npm - @azure/identity - Versions diffs - 3.2.4 → 3.3.0 - Mend

@azure/identity 3.2.4 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (39) hide show

package/README.md CHANGED Viewed

@@ -137,6 +137,12 @@ If used from Node.js, the `DefaultAzureCredential` will attempt to authenticate
 1. **Azure CLI** - If the developer has authenticated an account via the Azure CLI `az login` command, the `DefaultAzureCredential` will authenticate with that account.
 1. **Azure PowerShell** - If the developer has authenticated using the Azure PowerShell module `Connect-AzAccount` command, the `DefaultAzureCredential` will authenticate with that account.
+#### Continuation policy
+As of version 3.3.0, `DefaultAzureCredential` will attempt to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so `DefaultAzureCredential` will continue to the next credential in the flow. Deployed service credentials will stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one.
+This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.
 #### Note about `VisualStudioCodeCredential`
 Due to a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500), `VisualStudioCodeCredential` has been removed from the `DefaultAzureCredential` token chain. When the issue is resolved in a future release, this change will be reverted.
@@ -161,10 +167,10 @@ This example demonstrates authenticating the `KeyClient` from the [@azure/keyvau
 // If environment configuration is incomplete, it will try managed identity.
 // Azure Key Vault service to use
-const { KeyClient } = require("@azure/keyvault-keys");
+import { KeyClient } from "@azure/keyvault-keys";
 // Azure authentication library to access Azure Key Vault
-const { DefaultAzureCredential } = require("@azure/identity");
+import { DefaultAzureCredential } from "@azure/identity";
 // Azure SDK clients accept the credential as a parameter
 const credential = new DefaultAzureCredential();
@@ -181,8 +187,8 @@ A relatively common scenario involves authenticating using a user-assigned manag
 While the `DefaultAzureCredential` is generally the quickest way to get started developing applications for Azure, more advanced users may want to customize the credentials considered when authenticating. The `ChainedTokenCredential` enables users to combine multiple credential instances to define a customized chain of credentials. This example demonstrates creating a `ChainedTokenCredential` which will attempt to authenticate using two differently configured instances of `ClientSecretCredential`, to then authenticate the `KeyClient` from the [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):
-```javascript
-const { ClientSecretCredential, ChainedTokenCredential } = require("@azure/identity");
+```typescript
+import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
 // When an access token is requested, the chain will try each
 // credential in order, stopping when one provides a token
@@ -191,7 +197,7 @@ const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, a
 const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
 // The chain can be used anywhere a credential is required
-const { KeyClient } = require("@azure/keyvault-keys");
+import { KeyClient } from "@azure/keyvault-keys";
 const client = new KeyClient(vaultUrl, credentialChain);
 ```
@@ -213,7 +219,7 @@ For examples of how to use managed identity for authentication, see [the example
 Credentials default to authenticating to the Azure AD endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `authorityHost` argument in the constructor. The `AzureAuthorityHosts` interface defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way:
-```ts
+```typescript
 import { AzureAuthorityHosts, ClientSecretCredential } from "@azure/identity";
 const credential = new ClientSecretCredential(
   "<YOUR_TENANT_ID>",
@@ -237,7 +243,7 @@ Not all credentials require this configuration. Credentials that authenticate th
 | [`ChainedTokenCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/chainedtokencredential?view=azure-node-latest)       | Allows users to define custom authentication flows composing multiple credentials.                               | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#chaining-credentials)                                            |
 | [`EnvironmentCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/environmentcredential?view=azure-node-latest)         | Authenticates a service principal or user via credential information specified in environment variables.         | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-environment-credentials) |
 | [`ManagedIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest) | Authenticates the managed identity of an Azure resource.                                                         | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-in-azure-with-managed-identity)                   |
-|`WorkloadIdentityCredential`| Supports [Azure AD workload identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. | |
+| [`WorkloadIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/workloadidentitycredential?view=azure-node-latest)| Supports [Azure AD workload identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. | |
 ### Authenticate service principals
@@ -261,8 +267,8 @@ Not all credentials require this configuration. Credentials that authenticate th
 | Credential                                                                                                                                | Usage                                                             | Example                                                                                                                                                                   | Reference                                                                                           |
 | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |
-| `AzureDeveloperCliCredential`        | Authenticate in a development environment with the enabled user or service principal in Azure Developer CLI.     |         | [Azure Developer CLI Reference](https://learn.microsoft.com/azure/developer/azure-developer-cli/reference)             |
 | [`AzureCliCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/azureclicredential?view=azure-node-latest)               | Authenticate in a development environment with the Azure CLI.     | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-user-account-with-azure-cli)        | [Azure CLI authentication](https://learn.microsoft.com/cli/azure/authenticate-azure-cli)             |
+| [`AzureDeveloperCliCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/azuredeveloperclicredential?view=azure-node-latest)        | Authenticate in a development environment with the enabled user or service principal in Azure Developer CLI.     |         | [Azure Developer CLI Reference](https://learn.microsoft.com/azure/developer/azure-developer-cli/reference)             |
 | [`AzurePowerShellCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/azurepowershellcredential?view=azure-node-latest) | Authenticate in a development environment using Azure PowerShell. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-user-account-with-azure-powershell) | [Azure PowerShell authentication](https://learn.microsoft.com/powershell/azure/authenticate-azureps) |
 | [`VisualStudioCodeCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/visualstudiocodecredential?view=azure-node-latest)	| Authenticates as the user signed in to the Visual Studio Code Azure Account extension.|  |	[VS Code Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
@@ -298,8 +304,14 @@ Not all credentials require this configuration. Credentials that authenticate th
 Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.
+## Continuous Access Evaluation
+As of version 3.3.0, accessing resources protected by [Continuous Access Evaluation](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) (CAE) is possible on a per-request basis. This can be enabled using the [`GetTokenOptions.enableCae(boolean)` API](https://learn.microsoft.com/javascript/api/@azure/core-auth/gettokenoptions?view=azure-node-latest#@azure-core-auth-gettokenoptions-enablecae). CAE isn't supported for developer credentials.
 ## Token caching
 Token caching is a feature provided by the Azure Identity library that allows apps to:
 - Cache tokens in memory (default) and on disk (opt-in).
 - Improve resilience and performance.
 - Reduce the number of requests made to Azure AD to obtain access tokens.
@@ -308,54 +320,6 @@ The Azure Identity library offers both in-memory and persistent disk caching. Fo
 ## Troubleshooting
-### Error handling
-Credentials raise `AuthenticationError` when they fail to authenticate. This class has a `message` field which describes why authentication failed. An `AggregateAuthenticationError` will be raised by `ChainedTokenCredential` with an `errors` field containing an array of errors from each credential in the chain.
-### Logging
-Enabling logging may help uncover useful information about failures.
-To see a log of HTTP requests and responses, set the `AZURE_LOG_LEVEL` environment variable to `info`.
-You can read this environment variable from the _.env_ file by explicitly specifying a file path:
-```javascript
-require("dotenv").config({ path: ".env" });
-```
-Alternatively, logging can be enabled at runtime by calling `setLogLevel` from the `@azure/logger` package:
-```javascript
-import { setLogLevel } from "@azure/logger";
-setLogLevel("info");
-```
-In cases where the authenticate code might be running in an environment with more than one credential available,
-the `@azure/identity` package offers a unique form of logging. On the optional parameters for every credential,
-developers can set `allowLoggingAccountIdentifiers` to true in the
-`loggingOptions` to log information specific to the authenticated account after
-each successful authentication, including the Client ID, the Tenant ID, the
-Object ID of the authenticated user, and if possible the User Principal Name.
-For example, using the `DefaultAzureCredential`:
-```js
-import { setLogLevel } from "@azure/logger";
-setLogLevel("info");
-const credential = new DefaultAzureCredential({
-  loggingOptions: { allowLoggingAccountIdentifiers: true },
-});
-```
-Once that credential authenticates, the following message will appear in the logs (with the real information instead of `HIDDEN`):
-```
-azure:identity:info [Authenticated account] Client ID: HIDDEN. Tenant ID: HIDDEN. User Principal Name: HIDDEN. Object ID (user): HIDDEN
-```
 For assistance with troubleshooting, see the [troubleshooting guide](https://aka.ms/azsdk/js/identity/troubleshoot).
 ## Next steps

package/dist/index.js CHANGED Viewed

@@ -257,7 +257,7 @@ function credentialLogger(title, log = logger$n) {
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `3.2.4`;
+const SDK_VERSION = `3.3.0`;
 /**
  * The default client ID for authentication
  * @internal
@@ -301,6 +301,8 @@ const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
  * Allow acquiring tokens for any tenant for multi-tentant auth.
  */
 const ALL_TENANTS = ["*"];
+const CACHE_CAE_SUFFIX = ".cae";
+const CACHE_NON_CAE_SUFFIX = ".nocae";
 // Copyright (c) Microsoft Corporation.
 /**
@@ -1057,6 +1059,12 @@ class MsalNode extends MsalBaseUtilities {
     constructor(options) {
         var _a, _b, _c, _d;
         super(options);
+        // protected publicApp: msalNode.PublicClientApplication | undefined;
+        // protected publicAppCae: msalNode.PublicClientApplication | undefined;
+        // protected confidentialApp: msalNode.ConfidentialClientApplication | undefined;
+        // protected confidentialAppCae: msalNode.ConfidentialClientApplication | undefined;
+        this.app = {};
+        this.caeApp = {};
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
@@ -1067,7 +1075,10 @@ class MsalNode extends MsalBaseUtilities {
         }
         // If persistence has been configured
         if (persistenceProvider !== undefined && ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled)) {
-            this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
+            const nonCaeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
         }
         else if ((_c = options.tokenCachePersistenceOptions) === null || _c === void 0 ? void 0 : _c.enabled) {
             throw new Error([
@@ -1086,15 +1097,13 @@ class MsalNode extends MsalBaseUtilities {
      * Generates a MSAL configuration that generally works for Node.js
      */
     defaultNodeMsalConfig(options) {
+        var _a;
         const clientId = options.clientId || DeveloperSignOnClientId;
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        let clientCapabilities = ["cp1"];
-        if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
-            clientCapabilities = [];
-        }
+        const clientCapabilities = [];
         return {
             auth: {
                 clientId,
@@ -1108,10 +1117,26 @@ class MsalNode extends MsalBaseUtilities {
                 loggerOptions: {
                     loggerCallback: defaultLoggerCallback(options.logger),
                     logLevel: getMSALLogLevel(logger$o.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
                 },
             },
         };
     }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
     /**
      * Prepares the MSAL applications.
      */
@@ -1123,15 +1148,29 @@ class MsalNode extends MsalBaseUtilities {
                 this.identityClient.abortRequests(options.correlationId);
             });
         }
-        if (this.publicApp || this.confidentialApp) {
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
             return;
         }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
+        }
         if (this.createCachePlugin !== undefined) {
             this.msalConfig.cache = {
                 cachePlugin: await this.createCachePlugin(),
             };
         }
-        this.publicApp = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        }
+        else {
+            this.app.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        }
         if (this.getAssertion) {
             this.msalConfig.auth.clientAssertion = await this.getAssertion();
         }
@@ -1139,7 +1178,12 @@ class MsalNode extends MsalBaseUtilities {
         if (this.msalConfig.auth.clientSecret ||
             this.msalConfig.auth.clientAssertion ||
             this.msalConfig.auth.clientCertificate) {
-            this.confidentialApp = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+            else {
+                this.app.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
         }
         else {
             if (this.requiresConfidential) {
@@ -1167,12 +1211,11 @@ class MsalNode extends MsalBaseUtilities {
     /**
      * Returns the existing account, attempts to load the account from MSAL.
      */
-    async getActiveAccount() {
-        var _a, _b, _c;
+    async getActiveAccount(enableCae = false) {
         if (this.account) {
             return this.account;
         }
-        const cache = (_b = (_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.getTokenCache()) !== null && _b !== void 0 ? _b : (_c = this.publicApp) === null || _c === void 0 ? void 0 : _c.getTokenCache();
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
         const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
         if (!accountsByTenant) {
             return;
@@ -1196,7 +1239,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      */
     async getTokenSilent(scopes, options) {
         var _a, _b, _c;
-        await this.getActiveAccount();
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
         if (!this.account) {
             throw new AuthenticationRequiredError({
                 scopes,
@@ -1218,10 +1261,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
              * The following code to retrieve all accounts is done as a workaround in an attempt to force the
              * refresh of the token cache with the token and the account passed in through the
              * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workoaround for silent authentication not happening when authenticationRecord is passed.
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
              */
-            await ((_a = (this.publicApp || this.confidentialApp)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.confidentialApp) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.publicApp.acquireTokenSilent(silentRequest));
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
             return this.handleResult(scopes, this.clientId, response || undefined);
         }
         catch (err) {
@@ -1884,7 +1927,7 @@ class MsalClientAssertion extends MsalNode {
     async doGetToken(scopes, options = {}) {
         try {
             const assertion = await this.getAssertion();
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -2281,6 +2324,7 @@ class ManagedIdentityCredential {
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
                 authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+                clientCapabilities: [],
             },
             system: {
                 loggerOptions: {
@@ -2526,7 +2570,7 @@ function ensureScopes(scopes) {
  * Throws if the received scope is not valid.
  * @internal
  */
-function ensureValidScope(scope, logger) {
+function ensureValidScopeForDevTimeCreds(scope, logger) {
     if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
         const error = new Error("Invalid scope was specified by the user or calling client");
         logger.getToken.info(formatError(scope, error));
@@ -2624,11 +2668,11 @@ class AzureCliCredential {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
         const scope = typeof scopes === "string" ? scopes : scopes[0];
         logger$b.getToken.info(`Using the scope ${scope}`);
-        ensureValidScope(scope, logger$b);
-        const resource = getScopeResource(scope);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             var _a, _b, _c, _d;
             try {
+                ensureValidScopeForDevTimeCreds(scope, logger$b);
+                const resource = getScopeResource(scope);
                 const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
                 const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
                 const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
@@ -2838,10 +2882,10 @@ class AzurePowerShellCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
             const scope = typeof scopes === "string" ? scopes : scopes[0];
-            ensureValidScope(scope, logger$a);
-            logger$a.getToken.info(`Using the scope ${scope}`);
-            const resource = getScopeResource(scope);
             try {
+                ensureValidScopeForDevTimeCreds(scope, logger$a);
+                logger$a.getToken.info(`Using the scope ${scope}`);
+                const resource = getScopeResource(scope);
                 const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
                 logger$a.getToken.info(formatSuccess(scopes));
                 return {
@@ -3039,7 +3083,7 @@ class MsalClientCertificate extends MsalNode {
                 authority: options.authority,
                 claims: options.claims,
             };
-            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -3118,7 +3162,7 @@ class MsalClientSecret extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -3205,7 +3249,7 @@ class MsalUsernamePassword extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
             return this.handleResult(scopes, this.clientId, result || undefined);
         }
         catch (error) {
@@ -3656,8 +3700,8 @@ class MsalOpenBrowser extends MsalNode {
         }
         this.hostname = url.hostname;
     }
-    async acquireTokenByCode(request) {
-        return this.publicApp.acquireTokenByCode(request);
+    async acquireTokenByCode(request, enableCae) {
+        return this.getApp("public", enableCae).acquireTokenByCode(request);
     }
     doGetToken(scopes, options) {
         return new Promise((resolve, reject) => {
@@ -3683,7 +3727,7 @@ class MsalOpenBrowser extends MsalNode {
                     authority: options === null || options === void 0 ? void 0 : options.authority,
                     codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier,
                 };
-                this.acquireTokenByCode(tokenRequest)
+                this.acquireTokenByCode(tokenRequest, options === null || options === void 0 ? void 0 : options.enableCae)
                     .then((authResponse) => {
                     if (authResponse === null || authResponse === void 0 ? void 0 : authResponse.account) {
                         this.account = msalToPublic(this.clientId, authResponse.account);
@@ -3779,7 +3823,7 @@ class MsalOpenBrowser extends MsalNode {
             codeChallenge: this.pkceCodes.challenge,
             codeChallengeMethod: "S256", // Use SHA256 Algorithm
         };
-        const response = await this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
+        const response = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).getAuthCodeUrl(authCodeUrlParameters);
         try {
             // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
             await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
@@ -3880,7 +3924,7 @@ class MsalDeviceCode extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
+            const promise = this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByDeviceCode(requestOptions);
             const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
                 requestOptions.cancel = true;
             });
@@ -3988,19 +4032,21 @@ class MsalAuthorizationCode extends MsalNode {
     }
     async getAuthCodeUrl(options) {
         await this.init();
-        return (this.confidentialApp || this.publicApp).getAuthCodeUrl(options);
+        return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
+            scopes: options.scopes,
+            redirectUri: options.redirectUri,
+        });
     }
     async doGetToken(scopes, options) {
-        var _a;
         try {
-            const result = await ((_a = (this.confidentialApp || this.publicApp)) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+            const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
                 code: this.authorizationCode,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
-            }));
+            });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -4104,7 +4150,7 @@ class MsalOnBehalfOf extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
                 scopes,
                 correlationId: options.correlationId,
                 authority: options.authority,