@azure/identity 4.14.0-beta.2 → 4.14.0-beta.3

package/dist/commonjs/credentials/clientAssertionCredential.js

@@ -1,67 +1,105 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientAssertionCredential = void 0;
-const msalClient_js_1 = require("../msal/nodeFlows/msalClient.js");
-const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
-const errors_js_1 = require("../errors.js");
-const logging_js_1 = require("../util/logging.js");
-const tracing_js_1 = require("../util/tracing.js");
-const logger = (0, logging_js_1.credentialLogger)("ClientAssertionCredential");
-/**
- * Authenticates a service principal with a JWT assertion.
- */
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var clientAssertionCredential_exports = {};
+__export(clientAssertionCredential_exports, {
+  ClientAssertionCredential: () => ClientAssertionCredential
+});
+module.exports = __toCommonJS(clientAssertionCredential_exports);
+var import_msalClient = require("../msal/nodeFlows/msalClient.js");
+var import_tenantIdUtils = require("../util/tenantIdUtils.js");
+var import_errors = require("../errors.js");
+var import_logging = require("../util/logging.js");
+var import_tracing = require("../util/tracing.js");
+const logger = (0, import_logging.credentialLogger)("ClientAssertionCredential");
 class ClientAssertionCredential {
-    msalClient;
-    tenantId;
-    additionallyAllowedTenantIds;
-    getAssertion;
-    options;
-    /**
-     * Creates an instance of the ClientAssertionCredential with the details
-     * needed to authenticate against Microsoft Entra ID with a client
-     * assertion provided by the developer through the `getAssertion` function parameter.
-     *
-     * @param tenantId - The Microsoft Entra tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param getAssertion - A function that retrieves the assertion for the credential to use.
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, getAssertion, options = {}) {
-        if (!tenantId) {
-            throw new errors_js_1.CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter.");
-        }
-        if (!clientId) {
-            throw new errors_js_1.CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter.");
-        }
-        if (!getAssertion) {
-            throw new errors_js_1.CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter.");
-        }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options?.additionallyAllowedTenants);
-        this.options = options;
-        this.getAssertion = getAssertion;
-        this.msalClient = (0, msalClient_js_1.createMsalClient)(clientId, tenantId, {
-            ...this.options,
-            logger,
-        });
+  msalClient;
+  tenantId;
+  additionallyAllowedTenantIds;
+  getAssertion;
+  options;
+  /**
+   * Creates an instance of the ClientAssertionCredential with the details
+   * needed to authenticate against Microsoft Entra ID with a client
+   * assertion provided by the developer through the `getAssertion` function parameter.
+   *
+   * @param tenantId - The Microsoft Entra tenant (directory) ID.
+   * @param clientId - The client (application) ID of an App Registration in the tenant.
+   * @param getAssertion - A function that retrieves the assertion for the credential to use.
+   * @param options - Options for configuring the client which makes the authentication request.
+   */
+  constructor(tenantId, clientId, getAssertion, options = {}) {
+    if (!tenantId) {
+      throw new import_errors.CredentialUnavailableError(
+        "ClientAssertionCredential: tenantId is a required parameter."
+      );
     }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalClient.getTokenByClientAssertion(arrayScopes, this.getAssertion, newOptions);
-        });
+    if (!clientId) {
+      throw new import_errors.CredentialUnavailableError(
+        "ClientAssertionCredential: clientId is a required parameter."
+      );
     }
+    if (!getAssertion) {
+      throw new import_errors.CredentialUnavailableError(
+        "ClientAssertionCredential: clientAssertion is a required parameter."
+      );
+    }
+    this.tenantId = tenantId;
+    this.additionallyAllowedTenantIds = (0, import_tenantIdUtils.resolveAdditionallyAllowedTenantIds)(
+      options?.additionallyAllowedTenants
+    );
+    this.options = options;
+    this.getAssertion = getAssertion;
+    this.msalClient = (0, import_msalClient.createMsalClient)(clientId, tenantId, {
+      ...this.options,
+      logger
+    });
+  }
+  /**
+   * Authenticates with Microsoft Entra ID and returns an access token if successful.
+   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+   *
+   * @param scopes - The list of scopes for which the token will have access.
+   * @param options - The options used to configure any requests this
+   *                TokenCredential implementation might make.
+   */
+  async getToken(scopes, options = {}) {
+    return import_tracing.tracingClient.withSpan(
+      `${this.constructor.name}.getToken`,
+      options,
+      async (newOptions) => {
+        newOptions.tenantId = (0, import_tenantIdUtils.processMultiTenantRequest)(
+          this.tenantId,
+          newOptions,
+          this.additionallyAllowedTenantIds,
+          logger
+        );
+        const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+        return this.msalClient.getTokenByClientAssertion(
+          arrayScopes,
+          this.getAssertion,
+          newOptions
+        );
+      }
+    );
+  }
 }
-exports.ClientAssertionCredential = ClientAssertionCredential;
-//# sourceMappingURL=clientAssertionCredential.js.map
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ClientAssertionCredential
+});
+//# sourceMappingURL=clientAssertionCredential.js.map

package/dist/commonjs/credentials/clientAssertionCredential.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"clientAssertionCredential.js","sourceRoot":"","sources":["../../../src/credentials/clientAssertionCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAIlC,mEAAmE;AACnE,+DAGkC;AAGlC,4CAA0D;AAC1D,mDAAsD;AACtD,mDAAmD;AAEnD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,2BAA2B,CAAC,CAAC;AAE7D;;GAEG;AACH,MAAa,yBAAyB;IAC5B,UAAU,CAAa;IACvB,QAAQ,CAAS;IACjB,4BAA4B,CAAW;IACvC,YAAY,CAAwB;IACpC,OAAO,CAAmC;IAElD;;;;;;;;;OASG;IACH,YACE,QAAgB,EAChB,QAAgB,EAChB,YAAmC,EACnC,UAA4C,EAAE;QAE9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,8DAA8D,CAC/D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,8DAA8D,CAC/D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,sCAA0B,CAClC,qEAAqE,CACtE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QAEF,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,IAAA,gCAAgB,EAAC,QAAQ,EAAE,QAAQ,EAAE;YACrD,GAAG,IAAI,CAAC,OAAO;YACf,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,0BAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,IAAA,4CAAyB,EAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,yBAAyB,CAC9C,WAAW,EACX,IAAI,CAAC,YAAY,EACjB,UAAU,CACX,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC;CACF;AAlFD,8DAkFC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { ClientAssertionCredentialOptions } from \"./clientAssertionCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"ClientAssertionCredential\");\n\n/**\n * Authenticates a service principal with a JWT assertion.\n */\nexport class ClientAssertionCredential implements TokenCredential {\n  private msalClient: MsalClient;\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private getAssertion: () => Promise<string>;\n  private options: ClientAssertionCredentialOptions;\n\n  /**\n   * Creates an instance of the ClientAssertionCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a client\n   * assertion provided by the developer through the `getAssertion` function parameter.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param getAssertion - A function that retrieves the assertion for the credential to use.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    getAssertion: () => Promise<string>,\n    options: ClientAssertionCredentialOptions = {},\n  ) {\n    if (!tenantId) {\n      throw new CredentialUnavailableError(\n        \"ClientAssertionCredential: tenantId is a required parameter.\",\n      );\n    }\n\n    if (!clientId) {\n      throw new CredentialUnavailableError(\n        \"ClientAssertionCredential: clientId is a required parameter.\",\n      );\n    }\n\n    if (!getAssertion) {\n      throw new CredentialUnavailableError(\n        \"ClientAssertionCredential: clientAssertion is a required parameter.\",\n      );\n    }\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.options = options;\n    this.getAssertion = getAssertion;\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...this.options,\n      logger,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n        return this.msalClient.getTokenByClientAssertion(\n          arrayScopes,\n          this.getAssertion,\n          newOptions,\n        );\n      },\n    );\n  }\n}\n"]}
+{
+  "version": 3,
+  "sources": ["../../../src/credentials/clientAssertionCredential.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { ClientAssertionCredentialOptions } from \"./clientAssertionCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"ClientAssertionCredential\");\n\n/**\n * Authenticates a service principal with a JWT assertion.\n */\nexport class ClientAssertionCredential implements TokenCredential {\n  private msalClient: MsalClient;\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private getAssertion: () => Promise<string>;\n  private options: ClientAssertionCredentialOptions;\n\n  /**\n   * Creates an instance of the ClientAssertionCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a client\n   * assertion provided by the developer through the `getAssertion` function parameter.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param getAssertion - A function that retrieves the assertion for the credential to use.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    getAssertion: () => Promise<string>,\n    options: ClientAssertionCredentialOptions = {},\n  ) {\n    if (!tenantId) {\n      throw new CredentialUnavailableError(\n        \"ClientAssertionCredential: tenantId is a required parameter.\",\n      );\n    }\n\n    if (!clientId) {\n      throw new CredentialUnavailableError(\n        \"ClientAssertionCredential: clientId is a required parameter.\",\n      );\n    }\n\n    if (!getAssertion) {\n      throw new CredentialUnavailableError(\n        \"ClientAssertionCredential: clientAssertion is a required parameter.\",\n      );\n    }\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.options = options;\n    this.getAssertion = getAssertion;\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...this.options,\n      logger,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n        return this.msalClient.getTokenByClientAssertion(\n          arrayScopes,\n          this.getAssertion,\n          newOptions,\n        );\n      },\n    );\n  }\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAKA,wBAAiC;AACjC,2BAGO;AAGP,oBAA2C;AAC3C,qBAAiC;AACjC,qBAA8B;AAE9B,MAAM,aAAS,iCAAiB,2BAA2B;AAKpD,MAAM,0BAAqD;AAAA,EACxD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYR,YACE,UACA,UACA,cACA,UAA4C,CAAC,GAC7C;AACA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,cAAc;AACjB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,WAAW;AAChB,SAAK,mCAA+B;AAAA,MAClC,SAAS;AAAA,IACX;AAEA,SAAK,UAAU;AACf,SAAK,eAAe;AACpB,SAAK,iBAAa,oCAAiB,UAAU,UAAU;AAAA,MACrD,GAAG,KAAK;AAAA,MACR;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,QAA2B,UAA2B,CAAC,GAAyB;AAC7F,WAAO,6BAAc;AAAA,MACnB,GAAG,KAAK,YAAY,IAAI;AAAA,MACxB;AAAA,MACA,OAAO,eAAe;AACpB,mBAAW,eAAW;AAAA,UACpB,KAAK;AAAA,UACL;AAAA,UACA,KAAK;AAAA,UACL;AAAA,QACF;AAEA,cAAM,cAAc,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC,MAAM;AAC5D,eAAO,KAAK,WAAW;AAAA,UACrB;AAAA,UACA,KAAK;AAAA,UACL;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/commonjs/credentials/clientAssertionCredentialOptions.js

@@ -1,5 +1,16 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=clientAssertionCredentialOptions.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var clientAssertionCredentialOptions_exports = {};
+module.exports = __toCommonJS(clientAssertionCredentialOptions_exports);
+//# sourceMappingURL=clientAssertionCredentialOptions.js.map

package/dist/commonjs/credentials/clientAssertionCredentialOptions.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"clientAssertionCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/clientAssertionCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link ClientAssertionCredential}\n */\nexport interface ClientAssertionCredentialOptions\n  extends\n    MultiTenantTokenCredentialOptions,\n    CredentialPersistenceOptions,\n    AuthorityValidationOptions {}\n"]}
+{
+  "version": 3,
+  "sources": ["../../../src/credentials/clientAssertionCredentialOptions.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link ClientAssertionCredential}\n */\nexport interface ClientAssertionCredentialOptions\n  extends\n    MultiTenantTokenCredentialOptions,\n    CredentialPersistenceOptions,\n    AuthorityValidationOptions {}\n"],
+  "mappings": ";;;;;;;;;;;;;AAAA;AAAA;",
+  "names": []
+}

package/dist/commonjs/credentials/clientCertificateCredential.js

@@ -1,131 +1,137 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientCertificateCredential = void 0;
-exports.parseCertificate = parseCertificate;
-const msalClient_js_1 = require("../msal/nodeFlows/msalClient.js");
-const node_crypto_1 = require("node:crypto");
-const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
-const logging_js_1 = require("../util/logging.js");
-const promises_1 = require("node:fs/promises");
-const tracing_js_1 = require("../util/tracing.js");
-const certificatesUtils_js_1 = require("../util/certificatesUtils.js");
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var clientCertificateCredential_exports = {};
+__export(clientCertificateCredential_exports, {
+  ClientCertificateCredential: () => ClientCertificateCredential,
+  parseCertificate: () => parseCertificate
+});
+module.exports = __toCommonJS(clientCertificateCredential_exports);
+var import_msalClient = require("../msal/nodeFlows/msalClient.js");
+var import_node_crypto = require("node:crypto");
+var import_tenantIdUtils = require("../util/tenantIdUtils.js");
+var import_logging = require("../util/logging.js");
+var import_promises = require("node:fs/promises");
+var import_tracing = require("../util/tracing.js");
+var import_certificatesUtils = require("../util/certificatesUtils.js");
 const credentialName = "ClientCertificateCredential";
-const logger = (0, logging_js_1.credentialLogger)(credentialName);
-/**
- * Enables authentication to Microsoft Entra ID using a PEM-encoded
- * certificate that is assigned to an App Registration. More information
- * on how to configure certificate authentication can be found here:
- *
- * https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
- *
- */
+const logger = (0, import_logging.credentialLogger)(credentialName);
 class ClientCertificateCredential {
-    tenantId;
-    additionallyAllowedTenantIds;
-    certificateConfiguration;
-    sendCertificateChain;
-    msalClient;
-    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
-        if (!tenantId || !clientId) {
-            throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);
-        }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options?.additionallyAllowedTenants);
-        this.sendCertificateChain = options.sendCertificateChain;
-        this.certificateConfiguration = {
-            ...(typeof certificatePathOrConfiguration === "string"
-                ? {
-                    certificatePath: certificatePathOrConfiguration,
-                }
-                : certificatePathOrConfiguration),
-        };
-        const certificate = this.certificateConfiguration
-            .certificate;
-        const certificatePath = this.certificateConfiguration
-            .certificatePath;
-        if (!this.certificateConfiguration || !(certificate || certificatePath)) {
-            throw new Error(`${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        if (certificate && certificatePath) {
-            throw new Error(`${credentialName}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        this.msalClient = (0, msalClient_js_1.createMsalClient)(clientId, tenantId, {
-            ...options,
-            logger,
-        });
+  tenantId;
+  additionallyAllowedTenantIds;
+  certificateConfiguration;
+  sendCertificateChain;
+  msalClient;
+  constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
+    if (!tenantId || !clientId) {
+      throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);
     }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracing_js_1.tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            const certificate = await this.buildClientCertificate();
-            return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);
-        });
+    this.tenantId = tenantId;
+    this.additionallyAllowedTenantIds = (0, import_tenantIdUtils.resolveAdditionallyAllowedTenantIds)(
+      options?.additionallyAllowedTenants
+    );
+    this.sendCertificateChain = options.sendCertificateChain;
+    this.certificateConfiguration = {
+      ...typeof certificatePathOrConfiguration === "string" ? {
+        certificatePath: certificatePathOrConfiguration
+      } : certificatePathOrConfiguration
+    };
+    const certificate = this.certificateConfiguration.certificate;
+    const certificatePath = this.certificateConfiguration.certificatePath;
+    if (!this.certificateConfiguration || !(certificate || certificatePath)) {
+      throw new Error(
+        `${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`
+      );
     }
-    async buildClientCertificate() {
-        const parts = await parseCertificate(this.certificateConfiguration, this.sendCertificateChain ?? false);
-        let privateKey;
-        if (this.certificateConfiguration.certificatePassword !== undefined) {
-            privateKey = (0, node_crypto_1.createPrivateKey)({
-                key: parts.certificateContents,
-                passphrase: this.certificateConfiguration.certificatePassword,
-                format: "pem",
-            })
-                .export({
-                format: "pem",
-                type: "pkcs8",
-            })
-                .toString();
-        }
-        else {
-            privateKey = parts.certificateContents;
-        }
-        return {
-            thumbprint: parts.thumbprint,
-            thumbprintSha256: parts.thumbprintSha256,
-            privateKey,
-            x5c: parts.x5c,
-        };
+    if (certificate && certificatePath) {
+      throw new Error(
+        `${credentialName}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`
+      );
+    }
+    this.msalClient = (0, import_msalClient.createMsalClient)(clientId, tenantId, {
+      ...options,
+      logger
+    });
+  }
+  /**
+   * Authenticates with Microsoft Entra ID and returns an access token if successful.
+   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+   *
+   * @param scopes - The list of scopes for which the token will have access.
+   * @param options - The options used to configure any requests this
+   *                TokenCredential implementation might make.
+   */
+  async getToken(scopes, options = {}) {
+    return import_tracing.tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
+      newOptions.tenantId = (0, import_tenantIdUtils.processMultiTenantRequest)(
+        this.tenantId,
+        newOptions,
+        this.additionallyAllowedTenantIds,
+        logger
+      );
+      const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+      const certificate = await this.buildClientCertificate();
+      return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);
+    });
+  }
+  async buildClientCertificate() {
+    const parts = await parseCertificate(
+      this.certificateConfiguration,
+      this.sendCertificateChain ?? false
+    );
+    let privateKey;
+    if (this.certificateConfiguration.certificatePassword !== void 0) {
+      privateKey = (0, import_node_crypto.createPrivateKey)({
+        key: parts.certificateContents,
+        passphrase: this.certificateConfiguration.certificatePassword,
+        format: "pem"
+      }).export({
+        format: "pem",
+        type: "pkcs8"
+      }).toString();
+    } else {
+      privateKey = parts.certificateContents;
     }
-}
-exports.ClientCertificateCredential = ClientCertificateCredential;
-/**
- * Parses a certificate into its relevant parts
- *
- * @param certificateConfiguration - The certificate contents or path to the certificate
- * @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise
- * @returns The parsed certificate parts and the certificate contents
- */
-async function parseCertificate(certificateConfiguration, sendCertificateChain) {
-    const certificate = certificateConfiguration.certificate;
-    const certificatePath = certificateConfiguration
-        .certificatePath;
-    const certificateContents = certificate || (await (0, promises_1.readFile)(certificatePath, "utf8"));
-    const x5c = sendCertificateChain ? certificateContents : undefined;
-    const publicKeys = (0, certificatesUtils_js_1.extractPemCertificateKeys)(certificateContents);
-    const thumbprint = (0, node_crypto_1.createHash)("sha1") // CodeQL [SM04514] Needed for backward compatibility reason
-        .update(Buffer.from(publicKeys[0], "base64"))
-        .digest("hex")
-        .toUpperCase();
-    const thumbprintSha256 = (0, node_crypto_1.createHash)("sha256")
-        .update(Buffer.from(publicKeys[0], "base64"))
-        .digest("hex")
-        .toUpperCase();
     return {
-        certificateContents,
-        thumbprintSha256,
-        thumbprint,
-        x5c,
+      thumbprint: parts.thumbprint,
+      thumbprintSha256: parts.thumbprintSha256,
+      privateKey,
+      x5c: parts.x5c
     };
+  }
+}
+async function parseCertificate(certificateConfiguration, sendCertificateChain) {
+  const certificate = certificateConfiguration.certificate;
+  const certificatePath = certificateConfiguration.certificatePath;
+  const certificateContents = certificate || await (0, import_promises.readFile)(certificatePath, "utf8");
+  const x5c = sendCertificateChain ? certificateContents : void 0;
+  const publicKeys = (0, import_certificatesUtils.extractPemCertificateKeys)(certificateContents);
+  const thumbprint = (0, import_node_crypto.createHash)("sha1").update(Buffer.from(publicKeys[0], "base64")).digest("hex").toUpperCase();
+  const thumbprintSha256 = (0, import_node_crypto.createHash)("sha256").update(Buffer.from(publicKeys[0], "base64")).digest("hex").toUpperCase();
+  return {
+    certificateContents,
+    thumbprintSha256,
+    thumbprint,
+    x5c
+  };
 }
-//# sourceMappingURL=clientCertificateCredential.js.map
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ClientCertificateCredential,
+  parseCertificate
+});
+//# sourceMappingURL=clientCertificateCredential.js.map

package/dist/commonjs/credentials/clientCertificateCredential.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"clientCertificateCredential.js","sourceRoot":"","sources":["../../../src/credentials/clientCertificateCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAkMlC,4CA4BC;AA1ND,mEAAmE;AACnE,6CAA2D;AAC3D,+DAGkC;AAIlC,mDAAsD;AACtD,+CAA4C;AAC5C,mDAAmD;AAMnD,uEAAyE;AAEzE,MAAM,cAAc,GAAG,6BAA6B,CAAC;AACrD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,cAAc,CAAC,CAAC;AAEhD;;;;;;;GAOG;AACH,MAAa,2BAA2B;IAC9B,QAAQ,CAAS;IACjB,4BAA4B,CAAW;IACvC,wBAAwB,CAA8C;IACtE,oBAAoB,CAAW;IAC/B,UAAU,CAAa;IAkD/B,YACE,QAAgB,EAChB,QAAgB,EAChB,8BAAoF,EACpF,UAA8C,EAAE;QAEhD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,cAAc,kDAAkD,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QAEF,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;QAEzD,IAAI,CAAC,wBAAwB,GAAG;YAC9B,GAAG,CAAC,OAAO,8BAA8B,KAAK,QAAQ;gBACpD,CAAC,CAAC;oBACE,eAAe,EAAE,8BAA8B;iBAChD;gBACH,CAAC,CAAC,8BAA8B,CAAC;SACpC,CAAC;QACF,MAAM,WAAW,GAAI,IAAI,CAAC,wBAA4D;aACnF,WAAW,CAAC;QACf,MAAM,eAAe,GAAI,IAAI,CAAC,wBAAgE;aAC3F,eAAe,CAAC;QACnB,IAAI,CAAC,IAAI,CAAC,wBAAwB,IAAI,CAAC,CAAC,WAAW,IAAI,eAAe,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CACb,GAAG,cAAc,4MAA4M,CAC9N,CAAC;QACJ,CAAC;QACD,IAAI,WAAW,IAAI,eAAe,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACb,GAAG,cAAc,wOAAwO,CAC1P,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,IAAA,gCAAgB,EAAC,QAAQ,EAAE,QAAQ,EAAE;YACrD,GAAG,OAAO;YACV,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,cAAc,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YACxF,UAAU,CAAC,QAAQ,GAAG,IAAA,4CAAyB,EAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC,UAAU,CAAC,2BAA2B,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,sBAAsB;QAClC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,IAAI,CAAC,wBAAwB,EAC7B,IAAI,CAAC,oBAAoB,IAAI,KAAK,CACnC,CAAC;QAEF,IAAI,UAAkB,CAAC;QACvB,IAAI,IAAI,CAAC,wBAAwB,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;YACpE,UAAU,GAAG,IAAA,8BAAgB,EAAC;gBAC5B,GAAG,EAAE,KAAK,CAAC,mBAAmB;gBAC9B,UAAU,EAAE,IAAI,CAAC,wBAAwB,CAAC,mBAAmB;gBAC7D,MAAM,EAAE,KAAK;aACd,CAAC;iBACC,MAAM,CAAC;gBACN,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,OAAO;aACd,CAAC;iBACD,QAAQ,EAAE,CAAC;QAChB,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,KAAK,CAAC,mBAAmB,CAAC;QACzC,CAAC;QAED,OAAO;YACL,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;YACxC,UAAU;YACV,GAAG,EAAE,KAAK,CAAC,GAAG;SACf,CAAC;IACJ,CAAC;CACF;AAvJD,kEAuJC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,gBAAgB,CACpC,wBAAqE,EACrE,oBAA6B;IAE7B,MAAM,WAAW,GAAI,wBAA4D,CAAC,WAAW,CAAC;IAC9F,MAAM,eAAe,GAAI,wBAAgE;SACtF,eAAe,CAAC;IACnB,MAAM,mBAAmB,GAAG,WAAW,IAAI,CAAC,MAAM,IAAA,mBAAQ,EAAC,eAAgB,EAAE,MAAM,CAAC,CAAC,CAAC;IACtF,MAAM,GAAG,GAAG,oBAAoB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS,CAAC;IAEnE,MAAM,UAAU,GAAG,IAAA,gDAAyB,EAAC,mBAAmB,CAAC,CAAC;IAElE,MAAM,UAAU,GAAG,IAAA,wBAAU,EAAC,MAAM,CAAC,CAAC,4DAA4D;SAC/F,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;SAC5C,MAAM,CAAC,KAAK,CAAC;SACb,WAAW,EAAE,CAAC;IAEjB,MAAM,gBAAgB,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC;SAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;SAC5C,MAAM,CAAC,KAAK,CAAC;SACb,WAAW,EAAE,CAAC;IAEjB,OAAO;QACL,mBAAmB;QACnB,gBAAgB;QAChB,UAAU;QACV,GAAG;KACJ,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createHash, createPrivateKey } from \"node:crypto\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { CertificateParts } from \"../msal/types.js\";\nimport type { ClientCertificateCredentialOptions } from \"./clientCertificateCredentialOptions.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { readFile } from \"node:fs/promises\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type {\n  ClientCertificateCredentialPEMConfiguration,\n  ClientCertificatePEMCertificate,\n  ClientCertificatePEMCertificatePath,\n} from \"./clientCertificateCredentialModels.js\";\nimport { extractPemCertificateKeys } from \"../util/certificatesUtils.js\";\n\nconst credentialName = \"ClientCertificateCredential\";\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Microsoft Entra ID using a PEM-encoded\n * certificate that is assigned to an App Registration. More information\n * on how to configure certificate authentication can be found here:\n *\n * https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad\n *\n */\nexport class ClientCertificateCredential implements TokenCredential {\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private certificateConfiguration: ClientCertificateCredentialPEMConfiguration;\n  private sendCertificateChain?: boolean;\n  private msalClient: MsalClient;\n\n  /**\n   * Creates an instance of the ClientCertificateCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a certificate.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.\n   * Ensure that certificate is in PEM format and contains both the public and private keys.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    certificatePath: string,\n    options?: ClientCertificateCredentialOptions,\n  );\n  /**\n   * Creates an instance of the ClientCertificateCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a certificate.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param configuration - Other parameters required, including the path of the certificate on the filesystem.\n   *                        If the type is ignored, we will throw the value of the path to a PEM certificate.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    configuration: ClientCertificatePEMCertificatePath,\n    options?: ClientCertificateCredentialOptions,\n  );\n  /**\n   * Creates an instance of the ClientCertificateCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a certificate.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param configuration - Other parameters required, including the PEM-encoded certificate as a string.\n   *                        If the type is ignored, we will throw the value of the PEM-encoded certificate.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    configuration: ClientCertificatePEMCertificate,\n    options?: ClientCertificateCredentialOptions,\n  );\n  constructor(\n    tenantId: string,\n    clientId: string,\n    certificatePathOrConfiguration: string | ClientCertificateCredentialPEMConfiguration,\n    options: ClientCertificateCredentialOptions = {},\n  ) {\n    if (!tenantId || !clientId) {\n      throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);\n    }\n\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.sendCertificateChain = options.sendCertificateChain;\n\n    this.certificateConfiguration = {\n      ...(typeof certificatePathOrConfiguration === \"string\"\n        ? {\n            certificatePath: certificatePathOrConfiguration,\n          }\n        : certificatePathOrConfiguration),\n    };\n    const certificate = (this.certificateConfiguration as ClientCertificatePEMCertificate)\n      .certificate;\n    const certificatePath = (this.certificateConfiguration as ClientCertificatePEMCertificatePath)\n      .certificatePath;\n    if (!this.certificateConfiguration || !(certificate || certificatePath)) {\n      throw new Error(\n        `${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n    if (certificate && certificatePath) {\n      throw new Error(\n        `${credentialName}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...options,\n      logger,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {\n      newOptions.tenantId = processMultiTenantRequest(\n        this.tenantId,\n        newOptions,\n        this.additionallyAllowedTenantIds,\n        logger,\n      );\n\n      const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n      const certificate = await this.buildClientCertificate();\n      return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);\n    });\n  }\n\n  private async buildClientCertificate(): Promise<CertificateParts> {\n    const parts = await parseCertificate(\n      this.certificateConfiguration,\n      this.sendCertificateChain ?? false,\n    );\n\n    let privateKey: string;\n    if (this.certificateConfiguration.certificatePassword !== undefined) {\n      privateKey = createPrivateKey({\n        key: parts.certificateContents,\n        passphrase: this.certificateConfiguration.certificatePassword,\n        format: \"pem\",\n      })\n        .export({\n          format: \"pem\",\n          type: \"pkcs8\",\n        })\n        .toString();\n    } else {\n      privateKey = parts.certificateContents;\n    }\n\n    return {\n      thumbprint: parts.thumbprint,\n      thumbprintSha256: parts.thumbprintSha256,\n      privateKey,\n      x5c: parts.x5c,\n    };\n  }\n}\n\n/**\n * Parses a certificate into its relevant parts\n *\n * @param certificateConfiguration - The certificate contents or path to the certificate\n * @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise\n * @returns The parsed certificate parts and the certificate contents\n */\nexport async function parseCertificate(\n  certificateConfiguration: ClientCertificateCredentialPEMConfiguration,\n  sendCertificateChain: boolean,\n): Promise<Omit<CertificateParts, \"privateKey\"> & { certificateContents: string }> {\n  const certificate = (certificateConfiguration as ClientCertificatePEMCertificate).certificate;\n  const certificatePath = (certificateConfiguration as ClientCertificatePEMCertificatePath)\n    .certificatePath;\n  const certificateContents = certificate || (await readFile(certificatePath!, \"utf8\"));\n  const x5c = sendCertificateChain ? certificateContents : undefined;\n\n  const publicKeys = extractPemCertificateKeys(certificateContents);\n\n  const thumbprint = createHash(\"sha1\") // CodeQL [SM04514] Needed for backward compatibility reason\n    .update(Buffer.from(publicKeys[0], \"base64\"))\n    .digest(\"hex\")\n    .toUpperCase();\n\n  const thumbprintSha256 = createHash(\"sha256\")\n    .update(Buffer.from(publicKeys[0], \"base64\"))\n    .digest(\"hex\")\n    .toUpperCase();\n\n  return {\n    certificateContents,\n    thumbprintSha256,\n    thumbprint,\n    x5c,\n  };\n}\n"]}
+{
+  "version": 3,
+  "sources": ["../../../src/credentials/clientCertificateCredential.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createHash, createPrivateKey } from \"node:crypto\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { CertificateParts } from \"../msal/types.js\";\nimport type { ClientCertificateCredentialOptions } from \"./clientCertificateCredentialOptions.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { readFile } from \"node:fs/promises\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type {\n  ClientCertificateCredentialPEMConfiguration,\n  ClientCertificatePEMCertificate,\n  ClientCertificatePEMCertificatePath,\n} from \"./clientCertificateCredentialModels.js\";\nimport { extractPemCertificateKeys } from \"../util/certificatesUtils.js\";\n\nconst credentialName = \"ClientCertificateCredential\";\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Microsoft Entra ID using a PEM-encoded\n * certificate that is assigned to an App Registration. More information\n * on how to configure certificate authentication can be found here:\n *\n * https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad\n *\n */\nexport class ClientCertificateCredential implements TokenCredential {\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private certificateConfiguration: ClientCertificateCredentialPEMConfiguration;\n  private sendCertificateChain?: boolean;\n  private msalClient: MsalClient;\n\n  /**\n   * Creates an instance of the ClientCertificateCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a certificate.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.\n   * Ensure that certificate is in PEM format and contains both the public and private keys.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    certificatePath: string,\n    options?: ClientCertificateCredentialOptions,\n  );\n  /**\n   * Creates an instance of the ClientCertificateCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a certificate.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param configuration - Other parameters required, including the path of the certificate on the filesystem.\n   *                        If the type is ignored, we will throw the value of the path to a PEM certificate.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    configuration: ClientCertificatePEMCertificatePath,\n    options?: ClientCertificateCredentialOptions,\n  );\n  /**\n   * Creates an instance of the ClientCertificateCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a certificate.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param configuration - Other parameters required, including the PEM-encoded certificate as a string.\n   *                        If the type is ignored, we will throw the value of the PEM-encoded certificate.\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    configuration: ClientCertificatePEMCertificate,\n    options?: ClientCertificateCredentialOptions,\n  );\n  constructor(\n    tenantId: string,\n    clientId: string,\n    certificatePathOrConfiguration: string | ClientCertificateCredentialPEMConfiguration,\n    options: ClientCertificateCredentialOptions = {},\n  ) {\n    if (!tenantId || !clientId) {\n      throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);\n    }\n\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.sendCertificateChain = options.sendCertificateChain;\n\n    this.certificateConfiguration = {\n      ...(typeof certificatePathOrConfiguration === \"string\"\n        ? {\n            certificatePath: certificatePathOrConfiguration,\n          }\n        : certificatePathOrConfiguration),\n    };\n    const certificate = (this.certificateConfiguration as ClientCertificatePEMCertificate)\n      .certificate;\n    const certificatePath = (this.certificateConfiguration as ClientCertificatePEMCertificatePath)\n      .certificatePath;\n    if (!this.certificateConfiguration || !(certificate || certificatePath)) {\n      throw new Error(\n        `${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n    if (certificate && certificatePath) {\n      throw new Error(\n        `${credentialName}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...options,\n      logger,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {\n      newOptions.tenantId = processMultiTenantRequest(\n        this.tenantId,\n        newOptions,\n        this.additionallyAllowedTenantIds,\n        logger,\n      );\n\n      const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n      const certificate = await this.buildClientCertificate();\n      return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);\n    });\n  }\n\n  private async buildClientCertificate(): Promise<CertificateParts> {\n    const parts = await parseCertificate(\n      this.certificateConfiguration,\n      this.sendCertificateChain ?? false,\n    );\n\n    let privateKey: string;\n    if (this.certificateConfiguration.certificatePassword !== undefined) {\n      privateKey = createPrivateKey({\n        key: parts.certificateContents,\n        passphrase: this.certificateConfiguration.certificatePassword,\n        format: \"pem\",\n      })\n        .export({\n          format: \"pem\",\n          type: \"pkcs8\",\n        })\n        .toString();\n    } else {\n      privateKey = parts.certificateContents;\n    }\n\n    return {\n      thumbprint: parts.thumbprint,\n      thumbprintSha256: parts.thumbprintSha256,\n      privateKey,\n      x5c: parts.x5c,\n    };\n  }\n}\n\n/**\n * Parses a certificate into its relevant parts\n *\n * @param certificateConfiguration - The certificate contents or path to the certificate\n * @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise\n * @returns The parsed certificate parts and the certificate contents\n */\nexport async function parseCertificate(\n  certificateConfiguration: ClientCertificateCredentialPEMConfiguration,\n  sendCertificateChain: boolean,\n): Promise<Omit<CertificateParts, \"privateKey\"> & { certificateContents: string }> {\n  const certificate = (certificateConfiguration as ClientCertificatePEMCertificate).certificate;\n  const certificatePath = (certificateConfiguration as ClientCertificatePEMCertificatePath)\n    .certificatePath;\n  const certificateContents = certificate || (await readFile(certificatePath!, \"utf8\"));\n  const x5c = sendCertificateChain ? certificateContents : undefined;\n\n  const publicKeys = extractPemCertificateKeys(certificateContents);\n\n  const thumbprint = createHash(\"sha1\") // CodeQL [SM04514] Needed for backward compatibility reason\n    .update(Buffer.from(publicKeys[0], \"base64\"))\n    .digest(\"hex\")\n    .toUpperCase();\n\n  const thumbprintSha256 = createHash(\"sha256\")\n    .update(Buffer.from(publicKeys[0], \"base64\"))\n    .digest(\"hex\")\n    .toUpperCase();\n\n  return {\n    certificateContents,\n    thumbprintSha256,\n    thumbprint,\n    x5c,\n  };\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAKA,wBAAiC;AACjC,yBAA6C;AAC7C,2BAGO;AAIP,qBAAiC;AACjC,sBAAyB;AACzB,qBAA8B;AAM9B,+BAA0C;AAE1C,MAAM,iBAAiB;AACvB,MAAM,aAAS,iCAAiB,cAAc;AAUvC,MAAM,4BAAuD;AAAA,EAC1D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAkDR,YACE,UACA,UACA,gCACA,UAA8C,CAAC,GAC/C;AACA,QAAI,CAAC,YAAY,CAAC,UAAU;AAC1B,YAAM,IAAI,MAAM,GAAG,cAAc,kDAAkD;AAAA,IACrF;AAEA,SAAK,WAAW;AAChB,SAAK,mCAA+B;AAAA,MAClC,SAAS;AAAA,IACX;AAEA,SAAK,uBAAuB,QAAQ;AAEpC,SAAK,2BAA2B;AAAA,MAC9B,GAAI,OAAO,mCAAmC,WAC1C;AAAA,QACE,iBAAiB;AAAA,MACnB,IACA;AAAA,IACN;AACA,UAAM,cAAe,KAAK,yBACvB;AACH,UAAM,kBAAmB,KAAK,yBAC3B;AACH,QAAI,CAAC,KAAK,4BAA4B,EAAE,eAAe,kBAAkB;AACvE,YAAM,IAAI;AAAA,QACR,GAAG,cAAc;AAAA,MACnB;AAAA,IACF;AACA,QAAI,eAAe,iBAAiB;AAClC,YAAM,IAAI;AAAA,QACR,GAAG,cAAc;AAAA,MACnB;AAAA,IACF;AACA,SAAK,iBAAa,oCAAiB,UAAU,UAAU;AAAA,MACrD,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,QAA2B,UAA2B,CAAC,GAAyB;AAC7F,WAAO,6BAAc,SAAS,GAAG,cAAc,aAAa,SAAS,OAAO,eAAe;AACzF,iBAAW,eAAW;AAAA,QACpB,KAAK;AAAA,QACL;AAAA,QACA,KAAK;AAAA,QACL;AAAA,MACF;AAEA,YAAM,cAAc,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC,MAAM;AAC5D,YAAM,cAAc,MAAM,KAAK,uBAAuB;AACtD,aAAO,KAAK,WAAW,4BAA4B,aAAa,aAAa,UAAU;AAAA,IACzF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,yBAAoD;AAChE,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL,KAAK,wBAAwB;AAAA,IAC/B;AAEA,QAAI;AACJ,QAAI,KAAK,yBAAyB,wBAAwB,QAAW;AACnE,uBAAa,qCAAiB;AAAA,QAC5B,KAAK,MAAM;AAAA,QACX,YAAY,KAAK,yBAAyB;AAAA,QAC1C,QAAQ;AAAA,MACV,CAAC,EACE,OAAO;AAAA,QACN,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC,EACA,SAAS;AAAA,IACd,OAAO;AACL,mBAAa,MAAM;AAAA,IACrB;AAEA,WAAO;AAAA,MACL,YAAY,MAAM;AAAA,MAClB,kBAAkB,MAAM;AAAA,MACxB;AAAA,MACA,KAAK,MAAM;AAAA,IACb;AAAA,EACF;AACF;AASA,eAAsB,iBACpB,0BACA,sBACiF;AACjF,QAAM,cAAe,yBAA6D;AAClF,QAAM,kBAAmB,yBACtB;AACH,QAAM,sBAAsB,eAAgB,UAAM,0BAAS,iBAAkB,MAAM;AACnF,QAAM,MAAM,uBAAuB,sBAAsB;AAEzD,QAAM,iBAAa,oDAA0B,mBAAmB;AAEhE,QAAM,iBAAa,+BAAW,MAAM,EACjC,OAAO,OAAO,KAAK,WAAW,CAAC,GAAG,QAAQ,CAAC,EAC3C,OAAO,KAAK,EACZ,YAAY;AAEf,QAAM,uBAAmB,+BAAW,QAAQ,EACzC,OAAO,OAAO,KAAK,WAAW,CAAC,GAAG,QAAQ,CAAC,EAC3C,OAAO,KAAK,EACZ,YAAY;AAEf,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/commonjs/credentials/clientCertificateCredentialModels.js

@@ -1,5 +1,16 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=clientCertificateCredentialModels.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var clientCertificateCredentialModels_exports = {};
+module.exports = __toCommonJS(clientCertificateCredentialModels_exports);
+//# sourceMappingURL=clientCertificateCredentialModels.js.map

package/dist/commonjs/credentials/clientCertificateCredentialModels.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"clientCertificateCredentialModels.js","sourceRoot":"","sources":["../../../src/credentials/clientCertificateCredentialModels.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\n/**\n * Required configuration options for the {@link ClientCertificateCredential}, with the string contents of a PEM certificate\n */\nexport interface ClientCertificatePEMCertificate {\n  /**\n   * The PEM-encoded public/private key certificate on the filesystem.\n   * Ensure that certificate is in PEM format and contains both the public and private keys.\n   */\n  certificate: string;\n\n  /**\n   * The password for the certificate file.\n   */\n  certificatePassword?: string;\n}\n/**\n * Required configuration options for the {@link ClientCertificateCredential}, with the path to a PEM certificate.\n */\nexport interface ClientCertificatePEMCertificatePath {\n  /**\n   * The path to the PEM-encoded public/private key certificate on the filesystem.\n   */\n  certificatePath: string;\n\n  /**\n   * The password for the certificate file.\n   */\n  certificatePassword?: string;\n}\n/**\n * Required configuration options for the {@link ClientCertificateCredential}, with either the string contents of a PEM certificate, or the path to a PEM certificate.\n */\nexport type ClientCertificateCredentialPEMConfiguration =\n  | ClientCertificatePEMCertificate\n  | ClientCertificatePEMCertificatePath;\n"]}
+{
+  "version": 3,
+  "sources": ["../../../src/credentials/clientCertificateCredentialModels.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\n/**\n * Required configuration options for the {@link ClientCertificateCredential}, with the string contents of a PEM certificate\n */\nexport interface ClientCertificatePEMCertificate {\n  /**\n   * The PEM-encoded public/private key certificate on the filesystem.\n   * Ensure that certificate is in PEM format and contains both the public and private keys.\n   */\n  certificate: string;\n\n  /**\n   * The password for the certificate file.\n   */\n  certificatePassword?: string;\n}\n/**\n * Required configuration options for the {@link ClientCertificateCredential}, with the path to a PEM certificate.\n */\nexport interface ClientCertificatePEMCertificatePath {\n  /**\n   * The path to the PEM-encoded public/private key certificate on the filesystem.\n   */\n  certificatePath: string;\n\n  /**\n   * The password for the certificate file.\n   */\n  certificatePassword?: string;\n}\n/**\n * Required configuration options for the {@link ClientCertificateCredential}, with either the string contents of a PEM certificate, or the path to a PEM certificate.\n */\nexport type ClientCertificateCredentialPEMConfiguration =\n  | ClientCertificatePEMCertificate\n  | ClientCertificatePEMCertificatePath;\n"],
+  "mappings": ";;;;;;;;;;;;;AAAA;AAAA;",
+  "names": []
+}

package/dist/commonjs/credentials/clientCertificateCredentialOptions.js

@@ -1,5 +1,16 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=clientCertificateCredentialOptions.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var clientCertificateCredentialOptions_exports = {};
+module.exports = __toCommonJS(clientCertificateCredentialOptions_exports);
+//# sourceMappingURL=clientCertificateCredentialOptions.js.map