@azure/identity 3.2.0-alpha.20230227.4 → 3.2.0-beta.1
- package/dist/index.js +126 -76
- package/dist/index.js.map +1 -1
- package/dist-esm/src/credentials/clientAssertionCredential.js +1 -1
- package/dist-esm/src/credentials/clientAssertionCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientSecretCredential.js +1 -1
- package/dist-esm/src/credentials/clientSecretCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +6 -4
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/deviceCodeCredential.js +1 -1
- package/dist-esm/src/credentials/deviceCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.js +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js.map +1 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.js +1 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.js.map +1 -1
- package/dist-esm/src/credentials/visualStudioCodeCredential.js +1 -2
- package/dist-esm/src/credentials/visualStudioCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.js +60 -10
- package/dist-esm/src/credentials/workloadIdentityCredential.js.map +1 -1
- package/dist-esm/src/credentials/workloadIdentityCredentialOptions.js.map +1 -1
- package/dist-esm/src/util/processMultiTenantRequest.js +7 -3
- package/dist-esm/src/util/processMultiTenantRequest.js.map +1 -1
- package/package.json +4 -4
- package/types/identity.d.ts +14 -6
package/dist/index.js
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
5
|
var msalNode = require('@azure/msal-node');
|
|
6
|
-
var logger$
|
|
6
|
+
var logger$o = require('@azure/logger');
|
|
7
7
|
var msalCommon = require('@azure/msal-common');
|
|
8
8
|
var abortController = require('@azure/abort-controller');
|
|
9
9
|
var coreUtil = require('@azure/core-util');
|
|
@@ -178,7 +178,7 @@ class AuthenticationRequiredError extends Error {
|
|
|
178
178
|
/**
|
|
179
179
|
* The AzureLogger used for all clients within the identity package
|
|
180
180
|
*/
|
|
181
|
-
const logger$
|
|
181
|
+
const logger$n = logger$o.createClientLogger("identity");
|
|
182
182
|
/**
|
|
183
183
|
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
|
184
184
|
* @param supportedEnvVars - List of environment variable names
|
|
@@ -218,7 +218,7 @@ function formatError(scope, error) {
|
|
|
218
218
|
* `[title] => [message]`
|
|
219
219
|
*
|
|
220
220
|
*/
|
|
221
|
-
function credentialLoggerInstance(title, parent, log = logger$
|
|
221
|
+
function credentialLoggerInstance(title, parent, log = logger$n) {
|
|
222
222
|
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
|
223
223
|
function info(message) {
|
|
224
224
|
log.info(`${fullTitle} =>`, message);
|
|
@@ -247,7 +247,7 @@ function credentialLoggerInstance(title, parent, log = logger$m) {
|
|
|
247
247
|
* `[title] => getToken() => [message]`
|
|
248
248
|
*
|
|
249
249
|
*/
|
|
250
|
-
function credentialLogger(title, log = logger$
|
|
250
|
+
function credentialLogger(title, log = logger$n) {
|
|
251
251
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
252
252
|
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
|
253
253
|
}
|
|
@@ -532,7 +532,6 @@ function deserializeAuthenticationRecord(serializedRecord) {
|
|
|
532
532
|
}
|
|
533
533
|
|
|
534
534
|
// Copyright (c) Microsoft Corporation.
|
|
535
|
-
// Licensed under the MIT license.
|
|
536
535
|
function createConfigurationErrorMessage(tenantId) {
|
|
537
536
|
return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
|
|
538
537
|
}
|
|
@@ -542,7 +541,7 @@ function createConfigurationErrorMessage(tenantId) {
|
|
|
542
541
|
* or unless the original tenant Id is `adfs`.
|
|
543
542
|
* @internal
|
|
544
543
|
*/
|
|
545
|
-
function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = []) {
|
|
544
|
+
function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = [], logger) {
|
|
546
545
|
var _a;
|
|
547
546
|
let resolvedTenantId;
|
|
548
547
|
if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
|
|
@@ -554,12 +553,15 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
|
|
|
554
553
|
else {
|
|
555
554
|
resolvedTenantId = (_a = getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) !== null && _a !== void 0 ? _a : tenantId;
|
|
556
555
|
}
|
|
557
|
-
console.log(resolvedTenantId);
|
|
556
|
+
console.log("resolved tenant =", resolvedTenantId);
|
|
557
|
+
console.log("tenantId =", tenantId);
|
|
558
558
|
if (tenantId &&
|
|
559
559
|
resolvedTenantId !== tenantId &&
|
|
560
560
|
!additionallyAllowedTenantIds.includes("*") &&
|
|
561
561
|
!additionallyAllowedTenantIds.some((t) => t.localeCompare(resolvedTenantId) === 0)) {
|
|
562
|
-
|
|
562
|
+
const message = createConfigurationErrorMessage(tenantId);
|
|
563
|
+
logger === null || logger === void 0 ? void 0 : logger.info(message);
|
|
564
|
+
throw new CredentialUnavailableError(message);
|
|
563
565
|
}
|
|
564
566
|
return resolvedTenantId;
|
|
565
567
|
}
|
|
@@ -730,7 +732,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
730
732
|
this.tokenCredentialOptions = Object.assign({}, options);
|
|
731
733
|
}
|
|
732
734
|
async sendTokenRequest(request) {
|
|
733
|
-
logger$
|
|
735
|
+
logger$n.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
734
736
|
const response = await this.sendRequest(request);
|
|
735
737
|
if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
|
|
736
738
|
const parsedBody = JSON.parse(response.bodyAsText);
|
|
@@ -745,12 +747,12 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
745
747
|
},
|
|
746
748
|
refreshToken: parsedBody.refresh_token,
|
|
747
749
|
};
|
|
748
|
-
logger$
|
|
750
|
+
logger$n.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
|
749
751
|
return token;
|
|
750
752
|
}
|
|
751
753
|
else {
|
|
752
754
|
const error = new AuthenticationError(response.status, response.bodyAsText);
|
|
753
|
-
logger$
|
|
755
|
+
logger$n.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
|
754
756
|
throw error;
|
|
755
757
|
}
|
|
756
758
|
}
|
|
@@ -758,7 +760,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
758
760
|
if (refreshToken === undefined) {
|
|
759
761
|
return null;
|
|
760
762
|
}
|
|
761
|
-
logger$
|
|
763
|
+
logger$n.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
|
762
764
|
const refreshParams = {
|
|
763
765
|
grant_type: "refresh_token",
|
|
764
766
|
client_id: clientId,
|
|
@@ -784,7 +786,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
784
786
|
tracingOptions: updatedOptions.tracingOptions,
|
|
785
787
|
});
|
|
786
788
|
const response = await this.sendTokenRequest(request);
|
|
787
|
-
logger$
|
|
789
|
+
logger$n.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
|
788
790
|
return response;
|
|
789
791
|
}
|
|
790
792
|
catch (err) {
|
|
@@ -793,11 +795,11 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
793
795
|
// It's likely that the refresh token has expired, so
|
|
794
796
|
// return null so that the credential implementation will
|
|
795
797
|
// initiate the authentication flow again.
|
|
796
|
-
logger$
|
|
798
|
+
logger$n.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
|
797
799
|
return null;
|
|
798
800
|
}
|
|
799
801
|
else {
|
|
800
|
-
logger$
|
|
802
|
+
logger$n.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
|
801
803
|
throw err;
|
|
802
804
|
}
|
|
803
805
|
}
|
|
@@ -906,10 +908,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
906
908
|
}
|
|
907
909
|
const base64Metadata = accessToken.split(".")[1];
|
|
908
910
|
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
|
909
|
-
logger$
|
|
911
|
+
logger$n.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
|
910
912
|
}
|
|
911
913
|
catch (e) {
|
|
912
|
-
logger$
|
|
914
|
+
logger$n.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
|
913
915
|
}
|
|
914
916
|
}
|
|
915
917
|
}
|
|
@@ -1107,7 +1109,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1107
1109
|
networkClient: this.identityClient,
|
|
1108
1110
|
loggerOptions: {
|
|
1109
1111
|
loggerCallback: defaultLoggerCallback(options.logger),
|
|
1110
|
-
logLevel: getMSALLogLevel(logger$
|
|
1112
|
+
logLevel: getMSALLogLevel(logger$o.getLogLevel()),
|
|
1111
1113
|
},
|
|
1112
1114
|
},
|
|
1113
1115
|
};
|
|
@@ -1265,7 +1267,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1265
1267
|
// Copyright (c) Microsoft Corporation.
|
|
1266
1268
|
const CommonTenantId = "common";
|
|
1267
1269
|
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
|
1268
|
-
const logger$
|
|
1270
|
+
const logger$m = credentialLogger("VisualStudioCodeCredential");
|
|
1269
1271
|
let findCredentials = undefined;
|
|
1270
1272
|
const vsCodeCredentialControl = {
|
|
1271
1273
|
setVsCodeCredentialFinder(finder) {
|
|
@@ -1318,7 +1320,7 @@ function getPropertyFromVSCode(property) {
|
|
|
1318
1320
|
}
|
|
1319
1321
|
}
|
|
1320
1322
|
catch (e) {
|
|
1321
|
-
logger$
|
|
1323
|
+
logger$m.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
|
1322
1324
|
return;
|
|
1323
1325
|
}
|
|
1324
1326
|
}
|
|
@@ -1351,7 +1353,7 @@ class VisualStudioCodeCredential {
|
|
|
1351
1353
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
1352
1354
|
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
|
1353
1355
|
if (options && options.tenantId) {
|
|
1354
|
-
checkTenantId(logger$
|
|
1356
|
+
checkTenantId(logger$m, options.tenantId);
|
|
1355
1357
|
this.tenantId = options.tenantId;
|
|
1356
1358
|
}
|
|
1357
1359
|
else {
|
|
@@ -1391,8 +1393,7 @@ class VisualStudioCodeCredential {
|
|
|
1391
1393
|
async getToken(scopes, options) {
|
|
1392
1394
|
var _a, _b;
|
|
1393
1395
|
await this.prepareOnce();
|
|
1394
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
|
|
1395
|
-
this.tenantId;
|
|
1396
|
+
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$m) || this.tenantId;
|
|
1396
1397
|
if (findCredentials === undefined) {
|
|
1397
1398
|
throw new CredentialUnavailableError([
|
|
1398
1399
|
"No implementation of `VisualStudioCodeCredential` is available.",
|
|
@@ -1406,7 +1407,7 @@ class VisualStudioCodeCredential {
|
|
|
1406
1407
|
// Check to make sure the scope we get back is a valid scope
|
|
1407
1408
|
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
|
1408
1409
|
const error = new Error("Invalid scope was specified by the user or calling client");
|
|
1409
|
-
logger$
|
|
1410
|
+
logger$m.getToken.info(formatError(scopes, error));
|
|
1410
1411
|
throw error;
|
|
1411
1412
|
}
|
|
1412
1413
|
if (scopeString.indexOf("offline_access") < 0) {
|
|
@@ -1426,18 +1427,18 @@ class VisualStudioCodeCredential {
|
|
|
1426
1427
|
if (refreshToken) {
|
|
1427
1428
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
1428
1429
|
if (tokenResponse) {
|
|
1429
|
-
logger$
|
|
1430
|
+
logger$m.getToken.info(formatSuccess(scopes));
|
|
1430
1431
|
return tokenResponse.accessToken;
|
|
1431
1432
|
}
|
|
1432
1433
|
else {
|
|
1433
1434
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1434
|
-
logger$
|
|
1435
|
+
logger$m.getToken.info(formatError(scopes, error));
|
|
1435
1436
|
throw error;
|
|
1436
1437
|
}
|
|
1437
1438
|
}
|
|
1438
1439
|
else {
|
|
1439
1440
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1440
|
-
logger$
|
|
1441
|
+
logger$m.getToken.info(formatError(scopes, error));
|
|
1441
1442
|
throw error;
|
|
1442
1443
|
}
|
|
1443
1444
|
}
|
|
@@ -1486,7 +1487,7 @@ function useIdentityPlugin(plugin) {
|
|
|
1486
1487
|
|
|
1487
1488
|
// Copyright (c) Microsoft Corporation.
|
|
1488
1489
|
const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
|
|
1489
|
-
const logger$
|
|
1490
|
+
const logger$l = credentialLogger(msiName$6);
|
|
1490
1491
|
/**
|
|
1491
1492
|
* Generates the options used on the request for an access token.
|
|
1492
1493
|
*/
|
|
@@ -1527,22 +1528,22 @@ const appServiceMsi2017 = {
|
|
|
1527
1528
|
async isAvailable({ scopes }) {
|
|
1528
1529
|
const resource = mapScopesToResource(scopes);
|
|
1529
1530
|
if (!resource) {
|
|
1530
|
-
logger$
|
|
1531
|
+
logger$l.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
|
|
1531
1532
|
return false;
|
|
1532
1533
|
}
|
|
1533
1534
|
const env = process.env;
|
|
1534
1535
|
const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
|
|
1535
1536
|
if (!result) {
|
|
1536
|
-
logger$
|
|
1537
|
+
logger$l.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
|
|
1537
1538
|
}
|
|
1538
1539
|
return result;
|
|
1539
1540
|
},
|
|
1540
1541
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1541
1542
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1542
1543
|
if (resourceId) {
|
|
1543
|
-
logger$
|
|
1544
|
+
logger$l.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
1544
1545
|
}
|
|
1545
|
-
logger$
|
|
1546
|
+
logger$l.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
1546
1547
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), {
|
|
1547
1548
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1548
1549
|
allowInsecureConnection: true }));
|
|
@@ -1553,7 +1554,7 @@ const appServiceMsi2017 = {
|
|
|
1553
1554
|
|
|
1554
1555
|
// Copyright (c) Microsoft Corporation.
|
|
1555
1556
|
const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
|
|
1556
|
-
const logger$
|
|
1557
|
+
const logger$k = credentialLogger(msiName$5);
|
|
1557
1558
|
/**
|
|
1558
1559
|
* Generates the options used on the request for an access token.
|
|
1559
1560
|
*/
|
|
@@ -1596,24 +1597,24 @@ const cloudShellMsi = {
|
|
|
1596
1597
|
async isAvailable({ scopes }) {
|
|
1597
1598
|
const resource = mapScopesToResource(scopes);
|
|
1598
1599
|
if (!resource) {
|
|
1599
|
-
logger$
|
|
1600
|
+
logger$k.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
|
|
1600
1601
|
return false;
|
|
1601
1602
|
}
|
|
1602
1603
|
const result = Boolean(process.env.MSI_ENDPOINT);
|
|
1603
1604
|
if (!result) {
|
|
1604
|
-
logger$
|
|
1605
|
+
logger$k.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
|
|
1605
1606
|
}
|
|
1606
1607
|
return result;
|
|
1607
1608
|
},
|
|
1608
1609
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1609
1610
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1610
1611
|
if (clientId) {
|
|
1611
|
-
logger$
|
|
1612
|
+
logger$k.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1612
1613
|
}
|
|
1613
1614
|
if (resourceId) {
|
|
1614
|
-
logger$
|
|
1615
|
+
logger$k.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
1615
1616
|
}
|
|
1616
|
-
logger$
|
|
1617
|
+
logger$k.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
1617
1618
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), {
|
|
1618
1619
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1619
1620
|
allowInsecureConnection: true }));
|
|
@@ -1624,7 +1625,7 @@ const cloudShellMsi = {
|
|
|
1624
1625
|
|
|
1625
1626
|
// Copyright (c) Microsoft Corporation.
|
|
1626
1627
|
const msiName$4 = "ManagedIdentityCredential - IMDS";
|
|
1627
|
-
const logger$
|
|
1628
|
+
const logger$j = credentialLogger(msiName$4);
|
|
1628
1629
|
/**
|
|
1629
1630
|
* Generates the options used on the request for an access token.
|
|
1630
1631
|
*/
|
|
@@ -1682,7 +1683,7 @@ const imdsMsi = {
|
|
|
1682
1683
|
async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
|
|
1683
1684
|
const resource = mapScopesToResource(scopes);
|
|
1684
1685
|
if (!resource) {
|
|
1685
|
-
logger$
|
|
1686
|
+
logger$j.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
|
|
1686
1687
|
return false;
|
|
1687
1688
|
}
|
|
1688
1689
|
// if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
|
|
@@ -1709,30 +1710,30 @@ const imdsMsi = {
|
|
|
1709
1710
|
// This MSI uses the imdsEndpoint to get the token, which only uses http://
|
|
1710
1711
|
request.allowInsecureConnection = true;
|
|
1711
1712
|
try {
|
|
1712
|
-
logger$
|
|
1713
|
+
logger$j.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
|
|
1713
1714
|
await identityClient.sendRequest(request);
|
|
1714
1715
|
}
|
|
1715
1716
|
catch (err) {
|
|
1716
1717
|
// If the request failed, or Node.js was unable to establish a connection,
|
|
1717
1718
|
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
|
1718
1719
|
if (coreUtil.isError(err)) {
|
|
1719
|
-
logger$
|
|
1720
|
+
logger$j.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
|
|
1720
1721
|
}
|
|
1721
|
-
logger$
|
|
1722
|
+
logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
1722
1723
|
return false;
|
|
1723
1724
|
}
|
|
1724
1725
|
// If we received any response, the endpoint is available
|
|
1725
|
-
logger$
|
|
1726
|
+
logger$j.info(`${msiName$4}: The Azure IMDS endpoint is available`);
|
|
1726
1727
|
return true;
|
|
1727
1728
|
});
|
|
1728
1729
|
},
|
|
1729
1730
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1730
1731
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1731
1732
|
if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
|
|
1732
|
-
logger$
|
|
1733
|
+
logger$j.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
|
|
1733
1734
|
}
|
|
1734
1735
|
else {
|
|
1735
|
-
logger$
|
|
1736
|
+
logger$j.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
|
|
1736
1737
|
}
|
|
1737
1738
|
let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
|
|
1738
1739
|
for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
|
|
@@ -1756,7 +1757,7 @@ const imdsMsi = {
|
|
|
1756
1757
|
|
|
1757
1758
|
// Copyright (c) Microsoft Corporation.
|
|
1758
1759
|
const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
|
|
1759
|
-
const logger$
|
|
1760
|
+
const logger$i = credentialLogger(msiName$3);
|
|
1760
1761
|
/**
|
|
1761
1762
|
* Generates the options used on the request for an access token.
|
|
1762
1763
|
*/
|
|
@@ -1830,12 +1831,12 @@ const arcMsi = {
|
|
|
1830
1831
|
async isAvailable({ scopes }) {
|
|
1831
1832
|
const resource = mapScopesToResource(scopes);
|
|
1832
1833
|
if (!resource) {
|
|
1833
|
-
logger$
|
|
1834
|
+
logger$i.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
|
|
1834
1835
|
return false;
|
|
1835
1836
|
}
|
|
1836
1837
|
const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
|
|
1837
1838
|
if (!result) {
|
|
1838
|
-
logger$
|
|
1839
|
+
logger$i.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
|
|
1839
1840
|
}
|
|
1840
1841
|
return result;
|
|
1841
1842
|
},
|
|
@@ -1843,12 +1844,12 @@ const arcMsi = {
|
|
|
1843
1844
|
var _a;
|
|
1844
1845
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1845
1846
|
if (clientId) {
|
|
1846
|
-
logger$
|
|
1847
|
+
logger$i.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1847
1848
|
}
|
|
1848
1849
|
if (resourceId) {
|
|
1849
|
-
logger$
|
|
1850
|
+
logger$i.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
1850
1851
|
}
|
|
1851
|
-
logger$
|
|
1852
|
+
logger$i.info(`${msiName$3}: Authenticating.`);
|
|
1852
1853
|
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
|
|
1853
1854
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
1854
1855
|
if (!filePath) {
|
|
@@ -1904,7 +1905,7 @@ class MsalClientAssertion extends MsalNode {
|
|
|
1904
1905
|
}
|
|
1905
1906
|
|
|
1906
1907
|
// Copyright (c) Microsoft Corporation.
|
|
1907
|
-
const logger$
|
|
1908
|
+
const logger$h = credentialLogger("ClientAssertionCredential");
|
|
1908
1909
|
/**
|
|
1909
1910
|
* Authenticates a service principal with a JWT assertion.
|
|
1910
1911
|
*/
|
|
@@ -1927,7 +1928,7 @@ class ClientAssertionCredential {
|
|
|
1927
1928
|
this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
1928
1929
|
this.clientId = clientId;
|
|
1929
1930
|
this.options = options;
|
|
1930
|
-
this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$
|
|
1931
|
+
this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$h, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
|
|
1931
1932
|
}
|
|
1932
1933
|
/**
|
|
1933
1934
|
* Authenticates with Azure Active Directory and returns an access token if successful.
|
|
@@ -1939,7 +1940,7 @@ class ClientAssertionCredential {
|
|
|
1939
1940
|
*/
|
|
1940
1941
|
async getToken(scopes, options = {}) {
|
|
1941
1942
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
1942
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
1943
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
|
|
1943
1944
|
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
|
1944
1945
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
1945
1946
|
});
|
|
@@ -1947,6 +1948,20 @@ class ClientAssertionCredential {
|
|
|
1947
1948
|
}
|
|
1948
1949
|
|
|
1949
1950
|
// Copyright (c) Microsoft Corporation.
|
|
1951
|
+
const credentialName$3 = "WorkloadIdentityCredential";
|
|
1952
|
+
/**
|
|
1953
|
+
* Contains the list of all supported environment variable names so that an
|
|
1954
|
+
* appropriate error message can be generated when no credentials can be
|
|
1955
|
+
* configured.
|
|
1956
|
+
*
|
|
1957
|
+
* @internal
|
|
1958
|
+
*/
|
|
1959
|
+
const SupportedWorkloadEnvironmentVariables = [
|
|
1960
|
+
"AZURE_TENANT_ID",
|
|
1961
|
+
"AZURE_CLIENT_ID",
|
|
1962
|
+
"AZURE_FEDERATED_TOKEN_FILE",
|
|
1963
|
+
];
|
|
1964
|
+
const logger$g = credentialLogger(credentialName$3);
|
|
1950
1965
|
/**
|
|
1951
1966
|
* WorkloadIdentityCredential supports Azure workload identity authentication on Kubernetes.
|
|
1952
1967
|
* Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Azure Active Directory Workload Identity</a>
|
|
@@ -1954,18 +1969,38 @@ class ClientAssertionCredential {
|
|
|
1954
1969
|
*/
|
|
1955
1970
|
class WorkloadIdentityCredential {
|
|
1956
1971
|
/**
|
|
1957
|
-
*
|
|
1958
|
-
*
|
|
1959
|
-
* @param options - The identity client options to use for authentication.
|
|
1972
|
+
* @internal
|
|
1973
|
+
* @hidden
|
|
1960
1974
|
*/
|
|
1961
|
-
constructor(options
|
|
1975
|
+
constructor(options) {
|
|
1962
1976
|
this.azureFederatedTokenFileContent = undefined;
|
|
1963
1977
|
this.cacheDate = undefined;
|
|
1964
|
-
|
|
1965
|
-
|
|
1978
|
+
const workloadIdentityCredentialOptions = options;
|
|
1979
|
+
if (workloadIdentityCredentialOptions.clientId &&
|
|
1980
|
+
workloadIdentityCredentialOptions.tenantId &&
|
|
1981
|
+
workloadIdentityCredentialOptions.federatedTokenFilePath) {
|
|
1982
|
+
const tenantId = workloadIdentityCredentialOptions.tenantId;
|
|
1983
|
+
if (tenantId) {
|
|
1984
|
+
checkTenantId(logger$g, tenantId);
|
|
1985
|
+
}
|
|
1986
|
+
this.federatedTokenFilePath = workloadIdentityCredentialOptions.federatedTokenFilePath;
|
|
1987
|
+
logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
|
|
1988
|
+
this.client = new ClientAssertionCredential(tenantId, workloadIdentityCredentialOptions.clientId, this.readFileContents.bind(this), options);
|
|
1989
|
+
}
|
|
1990
|
+
else {
|
|
1991
|
+
// Keep track of any missing environment variables for error details
|
|
1992
|
+
const assigned = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
|
|
1993
|
+
logger$g.info(`Found the following environment variables: ${assigned}`);
|
|
1994
|
+
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, federatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
1995
|
+
this.federatedTokenFilePath = federatedTokenFilePath;
|
|
1996
|
+
if (tenantId) {
|
|
1997
|
+
checkTenantId(logger$g, tenantId);
|
|
1998
|
+
}
|
|
1999
|
+
if (tenantId && clientId && federatedTokenFilePath) {
|
|
2000
|
+
logger$g.info(`Invoking ClientAssertionCredential with the following environment variables tenant ID: ${tenantId}, clientId: ${clientId} and federatedTokenFilePath: [REDACTED]`);
|
|
2001
|
+
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
|
|
2002
|
+
}
|
|
1966
2003
|
}
|
|
1967
|
-
this.federatedTokenFilePath = options.federatedTokenFilePath;
|
|
1968
|
-
this.client = new ClientAssertionCredential(options.tenantId, options.clientId, this.readFileContents.bind(this), options);
|
|
1969
2004
|
}
|
|
1970
2005
|
/**
|
|
1971
2006
|
* Authenticates with Azure Active Directory and returns an access token if successful.
|
|
@@ -1975,7 +2010,17 @@ class WorkloadIdentityCredential {
|
|
|
1975
2010
|
* @param options - The options used to configure any requests this
|
|
1976
2011
|
* TokenCredential implementation might make.
|
|
1977
2012
|
*/
|
|
1978
|
-
getToken(scopes, options) {
|
|
2013
|
+
async getToken(scopes, options) {
|
|
2014
|
+
if (!this.client) {
|
|
2015
|
+
const errorMessage = `${credentialName$3}: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters.
|
|
2016
|
+
In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables -
|
|
2017
|
+
"AZURE_TENANT_ID",
|
|
2018
|
+
"AZURE_CLIENT_ID",
|
|
2019
|
+
"AZURE_FEDERATED_TOKEN_FILE"`;
|
|
2020
|
+
logger$g.info(errorMessage);
|
|
2021
|
+
throw new CredentialUnavailableError(errorMessage);
|
|
2022
|
+
}
|
|
2023
|
+
logger$g.info("Invoking getToken() of Client Assertion Credential");
|
|
1979
2024
|
return this.client.getToken(scopes, options);
|
|
1980
2025
|
}
|
|
1981
2026
|
async readFileContents() {
|
|
@@ -1983,11 +2028,14 @@ class WorkloadIdentityCredential {
|
|
|
1983
2028
|
if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {
|
|
1984
2029
|
this.azureFederatedTokenFileContent = undefined;
|
|
1985
2030
|
}
|
|
2031
|
+
if (!this.federatedTokenFilePath) {
|
|
2032
|
+
throw new CredentialUnavailableError(`${credentialName$3}: is unavailable. Invalid file path provided ${this.federatedTokenFilePath}.`);
|
|
2033
|
+
}
|
|
1986
2034
|
if (!this.azureFederatedTokenFileContent) {
|
|
1987
2035
|
const file = await promises.readFile(this.federatedTokenFilePath, "utf8");
|
|
1988
2036
|
const value = file.trim();
|
|
1989
2037
|
if (!value) {
|
|
1990
|
-
throw new
|
|
2038
|
+
throw new CredentialUnavailableError(`${credentialName$3}: is unavailable. No content on the file ${this.federatedTokenFilePath}.`);
|
|
1991
2039
|
}
|
|
1992
2040
|
else {
|
|
1993
2041
|
this.azureFederatedTokenFileContent = value;
|
|
@@ -3022,7 +3070,7 @@ class ClientCertificateCredential {
|
|
|
3022
3070
|
*/
|
|
3023
3071
|
async getToken(scopes, options = {}) {
|
|
3024
3072
|
return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
|
|
3025
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
3073
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
|
|
3026
3074
|
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
|
3027
3075
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
3028
3076
|
});
|
|
@@ -3101,7 +3149,7 @@ class ClientSecretCredential {
|
|
|
3101
3149
|
*/
|
|
3102
3150
|
async getToken(scopes, options = {}) {
|
|
3103
3151
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3104
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
3152
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
|
|
3105
3153
|
const arrayScopes = ensureScopes(scopes);
|
|
3106
3154
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
3107
3155
|
});
|
|
@@ -3184,7 +3232,7 @@ class UsernamePasswordCredential {
|
|
|
3184
3232
|
*/
|
|
3185
3233
|
async getToken(scopes, options = {}) {
|
|
3186
3234
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3187
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
3235
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$6);
|
|
3188
3236
|
const arrayScopes = ensureScopes(scopes);
|
|
3189
3237
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
3190
3238
|
});
|
|
@@ -3444,18 +3492,20 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
|
|
|
3444
3492
|
// Constructor overload with just the other default options
|
|
3445
3493
|
// Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
|
|
3446
3494
|
constructor(options) {
|
|
3447
|
-
var _a;
|
|
3495
|
+
var _a, _b, _c;
|
|
3448
3496
|
const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
|
|
3497
|
+
const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
|
|
3449
3498
|
const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
|
|
3450
3499
|
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3500
|
+
const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
|
|
3451
3501
|
// ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
|
|
3452
3502
|
if (managedResourceId) {
|
|
3453
3503
|
const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
|
|
3454
3504
|
super(managedIdentityResourceIdOptions);
|
|
3455
3505
|
}
|
|
3456
|
-
else if (workloadFile) {
|
|
3457
|
-
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), {
|
|
3458
|
-
super(workloadIdentityCredentialOptions);
|
|
3506
|
+
else if (workloadFile && workloadIdentityClientId) {
|
|
3507
|
+
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
|
|
3508
|
+
super(workloadIdentityClientId, workloadIdentityCredentialOptions);
|
|
3459
3509
|
}
|
|
3460
3510
|
else if (managedIdentityClientId) {
|
|
3461
3511
|
const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
|
|
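Review bot: The widened condition on new line 3506 (`workloadFile && workloadIdentityClientId`) means a host that has AZURE_FEDERATED_TOKEN_FILE set but no client id now silently skips workload identity and falls through to the plain managed-identity branches, whereas the removed line 3456 took the workload path whenever the file existed; because that fallthrough changes which identity the token request is made as, it deserves a log line (via whichever logger this class uses) stating why workload identity was skipped. The same branch does not require `tenantId`, yet the credential's own getToken (new lines 2017–2021 earlier in this diff) rejects a missing AZURE_TENANT_ID, so with file and client id but no tenant the constructor succeeds and every token call fails instead of falling through as the missing-client-id case does; `else if (workloadFile && workloadIdentityClientId && tenantId) {` would make the two prerequisites consistent. Note also that `workloadIdentityClientId` defaults to `managedIdentityClientId` on new line 3497, so a `managedIdentityClientId` option supplied for MI is reused as the workload identity client id whenever the token file is present — if that is intended, say so in the option's doc comment; if not, default only from `process.env.AZURE_CLIENT_ID`. The constructor body continues past the end of this hunk.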
@@ -3687,7 +3737,7 @@ class InteractiveBrowserCredential {
|
|
|
3687
3737
|
*/
|
|
3688
3738
|
async getToken(scopes, options = {}) {
|
|
3689
3739
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3690
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
3740
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
|
|
3691
3741
|
const arrayScopes = ensureScopes(scopes);
|
|
3692
3742
|
return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
|
|
3693
3743
|
});
|
|
@@ -3800,7 +3850,7 @@ class DeviceCodeCredential {
|
|
|
3800
3850
|
*/
|
|
3801
3851
|
async getToken(scopes, options = {}) {
|
|
3802
3852
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3803
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
3853
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$2);
|
|
3804
3854
|
const arrayScopes = ensureScopes(scopes);
|
|
3805
3855
|
return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
|
|
3806
3856
|
});
|
|
@@ -4001,7 +4051,7 @@ class OnBehalfOfCredential {
|
|
|
4001
4051
|
*/
|
|
4002
4052
|
async getToken(scopes, options = {}) {
|
|
4003
4053
|
return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
|
|
4004
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
4054
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
|
|
4005
4055
|
const arrayScopes = ensureScopes(scopes);
|
|
4006
4056
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
4007
4057
|
});
|
|
@@ -4041,7 +4091,7 @@ exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
|
|
|
4041
4091
|
exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
|
|
4042
4092
|
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
|
4043
4093
|
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
|
4044
|
-
exports.logger = logger$
|
|
4094
|
+
exports.logger = logger$n;
|
|
4045
4095
|
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
|
4046
4096
|
exports.useIdentityPlugin = useIdentityPlugin;
|
|
4047
4097
|
//# sourceMappingURL=index.js.map
|