@azure/identity 3.2.0-beta.1 → 3.2.0

package/README.md

@@ -68,9 +68,9 @@ While we recommend using managed identity or service principal authentication in
 
 Developers coding outside of an IDE can also use the [Azure Developer CLI][azure_developer_cli] to authenticate. Applications using the `DefaultAzureCredential` or the `AzureDeveloperCliCredential` can then use this account to authenticate calls in their application when running locally.
 
-To authenticate with the [Azure Developer CLI][azure_developer_cli], users can run the command `azd login`. For users running on a system with a default web browser, the Azure Developer CLI will launch the browser to authenticate the user.
+To authenticate with the [Azure Developer CLI][azure_developer_cli], users can run the command `azd auth login`. For users running on a system with a default web browser, the Azure Developer CLI will launch the browser to authenticate the user.
 
-For systems without a default web browser, the `azd login --use-device-code` command will use the device code authentication flow.
+For systems without a default web browser, the `azd auth login --use-device-code` command will use the device code authentication flow.
 
 #### Authenticate via the Azure CLI
 
@@ -133,7 +133,7 @@ If used from Node.js, the `DefaultAzureCredential` will attempt to authenticate
 1. **Environment** - The `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate.
 1. **Workload Identity** - If the application is deployed to Azure Kubernetes Service with Managed Identity enabled, `DefaultAzureCredential` will authenticate with it.
 1. **Managed Identity** - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account.
-1. **Azure Developer CLI** - If the developer has authenticated an account via the Azure Developer CLI `azd login` command, the `DefaultAzureCredential` will authenticate with that account.
+1. **Azure Developer CLI** - If the developer has authenticated an account via the Azure Developer CLI `azd auth login` command, the `DefaultAzureCredential` will authenticate with that account.
 1. **Azure CLI** - If the developer has authenticated an account via the Azure CLI `az login` command, the `DefaultAzureCredential` will authenticate with that account.
 1. **Azure PowerShell** - If the developer has authenticated using the Azure PowerShell module `Connect-AzAccount` command, the `DefaultAzureCredential` will authenticate with that account.
 
@@ -298,6 +298,14 @@ Not all credentials require this configuration. Credentials that authenticate th
 
 Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.
 
+## Token caching
+Token caching is a feature provided by the Azure Identity library that allows apps to:
+- Cache tokens in memory (default) and on disk (opt-in).
+- Improve resilience and performance.
+- Reduce the number of requests made to Azure AD to obtain access tokens.
+
+The Azure Identity library offers both in-memory and persistent disk caching. For more details, see the [token caching documentation](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/TOKEN_CACHING.md).
+
 ## Troubleshooting
 
 ### Error handling

package/dist/index.js

@@ -257,7 +257,7 @@ function credentialLogger(title, log = logger$n) {
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `3.2.0-beta.1`;
+const SDK_VERSION = `3.2.0`;
 /**
  * The default client ID for authentication
  * @internal
@@ -473,7 +473,7 @@ class MsalBaseUtilities {
 }
 // transformations.ts
 function publicToMsal(account) {
-    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [];
+    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
     return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
 }
 function msalToPublic(clientId, account) {
@@ -667,7 +667,7 @@ function mapScopesToResource(scopes) {
  * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
  * @param body - A parsed response body from the authentication endpoint.
  */
-function parseExpiresOn(body) {
+function parseExpirationTimestamp(body) {
     if (typeof body.expires_on === "number") {
         return body.expires_on * 1000;
     }
@@ -743,7 +743,7 @@ class IdentityClient extends coreClient.ServiceClient {
             const token = {
                 accessToken: {
                     token: parsedBody.access_token,
-                    expiresOnTimestamp: parseExpiresOn(parsedBody),
+                    expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
                 },
                 refreshToken: parsedBody.refresh_token,
             };
@@ -1197,7 +1197,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * Attempts to retrieve a token from cache.
      */
     async getTokenSilent(scopes, options) {
-        var _a, _b;
+        var _a, _b, _c;
         await this.getActiveAccount();
         if (!this.account) {
             throw new AuthenticationRequiredError({
@@ -1216,7 +1216,14 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         };
         try {
             this.logger.info("Attempting to acquire token silently");
-            const response = (_b = (await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenSilent(silentRequest)))) !== null && _b !== void 0 ? _b : (await this.publicApp.acquireTokenSilent(silentRequest));
+            /**
+             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
+             * refresh of the token cache with the token and the account passed in through the
+             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
+             * This workaround serves as a workoaround for silent authentication not happening when authenticationRecord is passed.
+             */
+            await ((_a = (this.publicApp || this.confidentialApp)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.confidentialApp) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.publicApp.acquireTokenSilent(silentRequest));
             return this.handleResult(scopes, this.clientId, response || undefined);
         }
         catch (err) {
@@ -1963,43 +1970,42 @@ const SupportedWorkloadEnvironmentVariables = [
 ];
 const logger$g = credentialLogger(credentialName$3);
 /**
- * WorkloadIdentityCredential supports Azure workload identity authentication on Kubernetes.
- * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Azure Active Directory Workload Identity</a>
- * for more information.
+ * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
+ * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
+ * authentication, applications authenticate themselves using their own identity, rather than using a shared service
+ * principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account
+ * Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload
+ * Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for
+ * each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't
+ * need to worry about storing and securing sensitive credentials themselves.
+ * The WorkloadIdentityCredential supports Azure workload identity authentication on Azure Kubernetes and acquires
+ * a token using the SACs available in the Azure Kubernetes environment.
+ * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Azure Active Directory
+ * Workload Identity</a> for more information.
  */
 class WorkloadIdentityCredential {
     /**
-     * @internal
-     * @hidden
+     * WorkloadIdentityCredential supports Azure workload identity on Kubernetes.
+     *
+     * @param options - The identity client options to use for authentication.
      */
     constructor(options) {
         this.azureFederatedTokenFileContent = undefined;
         this.cacheDate = undefined;
+        // Logging environment variables for error details
+        const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
+        logger$g.info(`Found the following environment variables: ${assignedEnv}`);
         const workloadIdentityCredentialOptions = options;
-        if (workloadIdentityCredentialOptions.clientId &&
-            workloadIdentityCredentialOptions.tenantId &&
-            workloadIdentityCredentialOptions.federatedTokenFilePath) {
-            const tenantId = workloadIdentityCredentialOptions.tenantId;
-            if (tenantId) {
-                checkTenantId(logger$g, tenantId);
-            }
-            this.federatedTokenFilePath = workloadIdentityCredentialOptions.federatedTokenFilePath;
-            logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
-            this.client = new ClientAssertionCredential(tenantId, workloadIdentityCredentialOptions.clientId, this.readFileContents.bind(this), options);
+        const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
+        const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
+        this.federatedTokenFilePath =
+            workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
+        if (tenantId) {
+            checkTenantId(logger$g, tenantId);
         }
-        else {
-            // Keep track of any missing environment variables for error details
-            const assigned = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
-            logger$g.info(`Found the following environment variables: ${assigned}`);
-            const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, federatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
-            this.federatedTokenFilePath = federatedTokenFilePath;
-            if (tenantId) {
-                checkTenantId(logger$g, tenantId);
-            }
-            if (tenantId && clientId && federatedTokenFilePath) {
-                logger$g.info(`Invoking ClientAssertionCredential with the following environment variables tenant ID: ${tenantId}, clientId: ${clientId} and federatedTokenFilePath: [REDACTED]`);
-                this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
-            }
+        if (clientId && tenantId && this.federatedTokenFilePath) {
+            logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
+            this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
         }
     }
     /**
@@ -2016,7 +2022,7 @@ class WorkloadIdentityCredential {
       In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
       "AZURE_TENANT_ID",
       "AZURE_CLIENT_ID",
-      "AZURE_FEDERATED_TOKEN_FILE"`;
+      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  `;
             logger$g.info(errorMessage);
             throw new CredentialUnavailableError(errorMessage);
         }
@@ -2068,7 +2074,7 @@ function tokenExchangeMsi() {
         async getToken(configuration, getTokenOptions = {}) {
             const { scopes, clientId } = configuration;
             const identityClientTokenCredentialOptions = {};
-            const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, federatedTokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
+            const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
             const token = await workloadIdentityCredential.getToken(scopes, getTokenOptions);
             return token;
         },
@@ -2249,6 +2255,7 @@ class ManagedIdentityCredential {
     constructor(clientIdOrOptions, options) {
         var _a;
         this.isEndpointUnavailable = null;
+        this.isAppTokenProviderInitialized = false;
         let _options;
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
@@ -2357,27 +2364,32 @@ class ManagedIdentityCredential {
                         scopes: Array.isArray(scopes) ? scopes : [scopes],
                         claims: options === null || options === void 0 ? void 0 : options.claims,
                     };
-                    this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
-                        logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
-                        const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
-                        if (resultToken) {
-                            logger$c.info(`SetAppTokenProvider has saved the token in cache`);
-                            const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
-                                ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
-                                : 0;
-                            return {
-                                accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
-                                expiresInSeconds,
-                            };
-                        }
-                        else {
-                            logger$c.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
-                            return {
-                                accessToken: "no_access_token_returned",
-                                expiresInSeconds: 0,
-                            };
-                        }
-                    });
+                    // Added a check to see if SetAppTokenProvider was already defined.
+                    // Don't redefine it if it's already defined, since it should be static method.
+                    if (!this.isAppTokenProviderInitialized) {
+                        this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
+                            logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
+                            const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
+                            if (resultToken) {
+                                logger$c.info(`SetAppTokenProvider has saved the token in cache`);
+                                const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
+                                    ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
+                                    : 0;
+                                return {
+                                    accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
+                                    expiresInSeconds,
+                                };
+                            }
+                            else {
+                                logger$c.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
+                                return {
+                                    accessToken: "no_access_token_returned",
+                                    expiresInSeconds: 0,
+                                };
+                            }
+                        });
+                        this.isAppTokenProviderInitialized = true;
+                    }
                     const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
                     result = this.handleResult(scopes, authenticationResult || undefined);
                 }
@@ -2547,7 +2559,7 @@ const cliCredentialInternals = {
      * @param resource - The resource to use when getting the token
      * @internal
      */
-    async getAzureCliAccessToken(resource, tenantId) {
+    async getAzureCliAccessToken(resource, tenantId, timeout) {
         let tenantSection = [];
         if (tenantId) {
             tenantSection = ["--tenant", tenantId];
@@ -2562,7 +2574,7 @@ const cliCredentialInternals = {
                     "--resource",
                     resource,
                     ...tenantSection,
-                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
+                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true, timeout }, (error, stdout, stderr) => {
                     resolve({ stdout: stdout, stderr: stderr, error });
                 });
             }
@@ -2591,6 +2603,7 @@ class AzureCliCredential {
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -2609,7 +2622,7 @@ class AzureCliCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             var _a, _b, _c, _d;
             try {
-                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
+                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
                 const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
                 const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
                 const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
@@ -2702,11 +2715,14 @@ function formatCommand(commandName) {
  * If anything fails, an error is thrown.
  * @internal
  */
-async function runCommands(commands) {
+async function runCommands(commands, timeout) {
     const results = [];
     for (const command of commands) {
         const [file, ...parameters] = command;
-        const result = (await processUtils.execFile(file, parameters, { encoding: "utf8" }));
+        const result = (await processUtils.execFile(file, parameters, {
+            encoding: "utf8",
+            timeout,
+        }));
         results.push(result);
     }
     return results;
@@ -2761,16 +2777,17 @@ class AzurePowerShellCredential {
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
      * Gets the access token from Azure PowerShell
      * @param resource - The resource to use when getting the token
      */
-    async getAzurePowerShellAccessToken(resource, tenantId) {
+    async getAzurePowerShellAccessToken(resource, tenantId, timeout) {
         // Clone the stack to avoid mutating it while iterating
         for (const powerShellCommand of [...commandStack]) {
             try {
-                await runCommands([[powerShellCommand, "/?"]]);
+                await runCommands([[powerShellCommand, "/?"]], timeout);
             }
             catch (e) {
                 // Remove this credential from the original stack so that we don't try it again.
@@ -2818,7 +2835,7 @@ class AzurePowerShellCredential {
             logger$a.getToken.info(`Using the scope ${scope}`);
             const resource = getScopeResource(scope);
             try {
-                const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
+                const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
                 logger$a.getToken.info(formatSuccess(scopes));
                 return {
                     token: response.Token,
@@ -2884,14 +2901,18 @@ class ChainedTokenCredential {
      *                `TokenCredential` implementation might make.
      */
     async getToken(scopes, options = {}) {
+        const { token } = await this.getTokenInternal(scopes, options);
+        return token;
+    }
+    async getTokenInternal(scopes, options = {}) {
         let token = null;
-        let successfulCredentialName = "";
+        let successfulCredential;
         const errors = [];
         return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
             for (let i = 0; i < this._sources.length && token === null; i++) {
                 try {
                     token = await this._sources[i].getToken(scopes, updatedOptions);
-                    successfulCredentialName = this._sources[i].constructor.name;
+                    successfulCredential = this._sources[i];
                 }
                 catch (err) {
                     if (err.name === "CredentialUnavailableError" ||
@@ -2909,11 +2930,11 @@ class ChainedTokenCredential {
                 logger$9.getToken.info(formatError(scopes, err));
                 throw err;
             }
-            logger$9.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
+            logger$9.getToken.info(`Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`);
             if (token === null) {
                 throw new CredentialUnavailableError("Failed to retrieve a valid token");
             }
-            return token;
+            return { token, successfulCredential };
         });
     }
 }
@@ -3376,7 +3397,7 @@ const developerCliCredentialInternals = {
      * @param scopes - The scopes to use when getting the token
      * @internal
      */
-    async getAzdAccessToken(scopes, tenantId) {
+    async getAzdAccessToken(scopes, tenantId, timeout) {
         let tenantSection = [];
         if (tenantId) {
             tenantSection = ["--tenant-id", tenantId];
@@ -3390,7 +3411,11 @@ const developerCliCredentialInternals = {
                     "json",
                     ...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
                     ...tenantSection,
-                ], { cwd: developerCliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
+                ], {
+                    cwd: developerCliCredentialInternals.getSafeWorkingDir(),
+                    shell: true,
+                    timeout,
+                }, (error, stdout, stderr) => {
                     resolve({ stdout, stderr, error });
                 });
             }
@@ -3402,23 +3427,43 @@ const developerCliCredentialInternals = {
 };
 const logger$4 = credentialLogger("AzureDeveloperCliCredential");
 /**
- * This credential will use the currently logged-in user login information
- * via the Azure Developer CLI ('az') commandline tool.
- * To do so, it will read the user access token and expire time
- * with Azure Developer CLI command "azd auth token".
+ * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
+ * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
+ * to Azure developers. It allows users to authenticate as a user and/or a service principal against
+ * <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Azure Active Directory (Azure AD)
+ * </a>. The AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
+ * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
+ * service principal and executes an Azure CLI command underneath to authenticate the application against
+ * Azure Active Directory.
+ *
+ * <h2> Configure AzureDeveloperCliCredential </h2>
+ *
+ * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
+ * commands below:
+ *
+ * <ol>
+ *     <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
+ *     <li>Run "azd auth login --client-id clientID --client-secret clientSecret
+ *     --tenant-id tenantID" to authenticate as a service principal.</li>
+ * </ol>
+ *
+ * You may need to repeat this process after a certain time period, depending on the refresh token validity in your
+ * organization. Generally, the refresh token validity period is a few weeks to a few months.
+ * AzureDeveloperCliCredential will prompt you to sign in again.
  */
 class AzureDeveloperCliCredential {
     /**
      * Creates an instance of the {@link AzureDeveloperCliCredential}.
      *
      * To use this credential, ensure that you have already logged
-     * in via the 'azd' tool using the command "azd login" from the commandline.
+     * in via the 'azd' tool using the command "azd auth login" from the commandline.
      *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
@@ -3439,19 +3484,20 @@ class AzureDeveloperCliCredential {
         }
         logger$4.getToken.info(`Using the scopes ${scopes}`);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
-            var _a, _b, _c;
+            var _a, _b, _c, _d;
             try {
-                const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId);
-                const isNotLoggedInError = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login");
-                const isNotInstallError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("azd:(.*)not found")) ||
-                    ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.startsWith("'azd' is not recognized"));
+                const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
+                const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
+                    ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
+                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
+                    ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
                 if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
-                    const error = new CredentialUnavailableError("Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd login'.");
+                    const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
                     logger$4.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 if (isNotLoggedInError) {
-                    const error = new CredentialUnavailableError("Please run 'azd login' from a command prompt to authenticate before using this credential.");
+                    const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
                     logger$4.getToken.info(formatError(scopes, error));
                     throw error;
                 }
@@ -3516,13 +3562,56 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
         }
     }
 }
+/**
+ * A shim around WorkloadIdentityCredential that adapts it to accept
+ * `DefaultAzureCredentialOptions`.
+ *
+ * @internal
+ */
+class DefaultWorkloadIdentityCredential extends WorkloadIdentityCredential {
+    // Constructor overload with just the other default options
+    // Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
+    constructor(options) {
+        var _a, _b, _c;
+        const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
+        const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
+        const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
+        const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
+        if (workloadFile && workloadIdentityClientId) {
+            const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
+            super(workloadIdentityCredentialOptions);
+        }
+        else if (tenantId) {
+            const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
+            super(workloadIdentityClientTenantOptions);
+        }
+        else {
+            super(options);
+        }
+    }
+}
+class DefaultAzureDeveloperCliCredential extends AzureDeveloperCliCredential {
+    constructor(options) {
+        super(Object.assign({ processTimeoutInMs: options === null || options === void 0 ? void 0 : options.processTimeoutInMs }, options));
+    }
+}
+class DefaultAzureCliCredential extends AzureCliCredential {
+    constructor(options) {
+        super(Object.assign({ processTimeoutInMs: options === null || options === void 0 ? void 0 : options.processTimeoutInMs }, options));
+    }
+}
+class DefaultAzurePowershellCredential extends AzurePowerShellCredential {
+    constructor(options) {
+        super(Object.assign({ processTimeoutInMs: options === null || options === void 0 ? void 0 : options.processTimeoutInMs }, options));
+    }
+}
 const defaultCredentials = [
     EnvironmentCredential,
-    WorkloadIdentityCredential,
+    DefaultWorkloadIdentityCredential,
     DefaultManagedIdentityCredential,
-    AzureDeveloperCliCredential,
-    AzureCliCredential,
-    AzurePowerShellCredential,
+    DefaultAzureDeveloperCliCredential,
+    DefaultAzureCliCredential,
+    DefaultAzurePowershellCredential,
 ];
 /**
  * Provides a default {@link ChainedTokenCredential} configuration that should
@@ -4073,6 +4162,7 @@ exports.AuthenticationErrorName = AuthenticationErrorName;
 exports.AuthenticationRequiredError = AuthenticationRequiredError;
 exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
 exports.AzureCliCredential = AzureCliCredential;
+exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential;
 exports.AzurePowerShellCredential = AzurePowerShellCredential;
 exports.ChainedTokenCredential = ChainedTokenCredential;
 exports.ClientAssertionCredential = ClientAssertionCredential;