@azure/identity 4.11.2-alpha.20250805.5 → 4.11.2-alpha.20250808.3

package/dist/browser/credentials/brokerCredential.d.ts

@@ -3,7 +3,7 @@ import { TokenCredentialOptions } from "../tokenCredentialOptions.js";
 import { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export declare class BrokerCredential implements TokenCredential {
     private brokerMsalClient;

package/dist/browser/credentials/brokerCredential.js

@@ -10,7 +10,7 @@ import { CredentialUnavailableError } from "../errors.js";
 const logger = credentialLogger("BrokerCredential");
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export class BrokerCredential {
     brokerMsalClient;

package/dist/browser/credentials/brokerCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,mCAAmC,CAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CACtC,uBAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,0BAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}
+{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,mCAAmC,CAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CACtC,uBAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,0BAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential uses the default account logged into the OS via a broker.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}

package/dist/commonjs/credentials/brokerCredential.d.ts

@@ -3,7 +3,7 @@ import { TokenCredentialOptions } from "../tokenCredentialOptions.js";
 import { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export declare class BrokerCredential implements TokenCredential {
     private brokerMsalClient;

package/dist/commonjs/credentials/brokerCredential.js

@@ -13,7 +13,7 @@ const errors_js_1 = require("../errors.js");
 const logger = (0, logging_js_1.credentialLogger)("BrokerCredential");
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 class BrokerCredential {
     brokerMsalClient;

package/dist/commonjs/credentials/brokerCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAGlC,+DAIkC;AAElC,mDAAmE;AACnE,yDAAqD;AACrD,mDAAmD;AAEnD,mEAAmE;AACnE,kDAA0D;AAG1D,4CAA0D;AAE1D,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAa,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,IAAA,kCAAe,EAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,IAAA,sDAAmC,EAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,IAAA,gCAAgB,EACtC,sCAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,0BAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,IAAA,4CAAyB,EAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,IAAA,4BAAY,EAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,sCAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF;AA5ED,4CA4EC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}
+{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAGlC,+DAIkC;AAElC,mDAAmE;AACnE,yDAAqD;AACrD,mDAAmD;AAEnD,mEAAmE;AACnE,kDAA0D;AAG1D,4CAA0D;AAE1D,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAa,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,IAAA,kCAAe,EAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,IAAA,sDAAmC,EAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,IAAA,gCAAgB,EACtC,sCAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,0BAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,IAAA,4CAAyB,EAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,IAAA,4BAAY,EAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,sCAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF;AA5ED,4CA4EC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential uses the default account logged into the OS via a broker.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}

package/dist/commonjs/credentials/defaultAzureCredential.d.ts

@@ -25,20 +25,10 @@ export declare class UnavailableDefaultCredential implements TokenCredential {
  * - {@link AzureCliCredential}
  * - {@link AzurePowerShellCredential}
  * - {@link AzureDeveloperCliCredential}
+ * - {@link BrokerCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Selecting credentials
- *
- * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.
- * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
- * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
- * "EnvironmentCredential" or "AzureCliCredential", and these special values:
- *
- *   - "dev": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order
- *   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
- *
  */
 export declare class DefaultAzureCredential extends ChainedTokenCredential {
     /**

package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}
+{"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}

package/dist/commonjs/credentials/defaultAzureCredential.js

@@ -38,20 +38,10 @@ exports.UnavailableDefaultCredential = UnavailableDefaultCredential;
  * - {@link AzureCliCredential}
  * - {@link AzurePowerShellCredential}
  * - {@link AzureDeveloperCliCredential}
+ * - {@link BrokerCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Selecting credentials
- *
- * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.
- * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
- * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
- * "EnvironmentCredential" or "AzureCliCredential", and these special values:
- *
- *   - "dev": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order
- *   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
- *
  */
 class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCredential {
     constructor(options) {

package/dist/commonjs/credentials/defaultAzureCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAalC,2EAAqE;AAIrE,mDAAsD;AACtD,6FAS8C;AAE9C,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAa,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAfD,oEAeC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAa,sBAAuB,SAAQ,kDAAsB;IAsBhE,YAAY,OAAuC;QACjD,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,4EAAuC;YACvC,oEAA+B;YAC/B,2EAAsC;YACtC,6EAAwC;YACxC,kEAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,uEAAkC;YAClC,4EAAuC;YACvC,2EAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,uEAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,oEAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,6EAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF;AAxGD,wDAwGC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  DefaultAzureCredentialClientIdOptions,\n  DefaultAzureCredentialOptions,\n  DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n  createDefaultAzureCliCredential,\n  createDefaultAzureDeveloperCliCredential,\n  createDefaultAzurePowershellCredential,\n  createDefaultBrokerCredential,\n  createDefaultManagedIdentityCredential,\n  createDefaultVisualStudioCodeCredential,\n  createDefaultWorkloadIdentityCredential,\n  createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n  credentialUnavailableErrorMessage: string;\n  credentialName: string;\n\n  constructor(credentialName: string, message: string) {\n    this.credentialName = credentialName;\n    this.credentialUnavailableErrorMessage = message;\n  }\n\n  getToken(): Promise<null> {\n    logger.getToken.info(\n      `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n    );\n    return Promise.resolve(null);\n  }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n *\n * Selecting credentials\n *\n * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.\n * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.\n * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example\n * \"EnvironmentCredential\" or \"AzureCliCredential\", and these special values:\n *\n *   - \"dev\": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order\n *   - \"prod\": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order\n *\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialOptions);\n\n  constructor(options?: DefaultAzureCredentialOptions) {\n    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n      : undefined;\n    const devCredentialFunctions = [\n      createDefaultVisualStudioCodeCredential,\n      createDefaultAzureCliCredential,\n      createDefaultAzurePowershellCredential,\n      createDefaultAzureDeveloperCliCredential,\n      createDefaultBrokerCredential,\n    ];\n    const prodCredentialFunctions = [\n      createDefaultEnvironmentCredential,\n      createDefaultWorkloadIdentityCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    let credentialFunctions = [];\n    const validCredentialNames =\n      \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n    // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n    if (azureTokenCredentials) {\n      switch (azureTokenCredentials) {\n        case \"dev\":\n          credentialFunctions = devCredentialFunctions;\n          break;\n        case \"prod\":\n          credentialFunctions = prodCredentialFunctions;\n          break;\n        case \"environmentcredential\":\n          credentialFunctions = [createDefaultEnvironmentCredential];\n          break;\n        case \"workloadidentitycredential\":\n          credentialFunctions = [createDefaultWorkloadIdentityCredential];\n          break;\n        case \"managedidentitycredential\":\n          credentialFunctions = [createDefaultManagedIdentityCredential];\n          break;\n        case \"visualstudiocodecredential\":\n          credentialFunctions = [createDefaultVisualStudioCodeCredential];\n          break;\n        case \"azureclicredential\":\n          credentialFunctions = [createDefaultAzureCliCredential];\n          break;\n        case \"azurepowershellcredential\":\n          credentialFunctions = [createDefaultAzurePowershellCredential];\n          break;\n        case \"azuredeveloperclicredential\":\n          credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n          break;\n        default: {\n          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n          // This will prevent the creation of the DefaultAzureCredential.\n          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n          logger.warning(errorMessage);\n          throw new Error(errorMessage);\n        }\n      }\n    } else {\n      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n    }\n\n    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n    // When adding new credentials to the default chain, consider:\n    // 1. Making the constructor parameters required and explicit\n    // 2. Validating any required parameters in the factory function\n    // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n    const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n      try {\n        return createCredentialFn(options);\n      } catch (err: any) {\n        logger.warning(\n          `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n        );\n        return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n      }\n    });\n\n    super(...credentials);\n  }\n}\n"]}
+{"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAalC,2EAAqE;AAIrE,mDAAsD;AACtD,6FAS8C;AAE9C,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAa,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAfD,oEAeC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAa,sBAAuB,SAAQ,kDAAsB;IAsBhE,YAAY,OAAuC;QACjD,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,4EAAuC;YACvC,oEAA+B;YAC/B,2EAAsC;YACtC,6EAAwC;YACxC,kEAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,uEAAkC;YAClC,4EAAuC;YACvC,2EAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,uEAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,oEAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,6EAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF;AAxGD,wDAwGC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  DefaultAzureCredentialClientIdOptions,\n  DefaultAzureCredentialOptions,\n  DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n  createDefaultAzureCliCredential,\n  createDefaultAzureDeveloperCliCredential,\n  createDefaultAzurePowershellCredential,\n  createDefaultBrokerCredential,\n  createDefaultManagedIdentityCredential,\n  createDefaultVisualStudioCodeCredential,\n  createDefaultWorkloadIdentityCredential,\n  createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n  credentialUnavailableErrorMessage: string;\n  credentialName: string;\n\n  constructor(credentialName: string, message: string) {\n    this.credentialName = credentialName;\n    this.credentialUnavailableErrorMessage = message;\n  }\n\n  getToken(): Promise<null> {\n    logger.getToken.info(\n      `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n    );\n    return Promise.resolve(null);\n  }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n * - {@link BrokerCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialOptions);\n\n  constructor(options?: DefaultAzureCredentialOptions) {\n    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n      : undefined;\n    const devCredentialFunctions = [\n      createDefaultVisualStudioCodeCredential,\n      createDefaultAzureCliCredential,\n      createDefaultAzurePowershellCredential,\n      createDefaultAzureDeveloperCliCredential,\n      createDefaultBrokerCredential,\n    ];\n    const prodCredentialFunctions = [\n      createDefaultEnvironmentCredential,\n      createDefaultWorkloadIdentityCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    let credentialFunctions = [];\n    const validCredentialNames =\n      \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n    // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n    if (azureTokenCredentials) {\n      switch (azureTokenCredentials) {\n        case \"dev\":\n          credentialFunctions = devCredentialFunctions;\n          break;\n        case \"prod\":\n          credentialFunctions = prodCredentialFunctions;\n          break;\n        case \"environmentcredential\":\n          credentialFunctions = [createDefaultEnvironmentCredential];\n          break;\n        case \"workloadidentitycredential\":\n          credentialFunctions = [createDefaultWorkloadIdentityCredential];\n          break;\n        case \"managedidentitycredential\":\n          credentialFunctions = [createDefaultManagedIdentityCredential];\n          break;\n        case \"visualstudiocodecredential\":\n          credentialFunctions = [createDefaultVisualStudioCodeCredential];\n          break;\n        case \"azureclicredential\":\n          credentialFunctions = [createDefaultAzureCliCredential];\n          break;\n        case \"azurepowershellcredential\":\n          credentialFunctions = [createDefaultAzurePowershellCredential];\n          break;\n        case \"azuredeveloperclicredential\":\n          credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n          break;\n        default: {\n          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n          // This will prevent the creation of the DefaultAzureCredential.\n          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n          logger.warning(errorMessage);\n          throw new Error(errorMessage);\n        }\n      }\n    } else {\n      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n    }\n\n    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n    // When adding new credentials to the default chain, consider:\n    // 1. Making the constructor parameters required and explicit\n    // 2. Validating any required parameters in the factory function\n    // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n    const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n      try {\n        return createCredentialFn(options);\n      } catch (err: any) {\n        logger.warning(\n          `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n        );\n        return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n      }\n    });\n\n    super(...credentials);\n  }\n}\n"]}

package/dist/esm/credentials/brokerCredential.d.ts

@@ -3,7 +3,7 @@ import { TokenCredentialOptions } from "../tokenCredentialOptions.js";
 import { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export declare class BrokerCredential implements TokenCredential {
     private brokerMsalClient;

package/dist/esm/credentials/brokerCredential.js

@@ -10,7 +10,7 @@ import { CredentialUnavailableError } from "../errors.js";
 const logger = credentialLogger("BrokerCredential");
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export class BrokerCredential {
     brokerMsalClient;

package/dist/esm/credentials/brokerCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,mCAAmC,CAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CACtC,uBAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,0BAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}
+{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,mCAAmC,CAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CACtC,uBAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,0BAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential uses the default account logged into the OS via a broker.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}

package/dist/esm/credentials/defaultAzureCredential.d.ts

@@ -25,20 +25,10 @@ export declare class UnavailableDefaultCredential implements TokenCredential {
  * - {@link AzureCliCredential}
  * - {@link AzurePowerShellCredential}
  * - {@link AzureDeveloperCliCredential}
+ * - {@link BrokerCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Selecting credentials
- *
- * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.
- * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
- * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
- * "EnvironmentCredential" or "AzureCliCredential", and these special values:
- *
- *   - "dev": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order
- *   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
- *
  */
 export declare class DefaultAzureCredential extends ChainedTokenCredential {
     /**

package/dist/esm/credentials/defaultAzureCredential.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}
+{"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}

package/dist/esm/credentials/defaultAzureCredential.js

@@ -34,20 +34,10 @@ export class UnavailableDefaultCredential {
  * - {@link AzureCliCredential}
  * - {@link AzurePowerShellCredential}
  * - {@link AzureDeveloperCliCredential}
+ * - {@link BrokerCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Selecting credentials
- *
- * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.
- * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
- * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
- * "EnvironmentCredential" or "AzureCliCredential", and these special values:
- *
- *   - "dev": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order
- *   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
- *
  */
 export class DefaultAzureCredential extends ChainedTokenCredential {
     constructor(options) {

package/dist/esm/credentials/defaultAzureCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAalC,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAIrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,+BAA+B,EAC/B,wCAAwC,EACxC,sCAAsC,EACtC,6BAA6B,EAC7B,sCAAsC,EACtC,uCAAuC,EACvC,uCAAuC,EACvC,kCAAkC,GACnC,MAAM,sCAAsC,CAAC;AAE9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,OAAO,sBAAuB,SAAQ,sBAAsB;IAsBhE,YAAY,OAAuC;QACjD,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,uCAAuC;YACvC,+BAA+B;YAC/B,sCAAsC;YACtC,wCAAwC;YACxC,6BAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,kCAAkC;YAClC,uCAAuC;YACvC,sCAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,kCAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,+BAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,wCAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  DefaultAzureCredentialClientIdOptions,\n  DefaultAzureCredentialOptions,\n  DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n  createDefaultAzureCliCredential,\n  createDefaultAzureDeveloperCliCredential,\n  createDefaultAzurePowershellCredential,\n  createDefaultBrokerCredential,\n  createDefaultManagedIdentityCredential,\n  createDefaultVisualStudioCodeCredential,\n  createDefaultWorkloadIdentityCredential,\n  createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n  credentialUnavailableErrorMessage: string;\n  credentialName: string;\n\n  constructor(credentialName: string, message: string) {\n    this.credentialName = credentialName;\n    this.credentialUnavailableErrorMessage = message;\n  }\n\n  getToken(): Promise<null> {\n    logger.getToken.info(\n      `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n    );\n    return Promise.resolve(null);\n  }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n *\n * Selecting credentials\n *\n * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.\n * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.\n * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example\n * \"EnvironmentCredential\" or \"AzureCliCredential\", and these special values:\n *\n *   - \"dev\": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order\n *   - \"prod\": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order\n *\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialOptions);\n\n  constructor(options?: DefaultAzureCredentialOptions) {\n    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n      : undefined;\n    const devCredentialFunctions = [\n      createDefaultVisualStudioCodeCredential,\n      createDefaultAzureCliCredential,\n      createDefaultAzurePowershellCredential,\n      createDefaultAzureDeveloperCliCredential,\n      createDefaultBrokerCredential,\n    ];\n    const prodCredentialFunctions = [\n      createDefaultEnvironmentCredential,\n      createDefaultWorkloadIdentityCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    let credentialFunctions = [];\n    const validCredentialNames =\n      \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n    // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n    if (azureTokenCredentials) {\n      switch (azureTokenCredentials) {\n        case \"dev\":\n          credentialFunctions = devCredentialFunctions;\n          break;\n        case \"prod\":\n          credentialFunctions = prodCredentialFunctions;\n          break;\n        case \"environmentcredential\":\n          credentialFunctions = [createDefaultEnvironmentCredential];\n          break;\n        case \"workloadidentitycredential\":\n          credentialFunctions = [createDefaultWorkloadIdentityCredential];\n          break;\n        case \"managedidentitycredential\":\n          credentialFunctions = [createDefaultManagedIdentityCredential];\n          break;\n        case \"visualstudiocodecredential\":\n          credentialFunctions = [createDefaultVisualStudioCodeCredential];\n          break;\n        case \"azureclicredential\":\n          credentialFunctions = [createDefaultAzureCliCredential];\n          break;\n        case \"azurepowershellcredential\":\n          credentialFunctions = [createDefaultAzurePowershellCredential];\n          break;\n        case \"azuredeveloperclicredential\":\n          credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n          break;\n        default: {\n          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n          // This will prevent the creation of the DefaultAzureCredential.\n          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n          logger.warning(errorMessage);\n          throw new Error(errorMessage);\n        }\n      }\n    } else {\n      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n    }\n\n    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n    // When adding new credentials to the default chain, consider:\n    // 1. Making the constructor parameters required and explicit\n    // 2. Validating any required parameters in the factory function\n    // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n    const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n      try {\n        return createCredentialFn(options);\n      } catch (err: any) {\n        logger.warning(\n          `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n        );\n        return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n      }\n    });\n\n    super(...credentials);\n  }\n}\n"]}
+{"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAalC,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAIrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,+BAA+B,EAC/B,wCAAwC,EACxC,sCAAsC,EACtC,6BAA6B,EAC7B,sCAAsC,EACtC,uCAAuC,EACvC,uCAAuC,EACvC,kCAAkC,GACnC,MAAM,sCAAsC,CAAC;AAE9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,sBAAuB,SAAQ,sBAAsB;IAsBhE,YAAY,OAAuC;QACjD,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,uCAAuC;YACvC,+BAA+B;YAC/B,sCAAsC;YACtC,wCAAwC;YACxC,6BAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,kCAAkC;YAClC,uCAAuC;YACvC,sCAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,kCAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,+BAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,wCAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  DefaultAzureCredentialClientIdOptions,\n  DefaultAzureCredentialOptions,\n  DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n  createDefaultAzureCliCredential,\n  createDefaultAzureDeveloperCliCredential,\n  createDefaultAzurePowershellCredential,\n  createDefaultBrokerCredential,\n  createDefaultManagedIdentityCredential,\n  createDefaultVisualStudioCodeCredential,\n  createDefaultWorkloadIdentityCredential,\n  createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n  credentialUnavailableErrorMessage: string;\n  credentialName: string;\n\n  constructor(credentialName: string, message: string) {\n    this.credentialName = credentialName;\n    this.credentialUnavailableErrorMessage = message;\n  }\n\n  getToken(): Promise<null> {\n    logger.getToken.info(\n      `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n    );\n    return Promise.resolve(null);\n  }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n * - {@link BrokerCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialOptions);\n\n  constructor(options?: DefaultAzureCredentialOptions) {\n    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n      : undefined;\n    const devCredentialFunctions = [\n      createDefaultVisualStudioCodeCredential,\n      createDefaultAzureCliCredential,\n      createDefaultAzurePowershellCredential,\n      createDefaultAzureDeveloperCliCredential,\n      createDefaultBrokerCredential,\n    ];\n    const prodCredentialFunctions = [\n      createDefaultEnvironmentCredential,\n      createDefaultWorkloadIdentityCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    let credentialFunctions = [];\n    const validCredentialNames =\n      \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n    // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n    if (azureTokenCredentials) {\n      switch (azureTokenCredentials) {\n        case \"dev\":\n          credentialFunctions = devCredentialFunctions;\n          break;\n        case \"prod\":\n          credentialFunctions = prodCredentialFunctions;\n          break;\n        case \"environmentcredential\":\n          credentialFunctions = [createDefaultEnvironmentCredential];\n          break;\n        case \"workloadidentitycredential\":\n          credentialFunctions = [createDefaultWorkloadIdentityCredential];\n          break;\n        case \"managedidentitycredential\":\n          credentialFunctions = [createDefaultManagedIdentityCredential];\n          break;\n        case \"visualstudiocodecredential\":\n          credentialFunctions = [createDefaultVisualStudioCodeCredential];\n          break;\n        case \"azureclicredential\":\n          credentialFunctions = [createDefaultAzureCliCredential];\n          break;\n        case \"azurepowershellcredential\":\n          credentialFunctions = [createDefaultAzurePowershellCredential];\n          break;\n        case \"azuredeveloperclicredential\":\n          credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n          break;\n        default: {\n          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n          // This will prevent the creation of the DefaultAzureCredential.\n          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n          logger.warning(errorMessage);\n          throw new Error(errorMessage);\n        }\n      }\n    } else {\n      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n    }\n\n    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n    // When adding new credentials to the default chain, consider:\n    // 1. Making the constructor parameters required and explicit\n    // 2. Validating any required parameters in the factory function\n    // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n    const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n      try {\n        return createCredentialFn(options);\n      } catch (err: any) {\n        logger.warning(\n          `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n        );\n        return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n      }\n    });\n\n    super(...credentials);\n  }\n}\n"]}

package/dist/workerd/credentials/brokerCredential.d.ts

@@ -3,7 +3,7 @@ import { TokenCredentialOptions } from "../tokenCredentialOptions.js";
 import { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export declare class BrokerCredential implements TokenCredential {
     private brokerMsalClient;

package/dist/workerd/credentials/brokerCredential.js

@@ -10,7 +10,7 @@ import { CredentialUnavailableError } from "../errors.js";
 const logger = credentialLogger("BrokerCredential");
 /**
  * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.
- * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.
+ * This credential uses the default account logged into the OS via a broker.
  */
 export class BrokerCredential {
     brokerMsalClient;

package/dist/workerd/credentials/brokerCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,mCAAmC,CAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CACtC,uBAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,0BAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential extends InteractiveBrowserCredential and provides additional broker-specific functionality.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}
+{"version":3,"file":"brokerCredential.js","sourceRoot":"","sources":["../../../src/credentials/brokerCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,gBAAgB,CAAa;IAC7B,cAAc,CAAU;IACxB,kCAAkC,CAAW;IAErD;;;;;;;OAOG;IACH,YACE,OAA2F;QAE3F,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,kCAAkC,GAAG,mCAAmC,CAC3E,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;YACN,aAAa,EAAE;gBACb,OAAO,EAAE,IAAI;gBACb,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC;gBACrC,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC;QAEF,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CACtC,uBAAuB,EACvB,IAAI,CAAC,cAAc,EACnB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,cAAc,EACnB,UAAU,EACV,IAAI,CAAC,kCAAkC,EACvC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,EAAE;oBAC/D,GAAG,UAAU;oBACb,8BAA8B,EAAE,IAAI;iBACrC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClD,MAAM,IAAI,0BAA0B,CAClC,qDAAqD,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,CACb,CAAC;YACJ,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\nimport { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\n\nconst logger = credentialLogger(\"BrokerCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using WAM (Web Account Manager) broker.\n * This credential uses the default account logged into the OS via a broker.\n */\nexport class BrokerCredential implements TokenCredential {\n  private brokerMsalClient: MsalClient;\n  private brokerTenantId?: string;\n  private brokerAdditionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of BrokerCredential with the required broker options.\n   *\n   * This credential uses WAM (Web Account Manager) for authentication, which provides\n   * better security and user experience on Windows platforms.\n   *\n   * @param options - Options for configuring the broker credential, including required broker options.\n   */\n  constructor(\n    options: { tenantId?: string } & TokenCredentialOptions & MultiTenantTokenCredentialOptions,\n  ) {\n    this.brokerTenantId = resolveTenantId(logger, options.tenantId);\n    this.brokerAdditionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n      brokerOptions: {\n        enabled: true,\n        parentWindowHandle: new Uint8Array(0),\n        useDefaultBrokerAccount: true,\n      },\n    };\n\n    this.brokerMsalClient = createMsalClient(\n      DeveloperSignOnClientId,\n      this.brokerTenantId,\n      msalClientOptions,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID using WAM broker and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * This method extends the base getToken method to support silentAuthenticationOnly option\n   * when using broker authentication.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the token request, including silentAuthenticationOnly option.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.brokerTenantId,\n          newOptions,\n          this.brokerAdditionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        try {\n          return this.brokerMsalClient.getBrokeredToken(arrayScopes, true, {\n            ...newOptions,\n            disableAutomaticAuthentication: true,\n          });\n        } catch (e: any) {\n          logger.getToken.info(formatError(arrayScopes, e));\n          throw new CredentialUnavailableError(\n            \"Failed to acquire token using broker authentication\",\n            { cause: e },\n          );\n        }\n      },\n    );\n  }\n}\n"]}

package/dist/workerd/credentials/defaultAzureCredential.d.ts

@@ -25,20 +25,10 @@ export declare class UnavailableDefaultCredential implements TokenCredential {
  * - {@link AzureCliCredential}
  * - {@link AzurePowerShellCredential}
  * - {@link AzureDeveloperCliCredential}
+ * - {@link BrokerCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Selecting credentials
- *
- * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.
- * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
- * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
- * "EnvironmentCredential" or "AzureCliCredential", and these special values:
- *
- *   - "dev": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order
- *   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
- *
  */
 export declare class DefaultAzureCredential extends ChainedTokenCredential {
     /**

package/dist/workerd/credentials/defaultAzureCredential.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}
+{"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}

package/dist/workerd/credentials/defaultAzureCredential.js

@@ -34,20 +34,10 @@ export class UnavailableDefaultCredential {
  * - {@link AzureCliCredential}
  * - {@link AzurePowerShellCredential}
  * - {@link AzureDeveloperCliCredential}
+ * - {@link BrokerCredential}
  *
  * Consult the documentation of these credential types for more information
  * on how they attempt authentication.
- *
- * Selecting credentials
- *
- * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.
- * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
- * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
- * "EnvironmentCredential" or "AzureCliCredential", and these special values:
- *
- *   - "dev": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order
- *   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
- *
  */
 export class DefaultAzureCredential extends ChainedTokenCredential {
     constructor(options) {

package/dist/workerd/credentials/defaultAzureCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAalC,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAIrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,+BAA+B,EAC/B,wCAAwC,EACxC,sCAAsC,EACtC,6BAA6B,EAC7B,sCAAsC,EACtC,uCAAuC,EACvC,uCAAuC,EACvC,kCAAkC,GACnC,MAAM,sCAAsC,CAAC;AAE9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,OAAO,sBAAuB,SAAQ,sBAAsB;IAsBhE,YAAY,OAAuC;QACjD,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,uCAAuC;YACvC,+BAA+B;YAC/B,sCAAsC;YACtC,wCAAwC;YACxC,6BAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,kCAAkC;YAClC,uCAAuC;YACvC,sCAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,kCAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,+BAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,wCAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  DefaultAzureCredentialClientIdOptions,\n  DefaultAzureCredentialOptions,\n  DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n  createDefaultAzureCliCredential,\n  createDefaultAzureDeveloperCliCredential,\n  createDefaultAzurePowershellCredential,\n  createDefaultBrokerCredential,\n  createDefaultManagedIdentityCredential,\n  createDefaultVisualStudioCodeCredential,\n  createDefaultWorkloadIdentityCredential,\n  createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n  credentialUnavailableErrorMessage: string;\n  credentialName: string;\n\n  constructor(credentialName: string, message: string) {\n    this.credentialName = credentialName;\n    this.credentialUnavailableErrorMessage = message;\n  }\n\n  getToken(): Promise<null> {\n    logger.getToken.info(\n      `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n    );\n    return Promise.resolve(null);\n  }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n *\n * Selecting credentials\n *\n * Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain.\n * DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.\n * Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example\n * \"EnvironmentCredential\" or \"AzureCliCredential\", and these special values:\n *\n *   - \"dev\": try [VisualStudioCodeCredential], [AzureCliCredential], [AzurePowerShellCredential] and [AzureDeveloperCliCredential], in that order\n *   - \"prod\": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order\n *\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialOptions);\n\n  constructor(options?: DefaultAzureCredentialOptions) {\n    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n      : undefined;\n    const devCredentialFunctions = [\n      createDefaultVisualStudioCodeCredential,\n      createDefaultAzureCliCredential,\n      createDefaultAzurePowershellCredential,\n      createDefaultAzureDeveloperCliCredential,\n      createDefaultBrokerCredential,\n    ];\n    const prodCredentialFunctions = [\n      createDefaultEnvironmentCredential,\n      createDefaultWorkloadIdentityCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    let credentialFunctions = [];\n    const validCredentialNames =\n      \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n    // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n    if (azureTokenCredentials) {\n      switch (azureTokenCredentials) {\n        case \"dev\":\n          credentialFunctions = devCredentialFunctions;\n          break;\n        case \"prod\":\n          credentialFunctions = prodCredentialFunctions;\n          break;\n        case \"environmentcredential\":\n          credentialFunctions = [createDefaultEnvironmentCredential];\n          break;\n        case \"workloadidentitycredential\":\n          credentialFunctions = [createDefaultWorkloadIdentityCredential];\n          break;\n        case \"managedidentitycredential\":\n          credentialFunctions = [createDefaultManagedIdentityCredential];\n          break;\n        case \"visualstudiocodecredential\":\n          credentialFunctions = [createDefaultVisualStudioCodeCredential];\n          break;\n        case \"azureclicredential\":\n          credentialFunctions = [createDefaultAzureCliCredential];\n          break;\n        case \"azurepowershellcredential\":\n          credentialFunctions = [createDefaultAzurePowershellCredential];\n          break;\n        case \"azuredeveloperclicredential\":\n          credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n          break;\n        default: {\n          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n          // This will prevent the creation of the DefaultAzureCredential.\n          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n          logger.warning(errorMessage);\n          throw new Error(errorMessage);\n        }\n      }\n    } else {\n      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n    }\n\n    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n    // When adding new credentials to the default chain, consider:\n    // 1. Making the constructor parameters required and explicit\n    // 2. Validating any required parameters in the factory function\n    // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n    const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n      try {\n        return createCredentialFn(options);\n      } catch (err: any) {\n        logger.warning(\n          `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n        );\n        return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n      }\n    });\n\n    super(...credentials);\n  }\n}\n"]}
+{"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAalC,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAIrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,+BAA+B,EAC/B,wCAAwC,EACxC,sCAAsC,EACtC,6BAA6B,EAC7B,sCAAsC,EACtC,uCAAuC,EACvC,uCAAuC,EACvC,kCAAkC,GACnC,MAAM,sCAAsC,CAAC;AAE9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,sBAAuB,SAAQ,sBAAsB;IAsBhE,YAAY,OAAuC;QACjD,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,uCAAuC;YACvC,+BAA+B;YAC/B,sCAAsC;YACtC,wCAAwC;YACxC,6BAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,kCAAkC;YAClC,uCAAuC;YACvC,sCAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,kCAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,uCAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,+BAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,sCAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,wCAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  DefaultAzureCredentialClientIdOptions,\n  DefaultAzureCredentialOptions,\n  DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n  createDefaultAzureCliCredential,\n  createDefaultAzureDeveloperCliCredential,\n  createDefaultAzurePowershellCredential,\n  createDefaultBrokerCredential,\n  createDefaultManagedIdentityCredential,\n  createDefaultVisualStudioCodeCredential,\n  createDefaultWorkloadIdentityCredential,\n  createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n  credentialUnavailableErrorMessage: string;\n  credentialName: string;\n\n  constructor(credentialName: string, message: string) {\n    this.credentialName = credentialName;\n    this.credentialUnavailableErrorMessage = message;\n  }\n\n  getToken(): Promise<null> {\n    logger.getToken.info(\n      `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n    );\n    return Promise.resolve(null);\n  }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n * - {@link BrokerCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n  /**\n   * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n   *\n   * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n   */\n  constructor(options?: DefaultAzureCredentialOptions);\n\n  constructor(options?: DefaultAzureCredentialOptions) {\n    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n      : undefined;\n    const devCredentialFunctions = [\n      createDefaultVisualStudioCodeCredential,\n      createDefaultAzureCliCredential,\n      createDefaultAzurePowershellCredential,\n      createDefaultAzureDeveloperCliCredential,\n      createDefaultBrokerCredential,\n    ];\n    const prodCredentialFunctions = [\n      createDefaultEnvironmentCredential,\n      createDefaultWorkloadIdentityCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    let credentialFunctions = [];\n    const validCredentialNames =\n      \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n    // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n    if (azureTokenCredentials) {\n      switch (azureTokenCredentials) {\n        case \"dev\":\n          credentialFunctions = devCredentialFunctions;\n          break;\n        case \"prod\":\n          credentialFunctions = prodCredentialFunctions;\n          break;\n        case \"environmentcredential\":\n          credentialFunctions = [createDefaultEnvironmentCredential];\n          break;\n        case \"workloadidentitycredential\":\n          credentialFunctions = [createDefaultWorkloadIdentityCredential];\n          break;\n        case \"managedidentitycredential\":\n          credentialFunctions = [createDefaultManagedIdentityCredential];\n          break;\n        case \"visualstudiocodecredential\":\n          credentialFunctions = [createDefaultVisualStudioCodeCredential];\n          break;\n        case \"azureclicredential\":\n          credentialFunctions = [createDefaultAzureCliCredential];\n          break;\n        case \"azurepowershellcredential\":\n          credentialFunctions = [createDefaultAzurePowershellCredential];\n          break;\n        case \"azuredeveloperclicredential\":\n          credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n          break;\n        default: {\n          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n          // This will prevent the creation of the DefaultAzureCredential.\n          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n          logger.warning(errorMessage);\n          throw new Error(errorMessage);\n        }\n      }\n    } else {\n      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n    }\n\n    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n    // When adding new credentials to the default chain, consider:\n    // 1. Making the constructor parameters required and explicit\n    // 2. Validating any required parameters in the factory function\n    // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n    const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n      try {\n        return createCredentialFn(options);\n      } catch (err: any) {\n        logger.warning(\n          `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n        );\n        return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n      }\n    });\n\n    super(...credentials);\n  }\n}\n"]}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "4.11.2-alpha.20250805.5",
+  "version": "4.11.2-alpha.20250808.3",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",
   "main": "./dist/commonjs/index.js",
   "module": "./dist/esm/index.js",
@@ -92,7 +92,7 @@
     "@azure-tools/test-utils-vitest": ">=1.0.0-alpha <1.0.0-alphb",
     "@azure/dev-tool": ">=1.0.0-alpha <1.0.0-alphb",
     "@azure/eslint-plugin-azure-sdk": ">=3.0.0-alpha <3.0.0-alphb",
-    "@azure/keyvault-keys": "^4.2.0",
+    "@azure/keyvault-keys": "4.10.0",
     "@types/jsonwebtoken": "^9.0.0",
     "@types/ms": "^2.1.0",
     "@types/node": "^20.0.0",