@azure/identity 3.2.4-alpha.20230727.2 → 3.2.4-alpha.20230807.1

package/dist/index.js

@@ -301,6 +301,8 @@ const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
  * Allow acquiring tokens for any tenant for multi-tentant auth.
  */
 const ALL_TENANTS = ["*"];
+const CACHE_CAE_SUFFIX = ".cae";
+const CACHE_NON_CAE_SUFFIX = ".nocae";
 
 // Copyright (c) Microsoft Corporation.
 /**
@@ -1057,6 +1059,12 @@ class MsalNode extends MsalBaseUtilities {
     constructor(options) {
         var _a, _b, _c, _d;
         super(options);
+        // protected publicApp: msalNode.PublicClientApplication | undefined;
+        // protected publicAppCae: msalNode.PublicClientApplication | undefined;
+        // protected confidentialApp: msalNode.ConfidentialClientApplication | undefined;
+        // protected confidentialAppCae: msalNode.ConfidentialClientApplication | undefined;
+        this.app = {};
+        this.caeApp = {};
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
@@ -1067,7 +1075,10 @@ class MsalNode extends MsalBaseUtilities {
         }
         // If persistence has been configured
         if (persistenceProvider !== undefined && ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled)) {
-            this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
+            const nonCaeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
         }
         else if ((_c = options.tokenCachePersistenceOptions) === null || _c === void 0 ? void 0 : _c.enabled) {
             throw new Error([
@@ -1091,10 +1102,7 @@ class MsalNode extends MsalBaseUtilities {
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        let clientCapabilities = ["cp1"];
-        if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
-            clientCapabilities = [];
-        }
+        const clientCapabilities = [];
         return {
             auth: {
                 clientId,
@@ -1112,6 +1120,21 @@ class MsalNode extends MsalBaseUtilities {
             },
         };
     }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
     /**
      * Prepares the MSAL applications.
      */
@@ -1123,15 +1146,29 @@ class MsalNode extends MsalBaseUtilities {
                 this.identityClient.abortRequests(options.correlationId);
             });
         }
-        if (this.publicApp || this.confidentialApp) {
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
             return;
         }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
+        }
         if (this.createCachePlugin !== undefined) {
             this.msalConfig.cache = {
                 cachePlugin: await this.createCachePlugin(),
             };
         }
-        this.publicApp = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        }
+        else {
+            this.app.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        }
         if (this.getAssertion) {
             this.msalConfig.auth.clientAssertion = await this.getAssertion();
         }
@@ -1139,7 +1176,12 @@ class MsalNode extends MsalBaseUtilities {
         if (this.msalConfig.auth.clientSecret ||
             this.msalConfig.auth.clientAssertion ||
             this.msalConfig.auth.clientCertificate) {
-            this.confidentialApp = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+            else {
+                this.app.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
         }
         else {
             if (this.requiresConfidential) {
@@ -1167,12 +1209,11 @@ class MsalNode extends MsalBaseUtilities {
     /**
      * Returns the existing account, attempts to load the account from MSAL.
      */
-    async getActiveAccount() {
-        var _a, _b, _c;
+    async getActiveAccount(enableCae = false) {
         if (this.account) {
             return this.account;
         }
-        const cache = (_b = (_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.getTokenCache()) !== null && _b !== void 0 ? _b : (_c = this.publicApp) === null || _c === void 0 ? void 0 : _c.getTokenCache();
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
         const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
         if (!accountsByTenant) {
             return;
@@ -1196,7 +1237,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      */
     async getTokenSilent(scopes, options) {
         var _a, _b, _c;
-        await this.getActiveAccount();
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
         if (!this.account) {
             throw new AuthenticationRequiredError({
                 scopes,
@@ -1218,10 +1259,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
              * The following code to retrieve all accounts is done as a workaround in an attempt to force the
              * refresh of the token cache with the token and the account passed in through the
              * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workoaround for silent authentication not happening when authenticationRecord is passed.
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
              */
-            await ((_a = (this.publicApp || this.confidentialApp)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.confidentialApp) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.publicApp.acquireTokenSilent(silentRequest));
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
             return this.handleResult(scopes, this.clientId, response || undefined);
         }
         catch (err) {
@@ -1884,7 +1925,7 @@ class MsalClientAssertion extends MsalNode {
     async doGetToken(scopes, options = {}) {
         try {
             const assertion = await this.getAssertion();
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -2281,6 +2322,7 @@ class ManagedIdentityCredential {
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
                 authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+                clientCapabilities: [],
             },
             system: {
                 loggerOptions: {
@@ -2526,7 +2568,7 @@ function ensureScopes(scopes) {
  * Throws if the received scope is not valid.
  * @internal
  */
-function ensureValidScope(scope, logger) {
+function ensureValidScopeForDevTimeCreds(scope, logger) {
     if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
         const error = new Error("Invalid scope was specified by the user or calling client");
         logger.getToken.info(formatError(scope, error));
@@ -2624,11 +2666,11 @@ class AzureCliCredential {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
         const scope = typeof scopes === "string" ? scopes : scopes[0];
         logger$b.getToken.info(`Using the scope ${scope}`);
-        ensureValidScope(scope, logger$b);
-        const resource = getScopeResource(scope);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             var _a, _b, _c, _d;
             try {
+                ensureValidScopeForDevTimeCreds(scope, logger$b);
+                const resource = getScopeResource(scope);
                 const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
                 const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
                 const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
@@ -2838,10 +2880,10 @@ class AzurePowerShellCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
             const scope = typeof scopes === "string" ? scopes : scopes[0];
-            ensureValidScope(scope, logger$a);
-            logger$a.getToken.info(`Using the scope ${scope}`);
-            const resource = getScopeResource(scope);
             try {
+                ensureValidScopeForDevTimeCreds(scope, logger$a);
+                logger$a.getToken.info(`Using the scope ${scope}`);
+                const resource = getScopeResource(scope);
                 const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
                 logger$a.getToken.info(formatSuccess(scopes));
                 return {
@@ -3039,7 +3081,7 @@ class MsalClientCertificate extends MsalNode {
                 authority: options.authority,
                 claims: options.claims,
             };
-            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -3118,7 +3160,7 @@ class MsalClientSecret extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -3205,7 +3247,7 @@ class MsalUsernamePassword extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
             return this.handleResult(scopes, this.clientId, result || undefined);
         }
         catch (error) {
@@ -3656,8 +3698,8 @@ class MsalOpenBrowser extends MsalNode {
         }
         this.hostname = url.hostname;
     }
-    async acquireTokenByCode(request) {
-        return this.publicApp.acquireTokenByCode(request);
+    async acquireTokenByCode(request, enableCae) {
+        return this.getApp("public", enableCae).acquireTokenByCode(request);
     }
     doGetToken(scopes, options) {
         return new Promise((resolve, reject) => {
@@ -3683,7 +3725,7 @@ class MsalOpenBrowser extends MsalNode {
                     authority: options === null || options === void 0 ? void 0 : options.authority,
                     codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier,
                 };
-                this.acquireTokenByCode(tokenRequest)
+                this.acquireTokenByCode(tokenRequest, options === null || options === void 0 ? void 0 : options.enableCae)
                     .then((authResponse) => {
                     if (authResponse === null || authResponse === void 0 ? void 0 : authResponse.account) {
                         this.account = msalToPublic(this.clientId, authResponse.account);
@@ -3779,7 +3821,7 @@ class MsalOpenBrowser extends MsalNode {
             codeChallenge: this.pkceCodes.challenge,
             codeChallengeMethod: "S256", // Use SHA256 Algorithm
         };
-        const response = await this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
+        const response = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).getAuthCodeUrl(authCodeUrlParameters);
         try {
             // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
             await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
@@ -3880,7 +3922,7 @@ class MsalDeviceCode extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
+            const promise = this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByDeviceCode(requestOptions);
             const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
                 requestOptions.cancel = true;
             });
@@ -3988,19 +4030,21 @@ class MsalAuthorizationCode extends MsalNode {
     }
     async getAuthCodeUrl(options) {
         await this.init();
-        return (this.confidentialApp || this.publicApp).getAuthCodeUrl(options);
+        return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
+            scopes: options.scopes,
+            redirectUri: options.redirectUri,
+        });
     }
     async doGetToken(scopes, options) {
-        var _a;
         try {
-            const result = await ((_a = (this.confidentialApp || this.publicApp)) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+            const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
                 code: this.authorizationCode,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
-            }));
+            });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -4104,7 +4148,7 @@ class MsalOnBehalfOf extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
                 scopes,
                 correlationId: options.correlationId,
                 authority: options.authority,