return tokenResponse.accessToken;
             }
             else {
                 const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-                logger$k.getToken.info(formatError(scopes, error));
+                logger$l.getToken.info(formatError(scopes, error));
                 throw error;
             }
         }
         else {
             const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-            logger$k.getToken.info(formatError(scopes, error));
+            logger$l.getToken.info(formatError(scopes, error));
             throw error;
         }
     }
@@ -1475,11 +1486,11 @@ function useIdentityPlugin(plugin) {
 
 // Copyright (c) Microsoft Corporation.
 const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
-const logger$j = credentialLogger(msiName$6);
+const logger$k = credentialLogger(msiName$6);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$6(scopes, clientId) {
+function prepareRequestOptions$5(scopes, clientId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
@@ -1512,26 +1523,27 @@ function prepareRequestOptions$6(scopes, clientId) {
  * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
 const appServiceMsi2017 = {
+    name: "appServiceMsi2017",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$j.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            logger$k.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
         if (!result) {
-            logger$j.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+            logger$k.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (resourceId) {
-            logger$j.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+            logger$k.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        logger$j.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), { 
+        logger$k.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -1541,11 +1553,11 @@ const appServiceMsi2017 = {
 
 // Copyright (c) Microsoft Corporation.
 const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$i = credentialLogger(msiName$5);
+const logger$j = credentialLogger(msiName$5);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$5(scopes, clientId, resourceId) {
+function prepareRequestOptions$4(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
@@ -1580,28 +1592,29 @@ function prepareRequestOptions$5(scopes, clientId, resourceId) {
  * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
  */
 const cloudShellMsi = {
+    name: "cloudShellMsi",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$i.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            logger$j.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.MSI_ENDPOINT);
         if (!result) {
-            logger$i.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+            logger$j.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$i.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$j.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$i.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+            logger$j.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
         }
-        logger$i.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
+        logger$j.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -1611,11 +1624,11 @@ const cloudShellMsi = {
 
 // Copyright (c) Microsoft Corporation.
 const msiName$4 = "ManagedIdentityCredential - IMDS";
-const logger$h = credentialLogger(msiName$4);
+const logger$i = credentialLogger(msiName$4);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
+function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -1665,10 +1678,11 @@ const imdsMsiRetryConfig = {
  * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
  */
 const imdsMsi = {
+    name: "imdsMsi",
     async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$h.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+            logger$i.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
@@ -1678,7 +1692,7 @@ const imdsMsi = {
         if (!identityClient) {
             throw new Error("Missing IdentityClient");
         }
-        const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
+        const requestOptions = prepareRequestOptions$3(resource, clientId, resourceId, {
             skipMetadataHeader: true,
             skipQuery: true,
         });
@@ -1695,35 +1709,35 @@ const imdsMsi = {
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
             try {
-                logger$h.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
+                logger$i.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
                 await identityClient.sendRequest(request);
             }
             catch (err) {
                 // If the request failed, or Node.js was unable to establish a connection,
                 // or the host was down, we'll assume the IMDS endpoint isn't available.
                 if (coreUtil.isError(err)) {
-                    logger$h.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
+                    logger$i.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
                 }
-                logger$h.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                logger$i.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
                 return false;
             }
             // If we received any response, the endpoint is available
-            logger$h.info(`${msiName$4}: The Azure IMDS endpoint is available`);
+            logger$i.info(`${msiName$4}: The Azure IMDS endpoint is available`);
             return true;
         });
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            logger$h.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
+            logger$i.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
         }
         else {
-            logger$h.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
+            logger$i.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
         }
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
                 const tokenResponse = await identityClient.sendTokenRequest(request);
                 return (tokenResponse && tokenResponse.accessToken) || null;
             }
@@ -1742,11 +1756,11 @@ const imdsMsi = {
 
 // Copyright (c) Microsoft Corporation.
 const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$g = credentialLogger(msiName$3);
+const logger$h = credentialLogger(msiName$3);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$3(scopes, clientId, resourceId) {
+function prepareRequestOptions$2(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
@@ -1780,7 +1794,7 @@ function prepareRequestOptions$3(scopes, clientId, resourceId) {
  * Retrieves the file contents at the given path using promises.
  * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
  */
-function readFileAsync$2(path, options) {
+function readFileAsync$1(path, options) {
     return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
         if (err) {
             reject(err);
@@ -1812,15 +1826,16 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
 const arcMsi = {
+    name: "arc",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$g.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            logger$h.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$g.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+            logger$h.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
@@ -1828,18 +1843,18 @@ const arcMsi = {
         var _a;
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$g.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$h.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$g.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+            logger$h.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
         }
-        logger$g.info(`${msiName$3}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        logger$h.info(`${msiName$3}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
             throw new Error(`${msiName$3}: Failed to find the token file.`);
         }
-        const key = await readFileAsync$2(filePath, { encoding: "utf-8" });
+        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
@@ -1850,82 +1865,164 @@ const arcMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$2 = "ManagedIdentityCredential - Token Exchange";
-const logger$f = credentialLogger(msiName$2);
-const readFileAsync$1 = util.promisify(fs__default["default"].readFile);
 /**
- * Generates the options used on the request for an access token.
+ * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
  */
-function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
-    var _a;
-    const bodyParams = {
-        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
-        client_assertion: clientAssertion,
-        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-        client_id: clientId,
-        grant_type: "client_credentials",
-    };
-    const urlParams = new URLSearchParams(bodyParams);
-    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
-    return {
-        url: url.toString(),
-        method: "POST",
-        body: urlParams.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-        }),
-    };
+class MsalClientAssertion extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.getAssertion = options.getAssertion;
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const assertion = await this.getAssertion();
+            const result = await this.confidentialApp.acquireTokenByClientCredential({
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority,
+                claims: options.claims,
+                clientAssertion: assertion,
+            });
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            let err2 = err;
+            if (err === null || err === undefined) {
+                err2 = new Error(JSON.stringify(err));
+            }
+            else {
+                err2 = coreUtil.isError(err) ? err : new Error(String(err));
+            }
+            throw this.handleError(scopes, err2, options);
+        }
+    }
 }
+
+// Copyright (c) Microsoft Corporation.
+const logger$g = credentialLogger("ClientAssertionCredential");
 /**
- * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ * Authenticates a service principal with a JWT assertion.
  */
-function tokenExchangeMsi() {
-    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    let azureFederatedTokenFileContent = undefined;
-    let cacheDate = undefined;
-    // Only reads from the assertion file once every 5 minutes
-    async function readAssertion() {
+class ClientAssertionCredential {
+    /**
+     * Creates an instance of the ClientAssertionCredential with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * assertion provided by the developer through the `getAssertion` function parameter.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param getAssertion - A function that retrieves the assertion for the credential to use.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, getAssertion, options = {}) {
+        if (!tenantId || !clientId || !getAssertion) {
+            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
+        }
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.clientId = clientId;
+        this.options = options;
+        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$g, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * WorkloadIdentityCredential supports Azure workload identity authentication on Kubernetes.
+ * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Azure Active Directory Workload Identity</a>
+ * for more information.
+ */
+class WorkloadIdentityCredential {
+    /**
+     * WorkloadIdentityCredential supports Azure workload identity on Kubernetes.
+     *
+     * @param options - The identity client options to use for authentication.
+     */
+    constructor(options = {}) {
+        this.azureFederatedTokenFileContent = undefined;
+        this.cacheDate = undefined;
+        if (!options.tenantId || !options.clientId || !options.federatedTokenFilePath) {
+            throw new Error("WorkloadIdentityCredential: tenantId, clientId, and federatedTokenFilePath are required parameters.");
+        }
+        this.federatedTokenFilePath = options.federatedTokenFilePath;
+        this.client = new ClientAssertionCredential(options.tenantId, options.clientId, this.readFileContents.bind(this), options);
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes, options) {
+        return this.client.getToken(scopes, options);
+    }
+    async readFileContents() {
         // Cached assertions expire after 5 minutes
-        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
-            azureFederatedTokenFileContent = undefined;
+        if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {
+            this.azureFederatedTokenFileContent = undefined;
         }
-        if (!azureFederatedTokenFileContent) {
-            const file = await readFileAsync$1(azureFederatedTokenFilePath, "utf8");
+        if (!this.azureFederatedTokenFileContent) {
+            const file = await promises.readFile(this.federatedTokenFilePath, "utf8");
             const value = file.trim();
             if (!value) {
-                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+                throw new Error(`No content on the file ${this.federatedTokenFilePath}.`);
             }
             else {
-                azureFederatedTokenFileContent = value;
-                cacheDate = Date.now();
+                this.azureFederatedTokenFileContent = value;
+                this.cacheDate = Date.now();
             }
         }
-        return azureFederatedTokenFileContent;
+        return this.azureFederatedTokenFileContent;
     }
+}
+
+// Copyright (c) Microsoft Corporation.
+const msiName$2 = "ManagedIdentityCredential - Token Exchange";
+const logger$f = credentialLogger(msiName$2);
+/**
+ * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ */
+function tokenExchangeMsi() {
     return {
+        name: "tokenExchangeMsi",
         async isAvailable({ clientId }) {
             const env = process.env;
-            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
+                env.AZURE_TENANT_ID &&
+                process.env.AZURE_FEDERATED_TOKEN_FILE);
             if (!result) {
                 logger$f.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
             return result;
         },
         async getToken(configuration, getTokenOptions = {}) {
-            const { identityClient, scopes, clientId } = configuration;
-            logger$f.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
-            let assertion;
-            try {
-                assertion = await readAssertion();
-            }
-            catch (err) {
-                throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
-            }
-            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
-                // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-                allowInsecureConnection: true }));
-            const tokenResponse = await identityClient.sendTokenRequest(request);
-            return (tokenResponse && tokenResponse.accessToken) || null;
+            const { scopes, clientId } = configuration;
+            const identityClientTokenCredentialOptions = {};
+            const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, federatedTokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
+            const token = await workloadIdentityCredential.getToken(scopes, getTokenOptions);
+            return token;
         },
     };
 }
@@ -1982,6 +2079,7 @@ function prepareRequestOptions$1(scopes, clientId, resourceId) {
  * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
  */
 const fabricMsi = {
+    name: "fabricMsi",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
@@ -2060,6 +2158,7 @@ function prepareRequestOptions(scopes, clientId, resourceId) {
  * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
 const appServiceMsi2019 = {
+    name: "appServiceMsi2019",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
@@ -2202,12 +2301,17 @@ class ManagedIdentityCredential {
                 const appTokenParameters = {
                     correlationId: this.identityClient.getCorrelationId(),
                     tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
-                    scopes: [...scopes],
+                    scopes: Array.isArray(scopes) ? scopes : [scopes],
                     claims: options === null || options === void 0 ? void 0 : options.claims,
                 };
                 this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
                     logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
-                    const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
+                    const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+                    const appTokenParams = Object.assign({}, appTokenProviderParameters);
+                    if (availableMSI.name === "tokenExchangeMsi") {
+                        appTokenParams.tenantId = process.env.AZURE_TENANT_ID;
+                    }
+                    const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenParams));
                     if (resultToken) {
                         logger$c.info(`SetAppTokenProvider has saved the token in cache`);
                         const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
@@ -2714,10 +2818,6 @@ class ChainedTokenCredential {
      * ```
      */
     constructor(...sources) {
-        /**
-         * The message to use when the chained token fails to get a token
-         */
-        this.UnavailableMessage = "ChainedTokenCredential => failed to retrieve a token from the included credentials";
         this._sources = [];
         this._sources = sources;
     }
@@ -3202,6 +3302,136 @@ class EnvironmentCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+/**
+ * Mockable reference to the Developer CLI credential cliCredentialFunctions
+ * @internal
+ */
+const developerCliCredentialInternals = {
+    /**
+     * @internal
+     */
+    getSafeWorkingDir() {
+        if (process.platform === "win32") {
+            if (!process.env.SystemRoot) {
+                throw new Error("Azure Developer CLI credential expects a 'SystemRoot' environment variable");
+            }
+            return process.env.SystemRoot;
+        }
+        else {
+            return "/bin";
+        }
+    },
+    /**
+     * Gets the access token from Azure Developer CLI
+     * @param scopes - The scopes to use when getting the token
+     * @internal
+     */
+    async getAzdAccessToken(scopes, tenantId) {
+        let tenantSection = [];
+        if (tenantId) {
+            tenantSection = ["--tenant-id", tenantId];
+        }
+        return new Promise((resolve, reject) => {
+            try {
+                child_process__default["default"].execFile("azd", [
+                    "auth",
+                    "token",
+                    "--output",
+                    "json",
+                    ...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
+                    ...tenantSection,
+                ], { cwd: developerCliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
+                    resolve({ stdout, stderr, error });
+                });
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+    },
+};
+const logger$4 = credentialLogger("AzureDeveloperCliCredential");
+/**
+ * This credential will use the currently logged-in user login information
+ * via the Azure Developer CLI ('az') commandline tool.
+ * To do so, it will read the user access token and expire time
+ * with Azure Developer CLI command "azd auth token".
+ */
+class AzureDeveloperCliCredential {
+    /**
+     * Creates an instance of the {@link AzureDeveloperCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'azd' tool using the command "azd login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        let scopeList;
+        if (typeof scopes === "string") {
+            scopeList = [scopes];
+        }
+        else {
+            scopeList = scopes;
+        }
+        logger$4.getToken.info(`Using the scopes ${scopes}`);
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            var _a, _b, _c;
+            try {
+                const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId);
+                const isNotLoggedInError = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login");
+                const isNotInstallError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("azd:(.*)not found")) ||
+                    ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.startsWith("'azd' is not recognized"));
+                if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
+                    const error = new CredentialUnavailableError("Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd login'.");
+                    logger$4.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                if (isNotLoggedInError) {
+                    const error = new CredentialUnavailableError("Please run 'azd login' from a command prompt to authenticate before using this credential.");
+                    logger$4.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                try {
+                    const resp = JSON.parse(obj.stdout);
+                    logger$4.getToken.info(formatSuccess(scopes));
+                    return {
+                        token: resp.token,
+                        expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
+                    };
+                }
+                catch (e) {
+                    if (obj.stderr) {
+                        throw new CredentialUnavailableError(obj.stderr);
+                    }
+                    throw e;
+                }
+            }
+            catch (err) {
+                const error = err.name === "CredentialUnavailableError"
+                    ? err
+                    : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
+                logger$4.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+        });
+    }
+}
+
 // Copyright (c) Microsoft Corporation.
 /**
  * A shim around ManagedIdentityCredential that adapts it to accept
@@ -3216,11 +3446,16 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
         var _a;
         const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
         const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
+        const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
         // ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
         if (managedResourceId) {
             const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
             super(managedIdentityResourceIdOptions);
         }
+        else if (workloadFile) {
+            const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId, federatedTokenFilePath: workloadFile });
+            super(workloadIdentityCredentialOptions);
+        }
         else if (managedIdentityClientId) {
             const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
             super(managedIdentityClientOptions);
@@ -3232,7 +3467,9 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
 }
 const defaultCredentials = [
     EnvironmentCredential,
+    WorkloadIdentityCredential,
     DefaultManagedIdentityCredential,
+    AzureDeveloperCliCredential,
     AzureCliCredential,
     AzurePowerShellCredential,
 ];
@@ -3243,90 +3480,6 @@ const defaultCredentials = [
 class DefaultAzureCredential extends ChainedTokenCredential {
     constructor(options) {
         super(...defaultCredentials.map((ctor) => new ctor(options)));
-        this.UnavailableMessage =
-            "DefaultAzureCredential => failed to retrieve a token from the included credentials. To troubleshoot, visit https://aka.ms/azsdk/js/identity/defaultazurecredential/troubleshoot.";
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientAssertion extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.getAssertion = options.getAssertion;
-    }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const assertion = await this.getAssertion();
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
-                scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
-                clientAssertion: assertion,
-            });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
-        }
-        catch (err) {
-            let err2 = err;
-            if (err === null || err === undefined) {
-                err2 = new Error(JSON.stringify(err));
-            }
-            else {
-                err2 = coreUtil.isError(err) ? err : new Error(String(err));
-            }
-            throw this.handleError(scopes, err2, options);
-        }
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-const logger$4 = credentialLogger("ClientAssertionCredential");
-/**
- * Authenticates a service principal with a JWT assertion.
- */
-class ClientAssertionCredential {
-    /**
-     * Creates an instance of the ClientAssertionCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
-     * assertion provided by the developer through the `getAssertion` function parameter.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param getAssertion - A function that retrieves the assertion for the credential to use.
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, getAssertion, options = {}) {
-        if (!tenantId || !clientId || !getAssertion) {
-            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
-        }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.clientId = clientId;
-        this.options = options;
-        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$4, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
     }
 }
 
@@ -3884,9 +4037,10 @@ exports.ManagedIdentityCredential = ManagedIdentityCredential;
 exports.OnBehalfOfCredential = OnBehalfOfCredential;
 exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
+exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
-exports.logger = logger$l;
+exports.logger = logger$m;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
 exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map