@azure/identity 4.0.2-alpha.20240122.4 → 4.1.0-alpha.20240124.2

package/dist/index.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var msalCommon = require('@azure/msal-node');
-var logger$o = require('@azure/logger');
+var logger$p = require('@azure/logger');
 var abortController = require('@azure/abort-controller');
 var coreUtil = require('@azure/core-util');
 var coreClient = require('@azure/core-client');
@@ -39,6 +39,145 @@ function _interopNamespaceDefault(e) {
 var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
 var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Current version of the `@azure/identity` package.
+ */
+const SDK_VERSION = `4.1.0-beta.1`;
+/**
+ * The default client ID for authentication
+ * @internal
+ */
+// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
+// Developer Sign On application is available
+// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
+const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+/**
+ * The default tenant for authentication
+ * @internal
+ */
+const DefaultTenantId = "common";
+/**
+ * A list of known Azure authority hosts
+ */
+exports.AzureAuthorityHosts = void 0;
+(function (AzureAuthorityHosts) {
+    /**
+     * China-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
+    /**
+     * Germany-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
+    /**
+     * US Government Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
+    /**
+     * Public Cloud Azure Authority Host
+     */
+    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
+})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+/**
+ * @internal
+ * The default authority host.
+ */
+const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
+/**
+ * @internal
+ * Allow acquiring tokens for any tenant for multi-tentant auth.
+ */
+const ALL_TENANTS = ["*"];
+/**
+ * @internal
+ */
+const CACHE_CAE_SUFFIX = ".cae";
+/**
+ * @internal
+ */
+const CACHE_NON_CAE_SUFFIX = ".nocae";
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * The AzureLogger used for all clients within the identity package
+ */
+const logger$o = logger$p.createClientLogger("identity");
+/**
+ * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
+ * @param supportedEnvVars - List of environment variable names
+ */
+function processEnvVars(supportedEnvVars) {
+    return supportedEnvVars.reduce((acc, envVariable) => {
+        if (process.env[envVariable]) {
+            acc.assigned.push(envVariable);
+        }
+        else {
+            acc.missing.push(envVariable);
+        }
+        return acc;
+    }, { missing: [], assigned: [] });
+}
+/**
+ * Formatting the success event on the credentials
+ */
+function formatSuccess(scope) {
+    return `SUCCESS. Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
+}
+/**
+ * Formatting the success event on the credentials
+ */
+function formatError(scope, error) {
+    let message = "ERROR.";
+    if (scope === null || scope === void 0 ? void 0 : scope.length) {
+        message += ` Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
+    }
+    return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
+}
+/**
+ * Generates a CredentialLoggerInstance.
+ *
+ * It logs with the format:
+ *
+ *   `[title] => [message]`
+ *
+ */
+function credentialLoggerInstance(title, parent, log = logger$o) {
+    const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
+    function info(message) {
+        log.info(`${fullTitle} =>`, message);
+    }
+    function warning(message) {
+        log.warning(`${fullTitle} =>`, message);
+    }
+    function verbose(message) {
+        log.verbose(`${fullTitle} =>`, message);
+    }
+    return {
+        title,
+        fullTitle,
+        info,
+        warning,
+        verbose,
+    };
+}
+/**
+ * Generates a CredentialLogger, which is a logger declared at the credential's constructor, and used at any point in the credential.
+ * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.
+ *
+ * It logs with the format:
+ *
+ *   `[title] => [message]`
+ *   `[title] => getToken() => [message]`
+ *
+ */
+function credentialLogger(title, log = logger$o) {
+    const credLogger = credentialLoggerInstance(title, undefined, log);
+    return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
+}
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 function isErrorResponse(errorResponse) {
@@ -161,144 +300,9 @@ class AuthenticationRequiredError extends Error {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
- * The AzureLogger used for all clients within the identity package
- */
-const logger$n = logger$o.createClientLogger("identity");
-/**
- * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
- * @param supportedEnvVars - List of environment variable names
- */
-function processEnvVars(supportedEnvVars) {
-    return supportedEnvVars.reduce((acc, envVariable) => {
-        if (process.env[envVariable]) {
-            acc.assigned.push(envVariable);
-        }
-        else {
-            acc.missing.push(envVariable);
-        }
-        return acc;
-    }, { missing: [], assigned: [] });
-}
-/**
- * Formatting the success event on the credentials
- */
-function formatSuccess(scope) {
-    return `SUCCESS. Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
-}
-/**
- * Formatting the success event on the credentials
- */
-function formatError(scope, error) {
-    let message = "ERROR.";
-    if (scope === null || scope === void 0 ? void 0 : scope.length) {
-        message += ` Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
-    }
-    return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
-}
-/**
- * Generates a CredentialLoggerInstance.
- *
- * It logs with the format:
- *
- *   `[title] => [message]`
- *
- */
-function credentialLoggerInstance(title, parent, log = logger$n) {
-    const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
-    function info(message) {
-        log.info(`${fullTitle} =>`, message);
-    }
-    function warning(message) {
-        log.warning(`${fullTitle} =>`, message);
-    }
-    function verbose(message) {
-        log.verbose(`${fullTitle} =>`, message);
-    }
-    return {
-        title,
-        fullTitle,
-        info,
-        warning,
-        verbose,
-    };
-}
-/**
- * Generates a CredentialLogger, which is a logger declared at the credential's constructor, and used at any point in the credential.
- * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.
- *
- * It logs with the format:
- *
- *   `[title] => [message]`
- *   `[title] => getToken() => [message]`
- *
- */
-function credentialLogger(title, log = logger$n) {
-    const credLogger = credentialLoggerInstance(title, undefined, log);
-    return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Current version of the `@azure/identity` package.
- */
-const SDK_VERSION = `4.0.2`;
-/**
- * The default client ID for authentication
- * @internal
- */
-// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
-// Developer Sign On application is available
-// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
-const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
-/**
- * The default tenant for authentication
  * @internal
  */
-const DefaultTenantId = "common";
-/**
- * A list of known Azure authority hosts
- */
-exports.AzureAuthorityHosts = void 0;
-(function (AzureAuthorityHosts) {
-    /**
-     * China-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
-    /**
-     * Germany-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
-    /**
-     * US Government Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
-    /**
-     * Public Cloud Azure Authority Host
-     */
-    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
-})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
-/**
- * @internal
- * The default authority host.
- */
-const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
-/**
- * @internal
- * Allow acquiring tokens for any tenant for multi-tentant auth.
- */
-const ALL_TENANTS = ["*"];
-/**
- * @internal
- */
-const CACHE_CAE_SUFFIX = ".cae";
-/**
- * @internal
- */
-const CACHE_NON_CAE_SUFFIX = ".nocae";
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+const logger$n = credentialLogger("IdentityUtils");
 /**
  * Latest AuthenticationRecord version
  * @internal
@@ -308,9 +312,9 @@ const LatestAuthenticationRecordVersion = "1.0";
  * Ensures the validity of the MSAL token
  * @internal
  */
-function ensureValidMsalToken(scopes, logger, msalToken, getTokenOptions) {
+function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
     const error = (message) => {
-        logger.getToken.info(message);
+        logger$n.getToken.info(message);
         return new AuthenticationRequiredError({
             scopes: Array.isArray(scopes) ? scopes : [scopes],
             getTokenOptions,
@@ -360,25 +364,25 @@ function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery)
 }
 /**
  * Generates a logger that can be passed to the MSAL clients.
- * @param logger - The logger of the credential.
+ * @param credLogger - The logger of the credential.
  * @internal
  */
-const defaultLoggerCallback = (logger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
+const defaultLoggerCallback = (credLogger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
     if (containsPii) {
         return;
     }
     switch (level) {
         case msalCommon__namespace.LogLevel.Error:
-            logger.info(`MSAL ${platform} V2 error: ${message}`);
+            credLogger.info(`MSAL ${platform} V2 error: ${message}`);
             return;
         case msalCommon__namespace.LogLevel.Info:
-            logger.info(`MSAL ${platform} V2 info message: ${message}`);
+            credLogger.info(`MSAL ${platform} V2 info message: ${message}`);
             return;
         case msalCommon__namespace.LogLevel.Verbose:
-            logger.info(`MSAL ${platform} V2 verbose message: ${message}`);
+            credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);
             return;
         case msalCommon__namespace.LogLevel.Warning:
-            logger.info(`MSAL ${platform} V2 warning: ${message}`);
+            credLogger.info(`MSAL ${platform} V2 warning: ${message}`);
             return;
     }
 };
@@ -401,75 +405,39 @@ function getMSALLogLevel(logLevel) {
     }
 }
 /**
- * The common utility functions for the MSAL clients.
- * Defined as a class so that the classes extending this one can have access to its methods and protected properties.
- *
- * It keeps track of a logger and an in-memory copy of the AuthenticationRecord.
- *
- * @internal
+ * Handles MSAL errors.
  */
-class MsalBaseUtilities {
-    constructor(options) {
-        this.logger = options.logger;
-        this.account = options.authenticationRecord;
-    }
-    /**
-     * Generates a UUID
-     */
-    generateUuid() {
-        return coreUtil.randomUUID();
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, clientId, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(clientId, result.account);
+function handleMsalError(scopes, error, getTokenOptions) {
+    if (error.name === "AuthError" ||
+        error.name === "ClientAuthError" ||
+        error.name === "BrowserAuthError") {
+        const msalError = error;
+        switch (msalError.errorCode) {
+            case "endpoints_resolution_error":
+                logger$n.info(formatError(scopes, error.message));
+                return new CredentialUnavailableError(error.message);
+            case "device_code_polling_cancelled":
+                return new abortController.AbortError("The authentication has been aborted by the caller.");
+            case "consent_required":
+            case "interaction_required":
+            case "login_required":
+                logger$n.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
+                break;
+            default:
+                logger$n.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
+                break;
         }
-        ensureValidMsalToken(scopes, this.logger, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
     }
-    /**
-     * Handles MSAL errors.
-     */
-    handleError(scopes, error, getTokenOptions) {
-        if (error.name === "AuthError" ||
-            error.name === "ClientAuthError" ||
-            error.name === "BrowserAuthError") {
-            const msalError = error;
-            switch (msalError.errorCode) {
-                case "endpoints_resolution_error":
-                    this.logger.info(formatError(scopes, error.message));
-                    return new CredentialUnavailableError(error.message);
-                case "device_code_polling_cancelled":
-                    return new abortController.AbortError("The authentication has been aborted by the caller.");
-                case "consent_required":
-                case "interaction_required":
-                case "login_required":
-                    this.logger.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
-                    break;
-                default:
-                    this.logger.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
-                    break;
-            }
-        }
-        if (error.name === "ClientConfigurationError" ||
-            error.name === "BrowserConfigurationAuthError" ||
-            error.name === "AbortError") {
-            return error;
-        }
-        if (error.name === "NativeAuthError") {
-            this.logger.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
-            return error;
-        }
-        return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
+    if (error.name === "ClientConfigurationError" ||
+        error.name === "BrowserConfigurationAuthError" ||
+        error.name === "AbortError") {
+        return error;
+    }
+    if (error.name === "NativeAuthError") {
+        logger$n.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
+        return error;
     }
+    return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
 }
 // transformations.ts
 function publicToMsal(account) {
@@ -735,7 +703,7 @@ class IdentityClient extends coreClient.ServiceClient {
         this.tokenCredentialOptions = Object.assign({}, options);
     }
     async sendTokenRequest(request) {
-        logger$n.info(`IdentityClient: sending token request to [${request.url}]`);
+        logger$o.info(`IdentityClient: sending token request to [${request.url}]`);
         const response = await this.sendRequest(request);
         if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
             const parsedBody = JSON.parse(response.bodyAsText);
@@ -750,12 +718,12 @@ class IdentityClient extends coreClient.ServiceClient {
                 },
                 refreshToken: parsedBody.refresh_token,
             };
-            logger$n.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+            logger$o.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
             return token;
         }
         else {
             const error = new AuthenticationError(response.status, response.bodyAsText);
-            logger$n.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+            logger$o.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
             throw error;
         }
     }
@@ -763,7 +731,7 @@ class IdentityClient extends coreClient.ServiceClient {
         if (refreshToken === undefined) {
             return null;
         }
-        logger$n.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
+        logger$o.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
         const refreshParams = {
             grant_type: "refresh_token",
             client_id: clientId,
@@ -789,7 +757,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     tracingOptions: updatedOptions.tracingOptions,
                 });
                 const response = await this.sendTokenRequest(request);
-                logger$n.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+                logger$o.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
                 return response;
             }
             catch (err) {
@@ -798,11 +766,11 @@ class IdentityClient extends coreClient.ServiceClient {
                     // It's likely that the refresh token has expired, so
                     // return null so that the credential implementation will
                     // initiate the authentication flow again.
-                    logger$n.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+                    logger$o.info(`IdentityClient: interaction required for client ID: ${clientId}`);
                     return null;
                 }
                 else {
-                    logger$n.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+                    logger$o.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
                     throw err;
                 }
             }
@@ -911,10 +879,10 @@ class IdentityClient extends coreClient.ServiceClient {
             }
             const base64Metadata = accessToken.split(".")[1];
             const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
-            logger$n.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+            logger$o.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
         }
         catch (e) {
-            logger$n.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+            logger$o.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
         }
     }
 }
@@ -1078,13 +1046,13 @@ const msalNodeFlowNativeBrokerControl = {
  *
  * @internal
  */
-class MsalNode extends MsalBaseUtilities {
+class MsalNode {
     constructor(options) {
         var _a, _b, _c, _d, _e, _f, _g;
-        super(options);
         this.app = {};
         this.caeApp = {};
         this.requiresConfidential = false;
+        this.logger = options.logger;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
@@ -1147,7 +1115,7 @@ class MsalNode extends MsalBaseUtilities {
                 networkClient: this.identityClient,
                 loggerOptions: {
                     loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$o.getLogLevel()),
+                    logLevel: getMSALLogLevel(logger$p.getLogLevel()),
                     piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
                 },
             },
@@ -1317,10 +1285,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
              */
             await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
             const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
-            return this.handleResult(scopes, this.clientId, response || undefined);
+            return this.handleResult(scopes, response || undefined);
         }
         catch (err) {
-            throw this.handleError(scopes, err, options);
+            throw handleMsalError(scopes, err, options);
         }
     }
     /**
@@ -1331,7 +1299,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
             this.tenantId;
         options.authority = getAuthority(tenantId, this.authorityHost);
-        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || coreUtil.randomUUID();
         await this.init(options);
         try {
             // MSAL now caches tokens based on their claims,
@@ -1362,6 +1330,22 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return this.doGetToken(scopes, options);
         }
     }
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+            this.account = msalToPublic(this.clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -2007,7 +1991,7 @@ class MsalClientAssertion extends MsalNode {
             });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (err) {
             let err2 = err;
@@ -2017,7 +2001,7 @@ class MsalClientAssertion extends MsalNode {
             else {
                 err2 = coreUtil.isError(err) ? err : new Error(String(err));
             }
-            throw this.handleError(scopes, err2, options);
+            throw handleMsalError(scopes, err2, options);
         }
     }
 }
@@ -2405,7 +2389,7 @@ class ManagedIdentityCredential {
             },
             system: {
                 loggerOptions: {
-                    logLevel: getMSALLogLevel(logger$o.getLogLevel()),
+                    logLevel: getMSALLogLevel(logger$p.getLogLevel()),
                 },
             },
         });
@@ -2783,13 +2767,9 @@ class AzureCliCredential {
                 }
                 try {
                     const responseData = obj.stdout;
-                    const response = JSON.parse(responseData);
+                    const response = this.parseRawResponse(responseData);
                     logger$b.getToken.info(formatSuccess(scopes));
-                    const returnValue = {
-                        token: response.accessToken,
-                        expiresOnTimestamp: new Date(response.expiresOn).getTime(),
-                    };
-                    return returnValue;
+                    return response;
                 }
                 catch (e) {
                     if (obj.stderr) {
@@ -2807,6 +2787,40 @@ class AzureCliCredential {
             }
         });
     }
+    /**
+     * Parses the raw JSON response from the Azure CLI into a usable AccessToken object
+     *
+     * @param rawResponse - The raw JSON response from the Azure CLI
+     * @returns An access token with the expiry time parsed from the raw response
+     *
+     * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
+     *
+     * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
+     */
+    parseRawResponse(rawResponse) {
+        const response = JSON.parse(rawResponse);
+        const token = response.accessToken;
+        // if available, expires_on will be a number representing seconds since epoch.
+        // ensure it's a number or NaN
+        let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
+        if (!isNaN(expiresOnTimestamp)) {
+            logger$b.getToken.info("expires_on is available and is valid, using it");
+            return {
+                token,
+                expiresOnTimestamp,
+            };
+        }
+        // fallback to the older expiresOn - an RFC3339 date string
+        expiresOnTimestamp = new Date(response.expiresOn).getTime();
+        // ensure expiresOn is well-formatted
+        if (isNaN(expiresOnTimestamp)) {
+            throw new CredentialUnavailableError(`Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got: "${response.expiresOn}"`);
+        }
+        return {
+            token,
+            expiresOnTimestamp,
+        };
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -3195,10 +3209,10 @@ class MsalClientCertificate extends MsalNode {
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
             // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (err) {
-            throw this.handleError(scopes, err, options);
+            throw handleMsalError(scopes, err, options);
         }
     }
 }
@@ -3281,10 +3295,10 @@ class MsalClientSecret extends MsalNode {
             });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (err) {
-            throw this.handleError(scopes, err, options);
+            throw handleMsalError(scopes, err, options);
         }
     }
 }
@@ -3362,10 +3376,10 @@ class MsalUsernamePassword extends MsalNode {
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
             const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (error) {
-            throw this.handleError(scopes, error, options);
+            throw handleMsalError(scopes, error, options);
         }
     }
 }
@@ -3857,10 +3871,10 @@ class MsalOpenBrowser extends MsalNode {
             if (result.fromNativeBroker) {
                 this.logger.verbose(`This result is returned from native broker`);
             }
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (err) {
-            throw this.handleError(scopes, err, options);
+            throw handleMsalError(scopes, err, options);
         }
     }
 }
@@ -3978,10 +3992,10 @@ class MsalDeviceCode extends MsalNode {
             const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
                 requestOptions.cancel = true;
             });
-            return this.handleResult(scopes, this.clientId, deviceResponse || undefined);
+            return this.handleResult(scopes, deviceResponse || undefined);
         }
         catch (error) {
-            throw this.handleError(scopes, error, options);
+            throw handleMsalError(scopes, error, options);
         }
     }
 }
@@ -4101,10 +4115,10 @@ class MsalAuthorizationCode extends MsalNode {
             });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (err) {
-            throw this.handleError(scopes, err, options);
+            throw handleMsalError(scopes, err, options);
         }
     }
 }
@@ -4211,10 +4225,10 @@ class MsalOnBehalfOf extends MsalNode {
                 claims: options.claims,
                 oboAssertion: this.userAssertionToken,
             });
-            return this.handleResult(scopes, this.clientId, result || undefined);
+            return this.handleResult(scopes, result || undefined);
         }
         catch (err) {
-            throw this.handleError(scopes, err, options);
+            throw handleMsalError(scopes, err, options);
         }
     }
 }
@@ -4290,7 +4304,7 @@ exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
 exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
-exports.logger = logger$n;
+exports.logger = logger$o;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
 exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map