@azure/identity 4.12.0 → 4.13.0-alpha.20251007.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (112) hide show
  1. package/README.md +1 -1
  2. package/dist/browser/constants.d.ts +1 -1
  3. package/dist/browser/constants.js +1 -1
  4. package/dist/browser/constants.js.map +1 -1
  5. package/dist/browser/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  6. package/dist/browser/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  7. package/dist/browser/credentials/defaultAzureCredentialFunctions.js +4 -0
  8. package/dist/browser/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  9. package/dist/browser/credentials/managedIdentityCredential/options.d.ts +15 -0
  10. package/dist/browser/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  11. package/dist/browser/credentials/managedIdentityCredential/options.js.map +1 -1
  12. package/dist/browser/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  13. package/dist/browser/msal/browserFlows/msalBrowserCommon.js +0 -1
  14. package/dist/browser/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  15. package/dist/browser/msal/nodeFlows/msalClient.d.ts.map +1 -1
  16. package/dist/browser/msal/nodeFlows/msalClient.js +0 -2
  17. package/dist/browser/msal/nodeFlows/msalClient.js.map +1 -1
  18. package/dist/browser/msal/utils.d.ts.map +1 -1
  19. package/dist/browser/msal/utils.js +0 -4
  20. package/dist/browser/msal/utils.js.map +1 -1
  21. package/dist/commonjs/constants.d.ts +1 -1
  22. package/dist/commonjs/constants.js +1 -1
  23. package/dist/commonjs/constants.js.map +1 -1
  24. package/dist/commonjs/credentials/defaultAzureCredential.d.ts +1 -1
  25. package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map +1 -1
  26. package/dist/commonjs/credentials/defaultAzureCredential.js +8 -4
  27. package/dist/commonjs/credentials/defaultAzureCredential.js.map +1 -1
  28. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  29. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  30. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.js +4 -0
  31. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  32. package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts +1 -0
  33. package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts.map +1 -1
  34. package/dist/commonjs/credentials/managedIdentityCredential/index.js +6 -2
  35. package/dist/commonjs/credentials/managedIdentityCredential/index.js.map +1 -1
  36. package/dist/commonjs/credentials/managedIdentityCredential/options.d.ts +15 -0
  37. package/dist/commonjs/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  38. package/dist/commonjs/credentials/managedIdentityCredential/options.js.map +1 -1
  39. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  40. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js +0 -1
  41. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  42. package/dist/commonjs/msal/nodeFlows/msalClient.d.ts.map +1 -1
  43. package/dist/commonjs/msal/nodeFlows/msalClient.js +0 -2
  44. package/dist/commonjs/msal/nodeFlows/msalClient.js.map +1 -1
  45. package/dist/commonjs/msal/utils.d.ts.map +1 -1
  46. package/dist/commonjs/msal/utils.js +0 -4
  47. package/dist/commonjs/msal/utils.js.map +1 -1
  48. package/dist/commonjs/plugins/consumer.d.ts.map +1 -1
  49. package/dist/commonjs/plugins/consumer.js +0 -1
  50. package/dist/commonjs/plugins/consumer.js.map +1 -1
  51. package/dist/commonjs/tsdoc-metadata.json +1 -1
  52. package/dist/esm/constants.d.ts +1 -1
  53. package/dist/esm/constants.js +1 -1
  54. package/dist/esm/constants.js.map +1 -1
  55. package/dist/esm/credentials/defaultAzureCredential.d.ts +1 -1
  56. package/dist/esm/credentials/defaultAzureCredential.d.ts.map +1 -1
  57. package/dist/esm/credentials/defaultAzureCredential.js +8 -4
  58. package/dist/esm/credentials/defaultAzureCredential.js.map +1 -1
  59. package/dist/esm/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  60. package/dist/esm/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  61. package/dist/esm/credentials/defaultAzureCredentialFunctions.js +4 -0
  62. package/dist/esm/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  63. package/dist/esm/credentials/managedIdentityCredential/index.d.ts +1 -0
  64. package/dist/esm/credentials/managedIdentityCredential/index.d.ts.map +1 -1
  65. package/dist/esm/credentials/managedIdentityCredential/index.js +6 -2
  66. package/dist/esm/credentials/managedIdentityCredential/index.js.map +1 -1
  67. package/dist/esm/credentials/managedIdentityCredential/options.d.ts +15 -0
  68. package/dist/esm/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  69. package/dist/esm/credentials/managedIdentityCredential/options.js.map +1 -1
  70. package/dist/esm/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  71. package/dist/esm/msal/browserFlows/msalBrowserCommon.js +0 -1
  72. package/dist/esm/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  73. package/dist/esm/msal/nodeFlows/msalClient.d.ts.map +1 -1
  74. package/dist/esm/msal/nodeFlows/msalClient.js +0 -2
  75. package/dist/esm/msal/nodeFlows/msalClient.js.map +1 -1
  76. package/dist/esm/msal/utils.d.ts.map +1 -1
  77. package/dist/esm/msal/utils.js +0 -4
  78. package/dist/esm/msal/utils.js.map +1 -1
  79. package/dist/esm/plugins/consumer.d.ts.map +1 -1
  80. package/dist/esm/plugins/consumer.js +0 -1
  81. package/dist/esm/plugins/consumer.js.map +1 -1
  82. package/dist/workerd/constants.d.ts +1 -1
  83. package/dist/workerd/constants.js +1 -1
  84. package/dist/workerd/constants.js.map +1 -1
  85. package/dist/workerd/credentials/defaultAzureCredential.d.ts +1 -1
  86. package/dist/workerd/credentials/defaultAzureCredential.d.ts.map +1 -1
  87. package/dist/workerd/credentials/defaultAzureCredential.js +8 -4
  88. package/dist/workerd/credentials/defaultAzureCredential.js.map +1 -1
  89. package/dist/workerd/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  90. package/dist/workerd/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  91. package/dist/workerd/credentials/defaultAzureCredentialFunctions.js +4 -0
  92. package/dist/workerd/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  93. package/dist/workerd/credentials/managedIdentityCredential/index.d.ts +1 -0
  94. package/dist/workerd/credentials/managedIdentityCredential/index.d.ts.map +1 -1
  95. package/dist/workerd/credentials/managedIdentityCredential/index.js +6 -2
  96. package/dist/workerd/credentials/managedIdentityCredential/index.js.map +1 -1
  97. package/dist/workerd/credentials/managedIdentityCredential/options.d.ts +15 -0
  98. package/dist/workerd/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  99. package/dist/workerd/credentials/managedIdentityCredential/options.js.map +1 -1
  100. package/dist/workerd/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  101. package/dist/workerd/msal/browserFlows/msalBrowserCommon.js +0 -1
  102. package/dist/workerd/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  103. package/dist/workerd/msal/nodeFlows/msalClient.d.ts.map +1 -1
  104. package/dist/workerd/msal/nodeFlows/msalClient.js +0 -2
  105. package/dist/workerd/msal/nodeFlows/msalClient.js.map +1 -1
  106. package/dist/workerd/msal/utils.d.ts.map +1 -1
  107. package/dist/workerd/msal/utils.js +0 -4
  108. package/dist/workerd/msal/utils.js.map +1 -1
  109. package/dist/workerd/plugins/consumer.d.ts.map +1 -1
  110. package/dist/workerd/plugins/consumer.js +0 -1
  111. package/dist/workerd/plugins/consumer.js.map +1 -1
  112. package/package.json +3 -3
package/dist/browser/msal/utils.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/msal/utils.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,2BAA2B,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAEvF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC1F,OAAO,EAAE,UAAU,IAAI,cAAc,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEpF,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAGrD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAMvC;;GAEG;AACH,MAAM,MAAM,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;AAEjD;;;GAGG;AACH,MAAM,iCAAiC,GAAG,KAAK,CAAC;AAEhD;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAyB,EACzB,SAA4B,EAC5B,eAAiC;IAEjC,MAAM,KAAK,GAAG,CAAC,OAAe,EAAS,EAAE;QACvC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,IAAI,2BAA2B,CAAC;YACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YACjD,eAAe;YACf,OAAO;SACR,CAAC,CAAC;IACL,CAAC,CAAC;IACF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;QACzB,MAAM,KAAK,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QAC3B,MAAM,KAAK,CAAC,yCAAyC,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAoC;IACnE,IAAI,aAAa,GAAG,OAAO,EAAE,aAAa,CAAC;IAE3C,IAAI,CAAC,aAAa,IAAI,UAAU,EAAE,CAAC;QACjC,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACnD,CAAC;IAED,OAAO,aAAa,IAAI,oBAAoB,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,IAAa;IAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,oBAAoB,CAAC;IAC9B,CAAC;IACD,IAAI,IAAI,MAAM,CAAC,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,GAAG,QAAQ,CAAC;IACzB,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,IAAI,IAAI,QAAQ,EAAE,CAAC;IAC/B,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,aAAqB,EACrB,wBAAkC;IAElC,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,aAAa,CAAC,IAAI,wBAAwB,EAAE,CAAC;QACvE,OAAO,CAAC,aAAa,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAIhC,CAAC,UAA4B,EAAE,WAA+B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,CAC7F,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAQ,EAAE;IACpC,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO;IACT,CAAC;IACD,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC,QAAQ,CAAC,KAAK;YAC5B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,cAAc,OAAO,EAAE,CAAC,CAAC;YACzD,OAAO;QACT,KAAK,UAAU,CAAC,QAAQ,CAAC,IAAI;YAC3B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,qBAAqB,OAAO,EAAE,CAAC,CAAC;YAChE,OAAO;QACT,KAAK,UAAU,CAAC,QAAQ,CAAC,OAAO;YAC9B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,wBAAwB,OAAO,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,KAAK,UAAU,CAAC,QAAQ,CAAC,OAAO;YAC9B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,gBAAgB,OAAO,EAAE,CAAC,CAAC;YAC3D,OAAO;IACX,CAAC;AACH,CAAC,CAAC;AAEJ;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAmC;IACjE,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;QACnC,KAAK,MAAM;YACT,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;QAClC,KAAK,SAAS;YACZ,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QACrC,KAAK,SAAS;YACZ,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QACrC;YACE,4CAA4C;YAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;IACpC,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAgB,EAChB,KAAY,EACZ,eAAiC;IAEjC,IACE,KAAK,CAAC,IAAI,KAAK,WAAW;QAC1B,KAAK,CAAC,IAAI,KAAK,iBAAiB;QAChC,KAAK,CAAC,IAAI,KAAK,kBAAkB,EACjC,CAAC;QACD,MAAM,SAAS,GAAG,KAA6B,CAAC;QAChD,QAAQ,SAAS,CAAC,SAAS,EAAE,CAAC;YAC5B,KAAK,4BAA4B;gBAC/B,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;gBAChD,OAAO,IAAI,0BAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACvD,KAAK,+BAA+B;gBAClC,OAAO,IAAI,UAAU,CAAC,oDAAoD,CAAC,CAAC;YAC9E,KAAK,kBAAkB,CAAC;YACxB,KAAK,sBAAsB,CAAC;YAC5B,KAAK,gBAAgB;gBACnB,MAAM,CAAC,IAAI,CACT,WAAW,CAAC,MAAM,EAAE,qCAAqC,SAAS,CAAC,SAAS,EAAE,CAAC,CAChF,CAAC;gBACF,MAAM;YACR;gBACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,4BAA4B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBAC9E,MAAM;QACV,CAAC;IACH,CAAC;IACD,IACE,KAAK,CAAC,IAAI,KAAK,0BAA0B;QACzC,KAAK,CAAC,IAAI,KAAK,+BAA+B;QAC9C,KAAK,CAAC,IAAI,KAAK,YAAY;QAC3B,KAAK,CAAC,IAAI,KAAK,qBAAqB,EACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CACT,WAAW,CACT,MAAM,EACN,iCAAiC,KAAK,CAAC,OAAO,sBAC3C,KAAa,CAAC,UACjB,EAAE,CACH,CACF,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;AAC9F,CAAC;AAED,kBAAkB;AAClB,MAAM,UAAU,YAAY,CAAC,OAA6B;IACxD,OAAO;QACL,cAAc,EAAE,OAAO,CAAC,aAAa;QACrC,WAAW,EAAE,OAAO,CAAC,SAAS;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,OAAwB;IACrE,MAAM,MAAM,GAAG;QACb,SAAS,EAAE,OAAO,CAAC,WAAW,IAAI,gBAAgB;QAClD,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,eAAe;QAC7C,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,QAAQ;QACR,OAAO,EAAE,iCAAiC;KAC3C,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,6BAA6B,CAAC,MAA4B;IACxE,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,+BAA+B,CAAC,gBAAwB;IACtE,MAAM,MAAM,GAAgD,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAEzF,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,iCAAiC,EAAE,CAAC;QAC3E,MAAM,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthenticationRecord, MsalAccountInfo, MsalToken, ValidMsalToken } from \"./types.js\";\nimport { AuthenticationRequiredError, CredentialUnavailableError } from \"../errors.js\";\nimport type { CredentialLogger } from \"../util/logging.js\";\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { DefaultAuthority, DefaultAuthorityHost, DefaultTenantId } from \"../constants.js\";\nimport { randomUUID as coreRandomUUID, isNode, isNodeLike } from \"@azure/core-util\";\n\nimport { AbortError } from \"@azure/abort-controller\";\nimport type { AzureLogLevel } from \"@azure/logger\";\nimport type { GetTokenOptions } from \"@azure/core-auth\";\nimport { msalCommon } from \"./msal.js\";\n\nexport interface ILoggerCallback {\n (level: msalCommon.LogLevel, message: string, containsPii: boolean): void;\n}\n\n/**\n * @internal\n */\nconst logger = credentialLogger(\"IdentityUtils\");\n\n/**\n * Latest AuthenticationRecord version\n * @internal\n */\nconst LatestAuthenticationRecordVersion = \"1.0\";\n\n/**\n * Ensures the validity of the MSAL token\n * @internal\n */\nexport function ensureValidMsalToken(\n scopes: string | string[],\n msalToken?: MsalToken | null,\n getTokenOptions?: GetTokenOptions,\n): asserts msalToken is ValidMsalToken {\n const error = (message: string): Error => {\n logger.getToken.info(message);\n return new AuthenticationRequiredError({\n scopes: Array.isArray(scopes) ? scopes : [scopes],\n getTokenOptions,\n message,\n });\n };\n if (!msalToken) {\n throw error(\"No response\");\n }\n if (!msalToken.expiresOn) {\n throw error(`Response had no \"expiresOn\" property.`);\n }\n if (!msalToken.accessToken) {\n throw error(`Response had no \"accessToken\" property.`);\n }\n}\n\n/**\n * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.\n *\n * Defaults to {@link DefaultAuthorityHost}.\n * @internal\n */\nexport function getAuthorityHost(options?: { authorityHost?: string }): string {\n let authorityHost = options?.authorityHost;\n\n if (!authorityHost && isNodeLike) {\n authorityHost = process.env.AZURE_AUTHORITY_HOST;\n }\n\n return authorityHost ?? DefaultAuthorityHost;\n}\n\n/**\n * Generates a valid authority by combining a host with a tenantId.\n * @internal\n */\nexport function getAuthority(tenantId: string, host?: string): string {\n if (!host) {\n host = DefaultAuthorityHost;\n }\n if (new RegExp(`${tenantId}/?$`).test(host)) {\n return host;\n }\n if (host.endsWith(\"/\")) {\n return host + tenantId;\n } else {\n return `${host}/${tenantId}`;\n }\n}\n\n/**\n * Generates the known authorities.\n * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.\n * For that reason, we have to force MSAL to disable validating the authority\n * by sending it within the known authorities in the MSAL configuration.\n * @internal\n */\nexport function getKnownAuthorities(\n tenantId: string,\n authorityHost: string,\n disableInstanceDiscovery?: boolean,\n): string[] {\n if ((tenantId === \"adfs\" && authorityHost) || disableInstanceDiscovery) {\n return [authorityHost];\n }\n return [];\n}\n\n/**\n * Generates a logger that can be passed to the MSAL clients.\n * @param credLogger - The logger of the credential.\n * @internal\n */\nexport const defaultLoggerCallback: (\n logger: CredentialLogger,\n platform?: \"Node\" | \"Browser\",\n) => ILoggerCallback =\n (credLogger: CredentialLogger, platform: \"Node\" | \"Browser\" = isNode ? \"Node\" : \"Browser\") =>\n (level, message, containsPii): void => {\n if (containsPii) {\n return;\n }\n switch (level) {\n case msalCommon.LogLevel.Error:\n credLogger.info(`MSAL ${platform} V2 error: ${message}`);\n return;\n case msalCommon.LogLevel.Info:\n credLogger.info(`MSAL ${platform} V2 info message: ${message}`);\n return;\n case msalCommon.LogLevel.Verbose:\n credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);\n return;\n case msalCommon.LogLevel.Warning:\n credLogger.info(`MSAL ${platform} V2 warning: ${message}`);\n return;\n }\n };\n\n/**\n * @internal\n */\nexport function getMSALLogLevel(logLevel: AzureLogLevel | undefined): msalCommon.LogLevel {\n switch (logLevel) {\n case \"error\":\n return msalCommon.LogLevel.Error;\n case \"info\":\n return msalCommon.LogLevel.Info;\n case \"verbose\":\n return msalCommon.LogLevel.Verbose;\n case \"warning\":\n return msalCommon.LogLevel.Warning;\n default:\n // default msal logging level should be Info\n return msalCommon.LogLevel.Info;\n }\n}\n\n/**\n * Wraps core-util's randomUUID in order to allow for mocking in tests.\n * This prepares the library for the upcoming core-util update to ESM.\n *\n * @internal\n * @returns A string containing a random UUID\n */\nexport function randomUUID(): string {\n return coreRandomUUID();\n}\n\n/**\n * Handles MSAL errors.\n */\nexport function handleMsalError(\n scopes: string[],\n error: Error,\n getTokenOptions?: GetTokenOptions,\n): Error {\n if (\n error.name === \"AuthError\" ||\n error.name === \"ClientAuthError\" ||\n error.name === \"BrowserAuthError\"\n ) {\n const msalError = error as msalCommon.AuthError;\n switch (msalError.errorCode) {\n case \"endpoints_resolution_error\":\n logger.info(formatError(scopes, error.message));\n return new CredentialUnavailableError(error.message);\n case \"device_code_polling_cancelled\":\n return new AbortError(\"The authentication has been aborted by the caller.\");\n case \"consent_required\":\n case \"interaction_required\":\n case \"login_required\":\n logger.info(\n formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`),\n );\n break;\n default:\n logger.info(formatError(scopes, `Failed to acquire token: ${error.message}`));\n break;\n }\n }\n if (\n error.name === \"ClientConfigurationError\" ||\n error.name === \"BrowserConfigurationAuthError\" ||\n error.name === \"AbortError\" ||\n error.name === \"AuthenticationError\"\n ) {\n return error;\n }\n if (error.name === \"NativeAuthError\") {\n logger.info(\n formatError(\n scopes,\n `Error from the native broker: ${error.message} with status code: ${\n (error as any).statusCode\n }`,\n ),\n );\n return error;\n }\n return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });\n}\n\n// transformations\nexport function publicToMsal(account: AuthenticationRecord): msalCommon.AccountInfo {\n return {\n localAccountId: account.homeAccountId,\n environment: account.authority,\n username: account.username,\n homeAccountId: account.homeAccountId,\n tenantId: account.tenantId,\n };\n}\n\nexport function msalToPublic(clientId: string, account: MsalAccountInfo): AuthenticationRecord {\n const record = {\n authority: account.environment ?? DefaultAuthority,\n homeAccountId: account.homeAccountId,\n tenantId: account.tenantId || DefaultTenantId,\n username: account.username,\n clientId,\n version: LatestAuthenticationRecordVersion,\n };\n return record;\n}\n\n/**\n * Serializes an `AuthenticationRecord` into a string.\n *\n * The output of a serialized authentication record will contain the following properties:\n *\n * - \"authority\"\n * - \"homeAccountId\"\n * - \"clientId\"\n * - \"tenantId\"\n * - \"username\"\n * - \"version\"\n *\n * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.\n */\nexport function serializeAuthenticationRecord(record: AuthenticationRecord): string {\n return JSON.stringify(record);\n}\n\n/**\n * Deserializes a previously serialized authentication record from a string into an object.\n *\n * The input string must contain the following properties:\n *\n * - \"authority\"\n * - \"homeAccountId\"\n * - \"clientId\"\n * - \"tenantId\"\n * - \"username\"\n * - \"version\"\n *\n * If the version we receive is unsupported, an error will be thrown.\n *\n * At the moment, the only available version is: \"1.0\", which is always set when the authentication record is serialized.\n *\n * @param serializedRecord - Authentication record previously serialized into string.\n * @returns AuthenticationRecord.\n */\nexport function deserializeAuthenticationRecord(serializedRecord: string): AuthenticationRecord {\n const parsed: AuthenticationRecord & { version?: string } = JSON.parse(serializedRecord);\n\n if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {\n throw Error(\"Unsupported AuthenticationRecord version\");\n }\n\n return parsed;\n}\n"]}
1
+ {"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/msal/utils.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,2BAA2B,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAEvF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC1F,OAAO,EAAE,UAAU,IAAI,cAAc,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEpF,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAGrD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAMvC,MAAM,MAAM,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;AAEjD;;GAEG;AACH,MAAM,iCAAiC,GAAG,KAAK,CAAC;AAEhD;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAyB,EACzB,SAA4B,EAC5B,eAAiC;IAEjC,MAAM,KAAK,GAAG,CAAC,OAAe,EAAS,EAAE;QACvC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,IAAI,2BAA2B,CAAC;YACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YACjD,eAAe;YACf,OAAO;SACR,CAAC,CAAC;IACL,CAAC,CAAC;IACF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;QACzB,MAAM,KAAK,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QAC3B,MAAM,KAAK,CAAC,yCAAyC,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAoC;IACnE,IAAI,aAAa,GAAG,OAAO,EAAE,aAAa,CAAC;IAE3C,IAAI,CAAC,aAAa,IAAI,UAAU,EAAE,CAAC;QACjC,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACnD,CAAC;IAED,OAAO,aAAa,IAAI,oBAAoB,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,IAAa;IAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,oBAAoB,CAAC;IAC9B,CAAC;IACD,IAAI,IAAI,MAAM,CAAC,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,GAAG,QAAQ,CAAC;IACzB,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,IAAI,IAAI,QAAQ,EAAE,CAAC;IAC/B,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,aAAqB,EACrB,wBAAkC;IAElC,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,aAAa,CAAC,IAAI,wBAAwB,EAAE,CAAC;QACvE,OAAO,CAAC,aAAa,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAIhC,CAAC,UAA4B,EAAE,WAA+B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,CAC7F,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAQ,EAAE;IACpC,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO;IACT,CAAC;IACD,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC,QAAQ,CAAC,KAAK;YAC5B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,cAAc,OAAO,EAAE,CAAC,CAAC;YACzD,OAAO;QACT,KAAK,UAAU,CAAC,QAAQ,CAAC,IAAI;YAC3B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,qBAAqB,OAAO,EAAE,CAAC,CAAC;YAChE,OAAO;QACT,KAAK,UAAU,CAAC,QAAQ,CAAC,OAAO;YAC9B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,wBAAwB,OAAO,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,KAAK,UAAU,CAAC,QAAQ,CAAC,OAAO;YAC9B,UAAU,CAAC,IAAI,CAAC,QAAQ,QAAQ,gBAAgB,OAAO,EAAE,CAAC,CAAC;YAC3D,OAAO;IACX,CAAC;AACH,CAAC,CAAC;AAEJ;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAmC;IACjE,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;QACnC,KAAK,MAAM;YACT,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;QAClC,KAAK,SAAS;YACZ,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QACrC,KAAK,SAAS;YACZ,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QACrC;YACE,4CAA4C;YAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;IACpC,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAgB,EAChB,KAAY,EACZ,eAAiC;IAEjC,IACE,KAAK,CAAC,IAAI,KAAK,WAAW;QAC1B,KAAK,CAAC,IAAI,KAAK,iBAAiB;QAChC,KAAK,CAAC,IAAI,KAAK,kBAAkB,EACjC,CAAC;QACD,MAAM,SAAS,GAAG,KAA6B,CAAC;QAChD,QAAQ,SAAS,CAAC,SAAS,EAAE,CAAC;YAC5B,KAAK,4BAA4B;gBAC/B,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;gBAChD,OAAO,IAAI,0BAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACvD,KAAK,+BAA+B;gBAClC,OAAO,IAAI,UAAU,CAAC,oDAAoD,CAAC,CAAC;YAC9E,KAAK,kBAAkB,CAAC;YACxB,KAAK,sBAAsB,CAAC;YAC5B,KAAK,gBAAgB;gBACnB,MAAM,CAAC,IAAI,CACT,WAAW,CAAC,MAAM,EAAE,qCAAqC,SAAS,CAAC,SAAS,EAAE,CAAC,CAChF,CAAC;gBACF,MAAM;YACR;gBACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,4BAA4B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBAC9E,MAAM;QACV,CAAC;IACH,CAAC;IACD,IACE,KAAK,CAAC,IAAI,KAAK,0BAA0B;QACzC,KAAK,CAAC,IAAI,KAAK,+BAA+B;QAC9C,KAAK,CAAC,IAAI,KAAK,YAAY;QAC3B,KAAK,CAAC,IAAI,KAAK,qBAAqB,EACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CACT,WAAW,CACT,MAAM,EACN,iCAAiC,KAAK,CAAC,OAAO,sBAC3C,KAAa,CAAC,UACjB,EAAE,CACH,CACF,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;AAC9F,CAAC;AAED,kBAAkB;AAClB,MAAM,UAAU,YAAY,CAAC,OAA6B;IACxD,OAAO;QACL,cAAc,EAAE,OAAO,CAAC,aAAa;QACrC,WAAW,EAAE,OAAO,CAAC,SAAS;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,OAAwB;IACrE,MAAM,MAAM,GAAG;QACb,SAAS,EAAE,OAAO,CAAC,WAAW,IAAI,gBAAgB;QAClD,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,eAAe;QAC7C,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,QAAQ;QACR,OAAO,EAAE,iCAAiC;KAC3C,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,6BAA6B,CAAC,MAA4B;IACxE,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,+BAA+B,CAAC,gBAAwB;IACtE,MAAM,MAAM,GAAgD,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAEzF,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,iCAAiC,EAAE,CAAC;QAC3E,MAAM,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthenticationRecord, MsalAccountInfo, MsalToken, ValidMsalToken } from \"./types.js\";\nimport { AuthenticationRequiredError, CredentialUnavailableError } from \"../errors.js\";\nimport type { CredentialLogger } from \"../util/logging.js\";\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport { DefaultAuthority, DefaultAuthorityHost, DefaultTenantId } from \"../constants.js\";\nimport { randomUUID as coreRandomUUID, isNode, isNodeLike } from \"@azure/core-util\";\n\nimport { AbortError } from \"@azure/abort-controller\";\nimport type { AzureLogLevel } from \"@azure/logger\";\nimport type { GetTokenOptions } from \"@azure/core-auth\";\nimport { msalCommon } from \"./msal.js\";\n\nexport interface ILoggerCallback {\n (level: msalCommon.LogLevel, message: string, containsPii: boolean): void;\n}\n\nconst logger = credentialLogger(\"IdentityUtils\");\n\n/**\n * Latest AuthenticationRecord version\n */\nconst LatestAuthenticationRecordVersion = \"1.0\";\n\n/**\n * Ensures the validity of the MSAL token\n * @internal\n */\nexport function ensureValidMsalToken(\n scopes: string | string[],\n msalToken?: MsalToken | null,\n getTokenOptions?: GetTokenOptions,\n): asserts msalToken is ValidMsalToken {\n const error = (message: string): Error => {\n logger.getToken.info(message);\n return new AuthenticationRequiredError({\n scopes: Array.isArray(scopes) ? scopes : [scopes],\n getTokenOptions,\n message,\n });\n };\n if (!msalToken) {\n throw error(\"No response\");\n }\n if (!msalToken.expiresOn) {\n throw error(`Response had no \"expiresOn\" property.`);\n }\n if (!msalToken.accessToken) {\n throw error(`Response had no \"accessToken\" property.`);\n }\n}\n\n/**\n * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.\n *\n * Defaults to {@link DefaultAuthorityHost}.\n * @internal\n */\nexport function getAuthorityHost(options?: { authorityHost?: string }): string {\n let authorityHost = options?.authorityHost;\n\n if (!authorityHost && isNodeLike) {\n authorityHost = process.env.AZURE_AUTHORITY_HOST;\n }\n\n return authorityHost ?? DefaultAuthorityHost;\n}\n\n/**\n * Generates a valid authority by combining a host with a tenantId.\n * @internal\n */\nexport function getAuthority(tenantId: string, host?: string): string {\n if (!host) {\n host = DefaultAuthorityHost;\n }\n if (new RegExp(`${tenantId}/?$`).test(host)) {\n return host;\n }\n if (host.endsWith(\"/\")) {\n return host + tenantId;\n } else {\n return `${host}/${tenantId}`;\n }\n}\n\n/**\n * Generates the known authorities.\n * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.\n * For that reason, we have to force MSAL to disable validating the authority\n * by sending it within the known authorities in the MSAL configuration.\n * @internal\n */\nexport function getKnownAuthorities(\n tenantId: string,\n authorityHost: string,\n disableInstanceDiscovery?: boolean,\n): string[] {\n if ((tenantId === \"adfs\" && authorityHost) || disableInstanceDiscovery) {\n return [authorityHost];\n }\n return [];\n}\n\n/**\n * Generates a logger that can be passed to the MSAL clients.\n * @param credLogger - The logger of the credential.\n * @internal\n */\nexport const defaultLoggerCallback: (\n logger: CredentialLogger,\n platform?: \"Node\" | \"Browser\",\n) => ILoggerCallback =\n (credLogger: CredentialLogger, platform: \"Node\" | \"Browser\" = isNode ? \"Node\" : \"Browser\") =>\n (level, message, containsPii): void => {\n if (containsPii) {\n return;\n }\n switch (level) {\n case msalCommon.LogLevel.Error:\n credLogger.info(`MSAL ${platform} V2 error: ${message}`);\n return;\n case msalCommon.LogLevel.Info:\n credLogger.info(`MSAL ${platform} V2 info message: ${message}`);\n return;\n case msalCommon.LogLevel.Verbose:\n credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);\n return;\n case msalCommon.LogLevel.Warning:\n credLogger.info(`MSAL ${platform} V2 warning: ${message}`);\n return;\n }\n };\n\n/**\n * @internal\n */\nexport function getMSALLogLevel(logLevel: AzureLogLevel | undefined): msalCommon.LogLevel {\n switch (logLevel) {\n case \"error\":\n return msalCommon.LogLevel.Error;\n case \"info\":\n return msalCommon.LogLevel.Info;\n case \"verbose\":\n return msalCommon.LogLevel.Verbose;\n case \"warning\":\n return msalCommon.LogLevel.Warning;\n default:\n // default msal logging level should be Info\n return msalCommon.LogLevel.Info;\n }\n}\n\n/**\n * Wraps core-util's randomUUID in order to allow for mocking in tests.\n * This prepares the library for the upcoming core-util update to ESM.\n *\n * @internal\n * @returns A string containing a random UUID\n */\nexport function randomUUID(): string {\n return coreRandomUUID();\n}\n\n/**\n * Handles MSAL errors.\n */\nexport function handleMsalError(\n scopes: string[],\n error: Error,\n getTokenOptions?: GetTokenOptions,\n): Error {\n if (\n error.name === \"AuthError\" ||\n error.name === \"ClientAuthError\" ||\n error.name === \"BrowserAuthError\"\n ) {\n const msalError = error as msalCommon.AuthError;\n switch (msalError.errorCode) {\n case \"endpoints_resolution_error\":\n logger.info(formatError(scopes, error.message));\n return new CredentialUnavailableError(error.message);\n case \"device_code_polling_cancelled\":\n return new AbortError(\"The authentication has been aborted by the caller.\");\n case \"consent_required\":\n case \"interaction_required\":\n case \"login_required\":\n logger.info(\n formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`),\n );\n break;\n default:\n logger.info(formatError(scopes, `Failed to acquire token: ${error.message}`));\n break;\n }\n }\n if (\n error.name === \"ClientConfigurationError\" ||\n error.name === \"BrowserConfigurationAuthError\" ||\n error.name === \"AbortError\" ||\n error.name === \"AuthenticationError\"\n ) {\n return error;\n }\n if (error.name === \"NativeAuthError\") {\n logger.info(\n formatError(\n scopes,\n `Error from the native broker: ${error.message} with status code: ${\n (error as any).statusCode\n }`,\n ),\n );\n return error;\n }\n return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });\n}\n\n// transformations\nexport function publicToMsal(account: AuthenticationRecord): msalCommon.AccountInfo {\n return {\n localAccountId: account.homeAccountId,\n environment: account.authority,\n username: account.username,\n homeAccountId: account.homeAccountId,\n tenantId: account.tenantId,\n };\n}\n\nexport function msalToPublic(clientId: string, account: MsalAccountInfo): AuthenticationRecord {\n const record = {\n authority: account.environment ?? DefaultAuthority,\n homeAccountId: account.homeAccountId,\n tenantId: account.tenantId || DefaultTenantId,\n username: account.username,\n clientId,\n version: LatestAuthenticationRecordVersion,\n };\n return record;\n}\n\n/**\n * Serializes an `AuthenticationRecord` into a string.\n *\n * The output of a serialized authentication record will contain the following properties:\n *\n * - \"authority\"\n * - \"homeAccountId\"\n * - \"clientId\"\n * - \"tenantId\"\n * - \"username\"\n * - \"version\"\n *\n * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.\n */\nexport function serializeAuthenticationRecord(record: AuthenticationRecord): string {\n return JSON.stringify(record);\n}\n\n/**\n * Deserializes a previously serialized authentication record from a string into an object.\n *\n * The input string must contain the following properties:\n *\n * - \"authority\"\n * - \"homeAccountId\"\n * - \"clientId\"\n * - \"tenantId\"\n * - \"username\"\n * - \"version\"\n *\n * If the version we receive is unsupported, an error will be thrown.\n *\n * At the moment, the only available version is: \"1.0\", which is always set when the authentication record is serialized.\n *\n * @param serializedRecord - Authentication record previously serialized into string.\n * @returns AuthenticationRecord.\n */\nexport function deserializeAuthenticationRecord(serializedRecord: string): AuthenticationRecord {\n const parsed: AuthenticationRecord & { version?: string } = JSON.parse(serializedRecord);\n\n if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {\n throw Error(\"Unsupported AuthenticationRecord version\");\n }\n\n return parsed;\n}\n"]}
package/dist/commonjs/constants.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  /**
2
2
  * Current version of the `@azure/identity` package.
3
3
  */
4
- export declare const SDK_VERSION = "4.12.0";
4
+ export declare const SDK_VERSION = "4.13.0";
5
5
  /**
6
6
  * The default client ID for authentication
7
7
  * @internal
package/dist/commonjs/constants.js CHANGED
@@ -6,7 +6,7 @@ exports.DEFAULT_TOKEN_CACHE_NAME = exports.CACHE_NON_CAE_SUFFIX = exports.CACHE_
6
6
  /**
7
7
  * Current version of the `@azure/identity` package.
8
8
  */
9
- exports.SDK_VERSION = `4.12.0`;
9
+ exports.SDK_VERSION = `4.13.0`;
10
10
  /**
11
11
  * The default client ID for authentication
12
12
  * @internal
package/dist/commonjs/constants.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAElC;;GAEG;AACU,QAAA,WAAW,GAAG,QAAQ,CAAC;AAEpC;;;GAGG;AACH,2EAA2E;AAC3E,6CAA6C;AAC7C,uGAAuG;AAC1F,QAAA,uBAAuB,GAAG,sCAAsC,CAAC;AAE9E;;;GAGG;AACU,QAAA,eAAe,GAAG,QAAQ,CAAC;AAExC;;GAEG;AACH,IAAY,mBAoBX;AApBD,WAAY,mBAAmB;IAC7B;;OAEG;IACH,oEAA6C,CAAA;IAC7C;;;;;SAKK;IACL,wEAAiD,CAAA;IACjD;;OAEG;IACH,2EAAoD,CAAA;IACpD;;OAEG;IACH,6EAAsD,CAAA;AACxD,CAAC,EApBW,mBAAmB,mCAAnB,mBAAmB,QAoB9B;AAED;;;GAGG;AACU,QAAA,oBAAoB,GAAG,mBAAmB,CAAC,gBAAgB,CAAC;AAEzE;;;GAGG;AACU,QAAA,gBAAgB,GAAG,2BAA2B,CAAC;AAE5D;;;GAGG;AACU,QAAA,WAAW,GAAa,CAAC,GAAG,CAAC,CAAC;AAE3C;;GAEG;AACU,QAAA,gBAAgB,GAAG,KAAK,CAAC;AAEtC;;GAEG;AACU,QAAA,oBAAoB,GAAG,OAAO,CAAC;AAE5C;;;;;GAKG;AACU,QAAA,wBAAwB,GAAG,YAAY,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\n/**\n * Current version of the `@azure/identity` package.\n */\nexport const SDK_VERSION = `4.12.0`;\n\n/**\n * The default client ID for authentication\n * @internal\n */\n// TODO: temporary - this is the Azure CLI clientID - we'll replace it when\n// Developer Sign On application is available\n// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9\nexport const DeveloperSignOnClientId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\";\n\n/**\n * The default tenant for authentication\n * @internal\n */\nexport const DefaultTenantId = \"common\";\n\n/**\n * A list of known Azure authority hosts\n */\nexport enum AzureAuthorityHosts {\n /**\n * China-based Azure Authority Host\n */\n AzureChina = \"https://login.chinacloudapi.cn\",\n /**\n * Germany-based Azure Authority Host\n *\n * @deprecated Microsoft Cloud Germany was closed on October 29th, 2021.\n *\n * */\n AzureGermany = \"https://login.microsoftonline.de\",\n /**\n * US Government Azure Authority Host\n */\n AzureGovernment = \"https://login.microsoftonline.us\",\n /**\n * Public Cloud Azure Authority Host\n */\n AzurePublicCloud = \"https://login.microsoftonline.com\",\n}\n\n/**\n * @internal\n * The default authority host.\n */\nexport const DefaultAuthorityHost = AzureAuthorityHosts.AzurePublicCloud;\n\n/**\n * @internal\n * The default environment host for Azure Public Cloud\n */\nexport const DefaultAuthority = \"login.microsoftonline.com\";\n\n/**\n * @internal\n * Allow acquiring tokens for any tenant for multi-tentant auth.\n */\nexport const ALL_TENANTS: string[] = [\"*\"];\n\n/**\n * @internal\n */\nexport const CACHE_CAE_SUFFIX = \"cae\";\n\n/**\n * @internal\n */\nexport const CACHE_NON_CAE_SUFFIX = \"nocae\";\n\n/**\n * @internal\n *\n * The default name for the cache persistence plugin.\n * Matches the constant defined in the cache persistence package.\n */\nexport const DEFAULT_TOKEN_CACHE_NAME = \"msal.cache\";\n"]}
1
+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAElC;;GAEG;AACU,QAAA,WAAW,GAAG,QAAQ,CAAC;AAEpC;;;GAGG;AACH,2EAA2E;AAC3E,6CAA6C;AAC7C,uGAAuG;AAC1F,QAAA,uBAAuB,GAAG,sCAAsC,CAAC;AAE9E;;;GAGG;AACU,QAAA,eAAe,GAAG,QAAQ,CAAC;AAExC;;GAEG;AACH,IAAY,mBAoBX;AApBD,WAAY,mBAAmB;IAC7B;;OAEG;IACH,oEAA6C,CAAA;IAC7C;;;;;SAKK;IACL,wEAAiD,CAAA;IACjD;;OAEG;IACH,2EAAoD,CAAA;IACpD;;OAEG;IACH,6EAAsD,CAAA;AACxD,CAAC,EApBW,mBAAmB,mCAAnB,mBAAmB,QAoB9B;AAED;;;GAGG;AACU,QAAA,oBAAoB,GAAG,mBAAmB,CAAC,gBAAgB,CAAC;AAEzE;;;GAGG;AACU,QAAA,gBAAgB,GAAG,2BAA2B,CAAC;AAE5D;;;GAGG;AACU,QAAA,WAAW,GAAa,CAAC,GAAG,CAAC,CAAC;AAE3C;;GAEG;AACU,QAAA,gBAAgB,GAAG,KAAK,CAAC;AAEtC;;GAEG;AACU,QAAA,oBAAoB,GAAG,OAAO,CAAC;AAE5C;;;;;GAKG;AACU,QAAA,wBAAwB,GAAG,YAAY,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\n/**\n * Current version of the `@azure/identity` package.\n */\nexport const SDK_VERSION = `4.13.0`;\n\n/**\n * The default client ID for authentication\n * @internal\n */\n// TODO: temporary - this is the Azure CLI clientID - we'll replace it when\n// Developer Sign On application is available\n// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9\nexport const DeveloperSignOnClientId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\";\n\n/**\n * The default tenant for authentication\n * @internal\n */\nexport const DefaultTenantId = \"common\";\n\n/**\n * A list of known Azure authority hosts\n */\nexport enum AzureAuthorityHosts {\n /**\n * China-based Azure Authority Host\n */\n AzureChina = \"https://login.chinacloudapi.cn\",\n /**\n * Germany-based Azure Authority Host\n *\n * @deprecated Microsoft Cloud Germany was closed on October 29th, 2021.\n *\n * */\n AzureGermany = \"https://login.microsoftonline.de\",\n /**\n * US Government Azure Authority Host\n */\n AzureGovernment = \"https://login.microsoftonline.us\",\n /**\n * Public Cloud Azure Authority Host\n */\n AzurePublicCloud = \"https://login.microsoftonline.com\",\n}\n\n/**\n * @internal\n * The default authority host.\n */\nexport const DefaultAuthorityHost = AzureAuthorityHosts.AzurePublicCloud;\n\n/**\n * @internal\n * The default environment host for Azure Public Cloud\n */\nexport const DefaultAuthority = \"login.microsoftonline.com\";\n\n/**\n * @internal\n * Allow acquiring tokens for any tenant for multi-tentant auth.\n */\nexport const ALL_TENANTS: string[] = [\"*\"];\n\n/**\n * @internal\n */\nexport const CACHE_CAE_SUFFIX = \"cae\";\n\n/**\n * @internal\n */\nexport const CACHE_NON_CAE_SUFFIX = \"nocae\";\n\n/**\n * @internal\n *\n * The default name for the cache persistence plugin.\n * Matches the constant defined in the cache persistence package.\n */\nexport const DEFAULT_TOKEN_CACHE_NAME = \"msal.cache\";\n"]}
package/dist/commonjs/credentials/defaultAzureCredential.d.ts CHANGED
@@ -25,7 +25,7 @@ export declare class UnavailableDefaultCredential implements TokenCredential {
25
25
  * - {@link AzureCliCredential}
26
26
  * - {@link AzurePowerShellCredential}
27
27
  * - {@link AzureDeveloperCliCredential}
28
- * - {@link BrokerCredential}
28
+ * - BrokerCredential (a broker-enabled credential that requires \@azure/identity-broker is installed)
29
29
  *
30
30
  * Consult the documentation of these credential types for more information
31
31
  * on how they attempt authentication.
package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAqFpD"}
1
+ {"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAyFpD"}
package/dist/commonjs/credentials/defaultAzureCredential.js CHANGED
@@ -38,7 +38,7 @@ exports.UnavailableDefaultCredential = UnavailableDefaultCredential;
38
38
  * - {@link AzureCliCredential}
39
39
  * - {@link AzurePowerShellCredential}
40
40
  * - {@link AzureDeveloperCliCredential}
41
- * - {@link BrokerCredential}
41
+ * - BrokerCredential (a broker-enabled credential that requires \@azure/identity-broker is installed)
42
42
  *
43
43
  * Consult the documentation of these credential types for more information
44
44
  * on how they attempt authentication.
@@ -98,7 +98,11 @@ class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCre
98
98
  credentialFunctions = [defaultAzureCredentialFunctions_js_1.createDefaultWorkloadIdentityCredential];
99
99
  break;
100
100
  case "managedidentitycredential":
101
- credentialFunctions = [defaultAzureCredentialFunctions_js_1.createDefaultManagedIdentityCredential];
101
+ // Setting `sendProbeRequest` to false to ensure ManagedIdentityCredential behavior
102
+ // is consistent when used standalone in DAC chain or used directly.
103
+ credentialFunctions = [
104
+ () => (0, defaultAzureCredentialFunctions_js_1.createDefaultManagedIdentityCredential)({ sendProbeRequest: false }),
105
+ ];
102
106
  break;
103
107
  case "visualstudiocodecredential":
104
108
  credentialFunctions = [defaultAzureCredentialFunctions_js_1.createDefaultVisualStudioCodeCredential];
@@ -132,7 +136,7 @@ class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCre
132
136
  // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
133
137
  const credentials = credentialFunctions.map((createCredentialFn) => {
134
138
  try {
135
- return createCredentialFn(options);
139
+ return createCredentialFn(options ?? {});
136
140
  }
137
141
  catch (err) {
138
142
  logger.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
@@ -144,7 +148,7 @@ class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCre
144
148
  }
145
149
  exports.DefaultAzureCredential = DefaultAzureCredential;
146
150
  /**
147
- * @internal This function checks that all environment variables in `options.requiredEnvVars` are set and non-empty.
151
+ * This function checks that all environment variables in `options.requiredEnvVars` are set and non-empty.
148
152
  * If any are missing or empty, it throws an error.
149
153
  */
150
154
  function validateRequiredEnvVars(options) {
package/dist/commonjs/credentials/defaultAzureCredential.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAalC,2EAAqE;AAIrE,mDAAsD;AACtD,6FAS8C;AAE9C,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAa,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAfD,oEAeC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAa,sBAAuB,SAAQ,kDAAsB;IAsBhE,YAAY,OAAuC;QACjD,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACjC,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,4EAAuC;YACvC,oEAA+B;YAC/B,2EAAsC;YACtC,6EAAwC;YACxC,kEAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,uEAAkC;YAClC,4EAAuC;YACvC,2EAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,uEAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,oEAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,6EAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF;AAzGD,wDAyGC;AAED;;;GAGG;AACH,SAAS,uBAAuB,CAAC,OAAuC;IACtE,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC;YACzD,CAAC,CAAC,OAAO,CAAC,eAAe;YACzB,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QACtE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,YAAY,GAAG,wBAAwB,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,oBAAoB,CAAC;YAC3M,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;AACH,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n DefaultAzureCredentialClientIdOptions,\n DefaultAzureCredentialOptions,\n DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n createDefaultAzureCliCredential,\n createDefaultAzureDeveloperCliCredential,\n createDefaultAzurePowershellCredential,\n createDefaultBrokerCredential,\n createDefaultManagedIdentityCredential,\n createDefaultVisualStudioCodeCredential,\n createDefaultWorkloadIdentityCredential,\n createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n credentialUnavailableErrorMessage: string;\n credentialName: string;\n\n constructor(credentialName: string, message: string) {\n this.credentialName = credentialName;\n this.credentialUnavailableErrorMessage = message;\n }\n\n getToken(): Promise<null> {\n logger.getToken.info(\n `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n );\n return Promise.resolve(null);\n }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n * - {@link BrokerCredential}\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n *\n * The following example demonstrates how to use the `requiredEnvVars` option to ensure that certain environment variables are set before the `DefaultAzureCredential` is instantiated.\n * If any of the specified environment variables are missing or empty, an error will be thrown, preventing the application from continuing execution without the necessary configuration.\n * It also demonstrates how to set the `AZURE_TOKEN_CREDENTIALS` environment variable to control which credentials are included in the chain.\n \n * ```ts snippet:defaultazurecredential_requiredEnvVars\n * import { DefaultAzureCredential } from \"@azure/identity\";\n *\n * const credential = new DefaultAzureCredential({\n * requiredEnvVars: [\n * \"AZURE_CLIENT_ID\",\n * \"AZURE_TENANT_ID\",\n * \"AZURE_CLIENT_SECRET\",\n * \"AZURE_TOKEN_CREDENTIALS\",\n * ],\n * });\n * ```\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n /**\n * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n *\n * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n */\n constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n /**\n * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n *\n * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n */\n constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n /**\n * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n *\n * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n */\n constructor(options?: DefaultAzureCredentialOptions);\n\n constructor(options?: DefaultAzureCredentialOptions) {\n validateRequiredEnvVars(options);\n // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n : undefined;\n const devCredentialFunctions = [\n createDefaultVisualStudioCodeCredential,\n createDefaultAzureCliCredential,\n createDefaultAzurePowershellCredential,\n createDefaultAzureDeveloperCliCredential,\n createDefaultBrokerCredential,\n ];\n const prodCredentialFunctions = [\n createDefaultEnvironmentCredential,\n createDefaultWorkloadIdentityCredential,\n createDefaultManagedIdentityCredential,\n ];\n let credentialFunctions = [];\n const validCredentialNames =\n \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n if (azureTokenCredentials) {\n switch (azureTokenCredentials) {\n case \"dev\":\n credentialFunctions = devCredentialFunctions;\n break;\n case \"prod\":\n credentialFunctions = prodCredentialFunctions;\n break;\n case \"environmentcredential\":\n credentialFunctions = [createDefaultEnvironmentCredential];\n break;\n case \"workloadidentitycredential\":\n credentialFunctions = [createDefaultWorkloadIdentityCredential];\n break;\n case \"managedidentitycredential\":\n credentialFunctions = [createDefaultManagedIdentityCredential];\n break;\n case \"visualstudiocodecredential\":\n credentialFunctions = [createDefaultVisualStudioCodeCredential];\n break;\n case \"azureclicredential\":\n credentialFunctions = [createDefaultAzureCliCredential];\n break;\n case \"azurepowershellcredential\":\n credentialFunctions = [createDefaultAzurePowershellCredential];\n break;\n case \"azuredeveloperclicredential\":\n credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n break;\n default: {\n // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n // This will prevent the creation of the DefaultAzureCredential.\n const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n logger.warning(errorMessage);\n throw new Error(errorMessage);\n }\n }\n } else {\n // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n }\n\n // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n // When adding new credentials to the default chain, consider:\n // 1. Making the constructor parameters required and explicit\n // 2. Validating any required parameters in the factory function\n // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n try {\n return createCredentialFn(options);\n } catch (err: any) {\n logger.warning(\n `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n );\n return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n }\n });\n\n super(...credentials);\n }\n}\n\n/**\n * @internal This function checks that all environment variables in `options.requiredEnvVars` are set and non-empty.\n * If any are missing or empty, it throws an error.\n */\nfunction validateRequiredEnvVars(options?: DefaultAzureCredentialOptions) {\n if (options?.requiredEnvVars) {\n const requiredVars = Array.isArray(options.requiredEnvVars)\n ? options.requiredEnvVars\n : [options.requiredEnvVars];\n const missing = requiredVars.filter((envVar) => !process.env[envVar]);\n if (missing.length > 0) {\n const errorMessage = `Required environment ${missing.length === 1 ? \"variable\" : \"variables\"} '${missing.join(\", \")}' for DefaultAzureCredential ${missing.length === 1 ? \"is\" : \"are\"} not set or empty.`;\n logger.warning(errorMessage);\n throw new Error(errorMessage);\n }\n }\n}\n"]}
1
+ {"version":3,"file":"defaultAzureCredential.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAalC,2EAAqE;AAIrE,mDAAsD;AACtD,6FAS8C;AAE9C,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,wBAAwB,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAa,4BAA4B;IACvC,iCAAiC,CAAS;IAC1C,cAAc,CAAS;IAEvB,YAAY,cAAsB,EAAE,OAAe;QACjD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,iCAAiC,GAAG,OAAO,CAAC;IACnD,CAAC;IAED,QAAQ;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,YAAY,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,iCAAiC,EAAE,CACrF,CAAC;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAfD,oEAeC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAa,sBAAuB,SAAQ,kDAAsB;IAsBhE,YAAY,OAAuC;QACjD,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACjC,2EAA2E;QAC3E,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB;YAC/D,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YAC1D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,sBAAsB,GAAG;YAC7B,4EAAuC;YACvC,oEAA+B;YAC/B,2EAAsC;YACtC,6EAAwC;YACxC,kEAA6B;SAC9B,CAAC;QACF,MAAM,uBAAuB,GAAG;YAC9B,uEAAkC;YAClC,4EAAuC;YACvC,2EAAsC;SACvC,CAAC;QACF,IAAI,mBAAmB,GAAG,EAAE,CAAC;QAC7B,MAAM,oBAAoB,GACxB,sLAAsL,CAAC;QACzL,mFAAmF;QACnF,kIAAkI;QAClI,IAAI,qBAAqB,EAAE,CAAC;YAC1B,QAAQ,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,KAAK;oBACR,mBAAmB,GAAG,sBAAsB,CAAC;oBAC7C,MAAM;gBACR,KAAK,MAAM;oBACT,mBAAmB,GAAG,uBAAuB,CAAC;oBAC9C,MAAM;gBACR,KAAK,uBAAuB;oBAC1B,mBAAmB,GAAG,CAAC,uEAAkC,CAAC,CAAC;oBAC3D,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mFAAmF;oBACnF,oEAAoE;oBACpE,mBAAmB,GAAG;wBACpB,GAAG,EAAE,CAAC,IAAA,2EAAsC,EAAC,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC;qBAC1E,CAAC;oBACF,MAAM;gBACR,KAAK,4BAA4B;oBAC/B,mBAAmB,GAAG,CAAC,4EAAuC,CAAC,CAAC;oBAChE,MAAM;gBACR,KAAK,oBAAoB;oBACvB,mBAAmB,GAAG,CAAC,oEAA+B,CAAC,CAAC;oBACxD,MAAM;gBACR,KAAK,2BAA2B;oBAC9B,mBAAmB,GAAG,CAAC,2EAAsC,CAAC,CAAC;oBAC/D,MAAM;gBACR,KAAK,6BAA6B;oBAChC,mBAAmB,GAAG,CAAC,6EAAwC,CAAC,CAAC;oBACjE,MAAM;gBACR,OAAO,CAAC,CAAC,CAAC;oBACR,6EAA6E;oBAC7E,gEAAgE;oBAChE,MAAM,YAAY,GAAG,+CAA+C,OAAO,CAAC,GAAG,CAAC,uBAAuB,oEAAoE,oBAAoB,GAAG,CAAC;oBACnM,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;oBAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,2EAA2E;YAC3E,mBAAmB,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,sBAAsB,CAAC,CAAC;QAChF,CAAC;QAED,gLAAgL;QAChL,8DAA8D;QAC9D,6DAA6D;QAC7D,gEAAgE;QAChE,sHAAsH;QACtH,MAAM,WAAW,GAAsB,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAC3C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CACZ,WAAW,kBAAkB,CAAC,IAAI,iDAAiD,GAAG,EAAE,CACzF,CAAC;gBACF,OAAO,IAAI,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC;IACxB,CAAC;CACF;AA7GD,wDA6GC;AAED;;;GAGG;AACH,SAAS,uBAAuB,CAAC,OAAuC;IACtE,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC;YACzD,CAAC,CAAC,OAAO,CAAC,eAAe;YACzB,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QACtE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,YAAY,GAAG,wBAAwB,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,oBAAoB,CAAC;YAC3M,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;AACH,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n DefaultAzureCredentialClientIdOptions,\n DefaultAzureCredentialOptions,\n DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\n\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport {\n createDefaultAzureCliCredential,\n createDefaultAzureDeveloperCliCredential,\n createDefaultAzurePowershellCredential,\n createDefaultBrokerCredential,\n createDefaultManagedIdentityCredential,\n createDefaultVisualStudioCodeCredential,\n createDefaultWorkloadIdentityCredential,\n createDefaultEnvironmentCredential,\n} from \"./defaultAzureCredentialFunctions.js\";\n\nconst logger = credentialLogger(\"DefaultAzureCredential\");\n\n/**\n * A no-op credential that logs the reason it was skipped if getToken is called.\n * @internal\n */\nexport class UnavailableDefaultCredential implements TokenCredential {\n credentialUnavailableErrorMessage: string;\n credentialName: string;\n\n constructor(credentialName: string, message: string) {\n this.credentialName = credentialName;\n this.credentialUnavailableErrorMessage = message;\n }\n\n getToken(): Promise<null> {\n logger.getToken.info(\n `Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`,\n );\n return Promise.resolve(null);\n }\n}\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that works for most\n * applications that use Azure SDK client libraries. For more information, see\n * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).\n *\n * The following credential types will be tried, in order:\n *\n * - {@link EnvironmentCredential}\n * - {@link WorkloadIdentityCredential}\n * - {@link ManagedIdentityCredential}\n * - {@link VisualStudioCodeCredential}\n * - {@link AzureCliCredential}\n * - {@link AzurePowerShellCredential}\n * - {@link AzureDeveloperCliCredential}\n * - BrokerCredential (a broker-enabled credential that requires \\@azure/identity-broker is installed)\n *\n * Consult the documentation of these credential types for more information\n * on how they attempt authentication.\n *\n * The following example demonstrates how to use the `requiredEnvVars` option to ensure that certain environment variables are set before the `DefaultAzureCredential` is instantiated.\n * If any of the specified environment variables are missing or empty, an error will be thrown, preventing the application from continuing execution without the necessary configuration.\n * It also demonstrates how to set the `AZURE_TOKEN_CREDENTIALS` environment variable to control which credentials are included in the chain.\n \n * ```ts snippet:defaultazurecredential_requiredEnvVars\n * import { DefaultAzureCredential } from \"@azure/identity\";\n *\n * const credential = new DefaultAzureCredential({\n * requiredEnvVars: [\n * \"AZURE_CLIENT_ID\",\n * \"AZURE_TENANT_ID\",\n * \"AZURE_CLIENT_SECRET\",\n * \"AZURE_TOKEN_CREDENTIALS\",\n * ],\n * });\n * ```\n */\nexport class DefaultAzureCredential extends ChainedTokenCredential {\n /**\n * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialClientIdOptions}.\n *\n * @param options - Optional parameters. See {@link DefaultAzureCredentialClientIdOptions}.\n */\n constructor(options?: DefaultAzureCredentialClientIdOptions);\n\n /**\n * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialResourceIdOptions}.\n *\n * @param options - Optional parameters. See {@link DefaultAzureCredentialResourceIdOptions}.\n */\n constructor(options?: DefaultAzureCredentialResourceIdOptions);\n\n /**\n * Creates an instance of the DefaultAzureCredential class with {@link DefaultAzureCredentialOptions}.\n *\n * @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.\n */\n constructor(options?: DefaultAzureCredentialOptions);\n\n constructor(options?: DefaultAzureCredentialOptions) {\n validateRequiredEnvVars(options);\n // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS\n ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()\n : undefined;\n const devCredentialFunctions = [\n createDefaultVisualStudioCodeCredential,\n createDefaultAzureCliCredential,\n createDefaultAzurePowershellCredential,\n createDefaultAzureDeveloperCliCredential,\n createDefaultBrokerCredential,\n ];\n const prodCredentialFunctions = [\n createDefaultEnvironmentCredential,\n createDefaultWorkloadIdentityCredential,\n createDefaultManagedIdentityCredential,\n ];\n let credentialFunctions = [];\n const validCredentialNames =\n \"EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential\";\n // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.\n // The value of AZURE_TOKEN_CREDENTIALS should be either \"dev\" or \"prod\" or any one of these credentials - {validCredentialNames}.\n if (azureTokenCredentials) {\n switch (azureTokenCredentials) {\n case \"dev\":\n credentialFunctions = devCredentialFunctions;\n break;\n case \"prod\":\n credentialFunctions = prodCredentialFunctions;\n break;\n case \"environmentcredential\":\n credentialFunctions = [createDefaultEnvironmentCredential];\n break;\n case \"workloadidentitycredential\":\n credentialFunctions = [createDefaultWorkloadIdentityCredential];\n break;\n case \"managedidentitycredential\":\n // Setting `sendProbeRequest` to false to ensure ManagedIdentityCredential behavior\n // is consistent when used standalone in DAC chain or used directly.\n credentialFunctions = [\n () => createDefaultManagedIdentityCredential({ sendProbeRequest: false }),\n ];\n break;\n case \"visualstudiocodecredential\":\n credentialFunctions = [createDefaultVisualStudioCodeCredential];\n break;\n case \"azureclicredential\":\n credentialFunctions = [createDefaultAzureCliCredential];\n break;\n case \"azurepowershellcredential\":\n credentialFunctions = [createDefaultAzurePowershellCredential];\n break;\n case \"azuredeveloperclicredential\":\n credentialFunctions = [createDefaultAzureDeveloperCliCredential];\n break;\n default: {\n // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.\n // This will prevent the creation of the DefaultAzureCredential.\n const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev' or any of these credentials - ${validCredentialNames}.`;\n logger.warning(errorMessage);\n throw new Error(errorMessage);\n }\n }\n } else {\n // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.\n credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];\n }\n\n // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.\n // When adding new credentials to the default chain, consider:\n // 1. Making the constructor parameters required and explicit\n // 2. Validating any required parameters in the factory function\n // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason\n const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {\n try {\n return createCredentialFn(options ?? {});\n } catch (err: any) {\n logger.warning(\n `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,\n );\n return new UnavailableDefaultCredential(createCredentialFn.name, err.message);\n }\n });\n\n super(...credentials);\n }\n}\n\n/**\n * This function checks that all environment variables in `options.requiredEnvVars` are set and non-empty.\n * If any are missing or empty, it throws an error.\n */\nfunction validateRequiredEnvVars(options?: DefaultAzureCredentialOptions) {\n if (options?.requiredEnvVars) {\n const requiredVars = Array.isArray(options.requiredEnvVars)\n ? options.requiredEnvVars\n : [options.requiredEnvVars];\n const missing = requiredVars.filter((envVar) => !process.env[envVar]);\n if (missing.length > 0) {\n const errorMessage = `Required environment ${missing.length === 1 ? \"variable\" : \"variables\"} '${missing.join(\", \")}' for DefaultAzureCredential ${missing.length === 1 ? \"is\" : \"are\"} not set or empty.`;\n logger.warning(errorMessage);\n throw new Error(errorMessage);\n }\n }\n}\n"]}
package/dist/commonjs/credentials/defaultAzureCredentialFunctions.d.ts CHANGED
@@ -23,7 +23,9 @@ export declare function createDefaultVisualStudioCodeCredential(options?: Defaul
23
23
  *
24
24
  * @internal
25
25
  */
26
- export declare function createDefaultManagedIdentityCredential(options?: DefaultAzureCredentialOptions | DefaultAzureCredentialResourceIdOptions | DefaultAzureCredentialClientIdOptions): TokenCredential;
26
+ export declare function createDefaultManagedIdentityCredential(options?: (DefaultAzureCredentialOptions | DefaultAzureCredentialResourceIdOptions | DefaultAzureCredentialClientIdOptions) & {
27
+ sendProbeRequest?: boolean;
28
+ }): TokenCredential;
27
29
  /**
28
30
  * Creates a {@link WorkloadIdentityCredential} from the provided options.
29
31
  * @param options - Options to configure the credential.
package/dist/commonjs/credentials/defaultAzureCredentialFunctions.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"defaultAzureCredentialFunctions.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredentialFunctions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAe5C;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,uCAAuC,CACrD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,sCAAsC,CACpD,OAAO,GACH,6BAA6B,GAC7B,uCAAuC,GACvC,qCAA0C,GAC7C,eAAe,CA8CjB;AAED;;;;;GAKG;AACH,wBAAgB,uCAAuC,CACrD,OAAO,CAAC,EAAE,6BAA6B,GAAG,qCAAqC,GAC9E,eAAe,CA4BjB;AAED;;;;;GAKG;AACH,wBAAgB,wCAAwC,CACtD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAC7C,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,sCAAsC,CACpD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,kCAAkC,CAChD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB"}
1
+ {"version":3,"file":"defaultAzureCredentialFunctions.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredentialFunctions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAe5C;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,uCAAuC,CACrD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,sCAAsC,CACpD,OAAO,GAAE,CACL,6BAA6B,GAC7B,uCAAuC,GACvC,qCAAqC,CACxC,GAAG;IAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAAO,GACtC,eAAe,CAkDjB;AAED;;;;;GAKG;AACH,wBAAgB,uCAAuC,CACrD,OAAO,CAAC,EAAE,6BAA6B,GAAG,qCAAqC,GAC9E,eAAe,CA4BjB;AAED;;;;;GAKG;AACH,wBAAgB,wCAAwC,CACtD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAC7C,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,sCAAsC,CACpD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB;AAED;;;;;GAKG;AACH,wBAAgB,kCAAkC,CAChD,OAAO,GAAE,6BAAkC,GAC1C,eAAe,CAEjB"}
package/dist/commonjs/credentials/defaultAzureCredentialFunctions.js CHANGED
@@ -50,6 +50,10 @@ function createDefaultManagedIdentityCredential(options = {}) {
50
50
  maxRetries: 5,
51
51
  retryDelayInMs: 800,
52
52
  };
53
+ // ManagedIdentityCredential inside DAC chain should send a probe request by default.
54
+ // This is different from standalone ManagedIdentityCredential behavior
55
+ // or when AZURE_TOKEN_CREDENTIALS is set to only ManagedIdentityCredential.
56
+ options.sendProbeRequest ??= true;
53
57
  const managedIdentityClientId = options?.managedIdentityClientId ??
54
58
  process.env.AZURE_CLIENT_ID;
55
59
  const workloadIdentityClientId = options?.workloadIdentityClientId ??
package/dist/commonjs/credentials/defaultAzureCredentialFunctions.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"defaultAzureCredentialFunctions.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredentialFunctions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;AA+BlC,sEAIC;AAQD,0FAIC;AAQD,wFAmDC;AAQD,0FA8BC;AAQD,4FAIC;AAQD,0EAIC;AAQD,wFAIC;AAQD,gFAIC;AAxLD,yEAAmE;AAKnE,mEAAiF;AACjF,mFAA6E;AAC7E,qFAA+E;AAC/E,mEAA6D;AAC7D,iFAA2E;AAE3E,mFAA6E;AAC7E,+DAAyD;AAEzD;;;;;;;;GAQG;AACH,SAAgB,6BAA6B,CAC3C,UAAyC,EAAE;IAE3C,OAAO,IAAI,sCAAgB,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uCAAuC,CACrD,UAAyC,EAAE;IAE3C,OAAO,IAAI,0DAA0B,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sCAAsC,CACpD,UAG4C,EAAE;IAE9C,OAAO,CAAC,YAAY,KAAK;QACvB,UAAU,EAAE,CAAC;QACb,cAAc,EAAE,GAAG;KACpB,CAAC;IACF,MAAM,uBAAuB,GAC1B,OAAiD,EAAE,uBAAuB;QAC3E,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,MAAM,wBAAwB,GAC3B,OAAiD,EAAE,wBAAwB;QAC5E,uBAAuB,CAAC;IAC1B,MAAM,iBAAiB,GAAI,OAAmD;QAC5E,EAAE,yBAAyB,CAAC;IAC9B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;IAC5D,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,iBAAiB,EAAE,CAAC;QACtB,MAAM,gCAAgC,GAA+C;YACnF,GAAG,OAAO;YACV,UAAU,EAAE,iBAAiB;SAC9B,CAAC;QACF,OAAO,IAAI,oCAAyB,CAAC,gCAAgC,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,YAAY,IAAI,wBAAwB,EAAE,CAAC;QAC7C,MAAM,iCAAiC,GAAkC;YACvE,GAAG,OAAO;YACV,QAAQ,EAAE,QAAQ;SACnB,CAAC;QAEF,OAAO,IAAI,oCAAyB,CAClC,wBAAwB,EACxB,iCAAiC,CAClC,CAAC;IACJ,CAAC;IAED,IAAI,uBAAuB,EAAE,CAAC;QAC5B,MAAM,4BAA4B,GAA6C;YAC7E,GAAG,OAAO;YACV,QAAQ,EAAE,uBAAuB;SAClC,CAAC;QAEF,OAAO,IAAI,oCAAyB,CAAC,4BAA4B,CAAC,CAAC;IACrE,CAAC;IAED,2FAA2F;IAC3F,OAAO,IAAI,oCAAyB,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uCAAuC,CACrD,OAA+E;IAE/E,MAAM,uBAAuB,GAC1B,OAAiD,EAAE,uBAAuB;QAC3E,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,MAAM,wBAAwB,GAC3B,OAAiD,EAAE,wBAAwB;QAC5E,uBAAuB,CAAC;IAC1B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;IAC5D,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,YAAY,IAAI,wBAAwB,EAAE,CAAC;QAC7C,MAAM,iCAAiC,GAAsC;YAC3E,GAAG,OAAO;YACV,QAAQ;YACR,QAAQ,EAAE,wBAAwB;YAClC,aAAa,EAAE,YAAY;SAC5B,CAAC;QACF,OAAO,IAAI,0DAA0B,CAAC,iCAAiC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,mCAAmC,GAAsC;YAC7E,GAAG,OAAO;YACV,QAAQ;SACT,CAAC;QACF,OAAO,IAAI,0DAA0B,CAAC,mCAAmC,CAAC,CAAC;IAC7E,CAAC;IAED,2FAA2F;IAC3F,OAAO,IAAI,0DAA0B,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,wCAAwC,CACtD,UAAyC,EAAE;IAE3C,OAAO,IAAI,4DAA2B,CAAC,OAAO,CAAC,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,+BAA+B,CAC7C,UAAyC,EAAE;IAE3C,OAAO,IAAI,0CAAkB,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sCAAsC,CACpD,UAAyC,EAAE;IAE3C,OAAO,IAAI,wDAAyB,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,kCAAkC,CAChD,UAAyC,EAAE;IAE3C,OAAO,IAAI,gDAAqB,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport type {\n DefaultAzureCredentialClientIdOptions,\n DefaultAzureCredentialOptions,\n DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type {\n ManagedIdentityCredentialClientIdOptions,\n ManagedIdentityCredentialResourceIdOptions,\n} from \"./managedIdentityCredential/options.js\";\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport type { WorkloadIdentityCredentialOptions } from \"./workloadIdentityCredentialOptions.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { BrokerCredential } from \"./brokerCredential.js\";\n\n/**\n * Creates a {@link BrokerCredential} instance with the provided options.\n * This credential uses the Windows Authentication Manager (WAM) broker for authentication.\n * It will only attempt to authenticate silently using the default broker account\n *\n * @param options - Options for configuring the credential.\n *\n * @internal\n */\nexport function createDefaultBrokerCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new BrokerCredential(options);\n}\n\n/**\n * Creates a {@link VisualStudioCodeCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultVisualStudioCodeCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new VisualStudioCodeCredential(options);\n}\n\n/**\n * Creates a {@link ManagedIdentityCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultManagedIdentityCredential(\n options:\n | DefaultAzureCredentialOptions\n | DefaultAzureCredentialResourceIdOptions\n | DefaultAzureCredentialClientIdOptions = {},\n): TokenCredential {\n options.retryOptions ??= {\n maxRetries: 5,\n retryDelayInMs: 800,\n };\n const managedIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.managedIdentityClientId ??\n process.env.AZURE_CLIENT_ID;\n const workloadIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.workloadIdentityClientId ??\n managedIdentityClientId;\n const managedResourceId = (options as DefaultAzureCredentialResourceIdOptions)\n ?.managedIdentityResourceId;\n const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;\n const tenantId = options?.tenantId ?? process.env.AZURE_TENANT_ID;\n if (managedResourceId) {\n const managedIdentityResourceIdOptions: ManagedIdentityCredentialResourceIdOptions = {\n ...options,\n resourceId: managedResourceId,\n };\n return new ManagedIdentityCredential(managedIdentityResourceIdOptions);\n }\n\n if (workloadFile && workloadIdentityClientId) {\n const workloadIdentityCredentialOptions: DefaultAzureCredentialOptions = {\n ...options,\n tenantId: tenantId,\n };\n\n return new ManagedIdentityCredential(\n workloadIdentityClientId,\n workloadIdentityCredentialOptions,\n );\n }\n\n if (managedIdentityClientId) {\n const managedIdentityClientOptions: ManagedIdentityCredentialClientIdOptions = {\n ...options,\n clientId: managedIdentityClientId,\n };\n\n return new ManagedIdentityCredential(managedIdentityClientOptions);\n }\n\n // We may be able to return a UnavailableCredential here, but that may be a breaking change\n return new ManagedIdentityCredential(options);\n}\n\n/**\n * Creates a {@link WorkloadIdentityCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultWorkloadIdentityCredential(\n options?: DefaultAzureCredentialOptions | DefaultAzureCredentialClientIdOptions,\n): TokenCredential {\n const managedIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.managedIdentityClientId ??\n process.env.AZURE_CLIENT_ID;\n const workloadIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.workloadIdentityClientId ??\n managedIdentityClientId;\n const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;\n const tenantId = options?.tenantId ?? process.env.AZURE_TENANT_ID;\n if (workloadFile && workloadIdentityClientId) {\n const workloadIdentityCredentialOptions: WorkloadIdentityCredentialOptions = {\n ...options,\n tenantId,\n clientId: workloadIdentityClientId,\n tokenFilePath: workloadFile,\n };\n return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);\n }\n if (tenantId) {\n const workloadIdentityClientTenantOptions: WorkloadIdentityCredentialOptions = {\n ...options,\n tenantId,\n };\n return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);\n }\n\n // We may be able to return a UnavailableCredential here, but that may be a breaking change\n return new WorkloadIdentityCredential(options);\n}\n\n/**\n * Creates a {@link AzureDeveloperCliCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultAzureDeveloperCliCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new AzureDeveloperCliCredential(options);\n}\n\n/**\n * Creates a {@link AzureCliCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultAzureCliCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new AzureCliCredential(options);\n}\n\n/**\n * Creates a {@link AzurePowerShellCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultAzurePowershellCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new AzurePowerShellCredential(options);\n}\n\n/**\n * Creates an {@link EnvironmentCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultEnvironmentCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new EnvironmentCredential(options);\n}\n"]}
1
+ {"version":3,"file":"defaultAzureCredentialFunctions.js","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredentialFunctions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;AA+BlC,sEAIC;AAQD,0FAIC;AAQD,wFAwDC;AAQD,0FA8BC;AAQD,4FAIC;AAQD,0EAIC;AAQD,wFAIC;AAQD,gFAIC;AA7LD,yEAAmE;AAKnE,mEAAiF;AACjF,mFAA6E;AAC7E,qFAA+E;AAC/E,mEAA6D;AAC7D,iFAA2E;AAE3E,mFAA6E;AAC7E,+DAAyD;AAEzD;;;;;;;;GAQG;AACH,SAAgB,6BAA6B,CAC3C,UAAyC,EAAE;IAE3C,OAAO,IAAI,sCAAgB,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uCAAuC,CACrD,UAAyC,EAAE;IAE3C,OAAO,IAAI,0DAA0B,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sCAAsC,CACpD,UAIqC,EAAE;IAEvC,OAAO,CAAC,YAAY,KAAK;QACvB,UAAU,EAAE,CAAC;QACb,cAAc,EAAE,GAAG;KACpB,CAAC;IACF,qFAAqF;IACrF,uEAAuE;IACvE,4EAA4E;IAC5E,OAAO,CAAC,gBAAgB,KAAK,IAAI,CAAC;IAClC,MAAM,uBAAuB,GAC1B,OAAiD,EAAE,uBAAuB;QAC3E,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,MAAM,wBAAwB,GAC3B,OAAiD,EAAE,wBAAwB;QAC5E,uBAAuB,CAAC;IAC1B,MAAM,iBAAiB,GAAI,OAAmD;QAC5E,EAAE,yBAAyB,CAAC;IAC9B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;IAC5D,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,iBAAiB,EAAE,CAAC;QACtB,MAAM,gCAAgC,GAA+C;YACnF,GAAG,OAAO;YACV,UAAU,EAAE,iBAAiB;SAC9B,CAAC;QACF,OAAO,IAAI,oCAAyB,CAAC,gCAAgC,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,YAAY,IAAI,wBAAwB,EAAE,CAAC;QAC7C,MAAM,iCAAiC,GAAkC;YACvE,GAAG,OAAO;YACV,QAAQ,EAAE,QAAQ;SACnB,CAAC;QAEF,OAAO,IAAI,oCAAyB,CAClC,wBAAwB,EACxB,iCAAiC,CAClC,CAAC;IACJ,CAAC;IAED,IAAI,uBAAuB,EAAE,CAAC;QAC5B,MAAM,4BAA4B,GAA6C;YAC7E,GAAG,OAAO;YACV,QAAQ,EAAE,uBAAuB;SAClC,CAAC;QAEF,OAAO,IAAI,oCAAyB,CAAC,4BAA4B,CAAC,CAAC;IACrE,CAAC;IAED,2FAA2F;IAC3F,OAAO,IAAI,oCAAyB,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uCAAuC,CACrD,OAA+E;IAE/E,MAAM,uBAAuB,GAC1B,OAAiD,EAAE,uBAAuB;QAC3E,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,MAAM,wBAAwB,GAC3B,OAAiD,EAAE,wBAAwB;QAC5E,uBAAuB,CAAC;IAC1B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;IAC5D,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,YAAY,IAAI,wBAAwB,EAAE,CAAC;QAC7C,MAAM,iCAAiC,GAAsC;YAC3E,GAAG,OAAO;YACV,QAAQ;YACR,QAAQ,EAAE,wBAAwB;YAClC,aAAa,EAAE,YAAY;SAC5B,CAAC;QACF,OAAO,IAAI,0DAA0B,CAAC,iCAAiC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,mCAAmC,GAAsC;YAC7E,GAAG,OAAO;YACV,QAAQ;SACT,CAAC;QACF,OAAO,IAAI,0DAA0B,CAAC,mCAAmC,CAAC,CAAC;IAC7E,CAAC;IAED,2FAA2F;IAC3F,OAAO,IAAI,0DAA0B,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,wCAAwC,CACtD,UAAyC,EAAE;IAE3C,OAAO,IAAI,4DAA2B,CAAC,OAAO,CAAC,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,+BAA+B,CAC7C,UAAyC,EAAE;IAE3C,OAAO,IAAI,0CAAkB,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sCAAsC,CACpD,UAAyC,EAAE;IAE3C,OAAO,IAAI,wDAAyB,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,kCAAkC,CAChD,UAAyC,EAAE;IAE3C,OAAO,IAAI,gDAAqB,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { TokenCredential } from \"@azure/core-auth\";\nimport type {\n DefaultAzureCredentialClientIdOptions,\n DefaultAzureCredentialOptions,\n DefaultAzureCredentialResourceIdOptions,\n} from \"./defaultAzureCredentialOptions.js\";\nimport { EnvironmentCredential } from \"./environmentCredential.js\";\nimport type {\n ManagedIdentityCredentialClientIdOptions,\n ManagedIdentityCredentialResourceIdOptions,\n} from \"./managedIdentityCredential/options.js\";\nimport { ManagedIdentityCredential } from \"./managedIdentityCredential/index.js\";\nimport { WorkloadIdentityCredential } from \"./workloadIdentityCredential.js\";\nimport { AzureDeveloperCliCredential } from \"./azureDeveloperCliCredential.js\";\nimport { AzureCliCredential } from \"./azureCliCredential.js\";\nimport { AzurePowerShellCredential } from \"./azurePowerShellCredential.js\";\nimport type { WorkloadIdentityCredentialOptions } from \"./workloadIdentityCredentialOptions.js\";\nimport { VisualStudioCodeCredential } from \"./visualStudioCodeCredential.js\";\nimport { BrokerCredential } from \"./brokerCredential.js\";\n\n/**\n * Creates a {@link BrokerCredential} instance with the provided options.\n * This credential uses the Windows Authentication Manager (WAM) broker for authentication.\n * It will only attempt to authenticate silently using the default broker account\n *\n * @param options - Options for configuring the credential.\n *\n * @internal\n */\nexport function createDefaultBrokerCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new BrokerCredential(options);\n}\n\n/**\n * Creates a {@link VisualStudioCodeCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultVisualStudioCodeCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new VisualStudioCodeCredential(options);\n}\n\n/**\n * Creates a {@link ManagedIdentityCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultManagedIdentityCredential(\n options: (\n | DefaultAzureCredentialOptions\n | DefaultAzureCredentialResourceIdOptions\n | DefaultAzureCredentialClientIdOptions\n ) & { sendProbeRequest?: boolean } = {},\n): TokenCredential {\n options.retryOptions ??= {\n maxRetries: 5,\n retryDelayInMs: 800,\n };\n // ManagedIdentityCredential inside DAC chain should send a probe request by default.\n // This is different from standalone ManagedIdentityCredential behavior\n // or when AZURE_TOKEN_CREDENTIALS is set to only ManagedIdentityCredential.\n options.sendProbeRequest ??= true;\n const managedIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.managedIdentityClientId ??\n process.env.AZURE_CLIENT_ID;\n const workloadIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.workloadIdentityClientId ??\n managedIdentityClientId;\n const managedResourceId = (options as DefaultAzureCredentialResourceIdOptions)\n ?.managedIdentityResourceId;\n const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;\n const tenantId = options?.tenantId ?? process.env.AZURE_TENANT_ID;\n if (managedResourceId) {\n const managedIdentityResourceIdOptions: ManagedIdentityCredentialResourceIdOptions = {\n ...options,\n resourceId: managedResourceId,\n };\n return new ManagedIdentityCredential(managedIdentityResourceIdOptions);\n }\n\n if (workloadFile && workloadIdentityClientId) {\n const workloadIdentityCredentialOptions: DefaultAzureCredentialOptions = {\n ...options,\n tenantId: tenantId,\n };\n\n return new ManagedIdentityCredential(\n workloadIdentityClientId,\n workloadIdentityCredentialOptions,\n );\n }\n\n if (managedIdentityClientId) {\n const managedIdentityClientOptions: ManagedIdentityCredentialClientIdOptions = {\n ...options,\n clientId: managedIdentityClientId,\n };\n\n return new ManagedIdentityCredential(managedIdentityClientOptions);\n }\n\n // We may be able to return a UnavailableCredential here, but that may be a breaking change\n return new ManagedIdentityCredential(options);\n}\n\n/**\n * Creates a {@link WorkloadIdentityCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultWorkloadIdentityCredential(\n options?: DefaultAzureCredentialOptions | DefaultAzureCredentialClientIdOptions,\n): TokenCredential {\n const managedIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.managedIdentityClientId ??\n process.env.AZURE_CLIENT_ID;\n const workloadIdentityClientId =\n (options as DefaultAzureCredentialClientIdOptions)?.workloadIdentityClientId ??\n managedIdentityClientId;\n const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;\n const tenantId = options?.tenantId ?? process.env.AZURE_TENANT_ID;\n if (workloadFile && workloadIdentityClientId) {\n const workloadIdentityCredentialOptions: WorkloadIdentityCredentialOptions = {\n ...options,\n tenantId,\n clientId: workloadIdentityClientId,\n tokenFilePath: workloadFile,\n };\n return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);\n }\n if (tenantId) {\n const workloadIdentityClientTenantOptions: WorkloadIdentityCredentialOptions = {\n ...options,\n tenantId,\n };\n return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);\n }\n\n // We may be able to return a UnavailableCredential here, but that may be a breaking change\n return new WorkloadIdentityCredential(options);\n}\n\n/**\n * Creates a {@link AzureDeveloperCliCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultAzureDeveloperCliCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new AzureDeveloperCliCredential(options);\n}\n\n/**\n * Creates a {@link AzureCliCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultAzureCliCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new AzureCliCredential(options);\n}\n\n/**\n * Creates a {@link AzurePowerShellCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultAzurePowershellCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new AzurePowerShellCredential(options);\n}\n\n/**\n * Creates an {@link EnvironmentCredential} from the provided options.\n * @param options - Options to configure the credential.\n *\n * @internal\n */\nexport function createDefaultEnvironmentCredential(\n options: DefaultAzureCredentialOptions = {},\n): TokenCredential {\n return new EnvironmentCredential(options);\n}\n"]}
package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts CHANGED
@@ -17,6 +17,7 @@ export declare class ManagedIdentityCredential implements TokenCredential {
17
17
  private objectId?;
18
18
  private msiRetryConfig;
19
19
  private isAvailableIdentityClient;
20
+ private sendProbeRequest;
20
21
  /**
21
22
  * Creates an instance of ManagedIdentityCredential with the client ID of a
22
23
  * user-assigned identity, or app registration (when working with AKS pod-identity).
package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAc9E,OAAO,KAAK,EACV,wCAAwC,EACxC,wCAAwC,EACxC,0CAA0C,EAC3C,MAAM,cAAc,CAAC;AAItB;;;;;;;GAOG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,kBAAkB,CAA6B;IACvD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,cAAc,CAIpB;IACF,OAAO,CAAC,yBAAyB,CAAiB;IAElD;;;;;;OAMG;gBACS,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,sBAAsB;IAC9D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,wCAAwC;IAC9D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,0CAA0C;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,wCAAwC;IAwH9D;;;;;;;;OAQG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;IAyGvB;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAuB7B"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAc9E,OAAO,KAAK,EAEV,wCAAwC,EACxC,wCAAwC,EACxC,0CAA0C,EAC3C,MAAM,cAAc,CAAC;AAItB;;;;;;;GAOG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,kBAAkB,CAA6B;IACvD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,cAAc,CAIpB;IACF,OAAO,CAAC,yBAAyB,CAAiB;IAClD,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;OAMG;gBACS,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,sBAAsB;IAC9D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,wCAAwC;IAC9D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,0CAA0C;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,wCAAwC;IAyH9D;;;;;;;;OAQG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;IA0GvB;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAuB7B"}
package/dist/commonjs/credentials/managedIdentityCredential/index.js CHANGED
@@ -35,6 +35,7 @@ class ManagedIdentityCredential {
35
35
  intervalIncrement: 2,
36
36
  };
37
37
  isAvailableIdentityClient;
38
+ sendProbeRequest;
38
39
  /**
39
40
  * @internal
40
41
  * @hidden
@@ -51,6 +52,8 @@ class ManagedIdentityCredential {
51
52
  }
52
53
  this.resourceId = _options?.resourceId;
53
54
  this.objectId = _options?.objectId;
55
+ this.sendProbeRequest =
56
+ _options?.sendProbeRequest ?? false;
54
57
  // For JavaScript users.
55
58
  const providedIds = [
56
59
  { key: "clientId", value: this.clientId },
@@ -162,7 +165,7 @@ class ManagedIdentityCredential {
162
165
  }
163
166
  return result;
164
167
  }
165
- else if (isImdsMsi) {
168
+ else if (isImdsMsi && this.sendProbeRequest) {
166
169
  // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.
167
170
  // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.
168
171
  logger.getToken.info("Using the IMDS endpoint to probe for availability.");
@@ -179,7 +182,8 @@ class ManagedIdentityCredential {
179
182
  }
180
183
  // If we got this far, it means:
181
184
  // - This is not a tokenExchangeMsi,
182
- // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.
185
+ // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable,
186
+ // or we skip probing because the credential is set in DAC.
183
187
  // We can proceed normally by calling MSAL for a token.
184
188
  logger.getToken.info("Calling into MSAL for managed identity token.");
185
189
  const token = await this.managedIdentityApp.acquireToken({
package/dist/commonjs/credentials/managedIdentityCredential/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAKlC,0CAA4C;AAC5C,gDAA8D;AAC9D,sEAAgE;AAChE,+CAA0F;AAC1F,kDAA6E;AAC7E,6DAAuD;AAEvD,sDAAqF;AACrF,sDAAsD;AACtD,6CAAuC;AACvC,+DAAyD;AACzD,yCAA4E;AAQ5E,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,2BAA2B,CAAC,CAAC;AAE7D;;;;;;;GAOG;AACH,MAAa,yBAAyB;IAC5B,kBAAkB,CAA6B;IAC/C,cAAc,CAAiB;IAC/B,QAAQ,CAAU;IAClB,UAAU,CAAU;IACpB,QAAQ,CAAU;IAClB,cAAc,GAAoC;QACxD,UAAU,EAAE,CAAC;QACb,cAAc,EAAE,GAAG;QACnB,iBAAiB,EAAE,CAAC;KACrB,CAAC;IACM,yBAAyB,CAAiB;IA4BlD;;;OAGG;IACH,YACE,iBAI4C,EAC5C,OAAgC;QAEhC,IAAI,QAAgC,CAAC;QACrC,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,QAAQ,GAAG,OAAO,IAAI,EAAE,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,GAAI,iBAA8D,EAAE,QAAQ,CAAC;YAC1F,QAAQ,GAAG,iBAAiB,IAAI,EAAE,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,UAAU,GAAI,QAAuD,EAAE,UAAU,CAAC;QACvF,IAAI,CAAC,QAAQ,GAAI,QAAqD,EAAE,QAAQ,CAAC;QAEjF,wBAAwB;QACxB,MAAM,WAAW,GAAG;YAClB,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;YACzC,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE;YAC7C,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;SAC1C,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,oHAAoH,IAAI,CAAC,SAAS,CAChI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAClF,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC;QAExC,IAAI,QAAQ,CAAC,YAAY,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;YACpD,IAAI,CAAC,cAAc,CAAC,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,kCAAc,CAAC;YACvC,GAAG,QAAQ;YACX,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,IAAA,oCAAe,EAAC,IAAI,CAAC,cAAc,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SAC5F,CAAC,CAAC;QAEH,IAAI,CAAC,kBAAkB,GAAG,IAAI,sCAA0B,CAAC;YACvD,uBAAuB,EAAE;gBACvB,oBAAoB,EAAE,IAAI,CAAC,QAAQ;gBACnC,sBAAsB,EAAE,IAAI,CAAC,UAAU;gBACvC,oBAAoB,EAAE,IAAI,CAAC,QAAQ;aACpC;YACD,MAAM,EAAE;gBACN,sBAAsB,EAAE,IAAI;gBAC5B,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,aAAa,EAAE;oBACb,QAAQ,EAAE,IAAA,0BAAe,EAAC,IAAA,oBAAW,GAAE,CAAC;oBACxC,iBAAiB,EAAE,QAAQ,CAAC,cAAc,EAAE,0BAA0B;oBACtE,cAAc,EAAE,IAAA,gCAAqB,EAAC,MAAM,CAAC;iBAC9C;aACF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,yBAAyB,GAAG,IAAI,kCAAc,CAAC;YAClD,GAAG,QAAQ;YACX,YAAY,EAAE;gBACZ,UAAU,EAAE,CAAC;aACd;SACF,CAAC,CAAC;QAEH,MAAM,qBAAqB,GAAG,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,CAAC;QACjF,uJAAuJ;QACvJ,IAAI,qBAAqB,KAAK,YAAY,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtD,MAAM,CAAC,OAAO,CACZ,+EAA+E,IAAI,CAAC,SAAS,CAC3F;oBACE,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CACF,GAAG,CACL,CAAC;gBACF,MAAM,IAAI,sCAA0B,CAClC,uNAAuN,CACxN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8KAA8K;QAC9K,IAAI,qBAAqB,KAAK,eAAe,EAAE,CAAC;YAC9C,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtD,MAAM,CAAC,OAAO,CACZ,+EAA+E,IAAI,CAAC,SAAS,CAC3F;oBACE,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CACF,GAAG,CACL,CAAC;gBACF,MAAM,IAAI,sCAA0B,CAClC,8BAA8B,oCAAyB,EAAE,CAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,SAAS,qBAAqB,oBAAoB,CAAC,CAAC;QAEhE,uFAAuF;QACvF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,GAAG,qBAAqB,SAAS,GAAG,KAAK,KAAK,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QACtE,MAAM,QAAQ,GAAG,IAAA,8BAAmB,EAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,yEAAyE,IAAI,CAAC,SAAS,CACrF,MAAM,CACP,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,OAAO,0BAAa,CAAC,QAAQ,CAAC,oCAAoC,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACtF,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,MAAM,sCAAgB,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAE7E,qDAAqD;gBACrD,sEAAsE;gBACtE,qFAAqF;gBACrF,gJAAgJ;gBAChJ,wEAAwE;gBAExE,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,CAAC;gBAC1E,MAAM,SAAS,GAAG,cAAc,KAAK,eAAe,IAAI,cAAc,KAAK,MAAM,CAAC,CAAC,kHAAkH;gBAErM,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAC;gBAEhE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,8EAA8E;oBAC9E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;oBACnE,MAAM,MAAM,GAAG,MAAM,sCAAgB,CAAC,QAAQ,CAAC;wBAC7C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,cAAc,EAAE,IAAI,CAAC,cAAc;wBACnC,WAAW,EAAE,IAAI,CAAC,cAAc;wBAChC,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;wBACpB,MAAM,IAAI,sCAA0B,CAClC,qFAAqF,CACtF,CAAC;oBACJ,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;qBAAM,IAAI,SAAS,EAAE,CAAC;oBACrB,8GAA8G;oBAC9G,kKAAkK;oBAClK,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;oBAC3E,MAAM,WAAW,GAAG,MAAM,oBAAO,CAAC,WAAW,CAAC;wBAC5C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,eAAe,EAAE,OAAO;wBACxB,cAAc,EAAE,IAAI,CAAC,yBAAyB;wBAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,CAAC,WAAW,EAAE,CAAC;wBACjB,MAAM,IAAI,sCAA0B,CAClC,8DAA8D,CAC/D,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,gCAAgC;gBAChC,oCAAoC;gBACpC,0FAA0F;gBAC1F,uDAAuD;gBACvD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;gBACtE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC;oBACvD,QAAQ;iBACT,CAAC,CAAC;gBAEH,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;gBAE5C,OAAO;oBACL,kBAAkB,EAAE,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE;oBAC7C,KAAK,EAAE,KAAK,CAAC,WAAW;oBACxB,qBAAqB,EAAE,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE;oBACjD,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;gBAEhD,sHAAsH;gBACtH,mGAAmG;gBACnG,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;oBAC/C,MAAM,GAAG,CAAC;gBACZ,CAAC;gBAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,IAAI,sCAA0B,CAClC,4DAA4D,GAAG,CAAC,OAAO,EAAE,EACzE,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,sCAA0B,CAClC,6DAA6D,GAAG,CAAC,OAAO,EAAE,EAC1E,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,oBAAoB,CAC1B,MAAyB,EACzB,SAAqB,EACrB,eAAiC;QAEjC,MAAM,WAAW,GAAG,CAAC,OAAe,EAAS,EAAE;YAC7C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,IAAI,uCAA2B,CAAC;gBACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACjD,eAAe;gBACf,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,WAAW,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,WAAW,CAAC,uCAAuC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,MAAM,WAAW,CAAC,yCAAyC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;CACF;AA7SD,8DA6SC;AAED,SAAS,cAAc,CAAC,GAAQ;IAC9B,aAAa;IACb,IAAI,GAAG,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,eAAe;IACf,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6NAA6N;IAC7N,4CAA4C;IAC5C,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;QAC/C,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\n\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions.js\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { ManagedIdentityApplication } from \"@azure/msal-node\";\nimport { IdentityClient } from \"../../client/identityClient.js\";\nimport { AuthenticationRequiredError, CredentialUnavailableError } from \"../../errors.js\";\nimport { getMSALLogLevel, defaultLoggerCallback } from \"../../msal/utils.js\";\nimport { imdsRetryPolicy } from \"./imdsRetryPolicy.js\";\nimport type { MSIConfiguration } from \"./models.js\";\nimport { formatSuccess, formatError, credentialLogger } from \"../../util/logging.js\";\nimport { tracingClient } from \"../../util/tracing.js\";\nimport { imdsMsi } from \"./imdsMsi.js\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi.js\";\nimport { mapScopesToResource, serviceFabricErrorMessage } from \"./utils.js\";\nimport type { MsalToken, ValidMsalToken } from \"../../msal/types.js\";\nimport type {\n ManagedIdentityCredentialClientIdOptions,\n ManagedIdentityCredentialObjectIdOptions,\n ManagedIdentityCredentialResourceIdOptions,\n} from \"./options.js\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n/**\n * Attempts authentication using a managed identity available at the deployment environment.\n * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,\n * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.\n *\n * More information about configuring managed identities can be found here:\n * https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview\n */\nexport class ManagedIdentityCredential implements TokenCredential {\n private managedIdentityApp: ManagedIdentityApplication;\n private identityClient: IdentityClient;\n private clientId?: string;\n private resourceId?: string;\n private objectId?: string;\n private msiRetryConfig: MSIConfiguration[\"retryConfig\"] = {\n maxRetries: 5,\n startDelayInMs: 800,\n intervalIncrement: 2,\n };\n private isAvailableIdentityClient: IdentityClient;\n\n /**\n * Creates an instance of ManagedIdentityCredential with the client ID of a\n * user-assigned identity, or app registration (when working with AKS pod-identity).\n *\n * @param clientId - The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).\n * @param options - Options for configuring the client which makes the access token request.\n */\n constructor(clientId: string, options?: TokenCredentialOptions);\n /**\n * Creates an instance of ManagedIdentityCredential with a client ID\n *\n * @param options - Options for configuring the client which makes the access token request.\n */\n constructor(options?: ManagedIdentityCredentialClientIdOptions);\n /**\n * Creates an instance of ManagedIdentityCredential with a resource ID\n *\n * @param options - Options for configuring the resource which makes the access token request.\n */\n constructor(options?: ManagedIdentityCredentialResourceIdOptions);\n /**\n * Creates an instance of ManagedIdentityCredential with an object ID\n *\n * @param options - Options for configuring the resource which makes the access token request.\n */\n constructor(options?: ManagedIdentityCredentialObjectIdOptions);\n /**\n * @internal\n * @hidden\n */\n constructor(\n clientIdOrOptions?:\n | string\n | ManagedIdentityCredentialClientIdOptions\n | ManagedIdentityCredentialResourceIdOptions\n | ManagedIdentityCredentialObjectIdOptions,\n options?: TokenCredentialOptions,\n ) {\n let _options: TokenCredentialOptions;\n if (typeof clientIdOrOptions === \"string\") {\n this.clientId = clientIdOrOptions;\n _options = options ?? {};\n } else {\n this.clientId = (clientIdOrOptions as ManagedIdentityCredentialClientIdOptions)?.clientId;\n _options = clientIdOrOptions ?? {};\n }\n this.resourceId = (_options as ManagedIdentityCredentialResourceIdOptions)?.resourceId;\n this.objectId = (_options as ManagedIdentityCredentialObjectIdOptions)?.objectId;\n\n // For JavaScript users.\n const providedIds = [\n { key: \"clientId\", value: this.clientId },\n { key: \"resourceId\", value: this.resourceId },\n { key: \"objectId\", value: this.objectId },\n ].filter((id) => id.value);\n if (providedIds.length > 1) {\n throw new Error(\n `ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify(\n { clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId },\n )}`,\n );\n }\n\n // ManagedIdentity uses http for local requests\n _options.allowInsecureConnection = true;\n\n if (_options.retryOptions?.maxRetries !== undefined) {\n this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;\n }\n\n this.identityClient = new IdentityClient({\n ..._options,\n additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: \"perCall\" }],\n });\n\n this.managedIdentityApp = new ManagedIdentityApplication({\n managedIdentityIdParams: {\n userAssignedClientId: this.clientId,\n userAssignedResourceId: this.resourceId,\n userAssignedObjectId: this.objectId,\n },\n system: {\n disableInternalRetries: true,\n networkClient: this.identityClient,\n loggerOptions: {\n logLevel: getMSALLogLevel(getLogLevel()),\n piiLoggingEnabled: _options.loggingOptions?.enableUnsafeSupportLogging,\n loggerCallback: defaultLoggerCallback(logger),\n },\n },\n });\n\n this.isAvailableIdentityClient = new IdentityClient({\n ..._options,\n retryOptions: {\n maxRetries: 0,\n },\n });\n\n const managedIdentitySource = this.managedIdentityApp.getManagedIdentitySource();\n // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.\n if (managedIdentitySource === \"CloudShell\") {\n if (this.clientId || this.resourceId || this.objectId) {\n logger.warning(\n `CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify(\n {\n clientId: this.clientId,\n resourceId: this.resourceId,\n objectId: this.objectId,\n },\n )}.`,\n );\n throw new CredentialUnavailableError(\n \"ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.\",\n );\n }\n }\n\n // ServiceFabric does not support specifying user-assigned managed identity by client ID or resource ID. The managed identity selected is based on the resource configuration.\n if (managedIdentitySource === \"ServiceFabric\") {\n if (this.clientId || this.resourceId || this.objectId) {\n logger.warning(\n `Service Fabric detected with user-provided IDs - throwing. Received values: ${JSON.stringify(\n {\n clientId: this.clientId,\n resourceId: this.resourceId,\n objectId: this.objectId,\n },\n )}.`,\n );\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: ${serviceFabricErrorMessage}`,\n );\n }\n }\n\n logger.info(`Using ${managedIdentitySource} managed identity.`);\n\n // Check if either clientId, resourceId or objectId was provided and log the value used\n if (providedIds.length === 1) {\n const { key, value } = providedIds[0];\n logger.info(`${managedIdentitySource} with ${key}: ${value}`);\n }\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n logger.getToken.info(\"Using the MSAL provider for Managed Identity.\");\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(\n scopes,\n )}`,\n );\n }\n\n return tracingClient.withSpan(\"ManagedIdentityCredential.getToken\", options, async () => {\n try {\n const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable(this.clientId);\n\n // Most scenarios are handled by MSAL except for two:\n // AKS pod identity - MSAL does not implement the token exchange flow.\n // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.\n // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token\n // We will continue to implement these features in the Identity library.\n\n const identitySource = this.managedIdentityApp.getManagedIdentitySource();\n const isImdsMsi = identitySource === \"DefaultToImds\" || identitySource === \"Imds\"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.\n\n logger.getToken.info(`MSAL Identity source: ${identitySource}`);\n\n if (isTokenExchangeMsi) {\n // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.\n logger.getToken.info(\"Using the token exchange managed identity.\");\n const result = await tokenExchangeMsi.getToken({\n scopes,\n clientId: this.clientId,\n identityClient: this.identityClient,\n retryConfig: this.msiRetryConfig,\n resourceId: this.resourceId,\n });\n\n if (result === null) {\n throw new CredentialUnavailableError(\n \"Attempted to use the token exchange managed identity, but received a null response.\",\n );\n }\n\n return result;\n } else if (isImdsMsi) {\n // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.\n // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.\n logger.getToken.info(\"Using the IMDS endpoint to probe for availability.\");\n const isAvailable = await imdsMsi.isAvailable({\n scopes,\n clientId: this.clientId,\n getTokenOptions: options,\n identityClient: this.isAvailableIdentityClient,\n resourceId: this.resourceId,\n });\n\n if (!isAvailable) {\n throw new CredentialUnavailableError(\n `Attempted to use the IMDS endpoint, but it is not available.`,\n );\n }\n }\n\n // If we got this far, it means:\n // - This is not a tokenExchangeMsi,\n // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.\n // We can proceed normally by calling MSAL for a token.\n logger.getToken.info(\"Calling into MSAL for managed identity token.\");\n const token = await this.managedIdentityApp.acquireToken({\n resource,\n });\n\n this.ensureValidMsalToken(scopes, token, options);\n logger.getToken.info(formatSuccess(scopes));\n\n return {\n expiresOnTimestamp: token.expiresOn.getTime(),\n token: token.accessToken,\n refreshAfterTimestamp: token.refreshOn?.getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (err: any) {\n logger.getToken.error(formatError(scopes, err));\n\n // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.\n // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?\n if (err.name === \"AuthenticationRequiredError\") {\n throw err;\n }\n\n if (isNetworkError(err)) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: Network unreachable. Message: ${err.message}`,\n { cause: err },\n );\n }\n\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: Authentication failed. Message ${err.message}`,\n { cause: err },\n );\n }\n });\n }\n\n /**\n * Ensures the validity of the MSAL token\n */\n private ensureValidMsalToken(\n scopes: string | string[],\n msalToken?: MsalToken,\n getTokenOptions?: GetTokenOptions,\n ): asserts msalToken is ValidMsalToken {\n const createError = (message: string): Error => {\n logger.getToken.info(message);\n return new AuthenticationRequiredError({\n scopes: Array.isArray(scopes) ? scopes : [scopes],\n getTokenOptions,\n message,\n });\n };\n if (!msalToken) {\n throw createError(\"No response.\");\n }\n if (!msalToken.expiresOn) {\n throw createError(`Response had no \"expiresOn\" property.`);\n }\n if (!msalToken.accessToken) {\n throw createError(`Response had no \"accessToken\" property.`);\n }\n }\n}\n\nfunction isNetworkError(err: any): boolean {\n // MSAL error\n if (err.errorCode === \"network_error\") {\n return true;\n }\n\n // Probe errors\n if (err.code === \"ENETUNREACH\" || err.code === \"EHOSTUNREACH\") {\n return true;\n }\n\n // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n // rather than just timing out, as expected.\n if (err.statusCode === 403 || err.code === 403) {\n if (err.message.includes(\"unreachable\")) {\n return true;\n }\n }\n\n return false;\n}\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAKlC,0CAA4C;AAC5C,gDAA8D;AAC9D,sEAAgE;AAChE,+CAA0F;AAC1F,kDAA6E;AAC7E,6DAAuD;AAEvD,sDAAqF;AACrF,sDAAsD;AACtD,6CAAuC;AACvC,+DAAyD;AACzD,yCAA4E;AAS5E,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,2BAA2B,CAAC,CAAC;AAE7D;;;;;;;GAOG;AACH,MAAa,yBAAyB;IAC5B,kBAAkB,CAA6B;IAC/C,cAAc,CAAiB;IAC/B,QAAQ,CAAU;IAClB,UAAU,CAAU;IACpB,QAAQ,CAAU;IAClB,cAAc,GAAoC;QACxD,UAAU,EAAE,CAAC;QACb,cAAc,EAAE,GAAG;QACnB,iBAAiB,EAAE,CAAC;KACrB,CAAC;IACM,yBAAyB,CAAiB;IAC1C,gBAAgB,CAAU;IA4BlC;;;OAGG;IACH,YACE,iBAI4C,EAC5C,OAAgC;QAEhC,IAAI,QAAgC,CAAC;QACrC,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,QAAQ,GAAG,OAAO,IAAI,EAAE,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,GAAI,iBAA8D,EAAE,QAAQ,CAAC;YAC1F,QAAQ,GAAG,iBAAiB,IAAI,EAAE,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,UAAU,GAAI,QAAuD,EAAE,UAAU,CAAC;QACvF,IAAI,CAAC,QAAQ,GAAI,QAAqD,EAAE,QAAQ,CAAC;QACjF,IAAI,CAAC,gBAAgB;YAClB,QAAqD,EAAE,gBAAgB,IAAI,KAAK,CAAC;QACpF,wBAAwB;QACxB,MAAM,WAAW,GAAG;YAClB,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;YACzC,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE;YAC7C,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;SAC1C,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,oHAAoH,IAAI,CAAC,SAAS,CAChI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAClF,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC;QAExC,IAAI,QAAQ,CAAC,YAAY,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;YACpD,IAAI,CAAC,cAAc,CAAC,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,kCAAc,CAAC;YACvC,GAAG,QAAQ;YACX,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,IAAA,oCAAe,EAAC,IAAI,CAAC,cAAc,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SAC5F,CAAC,CAAC;QAEH,IAAI,CAAC,kBAAkB,GAAG,IAAI,sCAA0B,CAAC;YACvD,uBAAuB,EAAE;gBACvB,oBAAoB,EAAE,IAAI,CAAC,QAAQ;gBACnC,sBAAsB,EAAE,IAAI,CAAC,UAAU;gBACvC,oBAAoB,EAAE,IAAI,CAAC,QAAQ;aACpC;YACD,MAAM,EAAE;gBACN,sBAAsB,EAAE,IAAI;gBAC5B,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,aAAa,EAAE;oBACb,QAAQ,EAAE,IAAA,0BAAe,EAAC,IAAA,oBAAW,GAAE,CAAC;oBACxC,iBAAiB,EAAE,QAAQ,CAAC,cAAc,EAAE,0BAA0B;oBACtE,cAAc,EAAE,IAAA,gCAAqB,EAAC,MAAM,CAAC;iBAC9C;aACF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,yBAAyB,GAAG,IAAI,kCAAc,CAAC;YAClD,GAAG,QAAQ;YACX,YAAY,EAAE;gBACZ,UAAU,EAAE,CAAC;aACd;SACF,CAAC,CAAC;QAEH,MAAM,qBAAqB,GAAG,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,CAAC;QACjF,uJAAuJ;QACvJ,IAAI,qBAAqB,KAAK,YAAY,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtD,MAAM,CAAC,OAAO,CACZ,+EAA+E,IAAI,CAAC,SAAS,CAC3F;oBACE,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CACF,GAAG,CACL,CAAC;gBACF,MAAM,IAAI,sCAA0B,CAClC,uNAAuN,CACxN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8KAA8K;QAC9K,IAAI,qBAAqB,KAAK,eAAe,EAAE,CAAC;YAC9C,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtD,MAAM,CAAC,OAAO,CACZ,+EAA+E,IAAI,CAAC,SAAS,CAC3F;oBACE,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CACF,GAAG,CACL,CAAC;gBACF,MAAM,IAAI,sCAA0B,CAClC,8BAA8B,oCAAyB,EAAE,CAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,SAAS,qBAAqB,oBAAoB,CAAC,CAAC;QAEhE,uFAAuF;QACvF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,GAAG,qBAAqB,SAAS,GAAG,KAAK,KAAK,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QACtE,MAAM,QAAQ,GAAG,IAAA,8BAAmB,EAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,yEAAyE,IAAI,CAAC,SAAS,CACrF,MAAM,CACP,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,OAAO,0BAAa,CAAC,QAAQ,CAAC,oCAAoC,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACtF,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,MAAM,sCAAgB,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAE7E,qDAAqD;gBACrD,sEAAsE;gBACtE,qFAAqF;gBACrF,gJAAgJ;gBAChJ,wEAAwE;gBAExE,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,CAAC;gBAC1E,MAAM,SAAS,GAAG,cAAc,KAAK,eAAe,IAAI,cAAc,KAAK,MAAM,CAAC,CAAC,kHAAkH;gBAErM,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAC;gBAEhE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,8EAA8E;oBAC9E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;oBACnE,MAAM,MAAM,GAAG,MAAM,sCAAgB,CAAC,QAAQ,CAAC;wBAC7C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,cAAc,EAAE,IAAI,CAAC,cAAc;wBACnC,WAAW,EAAE,IAAI,CAAC,cAAc;wBAChC,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;wBACpB,MAAM,IAAI,sCAA0B,CAClC,qFAAqF,CACtF,CAAC;oBACJ,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;qBAAM,IAAI,SAAS,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC9C,8GAA8G;oBAC9G,kKAAkK;oBAClK,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;oBAC3E,MAAM,WAAW,GAAG,MAAM,oBAAO,CAAC,WAAW,CAAC;wBAC5C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,eAAe,EAAE,OAAO;wBACxB,cAAc,EAAE,IAAI,CAAC,yBAAyB;wBAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,CAAC,WAAW,EAAE,CAAC;wBACjB,MAAM,IAAI,sCAA0B,CAClC,8DAA8D,CAC/D,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,gCAAgC;gBAChC,oCAAoC;gBACpC,0FAA0F;gBAC1F,2DAA2D;gBAC3D,uDAAuD;gBACvD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;gBACtE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC;oBACvD,QAAQ;iBACT,CAAC,CAAC;gBAEH,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;gBAE5C,OAAO;oBACL,kBAAkB,EAAE,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE;oBAC7C,KAAK,EAAE,KAAK,CAAC,WAAW;oBACxB,qBAAqB,EAAE,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE;oBACjD,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;gBAEhD,sHAAsH;gBACtH,mGAAmG;gBACnG,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;oBAC/C,MAAM,GAAG,CAAC;gBACZ,CAAC;gBAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,IAAI,sCAA0B,CAClC,4DAA4D,GAAG,CAAC,OAAO,EAAE,EACzE,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,sCAA0B,CAClC,6DAA6D,GAAG,CAAC,OAAO,EAAE,EAC1E,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,oBAAoB,CAC1B,MAAyB,EACzB,SAAqB,EACrB,eAAiC;QAEjC,MAAM,WAAW,GAAG,CAAC,OAAe,EAAS,EAAE;YAC7C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,IAAI,uCAA2B,CAAC;gBACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACjD,eAAe;gBACf,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,WAAW,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,WAAW,CAAC,uCAAuC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,MAAM,WAAW,CAAC,yCAAyC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;CACF;AAhTD,8DAgTC;AAED,SAAS,cAAc,CAAC,GAAQ;IAC9B,aAAa;IACb,IAAI,GAAG,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,eAAe;IACf,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6NAA6N;IAC7N,4CAA4C;IAC5C,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;QAC/C,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\n\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions.js\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { ManagedIdentityApplication } from \"@azure/msal-node\";\nimport { IdentityClient } from \"../../client/identityClient.js\";\nimport { AuthenticationRequiredError, CredentialUnavailableError } from \"../../errors.js\";\nimport { getMSALLogLevel, defaultLoggerCallback } from \"../../msal/utils.js\";\nimport { imdsRetryPolicy } from \"./imdsRetryPolicy.js\";\nimport type { MSIConfiguration } from \"./models.js\";\nimport { formatSuccess, formatError, credentialLogger } from \"../../util/logging.js\";\nimport { tracingClient } from \"../../util/tracing.js\";\nimport { imdsMsi } from \"./imdsMsi.js\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi.js\";\nimport { mapScopesToResource, serviceFabricErrorMessage } from \"./utils.js\";\nimport type { MsalToken, ValidMsalToken } from \"../../msal/types.js\";\nimport type {\n InternalManagedIdentityCredentialOptions,\n ManagedIdentityCredentialClientIdOptions,\n ManagedIdentityCredentialObjectIdOptions,\n ManagedIdentityCredentialResourceIdOptions,\n} from \"./options.js\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n/**\n * Attempts authentication using a managed identity available at the deployment environment.\n * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,\n * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.\n *\n * More information about configuring managed identities can be found here:\n * https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview\n */\nexport class ManagedIdentityCredential implements TokenCredential {\n private managedIdentityApp: ManagedIdentityApplication;\n private identityClient: IdentityClient;\n private clientId?: string;\n private resourceId?: string;\n private objectId?: string;\n private msiRetryConfig: MSIConfiguration[\"retryConfig\"] = {\n maxRetries: 5,\n startDelayInMs: 800,\n intervalIncrement: 2,\n };\n private isAvailableIdentityClient: IdentityClient;\n private sendProbeRequest: boolean;\n\n /**\n * Creates an instance of ManagedIdentityCredential with the client ID of a\n * user-assigned identity, or app registration (when working with AKS pod-identity).\n *\n * @param clientId - The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).\n * @param options - Options for configuring the client which makes the access token request.\n */\n constructor(clientId: string, options?: TokenCredentialOptions);\n /**\n * Creates an instance of ManagedIdentityCredential with a client ID\n *\n * @param options - Options for configuring the client which makes the access token request.\n */\n constructor(options?: ManagedIdentityCredentialClientIdOptions);\n /**\n * Creates an instance of ManagedIdentityCredential with a resource ID\n *\n * @param options - Options for configuring the resource which makes the access token request.\n */\n constructor(options?: ManagedIdentityCredentialResourceIdOptions);\n /**\n * Creates an instance of ManagedIdentityCredential with an object ID\n *\n * @param options - Options for configuring the resource which makes the access token request.\n */\n constructor(options?: ManagedIdentityCredentialObjectIdOptions);\n /**\n * @internal\n * @hidden\n */\n constructor(\n clientIdOrOptions?:\n | string\n | ManagedIdentityCredentialClientIdOptions\n | ManagedIdentityCredentialResourceIdOptions\n | ManagedIdentityCredentialObjectIdOptions,\n options?: TokenCredentialOptions,\n ) {\n let _options: TokenCredentialOptions;\n if (typeof clientIdOrOptions === \"string\") {\n this.clientId = clientIdOrOptions;\n _options = options ?? {};\n } else {\n this.clientId = (clientIdOrOptions as ManagedIdentityCredentialClientIdOptions)?.clientId;\n _options = clientIdOrOptions ?? {};\n }\n this.resourceId = (_options as ManagedIdentityCredentialResourceIdOptions)?.resourceId;\n this.objectId = (_options as ManagedIdentityCredentialObjectIdOptions)?.objectId;\n this.sendProbeRequest =\n (_options as InternalManagedIdentityCredentialOptions)?.sendProbeRequest ?? false;\n // For JavaScript users.\n const providedIds = [\n { key: \"clientId\", value: this.clientId },\n { key: \"resourceId\", value: this.resourceId },\n { key: \"objectId\", value: this.objectId },\n ].filter((id) => id.value);\n if (providedIds.length > 1) {\n throw new Error(\n `ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify(\n { clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId },\n )}`,\n );\n }\n\n // ManagedIdentity uses http for local requests\n _options.allowInsecureConnection = true;\n\n if (_options.retryOptions?.maxRetries !== undefined) {\n this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;\n }\n\n this.identityClient = new IdentityClient({\n ..._options,\n additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: \"perCall\" }],\n });\n\n this.managedIdentityApp = new ManagedIdentityApplication({\n managedIdentityIdParams: {\n userAssignedClientId: this.clientId,\n userAssignedResourceId: this.resourceId,\n userAssignedObjectId: this.objectId,\n },\n system: {\n disableInternalRetries: true,\n networkClient: this.identityClient,\n loggerOptions: {\n logLevel: getMSALLogLevel(getLogLevel()),\n piiLoggingEnabled: _options.loggingOptions?.enableUnsafeSupportLogging,\n loggerCallback: defaultLoggerCallback(logger),\n },\n },\n });\n\n this.isAvailableIdentityClient = new IdentityClient({\n ..._options,\n retryOptions: {\n maxRetries: 0,\n },\n });\n\n const managedIdentitySource = this.managedIdentityApp.getManagedIdentitySource();\n // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.\n if (managedIdentitySource === \"CloudShell\") {\n if (this.clientId || this.resourceId || this.objectId) {\n logger.warning(\n `CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify(\n {\n clientId: this.clientId,\n resourceId: this.resourceId,\n objectId: this.objectId,\n },\n )}.`,\n );\n throw new CredentialUnavailableError(\n \"ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.\",\n );\n }\n }\n\n // ServiceFabric does not support specifying user-assigned managed identity by client ID or resource ID. The managed identity selected is based on the resource configuration.\n if (managedIdentitySource === \"ServiceFabric\") {\n if (this.clientId || this.resourceId || this.objectId) {\n logger.warning(\n `Service Fabric detected with user-provided IDs - throwing. Received values: ${JSON.stringify(\n {\n clientId: this.clientId,\n resourceId: this.resourceId,\n objectId: this.objectId,\n },\n )}.`,\n );\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: ${serviceFabricErrorMessage}`,\n );\n }\n }\n\n logger.info(`Using ${managedIdentitySource} managed identity.`);\n\n // Check if either clientId, resourceId or objectId was provided and log the value used\n if (providedIds.length === 1) {\n const { key, value } = providedIds[0];\n logger.info(`${managedIdentitySource} with ${key}: ${value}`);\n }\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n logger.getToken.info(\"Using the MSAL provider for Managed Identity.\");\n const resource = mapScopesToResource(scopes);\n if (!resource) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(\n scopes,\n )}`,\n );\n }\n\n return tracingClient.withSpan(\"ManagedIdentityCredential.getToken\", options, async () => {\n try {\n const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable(this.clientId);\n\n // Most scenarios are handled by MSAL except for two:\n // AKS pod identity - MSAL does not implement the token exchange flow.\n // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.\n // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token\n // We will continue to implement these features in the Identity library.\n\n const identitySource = this.managedIdentityApp.getManagedIdentitySource();\n const isImdsMsi = identitySource === \"DefaultToImds\" || identitySource === \"Imds\"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.\n\n logger.getToken.info(`MSAL Identity source: ${identitySource}`);\n\n if (isTokenExchangeMsi) {\n // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.\n logger.getToken.info(\"Using the token exchange managed identity.\");\n const result = await tokenExchangeMsi.getToken({\n scopes,\n clientId: this.clientId,\n identityClient: this.identityClient,\n retryConfig: this.msiRetryConfig,\n resourceId: this.resourceId,\n });\n\n if (result === null) {\n throw new CredentialUnavailableError(\n \"Attempted to use the token exchange managed identity, but received a null response.\",\n );\n }\n\n return result;\n } else if (isImdsMsi && this.sendProbeRequest) {\n // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.\n // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.\n logger.getToken.info(\"Using the IMDS endpoint to probe for availability.\");\n const isAvailable = await imdsMsi.isAvailable({\n scopes,\n clientId: this.clientId,\n getTokenOptions: options,\n identityClient: this.isAvailableIdentityClient,\n resourceId: this.resourceId,\n });\n\n if (!isAvailable) {\n throw new CredentialUnavailableError(\n `Attempted to use the IMDS endpoint, but it is not available.`,\n );\n }\n }\n\n // If we got this far, it means:\n // - This is not a tokenExchangeMsi,\n // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable,\n // or we skip probing because the credential is set in DAC.\n // We can proceed normally by calling MSAL for a token.\n logger.getToken.info(\"Calling into MSAL for managed identity token.\");\n const token = await this.managedIdentityApp.acquireToken({\n resource,\n });\n\n this.ensureValidMsalToken(scopes, token, options);\n logger.getToken.info(formatSuccess(scopes));\n\n return {\n expiresOnTimestamp: token.expiresOn.getTime(),\n token: token.accessToken,\n refreshAfterTimestamp: token.refreshOn?.getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (err: any) {\n logger.getToken.error(formatError(scopes, err));\n\n // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.\n // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?\n if (err.name === \"AuthenticationRequiredError\") {\n throw err;\n }\n\n if (isNetworkError(err)) {\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: Network unreachable. Message: ${err.message}`,\n { cause: err },\n );\n }\n\n throw new CredentialUnavailableError(\n `ManagedIdentityCredential: Authentication failed. Message ${err.message}`,\n { cause: err },\n );\n }\n });\n }\n\n /**\n * Ensures the validity of the MSAL token\n */\n private ensureValidMsalToken(\n scopes: string | string[],\n msalToken?: MsalToken,\n getTokenOptions?: GetTokenOptions,\n ): asserts msalToken is ValidMsalToken {\n const createError = (message: string): Error => {\n logger.getToken.info(message);\n return new AuthenticationRequiredError({\n scopes: Array.isArray(scopes) ? scopes : [scopes],\n getTokenOptions,\n message,\n });\n };\n if (!msalToken) {\n throw createError(\"No response.\");\n }\n if (!msalToken.expiresOn) {\n throw createError(`Response had no \"expiresOn\" property.`);\n }\n if (!msalToken.accessToken) {\n throw createError(`Response had no \"accessToken\" property.`);\n }\n }\n}\n\nfunction isNetworkError(err: any): boolean {\n // MSAL error\n if (err.errorCode === \"network_error\") {\n return true;\n }\n\n // Probe errors\n if (err.code === \"ENETUNREACH\" || err.code === \"EHOSTUNREACH\") {\n return true;\n }\n\n // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n // rather than just timing out, as expected.\n if (err.statusCode === 403 || err.code === 403) {\n if (err.message.includes(\"unreachable\")) {\n return true;\n }\n }\n\n return false;\n}\n"]}
package/dist/commonjs/credentials/managedIdentityCredential/options.d.ts CHANGED
@@ -34,4 +34,19 @@ export interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentia
34
34
  */
35
35
  objectId: string;
36
36
  }
37
+ /**
38
+ * @internal
39
+ * Internal options for configuring the {@link ManagedIdentityCredential} with disable probe ability for DAC.
40
+ * This type ensures that we can use any of the credential options (clientId, resourceId, or objectId)
41
+ * along with the disableProbe flag for DefaultAzureCredential.
42
+ */
43
+ export type InternalManagedIdentityCredentialOptions = (ManagedIdentityCredentialClientIdOptions & ManagedIdentityDisableProbeOptions) | (ManagedIdentityCredentialResourceIdOptions & ManagedIdentityDisableProbeOptions) | (ManagedIdentityCredentialObjectIdOptions & ManagedIdentityDisableProbeOptions);
44
+ /**
45
+ * Options for configuring Managed Identity Credential with disable probe.
46
+ * This is only meant to use in DefaultAzureCredential when AZURE_TOKEN_CREDENTIALS is set to Managed Identity Credential.
47
+ */
48
+ type ManagedIdentityDisableProbeOptions = {
49
+ sendProbeRequest?: boolean;
50
+ };
51
+ export {};
37
52
  //# sourceMappingURL=options.d.ts.map
package/dist/commonjs/credentials/managedIdentityCredential/options.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/options.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAE9E;;;GAGG;AACH,MAAM,WAAW,wCAAyC,SAAQ,sBAAsB;IACtF;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,0CAA2C,SAAQ,sBAAsB;IACxF;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,wCAAyC,SAAQ,sBAAsB;IACtF;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;CAClB"}
1
+ {"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/options.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAE9E;;;GAGG;AACH,MAAM,WAAW,wCAAyC,SAAQ,sBAAsB;IACtF;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,0CAA2C,SAAQ,sBAAsB;IACxF;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,wCAAyC,SAAQ,sBAAsB;IACtF;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;GAKG;AACH,MAAM,MAAM,wCAAwC,GAChD,CAAC,wCAAwC,GAAG,kCAAkC,CAAC,GAC/E,CAAC,0CAA0C,GAAG,kCAAkC,CAAC,GACjF,CAAC,wCAAwC,GAAG,kCAAkC,CAAC,CAAC;AAEpF;;;GAGG;AACH,KAAK,kCAAkC,GAAG;IAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC"}
package/dist/commonjs/credentials/managedIdentityCredential/options.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"options.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/options.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions.js\";\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `clientId` and not `resourceId`, since only one of both is supported.\n */\nexport interface ManagedIdentityCredentialClientIdOptions extends TokenCredentialOptions {\n /**\n * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n */\n clientId?: string;\n}\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `resourceId` and not `clientId`, since only one of both is supported.\n */\nexport interface ManagedIdentityCredentialResourceIdOptions extends TokenCredentialOptions {\n /**\n * Allows specifying a custom resource Id.\n * In scenarios such as when user assigned identities are created using an ARM template,\n * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n * this parameter allows programs to use these user assigned identities\n * without having to first determine the client Id of the created identity.\n */\n resourceId: string;\n}\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `objectId` as a constructor argument.\n */\nexport interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentialOptions {\n /**\n * Allows specifying the object ID of the underlying service principal used to authenticate a user-assigned managed identity.\n * This is an alternative to providing a client ID or resource ID and is not required for system-assigned managed identities.\n */\n objectId: string;\n}\n"]}
1
+ {"version":3,"file":"options.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/options.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions.js\";\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `clientId` and not `resourceId`, since only one of both is supported.\n */\nexport interface ManagedIdentityCredentialClientIdOptions extends TokenCredentialOptions {\n /**\n * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n */\n clientId?: string;\n}\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `resourceId` and not `clientId`, since only one of both is supported.\n */\nexport interface ManagedIdentityCredentialResourceIdOptions extends TokenCredentialOptions {\n /**\n * Allows specifying a custom resource Id.\n * In scenarios such as when user assigned identities are created using an ARM template,\n * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n * this parameter allows programs to use these user assigned identities\n * without having to first determine the client Id of the created identity.\n */\n resourceId: string;\n}\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `objectId` as a constructor argument.\n */\nexport interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentialOptions {\n /**\n * Allows specifying the object ID of the underlying service principal used to authenticate a user-assigned managed identity.\n * This is an alternative to providing a client ID or resource ID and is not required for system-assigned managed identities.\n */\n objectId: string;\n}\n\n/**\n * @internal\n * Internal options for configuring the {@link ManagedIdentityCredential} with disable probe ability for DAC.\n * This type ensures that we can use any of the credential options (clientId, resourceId, or objectId)\n * along with the disableProbe flag for DefaultAzureCredential.\n */\nexport type InternalManagedIdentityCredentialOptions =\n | (ManagedIdentityCredentialClientIdOptions & ManagedIdentityDisableProbeOptions)\n | (ManagedIdentityCredentialResourceIdOptions & ManagedIdentityDisableProbeOptions)\n | (ManagedIdentityCredentialObjectIdOptions & ManagedIdentityDisableProbeOptions);\n\n/**\n * Options for configuring Managed Identity Credential with disable probe.\n * This is only meant to use in DefaultAzureCredential when AZURE_TOKEN_CREDENTIALS is set to Managed Identity Credential.\n */\ntype ManagedIdentityDisableProbeOptions = { sendProbeRequest?: boolean };\n"]}
package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"msalBrowserCommon.d.ts","sourceRoot":"","sources":["../../../../src/msal/browserFlows/msalBrowserCommon.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAYtE,OAAO,KAAK,EAAE,WAAW,EAAmB,MAAM,kBAAkB,CAAC;AACrE,OAAO,KAAK,EAAE,oBAAoB,EAAc,MAAM,aAAa,CAAC;AAEpE,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,mBAAmB,CAAC;AA+CvE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,gBAAgB,IAAI,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAAC;IAC9D,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,6BAA6B,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CAC1F;AAKD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,sBAAsB,GAAG,iBAAiB,CAyP1F"}
1
+ {"version":3,"file":"msalBrowserCommon.d.ts","sourceRoot":"","sources":["../../../../src/msal/browserFlows/msalBrowserCommon.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAYtE,OAAO,KAAK,EAAE,WAAW,EAAmB,MAAM,kBAAkB,CAAC;AACrE,OAAO,KAAK,EAAE,oBAAoB,EAAc,MAAM,aAAa,CAAC;AAEpE,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,mBAAmB,CAAC;AA8CvE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,gBAAgB,IAAI,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAAC;IAC9D,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,6BAA6B,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CAC1F;AAKD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,sBAAsB,GAAG,iBAAiB,CAyP1F"}
package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js CHANGED
@@ -16,7 +16,6 @@ const constants_js_1 = require("../../constants.js");
16
16
  const isLocationDefined = typeof self !== "undefined" && self.location !== undefined;
17
17
  /**
18
18
  * Generates a MSAL configuration that generally works for browsers
19
- * @internal
20
19
  */
21
20
  function generateMsalBrowserConfiguration(options) {
22
21
  const tenantId = options.tenantId || constants_js_1.DefaultTenantId;