@azure/identity 4.0.1-alpha.20240109.1 → 4.0.1-alpha.20240112.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +344 -195
- package/dist/index.js.map +1 -1
- package/dist-esm/src/client/identityClient.js +23 -16
- package/dist-esm/src/client/identityClient.js.map +1 -1
- package/dist-esm/src/constants.js +8 -0
- package/dist-esm/src/constants.js.map +1 -1
- package/dist-esm/src/credentials/authorizationCodeCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/authorizationCodeCredential.js +14 -4
- package/dist-esm/src/credentials/authorizationCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/azureApplicationCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/azureCliCredential.js +8 -9
- package/dist-esm/src/credentials/azureCliCredential.js.map +1 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js +9 -10
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js.map +1 -1
- package/dist-esm/src/credentials/azurePowerShellCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/azurePowerShellCredential.js +5 -5
- package/dist-esm/src/credentials/azurePowerShellCredential.js.map +1 -1
- package/dist-esm/src/credentials/chainedTokenCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientAssertionCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/clientAssertionCredential.js +9 -2
- package/dist-esm/src/credentials/clientAssertionCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js +15 -8
- package/dist-esm/src/credentials/clientCertificateCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientSecretCredential.browser.js +2 -2
- package/dist-esm/src/credentials/clientSecretCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/clientSecretCredential.js +7 -3
- package/dist-esm/src/credentials/clientSecretCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +46 -17
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +1 -1
- package/dist-esm/src/credentials/deviceCodeCredential.js +13 -5
- package/dist-esm/src/credentials/deviceCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/environmentCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/environmentCredential.js +2 -3
- package/dist-esm/src/credentials/environmentCredential.js.map +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js +15 -6
- package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.js +26 -13
- package/dist-esm/src/credentials/interactiveBrowserCredential.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js +5 -2
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js +5 -2
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js +12 -5
- package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js +5 -2
- package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js +6 -1
- package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js +8 -6
- package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js +18 -12
- package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/models.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js +7 -1
- package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/utils.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js +5 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js.map +1 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.browser.js +1 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.js +7 -3
- package/dist-esm/src/credentials/usernamePasswordCredential.js.map +1 -1
- package/dist-esm/src/credentials/visualStudioCodeCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/visualStudioCodeCredential.js +6 -4
- package/dist-esm/src/credentials/visualStudioCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.js +1 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.js.map +1 -1
- package/dist-esm/src/errors.js.map +1 -1
- package/dist-esm/src/msal/browserFlows/msalAuthCode.js +7 -8
- package/dist-esm/src/msal/browserFlows/msalAuthCode.js.map +1 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js +7 -6
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js +4 -4
- package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientAssertion.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientSecret.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js +5 -5
- package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js +40 -31
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalOnBehalfOf.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalOpenBrowser.js +7 -9
- package/dist-esm/src/msal/nodeFlows/msalOpenBrowser.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalUsernamePassword.js +4 -4
- package/dist-esm/src/msal/nodeFlows/msalUsernamePassword.js.map +1 -1
- package/dist-esm/src/msal/utils.browser.js +6 -2
- package/dist-esm/src/msal/utils.browser.js.map +1 -1
- package/dist-esm/src/msal/utils.js +6 -2
- package/dist-esm/src/msal/utils.js.map +1 -1
- package/dist-esm/src/plugins/provider.js.map +1 -1
- package/dist-esm/src/util/authHostEnv.browser.js.map +1 -1
- package/dist-esm/src/util/logging.js +6 -2
- package/dist-esm/src/util/logging.js.map +1 -1
- package/dist-esm/src/util/processMultiTenantRequest.browser.js +1 -2
- package/dist-esm/src/util/processMultiTenantRequest.browser.js.map +1 -1
- package/dist-esm/src/util/processMultiTenantRequest.js +2 -3
- package/dist-esm/src/util/processMultiTenantRequest.js.map +1 -1
- package/dist-esm/src/util/processUtils.js.map +1 -1
- package/dist-esm/src/util/tenantIdUtils.js.map +1 -1
- package/package.json +3 -4
package/dist/index.js
CHANGED
|
@@ -190,7 +190,7 @@ function formatSuccess(scope) {
|
|
|
190
190
|
*/
|
|
191
191
|
function formatError(scope, error) {
|
|
192
192
|
let message = "ERROR.";
|
|
193
|
-
if (scope
|
|
193
|
+
if (scope?.length) {
|
|
194
194
|
message += ` Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
|
|
195
195
|
}
|
|
196
196
|
return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
|
|
@@ -234,7 +234,11 @@ function credentialLoggerInstance(title, parent, log = logger$n) {
|
|
|
234
234
|
*/
|
|
235
235
|
function credentialLogger(title, log = logger$n) {
|
|
236
236
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
237
|
-
return
|
|
237
|
+
return {
|
|
238
|
+
...credLogger,
|
|
239
|
+
parent: log,
|
|
240
|
+
getToken: credentialLoggerInstance("=> getToken()", credLogger, log),
|
|
241
|
+
};
|
|
238
242
|
}
|
|
239
243
|
|
|
240
244
|
// Copyright (c) Microsoft Corporation.
|
|
@@ -279,14 +283,22 @@ exports.AzureAuthorityHosts = void 0;
|
|
|
279
283
|
AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
|
|
280
284
|
})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
|
|
281
285
|
/**
|
|
286
|
+
* @internal
|
|
282
287
|
* The default authority host.
|
|
283
288
|
*/
|
|
284
289
|
const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
|
|
285
290
|
/**
|
|
291
|
+
* @internal
|
|
286
292
|
* Allow acquiring tokens for any tenant for multi-tentant auth.
|
|
287
293
|
*/
|
|
288
294
|
const ALL_TENANTS = ["*"];
|
|
295
|
+
/**
|
|
296
|
+
* @internal
|
|
297
|
+
*/
|
|
289
298
|
const CACHE_CAE_SUFFIX = ".cae";
|
|
299
|
+
/**
|
|
300
|
+
* @internal
|
|
301
|
+
*/
|
|
290
302
|
const CACHE_NON_CAE_SUFFIX = ".nocae";
|
|
291
303
|
|
|
292
304
|
// Copyright (c) Microsoft Corporation.
|
|
@@ -417,7 +429,7 @@ class MsalBaseUtilities {
|
|
|
417
429
|
* If the token received is invalid, an error will be thrown depending on what's missing.
|
|
418
430
|
*/
|
|
419
431
|
handleResult(scopes, clientId, result, getTokenOptions) {
|
|
420
|
-
if (result
|
|
432
|
+
if (result?.account) {
|
|
421
433
|
this.account = msalToPublic(clientId, result.account);
|
|
422
434
|
}
|
|
423
435
|
ensureValidMsalToken(scopes, this.logger, result, getTokenOptions);
|
|
@@ -466,7 +478,11 @@ class MsalBaseUtilities {
|
|
|
466
478
|
// transformations.ts
|
|
467
479
|
function publicToMsal(account) {
|
|
468
480
|
const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
|
|
469
|
-
return
|
|
481
|
+
return {
|
|
482
|
+
...account,
|
|
483
|
+
localAccountId: account.homeAccountId,
|
|
484
|
+
environment,
|
|
485
|
+
};
|
|
470
486
|
}
|
|
471
487
|
function msalToPublic(clientId, account) {
|
|
472
488
|
const record = {
|
|
@@ -535,7 +551,6 @@ function createConfigurationErrorMessage(tenantId) {
|
|
|
535
551
|
* @internal
|
|
536
552
|
*/
|
|
537
553
|
function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = [], logger) {
|
|
538
|
-
var _a;
|
|
539
554
|
let resolvedTenantId;
|
|
540
555
|
if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
|
|
541
556
|
resolvedTenantId = tenantId;
|
|
@@ -544,14 +559,14 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
|
|
|
544
559
|
resolvedTenantId = tenantId;
|
|
545
560
|
}
|
|
546
561
|
else {
|
|
547
|
-
resolvedTenantId =
|
|
562
|
+
resolvedTenantId = getTokenOptions?.tenantId ?? tenantId;
|
|
548
563
|
}
|
|
549
564
|
if (tenantId &&
|
|
550
565
|
resolvedTenantId !== tenantId &&
|
|
551
566
|
!additionallyAllowedTenantIds.includes("*") &&
|
|
552
567
|
!additionallyAllowedTenantIds.some((t) => t.localeCompare(resolvedTenantId) === 0)) {
|
|
553
568
|
const message = createConfigurationErrorMessage(tenantId);
|
|
554
|
-
logger
|
|
569
|
+
logger?.info(message);
|
|
555
570
|
throw new CredentialUnavailableError(message);
|
|
556
571
|
}
|
|
557
572
|
return resolvedTenantId;
|
|
@@ -689,13 +704,13 @@ const noCorrelationId = "noCorrelationId";
|
|
|
689
704
|
*/
|
|
690
705
|
function getIdentityClientAuthorityHost(options) {
|
|
691
706
|
// The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
|
|
692
|
-
let authorityHost = options
|
|
707
|
+
let authorityHost = options?.authorityHost;
|
|
693
708
|
// The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
|
|
694
709
|
if (coreUtil.isNode) {
|
|
695
|
-
authorityHost = authorityHost
|
|
710
|
+
authorityHost = authorityHost ?? process.env.AZURE_AUTHORITY_HOST;
|
|
696
711
|
}
|
|
697
712
|
// If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
|
|
698
|
-
return authorityHost
|
|
713
|
+
return authorityHost ?? DefaultAuthorityHost;
|
|
699
714
|
}
|
|
700
715
|
/**
|
|
701
716
|
* The network module used by the Identity credentials.
|
|
@@ -706,25 +721,30 @@ function getIdentityClientAuthorityHost(options) {
|
|
|
706
721
|
*/
|
|
707
722
|
class IdentityClient extends coreClient.ServiceClient {
|
|
708
723
|
constructor(options) {
|
|
709
|
-
var _a, _b;
|
|
710
724
|
const packageDetails = `azsdk-js-identity/${SDK_VERSION}`;
|
|
711
|
-
const userAgentPrefix =
|
|
725
|
+
const userAgentPrefix = options?.userAgentOptions?.userAgentPrefix
|
|
712
726
|
? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
|
|
713
727
|
: `${packageDetails}`;
|
|
714
728
|
const baseUri = getIdentityClientAuthorityHost(options);
|
|
715
729
|
if (!baseUri.startsWith("https:")) {
|
|
716
730
|
throw new Error("The authorityHost address must use the 'https' protocol.");
|
|
717
731
|
}
|
|
718
|
-
super(
|
|
732
|
+
super({
|
|
733
|
+
requestContentType: "application/json; charset=utf-8",
|
|
734
|
+
retryOptions: {
|
|
719
735
|
maxRetries: 3,
|
|
720
|
-
}
|
|
736
|
+
},
|
|
737
|
+
...options,
|
|
738
|
+
userAgentOptions: {
|
|
721
739
|
userAgentPrefix,
|
|
722
|
-
},
|
|
740
|
+
},
|
|
741
|
+
baseUri,
|
|
742
|
+
});
|
|
723
743
|
this.authorityHost = baseUri;
|
|
724
744
|
this.abortControllers = new Map();
|
|
725
|
-
this.allowLoggingAccountIdentifiers =
|
|
745
|
+
this.allowLoggingAccountIdentifiers = options?.loggingOptions?.allowLoggingAccountIdentifiers;
|
|
726
746
|
// used for WorkloadIdentity
|
|
727
|
-
this.tokenCredentialOptions =
|
|
747
|
+
this.tokenCredentialOptions = { ...options };
|
|
728
748
|
}
|
|
729
749
|
async sendTokenRequest(request) {
|
|
730
750
|
logger$n.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
@@ -832,8 +852,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
832
852
|
this.abortControllers.set(key, undefined);
|
|
833
853
|
}
|
|
834
854
|
getCorrelationId(options) {
|
|
835
|
-
|
|
836
|
-
|
|
855
|
+
const parameter = options?.body
|
|
856
|
+
?.split("&")
|
|
857
|
+
.map((part) => part.split("="))
|
|
858
|
+
.find(([key]) => key === "client-request-id");
|
|
837
859
|
return parameter && parameter.length ? parameter[1] || noCorrelationId : noCorrelationId;
|
|
838
860
|
}
|
|
839
861
|
// The MSAL network module methods follow
|
|
@@ -841,8 +863,8 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
841
863
|
const request = coreRestPipeline.createPipelineRequest({
|
|
842
864
|
url,
|
|
843
865
|
method: "GET",
|
|
844
|
-
body: options
|
|
845
|
-
headers: coreRestPipeline.createHttpHeaders(options
|
|
866
|
+
body: options?.body,
|
|
867
|
+
headers: coreRestPipeline.createHttpHeaders(options?.headers),
|
|
846
868
|
abortSignal: this.generateAbortSignal(noCorrelationId),
|
|
847
869
|
});
|
|
848
870
|
const response = await this.sendRequest(request);
|
|
@@ -857,8 +879,8 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
857
879
|
const request = coreRestPipeline.createPipelineRequest({
|
|
858
880
|
url,
|
|
859
881
|
method: "POST",
|
|
860
|
-
body: options
|
|
861
|
-
headers: coreRestPipeline.createHttpHeaders(options
|
|
882
|
+
body: options?.body,
|
|
883
|
+
headers: coreRestPipeline.createHttpHeaders(options?.headers),
|
|
862
884
|
// MSAL doesn't send the correlation ID on the get requests.
|
|
863
885
|
abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
|
|
864
886
|
});
|
|
@@ -1072,29 +1094,34 @@ const msalNodeFlowNativeBrokerControl = {
|
|
|
1072
1094
|
*/
|
|
1073
1095
|
class MsalNode extends MsalBaseUtilities {
|
|
1074
1096
|
constructor(options) {
|
|
1075
|
-
var _a, _b, _c, _d, _e, _f, _g;
|
|
1076
1097
|
super(options);
|
|
1077
1098
|
this.app = {};
|
|
1078
1099
|
this.caeApp = {};
|
|
1079
1100
|
this.requiresConfidential = false;
|
|
1080
1101
|
this.msalConfig = this.defaultNodeMsalConfig(options);
|
|
1081
1102
|
this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
|
|
1082
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(
|
|
1103
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.tokenCredentialOptions?.additionallyAllowedTenants);
|
|
1083
1104
|
this.clientId = this.msalConfig.auth.clientId;
|
|
1084
|
-
if (options
|
|
1105
|
+
if (options?.getAssertion) {
|
|
1085
1106
|
this.getAssertion = options.getAssertion;
|
|
1086
1107
|
}
|
|
1087
|
-
this.enableBroker =
|
|
1088
|
-
this.enableMsaPassthrough =
|
|
1089
|
-
this.parentWindowHandle =
|
|
1108
|
+
this.enableBroker = options?.brokerOptions?.enabled;
|
|
1109
|
+
this.enableMsaPassthrough = options?.brokerOptions?.legacyEnableMsaPassthrough;
|
|
1110
|
+
this.parentWindowHandle = options.brokerOptions?.parentWindowHandle;
|
|
1090
1111
|
// If persistence has been configured
|
|
1091
|
-
if (persistenceProvider !== undefined &&
|
|
1092
|
-
const nonCaeOptions =
|
|
1093
|
-
|
|
1112
|
+
if (persistenceProvider !== undefined && options.tokenCachePersistenceOptions?.enabled) {
|
|
1113
|
+
const nonCaeOptions = {
|
|
1114
|
+
name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}`,
|
|
1115
|
+
...options.tokenCachePersistenceOptions,
|
|
1116
|
+
};
|
|
1117
|
+
const caeOptions = {
|
|
1118
|
+
name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}`,
|
|
1119
|
+
...options.tokenCachePersistenceOptions,
|
|
1120
|
+
};
|
|
1094
1121
|
this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
|
|
1095
1122
|
this.createCachePluginCae = () => persistenceProvider(caeOptions);
|
|
1096
1123
|
}
|
|
1097
|
-
else if (
|
|
1124
|
+
else if (options.tokenCachePersistenceOptions?.enabled) {
|
|
1098
1125
|
throw new Error([
|
|
1099
1126
|
"Persistent token caching was requested, but no persistence provider was configured.",
|
|
1100
1127
|
"You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
|
|
@@ -1111,7 +1138,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1111
1138
|
"`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
|
|
1112
1139
|
].join(" "));
|
|
1113
1140
|
}
|
|
1114
|
-
this.azureRegion =
|
|
1141
|
+
this.azureRegion = options.regionalAuthority ?? process.env.AZURE_REGIONAL_AUTHORITY_NAME;
|
|
1115
1142
|
if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
|
|
1116
1143
|
this.azureRegion = "AUTO_DISCOVER";
|
|
1117
1144
|
}
|
|
@@ -1120,12 +1147,15 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1120
1147
|
* Generates a MSAL configuration that generally works for Node.js
|
|
1121
1148
|
*/
|
|
1122
1149
|
defaultNodeMsalConfig(options) {
|
|
1123
|
-
var _a;
|
|
1124
1150
|
const clientId = options.clientId || DeveloperSignOnClientId;
|
|
1125
1151
|
const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
|
|
1126
1152
|
this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
|
|
1127
1153
|
const authority = getAuthority(tenantId, this.authorityHost);
|
|
1128
|
-
this.identityClient = new IdentityClient(
|
|
1154
|
+
this.identityClient = new IdentityClient({
|
|
1155
|
+
...options.tokenCredentialOptions,
|
|
1156
|
+
authorityHost: authority,
|
|
1157
|
+
loggingOptions: options.loggingOptions,
|
|
1158
|
+
});
|
|
1129
1159
|
const clientCapabilities = [];
|
|
1130
1160
|
return {
|
|
1131
1161
|
auth: {
|
|
@@ -1140,7 +1170,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1140
1170
|
loggerOptions: {
|
|
1141
1171
|
loggerCallback: defaultLoggerCallback(options.logger),
|
|
1142
1172
|
logLevel: getMSALLogLevel(logger$o.getLogLevel()),
|
|
1143
|
-
piiLoggingEnabled:
|
|
1173
|
+
piiLoggingEnabled: options.loggingOptions?.enableUnsafeSupportLogging,
|
|
1144
1174
|
},
|
|
1145
1175
|
},
|
|
1146
1176
|
};
|
|
@@ -1164,21 +1194,21 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1164
1194
|
* Prepares the MSAL applications.
|
|
1165
1195
|
*/
|
|
1166
1196
|
async init(options) {
|
|
1167
|
-
if (options
|
|
1197
|
+
if (options?.abortSignal) {
|
|
1168
1198
|
options.abortSignal.addEventListener("abort", () => {
|
|
1169
1199
|
// This will abort any pending request in the IdentityClient,
|
|
1170
1200
|
// based on the received or generated correlationId
|
|
1171
1201
|
this.identityClient.abortRequests(options.correlationId);
|
|
1172
1202
|
});
|
|
1173
1203
|
}
|
|
1174
|
-
const app =
|
|
1175
|
-
if (options
|
|
1204
|
+
const app = options?.enableCae ? this.caeApp : this.app;
|
|
1205
|
+
if (options?.enableCae) {
|
|
1176
1206
|
this.msalConfig.auth.clientCapabilities = ["cp1"];
|
|
1177
1207
|
}
|
|
1178
1208
|
if (app.public || app.confidential) {
|
|
1179
1209
|
return;
|
|
1180
1210
|
}
|
|
1181
|
-
if (
|
|
1211
|
+
if (options?.enableCae && this.createCachePluginCae !== undefined) {
|
|
1182
1212
|
this.msalConfig.cache = {
|
|
1183
1213
|
cachePlugin: await this.createCachePluginCae(),
|
|
1184
1214
|
};
|
|
@@ -1197,7 +1227,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1197
1227
|
this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
|
|
1198
1228
|
}
|
|
1199
1229
|
}
|
|
1200
|
-
if (options
|
|
1230
|
+
if (options?.enableCae) {
|
|
1201
1231
|
this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
|
|
1202
1232
|
}
|
|
1203
1233
|
else {
|
|
@@ -1210,7 +1240,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1210
1240
|
if (this.msalConfig.auth.clientSecret ||
|
|
1211
1241
|
this.msalConfig.auth.clientAssertion ||
|
|
1212
1242
|
this.msalConfig.auth.clientCertificate) {
|
|
1213
|
-
if (options
|
|
1243
|
+
if (options?.enableCae) {
|
|
1214
1244
|
this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
|
|
1215
1245
|
}
|
|
1216
1246
|
else {
|
|
@@ -1235,7 +1265,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1235
1265
|
.catch(reject);
|
|
1236
1266
|
if (abortSignal) {
|
|
1237
1267
|
abortSignal.addEventListener("abort", () => {
|
|
1238
|
-
onCancel
|
|
1268
|
+
onCancel?.();
|
|
1239
1269
|
});
|
|
1240
1270
|
}
|
|
1241
1271
|
});
|
|
@@ -1248,7 +1278,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1248
1278
|
return this.account;
|
|
1249
1279
|
}
|
|
1250
1280
|
const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
|
|
1251
|
-
const accountsByTenant = await
|
|
1281
|
+
const accountsByTenant = await cache?.getAllAccounts();
|
|
1252
1282
|
if (!accountsByTenant) {
|
|
1253
1283
|
return;
|
|
1254
1284
|
}
|
|
@@ -1270,8 +1300,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1270
1300
|
* Attempts to retrieve a token from cache.
|
|
1271
1301
|
*/
|
|
1272
1302
|
async getTokenSilent(scopes, options) {
|
|
1273
|
-
|
|
1274
|
-
await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
|
|
1303
|
+
await this.getActiveAccount(options?.enableCae);
|
|
1275
1304
|
if (!this.account) {
|
|
1276
1305
|
throw new AuthenticationRequiredError({
|
|
1277
1306
|
scopes,
|
|
@@ -1282,10 +1311,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1282
1311
|
const silentRequest = {
|
|
1283
1312
|
// To be able to re-use the account, the Token Cache must also have been provided.
|
|
1284
1313
|
account: publicToMsal(this.account),
|
|
1285
|
-
correlationId: options
|
|
1314
|
+
correlationId: options?.correlationId,
|
|
1286
1315
|
scopes,
|
|
1287
|
-
authority: options
|
|
1288
|
-
claims: options
|
|
1316
|
+
authority: options?.authority,
|
|
1317
|
+
claims: options?.claims,
|
|
1289
1318
|
};
|
|
1290
1319
|
if (hasNativeBroker() && this.enableBroker) {
|
|
1291
1320
|
if (!silentRequest.tokenQueryParameters) {
|
|
@@ -1307,8 +1336,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1307
1336
|
* `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
|
|
1308
1337
|
* This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
|
|
1309
1338
|
*/
|
|
1310
|
-
await
|
|
1311
|
-
|
|
1339
|
+
await this.getApp("publicFirst", options?.enableCae)
|
|
1340
|
+
?.getTokenCache()
|
|
1341
|
+
.getAllAccounts();
|
|
1342
|
+
const response = (await this.getApp("confidential", options?.enableCae)?.acquireTokenSilent(silentRequest)) ?? (await this.getApp("public", options?.enableCae).acquireTokenSilent(silentRequest));
|
|
1312
1343
|
return this.handleResult(scopes, this.clientId, response || undefined);
|
|
1313
1344
|
}
|
|
1314
1345
|
catch (err) {
|
|
@@ -1323,7 +1354,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1323
1354
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
|
|
1324
1355
|
this.tenantId;
|
|
1325
1356
|
options.authority = getAuthority(tenantId, this.authorityHost);
|
|
1326
|
-
options.correlationId =
|
|
1357
|
+
options.correlationId = options?.correlationId || this.generateUuid();
|
|
1327
1358
|
await this.init(options);
|
|
1328
1359
|
try {
|
|
1329
1360
|
// MSAL now caches tokens based on their claims,
|
|
@@ -1343,7 +1374,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1343
1374
|
if (err.name !== "AuthenticationRequiredError") {
|
|
1344
1375
|
throw err;
|
|
1345
1376
|
}
|
|
1346
|
-
if (options
|
|
1377
|
+
if (options?.disableAutomaticAuthentication) {
|
|
1347
1378
|
throw new AuthenticationRequiredError({
|
|
1348
1379
|
scopes,
|
|
1349
1380
|
getTokenOptions: options,
|
|
@@ -1444,7 +1475,10 @@ class VisualStudioCodeCredential {
|
|
|
1444
1475
|
this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
|
|
1445
1476
|
// Picking an authority host based on the cloud name.
|
|
1446
1477
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
1447
|
-
this.identityClient = new IdentityClient(
|
|
1478
|
+
this.identityClient = new IdentityClient({
|
|
1479
|
+
authorityHost,
|
|
1480
|
+
...options,
|
|
1481
|
+
});
|
|
1448
1482
|
if (options && options.tenantId) {
|
|
1449
1483
|
checkTenantId(logger$m, options.tenantId);
|
|
1450
1484
|
this.tenantId = options.tenantId;
|
|
@@ -1452,7 +1486,7 @@ class VisualStudioCodeCredential {
|
|
|
1452
1486
|
else {
|
|
1453
1487
|
this.tenantId = CommonTenantId;
|
|
1454
1488
|
}
|
|
1455
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
1489
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
1456
1490
|
checkUnsupportedTenant(this.tenantId);
|
|
1457
1491
|
}
|
|
1458
1492
|
/**
|
|
@@ -1484,7 +1518,6 @@ class VisualStudioCodeCredential {
|
|
|
1484
1518
|
* `TokenCredential` implementation might make.
|
|
1485
1519
|
*/
|
|
1486
1520
|
async getToken(scopes, options) {
|
|
1487
|
-
var _a, _b;
|
|
1488
1521
|
await this.prepareOnce();
|
|
1489
1522
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$m) || this.tenantId;
|
|
1490
1523
|
if (findCredentials === undefined) {
|
|
@@ -1516,7 +1549,7 @@ class VisualStudioCodeCredential {
|
|
|
1516
1549
|
// ]
|
|
1517
1550
|
const credentials = await findCredentials();
|
|
1518
1551
|
// If we can't find the credential based on the name, we'll pick the first one available.
|
|
1519
|
-
const { password: refreshToken } =
|
|
1552
|
+
const { password: refreshToken } = credentials.find(({ account }) => account === this.cloudName) ?? credentials[0] ?? {};
|
|
1520
1553
|
if (refreshToken) {
|
|
1521
1554
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
1522
1555
|
if (tokenResponse) {
|
|
@@ -1640,9 +1673,12 @@ const appServiceMsi2017 = {
|
|
|
1640
1673
|
logger$l.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
1641
1674
|
}
|
|
1642
1675
|
logger$l.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
1643
|
-
const request = coreRestPipeline.createPipelineRequest(
|
|
1676
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
1677
|
+
abortSignal: getTokenOptions.abortSignal,
|
|
1678
|
+
...prepareRequestOptions$5(scopes, clientId),
|
|
1644
1679
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1645
|
-
allowInsecureConnection: true
|
|
1680
|
+
allowInsecureConnection: true,
|
|
1681
|
+
});
|
|
1646
1682
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
1647
1683
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
1648
1684
|
},
|
|
@@ -1712,9 +1748,12 @@ const cloudShellMsi = {
|
|
|
1712
1748
|
logger$k.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
1713
1749
|
}
|
|
1714
1750
|
logger$k.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
1715
|
-
const request = coreRestPipeline.createPipelineRequest(
|
|
1751
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
1752
|
+
abortSignal: getTokenOptions.abortSignal,
|
|
1753
|
+
...prepareRequestOptions$4(scopes, clientId, resourceId),
|
|
1716
1754
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1717
|
-
allowInsecureConnection: true
|
|
1755
|
+
allowInsecureConnection: true,
|
|
1756
|
+
});
|
|
1718
1757
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
1719
1758
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
1720
1759
|
},
|
|
@@ -1728,7 +1767,6 @@ const logger$j = credentialLogger(msiName$4);
|
|
|
1728
1767
|
* Generates the options used on the request for an access token.
|
|
1729
1768
|
*/
|
|
1730
1769
|
function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
|
|
1731
|
-
var _a;
|
|
1732
1770
|
const resource = mapScopesToResource(scopes);
|
|
1733
1771
|
if (!resource) {
|
|
1734
1772
|
throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
|
|
@@ -1751,7 +1789,7 @@ function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
|
|
|
1751
1789
|
const params = new URLSearchParams(queryParameters);
|
|
1752
1790
|
query = `?${params.toString()}`;
|
|
1753
1791
|
}
|
|
1754
|
-
const url = new URL(imdsEndpointPath,
|
|
1792
|
+
const url = new URL(imdsEndpointPath, process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST ?? imdsHost);
|
|
1755
1793
|
const rawHeaders = {
|
|
1756
1794
|
Accept: "application/json",
|
|
1757
1795
|
Metadata: "true",
|
|
@@ -1796,7 +1834,6 @@ const imdsMsi = {
|
|
|
1796
1834
|
skipQuery: true,
|
|
1797
1835
|
});
|
|
1798
1836
|
return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
|
|
1799
|
-
var _a, _b;
|
|
1800
1837
|
requestOptions.tracingOptions = options.tracingOptions;
|
|
1801
1838
|
// Create a request with a timeout since we expect that
|
|
1802
1839
|
// not having a "Metadata" header should cause an error to be
|
|
@@ -1804,7 +1841,7 @@ const imdsMsi = {
|
|
|
1804
1841
|
const request = coreRestPipeline.createPipelineRequest(requestOptions);
|
|
1805
1842
|
// Default to 1000 if the default of 0 is used.
|
|
1806
1843
|
// Negative values can still be used to disable the timeout.
|
|
1807
|
-
request.timeout =
|
|
1844
|
+
request.timeout = options.requestOptions?.timeout || 1000;
|
|
1808
1845
|
// This MSI uses the imdsEndpoint to get the token, which only uses http://
|
|
1809
1846
|
request.allowInsecureConnection = true;
|
|
1810
1847
|
let response;
|
|
@@ -1824,7 +1861,7 @@ const imdsMsi = {
|
|
|
1824
1861
|
return false;
|
|
1825
1862
|
}
|
|
1826
1863
|
if (response.status === 403) {
|
|
1827
|
-
if (
|
|
1864
|
+
if (response.bodyAsText?.includes("A socket operation was attempted to an unreachable network")) {
|
|
1828
1865
|
logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
1829
1866
|
logger$j.info(`${msiName$4}: ${response.bodyAsText}`);
|
|
1830
1867
|
return false;
|
|
@@ -1846,7 +1883,11 @@ const imdsMsi = {
|
|
|
1846
1883
|
let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
|
|
1847
1884
|
for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
|
|
1848
1885
|
try {
|
|
1849
|
-
const request = coreRestPipeline.createPipelineRequest(
|
|
1886
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
1887
|
+
abortSignal: getTokenOptions.abortSignal,
|
|
1888
|
+
...prepareRequestOptions$3(scopes, clientId, resourceId),
|
|
1889
|
+
allowInsecureConnection: true,
|
|
1890
|
+
});
|
|
1850
1891
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
1851
1892
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
1852
1893
|
}
|
|
@@ -1950,7 +1991,6 @@ const arcMsi = {
|
|
|
1950
1991
|
return result;
|
|
1951
1992
|
},
|
|
1952
1993
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1953
|
-
var _a;
|
|
1954
1994
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1955
1995
|
if (clientId) {
|
|
1956
1996
|
logger$i.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
@@ -1959,16 +1999,24 @@ const arcMsi = {
|
|
|
1959
1999
|
logger$i.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
1960
2000
|
}
|
|
1961
2001
|
logger$i.info(`${msiName$3}: Authenticating.`);
|
|
1962
|
-
const requestOptions =
|
|
2002
|
+
const requestOptions = {
|
|
2003
|
+
disableJsonStringifyOnBody: true,
|
|
2004
|
+
deserializationMapper: undefined,
|
|
2005
|
+
abortSignal: getTokenOptions.abortSignal,
|
|
2006
|
+
...prepareRequestOptions$2(scopes, clientId, resourceId),
|
|
2007
|
+
allowInsecureConnection: true,
|
|
2008
|
+
};
|
|
1963
2009
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
1964
2010
|
if (!filePath) {
|
|
1965
2011
|
throw new Error(`${msiName$3}: Failed to find the token file.`);
|
|
1966
2012
|
}
|
|
1967
2013
|
const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
|
|
1968
|
-
|
|
1969
|
-
const request = coreRestPipeline.createPipelineRequest(
|
|
2014
|
+
requestOptions.headers?.set("Authorization", `Basic ${key}`);
|
|
2015
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
2016
|
+
...requestOptions,
|
|
1970
2017
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1971
|
-
allowInsecureConnection: true
|
|
2018
|
+
allowInsecureConnection: true,
|
|
2019
|
+
});
|
|
1972
2020
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
1973
2021
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
1974
2022
|
},
|
|
@@ -2036,10 +2084,17 @@ class ClientAssertionCredential {
|
|
|
2036
2084
|
throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
|
|
2037
2085
|
}
|
|
2038
2086
|
this.tenantId = tenantId;
|
|
2039
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
2087
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
2040
2088
|
this.clientId = clientId;
|
|
2041
2089
|
this.options = options;
|
|
2042
|
-
this.msalFlow = new MsalClientAssertion(
|
|
2090
|
+
this.msalFlow = new MsalClientAssertion({
|
|
2091
|
+
...options,
|
|
2092
|
+
logger: logger$h,
|
|
2093
|
+
clientId: this.clientId,
|
|
2094
|
+
tenantId: this.tenantId,
|
|
2095
|
+
tokenCredentialOptions: this.options,
|
|
2096
|
+
getAssertion,
|
|
2097
|
+
});
|
|
2043
2098
|
}
|
|
2044
2099
|
/**
|
|
2045
2100
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -2100,7 +2155,7 @@ class WorkloadIdentityCredential {
|
|
|
2100
2155
|
// Logging environment variables for error details
|
|
2101
2156
|
const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
|
|
2102
2157
|
logger$g.info(`Found the following environment variables: ${assignedEnv}`);
|
|
2103
|
-
const workloadIdentityCredentialOptions = options
|
|
2158
|
+
const workloadIdentityCredentialOptions = options ?? {};
|
|
2104
2159
|
const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
|
|
2105
2160
|
const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
|
|
2106
2161
|
this.federatedTokenFilePath =
|
|
@@ -2180,7 +2235,13 @@ function tokenExchangeMsi() {
|
|
|
2180
2235
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2181
2236
|
const { scopes, clientId } = configuration;
|
|
2182
2237
|
const identityClientTokenCredentialOptions = {};
|
|
2183
|
-
const workloadIdentityCredential = new WorkloadIdentityCredential(
|
|
2238
|
+
const workloadIdentityCredential = new WorkloadIdentityCredential({
|
|
2239
|
+
clientId,
|
|
2240
|
+
tenantId: process.env.AZURE_TENANT_ID,
|
|
2241
|
+
tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE,
|
|
2242
|
+
...identityClientTokenCredentialOptions,
|
|
2243
|
+
disableInstanceDiscovery: true,
|
|
2244
|
+
});
|
|
2184
2245
|
const token = await workloadIdentityCredential.getToken(scopes, getTokenOptions);
|
|
2185
2246
|
return token;
|
|
2186
2247
|
},
|
|
@@ -2266,7 +2327,12 @@ const fabricMsi = {
|
|
|
2266
2327
|
"IDENTITY_HEADER=[REDACTED] and",
|
|
2267
2328
|
"IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
|
|
2268
2329
|
].join(" "));
|
|
2269
|
-
const request = coreRestPipeline.createPipelineRequest(
|
|
2330
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
2331
|
+
abortSignal: getTokenOptions.abortSignal,
|
|
2332
|
+
...prepareRequestOptions$1(scopes, clientId, resourceId),
|
|
2333
|
+
// The service fabric MSI endpoint will be HTTPS (however, the certificate will be self-signed).
|
|
2334
|
+
// allowInsecureConnection: true
|
|
2335
|
+
});
|
|
2270
2336
|
request.agent = new https.Agent({
|
|
2271
2337
|
// This is necessary because Service Fabric provides a self-signed certificate.
|
|
2272
2338
|
// The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
|
|
@@ -2337,9 +2403,12 @@ const appServiceMsi2019 = {
|
|
|
2337
2403
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2338
2404
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2339
2405
|
logger$d.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
|
|
2340
|
-
const request = coreRestPipeline.createPipelineRequest(
|
|
2406
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
2407
|
+
abortSignal: getTokenOptions.abortSignal,
|
|
2408
|
+
...prepareRequestOptions(scopes, clientId, resourceId),
|
|
2341
2409
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2342
|
-
allowInsecureConnection: true
|
|
2410
|
+
allowInsecureConnection: true,
|
|
2411
|
+
});
|
|
2343
2412
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
2344
2413
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2345
2414
|
},
|
|
@@ -2362,7 +2431,6 @@ class ManagedIdentityCredential {
|
|
|
2362
2431
|
* @hidden
|
|
2363
2432
|
*/
|
|
2364
2433
|
constructor(clientIdOrOptions, options) {
|
|
2365
|
-
var _a;
|
|
2366
2434
|
this.isEndpointUnavailable = null;
|
|
2367
2435
|
this.isAppTokenProviderInitialized = false;
|
|
2368
2436
|
let _options;
|
|
@@ -2371,25 +2439,28 @@ class ManagedIdentityCredential {
|
|
|
2371
2439
|
_options = options;
|
|
2372
2440
|
}
|
|
2373
2441
|
else {
|
|
2374
|
-
this.clientId = clientIdOrOptions
|
|
2442
|
+
this.clientId = clientIdOrOptions?.clientId;
|
|
2375
2443
|
_options = clientIdOrOptions;
|
|
2376
2444
|
}
|
|
2377
|
-
this.resourceId = _options
|
|
2445
|
+
this.resourceId = _options?.resourceId;
|
|
2378
2446
|
// For JavaScript users.
|
|
2379
2447
|
if (this.clientId && this.resourceId) {
|
|
2380
2448
|
throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
|
|
2381
2449
|
}
|
|
2382
2450
|
this.identityClient = new IdentityClient(_options);
|
|
2383
|
-
this.isAvailableIdentityClient = new IdentityClient(
|
|
2451
|
+
this.isAvailableIdentityClient = new IdentityClient({
|
|
2452
|
+
..._options,
|
|
2453
|
+
retryOptions: {
|
|
2384
2454
|
maxRetries: 0,
|
|
2385
|
-
}
|
|
2455
|
+
},
|
|
2456
|
+
});
|
|
2386
2457
|
/** authority host validation and metadata discovery to be skipped in managed identity
|
|
2387
2458
|
* since this wasn't done previously before adding token cache support
|
|
2388
2459
|
*/
|
|
2389
2460
|
this.confidentialApp = new msalCommon.ConfidentialClientApplication({
|
|
2390
2461
|
auth: {
|
|
2391
2462
|
authority: "https://login.microsoftonline.com/managed_identity",
|
|
2392
|
-
clientId:
|
|
2463
|
+
clientId: this.clientId ?? DeveloperSignOnClientId,
|
|
2393
2464
|
clientSecret: "dummy-secret",
|
|
2394
2465
|
cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
|
|
2395
2466
|
authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
|
|
@@ -2476,13 +2547,15 @@ class ManagedIdentityCredential {
|
|
|
2476
2547
|
else {
|
|
2477
2548
|
const appTokenParameters = {
|
|
2478
2549
|
correlationId: this.identityClient.getCorrelationId(),
|
|
2479
|
-
tenantId:
|
|
2550
|
+
tenantId: options?.tenantId || "managed_identity",
|
|
2480
2551
|
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
2481
|
-
claims: options
|
|
2552
|
+
claims: options?.claims,
|
|
2482
2553
|
};
|
|
2483
2554
|
// Added a check to see if SetAppTokenProvider was already defined.
|
|
2484
2555
|
this.initializeSetAppTokenProvider();
|
|
2485
|
-
const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(
|
|
2556
|
+
const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential({
|
|
2557
|
+
...appTokenParameters,
|
|
2558
|
+
});
|
|
2486
2559
|
result = this.handleResult(scopes, authenticationResult || undefined);
|
|
2487
2560
|
}
|
|
2488
2561
|
if (result === null) {
|
|
@@ -2610,16 +2683,18 @@ class ManagedIdentityCredential {
|
|
|
2610
2683
|
if (!this.isAppTokenProviderInitialized) {
|
|
2611
2684
|
this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
|
|
2612
2685
|
logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
|
|
2613
|
-
const getTokenOptions =
|
|
2686
|
+
const getTokenOptions = {
|
|
2687
|
+
...appTokenProviderParameters,
|
|
2688
|
+
};
|
|
2614
2689
|
logger$c.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
|
|
2615
2690
|
const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
|
|
2616
2691
|
if (resultToken) {
|
|
2617
2692
|
logger$c.info(`SetAppTokenProvider will save the token in cache`);
|
|
2618
|
-
const expiresInSeconds =
|
|
2693
|
+
const expiresInSeconds = resultToken?.expiresOnTimestamp
|
|
2619
2694
|
? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
|
|
2620
2695
|
: 0;
|
|
2621
2696
|
return {
|
|
2622
|
-
accessToken: resultToken
|
|
2697
|
+
accessToken: resultToken?.token,
|
|
2623
2698
|
expiresInSeconds,
|
|
2624
2699
|
};
|
|
2625
2700
|
}
|
|
@@ -2732,12 +2807,12 @@ class AzureCliCredential {
|
|
|
2732
2807
|
* @param options - Options, to optionally allow multi-tenant requests.
|
|
2733
2808
|
*/
|
|
2734
2809
|
constructor(options) {
|
|
2735
|
-
if (options
|
|
2736
|
-
checkTenantId(logger$b, options
|
|
2737
|
-
this.tenantId = options
|
|
2810
|
+
if (options?.tenantId) {
|
|
2811
|
+
checkTenantId(logger$b, options?.tenantId);
|
|
2812
|
+
this.tenantId = options?.tenantId;
|
|
2738
2813
|
}
|
|
2739
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
2740
|
-
this.timeout = options
|
|
2814
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
2815
|
+
this.timeout = options?.processTimeoutInMs;
|
|
2741
2816
|
}
|
|
2742
2817
|
/**
|
|
2743
2818
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -2755,14 +2830,13 @@ class AzureCliCredential {
|
|
|
2755
2830
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
2756
2831
|
logger$b.getToken.info(`Using the scope ${scope}`);
|
|
2757
2832
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2758
|
-
var _a, _b, _c, _d;
|
|
2759
2833
|
try {
|
|
2760
2834
|
ensureValidScopeForDevTimeCreds(scope, logger$b);
|
|
2761
2835
|
const resource = getScopeResource(scope);
|
|
2762
2836
|
const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
|
|
2763
|
-
const specificScope =
|
|
2764
|
-
const isLoginError =
|
|
2765
|
-
const isNotInstallError =
|
|
2837
|
+
const specificScope = obj.stderr?.match("(.*)az login --scope(.*)");
|
|
2838
|
+
const isLoginError = obj.stderr?.match("(.*)az login(.*)") && !specificScope;
|
|
2839
|
+
const isNotInstallError = obj.stderr?.match("az:(.*)not found") || obj.stderr?.startsWith("'az' is not recognized");
|
|
2766
2840
|
if (isNotInstallError) {
|
|
2767
2841
|
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
|
2768
2842
|
logger$b.getToken.info(formatError(scopes, error));
|
|
@@ -2914,12 +2988,12 @@ class AzurePowerShellCredential {
|
|
|
2914
2988
|
* @param options - Options, to optionally allow multi-tenant requests.
|
|
2915
2989
|
*/
|
|
2916
2990
|
constructor(options) {
|
|
2917
|
-
if (options
|
|
2918
|
-
checkTenantId(logger$a, options
|
|
2919
|
-
this.tenantId = options
|
|
2991
|
+
if (options?.tenantId) {
|
|
2992
|
+
checkTenantId(logger$a, options?.tenantId);
|
|
2993
|
+
this.tenantId = options?.tenantId;
|
|
2920
2994
|
}
|
|
2921
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
2922
|
-
this.timeout = options
|
|
2995
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
2996
|
+
this.timeout = options?.processTimeoutInMs;
|
|
2923
2997
|
}
|
|
2924
2998
|
/**
|
|
2925
2999
|
* Gets the access token from Azure PowerShell
|
|
@@ -3213,12 +3287,14 @@ class ClientCertificateCredential {
|
|
|
3213
3287
|
throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
|
|
3214
3288
|
}
|
|
3215
3289
|
this.tenantId = tenantId;
|
|
3216
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
3217
|
-
const configuration =
|
|
3218
|
-
|
|
3219
|
-
|
|
3220
|
-
|
|
3221
|
-
|
|
3290
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
3291
|
+
const configuration = {
|
|
3292
|
+
...(typeof certificatePathOrConfiguration === "string"
|
|
3293
|
+
? {
|
|
3294
|
+
certificatePath: certificatePathOrConfiguration,
|
|
3295
|
+
}
|
|
3296
|
+
: certificatePathOrConfiguration),
|
|
3297
|
+
};
|
|
3222
3298
|
const certificate = configuration
|
|
3223
3299
|
.certificate;
|
|
3224
3300
|
const certificatePath = configuration.certificatePath;
|
|
@@ -3228,10 +3304,15 @@ class ClientCertificateCredential {
|
|
|
3228
3304
|
if (certificate && certificatePath) {
|
|
3229
3305
|
throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
3230
3306
|
}
|
|
3231
|
-
this.msalFlow = new MsalClientCertificate(
|
|
3307
|
+
this.msalFlow = new MsalClientCertificate({
|
|
3308
|
+
...options,
|
|
3309
|
+
configuration,
|
|
3232
3310
|
logger: logger$8,
|
|
3233
3311
|
clientId,
|
|
3234
|
-
tenantId,
|
|
3312
|
+
tenantId,
|
|
3313
|
+
sendCertificateChain: options.sendCertificateChain,
|
|
3314
|
+
tokenCredentialOptions: options,
|
|
3315
|
+
});
|
|
3235
3316
|
}
|
|
3236
3317
|
/**
|
|
3237
3318
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -3308,11 +3389,15 @@ class ClientSecretCredential {
|
|
|
3308
3389
|
throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
|
|
3309
3390
|
}
|
|
3310
3391
|
this.tenantId = tenantId;
|
|
3311
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
3312
|
-
this.msalFlow = new MsalClientSecret(
|
|
3392
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
3393
|
+
this.msalFlow = new MsalClientSecret({
|
|
3394
|
+
...options,
|
|
3395
|
+
logger: logger$7,
|
|
3313
3396
|
clientId,
|
|
3314
3397
|
tenantId,
|
|
3315
|
-
clientSecret,
|
|
3398
|
+
clientSecret,
|
|
3399
|
+
tokenCredentialOptions: options,
|
|
3400
|
+
});
|
|
3316
3401
|
}
|
|
3317
3402
|
/**
|
|
3318
3403
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -3349,11 +3434,11 @@ class MsalUsernamePassword extends MsalNode {
|
|
|
3349
3434
|
scopes,
|
|
3350
3435
|
username: this.username,
|
|
3351
3436
|
password: this.password,
|
|
3352
|
-
correlationId: options
|
|
3353
|
-
authority: options
|
|
3354
|
-
claims: options
|
|
3437
|
+
correlationId: options?.correlationId,
|
|
3438
|
+
authority: options?.authority,
|
|
3439
|
+
claims: options?.claims,
|
|
3355
3440
|
};
|
|
3356
|
-
const result = await this.getApp("public", options
|
|
3441
|
+
const result = await this.getApp("public", options?.enableCae).acquireTokenByUsernamePassword(requestOptions);
|
|
3357
3442
|
return this.handleResult(scopes, this.clientId, result || undefined);
|
|
3358
3443
|
}
|
|
3359
3444
|
catch (error) {
|
|
@@ -3388,12 +3473,16 @@ class UsernamePasswordCredential {
|
|
|
3388
3473
|
throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
|
3389
3474
|
}
|
|
3390
3475
|
this.tenantId = tenantId;
|
|
3391
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
3392
|
-
this.msalFlow = new MsalUsernamePassword(
|
|
3476
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
3477
|
+
this.msalFlow = new MsalUsernamePassword({
|
|
3478
|
+
...options,
|
|
3479
|
+
logger: logger$6,
|
|
3393
3480
|
clientId,
|
|
3394
3481
|
tenantId,
|
|
3395
3482
|
username,
|
|
3396
|
-
password,
|
|
3483
|
+
password,
|
|
3484
|
+
tokenCredentialOptions: options || {},
|
|
3485
|
+
});
|
|
3397
3486
|
}
|
|
3398
3487
|
/**
|
|
3399
3488
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -3436,8 +3525,7 @@ const AllSupportedEnvironmentVariables = [
|
|
|
3436
3525
|
"AZURE_ADDITIONALLY_ALLOWED_TENANTS",
|
|
3437
3526
|
];
|
|
3438
3527
|
function getAdditionallyAllowedTenants() {
|
|
3439
|
-
|
|
3440
|
-
const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
|
|
3528
|
+
const additionallyAllowedValues = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS ?? "";
|
|
3441
3529
|
return additionallyAllowedValues.split(";");
|
|
3442
3530
|
}
|
|
3443
3531
|
const credentialName$1 = "EnvironmentCredential";
|
|
@@ -3478,7 +3566,7 @@ class EnvironmentCredential {
|
|
|
3478
3566
|
logger$5.info(`Found the following environment variables: ${assigned}`);
|
|
3479
3567
|
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
|
|
3480
3568
|
const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
|
|
3481
|
-
const newOptions =
|
|
3569
|
+
const newOptions = { ...options, additionallyAllowedTenantIds };
|
|
3482
3570
|
if (tenantId) {
|
|
3483
3571
|
checkTenantId(logger$5, tenantId);
|
|
3484
3572
|
}
|
|
@@ -3618,12 +3706,12 @@ class AzureDeveloperCliCredential {
|
|
|
3618
3706
|
* @param options - Options, to optionally allow multi-tenant requests.
|
|
3619
3707
|
*/
|
|
3620
3708
|
constructor(options) {
|
|
3621
|
-
if (options
|
|
3622
|
-
checkTenantId(logger$4, options
|
|
3623
|
-
this.tenantId = options
|
|
3709
|
+
if (options?.tenantId) {
|
|
3710
|
+
checkTenantId(logger$4, options?.tenantId);
|
|
3711
|
+
this.tenantId = options?.tenantId;
|
|
3624
3712
|
}
|
|
3625
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
3626
|
-
this.timeout = options
|
|
3713
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
3714
|
+
this.timeout = options?.processTimeoutInMs;
|
|
3627
3715
|
}
|
|
3628
3716
|
/**
|
|
3629
3717
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -3647,16 +3735,15 @@ class AzureDeveloperCliCredential {
|
|
|
3647
3735
|
}
|
|
3648
3736
|
logger$4.getToken.info(`Using the scopes ${scopes}`);
|
|
3649
3737
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
3650
|
-
var _a, _b, _c, _d;
|
|
3651
3738
|
try {
|
|
3652
3739
|
scopeList.forEach((scope) => {
|
|
3653
3740
|
ensureValidScopeForDevTimeCreds(scope, logger$4);
|
|
3654
3741
|
});
|
|
3655
3742
|
const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
|
|
3656
|
-
const isNotLoggedInError =
|
|
3657
|
-
|
|
3658
|
-
const isNotInstallError =
|
|
3659
|
-
|
|
3743
|
+
const isNotLoggedInError = obj.stderr?.match("not logged in, run `azd login` to login") ||
|
|
3744
|
+
obj.stderr?.match("not logged in, run `azd auth login` to login");
|
|
3745
|
+
const isNotInstallError = obj.stderr?.match("azd:(.*)not found") ||
|
|
3746
|
+
obj.stderr?.startsWith("'azd' is not recognized");
|
|
3660
3747
|
if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
|
|
3661
3748
|
const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
3662
3749
|
logger$4.getToken.info(formatError(scopes, error));
|
|
@@ -3705,23 +3792,34 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
|
|
|
3705
3792
|
// Constructor overload with just the other default options
|
|
3706
3793
|
// Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
|
|
3707
3794
|
constructor(options) {
|
|
3708
|
-
|
|
3709
|
-
|
|
3710
|
-
const workloadIdentityClientId =
|
|
3711
|
-
|
|
3795
|
+
const managedIdentityClientId = options?.managedIdentityClientId ??
|
|
3796
|
+
process.env.AZURE_CLIENT_ID;
|
|
3797
|
+
const workloadIdentityClientId = options?.workloadIdentityClientId ??
|
|
3798
|
+
managedIdentityClientId;
|
|
3799
|
+
const managedResourceId = options
|
|
3800
|
+
?.managedIdentityResourceId;
|
|
3712
3801
|
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3713
|
-
const tenantId =
|
|
3802
|
+
const tenantId = options?.tenantId ?? process.env.AZURE_TENANT_ID;
|
|
3714
3803
|
// ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
|
|
3715
3804
|
if (managedResourceId) {
|
|
3716
|
-
const managedIdentityResourceIdOptions =
|
|
3805
|
+
const managedIdentityResourceIdOptions = {
|
|
3806
|
+
...options,
|
|
3807
|
+
resourceId: managedResourceId,
|
|
3808
|
+
};
|
|
3717
3809
|
super(managedIdentityResourceIdOptions);
|
|
3718
3810
|
}
|
|
3719
3811
|
else if (workloadFile && workloadIdentityClientId) {
|
|
3720
|
-
const workloadIdentityCredentialOptions =
|
|
3812
|
+
const workloadIdentityCredentialOptions = {
|
|
3813
|
+
...options,
|
|
3814
|
+
tenantId: tenantId,
|
|
3815
|
+
};
|
|
3721
3816
|
super(workloadIdentityClientId, workloadIdentityCredentialOptions);
|
|
3722
3817
|
}
|
|
3723
3818
|
else if (managedIdentityClientId) {
|
|
3724
|
-
const managedIdentityClientOptions =
|
|
3819
|
+
const managedIdentityClientOptions = {
|
|
3820
|
+
...options,
|
|
3821
|
+
clientId: managedIdentityClientId,
|
|
3822
|
+
};
|
|
3725
3823
|
super(managedIdentityClientOptions);
|
|
3726
3824
|
}
|
|
3727
3825
|
else {
|
|
@@ -3739,17 +3837,26 @@ class DefaultWorkloadIdentityCredential extends WorkloadIdentityCredential {
|
|
|
3739
3837
|
// Constructor overload with just the other default options
|
|
3740
3838
|
// Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
|
|
3741
3839
|
constructor(options) {
|
|
3742
|
-
|
|
3743
|
-
|
|
3744
|
-
const workloadIdentityClientId =
|
|
3840
|
+
const managedIdentityClientId = options?.managedIdentityClientId ??
|
|
3841
|
+
process.env.AZURE_CLIENT_ID;
|
|
3842
|
+
const workloadIdentityClientId = options?.workloadIdentityClientId ??
|
|
3843
|
+
managedIdentityClientId;
|
|
3745
3844
|
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3746
|
-
const tenantId =
|
|
3845
|
+
const tenantId = options?.tenantId ?? process.env.AZURE_TENANT_ID;
|
|
3747
3846
|
if (workloadFile && workloadIdentityClientId) {
|
|
3748
|
-
const workloadIdentityCredentialOptions =
|
|
3847
|
+
const workloadIdentityCredentialOptions = {
|
|
3848
|
+
...options,
|
|
3849
|
+
tenantId,
|
|
3850
|
+
clientId: workloadIdentityClientId,
|
|
3851
|
+
tokenFilePath: workloadFile,
|
|
3852
|
+
};
|
|
3749
3853
|
super(workloadIdentityCredentialOptions);
|
|
3750
3854
|
}
|
|
3751
3855
|
else if (tenantId) {
|
|
3752
|
-
const workloadIdentityClientTenantOptions =
|
|
3856
|
+
const workloadIdentityClientTenantOptions = {
|
|
3857
|
+
...options,
|
|
3858
|
+
tenantId,
|
|
3859
|
+
};
|
|
3753
3860
|
super(workloadIdentityClientTenantOptions);
|
|
3754
3861
|
}
|
|
3755
3862
|
else {
|
|
@@ -3759,17 +3866,26 @@ class DefaultWorkloadIdentityCredential extends WorkloadIdentityCredential {
|
|
|
3759
3866
|
}
|
|
3760
3867
|
class DefaultAzureDeveloperCliCredential extends AzureDeveloperCliCredential {
|
|
3761
3868
|
constructor(options) {
|
|
3762
|
-
super(
|
|
3869
|
+
super({
|
|
3870
|
+
processTimeoutInMs: options?.processTimeoutInMs,
|
|
3871
|
+
...options,
|
|
3872
|
+
});
|
|
3763
3873
|
}
|
|
3764
3874
|
}
|
|
3765
3875
|
class DefaultAzureCliCredential extends AzureCliCredential {
|
|
3766
3876
|
constructor(options) {
|
|
3767
|
-
super(
|
|
3877
|
+
super({
|
|
3878
|
+
processTimeoutInMs: options?.processTimeoutInMs,
|
|
3879
|
+
...options,
|
|
3880
|
+
});
|
|
3768
3881
|
}
|
|
3769
3882
|
}
|
|
3770
3883
|
class DefaultAzurePowershellCredential extends AzurePowerShellCredential {
|
|
3771
3884
|
constructor(options) {
|
|
3772
|
-
super(
|
|
3885
|
+
super({
|
|
3886
|
+
processTimeoutInMs: options?.processTimeoutInMs,
|
|
3887
|
+
...options,
|
|
3888
|
+
});
|
|
3773
3889
|
}
|
|
3774
3890
|
}
|
|
3775
3891
|
const defaultCredentials = [
|
|
@@ -3806,24 +3922,22 @@ const interactiveBrowserMockable = {
|
|
|
3806
3922
|
*/
|
|
3807
3923
|
class MsalOpenBrowser extends MsalNode {
|
|
3808
3924
|
constructor(options) {
|
|
3809
|
-
var _a, _b;
|
|
3810
3925
|
super(options);
|
|
3811
3926
|
this.loginHint = options.loginHint;
|
|
3812
|
-
this.errorTemplate =
|
|
3813
|
-
this.successTemplate =
|
|
3927
|
+
this.errorTemplate = options.browserCustomizationOptions?.errorMessage;
|
|
3928
|
+
this.successTemplate = options.browserCustomizationOptions?.successMessage;
|
|
3814
3929
|
this.logger = credentialLogger("Node.js MSAL Open Browser");
|
|
3815
3930
|
}
|
|
3816
3931
|
async doGetToken(scopes, options) {
|
|
3817
|
-
var _a;
|
|
3818
3932
|
try {
|
|
3819
3933
|
const interactiveRequest = {
|
|
3820
3934
|
openBrowser: async (url) => {
|
|
3821
3935
|
await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
|
|
3822
3936
|
},
|
|
3823
3937
|
scopes,
|
|
3824
|
-
authority: options
|
|
3825
|
-
claims: options
|
|
3826
|
-
correlationId: options
|
|
3938
|
+
authority: options?.authority,
|
|
3939
|
+
claims: options?.claims,
|
|
3940
|
+
correlationId: options?.correlationId,
|
|
3827
3941
|
loginHint: this.loginHint,
|
|
3828
3942
|
errorTemplate: this.errorTemplate,
|
|
3829
3943
|
successTemplate: this.successTemplate,
|
|
@@ -3838,14 +3952,14 @@ class MsalOpenBrowser extends MsalNode {
|
|
|
3838
3952
|
this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
|
|
3839
3953
|
}
|
|
3840
3954
|
if (this.enableMsaPassthrough) {
|
|
3841
|
-
(
|
|
3955
|
+
(interactiveRequest.tokenQueryParameters ?? (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
|
|
3842
3956
|
"consumer_passthrough";
|
|
3843
3957
|
}
|
|
3844
3958
|
}
|
|
3845
3959
|
if (hasNativeBroker() && !this.enableBroker) {
|
|
3846
3960
|
this.logger.verbose("Authentication will resume normally without the broker, since it's not enabled");
|
|
3847
3961
|
}
|
|
3848
|
-
const result = await this.getApp("public", options
|
|
3962
|
+
const result = await this.getApp("public", options?.enableCae).acquireTokenInteractive(interactiveRequest);
|
|
3849
3963
|
if (result.fromNativeBroker) {
|
|
3850
3964
|
this.logger.verbose(`This result is returned from native broker`);
|
|
3851
3965
|
}
|
|
@@ -3878,31 +3992,41 @@ class InteractiveBrowserCredential {
|
|
|
3878
3992
|
* @param options - Options for configuring the client which makes the authentication requests.
|
|
3879
3993
|
*/
|
|
3880
3994
|
constructor(options) {
|
|
3881
|
-
var _a, _b, _c;
|
|
3882
3995
|
const redirectUri = typeof options.redirectUri === "function"
|
|
3883
3996
|
? options.redirectUri()
|
|
3884
3997
|
: options.redirectUri || "http://localhost";
|
|
3885
|
-
this.tenantId = options
|
|
3886
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
3998
|
+
this.tenantId = options?.tenantId;
|
|
3999
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
3887
4000
|
const ibcNodeOptions = options;
|
|
3888
|
-
if (
|
|
3889
|
-
if (!
|
|
4001
|
+
if (ibcNodeOptions?.brokerOptions?.enabled) {
|
|
4002
|
+
if (!ibcNodeOptions?.brokerOptions?.parentWindowHandle) {
|
|
3890
4003
|
throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
|
|
3891
4004
|
}
|
|
3892
4005
|
else {
|
|
3893
|
-
this.msalFlow = new MsalOpenBrowser(
|
|
3894
|
-
|
|
4006
|
+
this.msalFlow = new MsalOpenBrowser({
|
|
4007
|
+
...options,
|
|
4008
|
+
tokenCredentialOptions: options,
|
|
4009
|
+
logger: logger$3,
|
|
4010
|
+
redirectUri,
|
|
4011
|
+
browserCustomizationOptions: ibcNodeOptions?.browserCustomizationOptions,
|
|
4012
|
+
brokerOptions: {
|
|
3895
4013
|
enabled: true,
|
|
3896
4014
|
parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
|
|
3897
|
-
legacyEnableMsaPassthrough:
|
|
3898
|
-
}
|
|
4015
|
+
legacyEnableMsaPassthrough: ibcNodeOptions.brokerOptions?.legacyEnableMsaPassthrough,
|
|
4016
|
+
},
|
|
4017
|
+
});
|
|
3899
4018
|
}
|
|
3900
4019
|
}
|
|
3901
4020
|
else {
|
|
3902
|
-
this.msalFlow = new MsalOpenBrowser(
|
|
3903
|
-
|
|
4021
|
+
this.msalFlow = new MsalOpenBrowser({
|
|
4022
|
+
...options,
|
|
4023
|
+
tokenCredentialOptions: options,
|
|
4024
|
+
logger: logger$3,
|
|
4025
|
+
redirectUri,
|
|
4026
|
+
browserCustomizationOptions: ibcNodeOptions?.browserCustomizationOptions,
|
|
4027
|
+
});
|
|
3904
4028
|
}
|
|
3905
|
-
this.disableAutomaticAuthentication = options
|
|
4029
|
+
this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;
|
|
3906
4030
|
}
|
|
3907
4031
|
/**
|
|
3908
4032
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -3920,7 +4044,10 @@ class InteractiveBrowserCredential {
|
|
|
3920
4044
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3921
4045
|
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
|
|
3922
4046
|
const arrayScopes = ensureScopes(scopes);
|
|
3923
|
-
return this.msalFlow.getToken(arrayScopes,
|
|
4047
|
+
return this.msalFlow.getToken(arrayScopes, {
|
|
4048
|
+
...newOptions,
|
|
4049
|
+
disableAutomaticAuthentication: this.disableAutomaticAuthentication,
|
|
4050
|
+
});
|
|
3924
4051
|
});
|
|
3925
4052
|
}
|
|
3926
4053
|
/**
|
|
@@ -3962,12 +4089,12 @@ class MsalDeviceCode extends MsalNode {
|
|
|
3962
4089
|
deviceCodeCallback: this.userPromptCallback,
|
|
3963
4090
|
scopes,
|
|
3964
4091
|
cancel: false,
|
|
3965
|
-
correlationId: options
|
|
3966
|
-
authority: options
|
|
3967
|
-
claims: options
|
|
4092
|
+
correlationId: options?.correlationId,
|
|
4093
|
+
authority: options?.authority,
|
|
4094
|
+
claims: options?.claims,
|
|
3968
4095
|
};
|
|
3969
|
-
const promise = this.getApp("public", options
|
|
3970
|
-
const deviceResponse = await this.withCancellation(promise, options
|
|
4096
|
+
const promise = this.getApp("public", options?.enableCae).acquireTokenByDeviceCode(requestOptions);
|
|
4097
|
+
const deviceResponse = await this.withCancellation(promise, options?.abortSignal, () => {
|
|
3971
4098
|
requestOptions.cancel = true;
|
|
3972
4099
|
});
|
|
3973
4100
|
return this.handleResult(scopes, this.clientId, deviceResponse || undefined);
|
|
@@ -4014,10 +4141,15 @@ class DeviceCodeCredential {
|
|
|
4014
4141
|
* @param options - Options for configuring the client which makes the authentication requests.
|
|
4015
4142
|
*/
|
|
4016
4143
|
constructor(options) {
|
|
4017
|
-
this.tenantId = options
|
|
4018
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
4019
|
-
this.msalFlow = new MsalDeviceCode(
|
|
4020
|
-
|
|
4144
|
+
this.tenantId = options?.tenantId;
|
|
4145
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
4146
|
+
this.msalFlow = new MsalDeviceCode({
|
|
4147
|
+
...options,
|
|
4148
|
+
logger: logger$2,
|
|
4149
|
+
userPromptCallback: options?.userPromptCallback || defaultDeviceCodePromptCallback,
|
|
4150
|
+
tokenCredentialOptions: options || {},
|
|
4151
|
+
});
|
|
4152
|
+
this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;
|
|
4021
4153
|
}
|
|
4022
4154
|
/**
|
|
4023
4155
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -4035,7 +4167,10 @@ class DeviceCodeCredential {
|
|
|
4035
4167
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
4036
4168
|
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$2);
|
|
4037
4169
|
const arrayScopes = ensureScopes(scopes);
|
|
4038
|
-
return this.msalFlow.getToken(arrayScopes,
|
|
4170
|
+
return this.msalFlow.getToken(arrayScopes, {
|
|
4171
|
+
...newOptions,
|
|
4172
|
+
disableAutomaticAuthentication: this.disableAutomaticAuthentication,
|
|
4173
|
+
});
|
|
4039
4174
|
});
|
|
4040
4175
|
}
|
|
4041
4176
|
/**
|
|
@@ -4083,13 +4218,13 @@ class MsalAuthorizationCode extends MsalNode {
|
|
|
4083
4218
|
}
|
|
4084
4219
|
async doGetToken(scopes, options) {
|
|
4085
4220
|
try {
|
|
4086
|
-
const result = await this.getApp("confidentialFirst", options
|
|
4221
|
+
const result = await this.getApp("confidentialFirst", options?.enableCae).acquireTokenByCode({
|
|
4087
4222
|
scopes,
|
|
4088
4223
|
redirectUri: this.redirectUri,
|
|
4089
4224
|
code: this.authorizationCode,
|
|
4090
|
-
correlationId: options
|
|
4091
|
-
authority: options
|
|
4092
|
-
claims: options
|
|
4225
|
+
correlationId: options?.correlationId,
|
|
4226
|
+
authority: options?.authority,
|
|
4227
|
+
claims: options?.claims,
|
|
4093
4228
|
});
|
|
4094
4229
|
// The Client Credential flow does not return an account,
|
|
4095
4230
|
// so each time getToken gets called, we will have to acquire a new token through the service.
|
|
@@ -4134,10 +4269,17 @@ class AuthorizationCodeCredential {
|
|
|
4134
4269
|
}
|
|
4135
4270
|
// TODO: Validate tenant if provided
|
|
4136
4271
|
this.tenantId = tenantId;
|
|
4137
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options
|
|
4138
|
-
this.msalFlow = new MsalAuthorizationCode(
|
|
4272
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options?.additionallyAllowedTenants);
|
|
4273
|
+
this.msalFlow = new MsalAuthorizationCode({
|
|
4274
|
+
...options,
|
|
4275
|
+
clientSecret,
|
|
4139
4276
|
clientId,
|
|
4140
|
-
tenantId,
|
|
4277
|
+
tenantId,
|
|
4278
|
+
tokenCredentialOptions: options || {},
|
|
4279
|
+
logger: logger$1,
|
|
4280
|
+
redirectUri: this.redirectUri,
|
|
4281
|
+
authorizationCode: this.authorizationCode,
|
|
4282
|
+
});
|
|
4141
4283
|
}
|
|
4142
4284
|
/**
|
|
4143
4285
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -4152,7 +4294,10 @@ class AuthorizationCodeCredential {
|
|
|
4152
4294
|
const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
|
4153
4295
|
newOptions.tenantId = tenantId;
|
|
4154
4296
|
const arrayScopes = ensureScopes(scopes);
|
|
4155
|
-
return this.msalFlow.getToken(arrayScopes,
|
|
4297
|
+
return this.msalFlow.getToken(arrayScopes, {
|
|
4298
|
+
...newOptions,
|
|
4299
|
+
disableAutomaticAuthentication: this.disableAutomaticAuthentication,
|
|
4300
|
+
});
|
|
4156
4301
|
});
|
|
4157
4302
|
}
|
|
4158
4303
|
}
|
|
@@ -4229,7 +4374,11 @@ class OnBehalfOfCredential {
|
|
|
4229
4374
|
}
|
|
4230
4375
|
this.tenantId = tenantId;
|
|
4231
4376
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
|
|
4232
|
-
this.msalFlow = new MsalOnBehalfOf(
|
|
4377
|
+
this.msalFlow = new MsalOnBehalfOf({
|
|
4378
|
+
...this.options,
|
|
4379
|
+
logger,
|
|
4380
|
+
tokenCredentialOptions: this.options,
|
|
4381
|
+
});
|
|
4233
4382
|
}
|
|
4234
4383
|
/**
|
|
4235
4384
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|