@azure/identity 4.10.3-alpha.20250714.3 → 4.11.0-alpha.20250718.3

package/dist/workerd/msal/nodeFlows/msalClient.js

@@ -22,11 +22,14 @@ const msalLogger = credentialLogger("MsalClient");
  * @returns  The MSAL configuration object.
  */
 export function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
-    var _a, _b, _c;
-    const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
+    const resolvedTenant = resolveTenantId(msalClientOptions.logger ?? msalLogger, tenantId, clientId);
     // TODO: move and reuse getIdentityClientAuthorityHost
     const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));
-    const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
+    const httpClient = new IdentityClient({
+        ...msalClientOptions.tokenCredentialOptions,
+        authorityHost: authority,
+        loggingOptions: msalClientOptions.loggingOptions,
+    });
     const msalConfig = {
         auth: {
             clientId,
@@ -36,9 +39,9 @@ export function generateMsalConfiguration(clientId, tenantId, msalClientOptions
         system: {
             networkClient: httpClient,
             loggerOptions: {
-                loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
+                loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),
                 logLevel: getMSALLogLevel(getLogLevel()),
-                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
+                piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,
             },
         },
     };
@@ -55,14 +58,13 @@ export function generateMsalConfiguration(clientId, tenantId, msalClientOptions
  * @public
  */
 export function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
-    var _a;
     const state = {
         msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
         cachedAccount: createMsalClientOptions.authenticationRecord
             ? publicToMsal(createMsalClientOptions.authenticationRecord)
             : null,
         pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
-        logger: (_a = createMsalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger,
+        logger: createMsalClientOptions.logger ?? msalLogger,
     };
     const publicApps = new Map();
     async function getPublicApp(options = {}) {
@@ -78,7 +80,11 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
             ? state.pluginConfiguration.cache.cachePluginCae
             : state.pluginConfiguration.cache.cachePlugin;
         state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
-        publicClientApp = new msal.PublicClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        publicClientApp = new msal.PublicClientApplication({
+            ...state.msalConfig,
+            broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },
+            cache: { cachePlugin: await cachePlugin },
+        });
         publicApps.set(appKey, publicClientApp);
         return publicClientApp;
     }
@@ -96,7 +102,11 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
             ? state.pluginConfiguration.cache.cachePluginCae
             : state.pluginConfiguration.cache.cachePlugin;
         state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
-        confidentialClientApp = new msal.ConfidentialClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        confidentialClientApp = new msal.ConfidentialClientApplication({
+            ...state.msalConfig,
+            broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },
+            cache: { cachePlugin: await cachePlugin },
+        });
         confidentialApps.set(appKey, confidentialClientApp);
         return confidentialClientApp;
     }
@@ -115,7 +125,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
             claims: state.cachedClaims,
         };
         if (state.pluginConfiguration.broker.isEnabled) {
-            silentRequest.tokenQueryParameters || (silentRequest.tokenQueryParameters = {});
+            silentRequest.tokenQueryParameters ||= {};
             if (state.pluginConfiguration.broker.enableMsaPassthrough) {
                 silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
             }
@@ -139,7 +149,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
      * if the user is creating cross-tenant requests
      */
     function calculateRequestAuthority(options) {
-        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+        if (options?.tenantId) {
             return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));
         }
         return state.msalConfig.auth.authority;
@@ -155,7 +165,6 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
      * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
      */
     async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
-        var _a, _b;
         let response = null;
         try {
             response = await getTokenSilent(msalApp, scopes, options);
@@ -183,17 +192,16 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
         }
         // At this point we should have a token, process it
         ensureValidMsalToken(scopes, response, options);
-        state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
+        state.cachedAccount = response?.account ?? null;
         state.logger.getToken.info(formatSuccess(scopes));
         return {
             token: response.accessToken,
             expiresOnTimestamp: response.expiresOn.getTime(),
-            refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
+            refreshAfterTimestamp: response.refreshOn?.getTime(),
             tokenType: response.tokenType,
         };
     }
     async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
-        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client secret`);
         state.msalConfig.auth.clientSecret = clientSecret;
         const msalApp = await getConfidentialApp(options);
@@ -202,14 +210,14 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
                 scopes,
                 authority: calculateRequestAuthority(options),
                 azureRegion: calculateRegionalAuthority(),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             });
             ensureValidMsalToken(scopes, response, options);
             state.logger.getToken.info(formatSuccess(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -218,7 +226,6 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
         }
     }
     async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
-        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client assertion`);
         state.msalConfig.auth.clientAssertion = clientAssertion;
         const msalApp = await getConfidentialApp(options);
@@ -227,7 +234,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
                 scopes,
                 authority: calculateRequestAuthority(options),
                 azureRegion: calculateRegionalAuthority(),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
                 clientAssertion,
             });
             ensureValidMsalToken(scopes, response, options);
@@ -235,7 +242,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -244,7 +251,6 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
         }
     }
     async function getTokenByClientCertificate(scopes, certificate, options = {}) {
-        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client certificate`);
         state.msalConfig.auth.clientCertificate = certificate;
         const msalApp = await getConfidentialApp(options);
@@ -253,14 +259,14 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
                 scopes,
                 authority: calculateRequestAuthority(options),
                 azureRegion: calculateRegionalAuthority(),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             });
             ensureValidMsalToken(scopes, response, options);
             state.logger.getToken.info(formatSuccess(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -272,13 +278,12 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
         state.logger.getToken.info(`Attempting to acquire token using device code`);
         const msalApp = await getPublicApp(options);
         return withSilentAuthentication(msalApp, scopes, options, () => {
-            var _a, _b;
             const requestOptions = {
                 scopes,
-                cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
+                cancel: options?.abortSignal?.aborted ?? false,
                 deviceCodeCallback,
                 authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             };
             const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
             if (options.abortSignal) {
@@ -298,7 +303,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
                 username,
                 password,
                 authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             };
             return msalApp.acquireTokenByUsernamePassword(requestOptions);
         });
@@ -327,12 +332,11 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
                 redirectUri,
                 code: authorizationCode,
                 authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
+                claims: options?.claims,
             });
         });
     }
     async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
-        var _a;
         msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
         if (typeof clientCredentials === "string") {
             // Client secret
@@ -362,7 +366,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
-                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                refreshAfterTimestamp: response.refreshOn?.getTime(),
                 tokenType: response.tokenType,
             };
         }
@@ -370,79 +374,107 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
             throw handleMsalError(scopes, err, options);
         }
     }
-    async function getTokenByInteractiveRequest(scopes, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token interactively`);
+    /**
+     * Creates a base interactive request configuration for MSAL interactive authentication.
+     * This is shared between interactive and brokered authentication flows.
+     *
+     * @internal
+     */
+    function createBaseInteractiveRequest(scopes, options) {
+        return {
+            openBrowser: async (url) => {
+                const open = await import("open");
+                await open.default(url, { wait: true, newInstance: true });
+            },
+            scopes,
+            authority: calculateRequestAuthority(options),
+            claims: options?.claims,
+            loginHint: options?.loginHint,
+            errorTemplate: options?.browserCustomizationOptions?.errorMessage,
+            successTemplate: options?.browserCustomizationOptions?.successMessage,
+            prompt: options?.loginHint ? "login" : "select_account",
+        };
+    }
+    /**
+     * @internal
+     */
+    async function getBrokeredTokenInternal(scopes, useDefaultBrokerAccount, options = {}) {
+        msalLogger.verbose("Authentication will resume through the broker");
         const app = await getPublicApp(options);
-        /**
-         * A helper function that supports brokered authentication through the MSAL's public application.
-         *
-         * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
-         * If the default broker account is not available, the method will fall back to interactive authentication.
-         */
-        async function getBrokeredToken(useDefaultBrokerAccount) {
-            var _a;
-            msalLogger.verbose("Authentication will resume through the broker");
-            const interactiveRequest = createBaseInteractiveRequest();
-            if (state.pluginConfiguration.broker.parentWindowHandle) {
-                interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
-            }
-            else {
-                // this is a bug, as the pluginConfiguration handler should validate this case.
-                msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-            if (state.pluginConfiguration.broker.enableMsaPassthrough) {
-                ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
-                    "consumer_passthrough";
+        const interactiveRequest = createBaseInteractiveRequest(scopes, options);
+        if (state.pluginConfiguration.broker.parentWindowHandle) {
+            interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
+        }
+        else {
+            // this is a bug, as the pluginConfiguration handler should validate this case.
+            msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+        }
+        if (state.pluginConfiguration.broker.enableMsaPassthrough) {
+            (interactiveRequest.tokenQueryParameters ??= {})["msal_request_type"] =
+                "consumer_passthrough";
+        }
+        if (useDefaultBrokerAccount) {
+            interactiveRequest.prompt = "none";
+            msalLogger.verbose("Attempting broker authentication using the default broker account");
+        }
+        else {
+            msalLogger.verbose("Attempting broker authentication without the default broker account");
+        }
+        if (options.proofOfPossessionOptions) {
+            interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+            interactiveRequest.authenticationScheme = "pop";
+            interactiveRequest.resourceRequestMethod =
+                options.proofOfPossessionOptions.resourceRequestMethod;
+            interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+        }
+        try {
+            return await app.acquireTokenInteractive(interactiveRequest);
+        }
+        catch (e) {
+            msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
+            if (options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Cannot silently authenticate with default broker account.",
+                });
             }
+            // If we tried to use the default broker account and failed, fall back to interactive authentication
             if (useDefaultBrokerAccount) {
-                interactiveRequest.prompt = "none";
-                msalLogger.verbose("Attempting broker authentication using the default broker account");
+                return getBrokeredTokenInternal(scopes, false, options);
             }
             else {
-                msalLogger.verbose("Attempting broker authentication without the default broker account");
-            }
-            if (options.proofOfPossessionOptions) {
-                interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
-                interactiveRequest.authenticationScheme = "pop";
-                interactiveRequest.resourceRequestMethod =
-                    options.proofOfPossessionOptions.resourceRequestMethod;
-                interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
-            }
-            try {
-                return await app.acquireTokenInteractive(interactiveRequest);
-            }
-            catch (e) {
-                msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
-                // If we tried to use the default broker account and failed, fall back to interactive authentication
-                if (useDefaultBrokerAccount) {
-                    return getBrokeredToken(/* useDefaultBrokerAccount: */ false);
-                }
-                else {
-                    throw e;
-                }
+                throw e;
             }
         }
-        function createBaseInteractiveRequest() {
-            var _a, _b;
-            return {
-                openBrowser: async (url) => {
-                    const open = await import("open");
-                    await open.default(url, { wait: true, newInstance: true });
-                },
-                scopes,
-                authority: calculateRequestAuthority(options),
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-                loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
-                errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
-                successTemplate: (_b = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage,
-                prompt: (options === null || options === void 0 ? void 0 : options.loginHint) ? "login" : "select_account",
-            };
-        }
+    }
+    /**
+     * A helper function that supports brokered authentication through the MSAL's public application.
+     *
+     * When useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
+     * If the default broker account is not available, the method will fall back to interactive authentication.
+     */
+    async function getBrokeredToken(scopes, useDefaultBrokerAccount, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using brokered authentication with useDefaultBrokerAccount: ${useDefaultBrokerAccount}`);
+        const response = await getBrokeredTokenInternal(scopes, useDefaultBrokerAccount, options);
+        ensureValidMsalToken(scopes, response, options);
+        ensureValidMsalToken(scopes, response, options);
+        state.cachedAccount = response?.account ?? null;
+        state.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: response.accessToken,
+            expiresOnTimestamp: response.expiresOn.getTime(),
+            refreshAfterTimestamp: response.refreshOn?.getTime(),
+            tokenType: response.tokenType,
+        };
+    }
+    async function getTokenByInteractiveRequest(scopes, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token interactively`);
+        const app = await getPublicApp(options);
         return withSilentAuthentication(app, scopes, options, async () => {
-            var _a;
-            const interactiveRequest = createBaseInteractiveRequest();
+            const interactiveRequest = createBaseInteractiveRequest(scopes, options);
             if (state.pluginConfiguration.broker.isEnabled) {
-                return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
+                return getBrokeredTokenInternal(scopes, state.pluginConfiguration.broker.useDefaultBrokerAccount ?? false, options);
             }
             if (options.proofOfPossessionOptions) {
                 interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
@@ -456,6 +488,7 @@ export function createMsalClient(clientId, tenantId, createMsalClientOptions = {
     }
     return {
         getActiveAccount,
+        getBrokeredToken,
         getTokenByClientSecret,
         getTokenByClientAssertion,
         getTokenByClientCertificate,