@azure/identity 4.3.0-alpha.20240520.1 → 4.3.0-beta.2

package/dist-esm/src/constants.js

@@ -3,7 +3,7 @@
 /**
  * Current version of the `@azure/identity` package.
  */
-export const SDK_VERSION = `4.3.0-beta.1`;
+export const SDK_VERSION = `4.3.0-beta.2`;
 /**
  * The default client ID for authentication
  * @internal

package/dist-esm/src/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,cAAc,CAAC;AAE1C;;;GAGG;AACH,2EAA2E;AAC3E,6CAA6C;AAC7C,uGAAuG;AACvG,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAE9E;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CAAC;AAExC;;GAEG;AACH,MAAM,CAAN,IAAY,mBAiBX;AAjBD,WAAY,mBAAmB;IAC7B;;OAEG;IACH,oEAA6C,CAAA;IAC7C;;OAEG;IACH,wEAAiD,CAAA;IACjD;;OAEG;IACH,2EAAoD,CAAA;IACpD;;OAEG;IACH,6EAAsD,CAAA;AACxD,CAAC,EAjBW,mBAAmB,KAAnB,mBAAmB,QAiB9B;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,gBAAgB,CAAC;AAEzE;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAa,CAAC,GAAG,CAAC,CAAC;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAEtC;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,OAAO,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,YAAY,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/**\n * Current version of the `@azure/identity` package.\n */\nexport const SDK_VERSION = `4.3.0-beta.1`;\n\n/**\n * The default client ID for authentication\n * @internal\n */\n// TODO: temporary - this is the Azure CLI clientID - we'll replace it when\n// Developer Sign On application is available\n// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9\nexport const DeveloperSignOnClientId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\";\n\n/**\n * The default tenant for authentication\n * @internal\n */\nexport const DefaultTenantId = \"common\";\n\n/**\n * A list of known Azure authority hosts\n */\nexport enum AzureAuthorityHosts {\n  /**\n   * China-based Azure Authority Host\n   */\n  AzureChina = \"https://login.chinacloudapi.cn\",\n  /**\n   * Germany-based Azure Authority Host\n   */\n  AzureGermany = \"https://login.microsoftonline.de\",\n  /**\n   * US Government Azure Authority Host\n   */\n  AzureGovernment = \"https://login.microsoftonline.us\",\n  /**\n   * Public Cloud Azure Authority Host\n   */\n  AzurePublicCloud = \"https://login.microsoftonline.com\",\n}\n\n/**\n * @internal\n * The default authority host.\n */\nexport const DefaultAuthorityHost = AzureAuthorityHosts.AzurePublicCloud;\n\n/**\n * @internal\n * Allow acquiring tokens for any tenant for multi-tentant auth.\n */\nexport const ALL_TENANTS: string[] = [\"*\"];\n\n/**\n * @internal\n */\nexport const CACHE_CAE_SUFFIX = \"cae\";\n\n/**\n * @internal\n */\nexport const CACHE_NON_CAE_SUFFIX = \"nocae\";\n\n/**\n * @internal\n *\n * The default name for the cache persistence plugin.\n * Matches the constant defined in the cache persistence package.\n */\nexport const DEFAULT_TOKEN_CACHE_NAME = \"msal.cache\";\n"]}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,cAAc,CAAC;AAE1C;;;GAGG;AACH,2EAA2E;AAC3E,6CAA6C;AAC7C,uGAAuG;AACvG,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAE9E;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CAAC;AAExC;;GAEG;AACH,MAAM,CAAN,IAAY,mBAiBX;AAjBD,WAAY,mBAAmB;IAC7B;;OAEG;IACH,oEAA6C,CAAA;IAC7C;;OAEG;IACH,wEAAiD,CAAA;IACjD;;OAEG;IACH,2EAAoD,CAAA;IACpD;;OAEG;IACH,6EAAsD,CAAA;AACxD,CAAC,EAjBW,mBAAmB,KAAnB,mBAAmB,QAiB9B;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,gBAAgB,CAAC;AAEzE;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAa,CAAC,GAAG,CAAC,CAAC;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAEtC;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,OAAO,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,YAAY,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/**\n * Current version of the `@azure/identity` package.\n */\nexport const SDK_VERSION = `4.3.0-beta.2`;\n\n/**\n * The default client ID for authentication\n * @internal\n */\n// TODO: temporary - this is the Azure CLI clientID - we'll replace it when\n// Developer Sign On application is available\n// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9\nexport const DeveloperSignOnClientId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\";\n\n/**\n * The default tenant for authentication\n * @internal\n */\nexport const DefaultTenantId = \"common\";\n\n/**\n * A list of known Azure authority hosts\n */\nexport enum AzureAuthorityHosts {\n  /**\n   * China-based Azure Authority Host\n   */\n  AzureChina = \"https://login.chinacloudapi.cn\",\n  /**\n   * Germany-based Azure Authority Host\n   */\n  AzureGermany = \"https://login.microsoftonline.de\",\n  /**\n   * US Government Azure Authority Host\n   */\n  AzureGovernment = \"https://login.microsoftonline.us\",\n  /**\n   * Public Cloud Azure Authority Host\n   */\n  AzurePublicCloud = \"https://login.microsoftonline.com\",\n}\n\n/**\n * @internal\n * The default authority host.\n */\nexport const DefaultAuthorityHost = AzureAuthorityHosts.AzurePublicCloud;\n\n/**\n * @internal\n * Allow acquiring tokens for any tenant for multi-tentant auth.\n */\nexport const ALL_TENANTS: string[] = [\"*\"];\n\n/**\n * @internal\n */\nexport const CACHE_CAE_SUFFIX = \"cae\";\n\n/**\n * @internal\n */\nexport const CACHE_NON_CAE_SUFFIX = \"nocae\";\n\n/**\n * @internal\n *\n * The default name for the cache persistence plugin.\n * Matches the constant defined in the cache persistence package.\n */\nexport const DEFAULT_TOKEN_CACHE_NAME = \"msal.cache\";\n"]}

package/dist-esm/src/credentials/authorizationCodeCredential.js

@@ -1,11 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils";
-import { MsalAuthorizationCode } from "../msal/nodeFlows/msalAuthorizationCode";
 import { checkTenantId } from "../util/tenantIdUtils";
 import { credentialLogger } from "../util/logging";
 import { ensureScopes } from "../util/scopeUtils";
 import { tracingClient } from "../util/tracing";
+import { createMsalClient } from "../msal/nodeFlows/msalClient";
 const logger = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Microsoft Entra ID using an authorization code
@@ -21,7 +21,7 @@ export class AuthorizationCodeCredential {
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
         checkTenantId(logger, tenantId);
-        let clientSecret = clientSecretOrAuthorizationCode;
+        this.clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
             this.authorizationCode = authorizationCodeOrRedirectUri;
@@ -32,15 +32,13 @@ export class AuthorizationCodeCredential {
             // clientId only
             this.authorizationCode = clientSecretOrAuthorizationCode;
             this.redirectUri = authorizationCodeOrRedirectUri;
-            clientSecret = undefined;
+            this.clientSecret = undefined;
             options = redirectUriOrOptions;
         }
         // TODO: Validate tenant if provided
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
-            clientId,
-            tenantId, tokenCredentialOptions: options || {}, logger, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -55,7 +53,7 @@ export class AuthorizationCodeCredential {
             const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
             newOptions.tenantId = tenantId;
             const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+            return this.msalClient.getTokenByAuthorizationCode(arrayScopes, this.redirectUri, this.authorizationCode, this.clientSecret, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
 }

package/dist-esm/src/credentials/authorizationCodeCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"authorizationCodeCredential.js","sourceRoot":"","sources":["../../../src/credentials/authorizationCodeCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,GACpC,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAC;AAEhF,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAEhD,MAAM,MAAM,GAAG,gBAAgB,CAAC,6BAA6B,CAAC,CAAC;AAE/D;;;;;;GAMG;AACH,MAAM,OAAO,2BAA2B;IAkEtC;;;OAGG;IACH,YACE,QAA2B,EAC3B,QAAgB,EAChB,+BAAuC,EACvC,8BAAsC,EACtC,oBAA6E,EAC7E,OAA4C;QAE5C,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAChC,IAAI,YAAY,GAAuB,+BAA+B,CAAC;QAEvE,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;YAC7C,wCAAwC;YACxC,IAAI,CAAC,iBAAiB,GAAG,8BAA8B,CAAC;YACxD,IAAI,CAAC,WAAW,GAAG,oBAAoB,CAAC;YACxC,8CAA8C;QAChD,CAAC;aAAM,CAAC;YACN,gBAAgB;YAChB,IAAI,CAAC,iBAAiB,GAAG,+BAA+B,CAAC;YACzD,IAAI,CAAC,WAAW,GAAG,8BAAwC,CAAC;YAC5D,YAAY,GAAG,SAAS,CAAC;YACzB,OAAO,GAAG,oBAA0D,CAAC;QACvE,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,IAAI,qBAAqB,iCACpC,OAAO,KACV,YAAY;YACZ,QAAQ;YACR,QAAQ,EACR,sBAAsB,EAAE,OAAO,IAAI,EAAE,EACrC,MAAM,EACN,WAAW,EAAE,IAAI,CAAC,WAAW,EAC7B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,IACzC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,QAAQ,GAAG,yBAAyB,CACxC,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAE/B,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,kCACpC,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IACnE,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils\";\nimport { AuthorizationCodeCredentialOptions } from \"./authorizationCodeCredentialOptions\";\nimport { MsalAuthorizationCode } from \"../msal/nodeFlows/msalAuthorizationCode\";\nimport { MsalFlow } from \"../msal/flows\";\nimport { checkTenantId } from \"../util/tenantIdUtils\";\nimport { credentialLogger } from \"../util/logging\";\nimport { ensureScopes } from \"../util/scopeUtils\";\nimport { tracingClient } from \"../util/tracing\";\n\nconst logger = credentialLogger(\"AuthorizationCodeCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using an authorization code\n * that was obtained through the authorization code flow, described in more detail\n * in the Microsoft Entra ID documentation:\n *\n * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow\n */\nexport class AuthorizationCodeCredential implements TokenCredential {\n  private msalFlow: MsalFlow;\n  private disableAutomaticAuthentication?: boolean;\n  private authorizationCode: string;\n  private redirectUri: string;\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n\n  /**\n   * Creates an instance of AuthorizationCodeCredential with the details needed\n   * to request an access token using an authentication that was obtained\n   * from Microsoft Entra ID.\n   *\n   * It is currently necessary for the user of this credential to initiate\n   * the authorization code flow to obtain an authorization code to be used\n   * with this credential.  A full example of this flow is provided here:\n   *\n   * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID or name.\n   *                 'common' may be used when dealing with multi-tenant scenarios.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param clientSecret - A client secret that was generated for the App Registration\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param options - Options for configuring the client which makes the access token request.\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    clientSecret: string,\n    authorizationCode: string,\n    redirectUri: string,\n    options?: AuthorizationCodeCredentialOptions,\n  );\n  /**\n   * Creates an instance of AuthorizationCodeCredential with the details needed\n   * to request an access token using an authentication that was obtained\n   * from Microsoft Entra ID.\n   *\n   * It is currently necessary for the user of this credential to initiate\n   * the authorization code flow to obtain an authorization code to be used\n   * with this credential.  A full example of this flow is provided here:\n   *\n   * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID or name.\n   *                 'common' may be used when dealing with multi-tenant scenarios.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param options - Options for configuring the client which makes the access token request.\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    authorizationCode: string,\n    redirectUri: string,\n    options?: AuthorizationCodeCredentialOptions,\n  );\n  /**\n   * @hidden\n   * @internal\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    clientSecretOrAuthorizationCode: string,\n    authorizationCodeOrRedirectUri: string,\n    redirectUriOrOptions: string | AuthorizationCodeCredentialOptions | undefined,\n    options?: AuthorizationCodeCredentialOptions,\n  ) {\n    checkTenantId(logger, tenantId);\n    let clientSecret: string | undefined = clientSecretOrAuthorizationCode;\n\n    if (typeof redirectUriOrOptions === \"string\") {\n      // the clientId+clientSecret constructor\n      this.authorizationCode = authorizationCodeOrRedirectUri;\n      this.redirectUri = redirectUriOrOptions;\n      // in this case, options are good as they come\n    } else {\n      // clientId only\n      this.authorizationCode = clientSecretOrAuthorizationCode;\n      this.redirectUri = authorizationCodeOrRedirectUri as string;\n      clientSecret = undefined;\n      options = redirectUriOrOptions as AuthorizationCodeCredentialOptions;\n    }\n\n    // TODO: Validate tenant if provided\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.msalFlow = new MsalAuthorizationCode({\n      ...options,\n      clientSecret,\n      clientId,\n      tenantId,\n      tokenCredentialOptions: options || {},\n      logger,\n      redirectUri: this.redirectUri,\n      authorizationCode: this.authorizationCode,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        const tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n        );\n        newOptions.tenantId = tenantId;\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalFlow.getToken(arrayScopes, {\n          ...newOptions,\n          disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n        });\n      },\n    );\n  }\n}\n"]}
+{"version":3,"file":"authorizationCodeCredential.js","sourceRoot":"","sources":["../../../src/credentials/authorizationCodeCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,GACpC,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAc,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAE5E,MAAM,MAAM,GAAG,gBAAgB,CAAC,6BAA6B,CAAC,CAAC;AAE/D;;;;;;GAMG;AACH,MAAM,OAAO,2BAA2B;IAmEtC;;;OAGG;IACH,YACE,QAA2B,EAC3B,QAAgB,EAChB,+BAAuC,EACvC,8BAAsC,EACtC,oBAA6E,EAC7E,OAA4C;QAE5C,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAChC,IAAI,CAAC,YAAY,GAAG,+BAA+B,CAAC;QAEpD,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;YAC7C,wCAAwC;YACxC,IAAI,CAAC,iBAAiB,GAAG,8BAA8B,CAAC;YACxD,IAAI,CAAC,WAAW,GAAG,oBAAoB,CAAC;YACxC,8CAA8C;QAChD,CAAC;aAAM,CAAC;YACN,gBAAgB;YAChB,IAAI,CAAC,iBAAiB,GAAG,+BAA+B,CAAC;YACzD,IAAI,CAAC,WAAW,GAAG,8BAAwC,CAAC;YAC5D,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;YAC9B,OAAO,GAAG,oBAA0D,CAAC;QACvE,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QAEF,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,kCAChD,OAAO,KACV,MAAM,EACN,sBAAsB,EAAE,OAAO,aAAP,OAAO,cAAP,OAAO,GAAI,EAAE,IACrC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,QAAQ,GAAG,yBAAyB,CACxC,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAE/B,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,2BAA2B,CAChD,WAAW,EACX,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,EACtB,IAAI,CAAC,YAAY,kCAEZ,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IAEtE,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils\";\nimport { AuthorizationCodeCredentialOptions } from \"./authorizationCodeCredentialOptions\";\nimport { checkTenantId } from \"../util/tenantIdUtils\";\nimport { credentialLogger } from \"../util/logging\";\nimport { ensureScopes } from \"../util/scopeUtils\";\nimport { tracingClient } from \"../util/tracing\";\nimport { MsalClient, createMsalClient } from \"../msal/nodeFlows/msalClient\";\n\nconst logger = credentialLogger(\"AuthorizationCodeCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using an authorization code\n * that was obtained through the authorization code flow, described in more detail\n * in the Microsoft Entra ID documentation:\n *\n * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow\n */\nexport class AuthorizationCodeCredential implements TokenCredential {\n  private msalClient: MsalClient;\n  private disableAutomaticAuthentication?: boolean;\n  private authorizationCode: string;\n  private redirectUri: string;\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private clientSecret?: string;\n\n  /**\n   * Creates an instance of AuthorizationCodeCredential with the details needed\n   * to request an access token using an authentication that was obtained\n   * from Microsoft Entra ID.\n   *\n   * It is currently necessary for the user of this credential to initiate\n   * the authorization code flow to obtain an authorization code to be used\n   * with this credential.  A full example of this flow is provided here:\n   *\n   * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID or name.\n   *                 'common' may be used when dealing with multi-tenant scenarios.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param clientSecret - A client secret that was generated for the App Registration\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param options - Options for configuring the client which makes the access token request.\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    clientSecret: string,\n    authorizationCode: string,\n    redirectUri: string,\n    options?: AuthorizationCodeCredentialOptions,\n  );\n  /**\n   * Creates an instance of AuthorizationCodeCredential with the details needed\n   * to request an access token using an authentication that was obtained\n   * from Microsoft Entra ID.\n   *\n   * It is currently necessary for the user of this credential to initiate\n   * the authorization code flow to obtain an authorization code to be used\n   * with this credential.  A full example of this flow is provided here:\n   *\n   * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID or name.\n   *                 'common' may be used when dealing with multi-tenant scenarios.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param options - Options for configuring the client which makes the access token request.\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    authorizationCode: string,\n    redirectUri: string,\n    options?: AuthorizationCodeCredentialOptions,\n  );\n  /**\n   * @hidden\n   * @internal\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    clientSecretOrAuthorizationCode: string,\n    authorizationCodeOrRedirectUri: string,\n    redirectUriOrOptions: string | AuthorizationCodeCredentialOptions | undefined,\n    options?: AuthorizationCodeCredentialOptions,\n  ) {\n    checkTenantId(logger, tenantId);\n    this.clientSecret = clientSecretOrAuthorizationCode;\n\n    if (typeof redirectUriOrOptions === \"string\") {\n      // the clientId+clientSecret constructor\n      this.authorizationCode = authorizationCodeOrRedirectUri;\n      this.redirectUri = redirectUriOrOptions;\n      // in this case, options are good as they come\n    } else {\n      // clientId only\n      this.authorizationCode = clientSecretOrAuthorizationCode;\n      this.redirectUri = authorizationCodeOrRedirectUri as string;\n      this.clientSecret = undefined;\n      options = redirectUriOrOptions as AuthorizationCodeCredentialOptions;\n    }\n\n    // TODO: Validate tenant if provided\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...options,\n      logger,\n      tokenCredentialOptions: options ?? {},\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        const tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n        );\n        newOptions.tenantId = tenantId;\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByAuthorizationCode(\n          arrayScopes,\n          this.redirectUri,\n          this.authorizationCode,\n          this.clientSecret,\n          {\n            ...newOptions,\n            disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n          },\n        );\n      },\n    );\n  }\n}\n"]}

package/dist-esm/src/credentials/deviceCodeCredential.js

@@ -46,7 +46,7 @@ export class DeviceCodeCredential {
         const clientId = (_a = options === null || options === void 0 ? void 0 : options.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId;
         const tenantId = resolveTenantId(logger, options === null || options === void 0 ? void 0 : options.tenantId, clientId);
         this.userPromptCallback = (_b = options === null || options === void 0 ? void 0 : options.userPromptCallback) !== null && _b !== void 0 ? _b : defaultDeviceCodePromptCallback;
-        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options || {} }));
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**

package/dist-esm/src/credentials/deviceCodeCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"deviceCodeCredential.js","sourceRoot":"","sources":["../../../src/credentials/deviceCodeCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,uBAAuB,CAAC;AAO/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAc,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAEvD,MAAM,MAAM,GAAG,gBAAgB,CAAC,sBAAsB,CAAC,CAAC;AAExD;;;GAGG;AACH,MAAM,UAAU,+BAA+B,CAAC,cAA8B;IAC5E,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IAO/B;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,OAAqC;;QAC/C,IAAI,CAAC,QAAQ,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC;QAClC,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,QAAQ,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,mCAAI,uBAAuB,CAAC;QAC9D,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACtE,IAAI,CAAC,kBAAkB,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,kBAAkB,mCAAI,+BAA+B,CAAC;QACzF,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,kCAChD,OAAO,KACV,sBAAsB,EAAE,OAAO,IAAI,EAAE,IACrC,CAAC;QACH,IAAI,CAAC,8BAA8B,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,8BAA8B,CAAC;IAChF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,kBAAkB,kCAC3E,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IACnE,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,EACvC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,UAAU,CAAC,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,kBAAkB,kCAC1E,UAAU,KACb,8BAA8B,EAAE,KAAK,IACrC,CAAC;YACH,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;QAC5C,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils\";\nimport {\n  DeviceCodeCredentialOptions,\n  DeviceCodeInfo,\n  DeviceCodePromptCallback,\n} from \"./deviceCodeCredentialOptions\";\nimport { AuthenticationRecord } from \"../msal/types\";\nimport { credentialLogger } from \"../util/logging\";\nimport { ensureScopes } from \"../util/scopeUtils\";\nimport { tracingClient } from \"../util/tracing\";\nimport { MsalClient, createMsalClient } from \"../msal/nodeFlows/msalClient\";\nimport { DeveloperSignOnClientId } from \"../constants\";\n\nconst logger = credentialLogger(\"DeviceCodeCredential\");\n\n/**\n * Method that logs the user code from the DeviceCodeCredential.\n * @param deviceCodeInfo - The device code.\n */\nexport function defaultDeviceCodePromptCallback(deviceCodeInfo: DeviceCodeInfo): void {\n  console.log(deviceCodeInfo.message);\n}\n\n/**\n * Enables authentication to Microsoft Entra ID using a device code\n * that the user can enter into https://microsoft.com/devicelogin.\n */\nexport class DeviceCodeCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private disableAutomaticAuthentication?: boolean;\n  private msalClient: MsalClient;\n  private userPromptCallback: DeviceCodePromptCallback;\n\n  /**\n   * Creates an instance of DeviceCodeCredential with the details needed\n   * to initiate the device code authorization flow with Microsoft Entra ID.\n   *\n   * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin\n   *\n   * Developers can configure how this message is shown by passing a custom `userPromptCallback`:\n   *\n   * ```js\n   * const credential = new DeviceCodeCredential({\n   *   tenantId: env.AZURE_TENANT_ID,\n   *   clientId: env.AZURE_CLIENT_ID,\n   *   userPromptCallback: (info) => {\n   *     console.log(\"CUSTOMIZED PROMPT CALLBACK\", info.message);\n   *   }\n   * });\n   * ```\n   *\n   * @param options - Options for configuring the client which makes the authentication requests.\n   */\n  constructor(options?: DeviceCodeCredentialOptions) {\n    this.tenantId = options?.tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const clientId = options?.clientId ?? DeveloperSignOnClientId;\n    const tenantId = resolveTenantId(logger, options?.tenantId, clientId);\n    this.userPromptCallback = options?.userPromptCallback ?? defaultDeviceCodePromptCallback;\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...options,\n      tokenCredentialOptions: options || {},\n    });\n    this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the user provided the option `disableAutomaticAuthentication`,\n   * once the token can't be retrieved silently,\n   * this method won't attempt to request user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, {\n          ...newOptions,\n          disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n        });\n      },\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                  TokenCredential implementation might make.\n   */\n  async authenticate(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AuthenticationRecord | undefined> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.authenticate`,\n      options,\n      async (newOptions) => {\n        const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n        await this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, {\n          ...newOptions,\n          disableAutomaticAuthentication: false, // this method should always allow user interaction\n        });\n        return this.msalClient.getActiveAccount();\n      },\n    );\n  }\n}\n"]}
+{"version":3,"file":"deviceCodeCredential.js","sourceRoot":"","sources":["../../../src/credentials/deviceCodeCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,uBAAuB,CAAC;AAO/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAc,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAEvD,MAAM,MAAM,GAAG,gBAAgB,CAAC,sBAAsB,CAAC,CAAC;AAExD;;;GAGG;AACH,MAAM,UAAU,+BAA+B,CAAC,cAA8B;IAC5E,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IAO/B;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,OAAqC;;QAC/C,IAAI,CAAC,QAAQ,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC;QAClC,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QACF,MAAM,QAAQ,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,mCAAI,uBAAuB,CAAC;QAC9D,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACtE,IAAI,CAAC,kBAAkB,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,kBAAkB,mCAAI,+BAA+B,CAAC;QACzF,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,kCAChD,OAAO,KACV,MAAM,EACN,sBAAsB,EAAE,OAAO,IAAI,EAAE,IACrC,CAAC;QACH,IAAI,CAAC,8BAA8B,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,8BAA8B,CAAC;IAChF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,kBAAkB,kCAC3E,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IACnE,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,EACvC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,UAAU,CAAC,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,kBAAkB,kCAC1E,UAAU,KACb,8BAA8B,EAAE,KAAK,IACrC,CAAC;YACH,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;QAC5C,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils\";\nimport {\n  DeviceCodeCredentialOptions,\n  DeviceCodeInfo,\n  DeviceCodePromptCallback,\n} from \"./deviceCodeCredentialOptions\";\nimport { AuthenticationRecord } from \"../msal/types\";\nimport { credentialLogger } from \"../util/logging\";\nimport { ensureScopes } from \"../util/scopeUtils\";\nimport { tracingClient } from \"../util/tracing\";\nimport { MsalClient, createMsalClient } from \"../msal/nodeFlows/msalClient\";\nimport { DeveloperSignOnClientId } from \"../constants\";\n\nconst logger = credentialLogger(\"DeviceCodeCredential\");\n\n/**\n * Method that logs the user code from the DeviceCodeCredential.\n * @param deviceCodeInfo - The device code.\n */\nexport function defaultDeviceCodePromptCallback(deviceCodeInfo: DeviceCodeInfo): void {\n  console.log(deviceCodeInfo.message);\n}\n\n/**\n * Enables authentication to Microsoft Entra ID using a device code\n * that the user can enter into https://microsoft.com/devicelogin.\n */\nexport class DeviceCodeCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private disableAutomaticAuthentication?: boolean;\n  private msalClient: MsalClient;\n  private userPromptCallback: DeviceCodePromptCallback;\n\n  /**\n   * Creates an instance of DeviceCodeCredential with the details needed\n   * to initiate the device code authorization flow with Microsoft Entra ID.\n   *\n   * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin\n   *\n   * Developers can configure how this message is shown by passing a custom `userPromptCallback`:\n   *\n   * ```js\n   * const credential = new DeviceCodeCredential({\n   *   tenantId: env.AZURE_TENANT_ID,\n   *   clientId: env.AZURE_CLIENT_ID,\n   *   userPromptCallback: (info) => {\n   *     console.log(\"CUSTOMIZED PROMPT CALLBACK\", info.message);\n   *   }\n   * });\n   * ```\n   *\n   * @param options - Options for configuring the client which makes the authentication requests.\n   */\n  constructor(options?: DeviceCodeCredentialOptions) {\n    this.tenantId = options?.tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    const clientId = options?.clientId ?? DeveloperSignOnClientId;\n    const tenantId = resolveTenantId(logger, options?.tenantId, clientId);\n    this.userPromptCallback = options?.userPromptCallback ?? defaultDeviceCodePromptCallback;\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...options,\n      logger,\n      tokenCredentialOptions: options || {},\n    });\n    this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the user provided the option `disableAutomaticAuthentication`,\n   * once the token can't be retrieved silently,\n   * this method won't attempt to request user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, {\n          ...newOptions,\n          disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n        });\n      },\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                  TokenCredential implementation might make.\n   */\n  async authenticate(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AuthenticationRecord | undefined> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.authenticate`,\n      options,\n      async (newOptions) => {\n        const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];\n        await this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, {\n          ...newOptions,\n          disableAutomaticAuthentication: false, // this method should always allow user interaction\n        });\n        return this.msalClient.getActiveAccount();\n      },\n    );\n  }\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js

@@ -1,11 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 import { createHttpHeaders, createPipelineRequest, } from "@azure/core-rest-pipeline";
-import { readFile } from "fs";
 import { AuthenticationError } from "../../errors";
+import { azureArcAPIVersion } from "./constants";
 import { credentialLogger } from "../../util/logging";
+import fs from "node:fs";
 import { mapScopesToResource } from "./utils";
-import { azureArcAPIVersion } from "./constants";
 const msiName = "ManagedIdentityCredential - Azure Arc MSI";
 const logger = credentialLogger(msiName);
 /**
@@ -41,18 +41,6 @@ function prepareRequestOptions(scopes, clientId, resourceId) {
         }),
     });
 }
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync(path, options) {
-    return new Promise((resolve, reject) => readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
-        }
-        resolve(data);
-    }));
-}
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -73,6 +61,43 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+export function platformToFilePath() {
+    switch (process.platform) {
+        case "win32":
+            if (!process.env.PROGRAMDATA) {
+                throw new Error(`${msiName}: PROGRAMDATA environment variable has no value.`);
+            }
+            return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+        case "linux":
+            return "/var/opt/azcmagent/tokens";
+        default:
+            throw new Error(`${msiName}: Unsupported platform ${process.platform}.`);
+    }
+}
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+export function validateKeyFile(filePath) {
+    if (!filePath) {
+        throw new Error(`${msiName}: Failed to find the token file.`);
+    }
+    if (!filePath.endsWith(".key")) {
+        throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const expectedPath = platformToFilePath();
+    if (!filePath.startsWith(expectedPath)) {
+        throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const stats = fs.statSync(filePath);
+    if (stats.size > 4096) {
+        throw new Error(`${msiName}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+    }
+}
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -102,10 +127,8 @@ export const arcMsi = {
         logger.info(`${msiName}: Authenticating.`);
         const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync(filePath, { encoding: "utf-8" });
+        validateKeyFile(filePath);
+        const key = await fs.promises.readFile(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map

@@ -1 +1 @@
-{"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAEL,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC;;GAEG;AACH,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB,EACjB,UAAmB;IAEnB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,eAAe,GAA2B;QAC9C,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE,CAAC;QACb,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;IACvC,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,eAAe,CAAC,UAAU,GAAG,UAAU,CAAC;IAC1C,CAAC;IAED,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,OAAO,qBAAqB,CAAC;QAC3B,8EAA8E;QAC9E,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,IAAY,EAAE,OAAqC;IACxE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA6C;IAE7C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;QAChD,CAAC;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,GAAG,OAAO,2FAA2F,OAAO,EAAE,CAC/G,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,IAAI,EAAE,KAAK;IACX,KAAK,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE;QAC1B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,6EAA6E,CACxF,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;QAEvE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,kGAAkG,CAC7G,CAAC;QACJ,CAAC;QACD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,uGAAuG,CAClH,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAC;QAE3C,MAAM,cAAc,iCAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,KACtD,uBAAuB,EAAE,IAAI,GAC9B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAEvE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kCAAkC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,MAAA,cAAc,CAAC,OAAO,0CAAE,GAAG,CAAC,eAAe,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,qBAAqB,iCAChC,cAAc;YACjB,0FAA0F;YAC1F,uBAAuB,EAAE,IAAI,IAC7B,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACrE,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n  PipelineRequestOptions,\n  createHttpHeaders,\n  createPipelineRequest,\n} from \"@azure/core-rest-pipeline\";\nimport { GetTokenOptions } from \"@azure/core-auth\";\nimport { readFile } from \"fs\";\nimport { AuthenticationError } from \"../../errors\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { mapScopesToResource } from \"./utils\";\nimport { MSI, MSIConfiguration, MSIToken } from \"./models\";\nimport { azureArcAPIVersion } from \"./constants\";\n\nconst msiName = \"ManagedIdentityCredential - Azure Arc MSI\";\nconst logger = credentialLogger(msiName);\n\n/**\n * Generates the options used on the request for an access token.\n */\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string,\n  resourceId?: string,\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n  const queryParameters: Record<string, string> = {\n    resource,\n    \"api-version\": azureArcAPIVersion,\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n  if (resourceId) {\n    queryParameters.msi_res_id = resourceId;\n  }\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.IDENTITY_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);\n  }\n\n  const query = new URLSearchParams(queryParameters);\n\n  return createPipelineRequest({\n    // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n    url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Metadata: \"true\",\n    }),\n  });\n}\n\n/**\n * Retrieves the file contents at the given path using promises.\n * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.\n */\nfunction readFileAsync(path: string, options: { encoding: BufferEncoding }): Promise<string> {\n  return new Promise((resolve, reject) =>\n    readFile(path, options, (err, data) => {\n      if (err) {\n        reject(err);\n      }\n      resolve(data);\n    }),\n  );\n}\n\n/**\n * Does a request to the authentication provider that results in a file path.\n */\nasync function filePathRequest(\n  identityClient: IdentityClient,\n  requestPrepareOptions: PipelineRequestOptions,\n): Promise<string | undefined> {\n  const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));\n\n  if (response.status !== 401) {\n    let message = \"\";\n    if (response.bodyAsText) {\n      message = ` Response: ${response.bodyAsText}`;\n    }\n    throw new AuthenticationError(\n      response.status,\n      `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`,\n    );\n  }\n\n  const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n  try {\n    return authHeader.split(\"=\").slice(1)[0];\n  } catch (e: any) {\n    throw Error(`Invalid www-authenticate header format: ${authHeader}`);\n  }\n}\n\n/**\n * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.\n */\nexport const arcMsi: MSI = {\n  name: \"arc\",\n  async isAvailable({ scopes }): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n    if (!result) {\n      logger.info(\n        `${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`,\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {},\n  ): Promise<MSIToken | null> {\n    const { identityClient, scopes, clientId, resourceId } = configuration;\n\n    if (clientId) {\n      logger.warning(\n        `${msiName}: user-assigned identities not supported. The argument clientId might be ignored by the service.`,\n      );\n    }\n    if (resourceId) {\n      logger.warning(\n        `${msiName}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`,\n      );\n    }\n\n    logger.info(`${msiName}: Authenticating.`);\n\n    const requestOptions = {\n      disableJsonStringifyOnBody: true,\n      deserializationMapper: undefined,\n      abortSignal: getTokenOptions.abortSignal,\n      ...prepareRequestOptions(scopes, clientId, resourceId),\n      allowInsecureConnection: true,\n    };\n\n    const filePath = await filePathRequest(identityClient, requestOptions);\n\n    if (!filePath) {\n      throw new Error(`${msiName}: Failed to find the token file.`);\n    }\n\n    const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n    requestOptions.headers?.set(\"Authorization\", `Basic ${key}`);\n\n    const request = createPipelineRequest({\n      ...requestOptions,\n      // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).\n      allowInsecureConnection: true,\n    });\n    const tokenResponse = await identityClient.sendTokenRequest(request);\n    return (tokenResponse && tokenResponse.accessToken) || null;\n  },\n};\n"]}
+{"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAEL,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC;;GAEG;AACH,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB,EACjB,UAAmB;IAEnB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,eAAe,GAA2B;QAC9C,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE,CAAC;QACb,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;IACvC,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,eAAe,CAAC,UAAU,GAAG,UAAU,CAAC;IAC1C,CAAC;IAED,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,OAAO,qBAAqB,CAAC;QAC3B,8EAA8E;QAC9E,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA6C;IAE7C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;QAChD,CAAC;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,GAAG,OAAO,2FAA2F,OAAO,EAAE,CAC/G,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,QAAQ,OAAO,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,OAAO;YACV,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kDAAkD,CAAC,CAAC;YAChF,CAAC;YACD,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,sCAAsC,CAAC;QAC1E,KAAK,OAAO;YACV,OAAO,2BAA2B,CAAC;QACrC;YACE,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,0BAA0B,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,QAAiB;IAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kCAAkC,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,QAAQ,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,QAAQ,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,GAAG,OAAO,iBAAiB,QAAQ,+BAA+B,KAAK,CAAC,IAAI,SAAS,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,IAAI,EAAE,KAAK;IACX,KAAK,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE;QAC1B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,6EAA6E,CACxF,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;QAEvE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,kGAAkG,CAC7G,CAAC;QACJ,CAAC;QACD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,uGAAuG,CAClH,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAC;QAE3C,MAAM,cAAc,iCAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,KACtD,uBAAuB,EAAE,IAAI,GAC9B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QACvE,eAAe,CAAC,QAAQ,CAAC,CAAC;QAE1B,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACxE,MAAA,cAAc,CAAC,OAAO,0CAAE,GAAG,CAAC,eAAe,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,qBAAqB,iCAChC,cAAc;YACjB,0FAA0F;YAC1F,uBAAuB,EAAE,IAAI,IAC7B,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACrE,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { MSI, MSIConfiguration, MSIToken } from \"./models\";\nimport {\n  PipelineRequestOptions,\n  createHttpHeaders,\n  createPipelineRequest,\n} from \"@azure/core-rest-pipeline\";\n\nimport { AuthenticationError } from \"../../errors\";\nimport { GetTokenOptions } from \"@azure/core-auth\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { credentialLogger } from \"../../util/logging\";\nimport fs from \"node:fs\";\nimport { mapScopesToResource } from \"./utils\";\n\nconst msiName = \"ManagedIdentityCredential - Azure Arc MSI\";\nconst logger = credentialLogger(msiName);\n\n/**\n * Generates the options used on the request for an access token.\n */\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string,\n  resourceId?: string,\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n  const queryParameters: Record<string, string> = {\n    resource,\n    \"api-version\": azureArcAPIVersion,\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n  if (resourceId) {\n    queryParameters.msi_res_id = resourceId;\n  }\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.IDENTITY_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);\n  }\n\n  const query = new URLSearchParams(queryParameters);\n\n  return createPipelineRequest({\n    // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n    url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Metadata: \"true\",\n    }),\n  });\n}\n\n/**\n * Does a request to the authentication provider that results in a file path.\n */\nasync function filePathRequest(\n  identityClient: IdentityClient,\n  requestPrepareOptions: PipelineRequestOptions,\n): Promise<string | undefined> {\n  const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));\n\n  if (response.status !== 401) {\n    let message = \"\";\n    if (response.bodyAsText) {\n      message = ` Response: ${response.bodyAsText}`;\n    }\n    throw new AuthenticationError(\n      response.status,\n      `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`,\n    );\n  }\n\n  const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n  try {\n    return authHeader.split(\"=\").slice(1)[0];\n  } catch (e: any) {\n    throw Error(`Invalid www-authenticate header format: ${authHeader}`);\n  }\n}\n\nexport function platformToFilePath(): string {\n  switch (process.platform) {\n    case \"win32\":\n      if (!process.env.PROGRAMDATA) {\n        throw new Error(`${msiName}: PROGRAMDATA environment variable has no value.`);\n      }\n      return `${process.env.PROGRAMDATA}\\\\AzureConnectedMachineAgent\\\\Tokens`;\n    case \"linux\":\n      return \"/var/opt/azcmagent/tokens\";\n    default:\n      throw new Error(`${msiName}: Unsupported platform ${process.platform}.`);\n  }\n}\n\n/**\n * Validates that a given Azure Arc MSI file path is valid for use.\n *\n * A valid file will:\n * 1. Be in the expected path for the current platform.\n * 2. Have a `.key` extension.\n * 3. Be at most 4096 bytes in size.\n */\nexport function validateKeyFile(filePath?: string): asserts filePath is string {\n  if (!filePath) {\n    throw new Error(`${msiName}: Failed to find the token file.`);\n  }\n\n  if (!filePath.endsWith(\".key\")) {\n    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);\n  }\n\n  const expectedPath = platformToFilePath();\n  if (!filePath.startsWith(expectedPath)) {\n    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);\n  }\n\n  const stats = fs.statSync(filePath);\n  if (stats.size > 4096) {\n    throw new Error(\n      `${msiName}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`,\n    );\n  }\n}\n\n/**\n * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.\n */\nexport const arcMsi: MSI = {\n  name: \"arc\",\n  async isAvailable({ scopes }): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n    if (!result) {\n      logger.info(\n        `${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`,\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {},\n  ): Promise<MSIToken | null> {\n    const { identityClient, scopes, clientId, resourceId } = configuration;\n\n    if (clientId) {\n      logger.warning(\n        `${msiName}: user-assigned identities not supported. The argument clientId might be ignored by the service.`,\n      );\n    }\n    if (resourceId) {\n      logger.warning(\n        `${msiName}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`,\n      );\n    }\n\n    logger.info(`${msiName}: Authenticating.`);\n\n    const requestOptions = {\n      disableJsonStringifyOnBody: true,\n      deserializationMapper: undefined,\n      abortSignal: getTokenOptions.abortSignal,\n      ...prepareRequestOptions(scopes, clientId, resourceId),\n      allowInsecureConnection: true,\n    };\n\n    const filePath = await filePathRequest(identityClient, requestOptions);\n    validateKeyFile(filePath);\n\n    const key = await fs.promises.readFile(filePath, { encoding: \"utf-8\" });\n    requestOptions.headers?.set(\"Authorization\", `Basic ${key}`);\n\n    const request = createPipelineRequest({\n      ...requestOptions,\n      // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).\n      allowInsecureConnection: true,\n    });\n    const tokenResponse = await identityClient.sendTokenRequest(request);\n    return (tokenResponse && tokenResponse.accessToken) || null;\n  },\n};\n"]}

package/dist-esm/src/msal/nodeFlows/msalClient.js

@@ -288,6 +288,28 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
         return msalToPublic(clientId, state.cachedAccount);
     }
+    async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using authorization code`);
+        let msalApp;
+        if (clientSecret) {
+            // If a client secret is provided, we need to use a confidential client application
+            // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret
+            state.msalConfig.auth.clientSecret = clientSecret;
+            msalApp = await getConfidentialApp(options);
+        }
+        else {
+            msalApp = await getPublicApp(options);
+        }
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            return msalApp.acquireTokenByCode({
+                scopes,
+                redirectUri,
+                code: authorizationCode,
+                authority: state.msalConfig.auth.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            });
+        });
+    }
     return {
         getActiveAccount,
         getTokenByClientSecret,
@@ -295,6 +317,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         getTokenByClientCertificate,
         getTokenByDeviceCode,
         getTokenByUsernamePassword,
+        getTokenByAuthorizationCode,
     };
 }
 //# sourceMappingURL=msalClient.js.map

package/dist-esm/src/msal/nodeFlows/msalClient.js.map

@@ -1 +1 @@
-{"version":3,"file":"msalClient.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAGzC,OAAO,EAAuB,WAAW,EAAE,MAAM,eAAe,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,YAAY,GACb,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAG3D;;GAEG;AACH,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;AAsGlD;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,QAAgB,EAChB,oBAAuC,EAAE;;IAEzC,MAAM,cAAc,GAAG,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAEvE,sDAAsD;IACtD,MAAM,SAAS,GAAG,YAAY,CAC5B,cAAc,EACd,MAAA,iBAAiB,CAAC,aAAa,mCAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CACpE,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,cAAc,iCAChC,iBAAiB,CAAC,sBAAsB,KAC3C,aAAa,EAAE,SAAS,EACxB,cAAc,EAAE,iBAAiB,CAAC,cAAc,IAChD,CAAC;IAEH,MAAM,UAAU,GAAuB;QACrC,IAAI,EAAE;YACJ,QAAQ;YACR,SAAS;YACT,gBAAgB,EAAE,mBAAmB,CACnC,cAAc,EACd,SAAS,EACT,iBAAiB,CAAC,wBAAwB,CAC3C;SACF;QACD,MAAM,EAAE;YACN,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE;gBACb,cAAc,EAAE,qBAAqB,CAAC,MAAA,iBAAiB,CAAC,MAAM,mCAAI,UAAU,CAAC;gBAC7E,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;gBACxC,iBAAiB,EAAE,MAAA,iBAAiB,CAAC,cAAc,0CAAE,0BAA0B;aAChF;SACF;KACF,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAsBD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,0BAA6C,EAAE;IAE/C,MAAM,KAAK,GAAoB;QAC7B,UAAU,EAAE,yBAAyB,CAAC,QAAQ,EAAE,QAAQ,EAAE,uBAAuB,CAAC;QAClF,aAAa,EAAE,uBAAuB,CAAC,oBAAoB;YACzD,CAAC,CAAC,YAAY,CAAC,uBAAuB,CAAC,oBAAoB,CAAC;YAC5D,CAAC,CAAC,IAAI;QACR,mBAAmB,EAAE,WAAW,CAAC,2BAA2B,CAAC,uBAAuB,CAAC;KACtF,CAAC;IAEF,MAAM,UAAU,GAA8C,IAAI,GAAG,EAAE,CAAC;IACxE,KAAK,UAAU,YAAY,CACzB,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,eAAe,EAAE,CAAC;YACpB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;YAC3F,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,oCAAoC;QACpC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,iDAAiD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAC/F,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,eAAe,GAAG,IAAI,IAAI,CAAC,uBAAuB,iCAC7C,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExC,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,gBAAgB,GAAoD,IAAI,GAAG,EAAE,CAAC;IACpF,KAAK,UAAU,kBAAkB,CAC/B,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,qBAAqB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,qBAAqB,EAAE,CAAC;YAC1B,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,sEAAsE,CACvE,CAAC;YACF,OAAO,qBAAqB,CAAC;QAC/B,CAAC;QAED,oCAAoC;QACpC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,uDAAuD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CACrG,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,qBAAqB,GAAG,IAAI,IAAI,CAAC,6BAA6B,iCACzD,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAEpD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,cAAc,CAC3B,GAAsE,EACtE,MAAgB,EAChB,UAA2B,EAAE;QAE7B,IAAI,KAAK,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YACjC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,gFAAgF,CACjF,CAAC;YACF,MAAM,KAAK,GAAG,GAAG,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;YAE9C,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpD,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,UAAU,CAAC,IAAI,CAAC;;;;6KAIqJ,CAAC,CAAC;gBACvK,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,KAAK,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,MAAM,aAAa,GAA2B;YAC5C,OAAO,EAAE,KAAK,CAAC,aAAa;YAC5B,MAAM;YACN,MAAM,EAAE,KAAK,CAAC,YAAY;SAC3B,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,aAAa,CAAC,oBAAoB,KAAlC,aAAa,CAAC,oBAAoB,GAAK,EAAE,EAAC;YAC1C,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,aAAa,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,sBAAsB,CAAC;YACnF,CAAC;QACH,CAAC;QAED,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACjE,OAAO,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,UAAU,wBAAwB,CACrC,OAA0E,EAC1E,MAAqB,EACrB,OAAsC,EACtC,wBAAyE;;QAEzE,IAAI,QAAQ,GAAqC,IAAI,CAAC;QACtD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC7C,MAAM,CAAC,CAAC;YACV,CAAC;YACD,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,2BAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EACL,uFAAuF;iBAC1F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;YAC9C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,mCAAI,IAAI,CAAC;QAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;QAEhD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;SACjD,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,MAAgB,EAChB,YAAoB,EACpB,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE5E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QAElD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,yBAAyB,CACtC,MAAgB,EAChB,eAAuB,EACvB,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAE/E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;gBACvB,eAAe;aAChB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAA6B,EAC7B,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEjF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QAEtD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,MAAgB,EAChB,kBAA4C,EAC5C,UAAyC,EAAE;QAE3C,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAE1E,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;;YAC7D,MAAM,cAAc,GAA2B;gBAC7C,MAAM;gBACN,MAAM,EAAE,MAAA,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,WAAW,0CAAE,OAAO,mCAAI,KAAK;gBAC9C,kBAAkB;gBAClB,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YACF,MAAM,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC,cAAc,CAAC,CAAC;YAC3E,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBACjD,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,iBAAiB,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,0BAA0B,CACvC,MAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;QAEpF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAAiC;gBACnD,MAAM;gBACN,QAAQ;gBACR,QAAQ;gBACR,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YAEF,OAAO,OAAO,CAAC,8BAA8B,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB;QACvB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,YAAY,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,sBAAsB;QACtB,yBAAyB;QACzB,2BAA2B;QAC3B,oBAAoB;QACpB,0BAA0B;KAC3B,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport * as msal from \"@azure/msal-node\";\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { PluginConfiguration, msalPlugins } from \"./msalPlugins\";\nimport { credentialLogger, formatSuccess } from \"../../util/logging\";\nimport {\n  defaultLoggerCallback,\n  ensureValidMsalToken,\n  getAuthority,\n  getKnownAuthorities,\n  getMSALLogLevel,\n  handleMsalError,\n  msalToPublic,\n  publicToMsal,\n} from \"../utils\";\n\nimport { AuthenticationRequiredError } from \"../../errors\";\nimport { AuthenticationRecord, CertificateParts } from \"../types\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { MsalNodeOptions } from \"./msalNodeCommon\";\nimport { calculateRegionalAuthority } from \"../../regionalAuthority\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { resolveTenantId } from \"../../util/tenantIdUtils\";\nimport { DeviceCodePromptCallback } from \"../../credentials/deviceCodeCredentialOptions\";\n\n/**\n * The logger for all MsalClient instances.\n */\nconst msalLogger = credentialLogger(\"MsalClient\");\n\nexport interface GetTokenWithSilentAuthOptions extends GetTokenOptions {\n  /**\n   * Disables automatic authentication. If set to true, the method will throw an error if the user needs to authenticate.\n   *\n   * @remarks\n   *\n   * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.\n   */\n  disableAutomaticAuthentication?: boolean;\n}\n\n/**\n * Represents a client for interacting with the Microsoft Authentication Library (MSAL).\n */\nexport interface MsalClient {\n  /**\n   * Retrieves an access token by using a user's username and password.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param username - The username provided by the developer.\n   * @param password - The user's password provided by the developer.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByUsernamePassword(\n    scopes: string[],\n    username: string,\n    password: string,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n  /**\n   * Retrieves an access token by prompting the user to authenticate using a device code.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param userPromptCallback - The callback function that allows developers to customize the prompt message.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByDeviceCode(\n    scopes: string[],\n    userPromptCallback: DeviceCodePromptCallback,\n    options?: GetTokenWithSilentAuthOptions,\n  ): Promise<AccessToken>;\n  /**\n   * Retrieves an access token by using a client certificate.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param certificate - The client certificate used for authentication.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByClientCertificate(\n    scopes: string[],\n    certificate: CertificateParts,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves an access token by using a client assertion.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param clientAssertion - The client assertion used for authentication.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByClientAssertion(\n    scopes: string[],\n    clientAssertion: string,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves an access token by using a client secret.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param clientSecret - The client secret of the application. This is a credential that the application can use to authenticate itself.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByClientSecret(\n    scopes: string[],\n    clientSecret: string,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.\n   *\n   * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.\n   */\n  getActiveAccount(): AuthenticationRecord | undefined;\n}\n\n/**\n * Options for creating an instance of the MsalClient.\n */\nexport type MsalClientOptions = Partial<\n  Omit<MsalNodeOptions, \"clientId\" | \"tenantId\" | \"disableAutomaticAuthentication\">\n>;\n\n/**\n * Generates the configuration for MSAL (Microsoft Authentication Library).\n *\n * @param clientId - The client ID of the application.\n * @param  tenantId - The tenant ID of the Azure Active Directory.\n * @param  msalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns  The MSAL configuration object.\n */\nexport function generateMsalConfiguration(\n  clientId: string,\n  tenantId: string,\n  msalClientOptions: MsalClientOptions = {},\n): msal.Configuration {\n  const resolvedTenant = resolveTenantId(msalLogger, tenantId, clientId);\n\n  // TODO: move and reuse getIdentityClientAuthorityHost\n  const authority = getAuthority(\n    resolvedTenant,\n    msalClientOptions.authorityHost ?? process.env.AZURE_AUTHORITY_HOST,\n  );\n\n  const httpClient = new IdentityClient({\n    ...msalClientOptions.tokenCredentialOptions,\n    authorityHost: authority,\n    loggingOptions: msalClientOptions.loggingOptions,\n  });\n\n  const msalConfig: msal.Configuration = {\n    auth: {\n      clientId,\n      authority,\n      knownAuthorities: getKnownAuthorities(\n        resolvedTenant,\n        authority,\n        msalClientOptions.disableInstanceDiscovery,\n      ),\n    },\n    system: {\n      networkClient: httpClient,\n      loggerOptions: {\n        loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),\n        logLevel: getMSALLogLevel(getLogLevel()),\n        piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,\n      },\n    },\n  };\n  return msalConfig;\n}\n\n/**\n * Represents the state necessary for the MSAL (Microsoft Authentication Library) client to operate.\n * This includes the MSAL configuration, cached account information, Azure region, and a flag to disable automatic authentication.\n *\n * @internal\n */\ninterface MsalClientState {\n  /** The configuration for the MSAL client. */\n  msalConfig: msal.Configuration;\n\n  /** The cached account information, or null if no account information is cached. */\n  cachedAccount: msal.AccountInfo | null;\n\n  /** Configured plugins */\n  pluginConfiguration: PluginConfiguration;\n\n  /** Claims received from challenges, cached for the next request */\n  cachedClaims?: string;\n}\n\n/**\n * Creates an instance of the MSAL (Microsoft Authentication Library) client.\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns An instance of the MSAL client.\n *\n * @public\n */\nexport function createMsalClient(\n  clientId: string,\n  tenantId: string,\n  createMsalClientOptions: MsalClientOptions = {},\n): MsalClient {\n  const state: MsalClientState = {\n    msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),\n    cachedAccount: createMsalClientOptions.authenticationRecord\n      ? publicToMsal(createMsalClientOptions.authenticationRecord)\n      : null,\n    pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),\n  };\n\n  const publicApps: Map<string, msal.PublicClientApplication> = new Map();\n  async function getPublicApp(\n    options: GetTokenOptions = {},\n  ): Promise<msal.PublicClientApplication> {\n    const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n    let publicClientApp = publicApps.get(appKey);\n    if (publicClientApp) {\n      msalLogger.getToken.info(\"Existing PublicClientApplication found in cache, returning it.\");\n      return publicClientApp;\n    }\n\n    // Initialize a new app and cache it\n    msalLogger.getToken.info(\n      `Creating new PublicClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n    );\n\n    const cachePlugin = options.enableCae\n      ? state.pluginConfiguration.cache.cachePluginCae\n      : state.pluginConfiguration.cache.cachePlugin;\n\n    state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n    publicClientApp = new msal.PublicClientApplication({\n      ...state.msalConfig,\n      broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n      cache: { cachePlugin: await cachePlugin },\n    });\n\n    publicApps.set(appKey, publicClientApp);\n\n    return publicClientApp;\n  }\n\n  const confidentialApps: Map<string, msal.ConfidentialClientApplication> = new Map();\n  async function getConfidentialApp(\n    options: GetTokenOptions = {},\n  ): Promise<msal.ConfidentialClientApplication> {\n    const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n    let confidentialClientApp = confidentialApps.get(appKey);\n    if (confidentialClientApp) {\n      msalLogger.getToken.info(\n        \"Existing ConfidentialClientApplication found in cache, returning it.\",\n      );\n      return confidentialClientApp;\n    }\n\n    // Initialize a new app and cache it\n    msalLogger.getToken.info(\n      `Creating new ConfidentialClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n    );\n\n    const cachePlugin = options.enableCae\n      ? state.pluginConfiguration.cache.cachePluginCae\n      : state.pluginConfiguration.cache.cachePlugin;\n\n    state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n    confidentialClientApp = new msal.ConfidentialClientApplication({\n      ...state.msalConfig,\n      broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n      cache: { cachePlugin: await cachePlugin },\n    });\n\n    confidentialApps.set(appKey, confidentialClientApp);\n\n    return confidentialClientApp;\n  }\n\n  async function getTokenSilent(\n    app: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n    scopes: string[],\n    options: GetTokenOptions = {},\n  ): Promise<msal.AuthenticationResult> {\n    if (state.cachedAccount === null) {\n      msalLogger.getToken.info(\n        \"No cached account found in local state, attempting to load it from MSAL cache.\",\n      );\n      const cache = app.getTokenCache();\n      const accounts = await cache.getAllAccounts();\n\n      if (accounts === undefined || accounts.length === 0) {\n        throw new AuthenticationRequiredError({ scopes });\n      }\n\n      if (accounts.length > 1) {\n        msalLogger.info(`More than one account was found authenticated for this Client ID and Tenant ID.\nHowever, no \"authenticationRecord\" has been provided for this credential,\ntherefore we're unable to pick between these accounts.\nA new login attempt will be requested, to ensure the correct account is picked.\nTo work with multiple accounts for the same Client ID and Tenant ID, please provide an \"authenticationRecord\" when initializing a credential to prevent this from happening.`);\n        throw new AuthenticationRequiredError({ scopes });\n      }\n\n      state.cachedAccount = accounts[0];\n    }\n\n    // Keep track and reuse the claims we received across challenges\n    if (options.claims) {\n      state.cachedClaims = options.claims;\n    }\n\n    const silentRequest: msal.SilentFlowRequest = {\n      account: state.cachedAccount,\n      scopes,\n      claims: state.cachedClaims,\n    };\n\n    if (state.pluginConfiguration.broker.isEnabled) {\n      silentRequest.tokenQueryParameters ||= {};\n      if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n        silentRequest.tokenQueryParameters[\"msal_request_type\"] = \"consumer_passthrough\";\n      }\n    }\n\n    msalLogger.getToken.info(\"Attempting to acquire token silently\");\n    return app.acquireTokenSilent(silentRequest);\n  }\n\n  /**\n   * Performs silent authentication using MSAL to acquire an access token.\n   * If silent authentication fails, falls back to interactive authentication.\n   *\n   * @param msalApp - The MSAL application instance.\n   * @param scopes - The scopes for which to acquire the access token.\n   * @param options - The options for acquiring the access token.\n   * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.\n   * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.\n   */\n  async function withSilentAuthentication(\n    msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n    scopes: Array<string>,\n    options: GetTokenWithSilentAuthOptions,\n    onAuthenticationRequired: () => Promise<msal.AuthenticationResult | null>,\n  ): Promise<AccessToken> {\n    let response: msal.AuthenticationResult | null = null;\n    try {\n      response = await getTokenSilent(msalApp, scopes, options);\n    } catch (e: any) {\n      if (e.name !== \"AuthenticationRequiredError\") {\n        throw e;\n      }\n      if (options.disableAutomaticAuthentication) {\n        throw new AuthenticationRequiredError({\n          scopes,\n          getTokenOptions: options,\n          message:\n            \"Automatic authentication has been disabled. You may call the authentication() method.\",\n        });\n      }\n    }\n\n    // Silent authentication failed\n    if (response === null) {\n      try {\n        response = await onAuthenticationRequired();\n      } catch (err: any) {\n        throw handleMsalError(scopes, err, options);\n      }\n    }\n\n    // At this point we should have a token, process it\n    ensureValidMsalToken(scopes, response, options);\n    state.cachedAccount = response?.account ?? null;\n\n    msalLogger.getToken.info(formatSuccess(scopes));\n\n    return {\n      token: response.accessToken,\n      expiresOnTimestamp: response.expiresOn.getTime(),\n    };\n  }\n\n  async function getTokenByClientSecret(\n    scopes: string[],\n    clientSecret: string,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using client secret`);\n\n    state.msalConfig.auth.clientSecret = clientSecret;\n\n    const msalApp = await getConfidentialApp(options);\n\n    try {\n      const response = await msalApp.acquireTokenByClientCredential({\n        scopes,\n        authority: state.msalConfig.auth.authority,\n        azureRegion: calculateRegionalAuthority(),\n        claims: options?.claims,\n      });\n      ensureValidMsalToken(scopes, response, options);\n\n      msalLogger.getToken.info(formatSuccess(scopes));\n\n      return {\n        token: response.accessToken,\n        expiresOnTimestamp: response.expiresOn.getTime(),\n      };\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n\n  async function getTokenByClientAssertion(\n    scopes: string[],\n    clientAssertion: string,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using client assertion`);\n\n    state.msalConfig.auth.clientAssertion = clientAssertion;\n\n    const msalApp = await getConfidentialApp(options);\n\n    try {\n      const response = await msalApp.acquireTokenByClientCredential({\n        scopes,\n        authority: state.msalConfig.auth.authority,\n        azureRegion: calculateRegionalAuthority(),\n        claims: options?.claims,\n        clientAssertion,\n      });\n      ensureValidMsalToken(scopes, response, options);\n\n      msalLogger.getToken.info(formatSuccess(scopes));\n\n      return {\n        token: response.accessToken,\n        expiresOnTimestamp: response.expiresOn.getTime(),\n      };\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n\n  async function getTokenByClientCertificate(\n    scopes: string[],\n    certificate: CertificateParts,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using client certificate`);\n\n    state.msalConfig.auth.clientCertificate = certificate;\n\n    const msalApp = await getConfidentialApp(options);\n    try {\n      const response = await msalApp.acquireTokenByClientCredential({\n        scopes,\n        authority: state.msalConfig.auth.authority,\n        azureRegion: calculateRegionalAuthority(),\n        claims: options?.claims,\n      });\n      ensureValidMsalToken(scopes, response, options);\n\n      msalLogger.getToken.info(formatSuccess(scopes));\n\n      return {\n        token: response.accessToken,\n        expiresOnTimestamp: response.expiresOn.getTime(),\n      };\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n\n  async function getTokenByDeviceCode(\n    scopes: string[],\n    deviceCodeCallback: DeviceCodePromptCallback,\n    options: GetTokenWithSilentAuthOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using device code`);\n\n    const msalApp = await getPublicApp(options);\n\n    return withSilentAuthentication(msalApp, scopes, options, () => {\n      const requestOptions: msal.DeviceCodeRequest = {\n        scopes,\n        cancel: options?.abortSignal?.aborted ?? false,\n        deviceCodeCallback,\n        authority: state.msalConfig.auth.authority,\n        claims: options?.claims,\n      };\n      const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);\n      if (options.abortSignal) {\n        options.abortSignal.addEventListener(\"abort\", () => {\n          requestOptions.cancel = true;\n        });\n      }\n\n      return deviceCodeRequest;\n    });\n  }\n\n  async function getTokenByUsernamePassword(\n    scopes: string[],\n    username: string,\n    password: string,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using username and password`);\n\n    const msalApp = await getPublicApp(options);\n\n    return withSilentAuthentication(msalApp, scopes, options, () => {\n      const requestOptions: msal.UsernamePasswordRequest = {\n        scopes,\n        username,\n        password,\n        authority: state.msalConfig.auth.authority,\n        claims: options?.claims,\n      };\n\n      return msalApp.acquireTokenByUsernamePassword(requestOptions);\n    });\n  }\n\n  function getActiveAccount(): AuthenticationRecord | undefined {\n    if (!state.cachedAccount) {\n      return undefined;\n    }\n    return msalToPublic(clientId, state.cachedAccount);\n  }\n\n  return {\n    getActiveAccount,\n    getTokenByClientSecret,\n    getTokenByClientAssertion,\n    getTokenByClientCertificate,\n    getTokenByDeviceCode,\n    getTokenByUsernamePassword,\n  };\n}\n"]}
+{"version":3,"file":"msalClient.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAGzC,OAAO,EAAuB,WAAW,EAAE,MAAM,eAAe,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,YAAY,GACb,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAG3D;;GAEG;AACH,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;AA0HlD;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,QAAgB,EAChB,oBAAuC,EAAE;;IAEzC,MAAM,cAAc,GAAG,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAEvE,sDAAsD;IACtD,MAAM,SAAS,GAAG,YAAY,CAC5B,cAAc,EACd,MAAA,iBAAiB,CAAC,aAAa,mCAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CACpE,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,cAAc,iCAChC,iBAAiB,CAAC,sBAAsB,KAC3C,aAAa,EAAE,SAAS,EACxB,cAAc,EAAE,iBAAiB,CAAC,cAAc,IAChD,CAAC;IAEH,MAAM,UAAU,GAAuB;QACrC,IAAI,EAAE;YACJ,QAAQ;YACR,SAAS;YACT,gBAAgB,EAAE,mBAAmB,CACnC,cAAc,EACd,SAAS,EACT,iBAAiB,CAAC,wBAAwB,CAC3C;SACF;QACD,MAAM,EAAE;YACN,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE;gBACb,cAAc,EAAE,qBAAqB,CAAC,MAAA,iBAAiB,CAAC,MAAM,mCAAI,UAAU,CAAC;gBAC7E,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;gBACxC,iBAAiB,EAAE,MAAA,iBAAiB,CAAC,cAAc,0CAAE,0BAA0B;aAChF;SACF;KACF,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAsBD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,0BAA6C,EAAE;IAE/C,MAAM,KAAK,GAAoB;QAC7B,UAAU,EAAE,yBAAyB,CAAC,QAAQ,EAAE,QAAQ,EAAE,uBAAuB,CAAC;QAClF,aAAa,EAAE,uBAAuB,CAAC,oBAAoB;YACzD,CAAC,CAAC,YAAY,CAAC,uBAAuB,CAAC,oBAAoB,CAAC;YAC5D,CAAC,CAAC,IAAI;QACR,mBAAmB,EAAE,WAAW,CAAC,2BAA2B,CAAC,uBAAuB,CAAC;KACtF,CAAC;IAEF,MAAM,UAAU,GAA8C,IAAI,GAAG,EAAE,CAAC;IACxE,KAAK,UAAU,YAAY,CACzB,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,eAAe,EAAE,CAAC;YACpB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;YAC3F,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,oCAAoC;QACpC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,iDAAiD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAC/F,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,eAAe,GAAG,IAAI,IAAI,CAAC,uBAAuB,iCAC7C,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExC,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,gBAAgB,GAAoD,IAAI,GAAG,EAAE,CAAC;IACpF,KAAK,UAAU,kBAAkB,CAC/B,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,qBAAqB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,qBAAqB,EAAE,CAAC;YAC1B,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,sEAAsE,CACvE,CAAC;YACF,OAAO,qBAAqB,CAAC;QAC/B,CAAC;QAED,oCAAoC;QACpC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,uDAAuD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CACrG,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,qBAAqB,GAAG,IAAI,IAAI,CAAC,6BAA6B,iCACzD,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAEpD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,cAAc,CAC3B,GAAsE,EACtE,MAAgB,EAChB,UAA2B,EAAE;QAE7B,IAAI,KAAK,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YACjC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,gFAAgF,CACjF,CAAC;YACF,MAAM,KAAK,GAAG,GAAG,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;YAE9C,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpD,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,UAAU,CAAC,IAAI,CAAC;;;;6KAIqJ,CAAC,CAAC;gBACvK,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,KAAK,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,MAAM,aAAa,GAA2B;YAC5C,OAAO,EAAE,KAAK,CAAC,aAAa;YAC5B,MAAM;YACN,MAAM,EAAE,KAAK,CAAC,YAAY;SAC3B,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,aAAa,CAAC,oBAAoB,KAAlC,aAAa,CAAC,oBAAoB,GAAK,EAAE,EAAC;YAC1C,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,aAAa,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,sBAAsB,CAAC;YACnF,CAAC;QACH,CAAC;QAED,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACjE,OAAO,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,UAAU,wBAAwB,CACrC,OAA0E,EAC1E,MAAqB,EACrB,OAAsC,EACtC,wBAAyE;;QAEzE,IAAI,QAAQ,GAAqC,IAAI,CAAC;QACtD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC7C,MAAM,CAAC,CAAC;YACV,CAAC;YACD,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,2BAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EACL,uFAAuF;iBAC1F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;YAC9C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,mCAAI,IAAI,CAAC;QAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;QAEhD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;SACjD,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,MAAgB,EAChB,YAAoB,EACpB,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE5E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QAElD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,yBAAyB,CACtC,MAAgB,EAChB,eAAuB,EACvB,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAE/E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;gBACvB,eAAe;aAChB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAA6B,EAC7B,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEjF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QAEtD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,MAAgB,EAChB,kBAA4C,EAC5C,UAAyC,EAAE;QAE3C,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAE1E,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;;YAC7D,MAAM,cAAc,GAA2B;gBAC7C,MAAM;gBACN,MAAM,EAAE,MAAA,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,WAAW,0CAAE,OAAO,mCAAI,KAAK;gBAC9C,kBAAkB;gBAClB,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YACF,MAAM,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC,cAAc,CAAC,CAAC;YAC3E,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBACjD,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,iBAAiB,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,0BAA0B,CACvC,MAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;QAEpF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAAiC;gBACnD,MAAM;gBACN,QAAQ;gBACR,QAAQ;gBACR,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YAEF,OAAO,OAAO,CAAC,8BAA8B,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB;QACvB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,YAAY,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAAmB,EACnB,iBAAyB,EACzB,YAAqB,EACrB,UAAyC,EAAE;QAE3C,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEjF,IAAI,OAA0E,CAAC;QAC/E,IAAI,YAAY,EAAE,CAAC;YACjB,mFAAmF;YACnF,gIAAgI;YAChI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;YAClD,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,OAAO,OAAO,CAAC,kBAAkB,CAAC;gBAChC,MAAM;gBACN,WAAW;gBACX,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;gBAC1C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,sBAAsB;QACtB,yBAAyB;QACzB,2BAA2B;QAC3B,oBAAoB;QACpB,0BAA0B;QAC1B,2BAA2B;KAC5B,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport * as msal from \"@azure/msal-node\";\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { PluginConfiguration, msalPlugins } from \"./msalPlugins\";\nimport { credentialLogger, formatSuccess } from \"../../util/logging\";\nimport {\n  defaultLoggerCallback,\n  ensureValidMsalToken,\n  getAuthority,\n  getKnownAuthorities,\n  getMSALLogLevel,\n  handleMsalError,\n  msalToPublic,\n  publicToMsal,\n} from \"../utils\";\n\nimport { AuthenticationRequiredError } from \"../../errors\";\nimport { AuthenticationRecord, CertificateParts } from \"../types\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { MsalNodeOptions } from \"./msalNodeCommon\";\nimport { calculateRegionalAuthority } from \"../../regionalAuthority\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { resolveTenantId } from \"../../util/tenantIdUtils\";\nimport { DeviceCodePromptCallback } from \"../../credentials/deviceCodeCredentialOptions\";\n\n/**\n * The logger for all MsalClient instances.\n */\nconst msalLogger = credentialLogger(\"MsalClient\");\n\nexport interface GetTokenWithSilentAuthOptions extends GetTokenOptions {\n  /**\n   * Disables automatic authentication. If set to true, the method will throw an error if the user needs to authenticate.\n   *\n   * @remarks\n   *\n   * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.\n   */\n  disableAutomaticAuthentication?: boolean;\n}\n\n/**\n * Represents a client for interacting with the Microsoft Authentication Library (MSAL).\n */\nexport interface MsalClient {\n  /**\n   * Retrieves an access token by using a user's username and password.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param username - The username provided by the developer.\n   * @param password - The user's password provided by the developer.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByUsernamePassword(\n    scopes: string[],\n    username: string,\n    password: string,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n  /**\n   * Retrieves an access token by prompting the user to authenticate using a device code.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param userPromptCallback - The callback function that allows developers to customize the prompt message.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByDeviceCode(\n    scopes: string[],\n    userPromptCallback: DeviceCodePromptCallback,\n    options?: GetTokenWithSilentAuthOptions,\n  ): Promise<AccessToken>;\n  /**\n   * Retrieves an access token by using a client certificate.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param certificate - The client certificate used for authentication.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByClientCertificate(\n    scopes: string[],\n    certificate: CertificateParts,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves an access token by using a client assertion.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param clientAssertion - The client assertion used for authentication.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByClientAssertion(\n    scopes: string[],\n    clientAssertion: string,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves an access token by using a client secret.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param clientSecret - The client secret of the application. This is a credential that the application can use to authenticate itself.\n   * @param options - Additional options that may be provided to the method.\n   * @returns An access token.\n   */\n  getTokenByClientSecret(\n    scopes: string[],\n    clientSecret: string,\n    options?: GetTokenOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves an access token by using an authorization code flow.\n   *\n   * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param clientSecret - An optional client secret that was generated for the App Registration.\n   * @param options - Additional options that may be provided to the method.\n   */\n  getTokenByAuthorizationCode(\n    scopes: string[],\n    redirectUri: string,\n    authorizationCode: string,\n    clientSecret?: string,\n    options?: GetTokenWithSilentAuthOptions,\n  ): Promise<AccessToken>;\n\n  /**\n   * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.\n   *\n   * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.\n   */\n  getActiveAccount(): AuthenticationRecord | undefined;\n}\n\n/**\n * Options for creating an instance of the MsalClient.\n */\nexport type MsalClientOptions = Partial<\n  Omit<MsalNodeOptions, \"clientId\" | \"tenantId\" | \"disableAutomaticAuthentication\">\n>;\n\n/**\n * Generates the configuration for MSAL (Microsoft Authentication Library).\n *\n * @param clientId - The client ID of the application.\n * @param  tenantId - The tenant ID of the Azure Active Directory.\n * @param  msalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns  The MSAL configuration object.\n */\nexport function generateMsalConfiguration(\n  clientId: string,\n  tenantId: string,\n  msalClientOptions: MsalClientOptions = {},\n): msal.Configuration {\n  const resolvedTenant = resolveTenantId(msalLogger, tenantId, clientId);\n\n  // TODO: move and reuse getIdentityClientAuthorityHost\n  const authority = getAuthority(\n    resolvedTenant,\n    msalClientOptions.authorityHost ?? process.env.AZURE_AUTHORITY_HOST,\n  );\n\n  const httpClient = new IdentityClient({\n    ...msalClientOptions.tokenCredentialOptions,\n    authorityHost: authority,\n    loggingOptions: msalClientOptions.loggingOptions,\n  });\n\n  const msalConfig: msal.Configuration = {\n    auth: {\n      clientId,\n      authority,\n      knownAuthorities: getKnownAuthorities(\n        resolvedTenant,\n        authority,\n        msalClientOptions.disableInstanceDiscovery,\n      ),\n    },\n    system: {\n      networkClient: httpClient,\n      loggerOptions: {\n        loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),\n        logLevel: getMSALLogLevel(getLogLevel()),\n        piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,\n      },\n    },\n  };\n  return msalConfig;\n}\n\n/**\n * Represents the state necessary for the MSAL (Microsoft Authentication Library) client to operate.\n * This includes the MSAL configuration, cached account information, Azure region, and a flag to disable automatic authentication.\n *\n * @internal\n */\ninterface MsalClientState {\n  /** The configuration for the MSAL client. */\n  msalConfig: msal.Configuration;\n\n  /** The cached account information, or null if no account information is cached. */\n  cachedAccount: msal.AccountInfo | null;\n\n  /** Configured plugins */\n  pluginConfiguration: PluginConfiguration;\n\n  /** Claims received from challenges, cached for the next request */\n  cachedClaims?: string;\n}\n\n/**\n * Creates an instance of the MSAL (Microsoft Authentication Library) client.\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns An instance of the MSAL client.\n *\n * @public\n */\nexport function createMsalClient(\n  clientId: string,\n  tenantId: string,\n  createMsalClientOptions: MsalClientOptions = {},\n): MsalClient {\n  const state: MsalClientState = {\n    msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),\n    cachedAccount: createMsalClientOptions.authenticationRecord\n      ? publicToMsal(createMsalClientOptions.authenticationRecord)\n      : null,\n    pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),\n  };\n\n  const publicApps: Map<string, msal.PublicClientApplication> = new Map();\n  async function getPublicApp(\n    options: GetTokenOptions = {},\n  ): Promise<msal.PublicClientApplication> {\n    const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n    let publicClientApp = publicApps.get(appKey);\n    if (publicClientApp) {\n      msalLogger.getToken.info(\"Existing PublicClientApplication found in cache, returning it.\");\n      return publicClientApp;\n    }\n\n    // Initialize a new app and cache it\n    msalLogger.getToken.info(\n      `Creating new PublicClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n    );\n\n    const cachePlugin = options.enableCae\n      ? state.pluginConfiguration.cache.cachePluginCae\n      : state.pluginConfiguration.cache.cachePlugin;\n\n    state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n    publicClientApp = new msal.PublicClientApplication({\n      ...state.msalConfig,\n      broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n      cache: { cachePlugin: await cachePlugin },\n    });\n\n    publicApps.set(appKey, publicClientApp);\n\n    return publicClientApp;\n  }\n\n  const confidentialApps: Map<string, msal.ConfidentialClientApplication> = new Map();\n  async function getConfidentialApp(\n    options: GetTokenOptions = {},\n  ): Promise<msal.ConfidentialClientApplication> {\n    const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n    let confidentialClientApp = confidentialApps.get(appKey);\n    if (confidentialClientApp) {\n      msalLogger.getToken.info(\n        \"Existing ConfidentialClientApplication found in cache, returning it.\",\n      );\n      return confidentialClientApp;\n    }\n\n    // Initialize a new app and cache it\n    msalLogger.getToken.info(\n      `Creating new ConfidentialClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n    );\n\n    const cachePlugin = options.enableCae\n      ? state.pluginConfiguration.cache.cachePluginCae\n      : state.pluginConfiguration.cache.cachePlugin;\n\n    state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n    confidentialClientApp = new msal.ConfidentialClientApplication({\n      ...state.msalConfig,\n      broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n      cache: { cachePlugin: await cachePlugin },\n    });\n\n    confidentialApps.set(appKey, confidentialClientApp);\n\n    return confidentialClientApp;\n  }\n\n  async function getTokenSilent(\n    app: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n    scopes: string[],\n    options: GetTokenOptions = {},\n  ): Promise<msal.AuthenticationResult> {\n    if (state.cachedAccount === null) {\n      msalLogger.getToken.info(\n        \"No cached account found in local state, attempting to load it from MSAL cache.\",\n      );\n      const cache = app.getTokenCache();\n      const accounts = await cache.getAllAccounts();\n\n      if (accounts === undefined || accounts.length === 0) {\n        throw new AuthenticationRequiredError({ scopes });\n      }\n\n      if (accounts.length > 1) {\n        msalLogger.info(`More than one account was found authenticated for this Client ID and Tenant ID.\nHowever, no \"authenticationRecord\" has been provided for this credential,\ntherefore we're unable to pick between these accounts.\nA new login attempt will be requested, to ensure the correct account is picked.\nTo work with multiple accounts for the same Client ID and Tenant ID, please provide an \"authenticationRecord\" when initializing a credential to prevent this from happening.`);\n        throw new AuthenticationRequiredError({ scopes });\n      }\n\n      state.cachedAccount = accounts[0];\n    }\n\n    // Keep track and reuse the claims we received across challenges\n    if (options.claims) {\n      state.cachedClaims = options.claims;\n    }\n\n    const silentRequest: msal.SilentFlowRequest = {\n      account: state.cachedAccount,\n      scopes,\n      claims: state.cachedClaims,\n    };\n\n    if (state.pluginConfiguration.broker.isEnabled) {\n      silentRequest.tokenQueryParameters ||= {};\n      if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n        silentRequest.tokenQueryParameters[\"msal_request_type\"] = \"consumer_passthrough\";\n      }\n    }\n\n    msalLogger.getToken.info(\"Attempting to acquire token silently\");\n    return app.acquireTokenSilent(silentRequest);\n  }\n\n  /**\n   * Performs silent authentication using MSAL to acquire an access token.\n   * If silent authentication fails, falls back to interactive authentication.\n   *\n   * @param msalApp - The MSAL application instance.\n   * @param scopes - The scopes for which to acquire the access token.\n   * @param options - The options for acquiring the access token.\n   * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.\n   * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.\n   */\n  async function withSilentAuthentication(\n    msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n    scopes: Array<string>,\n    options: GetTokenWithSilentAuthOptions,\n    onAuthenticationRequired: () => Promise<msal.AuthenticationResult | null>,\n  ): Promise<AccessToken> {\n    let response: msal.AuthenticationResult | null = null;\n    try {\n      response = await getTokenSilent(msalApp, scopes, options);\n    } catch (e: any) {\n      if (e.name !== \"AuthenticationRequiredError\") {\n        throw e;\n      }\n      if (options.disableAutomaticAuthentication) {\n        throw new AuthenticationRequiredError({\n          scopes,\n          getTokenOptions: options,\n          message:\n            \"Automatic authentication has been disabled. You may call the authentication() method.\",\n        });\n      }\n    }\n\n    // Silent authentication failed\n    if (response === null) {\n      try {\n        response = await onAuthenticationRequired();\n      } catch (err: any) {\n        throw handleMsalError(scopes, err, options);\n      }\n    }\n\n    // At this point we should have a token, process it\n    ensureValidMsalToken(scopes, response, options);\n    state.cachedAccount = response?.account ?? null;\n\n    msalLogger.getToken.info(formatSuccess(scopes));\n\n    return {\n      token: response.accessToken,\n      expiresOnTimestamp: response.expiresOn.getTime(),\n    };\n  }\n\n  async function getTokenByClientSecret(\n    scopes: string[],\n    clientSecret: string,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using client secret`);\n\n    state.msalConfig.auth.clientSecret = clientSecret;\n\n    const msalApp = await getConfidentialApp(options);\n\n    try {\n      const response = await msalApp.acquireTokenByClientCredential({\n        scopes,\n        authority: state.msalConfig.auth.authority,\n        azureRegion: calculateRegionalAuthority(),\n        claims: options?.claims,\n      });\n      ensureValidMsalToken(scopes, response, options);\n\n      msalLogger.getToken.info(formatSuccess(scopes));\n\n      return {\n        token: response.accessToken,\n        expiresOnTimestamp: response.expiresOn.getTime(),\n      };\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n\n  async function getTokenByClientAssertion(\n    scopes: string[],\n    clientAssertion: string,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using client assertion`);\n\n    state.msalConfig.auth.clientAssertion = clientAssertion;\n\n    const msalApp = await getConfidentialApp(options);\n\n    try {\n      const response = await msalApp.acquireTokenByClientCredential({\n        scopes,\n        authority: state.msalConfig.auth.authority,\n        azureRegion: calculateRegionalAuthority(),\n        claims: options?.claims,\n        clientAssertion,\n      });\n      ensureValidMsalToken(scopes, response, options);\n\n      msalLogger.getToken.info(formatSuccess(scopes));\n\n      return {\n        token: response.accessToken,\n        expiresOnTimestamp: response.expiresOn.getTime(),\n      };\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n\n  async function getTokenByClientCertificate(\n    scopes: string[],\n    certificate: CertificateParts,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using client certificate`);\n\n    state.msalConfig.auth.clientCertificate = certificate;\n\n    const msalApp = await getConfidentialApp(options);\n    try {\n      const response = await msalApp.acquireTokenByClientCredential({\n        scopes,\n        authority: state.msalConfig.auth.authority,\n        azureRegion: calculateRegionalAuthority(),\n        claims: options?.claims,\n      });\n      ensureValidMsalToken(scopes, response, options);\n\n      msalLogger.getToken.info(formatSuccess(scopes));\n\n      return {\n        token: response.accessToken,\n        expiresOnTimestamp: response.expiresOn.getTime(),\n      };\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n\n  async function getTokenByDeviceCode(\n    scopes: string[],\n    deviceCodeCallback: DeviceCodePromptCallback,\n    options: GetTokenWithSilentAuthOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using device code`);\n\n    const msalApp = await getPublicApp(options);\n\n    return withSilentAuthentication(msalApp, scopes, options, () => {\n      const requestOptions: msal.DeviceCodeRequest = {\n        scopes,\n        cancel: options?.abortSignal?.aborted ?? false,\n        deviceCodeCallback,\n        authority: state.msalConfig.auth.authority,\n        claims: options?.claims,\n      };\n      const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);\n      if (options.abortSignal) {\n        options.abortSignal.addEventListener(\"abort\", () => {\n          requestOptions.cancel = true;\n        });\n      }\n\n      return deviceCodeRequest;\n    });\n  }\n\n  async function getTokenByUsernamePassword(\n    scopes: string[],\n    username: string,\n    password: string,\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using username and password`);\n\n    const msalApp = await getPublicApp(options);\n\n    return withSilentAuthentication(msalApp, scopes, options, () => {\n      const requestOptions: msal.UsernamePasswordRequest = {\n        scopes,\n        username,\n        password,\n        authority: state.msalConfig.auth.authority,\n        claims: options?.claims,\n      };\n\n      return msalApp.acquireTokenByUsernamePassword(requestOptions);\n    });\n  }\n\n  function getActiveAccount(): AuthenticationRecord | undefined {\n    if (!state.cachedAccount) {\n      return undefined;\n    }\n    return msalToPublic(clientId, state.cachedAccount);\n  }\n\n  async function getTokenByAuthorizationCode(\n    scopes: string[],\n    redirectUri: string,\n    authorizationCode: string,\n    clientSecret?: string,\n    options: GetTokenWithSilentAuthOptions = {},\n  ): Promise<AccessToken> {\n    msalLogger.getToken.info(`Attempting to acquire token using authorization code`);\n\n    let msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication;\n    if (clientSecret) {\n      // If a client secret is provided, we need to use a confidential client application\n      // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret\n      state.msalConfig.auth.clientSecret = clientSecret;\n      msalApp = await getConfidentialApp(options);\n    } else {\n      msalApp = await getPublicApp(options);\n    }\n\n    return withSilentAuthentication(msalApp, scopes, options, () => {\n      return msalApp.acquireTokenByCode({\n        scopes,\n        redirectUri,\n        code: authorizationCode,\n        authority: state.msalConfig.auth.authority,\n        claims: options?.claims,\n      });\n    });\n  }\n\n  return {\n    getActiveAccount,\n    getTokenByClientSecret,\n    getTokenByClientAssertion,\n    getTokenByClientCertificate,\n    getTokenByDeviceCode,\n    getTokenByUsernamePassword,\n    getTokenByAuthorizationCode,\n  };\n}\n"]}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "4.3.0-alpha.20240520.1",
+  "version": "4.3.0-beta.2",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",
@@ -66,7 +66,7 @@
     "test:node": "npm run clean && npm run unit-test:node && npm run integration-test:node",
     "test": "npm run clean && npm run build:test && npm run unit-test && npm run integration-test",
     "unit-test:browser": "dev-tool run test:browser",
-    "unit-test:node": "echo skipped",
+    "unit-test:node": "dev-tool run test:node-ts-input -- --timeout 300000 --exclude 'test/**/browser/**/*.spec.ts' --exclude 'test/integration/**/*.spec.ts' 'test/**/**/*.spec.ts'",
     "unit-test:node:no-timeouts": "dev-tool run test:node-ts-input -- --timeout Infinite --exclude 'test/**/browser/**/*.spec.ts' 'test/**/**/*.spec.ts'",
     "unit-test": "npm run unit-test:node && npm run unit-test:browser"
   },
@@ -110,13 +110,13 @@
   "dependencies": {
     "@azure/abort-controller": "^1.0.0",
     "@azure/core-auth": "^1.5.0",
-    "@azure/core-client": "^1.4.0",
+    "@azure/core-client": "^1.9.2",
     "@azure/core-rest-pipeline": "^1.1.0",
     "@azure/core-tracing": "^1.0.0",
     "@azure/core-util": "^1.3.0",
     "@azure/logger": "^1.0.0",
     "@azure/msal-browser": "^3.11.1",
-    "@azure/msal-node": "^2.6.6",
+    "@azure/msal-node": "^2.9.2",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "open": "^8.0.0",
@@ -125,10 +125,10 @@
   },
   "devDependencies": {
     "@azure-tools/test-recorder": "^3.0.0",
-    "@azure/dev-tool": ">=1.0.0-alpha <1.0.0-alphb",
-    "@azure/eslint-plugin-azure-sdk": ">=3.0.0-alpha <3.0.0-alphb",
+    "@azure/dev-tool": "^1.0.0",
+    "@azure/eslint-plugin-azure-sdk": "^3.0.0",
     "@azure/keyvault-keys": "^4.2.0",
-    "@azure-tools/test-utils": ">=1.0.1-alpha <1.0.1-alphb",
+    "@azure-tools/test-utils": "^1.0.1",
     "@microsoft/api-extractor": "^7.31.1",
     "@types/chai": "^4.1.6",
     "@types/jsonwebtoken": "^9.0.0",

package/types/identity.d.ts

@@ -135,12 +135,13 @@ export declare interface AuthorityValidationOptions {
  * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow
  */
 export declare class AuthorizationCodeCredential implements TokenCredential {
-    private msalFlow;
+    private msalClient;
     private disableAutomaticAuthentication?;
     private authorizationCode;
     private redirectUri;
     private tenantId?;
     private additionallyAllowedTenantIds;
+    private clientSecret?;
     /**
      * Creates an instance of AuthorizationCodeCredential with the details needed
      * to request an access token using an authentication that was obtained