@azure/identity 4.1.1-alpha.20240416.1 → 4.1.1-alpha.20240419.1

package/dist/index.js

@@ -16,8 +16,8 @@ var https = require('https');
 var promises = require('fs/promises');
 var child_process = require('child_process');
 var crypto = require('crypto');
-var util = require('util');
 var open = require('open');
+var util = require('util');
 
 function _interopNamespaceDefault(e) {
     var n = Object.create(null);
@@ -141,6 +141,55 @@ const msalNodeFlowNativeBrokerControl = {
         };
     },
 };
+/**
+ * Configures plugins, validating that required plugins are available and enabled.
+ *
+ * Does not create the plugins themselves, but rather returns the configuration that will be used to create them.
+ *
+ * @param options - options for creating the MSAL client
+ * @returns plugin configuration
+ */
+function generatePluginConfiguration(options) {
+    var _a, _b, _c, _d, _e;
+    const config = {
+        cache: {},
+        broker: {
+            enableMsaPassthrough: (_b = (_a = options.brokerOptions) === null || _a === void 0 ? void 0 : _a.legacyEnableMsaPassthrough) !== null && _b !== void 0 ? _b : false,
+            parentWindowHandle: (_c = options.brokerOptions) === null || _c === void 0 ? void 0 : _c.parentWindowHandle,
+        },
+    };
+    if ((_d = options.tokenCachePersistenceOptions) === null || _d === void 0 ? void 0 : _d.enabled) {
+        if (persistenceProvider === undefined) {
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
+            ].join(" "));
+        }
+        const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
+        config.cache.cachePlugin = persistenceProvider(Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions));
+        config.cache.cachePluginCae = persistenceProvider(Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions));
+    }
+    if ((_e = options.brokerOptions) === null || _e === void 0 ? void 0 : _e.enabled) {
+        if (nativeBrokerInfo === undefined) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
+        }
+        config.broker.nativeBrokerPlugin = nativeBrokerInfo.broker;
+    }
+    return config;
+}
+/**
+ * Wraps generatePluginConfiguration as a writeable property for test stubbing purposes.
+ */
+const msalPlugins = {
+    generatePluginConfiguration,
+};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -1713,488 +1762,186 @@ const imdsMsi = {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
- * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ * The logger for all MsalClient instances.
  */
-var RegionalAuthority;
-(function (RegionalAuthority) {
-    /** Instructs MSAL to attempt to discover the region */
-    RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
-    RegionalAuthority["USWest"] = "westus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
-    RegionalAuthority["USWest2"] = "westus2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
-    RegionalAuthority["USCentral"] = "centralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
-    RegionalAuthority["USEast"] = "eastus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
-    RegionalAuthority["USEast2"] = "eastus2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
-    RegionalAuthority["USNorthCentral"] = "northcentralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
-    RegionalAuthority["USSouthCentral"] = "southcentralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
-    RegionalAuthority["USWestCentral"] = "westcentralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
-    RegionalAuthority["CanadaCentral"] = "canadacentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
-    RegionalAuthority["CanadaEast"] = "canadaeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
-    RegionalAuthority["BrazilSouth"] = "brazilsouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
-    RegionalAuthority["EuropeNorth"] = "northeurope";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
-    RegionalAuthority["EuropeWest"] = "westeurope";
-    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
-    RegionalAuthority["UKSouth"] = "uksouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
-    RegionalAuthority["UKWest"] = "ukwest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
-    RegionalAuthority["FranceCentral"] = "francecentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
-    RegionalAuthority["FranceSouth"] = "francesouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
-    RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
-    RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
-    RegionalAuthority["GermanyNorth"] = "germanynorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
-    RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
-    RegionalAuthority["NorwayWest"] = "norwaywest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
-    RegionalAuthority["NorwayEast"] = "norwayeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
-    RegionalAuthority["AsiaEast"] = "eastasia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
-    RegionalAuthority["AsiaSouthEast"] = "southeastasia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
-    RegionalAuthority["JapanEast"] = "japaneast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
-    RegionalAuthority["JapanWest"] = "japanwest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
-    RegionalAuthority["AustraliaEast"] = "australiaeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
-    RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
-    RegionalAuthority["AustraliaCentral"] = "australiacentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
-    RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
-    RegionalAuthority["IndiaCentral"] = "centralindia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
-    RegionalAuthority["IndiaSouth"] = "southindia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
-    RegionalAuthority["IndiaWest"] = "westindia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
-    RegionalAuthority["KoreaSouth"] = "koreasouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
-    RegionalAuthority["KoreaCentral"] = "koreacentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
-    RegionalAuthority["UAECentral"] = "uaecentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
-    RegionalAuthority["UAENorth"] = "uaenorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
-    RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
-    RegionalAuthority["SouthAfricaWest"] = "southafricawest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
-    RegionalAuthority["ChinaNorth"] = "chinanorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
-    RegionalAuthority["ChinaEast"] = "chinaeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
-    RegionalAuthority["ChinaNorth2"] = "chinanorth2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
-    RegionalAuthority["ChinaEast2"] = "chinaeast2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
-    RegionalAuthority["GermanyCentral"] = "germanycentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
-    RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
-    RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
-    RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
-    RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
-    RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
-    RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
-    RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
-})(RegionalAuthority || (RegionalAuthority = {}));
+const msalLogger = credentialLogger("MsalClient");
 /**
- * Calculates the correct regional authority based on the supplied value
- * and the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
+ * Generates the configuration for MSAL (Microsoft Authentication Library).
  *
- * Values will be returned verbatim, except for {@link RegionalAuthority.AutoDiscoverRegion}
- * which is mapped to a value MSAL can understand.
- *
- * @internal
+ * @param clientId - The client ID of the application.
+ * @param  tenantId - The tenant ID of the Azure Active Directory.
+ * @param  msalClientOptions - Optional. Additional options for creating the MSAL client.
+ * @returns  The MSAL configuration object.
  */
-function calculateRegionalAuthority(regionalAuthority) {
-    var _a, _b;
-    let azureRegion = regionalAuthority;
-    if (azureRegion === undefined &&
-        ((_b = (_a = globalThis.process) === null || _a === void 0 ? void 0 : _a.env) === null || _b === void 0 ? void 0 : _b.AZURE_REGIONAL_AUTHORITY_NAME) !== undefined) {
-        azureRegion = process.env.AZURE_REGIONAL_AUTHORITY_NAME;
-    }
-    if (azureRegion === RegionalAuthority.AutoDiscoverRegion) {
-        return "AUTO_DISCOVER";
-    }
-    return azureRegion;
+function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
+    var _a, _b, _c;
+    const resolvedTenant = resolveTenantId(msalLogger, tenantId, clientId);
+    // TODO: move and reuse getIdentityClientAuthorityHost
+    const authority = getAuthority(resolvedTenant, (_a = msalClientOptions.authorityHost) !== null && _a !== void 0 ? _a : process.env.AZURE_AUTHORITY_HOST);
+    const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
+    const msalConfig = {
+        auth: {
+            clientId,
+            authority,
+            knownAuthorities: getKnownAuthorities(resolvedTenant, authority, msalClientOptions.disableInstanceDiscovery),
+        },
+        system: {
+            networkClient: httpClient,
+            loggerOptions: {
+                loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
+                logLevel: getMSALLogLevel(logger$q.getLogLevel()),
+                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
+            },
+        },
+    };
+    return msalConfig;
 }
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
- * MSAL partial base client for Node.js.
+ * Creates an instance of the MSAL (Microsoft Authentication Library) client.
  *
- * It completes the input configuration with some default values.
- * It also provides with utility protected methods that can be used from any of the clients,
- * which includes handlers for successful responses and errors.
+ * @param clientId - The client ID of the application.
+ * @param tenantId - The tenant ID of the Azure Active Directory.
+ * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.
+ * @returns An instance of the MSAL client.
  *
- * @internal
+ * @public
  */
-class MsalNode {
-    constructor(options) {
-        var _a, _b, _c, _d, _e, _f;
-        this.app = {};
-        this.caeApp = {};
-        this.requiresConfidential = false;
-        this.logger = options.logger;
-        this.msalConfig = this.defaultNodeMsalConfig(options);
-        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
-        this.clientId = this.msalConfig.auth.clientId;
-        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
-            this.getAssertion = options.getAssertion;
-        }
-        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
-        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
-        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
-        // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
-            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
-            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
-            this.createCachePluginCae = () => persistenceProvider(caeOptions);
-        }
-        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
-            throw new Error([
-                "Persistent token caching was requested, but no persistence provider was configured.",
-                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
-            ].join(" "));
+function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
+    const state = {
+        msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
+        cachedAccount: createMsalClientOptions.authenticationRecord
+            ? publicToMsal(createMsalClientOptions.authenticationRecord)
+            : null,
+        pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
+    };
+    const confidentialApps = new Map();
+    async function getConfidentialApp(options = {}) {
+        const appKey = options.enableCae ? "CAE" : "default";
+        let confidentialClientApp = confidentialApps.get(appKey);
+        if (confidentialClientApp) {
+            return confidentialClientApp;
+        }
+        // Initialize a new app and cache it
+        const cachePlugin = options.enableCae
+            ? state.pluginConfiguration.cache.cachePluginCae
+            : state.pluginConfiguration.cache.cachePlugin;
+        state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
+        confidentialClientApp = new msalCommon__namespace.ConfidentialClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        confidentialApps.set(appKey, confidentialClientApp);
+        return confidentialClientApp;
+    }
+    async function getTokenSilent(app, scopes, options = {}) {
+        if (state.cachedAccount === null) {
+            const cache = app.getTokenCache();
+            const accounts = await cache.getAllAccounts();
+            if (accounts === undefined || accounts.length === 0) {
+                throw new AuthenticationRequiredError({ scopes });
+            }
+            if (accounts.length > 1) {
+                msalLogger.info(`More than one account was found authenticated for this Client ID and Tenant ID.
+However, no "authenticationRecord" has been provided for this credential,
+therefore we're unable to pick between these accounts.
+A new login attempt will be requested, to ensure the correct account is picked.
+To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
+                throw new AuthenticationRequiredError({ scopes });
+            }
+            state.cachedAccount = accounts[0];
         }
-        // If broker has not been configured
-        if (!hasNativeBroker() && this.enableBroker) {
-            throw new Error([
-                "Broker for WAM was requested to be enabled, but no native broker was configured.",
-                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
-            ].join(" "));
+        // Keep track and reuse the claims we received across challenges
+        if (options.claims) {
+            state.cachedClaims = options.claims;
         }
-        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+        // TODO: port over changes for broker
+        // https://github.com/Azure/azure-sdk-for-js/blob/727a7208251961b5036d8e1d86edaa944c42e3d6/sdk/identity/identity/src/msal/nodeFlows/msalNodeCommon.ts#L383-L395
+        msalLogger.getToken.info("Attempting to acquire token silently");
+        return app.acquireTokenSilent({
+            account: state.cachedAccount,
+            scopes,
+            claims: state.cachedClaims,
+        });
     }
     /**
-     * Generates a MSAL configuration that generally works for Node.js
+     * Performs silent authentication using MSAL to acquire an access token.
+     * If silent authentication fails, falls back to interactive authentication.
+     *
+     * @param msalApp - The MSAL application instance.
+     * @param scopes - The scopes for which to acquire the access token.
+     * @param options - The options for acquiring the access token.
+     * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.
+     * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
      */
-    defaultNodeMsalConfig(options) {
+    async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
         var _a;
-        const clientId = options.clientId || DeveloperSignOnClientId;
-        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
-        const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        const clientCapabilities = [];
-        return {
-            auth: {
-                clientId,
-                authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
-                clientCapabilities,
-            },
-            // Cache is defined in this.prepare();
-            system: {
-                networkClient: this.identityClient,
-                loggerOptions: {
-                    loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$q.getLogLevel()),
-                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
-                },
-            },
-        };
-    }
-    getApp(appType, enableCae) {
-        const app = enableCae ? this.caeApp : this.app;
-        if (appType === "publicFirst") {
-            return (app.public || app.confidential);
-        }
-        else if (appType === "confidentialFirst") {
-            return (app.confidential || app.public);
+        let response = null;
+        try {
+            response = await getTokenSilent(msalApp, scopes, options);
         }
-        else if (appType === "confidential") {
-            return app.confidential;
-        }
-        else {
-            return app.public;
-        }
-    }
-    /**
-     * Prepares the MSAL applications.
-     */
-    async init(options) {
-        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
-            options.abortSignal.addEventListener("abort", () => {
-                // This will abort any pending request in the IdentityClient,
-                // based on the received or generated correlationId
-                this.identityClient.abortRequests(options.correlationId);
-            });
-        }
-        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.msalConfig.auth.clientCapabilities = ["cp1"];
-        }
-        if (app.public || app.confidential) {
-            return;
-        }
-        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePluginCae(),
-            };
-        }
-        if (this.createCachePlugin !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePlugin(),
-            };
-        }
-        if (hasNativeBroker() && this.enableBroker) {
-            this.msalConfig.broker = {
-                nativeBrokerPlugin: nativeBrokerInfo.broker,
-            };
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-        }
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        else {
-            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        if (this.getAssertion) {
-            this.msalConfig.auth.clientAssertion = await this.getAssertion();
-        }
-        // The confidential client requires either a secret, assertion or certificate.
-        if (this.msalConfig.auth.clientSecret ||
-            this.msalConfig.auth.clientAssertion ||
-            this.msalConfig.auth.clientCertificate) {
-            if (options === null || options === void 0 ? void 0 : options.enableCae) {
-                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-            else {
-                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-        }
-        else {
-            if (this.requiresConfidential) {
-                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
-            }
-        }
-    }
-    /**
-     * Allows the cancellation of a MSAL request.
-     */
-    withCancellation(promise, abortSignal, onCancel) {
-        return new Promise((resolve, reject) => {
-            promise
-                .then((msalToken) => {
-                return resolve(msalToken);
-            })
-                .catch(reject);
-            if (abortSignal) {
-                abortSignal.addEventListener("abort", () => {
-                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
-                });
-            }
-        });
-    }
-    /**
-     * Returns the existing account, attempts to load the account from MSAL.
-     */
-    async getActiveAccount(enableCae = false) {
-        if (this.account) {
-            return this.account;
-        }
-        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
-        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
-        if (!accountsByTenant) {
-            return;
-        }
-        if (accountsByTenant.length === 1) {
-            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
-        }
-        else {
-            this.logger
-                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
-However, no "authenticationRecord" has been provided for this credential,
-therefore we're unable to pick between these accounts.
-A new login attempt will be requested, to ensure the correct account is picked.
-To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
-            return;
-        }
-        return this.account;
-    }
-    /**
-     * Attempts to retrieve a token from cache.
-     */
-    async getTokenSilent(scopes, options) {
-        var _a, _b, _c;
-        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
-        if (!this.account) {
-            throw new AuthenticationRequiredError({
-                scopes,
-                getTokenOptions: options,
-                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
-            });
-        }
-        const silentRequest = {
-            // To be able to re-use the account, the Token Cache must also have been provided.
-            account: publicToMsal(this.account),
-            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-            scopes,
-            authority: options === null || options === void 0 ? void 0 : options.authority,
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-        };
-        if (hasNativeBroker() && this.enableBroker) {
-            if (!silentRequest.tokenQueryParameters) {
-                silentRequest.tokenQueryParameters = {};
-            }
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-            if (this.enableMsaPassthrough) {
-                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
-            }
-        }
-        try {
-            this.logger.info("Attempting to acquire token silently");
-            /**
-             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
-             * refresh of the token cache with the token and the account passed in through the
-             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
-             */
-            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
-            return this.handleResult(scopes, response || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-    /**
-     * Wrapper around each MSAL flow get token operation: doGetToken.
-     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
-     */
-    async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
-            this.tenantId;
-        options.authority = getAuthority(tenantId, this.authorityHost);
-        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
-        await this.init(options);
-        try {
-            // MSAL now caches tokens based on their claims,
-            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
-            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
-            const optionsClaims = options.claims;
-            if (optionsClaims) {
-                this.cachedClaims = optionsClaims;
-            }
-            if (this.cachedClaims && !optionsClaims) {
-                options.claims = this.cachedClaims;
-            }
-            // We don't return the promise since we want to catch errors right here.
-            return await this.getTokenSilent(scopes, options);
-        }
-        catch (err) {
-            if (err.name !== "AuthenticationRequiredError") {
-                throw err;
+        catch (e) {
+            if (e.name !== "AuthenticationRequiredError") {
+                throw e;
             }
-            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+            if (createMsalClientOptions.disableAutomaticAuthentication) {
                 throw new AuthenticationRequiredError({
                     scopes,
                     getTokenOptions: options,
                     message: "Automatic authentication has been disabled. You may call the authentication() method.",
                 });
             }
-            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
-            return this.doGetToken(scopes, options);
         }
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(this.clientId, result.account);
+        // Silent authentication failed
+        if (response === null) {
+            try {
+                response = await onAuthenticationRequired();
+            }
+            catch (err) {
+                throw handleMsalError(scopes, err, options);
+            }
         }
-        ensureValidMsalToken(scopes, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
+        // At this point we should have a token, process it
+        ensureValidMsalToken(scopes, response, options);
+        state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
+        msalLogger.getToken.info(formatSuccess(scopes));
         return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
+            token: response.accessToken,
+            expiresOnTimestamp: response.expiresOn.getTime(),
         };
     }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientAssertion extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.getAssertion = options.getAssertion;
+    async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using client secret`);
+        state.msalConfig.auth.clientSecret = clientSecret;
+        const msalApp = await getConfidentialApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => msalApp.acquireTokenByClientCredential({
+            scopes,
+            authority: state.msalConfig.auth.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+        }));
     }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const assertion = await this.getAssertion();
-            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
-                scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
-                clientAssertion: assertion,
-            });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (err) {
-            let err2 = err;
-            if (err === null || err === undefined) {
-                err2 = new Error(JSON.stringify(err));
-            }
-            else {
-                err2 = coreUtil.isError(err) ? err : new Error(String(err));
-            }
-            throw handleMsalError(scopes, err2, options);
-        }
+    async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using client assertion`);
+        state.msalConfig.auth.clientAssertion = clientAssertion;
+        const msalApp = await getConfidentialApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => msalApp.acquireTokenByClientCredential({
+            scopes,
+            authority: state.msalConfig.auth.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+            clientAssertion,
+        }));
     }
+    async function getTokenByClientCertificate(scopes, certificate, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using client certificate`);
+        state.msalConfig.auth.clientCertificate = certificate;
+        const msalApp = await getConfidentialApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => msalApp.acquireTokenByClientCredential({
+            scopes,
+            authority: state.msalConfig.auth.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+        }));
+    }
+    return {
+        getTokenByClientSecret,
+        getTokenByClientAssertion,
+        getTokenByClientCertificate,
+    };
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -2220,9 +1967,9 @@ class ClientAssertionCredential {
         }
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.clientId = clientId;
         this.options = options;
-        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$g, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
+        this.getAssertion = getAssertion;
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$g, tokenCredentialOptions: this.options }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2235,8 +1982,9 @@ class ClientAssertionCredential {
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$g);
+            const clientAssertion = await this.getAssertion();
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
+            return this.msalClient.getTokenByClientAssertion(arrayScopes, clientAssertion, newOptions);
         });
     }
 }
@@ -3318,243 +3066,601 @@ class ChainedTokenCredential {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const readFileAsync = util.promisify(fs.readFile);
+const credentialName$2 = "ClientCertificateCredential";
+const logger$8 = credentialLogger(credentialName$2);
 /**
- * Tries to asynchronously load a certificate from the given path.
+ * Enables authentication to Microsoft Entra ID using a PEM-encoded
+ * certificate that is assigned to an App Registration. More information
+ * on how to configure certificate authentication can be found here:
+ *
+ * https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
  *
- * @param configuration - Either the PEM value or the path to the certificate.
- * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
- * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
- * @internal
  */
-async function parseCertificate(configuration, sendCertificateChain) {
-    const certificateParts = {};
-    const certificate = configuration
-        .certificate;
-    const certificatePath = configuration
-        .certificatePath;
-    certificateParts.certificateContents =
-        certificate || (await readFileAsync(certificatePath, "utf8"));
-    if (sendCertificateChain) {
-        certificateParts.x5c = certificateParts.certificateContents;
-    }
-    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-    const publicKeys = [];
-    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-    let match;
-    do {
-        match = certificatePattern.exec(certificateParts.certificateContents);
-        if (match) {
-            publicKeys.push(match[3]);
+class ClientCertificateCredential {
+    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
+        if (!tenantId || !clientId) {
+            throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
         }
-    } while (match);
-    if (publicKeys.length === 0) {
-        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-    }
-    certificateParts.thumbprint = crypto.createHash("sha1")
-        .update(Buffer.from(publicKeys[0], "base64"))
-        .digest("hex")
-        .toUpperCase();
-    return certificateParts;
-}
-/**
- * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientCertificate extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.configuration = options.configuration;
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.sendCertificateChain = options.sendCertificateChain;
-    }
-    // Changing the MSAL configuration asynchronously
-    async init(options) {
-        try {
-            const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
-            let privateKey;
-            if (this.configuration.certificatePassword !== undefined) {
-                const privateKeyObject = crypto.createPrivateKey({
-                    key: parts.certificateContents,
-                    passphrase: this.configuration.certificatePassword,
-                    format: "pem",
-                });
-                privateKey = privateKeyObject
-                    .export({
-                    format: "pem",
-                    type: "pkcs8",
-                })
-                    .toString();
-            }
-            else {
-                privateKey = parts.certificateContents;
+        this.certificateConfiguration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
+            ? {
+                certificatePath: certificatePathOrConfiguration,
             }
-            this.msalConfig.auth.clientCertificate = {
-                thumbprint: parts.thumbprint,
-                privateKey: privateKey,
-                x5c: parts.x5c,
-            };
+            : certificatePathOrConfiguration));
+        const certificate = this.certificateConfiguration.certificate;
+        const certificatePath = this.certificateConfiguration.certificatePath;
+        if (!this.certificateConfiguration || !(certificate || certificatePath)) {
+            throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        catch (error) {
-            this.logger.info(formatError("", error));
-            throw error;
+        if (certificate && certificatePath) {
+            throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        return super.init(options);
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$8, tokenCredentialOptions: options }));
     }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const clientCredReq = {
-                scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
-            };
-            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
-            // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
-            // The Client Credential flow does not return the account information from the authentication service,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, result || undefined);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            const certificate = await this.buildClientCertificate();
+            return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);
+        });
+    }
+    async buildClientCertificate() {
+        const parts = await this.parseCertificate();
+        let privateKey;
+        if (this.certificateConfiguration.certificatePassword !== undefined) {
+            privateKey = crypto.createPrivateKey({
+                key: parts.certificateContents,
+                passphrase: this.certificateConfiguration.certificatePassword,
+                format: "pem",
+            })
+                .export({
+                format: "pem",
+                type: "pkcs8",
+            })
+                .toString();
         }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
+        else {
+            privateKey = parts.certificateContents;
         }
+        return {
+            thumbprint: parts.thumbprint,
+            privateKey,
+            x5c: parts.x5c,
+        };
+    }
+    async parseCertificate() {
+        const certificate = this.certificateConfiguration.certificate;
+        const certificatePath = this.certificateConfiguration.certificatePath;
+        const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
+        const x5c = this.sendCertificateChain ? certificateContents : undefined;
+        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+        const publicKeys = [];
+        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+        let match;
+        do {
+            match = certificatePattern.exec(certificateContents);
+            if (match) {
+                publicKeys.push(match[3]);
+            }
+        } while (match);
+        if (publicKeys.length === 0) {
+            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+        }
+        const thumbprint = crypto.createHash("sha1")
+            .update(Buffer.from(publicKeys[0], "base64"))
+            .digest("hex")
+            .toUpperCase();
+        return {
+            certificateContents,
+            thumbprint,
+            x5c,
+        };
     }
 }
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const credentialName$2 = "ClientCertificateCredential";
-const logger$8 = credentialLogger(credentialName$2);
+const logger$7 = credentialLogger("ClientSecretCredential");
 /**
- * Enables authentication to Microsoft Entra ID using a PEM-encoded
- * certificate that is assigned to an App Registration. More information
- * on how to configure certificate authentication can be found here:
+ * Enables authentication to Microsoft Entra ID using a client secret
+ * that was generated for an App Registration. More information on how
+ * to configure a client secret can be found here:
  *
- * https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ * https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
  *
  */
-class ClientCertificateCredential {
-    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
-        if (!tenantId || !clientId) {
-            throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
+class ClientSecretCredential {
+    /**
+     * Creates an instance of the ClientSecretCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a client
+     * secret.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param clientSecret - A client secret that was generated for the App Registration.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, clientSecret, options = {}) {
+        if (!tenantId || !clientId || !clientSecret) {
+            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
+        this.clientSecret = clientSecret;
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
-            ? {
-                certificatePath: certificatePathOrConfiguration,
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$7, tokenCredentialOptions: options }));
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalClient.getTokenByClientSecret(arrayScopes, this.clientSecret, newOptions);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
+ */
+var RegionalAuthority;
+(function (RegionalAuthority) {
+    /** Instructs MSAL to attempt to discover the region */
+    RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
+    RegionalAuthority["USWest"] = "westus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
+    RegionalAuthority["USWest2"] = "westus2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
+    RegionalAuthority["USCentral"] = "centralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
+    RegionalAuthority["USEast"] = "eastus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
+    RegionalAuthority["USEast2"] = "eastus2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
+    RegionalAuthority["USNorthCentral"] = "northcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
+    RegionalAuthority["USSouthCentral"] = "southcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
+    RegionalAuthority["USWestCentral"] = "westcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
+    RegionalAuthority["CanadaCentral"] = "canadacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
+    RegionalAuthority["CanadaEast"] = "canadaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
+    RegionalAuthority["BrazilSouth"] = "brazilsouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
+    RegionalAuthority["EuropeNorth"] = "northeurope";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
+    RegionalAuthority["EuropeWest"] = "westeurope";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
+    RegionalAuthority["UKSouth"] = "uksouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
+    RegionalAuthority["UKWest"] = "ukwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
+    RegionalAuthority["FranceCentral"] = "francecentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
+    RegionalAuthority["FranceSouth"] = "francesouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
+    RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
+    RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
+    RegionalAuthority["GermanyNorth"] = "germanynorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
+    RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
+    RegionalAuthority["NorwayWest"] = "norwaywest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
+    RegionalAuthority["NorwayEast"] = "norwayeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
+    RegionalAuthority["AsiaEast"] = "eastasia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
+    RegionalAuthority["AsiaSouthEast"] = "southeastasia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
+    RegionalAuthority["JapanEast"] = "japaneast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
+    RegionalAuthority["JapanWest"] = "japanwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
+    RegionalAuthority["AustraliaEast"] = "australiaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
+    RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
+    RegionalAuthority["AustraliaCentral"] = "australiacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
+    RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
+    RegionalAuthority["IndiaCentral"] = "centralindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
+    RegionalAuthority["IndiaSouth"] = "southindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
+    RegionalAuthority["IndiaWest"] = "westindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
+    RegionalAuthority["KoreaSouth"] = "koreasouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
+    RegionalAuthority["KoreaCentral"] = "koreacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
+    RegionalAuthority["UAECentral"] = "uaecentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
+    RegionalAuthority["UAENorth"] = "uaenorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
+    RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
+    RegionalAuthority["SouthAfricaWest"] = "southafricawest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
+    RegionalAuthority["ChinaNorth"] = "chinanorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
+    RegionalAuthority["ChinaEast"] = "chinaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
+    RegionalAuthority["ChinaNorth2"] = "chinanorth2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
+    RegionalAuthority["ChinaEast2"] = "chinaeast2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
+    RegionalAuthority["GermanyCentral"] = "germanycentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
+    RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
+    RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
+    RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
+    RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
+    RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
+    RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
+    RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
+})(RegionalAuthority || (RegionalAuthority = {}));
+/**
+ * Calculates the correct regional authority based on the supplied value
+ * and the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
+ *
+ * Values will be returned verbatim, except for {@link RegionalAuthority.AutoDiscoverRegion}
+ * which is mapped to a value MSAL can understand.
+ *
+ * @internal
+ */
+function calculateRegionalAuthority(regionalAuthority) {
+    var _a, _b;
+    let azureRegion = regionalAuthority;
+    if (azureRegion === undefined &&
+        ((_b = (_a = globalThis.process) === null || _a === void 0 ? void 0 : _a.env) === null || _b === void 0 ? void 0 : _b.AZURE_REGIONAL_AUTHORITY_NAME) !== undefined) {
+        azureRegion = process.env.AZURE_REGIONAL_AUTHORITY_NAME;
+    }
+    if (azureRegion === RegionalAuthority.AutoDiscoverRegion) {
+        return "AUTO_DISCOVER";
+    }
+    return azureRegion;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * MSAL partial base client for Node.js.
+ *
+ * It completes the input configuration with some default values.
+ * It also provides with utility protected methods that can be used from any of the clients,
+ * which includes handlers for successful responses and errors.
+ *
+ * @internal
+ */
+class MsalNode {
+    constructor(options) {
+        var _a, _b, _c, _d, _e, _f;
+        this.app = {};
+        this.caeApp = {};
+        this.requiresConfidential = false;
+        this.logger = options.logger;
+        this.msalConfig = this.defaultNodeMsalConfig(options);
+        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.clientId = this.msalConfig.auth.clientId;
+        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
+            this.getAssertion = options.getAssertion;
+        }
+        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
+        // If persistence has been configured
+        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
+            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
+            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
+        }
+        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
+            ].join(" "));
+        }
+        // If broker has not been configured
+        if (!hasNativeBroker() && this.enableBroker) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
+        }
+        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+    }
+    /**
+     * Generates a MSAL configuration that generally works for Node.js
+     */
+    defaultNodeMsalConfig(options) {
+        var _a;
+        const clientId = options.clientId || DeveloperSignOnClientId;
+        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
+        const authority = getAuthority(tenantId, this.authorityHost);
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
+        const clientCapabilities = [];
+        return {
+            auth: {
+                clientId,
+                authority,
+                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
+                clientCapabilities,
+            },
+            // Cache is defined in this.prepare();
+            system: {
+                networkClient: this.identityClient,
+                loggerOptions: {
+                    loggerCallback: defaultLoggerCallback(options.logger),
+                    logLevel: getMSALLogLevel(logger$q.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
+                },
+            },
+        };
+    }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
+    /**
+     * Prepares the MSAL applications.
+     */
+    async init(options) {
+        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
+            options.abortSignal.addEventListener("abort", () => {
+                // This will abort any pending request in the IdentityClient,
+                // based on the received or generated correlationId
+                this.identityClient.abortRequests(options.correlationId);
+            });
+        }
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
+            return;
+        }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
+        }
+        if (this.createCachePlugin !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePlugin(),
+            };
+        }
+        if (hasNativeBroker() && this.enableBroker) {
+            this.msalConfig.broker = {
+                nativeBrokerPlugin: nativeBrokerInfo.broker,
+            };
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+        }
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
+        else {
+            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
+        if (this.getAssertion) {
+            this.msalConfig.auth.clientAssertion = await this.getAssertion();
+        }
+        // The confidential client requires either a secret, assertion or certificate.
+        if (this.msalConfig.auth.clientSecret ||
+            this.msalConfig.auth.clientAssertion ||
+            this.msalConfig.auth.clientCertificate) {
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+            else {
+                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
             }
-            : certificatePathOrConfiguration));
-        const certificate = configuration
-            .certificate;
-        const certificatePath = configuration.certificatePath;
-        if (!configuration || !(certificate || certificatePath)) {
-            throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        if (certificate && certificatePath) {
-            throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        else {
+            if (this.requiresConfidential) {
+                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
+            }
         }
-        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
-            logger: logger$8,
-            clientId,
-            tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
     }
     /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
+     * Allows the cancellation of a MSAL request.
      */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
+    withCancellation(promise, abortSignal, onCancel) {
+        return new Promise((resolve, reject) => {
+            promise
+                .then((msalToken) => {
+                return resolve(msalToken);
+            })
+                .catch(reject);
+            if (abortSignal) {
+                abortSignal.addEventListener("abort", () => {
+                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
+                });
+            }
         });
     }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientSecret extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.msalConfig.auth.clientSecret = options.clientSecret;
+    /**
+     * Returns the existing account, attempts to load the account from MSAL.
+     */
+    async getActiveAccount(enableCae = false) {
+        if (this.account) {
+            return this.account;
+        }
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
+        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
+        if (!accountsByTenant) {
+            return;
+        }
+        if (accountsByTenant.length === 1) {
+            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
+        }
+        else {
+            this.logger
+                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
+However, no "authenticationRecord" has been provided for this credential,
+therefore we're unable to pick between these accounts.
+A new login attempt will be requested, to ensure the correct account is picked.
+To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
+            return;
+        }
+        return this.account;
     }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
+    /**
+     * Attempts to retrieve a token from cache.
+     */
+    async getTokenSilent(scopes, options) {
+        var _a, _b, _c;
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
+        if (!this.account) {
+            throw new AuthenticationRequiredError({
                 scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
+                getTokenOptions: options,
+                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
             });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, result || undefined);
+        }
+        const silentRequest = {
+            // To be able to re-use the account, the Token Cache must also have been provided.
+            account: publicToMsal(this.account),
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+            scopes,
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+        };
+        if (hasNativeBroker() && this.enableBroker) {
+            if (!silentRequest.tokenQueryParameters) {
+                silentRequest.tokenQueryParameters = {};
+            }
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (this.enableMsaPassthrough) {
+                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            }
+        }
+        try {
+            this.logger.info("Attempting to acquire token silently");
+            /**
+             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
+             * refresh of the token cache with the token and the account passed in through the
+             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
+             */
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
+            return this.handleResult(scopes, response || undefined);
         }
         catch (err) {
             throw handleMsalError(scopes, err, options);
         }
     }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const logger$7 = credentialLogger("ClientSecretCredential");
-/**
- * Enables authentication to Microsoft Entra ID using a client secret
- * that was generated for an App Registration. More information on how
- * to configure a client secret can be found here:
- *
- * https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
- *
- */
-class ClientSecretCredential {
     /**
-     * Creates an instance of the ClientSecretCredential with the details
-     * needed to authenticate against Microsoft Entra ID with a client
-     * secret.
-     *
-     * @param tenantId - The Microsoft Entra tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param clientSecret - A client secret that was generated for the App Registration.
-     * @param options - Options for configuring the client which makes the authentication request.
+     * Wrapper around each MSAL flow get token operation: doGetToken.
+     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
      */
-    constructor(tenantId, clientId, clientSecret, options = {}) {
-        if (!tenantId || !clientId || !clientSecret) {
-            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
+            this.tenantId;
+        options.authority = getAuthority(tenantId, this.authorityHost);
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
+        await this.init(options);
+        try {
+            // MSAL now caches tokens based on their claims,
+            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
+            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
+            const optionsClaims = options.claims;
+            if (optionsClaims) {
+                this.cachedClaims = optionsClaims;
+            }
+            if (this.cachedClaims && !optionsClaims) {
+                options.claims = this.cachedClaims;
+            }
+            // We don't return the promise since we want to catch errors right here.
+            return await this.getTokenSilent(scopes, options);
+        }
+        catch (err) {
+            if (err.name !== "AuthenticationRequiredError") {
+                throw err;
+            }
+            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
+                });
+            }
+            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
+            return this.doGetToken(scopes, options);
         }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$7,
-            clientId,
-            tenantId,
-            clientSecret, tokenCredentialOptions: options }));
     }
     /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
      */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
-            const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
+    handleResult(scopes, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+            this.account = msalToPublic(this.clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
     }
 }
 
@@ -4308,6 +4414,48 @@ class AuthorizationCodeCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const readFileAsync = util.promisify(fs.readFile);
+/**
+ * Tries to asynchronously load a certificate from the given path.
+ *
+ * @param configuration - Either the PEM value or the path to the certificate.
+ * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
+ * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
+ * @internal
+ */
+async function parseCertificate(configuration, sendCertificateChain) {
+    const certificateParts = {};
+    const certificate = configuration
+        .certificate;
+    const certificatePath = configuration
+        .certificatePath;
+    certificateParts.certificateContents =
+        certificate || (await readFileAsync(certificatePath, "utf8"));
+    if (sendCertificateChain) {
+        certificateParts.x5c = certificateParts.certificateContents;
+    }
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateParts.certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
+        }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    }
+    certificateParts.thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return certificateParts;
+}
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**