@azure/identity 4.3.0-alpha.20240507.1 → 4.3.0-alpha.20240508.2
- package/README.md +15 -13
- package/dist/index.js +116 -65
- package/dist/index.js.map +1 -1
- package/dist-esm/src/credentials/azurePipelinesCredential.browser.js +23 -0
- package/dist-esm/src/credentials/azurePipelinesCredential.browser.js.map +1 -0
- package/dist-esm/src/credentials/{azurePipelinesServiceConnectionCredential.js → azurePipelinesCredential.js} +10 -9
- package/dist-esm/src/credentials/azurePipelinesCredential.js.map +1 -0
- package/dist-esm/src/credentials/{azurePipelinesServiceConnectionCredentialOptions.js → azurePipelinesCredentialOptions.js} +1 -1
- package/dist-esm/src/credentials/azurePipelinesCredentialOptions.js.map +1 -0
- package/dist-esm/src/credentials/deviceCodeCredential.js +11 -6
- package/dist-esm/src/credentials/deviceCodeCredential.js.map +1 -1
- package/dist-esm/src/index.js +1 -1
- package/dist-esm/src/index.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClient.js +101 -21
- package/dist-esm/src/msal/nodeFlows/msalClient.js.map +1 -1
- package/package.json +3 -2
- package/types/identity.d.ts +8 -6
- package/dist-esm/src/credentials/azurePipelinesServiceConnectionCredential.js.map +0 -1
- package/dist-esm/src/credentials/azurePipelinesServiceConnectionCredentialOptions.js.map +0 -1
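--- a/package/README.md
+++ b/package/README.md
@@ -237,22 +237,24 @@ Not all credentials require this configuration. Credentials that authenticate th
 
 ### Authenticate Azure-hosted applications
 
-| Credential | Usage
-| -------------------------------------------------------------------------------------------------------------------------------------------- |
-| [`DefaultAzureCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/defaultazurecredential?view=azure-node-latest) | Provides a simplified authentication experience to quickly start developing applications run in Azure.
-| [`ChainedTokenCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/chainedtokencredential?view=azure-node-latest) | Allows users to define custom authentication flows composing multiple credentials.
-| [`EnvironmentCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/environmentcredential?view=azure-node-latest) | Authenticates a service principal or user via credential information specified in environment variables.
-| [`ManagedIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest) | Authenticates the managed identity of an Azure resource.
-| [`WorkloadIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/workloadidentitycredential?view=azure-node-latest) | Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes.
-|
+| Credential | Usage | Example |
+| -------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [`DefaultAzureCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/defaultazurecredential?view=azure-node-latest) | Provides a simplified authentication experience to quickly start developing applications run in Azure. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-defaultazurecredential) |
+| [`ChainedTokenCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/chainedtokencredential?view=azure-node-latest) | Allows users to define custom authentication flows composing multiple credentials. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#chaining-credentials) |
+| [`EnvironmentCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/environmentcredential?view=azure-node-latest) | Authenticates a service principal or user via credential information specified in environment variables. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-environment-credentials) |
+| [`ManagedIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest) | Authenticates the managed identity of an Azure resource. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-in-azure-with-managed-identity) |
+| [`WorkloadIdentityCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/workloadidentitycredential?view=azure-node-latest) | Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-in-azure-with-workload-identity) |
+| |
 
 ### Authenticate service principals
 
-| Credential | Usage
-| ---------------------------------------------------------------------------------------------------------------------------------------------- |
-|
-| [`
-| [`
+| Credential | Usage | Example | Reference |
+| ---------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
+| `AzurePipelinesCredential` | Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops) on Azure Pipelines. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-in-azure-pipelines-with-service-connections) |
+| [`ClientAssertionCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/clientassertioncredential?view=azure-node-latest) | Authenticates a service principal using a signed client assertion. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-a-client-assertion) | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals) |
+| [`ClientCertificateCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/clientcertificatecredential?view=azure-node-latest) | Authenticates a service principal using a certificate. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-a-client-certificate) | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals) |
+| [`ClientSecretCredential`](https://learn.microsoft.com/javascript/api/@azure/identity/clientsecretcredential?view=azure-node-latest) | Authenticates a service principal using a secret. | [example](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-a-client-secret) | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals) |
+
 
 ### Authenticate users
 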
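--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1959,6 +1959,24 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
 : null,
 pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
 };
+const publicApps = new Map();
+async function getPublicApp(options = {}) {
+const appKey = options.enableCae ? "CAE" : "default";
+let publicClientApp = publicApps.get(appKey);
+if (publicClientApp) {
+msalLogger.getToken.info("Existing PublicClientApplication found in cache, returning it.");
+return publicClientApp;
+}
+// Initialize a new app and cache it
+msalLogger.getToken.info(`Creating new PublicClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
+const cachePlugin = options.enableCae
+? state.pluginConfiguration.cache.cachePluginCae
+: state.pluginConfiguration.cache.cachePlugin;
+state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
+publicClientApp = new msalCommon__namespace.PublicClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+publicApps.set(appKey, publicClientApp);
+return publicClientApp;
+}
 const confidentialApps = new Map();
 async function getConfidentialApp(options = {}) {
 const appKey = options.enableCae ? "CAE" : "default";
@@ -2033,7 +2051,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 if (e.name !== "AuthenticationRequiredError") {
 throw e;
 }
-if (
+if (options.disableAutomaticAuthentication) {
 throw new AuthenticationRequiredError({
 scopes,
 getTokenOptions: options,
@@ -2063,40 +2081,102 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 msalLogger.getToken.info(`Attempting to acquire token using client secret`);
 state.msalConfig.auth.clientSecret = clientSecret;
 const msalApp = await getConfidentialApp(options);
-
-
-
-
-
-
+try {
+const response = await msalApp.acquireTokenByClientCredential({
+scopes,
+authority: state.msalConfig.auth.authority,
+azureRegion: calculateRegionalAuthority(),
+claims: options === null || options === void 0 ? void 0 : options.claims,
+});
+ensureValidMsalToken(scopes, response, options);
+msalLogger.getToken.info(formatSuccess(scopes));
+return {
+token: response.accessToken,
+expiresOnTimestamp: response.expiresOn.getTime(),
+};
+}
+catch (err) {
+throw handleMsalError(scopes, err, options);
+}
 }
 async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
 msalLogger.getToken.info(`Attempting to acquire token using client assertion`);
 state.msalConfig.auth.clientAssertion = clientAssertion;
 const msalApp = await getConfidentialApp(options);
-
-
-
-
-
-
-
+try {
+const response = await msalApp.acquireTokenByClientCredential({
+scopes,
+authority: state.msalConfig.auth.authority,
+azureRegion: calculateRegionalAuthority(),
+claims: options === null || options === void 0 ? void 0 : options.claims,
+clientAssertion,
+});
+ensureValidMsalToken(scopes, response, options);
+msalLogger.getToken.info(formatSuccess(scopes));
+return {
+token: response.accessToken,
+expiresOnTimestamp: response.expiresOn.getTime(),
+};
+}
+catch (err) {
+throw handleMsalError(scopes, err, options);
+}
 }
 async function getTokenByClientCertificate(scopes, certificate, options = {}) {
 msalLogger.getToken.info(`Attempting to acquire token using client certificate`);
 state.msalConfig.auth.clientCertificate = certificate;
 const msalApp = await getConfidentialApp(options);
-
-
-
-
-
-
+try {
+const response = await msalApp.acquireTokenByClientCredential({
+scopes,
+authority: state.msalConfig.auth.authority,
+azureRegion: calculateRegionalAuthority(),
+claims: options === null || options === void 0 ? void 0 : options.claims,
+});
+ensureValidMsalToken(scopes, response, options);
+msalLogger.getToken.info(formatSuccess(scopes));
+return {
+token: response.accessToken,
+expiresOnTimestamp: response.expiresOn.getTime(),
+};
+}
+catch (err) {
+throw handleMsalError(scopes, err, options);
+}
+}
+async function getTokenByDeviceCode(scopes, deviceCodeCallback, options = {}) {
+msalLogger.getToken.info(`Attempting to acquire token using device code`);
+const msalApp = await getPublicApp(options);
+return withSilentAuthentication(msalApp, scopes, options, () => {
+var _a, _b;
+const requestOptions = {
+scopes,
+cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
+deviceCodeCallback,
+authority: state.msalConfig.auth.authority,
+claims: options === null || options === void 0 ? void 0 : options.claims,
+};
+const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
+if (options.abortSignal) {
+options.abortSignal.addEventListener("abort", () => {
+requestOptions.cancel = true;
+});
+}
+return deviceCodeRequest;
+});
+}
+function getActiveAccount() {
+if (!state.cachedAccount) {
+return undefined;
+}
+return msalToPublic(clientId, state.cachedAccount);
 }
 return {
+getActiveAccount,
 getTokenByClientSecret,
 getTokenByClientAssertion,
 getTokenByClientCertificate,
+getTokenByDeviceCode,
 };
 }
 
@@ -4222,39 +4302,6 @@ class InteractiveBrowserCredential {
 }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
-* MSAL device code client. Calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`.
-* @internal
-*/
-class MsalDeviceCode extends MsalNode {
-constructor(options) {
-super(options);
-this.userPromptCallback = options.userPromptCallback;
-}
-async doGetToken(scopes, options) {
-try {
-const requestOptions = {
-deviceCodeCallback: this.userPromptCallback,
-scopes,
-cancel: false,
-correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-authority: options === null || options === void 0 ? void 0 : options.authority,
-claims: options === null || options === void 0 ? void 0 : options.claims,
-};
-const promise = this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByDeviceCode(requestOptions);
-const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
-requestOptions.cancel = true;
-});
-return this.handleResult(scopes, deviceResponse || undefined);
-}
-catch (error) {
-throw handleMsalError(scopes, error, options);
-}
-}
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$3 = credentialLogger("DeviceCodeCredential");
@@ -4291,9 +4338,13 @@ class DeviceCodeCredential {
 * @param options - Options for configuring the client which makes the authentication requests.
 */
 constructor(options) {
+var _a, _b;
 this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
 this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-
+const clientId = (_a = options === null || options === void 0 ? void 0 : options.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId;
+const tenantId = resolveTenantId(logger$3, options === null || options === void 0 ? void 0 : options.tenantId, clientId);
+this.userPromptCallback = (_b = options === null || options === void 0 ? void 0 : options.userPromptCallback) !== null && _b !== void 0 ? _b : defaultDeviceCodePromptCallback;
+this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options || {} }));
 this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
 }
 /**
@@ -4312,7 +4363,7 @@ class DeviceCodeCredential {
 return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
 newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
 const arrayScopes = ensureScopes(scopes);
-return this.
+return this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
 });
 }
 /**
@@ -4328,24 +4379,24 @@ class DeviceCodeCredential {
 async authenticate(scopes, options = {}) {
 return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
 const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-await this.
-return this.
+await this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false }));
+return this.msalClient.getActiveAccount();
 });
 }
 }
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const credentialName$1 = "
+const credentialName$1 = "AzurePipelinesCredential";
 const logger$2 = credentialLogger(credentialName$1);
-const OIDC_API_VERSION = "7.1
+const OIDC_API_VERSION = "7.1";
 /**
 * This credential is designed to be used in Azure Pipelines with service connections
 * as a setup for workload identity federation.
 */
-class
+class AzurePipelinesCredential {
 /**
-*
+* AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
 * @param tenantId - tenantId associated with the service connection
 * @param clientId - clientId associated with the service connection
 * @param serviceConnectionId - id for the service connection, as found in the querystring's resourceId key
@@ -4355,8 +4406,9 @@ class AzurePipelinesServiceConnectionCredential {
 if (!clientId || !tenantId || !serviceConnectionId) {
 throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId, clientId, and serviceConnectionId are required parameters.`);
 }
+this.identityClient = new IdentityClient(options);
 checkTenantId(logger$2, tenantId);
-logger$2.info(`Invoking
+logger$2.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, clientId: ${clientId} and service connection id: ${serviceConnectionId}`);
 if (clientId && tenantId && serviceConnectionId) {
 this.ensurePipelinesSystemVars();
 const oidcRequestUrl = `${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI}${process.env.SYSTEM_TEAMPROJECTID}/_apis/distributedtask/hubs/build/plans/${process.env.SYSTEM_PLANID}/jobs/${process.env.SYSTEM_JOBID}/oidctoken?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
@@ -4400,7 +4452,6 @@ class AzurePipelinesServiceConnectionCredential {
 async requestOidcToken(oidcRequestUrl, systemAccessToken) {
 logger$2.info("Requesting OIDC token from Azure Pipelines...");
 logger$2.info(oidcRequestUrl);
-const httpClient = coreRestPipeline.createDefaultHttpClient();
 const request = coreRestPipeline.createPipelineRequest({
 url: oidcRequestUrl,
 method: "POST",
@@ -4409,7 +4460,7 @@ class AzurePipelinesServiceConnectionCredential {
 Authorization: `Bearer ${systemAccessToken}`,
 }),
 });
-const response = await
+const response = await this.identityClient.sendRequest(request);
 const text = response.bodyAsText;
 if (!text) {
 logger$2.error(`${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
@@ -4759,7 +4810,7 @@ exports.AuthenticationRequiredError = AuthenticationRequiredError;
 exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
 exports.AzureCliCredential = AzureCliCredential;
 exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential;
-exports.
+exports.AzurePipelinesCredential = AzurePipelinesCredential;
 exports.AzurePowerShellCredential = AzurePowerShellCredential;
 exports.ChainedTokenCredential = ChainedTokenCredential;
 exports.ClientAssertionCredential = ClientAssertionCredential;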
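Review bot: In `requestOidcToken`, the empty-body branch right after the new `this.identityClient.sendRequest(request)` call still writes `JSON.stringify(response)` to the error log, and the request behind that response carries `Authorization: Bearer ${systemAccessToken}`. If the serialized response includes its originating request and headers (not visible here, so worth confirming), the pipeline's system access token lands in the log output. I would drop the `Complete response - ${JSON.stringify(response)}` tail and keep only `Response status- ${response.status}`. The function body continues past this hunk, so any later log or error message built from `response` needs the same treatment. Since this file is the bundled output, the change belongs in the credential's source module rather than in the bundle.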