@azure/identity 4.3.0-alpha.20240509.1 → 4.3.0-alpha.20240513.2

package/dist/index.js

@@ -2165,6 +2165,20 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return deviceCodeRequest;
         });
     }
+    async function getTokenByUsernamePassword(scopes, username, password, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using username and password`);
+        const msalApp = await getPublicApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            const requestOptions = {
+                scopes,
+                username,
+                password,
+                authority: state.msalConfig.auth.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            };
+            return msalApp.acquireTokenByUsernamePassword(requestOptions);
+        });
+    }
     function getActiveAccount() {
         if (!state.cachedAccount) {
             return undefined;
@@ -2177,6 +2191,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         getTokenByClientAssertion,
         getTokenByClientCertificate,
         getTokenByDeviceCode,
+        getTokenByUsernamePassword,
     };
 }
 
@@ -3455,553 +3470,209 @@ class ClientSecretCredential {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+const logger$7 = credentialLogger("UsernamePasswordCredential");
 /**
- * MSAL partial base client for Node.js.
- *
- * It completes the input configuration with some default values.
- * It also provides with utility protected methods that can be used from any of the clients,
- * which includes handlers for successful responses and errors.
- *
- * @internal
+ * Enables authentication to Microsoft Entra ID with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
  */
-class MsalNode {
-    constructor(options) {
-        var _a, _b, _c, _d, _e, _f;
-        this.app = {};
-        this.caeApp = {};
-        this.requiresConfidential = false;
-        this.logger = options.logger;
-        this.msalConfig = this.defaultNodeMsalConfig(options);
-        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
-        this.clientId = this.msalConfig.auth.clientId;
-        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
-            this.getAssertion = options.getAssertion;
-        }
-        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
-        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
-        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
-        // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
-            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
-            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
-            this.createCachePluginCae = () => persistenceProvider(caeOptions);
-        }
-        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
-            throw new Error([
-                "Persistent token caching was requested, but no persistence provider was configured.",
-                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
-            ].join(" "));
-        }
-        // If broker has not been configured
-        if (!hasNativeBroker() && this.enableBroker) {
-            throw new Error([
-                "Broker for WAM was requested to be enabled, but no native broker was configured.",
-                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
-            ].join(" "));
+class UsernamePasswordCredential {
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a username
+     * and password.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory).
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param username - The user account's e-mail address (user name).
+     * @param password - The user account's account password
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
-        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.username = username;
+        this.password = password;
+        this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
     }
     /**
-     * Generates a MSAL configuration that generally works for Node.js
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
      */
-    defaultNodeMsalConfig(options) {
-        var _a;
-        const clientId = options.clientId || DeveloperSignOnClientId;
-        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
-        const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        const clientCapabilities = [];
-        return {
-            auth: {
-                clientId,
-                authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
-                clientCapabilities,
-            },
-            // Cache is defined in this.prepare();
-            system: {
-                networkClient: this.identityClient,
-                loggerOptions: {
-                    loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$r.getLogLevel()),
-                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
-                },
-            },
-        };
-    }
-    getApp(appType, enableCae) {
-        const app = enableCae ? this.caeApp : this.app;
-        if (appType === "publicFirst") {
-            return (app.public || app.confidential);
-        }
-        else if (appType === "confidentialFirst") {
-            return (app.confidential || app.public);
-        }
-        else if (appType === "confidential") {
-            return app.confidential;
-        }
-        else {
-            return app.public;
-        }
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalClient.getTokenByUsernamePassword(arrayScopes, this.username, this.password, newOptions);
+        });
     }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
+ *
+ * @internal
+ */
+const AllSupportedEnvironmentVariables = [
+    "AZURE_TENANT_ID",
+    "AZURE_CLIENT_ID",
+    "AZURE_CLIENT_SECRET",
+    "AZURE_CLIENT_CERTIFICATE_PATH",
+    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
+    "AZURE_USERNAME",
+    "AZURE_PASSWORD",
+    "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
+];
+function getAdditionallyAllowedTenants() {
+    var _a;
+    const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
+    return additionallyAllowedValues.split(";");
+}
+const credentialName$2 = "EnvironmentCredential";
+const logger$6 = credentialLogger(credentialName$2);
+/**
+ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
+ * with a username and password.
+ */
+class EnvironmentCredential {
     /**
-     * Prepares the MSAL applications.
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
+     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
      */
-    async init(options) {
-        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
-            options.abortSignal.addEventListener("abort", () => {
-                // This will abort any pending request in the IdentityClient,
-                // based on the received or generated correlationId
-                this.identityClient.abortRequests(options.correlationId);
-            });
-        }
-        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.msalConfig.auth.clientCapabilities = ["cp1"];
+    constructor(options) {
+        // Keep track of any missing environment variables for error details
+        this._credential = undefined;
+        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
+        logger$6.info(`Found the following environment variables: ${assigned}`);
+        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
+        const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
+        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
+        if (tenantId) {
+            checkTenantId(logger$6, tenantId);
         }
-        if (app.public || app.confidential) {
+        if (tenantId && clientId && clientSecret) {
+            logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
             return;
         }
-        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePluginCae(),
-            };
-        }
-        if (this.createCachePlugin !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePlugin(),
-            };
-        }
-        if (hasNativeBroker() && this.enableBroker) {
-            this.msalConfig.broker = {
-                nativeBrokerPlugin: nativeBrokerInfo.broker,
-            };
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-        }
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        else {
-            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
+        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
+        if (tenantId && clientId && certificatePath) {
+            logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
+            return;
         }
-        if (this.getAssertion) {
-            this.msalConfig.auth.clientAssertion = await this.getAssertion();
-        }
-        // The confidential client requires either a secret, assertion or certificate.
-        if (this.msalConfig.auth.clientSecret ||
-            this.msalConfig.auth.clientAssertion ||
-            this.msalConfig.auth.clientCertificate) {
-            if (options === null || options === void 0 ? void 0 : options.enableCae) {
-                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-            else {
-                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-        }
-        else {
-            if (this.requiresConfidential) {
-                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
-            }
-        }
-    }
-    /**
-     * Allows the cancellation of a MSAL request.
-     */
-    withCancellation(promise, abortSignal, onCancel) {
-        return new Promise((resolve, reject) => {
-            promise
-                .then((msalToken) => {
-                return resolve(msalToken);
-            })
-                .catch(reject);
-            if (abortSignal) {
-                abortSignal.addEventListener("abort", () => {
-                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
-                });
-            }
-        });
-    }
-    /**
-     * Returns the existing account, attempts to load the account from MSAL.
-     */
-    async getActiveAccount(enableCae = false) {
-        if (this.account) {
-            return this.account;
-        }
-        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
-        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
-        if (!accountsByTenant) {
-            return;
-        }
-        if (accountsByTenant.length === 1) {
-            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
-        }
-        else {
-            this.logger
-                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
-However, no "authenticationRecord" has been provided for this credential,
-therefore we're unable to pick between these accounts.
-A new login attempt will be requested, to ensure the correct account is picked.
-To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
-            return;
-        }
-        return this.account;
-    }
-    /**
-     * Attempts to retrieve a token from cache.
-     */
-    async getTokenSilent(scopes, options) {
-        var _a, _b, _c;
-        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
-        if (!this.account) {
-            throw new AuthenticationRequiredError({
-                scopes,
-                getTokenOptions: options,
-                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
-            });
-        }
-        const silentRequest = {
-            // To be able to re-use the account, the Token Cache must also have been provided.
-            account: publicToMsal(this.account),
-            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-            scopes,
-            authority: options === null || options === void 0 ? void 0 : options.authority,
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-        };
-        if (hasNativeBroker() && this.enableBroker) {
-            if (!silentRequest.tokenQueryParameters) {
-                silentRequest.tokenQueryParameters = {};
-            }
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-            if (this.enableMsaPassthrough) {
-                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
-            }
-        }
-        try {
-            this.logger.info("Attempting to acquire token silently");
-            /**
-             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
-             * refresh of the token cache with the token and the account passed in through the
-             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
-             */
-            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
-            return this.handleResult(scopes, response || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
+        const username = process.env.AZURE_USERNAME;
+        const password = process.env.AZURE_PASSWORD;
+        if (tenantId && clientId && username && password) {
+            logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
         }
     }
     /**
-     * Wrapper around each MSAL flow get token operation: doGetToken.
-     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - Optional parameters. See {@link GetTokenOptions}.
      */
     async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
-            this.tenantId;
-        options.authority = getAuthority(tenantId, this.authorityHost);
-        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
-        await this.init(options);
-        try {
-            // MSAL now caches tokens based on their claims,
-            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
-            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
-            const optionsClaims = options.claims;
-            if (optionsClaims) {
-                this.cachedClaims = optionsClaims;
-            }
-            if (this.cachedClaims && !optionsClaims) {
-                options.claims = this.cachedClaims;
-            }
-            // We don't return the promise since we want to catch errors right here.
-            return await this.getTokenSilent(scopes, options);
-        }
-        catch (err) {
-            if (err.name !== "AuthenticationRequiredError") {
-                throw err;
-            }
-            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                throw new AuthenticationRequiredError({
-                    scopes,
-                    getTokenOptions: options,
-                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
-                });
+        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
+            if (this._credential) {
+                try {
+                    const result = await this._credential.getToken(scopes, newOptions);
+                    logger$6.getToken.info(formatSuccess(scopes));
+                    return result;
+                }
+                catch (err) {
+                    const authenticationError = new AuthenticationError(400, {
+                        error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
+                        error_description: err.message.toString().split("More details:").join(""),
+                    });
+                    logger$6.getToken.info(formatError(scopes, authenticationError));
+                    throw authenticationError;
+                }
             }
-            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
-            return this.doGetToken(scopes, options);
-        }
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(this.clientId, result.account);
-        }
-        ensureValidMsalToken(scopes, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
+            throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
+        });
     }
 }
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+const logger$5 = credentialLogger("DefaultAzureCredential");
 /**
- * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
+ * Creates a {@link ManagedIdentityCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
  * @internal
  */
-class MsalUsernamePassword extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.username = options.username;
-        this.password = options.password;
+function createDefaultManagedIdentityCredential(options = {}) {
+    var _a, _b, _c, _d;
+    (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
+        maxRetries: 5,
+        retryDelayInMs: 800,
+    });
+    const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
+    const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
+    const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
+    const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
+    if (managedResourceId) {
+        const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
+        return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
     }
-    async doGetToken(scopes, options) {
-        try {
-            const requestOptions = {
-                scopes,
-                username: this.username,
-                password: this.password,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-            };
-            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (error) {
-            throw handleMsalError(scopes, error, options);
-        }
+    if (workloadFile && workloadIdentityClientId) {
+        const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
+        return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
+    }
+    if (managedIdentityClientId) {
+        const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
+        return new ManagedIdentityCredential(managedIdentityClientOptions);
     }
+    // We may be able to return a UnavailableCredential here, but that may be a breaking change
+    return new ManagedIdentityCredential(options);
 }
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const logger$7 = credentialLogger("UsernamePasswordCredential");
 /**
- * Enables authentication to Microsoft Entra ID with a user's
- * username and password. This credential requires a high degree of
- * trust so you should only use it when other, more secure credential
- * types can't be used.
- */
-class UsernamePasswordCredential {
-    /**
-     * Creates an instance of the UsernamePasswordCredential with the details
-     * needed to authenticate against Microsoft Entra ID with a username
-     * and password.
-     *
-     * @param tenantId - The Microsoft Entra tenant (directory).
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param username - The user account's e-mail address (user name).
-     * @param password - The user account's account password
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, username, password, options = {}) {
-        if (!tenantId || !clientId || !username || !password) {
-            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
-        }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
-            clientId,
-            tenantId,
-            username,
-            password, tokenCredentialOptions: options || {} }));
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * If the user provided the option `disableAutomaticAuthentication`,
-     * once the token can't be retrieved silently,
-     * this method won't attempt to request user interaction to retrieve the token.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
-            const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Contains the list of all supported environment variable names so that an
- * appropriate error message can be generated when no credentials can be
- * configured.
- *
- * @internal
- */
-const AllSupportedEnvironmentVariables = [
-    "AZURE_TENANT_ID",
-    "AZURE_CLIENT_ID",
-    "AZURE_CLIENT_SECRET",
-    "AZURE_CLIENT_CERTIFICATE_PATH",
-    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
-    "AZURE_USERNAME",
-    "AZURE_PASSWORD",
-    "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
-];
-function getAdditionallyAllowedTenants() {
-    var _a;
-    const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
-    return additionallyAllowedValues.split(";");
-}
-const credentialName$2 = "EnvironmentCredential";
-const logger$6 = credentialLogger(credentialName$2);
-/**
- * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
- * with a username and password.
- */
-class EnvironmentCredential {
-    /**
-     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
-     *
-     * Required environment variables:
-     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
-     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
-     *
-     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
-     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
-     *
-     * Environment variables used for client credential authentication:
-     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
-     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
-     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
-     *
-     * Alternatively, users can provide environment variables for username and password authentication:
-     * - `AZURE_USERNAME`: Username to authenticate with.
-     * - `AZURE_PASSWORD`: Password to authenticate with.
-     *
-     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
-     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
-     *
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(options) {
-        // Keep track of any missing environment variables for error details
-        this._credential = undefined;
-        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
-        logger$6.info(`Found the following environment variables: ${assigned}`);
-        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
-        const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
-        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
-        if (tenantId) {
-            checkTenantId(logger$6, tenantId);
-        }
-        if (tenantId && clientId && clientSecret) {
-            logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
-            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
-            return;
-        }
-        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
-        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
-        if (tenantId && clientId && certificatePath) {
-            logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
-            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
-            return;
-        }
-        const username = process.env.AZURE_USERNAME;
-        const password = process.env.AZURE_PASSWORD;
-        if (tenantId && clientId && username && password) {
-            logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
-            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
-        }
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - Optional parameters. See {@link GetTokenOptions}.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
-            if (this._credential) {
-                try {
-                    const result = await this._credential.getToken(scopes, newOptions);
-                    logger$6.getToken.info(formatSuccess(scopes));
-                    return result;
-                }
-                catch (err) {
-                    const authenticationError = new AuthenticationError(400, {
-                        error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
-                        error_description: err.message.toString().split("More details:").join(""),
-                    });
-                    logger$6.getToken.info(formatError(scopes, authenticationError));
-                    throw authenticationError;
-                }
-            }
-            throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const logger$5 = credentialLogger("DefaultAzureCredential");
-/**
- * Creates a {@link ManagedIdentityCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createDefaultManagedIdentityCredential(options = {}) {
-    var _a, _b, _c, _d;
-    (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
-        maxRetries: 5,
-        retryDelayInMs: 800,
-    });
-    const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
-    const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
-    const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
-    const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
-    if (managedResourceId) {
-        const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
-        return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
-    }
-    if (workloadFile && workloadIdentityClientId) {
-        const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
-        return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
-    }
-    if (managedIdentityClientId) {
-        const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
-        return new ManagedIdentityCredential(managedIdentityClientOptions);
-    }
-    // We may be able to return a UnavailableCredential here, but that may be a breaking change
-    return new ManagedIdentityCredential(options);
-}
-/**
- * Creates a {@link WorkloadIdentityCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
+ * Creates a {@link WorkloadIdentityCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
  */
 function createDefaultWorkloadIdentityCredential(options) {
     var _a, _b, _c;
@@ -4105,6 +3776,317 @@ class DefaultAzureCredential extends ChainedTokenCredential {
     }
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * MSAL partial base client for Node.js.
+ *
+ * It completes the input configuration with some default values.
+ * It also provides with utility protected methods that can be used from any of the clients,
+ * which includes handlers for successful responses and errors.
+ *
+ * @internal
+ */
+class MsalNode {
+    constructor(options) {
+        var _a, _b, _c, _d, _e, _f;
+        this.app = {};
+        this.caeApp = {};
+        this.requiresConfidential = false;
+        this.logger = options.logger;
+        this.msalConfig = this.defaultNodeMsalConfig(options);
+        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.clientId = this.msalConfig.auth.clientId;
+        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
+            this.getAssertion = options.getAssertion;
+        }
+        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
+        // If persistence has been configured
+        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
+            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
+            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
+        }
+        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
+            ].join(" "));
+        }
+        // If broker has not been configured
+        if (!hasNativeBroker() && this.enableBroker) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
+        }
+        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+    }
+    /**
+     * Generates a MSAL configuration that generally works for Node.js
+     */
+    defaultNodeMsalConfig(options) {
+        var _a;
+        const clientId = options.clientId || DeveloperSignOnClientId;
+        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
+        const authority = getAuthority(tenantId, this.authorityHost);
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
+        const clientCapabilities = [];
+        return {
+            auth: {
+                clientId,
+                authority,
+                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
+                clientCapabilities,
+            },
+            // Cache is defined in this.prepare();
+            system: {
+                networkClient: this.identityClient,
+                loggerOptions: {
+                    loggerCallback: defaultLoggerCallback(options.logger),
+                    logLevel: getMSALLogLevel(logger$r.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
+                },
+            },
+        };
+    }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
+    /**
+     * Prepares the MSAL applications.
+     */
+    async init(options) {
+        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
+            options.abortSignal.addEventListener("abort", () => {
+                // This will abort any pending request in the IdentityClient,
+                // based on the received or generated correlationId
+                this.identityClient.abortRequests(options.correlationId);
+            });
+        }
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
+            return;
+        }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
+        }
+        if (this.createCachePlugin !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePlugin(),
+            };
+        }
+        if (hasNativeBroker() && this.enableBroker) {
+            this.msalConfig.broker = {
+                nativeBrokerPlugin: nativeBrokerInfo.broker,
+            };
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+        }
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
+        else {
+            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
+        if (this.getAssertion) {
+            this.msalConfig.auth.clientAssertion = await this.getAssertion();
+        }
+        // The confidential client requires either a secret, assertion or certificate.
+        if (this.msalConfig.auth.clientSecret ||
+            this.msalConfig.auth.clientAssertion ||
+            this.msalConfig.auth.clientCertificate) {
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+            else {
+                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+        }
+        else {
+            if (this.requiresConfidential) {
+                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
+            }
+        }
+    }
+    /**
+     * Allows the cancellation of a MSAL request.
+     */
+    withCancellation(promise, abortSignal, onCancel) {
+        return new Promise((resolve, reject) => {
+            promise
+                .then((msalToken) => {
+                return resolve(msalToken);
+            })
+                .catch(reject);
+            if (abortSignal) {
+                abortSignal.addEventListener("abort", () => {
+                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
+                });
+            }
+        });
+    }
+    /**
+     * Returns the existing account, attempts to load the account from MSAL.
+     */
+    async getActiveAccount(enableCae = false) {
+        if (this.account) {
+            return this.account;
+        }
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
+        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
+        if (!accountsByTenant) {
+            return;
+        }
+        if (accountsByTenant.length === 1) {
+            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
+        }
+        else {
+            this.logger
+                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
+However, no "authenticationRecord" has been provided for this credential,
+therefore we're unable to pick between these accounts.
+A new login attempt will be requested, to ensure the correct account is picked.
+To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
+            return;
+        }
+        return this.account;
+    }
+    /**
+     * Attempts to retrieve a token from cache.
+     */
+    async getTokenSilent(scopes, options) {
+        var _a, _b, _c;
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
+        if (!this.account) {
+            throw new AuthenticationRequiredError({
+                scopes,
+                getTokenOptions: options,
+                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
+            });
+        }
+        const silentRequest = {
+            // To be able to re-use the account, the Token Cache must also have been provided.
+            account: publicToMsal(this.account),
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+            scopes,
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+        };
+        if (hasNativeBroker() && this.enableBroker) {
+            if (!silentRequest.tokenQueryParameters) {
+                silentRequest.tokenQueryParameters = {};
+            }
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (this.enableMsaPassthrough) {
+                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            }
+        }
+        try {
+            this.logger.info("Attempting to acquire token silently");
+            /**
+             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
+             * refresh of the token cache with the token and the account passed in through the
+             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
+             */
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
+            return this.handleResult(scopes, response || undefined);
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    /**
+     * Wrapper around each MSAL flow get token operation: doGetToken.
+     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
+     */
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
+            this.tenantId;
+        options.authority = getAuthority(tenantId, this.authorityHost);
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
+        await this.init(options);
+        try {
+            // MSAL now caches tokens based on their claims,
+            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
+            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
+            const optionsClaims = options.claims;
+            if (optionsClaims) {
+                this.cachedClaims = optionsClaims;
+            }
+            if (this.cachedClaims && !optionsClaims) {
+                options.claims = this.cachedClaims;
+            }
+            // We don't return the promise since we want to catch errors right here.
+            return await this.getTokenSilent(scopes, options);
+        }
+        catch (err) {
+            if (err.name !== "AuthenticationRequiredError") {
+                throw err;
+            }
+            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
+                });
+            }
+            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
+            return this.doGetToken(scopes, options);
+        }
+    }
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+            this.account = msalToPublic(this.clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
+    }
+}
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**