@azure/identity 4.10.3-alpha.20250708.2 → 4.11.0-alpha.20250717.4

package/dist/commonjs/msal/nodeFlows/msalClient.js

@@ -27,11 +27,14 @@ const msalLogger = (0, logging_js_1.credentialLogger)("MsalClient");
  * @returns  The MSAL configuration object.
  */
 function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
-    var _a, _b, _c;
-    const resolvedTenant = (0, tenantIdUtils_js_1.resolveTenantId)((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
+    const resolvedTenant = (0, tenantIdUtils_js_1.resolveTenantId)(msalClientOptions.logger ?? msalLogger, tenantId, clientId);
     // TODO: move and reuse getIdentityClientAuthorityHost
     const authority = (0, utils_js_1.getAuthority)(resolvedTenant, (0, utils_js_1.getAuthorityHost)(msalClientOptions));
-    const httpClient = new identityClient_js_1.IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
+    const httpClient = new identityClient_js_1.IdentityClient({
+        ...msalClientOptions.tokenCredentialOptions,
+        authorityHost: authority,
+        loggingOptions: msalClientOptions.loggingOptions,
+    });
     const msalConfig = {
         auth: {
             clientId,
@@ -41,9 +44,9 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
         system: {
             networkClient: httpClient,
             loggerOptions: {
-                loggerCallback: (0, utils_js_1.defaultLoggerCallback)((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
+                loggerCallback: (0, utils_js_1.defaultLoggerCallback)(msalClientOptions.logger ?? msalLogger),
                 logLevel: (0, utils_js_1.getMSALLogLevel)((0, logger_1.getLogLevel)()),
-                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
+                piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,
             },
         },
     };
@@ -60,14 +63,13 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
  * @public
  */
 function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
-    var _a;
     const state = {
         msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
         cachedAccount: createMsalClientOptions.authenticationRecord
             ? (0, utils_js_1.publicToMsal)(createMsalClientOptions.authenticationRecord)
             : null,
         pluginConfiguration: msalPlugins_js_1.msalPlugins.generatePluginConfiguration(createMsalClientOptions),
-        logger: (_a = createMsalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger,
+        logger: createMsalClientOptions.logger ?? msalLogger,
     };
     const publicApps = new Map();
     async function getPublicApp(options = {}) {
@@ -83,7 +85,11 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
             ? state.pluginConfiguration.cache.cachePluginCae
             : state.pluginConfiguration.cache.cachePlugin;
         state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
-        publicClientApp = new msal.PublicClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        publicClientApp = new msal.PublicClientApplication({
+            ...state.msalConfig,
+            broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },
+            cache: { cachePlugin: await cachePlugin },
+        });
         publicApps.set(appKey, publicClientApp);
         return publicClientApp;
     }
@@ -101,7 +107,11 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
             ? state.pluginConfiguration.cache.cachePluginCae
             : state.pluginConfiguration.cache.cachePlugin;
         state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
-        confidentialClientApp = new msal.ConfidentialClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        confidentialClientApp = new msal.ConfidentialClientApplication({
+            ...state.msalConfig,
+            broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },
+            cache: { cachePlugin: await cachePlugin },
+        });
         confidentialApps.set(appKey, confidentialClientApp);
         return confidentialClientApp;
     }
@@ -120,7 +130,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
             claims: state.cachedClaims,
         };
         if (state.pluginConfiguration.broker.isEnabled) {
-            silentRequest.tokenQueryParameters || (silentRequest.tokenQueryParameters = {});
+            silentRequest.tokenQueryParameters ||= {};
             if (state.pluginConfiguration.broker.enableMsaPassthrough) {
                 silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
             }
@@ -144,7 +154,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
      * if the user is creating cross-tenant requests
      */
     function calculateRequestAuthority(options) {
-        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+        if (options?.tenantId) {
             return (0, utils_js_1.getAuthority)(options.tenantId, (0, utils_js_1.getAuthorityHost)(createMsalClientOptions));
         }
         return state.msalConfig.auth.authority;
@@ -160,7 +170,6 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
      * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
      */
     async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
-        var _a, _b;
         let response = null;
         try {
             response = await getTokenSilent(msalApp, scopes, options);
@@ -188,17 +197,16 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
         }
         // At this point we should have a token, process it
         (0, utils_js_1.ensureValidMsalToken)(scopes, response, options);
-        state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
+        state.cachedAccount = response?.account ?? null;
         state.logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
         return {
             token: response.accessToken,
             expiresOnTimestamp: response.expiresOn.getTime(),
-            refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
+            refreshAfterTimestamp: response.refreshOn?.getTime(),
             tokenType: response.tokenType,
         };
     }
     async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
-        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client secret`);
         state.msalConfig.auth.clientSecret = clientSecret;
         const msalApp = await getConfidentialApp(options);
@@ -207,14 +215,14 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
                 scopes,
                 authority: calculateRequestAuthority(options),
                 azureRegion: (0, regionalAuthority_js_1.calculateRegionalAuthority)(),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             });
             (0, utils_js_1.ensureValidMsalToken)(scopes, response, options);
             state.logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -223,7 +231,6 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
         }
     }
     async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
-        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client assertion`);
         state.msalConfig.auth.clientAssertion = clientAssertion;
         const msalApp = await getConfidentialApp(options);
@@ -232,7 +239,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
                 scopes,
                 authority: calculateRequestAuthority(options),
                 azureRegion: (0, regionalAuthority_js_1.calculateRegionalAuthority)(),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
                 clientAssertion,
             });
             (0, utils_js_1.ensureValidMsalToken)(scopes, response, options);
@@ -240,7 +247,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -249,7 +256,6 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
         }
     }
     async function getTokenByClientCertificate(scopes, certificate, options = {}) {
-        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client certificate`);
         state.msalConfig.auth.clientCertificate = certificate;
         const msalApp = await getConfidentialApp(options);
@@ -258,14 +264,14 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
                 scopes,
                 authority: calculateRequestAuthority(options),
                 azureRegion: (0, regionalAuthority_js_1.calculateRegionalAuthority)(),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             });
             (0, utils_js_1.ensureValidMsalToken)(scopes, response, options);
             state.logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -277,13 +283,12 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
         state.logger.getToken.info(`Attempting to acquire token using device code`);
         const msalApp = await getPublicApp(options);
         return withSilentAuthentication(msalApp, scopes, options, () => {
-            var _a, _b;
             const requestOptions = {
                 scopes,
-                cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
+                cancel: options?.abortSignal?.aborted ?? false,
                 deviceCodeCallback,
                 authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             };
             const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
             if (options.abortSignal) {
@@ -303,7 +308,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
                 username,
                 password,
                 authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             };
             return msalApp.acquireTokenByUsernamePassword(requestOptions);
         });
@@ -332,12 +337,11 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
                 redirectUri,
                 code: authorizationCode,
                 authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             });
         });
     }
     async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
-        var _a;
         msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
         if (typeof clientCredentials === "string") {
             // Client secret
@@ -367,7 +371,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -375,79 +379,107 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
             throw (0, utils_js_1.handleMsalError)(scopes, err, options);
         }
     }
-    async function getTokenByInteractiveRequest(scopes, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token interactively`);
+    /**
+     * Creates a base interactive request configuration for MSAL interactive authentication.
+     * This is shared between interactive and brokered authentication flows.
+     *
+     * @internal
+     */
+    function createBaseInteractiveRequest(scopes, options) {
+        return {
+            openBrowser: async (url) => {
+                const open = await import("open");
+                await open.default(url, { wait: true, newInstance: true });
+            },
+            scopes,
+            authority: calculateRequestAuthority(options),
+            claims: options?.claims,
+            loginHint: options?.loginHint,
+            errorTemplate: options?.browserCustomizationOptions?.errorMessage,
+            successTemplate: options?.browserCustomizationOptions?.successMessage,
+            prompt: options?.loginHint ? "login" : "select_account",
+        };
+    }
+    /**
+     * @internal
+     */
+    async function getBrokeredTokenInternal(scopes, useDefaultBrokerAccount, options = {}) {
+        msalLogger.verbose("Authentication will resume through the broker");
         const app = await getPublicApp(options);
-        /**
-         * A helper function that supports brokered authentication through the MSAL's public application.
-         *
-         * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
-         * If the default broker account is not available, the method will fall back to interactive authentication.
-         */
-        async function getBrokeredToken(useDefaultBrokerAccount) {
-            var _a;
-            msalLogger.verbose("Authentication will resume through the broker");
-            const interactiveRequest = createBaseInteractiveRequest();
-            if (state.pluginConfiguration.broker.parentWindowHandle) {
-                interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
-            }
-            else {
-                // this is a bug, as the pluginConfiguration handler should validate this case.
-                msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-            if (state.pluginConfiguration.broker.enableMsaPassthrough) {
-                ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
-                    "consumer_passthrough";
+        const interactiveRequest = createBaseInteractiveRequest(scopes, options);
+        if (state.pluginConfiguration.broker.parentWindowHandle) {
+            interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
+        }
+        else {
+            // this is a bug, as the pluginConfiguration handler should validate this case.
+            msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+        }
+        if (state.pluginConfiguration.broker.enableMsaPassthrough) {
+            (interactiveRequest.tokenQueryParameters ??= {})["msal_request_type"] =
+                "consumer_passthrough";
+        }
+        if (useDefaultBrokerAccount) {
+            interactiveRequest.prompt = "none";
+            msalLogger.verbose("Attempting broker authentication using the default broker account");
+        }
+        else {
+            msalLogger.verbose("Attempting broker authentication without the default broker account");
+        }
+        if (options.proofOfPossessionOptions) {
+            interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+            interactiveRequest.authenticationScheme = "pop";
+            interactiveRequest.resourceRequestMethod =
+                options.proofOfPossessionOptions.resourceRequestMethod;
+            interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+        }
+        try {
+            return await app.acquireTokenInteractive(interactiveRequest);
+        }
+        catch (e) {
+            msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
+            if (options.disableAutomaticAuthentication) {
+                throw new errors_js_1.AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Cannot silently authenticate with default broker account.",
+                });
             }
+            // If we tried to use the default broker account and failed, fall back to interactive authentication
             if (useDefaultBrokerAccount) {
-                interactiveRequest.prompt = "none";
-                msalLogger.verbose("Attempting broker authentication using the default broker account");
+                return getBrokeredTokenInternal(scopes, false, options);
             }
             else {
-                msalLogger.verbose("Attempting broker authentication without the default broker account");
-            }
-            if (options.proofOfPossessionOptions) {
-                interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
-                interactiveRequest.authenticationScheme = "pop";
-                interactiveRequest.resourceRequestMethod =
-                    options.proofOfPossessionOptions.resourceRequestMethod;
-                interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
-            }
-            try {
-                return await app.acquireTokenInteractive(interactiveRequest);
-            }
-            catch (e) {
-                msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
-                // If we tried to use the default broker account and failed, fall back to interactive authentication
-                if (useDefaultBrokerAccount) {
-                    return getBrokeredToken(/* useDefaultBrokerAccount: */ false);
-                }
-                else {
-                    throw e;
-                }
+                throw e;
             }
         }
-        function createBaseInteractiveRequest() {
-            var _a, _b;
-            return {
-                openBrowser: async (url) => {
-                    const open = await import("open");
-                    await open.default(url, { wait: true, newInstance: true });
-                },
-                scopes,
-                authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-                loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
-                errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
-                successTemplate: (_b = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage,
-                prompt: (options === null || options === void 0 ? void 0 : options.loginHint) ? "login" : "select_account",
-            };
-        }
+    }
+    /**
+     * A helper function that supports brokered authentication through the MSAL's public application.
+     *
+     * When useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
+     * If the default broker account is not available, the method will fall back to interactive authentication.
+     */
+    async function getBrokeredToken(scopes, useDefaultBrokerAccount, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using brokered authentication with useDefaultBrokerAccount: ${useDefaultBrokerAccount}`);
+        const response = await getBrokeredTokenInternal(scopes, useDefaultBrokerAccount, options);
+        (0, utils_js_1.ensureValidMsalToken)(scopes, response, options);
+        (0, utils_js_1.ensureValidMsalToken)(scopes, response, options);
+        state.cachedAccount = response?.account ?? null;
+        state.logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
+        return {
+            token: response.accessToken,
+            expiresOnTimestamp: response.expiresOn.getTime(),
+            refreshAfterTimestamp: response.refreshOn?.getTime(),
+            tokenType: response.tokenType,
+        };
+    }
+    async function getTokenByInteractiveRequest(scopes, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token interactively`);
+        const app = await getPublicApp(options);
         return withSilentAuthentication(app, scopes, options, async () => {
-            var _a;
-            const interactiveRequest = createBaseInteractiveRequest();
+            const interactiveRequest = createBaseInteractiveRequest(scopes, options);
             if (state.pluginConfiguration.broker.isEnabled) {
-                return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
+                return getBrokeredTokenInternal(scopes, state.pluginConfiguration.broker.useDefaultBrokerAccount ?? false, options);
             }
             if (options.proofOfPossessionOptions) {
                 interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
@@ -461,6 +493,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
     }
     return {
         getActiveAccount,
+        getBrokeredToken,
         getTokenByClientSecret,
         getTokenByClientAssertion,
         getTokenByClientCertificate,