@azure/identity 3.3.2-alpha.20231013.2 → 3.3.2

package/dist/index.js

@@ -1,9 +1,13 @@
 'use strict';
 
-var msalCommon = require('@azure/msal-node');
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var msalNode = require('@azure/msal-node');
 var logger$o = require('@azure/logger');
+var msalCommon = require('@azure/msal-common');
 var abortController = require('@azure/abort-controller');
 var coreUtil = require('@azure/core-util');
+var uuid = require('uuid');
 var coreClient = require('@azure/core-client');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var coreTracing = require('@azure/core-tracing');
@@ -15,9 +19,14 @@ var https = require('https');
 var child_process = require('child_process');
 var crypto = require('crypto');
 var util = require('util');
+var http = require('http');
 var open = require('open');
+var stoppable = require('stoppable');
+
+function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-function _interopNamespaceDefault(e) {
+function _interopNamespace(e) {
+    if (e && e.__esModule) return e;
     var n = Object.create(null);
     if (e) {
         Object.keys(e).forEach(function (k) {
@@ -30,12 +39,21 @@ function _interopNamespaceDefault(e) {
             }
         });
     }
-    n.default = e;
+    n["default"] = e;
     return Object.freeze(n);
 }
 
-var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
-var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
+var msalNode__namespace = /*#__PURE__*/_interopNamespace(msalNode);
+var msalCommon__namespace = /*#__PURE__*/_interopNamespace(msalCommon);
+var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
+var os__default = /*#__PURE__*/_interopDefaultLegacy(os);
+var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
+var https__default = /*#__PURE__*/_interopDefaultLegacy(https);
+var child_process__default = /*#__PURE__*/_interopDefaultLegacy(child_process);
+var child_process__namespace = /*#__PURE__*/_interopNamespace(child_process);
+var http__default = /*#__PURE__*/_interopDefaultLegacy(http);
+var open__default = /*#__PURE__*/_interopDefaultLegacy(open);
+var stoppable__default = /*#__PURE__*/_interopDefaultLegacy(stoppable);
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -157,7 +175,6 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * The AzureLogger used for all clients within the identity package
  */
@@ -288,7 +305,6 @@ const CACHE_CAE_SUFFIX = ".cae";
 const CACHE_NON_CAE_SUFFIX = ".nocae";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Latest AuthenticationRecord version
  * @internal
@@ -407,7 +423,7 @@ class MsalBaseUtilities {
      * Generates a UUID
      */
     generateUuid() {
-        return coreUtil.randomUUID();
+        return uuid.v4();
     }
     /**
      * Handles the MSAL authentication result.
@@ -518,7 +534,6 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 function createConfigurationErrorMessage(tenantId) {
     return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
 }
@@ -552,13 +567,12 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * @internal
  */
 function checkTenantId(logger, tenantId) {
-    if (!tenantId.match(/^[0-9a-zA-Z-.:/]+$/)) {
-        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names.");
+    if (!tenantId.match(/^[0-9a-zA-Z-.]+$/)) {
+        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names.");
         logger.info(formatError("", error));
         throw error;
     }
@@ -582,7 +596,7 @@ function resolveTenantId(logger, tenantId, clientId) {
 /**
  * @internal
  */
-function resolveAddionallyAllowedTenantIds(additionallyAllowedTenants) {
+function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
     if (!additionallyAllowedTenants || additionallyAllowedTenants.length === 0) {
         return [];
     }
@@ -604,7 +618,6 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -625,7 +638,6 @@ const azureArcAPIVersion = "2019-11-01";
 const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -676,7 +688,6 @@ function parseExpirationTimestamp(body) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -1021,7 +1032,6 @@ var RegionalAuthority;
 })(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -1058,7 +1068,7 @@ class MsalNode extends MsalBaseUtilities {
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
         this.clientId = this.msalConfig.auth.clientId;
         if (options === null || options === void 0 ? void 0 : options.getAssertion) {
             this.getAssertion = options.getAssertion;
@@ -1156,10 +1166,10 @@ class MsalNode extends MsalBaseUtilities {
             };
         }
         if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+            this.caeApp.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
         }
         else {
-            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+            this.app.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
         }
         if (this.getAssertion) {
             this.msalConfig.auth.clientAssertion = await this.getAssertion();
@@ -1169,10 +1179,10 @@ class MsalNode extends MsalBaseUtilities {
             this.msalConfig.auth.clientAssertion ||
             this.msalConfig.auth.clientCertificate) {
             if (options === null || options === void 0 ? void 0 : options.enableCae) {
-                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+                this.caeApp.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
             }
             else {
-                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+                this.app.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
             }
         }
         else {
@@ -1303,7 +1313,6 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const logger$m = credentialLogger("VisualStudioCodeCredential");
@@ -1338,10 +1347,10 @@ function getPropertyFromVSCode(property) {
     const settingsPath = ["User", "settings.json"];
     // Eventually we can add more folders for more versions of VSCode.
     const vsCodeFolder = "Code";
-    const homedir = os.homedir();
+    const homedir = os__default["default"].homedir();
     function loadProperty(...pathSegments) {
-        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
-        const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
+        const fullPath = path__default["default"].join(...pathSegments, vsCodeFolder, ...settingsPath);
+        const settings = JSON.parse(fs__default["default"].readFileSync(fullPath, { encoding: "utf8" }));
         return settings[property];
     }
     try {
@@ -1398,7 +1407,7 @@ class VisualStudioCodeCredential {
         else {
             this.tenantId = CommonTenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         checkUnsupportedTenant(this.tenantId);
     }
     /**
@@ -1484,7 +1493,6 @@ class VisualStudioCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -1526,7 +1534,6 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
 const logger$l = credentialLogger(msiName$6);
 /**
@@ -1594,7 +1601,6 @@ const appServiceMsi2017 = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
 const logger$k = credentialLogger(msiName$5);
 /**
@@ -1666,7 +1672,6 @@ const cloudShellMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$4 = "ManagedIdentityCredential - IMDS";
 const logger$j = credentialLogger(msiName$4);
 /**
@@ -1741,20 +1746,21 @@ const imdsMsi = {
             skipQuery: true,
         });
         return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
-            var _a;
+            var _a, _b;
             requestOptions.tracingOptions = options.tracingOptions;
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
             // returned quickly from the endpoint, proving its availability.
             const request = coreRestPipeline.createPipelineRequest(requestOptions);
-            // Default to 300 if the default of 0 is used.
+            // Default to 1000 if the default of 0 is used.
             // Negative values can still be used to disable the timeout.
-            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 300;
+            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
+            let response;
             try {
                 logger$j.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
-                await identityClient.sendRequest(request);
+                response = await identityClient.sendRequest(request);
             }
             catch (err) {
                 // If the request failed, or Node.js was unable to establish a connection,
@@ -1762,9 +1768,18 @@ const imdsMsi = {
                 if (coreUtil.isError(err)) {
                     logger$j.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
                 }
+                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+                // rather than just timing out, as expected.
                 logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
                 return false;
             }
+            if (response.status === 403) {
+                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("A socket operation was attempted to an unreachable network")) {
+                    logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                    logger$j.info(`${msiName$4}: ${response.bodyAsText}`);
+                    return false;
+                }
+            }
             // If we received any response, the endpoint is available
             logger$j.info(`${msiName$4}: The Azure IMDS endpoint is available`);
             return true;
@@ -1799,7 +1814,6 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
 const logger$i = credentialLogger(msiName$3);
 /**
@@ -1910,7 +1924,6 @@ const arcMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -1950,7 +1963,6 @@ class MsalClientAssertion extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$h = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
@@ -1971,7 +1983,7 @@ class ClientAssertionCredential {
             throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.clientId = clientId;
         this.options = options;
         this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$h, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
@@ -1994,7 +2006,6 @@ class ClientAssertionCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const credentialName$3 = "WorkloadIdentityCredential";
 /**
  * Contains the list of all supported environment variable names so that an
@@ -2093,7 +2104,6 @@ class WorkloadIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$2 = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName$2);
 /**
@@ -2123,7 +2133,6 @@ function tokenExchangeMsi() {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 // This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
 //
 //   FROM node:12
@@ -2202,7 +2211,7 @@ const fabricMsi = {
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
         ].join(" "));
         const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https.Agent({
+        request.agent = new https__default["default"].Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
             rejectUnauthorized: false,
@@ -2213,7 +2222,6 @@ const fabricMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
 const logger$d = credentialLogger(msiName);
 /**
@@ -2281,7 +2289,6 @@ const appServiceMsi2019 = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$c = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
@@ -2289,7 +2296,7 @@ const logger$c = credentialLogger("ManagedIdentityCredential");
  * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
  *
  * More information about configuring managed identities can be found here:
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  */
 class ManagedIdentityCredential {
     /**
@@ -2321,9 +2328,8 @@ class ManagedIdentityCredential {
         /**  authority host validation and metadata discovery to be skipped in managed identity
          * since this wasn't done previously before adding token cache support
          */
-        this.confidentialApp = new msalCommon.ConfidentialClientApplication({
+        this.confidentialApp = new msalNode.ConfidentialClientApplication({
             auth: {
-                authority: "https://login.microsoftonline.com/managed_identity",
                 clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
@@ -2411,7 +2417,7 @@ class ManagedIdentityCredential {
                 else {
                     const appTokenParameters = {
                         correlationId: this.identityClient.getCorrelationId(),
-                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
+                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
                         scopes: Array.isArray(scopes) ? scopes : [scopes],
                         claims: options === null || options === void 0 ? void 0 : options.claims,
                     };
@@ -2480,6 +2486,15 @@ class ManagedIdentityCredential {
             if (err.statusCode === 400) {
                 throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
+            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+            // rather than just timing out, as expected.
+            if (err.statusCode === 403 || err.code === 403) {
+                if (err.message.includes("A socket operation was attempted to an unreachable network")) {
+                    const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+                    logger$c.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+            }
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
             if (err.statusCode === undefined) {
@@ -2563,7 +2578,6 @@ class ManagedIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2576,7 +2590,7 @@ function ensureScopes(scopes) {
  * @internal
  */
 function ensureValidScopeForDevTimeCreds(scope, logger) {
-    if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
+    if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
         const error = new Error("Invalid scope was specified by the user or calling client");
         logger.getToken.info(formatError(scope, error));
         throw error;
@@ -2591,7 +2605,6 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2623,7 +2636,7 @@ const cliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("az", [
+                child_process__default["default"].execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
@@ -2662,7 +2675,7 @@ class AzureCliCredential {
             checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
             this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
@@ -2728,7 +2741,6 @@ class AzureCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2759,7 +2771,6 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$a = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
@@ -2844,7 +2855,7 @@ class AzurePowerShellCredential {
             checkTenantId(logger$a, options === null || options === void 0 ? void 0 : options.tenantId);
             this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
@@ -2937,7 +2948,6 @@ class AzurePowerShellCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * @internal
  */
@@ -3016,7 +3026,6 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const readFileAsync = util.promisify(fs.readFile);
 /**
  * Tries to asynchronously load a certificate from the given path.
@@ -3122,7 +3131,6 @@ class MsalClientCertificate extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const credentialName$2 = "ClientCertificateCredential";
 const logger$8 = credentialLogger(credentialName$2);
 /**
@@ -3130,7 +3138,7 @@ const logger$8 = credentialLogger(credentialName$2);
  * certificate that is assigned to an App Registration. More information
  * on how to configure certificate authentication can be found here:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ * https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
  *
  */
 class ClientCertificateCredential {
@@ -3139,7 +3147,7 @@ class ClientCertificateCredential {
             throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
             ? {
                 certificatePath: certificatePathOrConfiguration,
@@ -3177,7 +3185,6 @@ class ClientCertificateCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -3208,7 +3215,6 @@ class MsalClientSecret extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$7 = credentialLogger("ClientSecretCredential");
 /**
  * Enables authentication to Azure Active Directory using a client secret
@@ -3234,7 +3240,7 @@ class ClientSecretCredential {
             throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$7,
             clientId,
             tenantId,
@@ -3258,7 +3264,6 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
  * @internal
@@ -3289,7 +3294,6 @@ class MsalUsernamePassword extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$6 = credentialLogger("UsernamePasswordCredential");
 /**
  * Enables authentication to Azure Active Directory with a user's
@@ -3314,7 +3318,7 @@ class UsernamePasswordCredential {
             throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$6,
             clientId,
             tenantId,
@@ -3343,7 +3347,6 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3456,7 +3459,6 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -3488,7 +3490,7 @@ const developerCliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("azd", [
+                child_process__default["default"].execFile("azd", [
                     "auth",
                     "token",
                     "--output",
@@ -3548,7 +3550,7 @@ class AzureDeveloperCliCredential {
             checkTenantId(logger$4, options === null || options === void 0 ? void 0 : options.tenantId);
             this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
@@ -3620,7 +3622,6 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * A shim around ManagedIdentityCredential that adapts it to accept
  * `DefaultAzureCredentialOptions`.
@@ -3717,13 +3718,12 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * A call to open(), but mockable
  * @internal
  */
 const interactiveBrowserMockable = {
-    open,
+    open: open__default["default"],
 };
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
@@ -3733,31 +3733,151 @@ const interactiveBrowserMockable = {
 class MsalOpenBrowser extends MsalNode {
     constructor(options) {
         super(options);
-        this.loginHint = options.loginHint;
         this.logger = credentialLogger("Node.js MSAL Open Browser");
+        this.redirectUri = options.redirectUri;
+        this.loginHint = options.loginHint;
+        const url = new URL(this.redirectUri);
+        this.port = parseInt(url.port);
+        if (isNaN(this.port)) {
+            this.port = 80;
+        }
+        this.hostname = url.hostname;
     }
-    async doGetToken(scopes, options) {
-        try {
-            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive({
-                openBrowser: async (url) => {
-                    await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
-                },
-                scopes,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                loginHint: this.loginHint,
+    async acquireTokenByCode(request, enableCae) {
+        return this.getApp("public", enableCae).acquireTokenByCode(request);
+    }
+    doGetToken(scopes, options) {
+        return new Promise((resolve, reject) => {
+            const socketToDestroy = [];
+            const requestListener = (req, res) => {
+                var _a;
+                if (!req.url) {
+                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
+                    return;
+                }
+                let url;
+                try {
+                    url = new URL(req.url, this.redirectUri);
+                }
+                catch (e) {
+                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
+                    return;
+                }
+                const tokenRequest = {
+                    code: url.searchParams.get("code"),
+                    redirectUri: this.redirectUri,
+                    scopes: scopes,
+                    authority: options === null || options === void 0 ? void 0 : options.authority,
+                    codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier,
+                };
+                this.acquireTokenByCode(tokenRequest, options === null || options === void 0 ? void 0 : options.enableCae)
+                    .then((authResponse) => {
+                    if (authResponse === null || authResponse === void 0 ? void 0 : authResponse.account) {
+                        this.account = msalToPublic(this.clientId, authResponse.account);
+                    }
+                    const successMessage = `Authentication Complete. You can close the browser and return to the application.`;
+                    if (authResponse && authResponse.expiresOn) {
+                        const expiresOnTimestamp = authResponse === null || authResponse === void 0 ? void 0 : authResponse.expiresOn.valueOf();
+                        res.writeHead(200);
+                        res.end(successMessage);
+                        this.logger.getToken.info(formatSuccess(scopes));
+                        resolve({
+                            expiresOnTimestamp,
+                            token: authResponse.accessToken,
+                        });
+                    }
+                    else {
+                        const errorMessage = formatError(scopes, `${url.searchParams.get("error")}. ${url.searchParams.get("error_description")}`);
+                        res.writeHead(500);
+                        res.end(errorMessage);
+                        this.logger.getToken.info(errorMessage);
+                        reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
+                    }
+                    cleanup();
+                    return;
+                })
+                    .catch(() => {
+                    const errorMessage = formatError(scopes, `${url.searchParams.get("error")}. ${url.searchParams.get("error_description")}`);
+                    res.writeHead(500);
+                    res.end(errorMessage);
+                    this.logger.getToken.info(errorMessage);
+                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
+                    cleanup();
+                });
+            };
+            const app = http__default["default"].createServer(requestListener);
+            const server = stoppable__default["default"](app);
+            const listen = app.listen(this.port, this.hostname, () => this.logger.info(`InteractiveBrowserCredential listening on port ${this.port}!`));
+            function cleanup() {
+                if (listen) {
+                    listen.close();
+                }
+                for (const socket of socketToDestroy) {
+                    socket.destroy();
+                }
+                if (server) {
+                    server.close();
+                    server.stop();
+                }
+            }
+            app.on("connection", (socket) => socketToDestroy.push(socket));
+            app.on("error", (err) => {
+                cleanup();
+                const code = err.code;
+                if (code === "EACCES" || code === "EADDRINUSE") {
+                    reject(new CredentialUnavailableError([
+                        `InteractiveBrowserCredential: Access denied to port ${this.port}.`,
+                        `Try sending a redirect URI with a different port, as follows:`,
+                        '`new InteractiveBrowserCredential({ redirectUri: "http://localhost:1337" })`',
+                    ].join(" ")));
+                }
+                else {
+                    reject(new CredentialUnavailableError(`InteractiveBrowserCredential: Failed to start the necessary web server. Error: ${err.message}`));
+                }
             });
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            app.on("listening", () => {
+                const openPromise = this.openAuthCodeUrl(scopes, options);
+                const abortSignal = options === null || options === void 0 ? void 0 : options.abortSignal;
+                if (abortSignal) {
+                    abortSignal.addEventListener("abort", () => {
+                        cleanup();
+                        reject(new Error("Aborted"));
+                    });
+                }
+                openPromise.catch((e) => {
+                    cleanup();
+                    reject(e);
+                });
+            });
+        });
+    }
+    async openAuthCodeUrl(scopeArray, options) {
+        // Initialize CryptoProvider instance
+        const cryptoProvider = new msalNode__namespace.CryptoProvider();
+        // Generate PKCE Codes before starting the authorization flow
+        this.pkceCodes = await cryptoProvider.generatePkceCodes();
+        const authCodeUrlParameters = {
+            scopes: scopeArray,
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+            redirectUri: this.redirectUri,
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+            loginHint: this.loginHint,
+            codeChallenge: this.pkceCodes.challenge,
+            codeChallengeMethod: "S256", // Use SHA256 Algorithm
+        };
+        const response = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).getAuthCodeUrl(authCodeUrlParameters);
+        try {
+            // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
+            await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
         }
-        catch (err) {
-            throw this.handleError(scopes, err, options);
+        catch (e) {
+            throw new CredentialUnavailableError(`InteractiveBrowserCredential: Could not open a browser window. Error: ${e.message}`);
         }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$3 = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
@@ -3781,7 +3901,7 @@ class InteractiveBrowserCredential {
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
@@ -3828,7 +3948,6 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL device code client. Calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`.
  * @internal
@@ -3861,7 +3980,6 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$2 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -3897,7 +4015,7 @@ class DeviceCodeCredential {
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$2, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
@@ -3940,7 +4058,6 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
  * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
@@ -3984,7 +4101,6 @@ class MsalAuthorizationCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
@@ -4016,7 +4132,7 @@ class AuthorizationCodeCredential {
         }
         // TODO: Validate tenant if provided
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
             clientId,
             tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
@@ -4040,7 +4156,6 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
  * @internal
@@ -4094,11 +4209,10 @@ class MsalOnBehalfOf extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
- * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
 class OnBehalfOfCredential {
     constructor(options) {
@@ -4110,7 +4224,7 @@ class OnBehalfOfCredential {
             throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(additionallyAllowedTenantIds);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
         this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
     }
     /**
@@ -4130,7 +4244,6 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */