@azure/identity 4.14.0-beta.1 → 4.14.0-beta.3

package/dist/commonjs/client/identityClient.js

@@ -1,265 +1,308 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.IdentityClient = void 0;
-exports.getIdentityClientAuthorityHost = getIdentityClientAuthorityHost;
-const core_client_1 = require("@azure/core-client");
-const core_util_1 = require("@azure/core-util");
-const core_rest_pipeline_1 = require("@azure/core-rest-pipeline");
-const errors_js_1 = require("../errors.js");
-const identityTokenEndpoint_js_1 = require("../util/identityTokenEndpoint.js");
-const constants_js_1 = require("../constants.js");
-const tracing_js_1 = require("../util/tracing.js");
-const logging_js_1 = require("../util/logging.js");
-const utils_js_1 = require("../credentials/managedIdentityCredential/utils.js");
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var identityClient_exports = {};
+__export(identityClient_exports, {
+  IdentityClient: () => IdentityClient
+});
+module.exports = __toCommonJS(identityClient_exports);
+var import_core_client = require("@azure/core-client");
+var import_core_rest_pipeline = require("@azure/core-rest-pipeline");
+var import_errors = require("../errors.js");
+var import_identityTokenEndpoint = require("../util/identityTokenEndpoint.js");
+var import_constants = require("../constants.js");
+var import_tracing = require("../util/tracing.js");
+var import_logging = require("../util/logging.js");
+var import_utils = require("../credentials/managedIdentityCredential/utils.js");
+var import_authorityHost = require("../util/authorityHost.js");
 const noCorrelationId = "noCorrelationId";
-/**
- * @internal
- */
-function getIdentityClientAuthorityHost(options) {
-    // The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
-    let authorityHost = options?.authorityHost;
-    // The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
-    if (core_util_1.isNode) {
-        authorityHost = authorityHost ?? process.env.AZURE_AUTHORITY_HOST;
+const HttpStatus = {
+  CLIENT_ERROR_RANGE_START: 400,
+  CLIENT_ERROR_RANGE_END: 499,
+  SERVER_ERROR_RANGE_START: 500,
+  SERVER_ERROR_RANGE_END: 599
+};
+class IdentityClient extends import_core_client.ServiceClient {
+  authorityHost;
+  allowLoggingAccountIdentifiers;
+  abortControllers;
+  allowInsecureConnection = false;
+  // used for WorkloadIdentity
+  tokenCredentialOptions;
+  constructor(options) {
+    const packageDetails = `azsdk-js-identity/${import_constants.SDK_VERSION}`;
+    const userAgentPrefix = options?.userAgentOptions?.userAgentPrefix ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}` : `${packageDetails}`;
+    const baseUri = (0, import_authorityHost.getAuthorityHost)(options);
+    if (!baseUri.startsWith("https:")) {
+      throw new Error("The authorityHost address must use the 'https' protocol.");
     }
-    // If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
-    return authorityHost ?? constants_js_1.DefaultAuthorityHost;
-}
-/**
- * The network module used by the Identity credentials.
- *
- * It allows for credentials to abort any pending request independently of the MSAL flow,
- * by calling to the `abortRequests()` method.
- *
- */
-class IdentityClient extends core_client_1.ServiceClient {
-    authorityHost;
-    allowLoggingAccountIdentifiers;
-    abortControllers;
-    allowInsecureConnection = false;
-    // used for WorkloadIdentity
-    tokenCredentialOptions;
-    constructor(options) {
-        const packageDetails = `azsdk-js-identity/${constants_js_1.SDK_VERSION}`;
-        const userAgentPrefix = options?.userAgentOptions?.userAgentPrefix
-            ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
-            : `${packageDetails}`;
-        const baseUri = getIdentityClientAuthorityHost(options);
-        if (!baseUri.startsWith("https:")) {
-            throw new Error("The authorityHost address must use the 'https' protocol.");
-        }
-        super({
-            requestContentType: "application/json; charset=utf-8",
-            retryOptions: {
-                maxRetries: 3,
-            },
-            ...options,
-            userAgentOptions: {
-                userAgentPrefix,
-            },
-            baseUri,
-        });
-        this.authorityHost = baseUri;
-        this.abortControllers = new Map();
-        this.allowLoggingAccountIdentifiers = options?.loggingOptions?.allowLoggingAccountIdentifiers;
-        // used for WorkloadIdentity
-        this.tokenCredentialOptions = { ...options };
-        // used for ManagedIdentity
-        if (options?.allowInsecureConnection) {
-            this.allowInsecureConnection = options.allowInsecureConnection;
-        }
+    super({
+      requestContentType: "application/json; charset=utf-8",
+      retryOptions: {
+        maxRetries: 3
+      },
+      ...options,
+      userAgentOptions: {
+        userAgentPrefix
+      },
+      baseUri
+    });
+    this.authorityHost = baseUri;
+    this.abortControllers = /* @__PURE__ */ new Map();
+    this.allowLoggingAccountIdentifiers = options?.loggingOptions?.allowLoggingAccountIdentifiers;
+    this.tokenCredentialOptions = { ...options };
+    if (options?.allowInsecureConnection) {
+      this.allowInsecureConnection = options.allowInsecureConnection;
     }
-    async sendTokenRequest(request) {
-        logging_js_1.logger.info(`IdentityClient: sending token request to [${request.url}]`);
-        const response = await this.sendRequest(request);
-        if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
-            const parsedBody = JSON.parse(response.bodyAsText);
-            if (!parsedBody.access_token) {
-                return null;
-            }
-            this.logIdentifiers(response);
-            const token = {
-                accessToken: {
-                    token: parsedBody.access_token,
-                    expiresOnTimestamp: (0, utils_js_1.parseExpirationTimestamp)(parsedBody),
-                    refreshAfterTimestamp: (0, utils_js_1.parseRefreshTimestamp)(parsedBody),
-                    tokenType: "Bearer",
-                },
-                refreshToken: parsedBody.refresh_token,
-            };
-            logging_js_1.logger.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
-            return token;
-        }
-        else {
-            const error = new errors_js_1.AuthenticationError(response.status, response.bodyAsText);
-            logging_js_1.logger.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
-            throw error;
-        }
+  }
+  async sendTokenRequest(request) {
+    import_logging.logger.info(`IdentityClient: sending token request to [${request.url}]`);
+    const response = await this.sendRequest(request);
+    if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
+      const parsedBody = JSON.parse(response.bodyAsText);
+      if (!parsedBody.access_token) {
+        return null;
+      }
+      this.logIdentifiers(response);
+      const token = {
+        accessToken: {
+          token: parsedBody.access_token,
+          expiresOnTimestamp: (0, import_utils.parseExpirationTimestamp)(parsedBody),
+          refreshAfterTimestamp: (0, import_utils.parseRefreshTimestamp)(parsedBody),
+          tokenType: "Bearer"
+        },
+        refreshToken: parsedBody.refresh_token
+      };
+      import_logging.logger.info(
+        `IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`
+      );
+      return token;
+    } else {
+      const error = new import_errors.AuthenticationError(response.status, response.bodyAsText);
+      import_logging.logger.warning(
+        `IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`
+      );
+      throw error;
     }
-    async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, options = {}) {
-        if (refreshToken === undefined) {
-            return null;
-        }
-        logging_js_1.logger.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
-        const refreshParams = {
-            grant_type: "refresh_token",
-            client_id: clientId,
-            refresh_token: refreshToken,
-            scope: scopes,
-        };
-        if (clientSecret !== undefined) {
-            refreshParams.client_secret = clientSecret;
-        }
-        const query = new URLSearchParams(refreshParams);
-        return tracing_js_1.tracingClient.withSpan("IdentityClient.refreshAccessToken", options, async (updatedOptions) => {
-            try {
-                const urlSuffix = (0, identityTokenEndpoint_js_1.getIdentityTokenEndpointSuffix)(tenantId);
-                const request = (0, core_rest_pipeline_1.createPipelineRequest)({
-                    url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
-                    method: "POST",
-                    body: query.toString(),
-                    abortSignal: options.abortSignal,
-                    headers: (0, core_rest_pipeline_1.createHttpHeaders)({
-                        Accept: "application/json",
-                        "Content-Type": "application/x-www-form-urlencoded",
-                    }),
-                    tracingOptions: updatedOptions.tracingOptions,
-                });
-                const response = await this.sendTokenRequest(request);
-                logging_js_1.logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
-                return response;
-            }
-            catch (err) {
-                if (err.name === errors_js_1.AuthenticationErrorName &&
-                    err.errorResponse.error === "interaction_required") {
-                    // It's likely that the refresh token has expired, so
-                    // return null so that the credential implementation will
-                    // initiate the authentication flow again.
-                    logging_js_1.logger.info(`IdentityClient: interaction required for client ID: ${clientId}`);
-                    return null;
-                }
-                else {
-                    logging_js_1.logger.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
-                    throw err;
-                }
-            }
-        });
+  }
+  async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, options = {}) {
+    if (refreshToken === void 0) {
+      return null;
     }
-    // Here is a custom layer that allows us to abort requests that go through MSAL,
-    // since MSAL doesn't allow us to pass options all the way through.
-    generateAbortSignal(correlationId) {
-        const controller = new AbortController();
-        const controllers = this.abortControllers.get(correlationId) || [];
-        controllers.push(controller);
-        this.abortControllers.set(correlationId, controllers);
-        const existingOnAbort = controller.signal.onabort;
-        controller.signal.onabort = (...params) => {
-            this.abortControllers.set(correlationId, undefined);
-            if (existingOnAbort) {
-                existingOnAbort.apply(controller.signal, params);
-            }
-        };
-        return controller.signal;
+    import_logging.logger.info(
+      `IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`
+    );
+    const refreshParams = {
+      grant_type: "refresh_token",
+      client_id: clientId,
+      refresh_token: refreshToken,
+      scope: scopes
+    };
+    if (clientSecret !== void 0) {
+      refreshParams.client_secret = clientSecret;
     }
-    abortRequests(correlationId) {
-        const key = correlationId || noCorrelationId;
-        const controllers = [
-            ...(this.abortControllers.get(key) || []),
-            // MSAL passes no correlation ID to the get requests...
-            ...(this.abortControllers.get(noCorrelationId) || []),
-        ];
-        if (!controllers.length) {
-            return;
-        }
-        for (const controller of controllers) {
-            controller.abort();
+    const query = new URLSearchParams(refreshParams);
+    return import_tracing.tracingClient.withSpan(
+      "IdentityClient.refreshAccessToken",
+      options,
+      async (updatedOptions) => {
+        try {
+          const urlSuffix = (0, import_identityTokenEndpoint.getIdentityTokenEndpointSuffix)(tenantId);
+          const request = (0, import_core_rest_pipeline.createPipelineRequest)({
+            url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
+            method: "POST",
+            body: query.toString(),
+            abortSignal: options.abortSignal,
+            headers: (0, import_core_rest_pipeline.createHttpHeaders)({
+              Accept: "application/json",
+              "Content-Type": "application/x-www-form-urlencoded"
+            }),
+            tracingOptions: updatedOptions.tracingOptions
+          });
+          const response = await this.sendTokenRequest(request);
+          import_logging.logger.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+          return response;
+        } catch (err) {
+          if (err.name === import_errors.AuthenticationErrorName && err.errorResponse.error === "interaction_required") {
+            import_logging.logger.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+            return null;
+          } else {
+            import_logging.logger.warning(
+              `IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`
+            );
+            throw err;
+          }
         }
-        this.abortControllers.set(key, undefined);
+      }
+    );
+  }
+  // Here is a custom layer that allows us to abort requests that go through MSAL,
+  // since MSAL doesn't allow us to pass options all the way through.
+  generateAbortSignal(correlationId) {
+    const controller = new AbortController();
+    const controllers = this.abortControllers.get(correlationId) || [];
+    controllers.push(controller);
+    this.abortControllers.set(correlationId, controllers);
+    const existingOnAbort = controller.signal.onabort;
+    controller.signal.onabort = (...params) => {
+      this.abortControllers.set(correlationId, void 0);
+      if (existingOnAbort) {
+        existingOnAbort.apply(controller.signal, params);
+      }
+    };
+    return controller.signal;
+  }
+  abortRequests(correlationId) {
+    const key = correlationId || noCorrelationId;
+    const controllers = [
+      ...this.abortControllers.get(key) || [],
+      // MSAL passes no correlation ID to the get requests...
+      ...this.abortControllers.get(noCorrelationId) || []
+    ];
+    if (!controllers.length) {
+      return;
     }
-    getCorrelationId(options) {
-        const parameter = options?.body
-            ?.split("&")
-            .map((part) => part.split("="))
-            .find(([key]) => key === "client-request-id");
-        return parameter && parameter.length ? parameter[1] || noCorrelationId : noCorrelationId;
+    for (const controller of controllers) {
+      controller.abort();
     }
-    // The MSAL network module methods follow
-    async sendGetRequestAsync(url, options) {
-        const request = (0, core_rest_pipeline_1.createPipelineRequest)({
-            url,
-            method: "GET",
-            body: options?.body,
-            allowInsecureConnection: this.allowInsecureConnection,
-            headers: (0, core_rest_pipeline_1.createHttpHeaders)(options?.headers),
-            abortSignal: this.generateAbortSignal(noCorrelationId),
-        });
-        const response = await this.sendRequest(request);
-        this.logIdentifiers(response);
-        return {
-            body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
-            headers: response.headers.toJSON(),
-            status: response.status,
-        };
-    }
-    async sendPostRequestAsync(url, options) {
-        const request = (0, core_rest_pipeline_1.createPipelineRequest)({
-            url,
-            method: "POST",
-            body: options?.body,
-            headers: (0, core_rest_pipeline_1.createHttpHeaders)(options?.headers),
-            allowInsecureConnection: this.allowInsecureConnection,
-            // MSAL doesn't send the correlation ID on the get requests.
-            abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
-        });
-        const response = await this.sendRequest(request);
-        this.logIdentifiers(response);
-        return {
-            body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
-            headers: response.headers.toJSON(),
-            status: response.status,
-        };
+    this.abortControllers.set(key, void 0);
+  }
+  getCorrelationId(options) {
+    const parameter = options?.body?.split("&").map((part) => part.split("=")).find(([key]) => key === "client-request-id");
+    return parameter && parameter.length ? parameter[1] || noCorrelationId : noCorrelationId;
+  }
+  // The MSAL network module methods follow
+  async sendGetRequestAsync(url, options) {
+    const request = (0, import_core_rest_pipeline.createPipelineRequest)({
+      url,
+      method: "GET",
+      body: options?.body,
+      allowInsecureConnection: this.allowInsecureConnection,
+      headers: (0, import_core_rest_pipeline.createHttpHeaders)(options?.headers),
+      abortSignal: this.generateAbortSignal(noCorrelationId)
+    });
+    const response = await this.sendRequest(request);
+    this.logIdentifiers(response);
+    return {
+      body: this.parseResponseBody(response),
+      headers: response.headers.toJSON(),
+      status: response.status
+    };
+  }
+  async sendPostRequestAsync(url, options) {
+    const request = (0, import_core_rest_pipeline.createPipelineRequest)({
+      url,
+      method: "POST",
+      body: options?.body,
+      headers: (0, import_core_rest_pipeline.createHttpHeaders)(options?.headers),
+      allowInsecureConnection: this.allowInsecureConnection,
+      // MSAL doesn't send the correlation ID on the get requests.
+      abortSignal: this.generateAbortSignal(this.getCorrelationId(options))
+    });
+    const response = await this.sendRequest(request);
+    this.logIdentifiers(response);
+    return {
+      body: this.parseResponseBody(response),
+      headers: response.headers.toJSON(),
+      status: response.status
+    };
+  }
+  /**
+   *
+   * @internal
+   */
+  getTokenCredentialOptions() {
+    return this.tokenCredentialOptions;
+  }
+  /**
+   * If allowLoggingAccountIdentifiers was set on the constructor options
+   * we try to log the account identifiers by parsing the received access token.
+   *
+   * The account identifiers we try to log are:
+   * - `appid`: The application or Client Identifier.
+   * - `upn`: User Principal Name.
+   *   - It might not be available in some authentication scenarios.
+   *   - If it's not available, we put a placeholder: "No User Principal Name available".
+   * - `tid`: Tenant Identifier.
+   * - `oid`: Object Identifier of the authenticated user.
+   */
+  logIdentifiers(response) {
+    if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
+      return;
     }
-    /**
-     *
-     * @internal
-     */
-    getTokenCredentialOptions() {
-        return this.tokenCredentialOptions;
+    const unavailableUpn = "No User Principal Name available";
+    try {
+      const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
+      const accessToken = parsed.access_token;
+      if (!accessToken) {
+        return;
+      }
+      const base64Metadata = accessToken.split(".")[1];
+      const { appid, upn, tid, oid } = JSON.parse(
+        Buffer.from(base64Metadata, "base64").toString("utf8")
+      );
+      import_logging.logger.info(
+        `[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`
+      );
+    } catch (e) {
+      import_logging.logger.warning(
+        "allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:",
+        e.message
+      );
     }
-    /**
-     * If allowLoggingAccountIdentifiers was set on the constructor options
-     * we try to log the account identifiers by parsing the received access token.
-     *
-     * The account identifiers we try to log are:
-     * - `appid`: The application or Client Identifier.
-     * - `upn`: User Principal Name.
-     *   - It might not be available in some authentication scenarios.
-     *   - If it's not available, we put a placeholder: "No User Principal Name available".
-     * - `tid`: Tenant Identifier.
-     * - `oid`: Object Identifier of the authenticated user.
-     */
-    logIdentifiers(response) {
-        if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
-            return;
-        }
-        const unavailableUpn = "No User Principal Name available";
-        try {
-            const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
-            const accessToken = parsed.access_token;
-            if (!accessToken) {
-                // Without an access token allowLoggingAccountIdentifiers isn't useful.
-                return;
-            }
-            const base64Metadata = accessToken.split(".")[1];
-            const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
-            logging_js_1.logger.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
-        }
-        catch (e) {
-            logging_js_1.logger.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
-        }
+  }
+  /**
+   * Parses the response body if possible. Add error properties if parsing fails.
+   * This follows MSAL INetworkModule behavior so the response is in expected format.
+   */
+  parseResponseBody(response) {
+    let parsedBody;
+    try {
+      parsedBody = JSON.parse(response.bodyAsText || "");
+    } catch (error) {
+      import_logging.logger.info(`IdentityClient: Could not parse response body: ${error}`);
+      let errorType;
+      let errorDescriptionHelper;
+      if (response.status >= HttpStatus.CLIENT_ERROR_RANGE_START && response.status <= HttpStatus.CLIENT_ERROR_RANGE_END) {
+        errorType = "client_error";
+        errorDescriptionHelper = "A client";
+      } else if (response.status >= HttpStatus.SERVER_ERROR_RANGE_START && response.status <= HttpStatus.SERVER_ERROR_RANGE_END) {
+        errorType = "server_error";
+        errorDescriptionHelper = "A server";
+      } else {
+        errorType = "unknown_error";
+        errorDescriptionHelper = "An unknown";
+      }
+      const errorDescriptionLines = [
+        `${errorDescriptionHelper} error occured.`,
+        `Http status code: ${response.status}`,
+        `Http status message: ${response.bodyAsText || "Unknown"}`,
+        `Headers: ${JSON.stringify(response.headers)}`
+      ];
+      parsedBody = {
+        error: errorType,
+        error_description: errorDescriptionLines.join("\n")
+      };
     }
+    return parsedBody;
+  }
 }
-exports.IdentityClient = IdentityClient;
-//# sourceMappingURL=identityClient.js.map
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  IdentityClient
+});
+//# sourceMappingURL=identityClient.js.map