@azure/identity 4.1.0-alpha.20240328.2 → 4.1.0-alpha.20240409.1

package/dist/index.js

@@ -12,8 +12,8 @@ var fs = require('fs');
 var os = require('os');
 var path = require('path');
 var msalCommon = require('@azure/msal-node');
-var promises = require('fs/promises');
 var https = require('https');
+var promises = require('fs/promises');
 var child_process = require('child_process');
 var crypto = require('crypto');
 var util = require('util');
@@ -1022,7 +1022,7 @@ const appServiceMsi2017 = {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
+const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2019";
 const logger$m = credentialLogger(msiName$5);
 /**
  * Generates the options used on the request for an access token.
@@ -1032,58 +1032,54 @@ function prepareRequestOptions$4(scopes, clientId, resourceId) {
     if (!resource) {
         throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
     }
-    const body = {
+    const queryParameters = {
         resource,
+        "api-version": "2019-08-01",
     };
     if (clientId) {
-        body.client_id = clientId;
+        queryParameters.client_id = clientId;
     }
     if (resourceId) {
-        body.msi_res_id = resourceId;
+        queryParameters.mi_res_id = resourceId;
     }
+    const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_HEADER`);
     }
-    const params = new URLSearchParams(body);
     return {
-        url: process.env.MSI_ENDPOINT,
-        method: "POST",
-        body: params.toString(),
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
         headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            Metadata: "true",
-            "Content-Type": "application/x-www-form-urlencoded",
+            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
         }),
     };
 }
 /**
- * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
- * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
+ * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
-const cloudShellMsi = {
-    name: "cloudShellMsi",
+const appServiceMsi2019 = {
+    name: "appServiceMsi2019",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
             logger$m.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
-        const result = Boolean(process.env.MSI_ENDPOINT);
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
         if (!result) {
-            logger$m.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+            logger$m.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$m.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$m.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
-        }
-        logger$m.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        logger$m.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
@@ -1094,159 +1090,16 @@ const cloudShellMsi = {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$4 = "ManagedIdentityCredential - IMDS";
+const msiName$4 = "ManagedIdentityCredential - Azure Arc MSI";
 const logger$l = credentialLogger(msiName$4);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
-    var _a;
+function prepareRequestOptions$3(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
     }
-    const { skipQuery, skipMetadataHeader } = options || {};
-    let query = "";
-    // Pod Identity will try to process this request even if the Metadata header is missing.
-    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
-    if (!skipQuery) {
-        const queryParameters = {
-            resource,
-            "api-version": imdsApiVersion,
-        };
-        if (clientId) {
-            queryParameters.client_id = clientId;
-        }
-        if (resourceId) {
-            queryParameters.msi_res_id = resourceId;
-        }
-        const params = new URLSearchParams(queryParameters);
-        query = `?${params.toString()}`;
-    }
-    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
-    const rawHeaders = {
-        Accept: "application/json",
-        Metadata: "true",
-    };
-    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
-    if (skipMetadataHeader) {
-        delete rawHeaders.Metadata;
-    }
-    return {
-        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
-        url: `${url}${query}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders(rawHeaders),
-    };
-}
-// 800ms -> 1600ms -> 3200ms
-const imdsMsiRetryConfig = {
-    maxRetries: 3,
-    startDelayInMs: 800,
-    intervalIncrement: 2,
-};
-/**
- * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
- */
-const imdsMsi = {
-    name: "imdsMsi",
-    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$l.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
-        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            return true;
-        }
-        if (!identityClient) {
-            throw new Error("Missing IdentityClient");
-        }
-        const requestOptions = prepareRequestOptions$3(resource, clientId, resourceId, {
-            skipMetadataHeader: true,
-            skipQuery: true,
-        });
-        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
-            var _a, _b;
-            requestOptions.tracingOptions = options.tracingOptions;
-            // Create a request with a timeout since we expect that
-            // not having a "Metadata" header should cause an error to be
-            // returned quickly from the endpoint, proving its availability.
-            const request = coreRestPipeline.createPipelineRequest(requestOptions);
-            // Default to 1000 if the default of 0 is used.
-            // Negative values can still be used to disable the timeout.
-            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
-            // This MSI uses the imdsEndpoint to get the token, which only uses http://
-            request.allowInsecureConnection = true;
-            let response;
-            try {
-                logger$l.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
-                response = await identityClient.sendRequest(request);
-            }
-            catch (err) {
-                // If the request failed, or Node.js was unable to establish a connection,
-                // or the host was down, we'll assume the IMDS endpoint isn't available.
-                if (coreUtil.isError(err)) {
-                    logger$l.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
-                }
-                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
-                // rather than just timing out, as expected.
-                logger$l.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
-                return false;
-            }
-            if (response.status === 403) {
-                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("A socket operation was attempted to an unreachable network")) {
-                    logger$l.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
-                    logger$l.info(`${msiName$4}: ${response.bodyAsText}`);
-                    return false;
-                }
-            }
-            // If we received any response, the endpoint is available
-            logger$l.info(`${msiName$4}: The Azure IMDS endpoint is available`);
-            return true;
-        });
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            logger$l.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
-        }
-        else {
-            logger$l.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
-        }
-        let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
-        for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
-            try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
-                const tokenResponse = await identityClient.sendTokenRequest(request);
-                return (tokenResponse && tokenResponse.accessToken) || null;
-            }
-            catch (error) {
-                if (error.statusCode === 404) {
-                    await coreUtil.delay(nextDelayInMs);
-                    nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
-                    continue;
-                }
-                throw error;
-            }
-        }
-        throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$k = credentialLogger(msiName$3);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$2(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
-    }
     const queryParameters = {
         resource,
         "api-version": azureArcAPIVersion,
@@ -1259,7 +1112,7 @@ function prepareRequestOptions$2(scopes, clientId, resourceId) {
     }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
+        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
     const query = new URLSearchParams(queryParameters);
     return coreRestPipeline.createPipelineRequest({
@@ -1294,7 +1147,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         if (response.bodyAsText) {
             message = ` Response: ${response.bodyAsText}`;
         }
-        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+        throw new AuthenticationError(response.status, `${msiName$4}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
     const authHeader = response.headers.get("www-authenticate") || "";
     try {
@@ -1312,12 +1165,12 @@ const arcMsi = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$k.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            logger$l.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$k.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+            logger$l.info(`${msiName$4}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
@@ -1325,16 +1178,16 @@ const arcMsi = {
         var _a;
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$k.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$l.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$k.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+            logger$l.warning(`${msiName$4}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
         }
-        logger$k.info(`${msiName$3}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        logger$l.info(`${msiName$4}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
-            throw new Error(`${msiName$3}: Failed to find the token file.`);
+            throw new Error(`${msiName$4}: Failed to find the token file.`);
         }
         const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
@@ -1346,12 +1199,174 @@ const arcMsi = {
     },
 };
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$3 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$k = credentialLogger(msiName$3);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$2(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+    }
+    const body = {
+        resource,
+    };
+    if (clientId) {
+        body.client_id = clientId;
+    }
+    if (resourceId) {
+        body.msi_res_id = resourceId;
+    }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$3}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    const params = new URLSearchParams(body);
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: params.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Metadata: "true",
+            "Content-Type": "application/x-www-form-urlencoded",
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
+ * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
+ */
+const cloudShellMsi = {
+    name: "cloudShellMsi",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$k.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+            logger$k.info(`${msiName$3}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+            logger$k.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$k.warning(`${msiName$3}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+        }
+        logger$k.info(`${msiName$3}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
+const msiName$2 = "ManagedIdentityCredential - Fabric MSI";
+const logger$j = credentialLogger(msiName$2);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$1(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion,
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
+    }
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            secret: process.env.IDENTITY_HEADER,
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
+ */
+const fabricMsi = {
+    name: "fabricMsi",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$j.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        if (!result) {
+            logger$j.info(`${msiName$2}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$j.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
+        logger$j.info([
+            `${msiName$2}:`,
+            "Using the endpoint and the secret coming from the environment variables:",
+            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+            "IDENTITY_HEADER=[REDACTED] and",
+            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
+        ].join(" "));
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
+        request.agent = new https.Agent({
+            // This is necessary because Service Fabric provides a self-signed certificate.
+            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+            rejectUnauthorized: false,
+        });
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
  * @internal
  */
-const logger$j = credentialLogger("IdentityUtils");
+const logger$i = credentialLogger("IdentityUtils");
 /**
  * Latest AuthenticationRecord version
  * @internal
@@ -1363,7 +1378,7 @@ const LatestAuthenticationRecordVersion = "1.0";
  */
 function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
     const error = (message) => {
-        logger$j.getToken.info(message);
+        logger$i.getToken.info(message);
         return new AuthenticationRequiredError({
             scopes: Array.isArray(scopes) ? scopes : [scopes],
             getTokenOptions,
@@ -1473,17 +1488,17 @@ function handleMsalError(scopes, error, getTokenOptions) {
         const msalError = error;
         switch (msalError.errorCode) {
             case "endpoints_resolution_error":
-                logger$j.info(formatError(scopes, error.message));
+                logger$i.info(formatError(scopes, error.message));
                 return new CredentialUnavailableError(error.message);
             case "device_code_polling_cancelled":
                 return new abortController.AbortError("The authentication has been aborted by the caller.");
             case "consent_required":
             case "interaction_required":
             case "login_required":
-                logger$j.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
+                logger$i.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
                 break;
             default:
-                logger$j.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
+                logger$i.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
                 break;
         }
     }
@@ -1493,7 +1508,7 @@ function handleMsalError(scopes, error, getTokenOptions) {
         return error;
     }
     if (error.name === "NativeAuthError") {
-        logger$j.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
+        logger$i.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
         return error;
     }
     return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
@@ -1532,31 +1547,168 @@ function serializeAuthenticationRecord(record) {
     return JSON.stringify(record);
 }
 /**
- * Deserializes a previously serialized authentication record from a string into an object.
- *
- * The input string must contain the following properties:
- *
- * - "authority"
- * - "homeAccountId"
- * - "clientId"
- * - "tenantId"
- * - "username"
- * - "version"
- *
- * If the version we receive is unsupported, an error will be thrown.
- *
- * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
- *
- * @param serializedRecord - Authentication record previously serialized into string.
- * @returns AuthenticationRecord.
+ * Deserializes a previously serialized authentication record from a string into an object.
+ *
+ * The input string must contain the following properties:
+ *
+ * - "authority"
+ * - "homeAccountId"
+ * - "clientId"
+ * - "tenantId"
+ * - "username"
+ * - "version"
+ *
+ * If the version we receive is unsupported, an error will be thrown.
+ *
+ * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
+ *
+ * @param serializedRecord - Authentication record previously serialized into string.
+ * @returns AuthenticationRecord.
+ */
+function deserializeAuthenticationRecord(serializedRecord) {
+    const parsed = JSON.parse(serializedRecord);
+    if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
+        throw Error("Unsupported AuthenticationRecord version");
+    }
+    return parsed;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$1 = "ManagedIdentityCredential - IMDS";
+const logger$h = credentialLogger(msiName$1);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions(scopes, clientId, resourceId, options) {
+    var _a;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
+    }
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion,
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        if (resourceId) {
+            queryParameters.msi_res_id = resourceId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
+    }
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true",
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
+    }
+    return {
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders(rawHeaders),
+    };
+}
+/**
+ * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
  */
-function deserializeAuthenticationRecord(serializedRecord) {
-    const parsed = JSON.parse(serializedRecord);
-    if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
-        throw Error("Unsupported AuthenticationRecord version");
-    }
-    return parsed;
-}
+const imdsMsi = {
+    name: "imdsMsi",
+    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$h.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            return true;
+        }
+        if (!identityClient) {
+            throw new Error("Missing IdentityClient");
+        }
+        const requestOptions = prepareRequestOptions(resource, clientId, resourceId, {
+            skipMetadataHeader: true,
+            skipQuery: true,
+        });
+        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
+            var _a, _b;
+            requestOptions.tracingOptions = options.tracingOptions;
+            // Create a request with a timeout since we expect that
+            // not having a "Metadata" header should cause an error to be
+            // returned quickly from the endpoint, proving its availability.
+            const request = coreRestPipeline.createPipelineRequest(requestOptions);
+            // Default to 1000 if the default of 0 is used.
+            // Negative values can still be used to disable the timeout.
+            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
+            let response;
+            try {
+                logger$h.info(`${msiName$1}: Pinging the Azure IMDS endpoint`);
+                response = await identityClient.sendRequest(request);
+            }
+            catch (err) {
+                // If the request failed, or Node.js was unable to establish a connection,
+                // or the host was down, we'll assume the IMDS endpoint isn't available.
+                if (coreUtil.isError(err)) {
+                    logger$h.verbose(`${msiName$1}: Caught error ${err.name}: ${err.message}`);
+                }
+                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
+                // rather than just timing out, as expected.
+                logger$h.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
+                return false;
+            }
+            if (response.status === 403) {
+                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("unreachable")) {
+                    logger$h.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
+                    logger$h.info(`${msiName$1}: ${response.bodyAsText}`);
+                    return false;
+                }
+            }
+            // If we received any response, the endpoint is available
+            logger$h.info(`${msiName$1}: The Azure IMDS endpoint is available`);
+            return true;
+        });
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            logger$h.info(`${msiName$1}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
+        }
+        else {
+            logger$h.info(`${msiName$1}: Using the default Azure IMDS endpoint ${imdsHost}.`);
+        }
+        let nextDelayInMs = configuration.retryConfig.startDelayInMs;
+        for (let retries = 0; retries < configuration.retryConfig.maxRetries; retries++) {
+            try {
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
+                const tokenResponse = await identityClient.sendTokenRequest(request);
+                return (tokenResponse && tokenResponse.accessToken) || null;
+            }
+            catch (error) {
+                if (error.statusCode === 404) {
+                    await coreUtil.delay(nextDelayInMs);
+                    nextDelayInMs *= configuration.retryConfig.intervalIncrement;
+                    continue;
+                }
+                throw error;
+            }
+        }
+        throw new AuthenticationError(404, `${msiName$1}: Failed to retrieve IMDS token after ${configuration.retryConfig.maxRetries} retries.`);
+    },
+};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -2047,7 +2199,7 @@ class MsalClientAssertion extends MsalNode {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const logger$i = credentialLogger("ClientAssertionCredential");
+const logger$g = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
  */
@@ -2070,7 +2222,7 @@ class ClientAssertionCredential {
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.clientId = clientId;
         this.options = options;
-        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$i, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
+        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$g, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2082,7 +2234,7 @@ class ClientAssertionCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$i);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$g);
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -2104,7 +2256,7 @@ const SupportedWorkloadEnvironmentVariables = [
     "AZURE_CLIENT_ID",
     "AZURE_FEDERATED_TOKEN_FILE",
 ];
-const logger$h = credentialLogger(credentialName$3);
+const logger$f = credentialLogger(credentialName$3);
 /**
  * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
  * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
@@ -2130,17 +2282,17 @@ class WorkloadIdentityCredential {
         this.cacheDate = undefined;
         // Logging environment variables for error details
         const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
-        logger$h.info(`Found the following environment variables: ${assignedEnv}`);
+        logger$f.info(`Found the following environment variables: ${assignedEnv}`);
         const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
         const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
         const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
         this.federatedTokenFilePath =
             workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
         if (tenantId) {
-            checkTenantId(logger$h, tenantId);
+            checkTenantId(logger$f, tenantId);
         }
         if (clientId && tenantId && this.federatedTokenFilePath) {
-            logger$h.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
+            logger$f.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
             this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
         }
     }
@@ -2159,10 +2311,10 @@ class WorkloadIdentityCredential {
       "AZURE_TENANT_ID",
       "AZURE_CLIENT_ID",
       "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  `;
-            logger$h.info(errorMessage);
+            logger$f.info(errorMessage);
             throw new CredentialUnavailableError(errorMessage);
         }
-        logger$h.info("Invoking getToken() of Client Assertion Credential");
+        logger$f.info("Invoking getToken() of Client Assertion Credential");
         return this.client.getToken(scopes, options);
     }
     async readFileContents() {
@@ -2190,8 +2342,8 @@ class WorkloadIdentityCredential {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$2 = "ManagedIdentityCredential - Token Exchange";
-const logger$g = credentialLogger(msiName$2);
+const msiName = "ManagedIdentityCredential - Token Exchange";
+const logger$e = credentialLogger(msiName);
 /**
  * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
  */
@@ -2204,7 +2356,7 @@ function tokenExchangeMsi() {
                 env.AZURE_TENANT_ID &&
                 process.env.AZURE_FEDERATED_TOKEN_FILE);
             if (!result) {
-                logger$g.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+                logger$e.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
             return result;
         },
@@ -2218,164 +2370,6 @@ function tokenExchangeMsi() {
     };
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
-//
-//   FROM node:12
-//   RUN wget https://host.any/path/bash.sh
-//   CMD ["bash", "bash.sh"]
-//
-// Where the bash script contains:
-//
-//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
-//
-const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
-const logger$f = credentialLogger(msiName$1);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$1(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": azureFabricVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
-    }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error("Missing environment variable: IDENTITY_HEADER");
-    }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            secret: process.env.IDENTITY_HEADER,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
- */
-const fabricMsi = {
-    name: "fabricMsi",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$f.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
-        if (!result) {
-            logger$f.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, identityClient, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$f.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
-        }
-        logger$f.info([
-            `${msiName$1}:`,
-            "Using the endpoint and the secret coming from the environment variables:",
-            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
-            "IDENTITY_HEADER=[REDACTED] and",
-            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
-        ].join(" "));
-        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https.Agent({
-            // This is necessary because Service Fabric provides a self-signed certificate.
-            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
-            rejectUnauthorized: false,
-        });
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
-const logger$e = credentialLogger(msiName);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": "2019-08-01",
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.mi_res_id = resourceId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
-    }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
-    }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
- */
-const appServiceMsi2019 = {
-    name: "appServiceMsi2019",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$e.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
-        if (!result) {
-            logger$e.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$e.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$d = credentialLogger("ManagedIdentityCredential");
@@ -2393,9 +2387,14 @@ class ManagedIdentityCredential {
      * @hidden
      */
     constructor(clientIdOrOptions, options) {
-        var _a;
+        var _a, _b;
         this.isEndpointUnavailable = null;
         this.isAppTokenProviderInitialized = false;
+        this.msiRetryConfig = {
+            maxRetries: 3,
+            startDelayInMs: 800,
+            intervalIncrement: 2,
+        };
         let _options;
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
@@ -2410,6 +2409,9 @@ class ManagedIdentityCredential {
         if (this.clientId && this.resourceId) {
             throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
         }
+        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
+            this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
+        }
         this.identityClient = new IdentityClient(_options);
         this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
                 maxRetries: 0,
@@ -2420,7 +2422,7 @@ class ManagedIdentityCredential {
         this.confidentialApp = new msalCommon.ConfidentialClientApplication({
             auth: {
                 authority: "https://login.microsoftonline.com/managed_identity",
-                clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
+                clientId: (_b = this.clientId) !== null && _b !== void 0 ? _b : DeveloperSignOnClientId,
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
                 authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
@@ -2470,6 +2472,7 @@ class ManagedIdentityCredential {
                 scopes,
                 clientId: this.clientId,
                 resourceId: this.resourceId,
+                retryConfig: this.msiRetryConfig,
             }, updatedOptions);
         }
         catch (err) {
@@ -2576,10 +2579,10 @@ class ManagedIdentityCredential {
             if (err.statusCode === 400) {
                 throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
-            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
             // rather than just timing out, as expected.
             if (err.statusCode === 403 || err.code === 403) {
-                if (err.message.includes("A socket operation was attempted to an unreachable network")) {
+                if (err.message.includes("unreachable")) {
                     const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
                     logger$d.getToken.info(formatError(scopes, error));
                     throw error;
@@ -3762,13 +3765,17 @@ const logger$4 = credentialLogger("DefaultAzureCredential");
  *
  * @internal
  */
-function createDefaultManagedIdentityCredential(options) {
-    var _a, _b, _c;
-    const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
-    const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
+function createDefaultManagedIdentityCredential(options = {}) {
+    var _a, _b, _c, _d;
+    (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
+        maxRetries: 5,
+        retryDelayInMs: 800,
+    });
+    const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
+    const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
     const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
     const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
+    const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
     if (managedResourceId) {
         const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
         return new ManagedIdentityCredential(managedIdentityResourceIdOptions);