npm - @azure/identity - Versions diffs - 3.2.4 → 3.3.0-alpha.20230811.1 - Mend

@azure/identity 3.2.4 → 3.3.0-alpha.20230811.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (39) hide show

package/README.md CHANGED Viewed

@@ -161,10 +161,10 @@ This example demonstrates authenticating the `KeyClient` from the [@azure/keyvau
 // If environment configuration is incomplete, it will try managed identity.
 // Azure Key Vault service to use
-const { KeyClient } = require("@azure/keyvault-keys");
+import { KeyClient } from "@azure/keyvault-keys";
 // Azure authentication library to access Azure Key Vault
-const { DefaultAzureCredential } = require("@azure/identity");
+import { DefaultAzureCredential } from "@azure/identity";
 // Azure SDK clients accept the credential as a parameter
 const credential = new DefaultAzureCredential();
@@ -181,8 +181,8 @@ A relatively common scenario involves authenticating using a user-assigned manag
 While the `DefaultAzureCredential` is generally the quickest way to get started developing applications for Azure, more advanced users may want to customize the credentials considered when authenticating. The `ChainedTokenCredential` enables users to combine multiple credential instances to define a customized chain of credentials. This example demonstrates creating a `ChainedTokenCredential` which will attempt to authenticate using two differently configured instances of `ClientSecretCredential`, to then authenticate the `KeyClient` from the [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):
-```javascript
-const { ClientSecretCredential, ChainedTokenCredential } = require("@azure/identity");
+```typescript
+import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
 // When an access token is requested, the chain will try each
 // credential in order, stopping when one provides a token
@@ -191,7 +191,7 @@ const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, a
 const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
 // The chain can be used anywhere a credential is required
-const { KeyClient } = require("@azure/keyvault-keys");
+import { KeyClient } from "@azure/keyvault-keys";
 const client = new KeyClient(vaultUrl, credentialChain);
 ```
@@ -213,7 +213,7 @@ For examples of how to use managed identity for authentication, see [the example
 Credentials default to authenticating to the Azure AD endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `authorityHost` argument in the constructor. The `AzureAuthorityHosts` interface defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way:
-```ts
+```typescript
 import { AzureAuthorityHosts, ClientSecretCredential } from "@azure/identity";
 const credential = new ClientSecretCredential(
   "<YOUR_TENANT_ID>",
@@ -237,7 +237,7 @@ Not all credentials require this configuration. Credentials that authenticate th
 | [`ChainedTokenCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/chainedtokencredential?view=azure-node-latest)       | Allows users to define custom authentication flows composing multiple credentials.                               | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#chaining-credentials)                                            |
 | [`EnvironmentCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/environmentcredential?view=azure-node-latest)         | Authenticates a service principal or user via credential information specified in environment variables.         | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-environment-credentials) |
 | [`ManagedIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest) | Authenticates the managed identity of an Azure resource.                                                         | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-in-azure-with-managed-identity)                   |
-|`WorkloadIdentityCredential`| Supports [Azure AD workload identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. | |
+| [`WorkloadIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/workloadidentitycredential?view=azure-node-latest)| Supports [Azure AD workload identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. | |
 ### Authenticate service principals
@@ -261,8 +261,8 @@ Not all credentials require this configuration. Credentials that authenticate th
 | Credential                                                                                                                                | Usage                                                             | Example                                                                                                                                                                   | Reference                                                                                           |
 | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |
-| `AzureDeveloperCliCredential`        | Authenticate in a development environment with the enabled user or service principal in Azure Developer CLI.     |         | [Azure Developer CLI Reference](https://learn.microsoft.com/azure/developer/azure-developer-cli/reference)             |
 | [`AzureCliCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/azureclicredential?view=azure-node-latest)               | Authenticate in a development environment with the Azure CLI.     | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-user-account-with-azure-cli)        | [Azure CLI authentication](https://learn.microsoft.com/cli/azure/authenticate-azure-cli)             |
+| [`AzureDeveloperCliCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/azuredeveloperclicredential?view=azure-node-latest)        | Authenticate in a development environment with the enabled user or service principal in Azure Developer CLI.     |         | [Azure Developer CLI Reference](https://learn.microsoft.com/azure/developer/azure-developer-cli/reference)             |
 | [`AzurePowerShellCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/azurepowershellcredential?view=azure-node-latest) | Authenticate in a development environment using Azure PowerShell. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-user-account-with-azure-powershell) | [Azure PowerShell authentication](https://learn.microsoft.com/powershell/azure/authenticate-azureps) |
 | [`VisualStudioCodeCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/visualstudiocodecredential?view=azure-node-latest)	| Authenticates as the user signed in to the Visual Studio Code Azure Account extension.|  |	[VS Code Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
@@ -299,7 +299,9 @@ Not all credentials require this configuration. Credentials that authenticate th
 Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.
 ## Token caching
 Token caching is a feature provided by the Azure Identity library that allows apps to:
 - Cache tokens in memory (default) and on disk (opt-in).
 - Improve resilience and performance.
 - Reduce the number of requests made to Azure AD to obtain access tokens.
@@ -325,7 +327,7 @@ require("dotenv").config({ path: ".env" });
 Alternatively, logging can be enabled at runtime by calling `setLogLevel` from the `@azure/logger` package:
-```javascript
+```typescript
 import { setLogLevel } from "@azure/logger";
 setLogLevel("info");
@@ -340,7 +342,7 @@ Object ID of the authenticated user, and if possible the User Principal Name.
 For example, using the `DefaultAzureCredential`:
-```js
+```ts
 import { setLogLevel } from "@azure/logger";
 setLogLevel("info");
@@ -356,6 +358,21 @@ Once that credential authenticates, the following message will appear in the log
 azure:identity:info [Authenticated account] Client ID: HIDDEN. Tenant ID: HIDDEN. User Principal Name: HIDDEN. Object ID (user): HIDDEN
 ```
+In cases where the user's [Personally Identifiable Information](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/PII) needs to be logged for customer support, developers can set `enableSupportLogging` to true in the
+`loggingOptions`.
+For example, using the `DefaultAzureCredential`:
+```ts
+import { setLogLevel } from "@azure/logger";
+setLogLevel("info");
+const credential = new DefaultAzureCredential({
+  loggingOptions: { enableSupportLogging: true },
+});
+```
 For assistance with troubleshooting, see the [troubleshooting guide](https://aka.ms/azsdk/js/identity/troubleshoot).
 ## Next steps

package/dist/index.js CHANGED Viewed

@@ -257,7 +257,7 @@ function credentialLogger(title, log = logger$n) {
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `3.2.4`;
+const SDK_VERSION = `3.3.0`;
 /**
  * The default client ID for authentication
  * @internal
@@ -301,6 +301,8 @@ const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
  * Allow acquiring tokens for any tenant for multi-tentant auth.
  */
 const ALL_TENANTS = ["*"];
+const CACHE_CAE_SUFFIX = ".cae";
+const CACHE_NON_CAE_SUFFIX = ".nocae";
 // Copyright (c) Microsoft Corporation.
 /**
@@ -1057,6 +1059,12 @@ class MsalNode extends MsalBaseUtilities {
     constructor(options) {
         var _a, _b, _c, _d;
         super(options);
+        // protected publicApp: msalNode.PublicClientApplication | undefined;
+        // protected publicAppCae: msalNode.PublicClientApplication | undefined;
+        // protected confidentialApp: msalNode.ConfidentialClientApplication | undefined;
+        // protected confidentialAppCae: msalNode.ConfidentialClientApplication | undefined;
+        this.app = {};
+        this.caeApp = {};
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
@@ -1067,7 +1075,10 @@ class MsalNode extends MsalBaseUtilities {
         }
         // If persistence has been configured
         if (persistenceProvider !== undefined && ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled)) {
-            this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
+            const nonCaeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
         }
         else if ((_c = options.tokenCachePersistenceOptions) === null || _c === void 0 ? void 0 : _c.enabled) {
             throw new Error([
@@ -1086,15 +1097,13 @@ class MsalNode extends MsalBaseUtilities {
      * Generates a MSAL configuration that generally works for Node.js
      */
     defaultNodeMsalConfig(options) {
+        var _a;
         const clientId = options.clientId || DeveloperSignOnClientId;
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        let clientCapabilities = ["cp1"];
-        if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
-            clientCapabilities = [];
-        }
+        const clientCapabilities = [];
         return {
             auth: {
                 clientId,
@@ -1108,10 +1117,26 @@ class MsalNode extends MsalBaseUtilities {
                 loggerOptions: {
                     loggerCallback: defaultLoggerCallback(options.logger),
                     logLevel: getMSALLogLevel(logger$o.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
                 },
             },
         };
     }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
     /**
      * Prepares the MSAL applications.
      */
@@ -1123,15 +1148,29 @@ class MsalNode extends MsalBaseUtilities {
                 this.identityClient.abortRequests(options.correlationId);
             });
         }
-        if (this.publicApp || this.confidentialApp) {
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
             return;
         }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
+        }
         if (this.createCachePlugin !== undefined) {
             this.msalConfig.cache = {
                 cachePlugin: await this.createCachePlugin(),
             };
         }
-        this.publicApp = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        }
+        else {
+            this.app.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        }
         if (this.getAssertion) {
             this.msalConfig.auth.clientAssertion = await this.getAssertion();
         }
@@ -1139,7 +1178,12 @@ class MsalNode extends MsalBaseUtilities {
         if (this.msalConfig.auth.clientSecret ||
             this.msalConfig.auth.clientAssertion ||
             this.msalConfig.auth.clientCertificate) {
-            this.confidentialApp = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+            else {
+                this.app.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
         }
         else {
             if (this.requiresConfidential) {
@@ -1167,12 +1211,11 @@ class MsalNode extends MsalBaseUtilities {
     /**
      * Returns the existing account, attempts to load the account from MSAL.
      */
-    async getActiveAccount() {
-        var _a, _b, _c;
+    async getActiveAccount(enableCae = false) {
         if (this.account) {
             return this.account;
         }
-        const cache = (_b = (_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.getTokenCache()) !== null && _b !== void 0 ? _b : (_c = this.publicApp) === null || _c === void 0 ? void 0 : _c.getTokenCache();
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
         const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
         if (!accountsByTenant) {
             return;
@@ -1196,7 +1239,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      */
     async getTokenSilent(scopes, options) {
         var _a, _b, _c;
-        await this.getActiveAccount();
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
         if (!this.account) {
             throw new AuthenticationRequiredError({
                 scopes,
@@ -1218,10 +1261,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
              * The following code to retrieve all accounts is done as a workaround in an attempt to force the
              * refresh of the token cache with the token and the account passed in through the
              * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workoaround for silent authentication not happening when authenticationRecord is passed.
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
              */
-            await ((_a = (this.publicApp || this.confidentialApp)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.confidentialApp) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.publicApp.acquireTokenSilent(silentRequest));
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
             return this.handleResult(scopes, this.clientId, response || undefined);
         }
         catch (err) {
@@ -1884,7 +1927,7 @@ class MsalClientAssertion extends MsalNode {
     async doGetToken(scopes, options = {}) {
         try {
             const assertion = await this.getAssertion();
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -2281,6 +2324,7 @@ class ManagedIdentityCredential {
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
                 authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+                clientCapabilities: [],
             },
             system: {
                 loggerOptions: {
@@ -2526,7 +2570,7 @@ function ensureScopes(scopes) {
  * Throws if the received scope is not valid.
  * @internal
  */
-function ensureValidScope(scope, logger) {
+function ensureValidScopeForDevTimeCreds(scope, logger) {
     if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
         const error = new Error("Invalid scope was specified by the user or calling client");
         logger.getToken.info(formatError(scope, error));
@@ -2624,11 +2668,11 @@ class AzureCliCredential {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
         const scope = typeof scopes === "string" ? scopes : scopes[0];
         logger$b.getToken.info(`Using the scope ${scope}`);
-        ensureValidScope(scope, logger$b);
-        const resource = getScopeResource(scope);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             var _a, _b, _c, _d;
             try {
+                ensureValidScopeForDevTimeCreds(scope, logger$b);
+                const resource = getScopeResource(scope);
                 const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
                 const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
                 const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
@@ -2838,10 +2882,10 @@ class AzurePowerShellCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
             const scope = typeof scopes === "string" ? scopes : scopes[0];
-            ensureValidScope(scope, logger$a);
-            logger$a.getToken.info(`Using the scope ${scope}`);
-            const resource = getScopeResource(scope);
             try {
+                ensureValidScopeForDevTimeCreds(scope, logger$a);
+                logger$a.getToken.info(`Using the scope ${scope}`);
+                const resource = getScopeResource(scope);
                 const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
                 logger$a.getToken.info(formatSuccess(scopes));
                 return {
@@ -3039,7 +3083,7 @@ class MsalClientCertificate extends MsalNode {
                 authority: options.authority,
                 claims: options.claims,
             };
-            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -3118,7 +3162,7 @@ class MsalClientSecret extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -3205,7 +3249,7 @@ class MsalUsernamePassword extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
             return this.handleResult(scopes, this.clientId, result || undefined);
         }
         catch (error) {
@@ -3656,8 +3700,8 @@ class MsalOpenBrowser extends MsalNode {
         }
         this.hostname = url.hostname;
     }
-    async acquireTokenByCode(request) {
-        return this.publicApp.acquireTokenByCode(request);
+    async acquireTokenByCode(request, enableCae) {
+        return this.getApp("public", enableCae).acquireTokenByCode(request);
     }
     doGetToken(scopes, options) {
         return new Promise((resolve, reject) => {
@@ -3683,7 +3727,7 @@ class MsalOpenBrowser extends MsalNode {
                     authority: options === null || options === void 0 ? void 0 : options.authority,
                     codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier,
                 };
-                this.acquireTokenByCode(tokenRequest)
+                this.acquireTokenByCode(tokenRequest, options === null || options === void 0 ? void 0 : options.enableCae)
                     .then((authResponse) => {
                     if (authResponse === null || authResponse === void 0 ? void 0 : authResponse.account) {
                         this.account = msalToPublic(this.clientId, authResponse.account);
@@ -3779,7 +3823,7 @@ class MsalOpenBrowser extends MsalNode {
             codeChallenge: this.pkceCodes.challenge,
             codeChallengeMethod: "S256", // Use SHA256 Algorithm
         };
-        const response = await this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
+        const response = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).getAuthCodeUrl(authCodeUrlParameters);
         try {
             // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
             await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
@@ -3880,7 +3924,7 @@ class MsalDeviceCode extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
+            const promise = this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByDeviceCode(requestOptions);
             const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
                 requestOptions.cancel = true;
             });
@@ -3988,19 +4032,21 @@ class MsalAuthorizationCode extends MsalNode {
     }
     async getAuthCodeUrl(options) {
         await this.init();
-        return (this.confidentialApp || this.publicApp).getAuthCodeUrl(options);
+        return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
+            scopes: options.scopes,
+            redirectUri: options.redirectUri,
+        });
     }
     async doGetToken(scopes, options) {
-        var _a;
         try {
-            const result = await ((_a = (this.confidentialApp || this.publicApp)) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+            const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
                 code: this.authorizationCode,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
-            }));
+            });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -4104,7 +4150,7 @@ class MsalOnBehalfOf extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
                 scopes,
                 correlationId: options.correlationId,
                 authority: options.authority,