@azure/identity 4.3.0-beta.1 → 4.3.0-beta.2

package/dist/index.js

@@ -12,6 +12,7 @@ var fs = require('fs');
 var os = require('os');
 var path = require('path');
 var msalCommon = require('@azure/msal-node');
+var fs$1 = require('node:fs');
 var https = require('https');
 var promises = require('fs/promises');
 var child_process = require('child_process');
@@ -44,7 +45,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.3.0-beta.1`;
+const SDK_VERSION = `4.3.0-beta.2`;
 /**
  * The default client ID for authentication
  * @internal
@@ -1179,18 +1180,6 @@ function prepareRequestOptions$3(scopes, clientId, resourceId) {
         }),
     });
 }
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync$1(path, options) {
-    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
-        }
-        resolve(data);
-    }));
-}
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -1211,6 +1200,43 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+function platformToFilePath() {
+    switch (process.platform) {
+        case "win32":
+            if (!process.env.PROGRAMDATA) {
+                throw new Error(`${msiName$4}: PROGRAMDATA environment variable has no value.`);
+            }
+            return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+        case "linux":
+            return "/var/opt/azcmagent/tokens";
+        default:
+            throw new Error(`${msiName$4}: Unsupported platform ${process.platform}.`);
+    }
+}
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+function validateKeyFile(filePath) {
+    if (!filePath) {
+        throw new Error(`${msiName$4}: Failed to find the token file.`);
+    }
+    if (!filePath.endsWith(".key")) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const expectedPath = platformToFilePath();
+    if (!filePath.startsWith(expectedPath)) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const stats = fs$1.statSync(filePath);
+    if (stats.size > 4096) {
+        throw new Error(`${msiName$4}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+    }
+}
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -1240,10 +1266,8 @@ const arcMsi = {
         logger$m.info(`${msiName$4}: Authenticating.`);
         const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName$4}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
+        validateKeyFile(filePath);
+        const key = await fs$1.promises.readFile(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
@@ -2165,18 +2189,56 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return deviceCodeRequest;
         });
     }
+    async function getTokenByUsernamePassword(scopes, username, password, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using username and password`);
+        const msalApp = await getPublicApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            const requestOptions = {
+                scopes,
+                username,
+                password,
+                authority: state.msalConfig.auth.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            };
+            return msalApp.acquireTokenByUsernamePassword(requestOptions);
+        });
+    }
     function getActiveAccount() {
         if (!state.cachedAccount) {
             return undefined;
         }
         return msalToPublic(clientId, state.cachedAccount);
     }
+    async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using authorization code`);
+        let msalApp;
+        if (clientSecret) {
+            // If a client secret is provided, we need to use a confidential client application
+            // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret
+            state.msalConfig.auth.clientSecret = clientSecret;
+            msalApp = await getConfidentialApp(options);
+        }
+        else {
+            msalApp = await getPublicApp(options);
+        }
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            return msalApp.acquireTokenByCode({
+                scopes,
+                redirectUri,
+                code: authorizationCode,
+                authority: state.msalConfig.auth.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            });
+        });
+    }
     return {
         getActiveAccount,
         getTokenByClientSecret,
         getTokenByClientAssertion,
         getTokenByClientCertificate,
         getTokenByDeviceCode,
+        getTokenByUsernamePassword,
+        getTokenByAuthorizationCode,
     };
 }
 
@@ -3455,117 +3517,425 @@ class ClientSecretCredential {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+const logger$7 = credentialLogger("UsernamePasswordCredential");
 /**
- * MSAL partial base client for Node.js.
- *
- * It completes the input configuration with some default values.
- * It also provides with utility protected methods that can be used from any of the clients,
- * which includes handlers for successful responses and errors.
- *
- * @internal
+ * Enables authentication to Microsoft Entra ID with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
  */
-class MsalNode {
-    constructor(options) {
-        var _a, _b, _c, _d, _e, _f;
-        this.app = {};
-        this.caeApp = {};
-        this.requiresConfidential = false;
-        this.logger = options.logger;
-        this.msalConfig = this.defaultNodeMsalConfig(options);
-        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
-        this.clientId = this.msalConfig.auth.clientId;
-        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
-            this.getAssertion = options.getAssertion;
-        }
-        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
-        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
-        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
-        // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
-            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
-            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
-            this.createCachePluginCae = () => persistenceProvider(caeOptions);
-        }
-        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
-            throw new Error([
-                "Persistent token caching was requested, but no persistence provider was configured.",
-                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
-            ].join(" "));
-        }
-        // If broker has not been configured
-        if (!hasNativeBroker() && this.enableBroker) {
-            throw new Error([
-                "Broker for WAM was requested to be enabled, but no native broker was configured.",
-                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
-            ].join(" "));
+class UsernamePasswordCredential {
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a username
+     * and password.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory).
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param username - The user account's e-mail address (user name).
+     * @param password - The user account's account password
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
-        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.username = username;
+        this.password = password;
+        this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
     }
     /**
-     * Generates a MSAL configuration that generally works for Node.js
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
      */
-    defaultNodeMsalConfig(options) {
-        var _a;
-        const clientId = options.clientId || DeveloperSignOnClientId;
-        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
-        const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        const clientCapabilities = [];
-        return {
-            auth: {
-                clientId,
-                authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
-                clientCapabilities,
-            },
-            // Cache is defined in this.prepare();
-            system: {
-                networkClient: this.identityClient,
-                loggerOptions: {
-                    loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$r.getLogLevel()),
-                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
-                },
-            },
-        };
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalClient.getTokenByUsernamePassword(arrayScopes, this.username, this.password, newOptions);
+        });
     }
-    getApp(appType, enableCae) {
-        const app = enableCae ? this.caeApp : this.app;
-        if (appType === "publicFirst") {
-            return (app.public || app.confidential);
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
+ *
+ * @internal
+ */
+const AllSupportedEnvironmentVariables = [
+    "AZURE_TENANT_ID",
+    "AZURE_CLIENT_ID",
+    "AZURE_CLIENT_SECRET",
+    "AZURE_CLIENT_CERTIFICATE_PATH",
+    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
+    "AZURE_USERNAME",
+    "AZURE_PASSWORD",
+    "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
+];
+function getAdditionallyAllowedTenants() {
+    var _a;
+    const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
+    return additionallyAllowedValues.split(";");
+}
+const credentialName$2 = "EnvironmentCredential";
+const logger$6 = credentialLogger(credentialName$2);
+/**
+ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
+ * with a username and password.
+ */
+class EnvironmentCredential {
+    /**
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
+     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(options) {
+        // Keep track of any missing environment variables for error details
+        this._credential = undefined;
+        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
+        logger$6.info(`Found the following environment variables: ${assigned}`);
+        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
+        const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
+        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
+        if (tenantId) {
+            checkTenantId(logger$6, tenantId);
         }
-        else if (appType === "confidentialFirst") {
-            return (app.confidential || app.public);
+        if (tenantId && clientId && clientSecret) {
+            logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
+            return;
         }
-        else if (appType === "confidential") {
-            return app.confidential;
+        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
+        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
+        if (tenantId && clientId && certificatePath) {
+            logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
+            return;
         }
-        else {
-            return app.public;
+        const username = process.env.AZURE_USERNAME;
+        const password = process.env.AZURE_PASSWORD;
+        if (tenantId && clientId && username && password) {
+            logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
         }
     }
     /**
-     * Prepares the MSAL applications.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - Optional parameters. See {@link GetTokenOptions}.
      */
-    async init(options) {
-        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
-            options.abortSignal.addEventListener("abort", () => {
-                // This will abort any pending request in the IdentityClient,
-                // based on the received or generated correlationId
-                this.identityClient.abortRequests(options.correlationId);
-            });
-        }
-        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.msalConfig.auth.clientCapabilities = ["cp1"];
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
+            if (this._credential) {
+                try {
+                    const result = await this._credential.getToken(scopes, newOptions);
+                    logger$6.getToken.info(formatSuccess(scopes));
+                    return result;
+                }
+                catch (err) {
+                    const authenticationError = new AuthenticationError(400, {
+                        error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
+                        error_description: err.message.toString().split("More details:").join(""),
+                    });
+                    logger$6.getToken.info(formatError(scopes, authenticationError));
+                    throw authenticationError;
+                }
+            }
+            throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const logger$5 = credentialLogger("DefaultAzureCredential");
+/**
+ * Creates a {@link ManagedIdentityCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
+ */
+function createDefaultManagedIdentityCredential(options = {}) {
+    var _a, _b, _c, _d;
+    (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
+        maxRetries: 5,
+        retryDelayInMs: 800,
+    });
+    const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
+    const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
+    const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
+    const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
+    if (managedResourceId) {
+        const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
+        return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
+    }
+    if (workloadFile && workloadIdentityClientId) {
+        const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
+        return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
+    }
+    if (managedIdentityClientId) {
+        const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
+        return new ManagedIdentityCredential(managedIdentityClientOptions);
+    }
+    // We may be able to return a UnavailableCredential here, but that may be a breaking change
+    return new ManagedIdentityCredential(options);
+}
+/**
+ * Creates a {@link WorkloadIdentityCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
+ */
+function createDefaultWorkloadIdentityCredential(options) {
+    var _a, _b, _c;
+    const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
+    const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
+    const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
+    if (workloadFile && workloadIdentityClientId) {
+        const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
+        return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);
+    }
+    if (tenantId) {
+        const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
+        return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);
+    }
+    // We may be able to return a UnavailableCredential here, but that may be a breaking change
+    return new WorkloadIdentityCredential(options);
+}
+/**
+ * Creates a {@link AzureDeveloperCliCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
+ */
+function createDefaultAzureDeveloperCliCredential(options = {}) {
+    const processTimeoutInMs = options.processTimeoutInMs;
+    return new AzureDeveloperCliCredential(Object.assign({ processTimeoutInMs }, options));
+}
+/**
+ * Creates a {@link AzureCliCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
+ */
+function createDefaultAzureCliCredential(options = {}) {
+    const processTimeoutInMs = options.processTimeoutInMs;
+    return new AzureCliCredential(Object.assign({ processTimeoutInMs }, options));
+}
+/**
+ * Creates a {@link AzurePowerShellCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
+ */
+function createDefaultAzurePowershellCredential(options = {}) {
+    const processTimeoutInMs = options.processTimeoutInMs;
+    return new AzurePowerShellCredential(Object.assign({ processTimeoutInMs }, options));
+}
+/**
+ * Creates an {@link EnvironmentCredential} from the provided options.
+ * @param options - Options to configure the credential.
+ *
+ * @internal
+ */
+function createEnvironmentCredential(options = {}) {
+    return new EnvironmentCredential(options);
+}
+/**
+ * A no-op credential that logs the reason it was skipped if getToken is called.
+ * @internal
+ */
+class UnavailableDefaultCredential {
+    constructor(credentialName, message) {
+        this.credentialName = credentialName;
+        this.credentialUnavailableErrorMessage = message;
+    }
+    getToken() {
+        logger$5.getToken.info(`Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`);
+        return Promise.resolve(null);
+    }
+}
+/**
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.
+ */
+class DefaultAzureCredential extends ChainedTokenCredential {
+    constructor(options) {
+        const credentialFunctions = [
+            createEnvironmentCredential,
+            createDefaultWorkloadIdentityCredential,
+            createDefaultManagedIdentityCredential,
+            createDefaultAzureCliCredential,
+            createDefaultAzurePowershellCredential,
+            createDefaultAzureDeveloperCliCredential,
+        ];
+        // DefaultCredential constructors should not throw, instead throwing on getToken() which is handled by ChainedTokenCredential.
+        // When adding new credentials to the default chain, consider:
+        // 1. Making the constructor parameters required and explicit
+        // 2. Validating any required parameters in the factory function
+        // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
+        const credentials = credentialFunctions.map((createCredentialFn) => {
+            try {
+                return createCredentialFn(options);
+            }
+            catch (err) {
+                logger$5.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
+                return new UnavailableDefaultCredential(createCredentialFn.name, err.message);
+            }
+        });
+        super(...credentials);
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * MSAL partial base client for Node.js.
+ *
+ * It completes the input configuration with some default values.
+ * It also provides with utility protected methods that can be used from any of the clients,
+ * which includes handlers for successful responses and errors.
+ *
+ * @internal
+ */
+class MsalNode {
+    constructor(options) {
+        var _a, _b, _c, _d, _e, _f;
+        this.app = {};
+        this.caeApp = {};
+        this.requiresConfidential = false;
+        this.logger = options.logger;
+        this.msalConfig = this.defaultNodeMsalConfig(options);
+        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.clientId = this.msalConfig.auth.clientId;
+        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
+            this.getAssertion = options.getAssertion;
+        }
+        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
+        // If persistence has been configured
+        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
+            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
+            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
+        }
+        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
+            ].join(" "));
+        }
+        // If broker has not been configured
+        if (!hasNativeBroker() && this.enableBroker) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
+        }
+        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+    }
+    /**
+     * Generates a MSAL configuration that generally works for Node.js
+     */
+    defaultNodeMsalConfig(options) {
+        var _a;
+        const clientId = options.clientId || DeveloperSignOnClientId;
+        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
+        const authority = getAuthority(tenantId, this.authorityHost);
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
+        const clientCapabilities = [];
+        return {
+            auth: {
+                clientId,
+                authority,
+                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
+                clientCapabilities,
+            },
+            // Cache is defined in this.prepare();
+            system: {
+                networkClient: this.identityClient,
+                loggerOptions: {
+                    loggerCallback: defaultLoggerCallback(options.logger),
+                    logLevel: getMSALLogLevel(logger$r.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
+                },
+            },
+        };
+    }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
+    /**
+     * Prepares the MSAL applications.
+     */
+    async init(options) {
+        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
+            options.abortSignal.addEventListener("abort", () => {
+                // This will abort any pending request in the IdentityClient,
+                // based on the received or generated correlationId
+                this.identityClient.abortRequests(options.correlationId);
+            });
+        }
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
         }
         if (app.public || app.confidential) {
             return;
@@ -3691,417 +4061,76 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
             }
         }
-        try {
-            this.logger.info("Attempting to acquire token silently");
-            /**
-             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
-             * refresh of the token cache with the token and the account passed in through the
-             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
-             */
-            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
-            return this.handleResult(scopes, response || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-    /**
-     * Wrapper around each MSAL flow get token operation: doGetToken.
-     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
-     */
-    async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
-            this.tenantId;
-        options.authority = getAuthority(tenantId, this.authorityHost);
-        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
-        await this.init(options);
-        try {
-            // MSAL now caches tokens based on their claims,
-            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
-            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
-            const optionsClaims = options.claims;
-            if (optionsClaims) {
-                this.cachedClaims = optionsClaims;
-            }
-            if (this.cachedClaims && !optionsClaims) {
-                options.claims = this.cachedClaims;
-            }
-            // We don't return the promise since we want to catch errors right here.
-            return await this.getTokenSilent(scopes, options);
-        }
-        catch (err) {
-            if (err.name !== "AuthenticationRequiredError") {
-                throw err;
-            }
-            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                throw new AuthenticationRequiredError({
-                    scopes,
-                    getTokenOptions: options,
-                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
-                });
-            }
-            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
-            return this.doGetToken(scopes, options);
-        }
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(this.clientId, result.account);
-        }
-        ensureValidMsalToken(scopes, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
- * @internal
- */
-class MsalUsernamePassword extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.username = options.username;
-        this.password = options.password;
-    }
-    async doGetToken(scopes, options) {
-        try {
-            const requestOptions = {
-                scopes,
-                username: this.username,
-                password: this.password,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-            };
-            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (error) {
-            throw handleMsalError(scopes, error, options);
-        }
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const logger$7 = credentialLogger("UsernamePasswordCredential");
-/**
- * Enables authentication to Microsoft Entra ID with a user's
- * username and password. This credential requires a high degree of
- * trust so you should only use it when other, more secure credential
- * types can't be used.
- */
-class UsernamePasswordCredential {
-    /**
-     * Creates an instance of the UsernamePasswordCredential with the details
-     * needed to authenticate against Microsoft Entra ID with a username
-     * and password.
-     *
-     * @param tenantId - The Microsoft Entra tenant (directory).
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param username - The user account's e-mail address (user name).
-     * @param password - The user account's account password
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, username, password, options = {}) {
-        if (!tenantId || !clientId || !username || !password) {
-            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
-        }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
-            clientId,
-            tenantId,
-            username,
-            password, tokenCredentialOptions: options || {} }));
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * If the user provided the option `disableAutomaticAuthentication`,
-     * once the token can't be retrieved silently,
-     * this method won't attempt to request user interaction to retrieve the token.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
-            const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Contains the list of all supported environment variable names so that an
- * appropriate error message can be generated when no credentials can be
- * configured.
- *
- * @internal
- */
-const AllSupportedEnvironmentVariables = [
-    "AZURE_TENANT_ID",
-    "AZURE_CLIENT_ID",
-    "AZURE_CLIENT_SECRET",
-    "AZURE_CLIENT_CERTIFICATE_PATH",
-    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
-    "AZURE_USERNAME",
-    "AZURE_PASSWORD",
-    "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
-];
-function getAdditionallyAllowedTenants() {
-    var _a;
-    const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
-    return additionallyAllowedValues.split(";");
-}
-const credentialName$2 = "EnvironmentCredential";
-const logger$6 = credentialLogger(credentialName$2);
-/**
- * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
- * with a username and password.
- */
-class EnvironmentCredential {
-    /**
-     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
-     *
-     * Required environment variables:
-     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
-     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
-     *
-     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
-     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
-     *
-     * Environment variables used for client credential authentication:
-     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
-     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
-     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
-     *
-     * Alternatively, users can provide environment variables for username and password authentication:
-     * - `AZURE_USERNAME`: Username to authenticate with.
-     * - `AZURE_PASSWORD`: Password to authenticate with.
-     *
-     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
-     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
-     *
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(options) {
-        // Keep track of any missing environment variables for error details
-        this._credential = undefined;
-        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
-        logger$6.info(`Found the following environment variables: ${assigned}`);
-        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
-        const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
-        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
-        if (tenantId) {
-            checkTenantId(logger$6, tenantId);
-        }
-        if (tenantId && clientId && clientSecret) {
-            logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
-            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
-            return;
-        }
-        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
-        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
-        if (tenantId && clientId && certificatePath) {
-            logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
-            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
-            return;
-        }
-        const username = process.env.AZURE_USERNAME;
-        const password = process.env.AZURE_PASSWORD;
-        if (tenantId && clientId && username && password) {
-            logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
-            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
+        try {
+            this.logger.info("Attempting to acquire token silently");
+            /**
+             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
+             * refresh of the token cache with the token and the account passed in through the
+             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
+             */
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
+            return this.handleResult(scopes, response || undefined);
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
         }
     }
     /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - Optional parameters. See {@link GetTokenOptions}.
+     * Wrapper around each MSAL flow get token operation: doGetToken.
+     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
      */
     async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
-            if (this._credential) {
-                try {
-                    const result = await this._credential.getToken(scopes, newOptions);
-                    logger$6.getToken.info(formatSuccess(scopes));
-                    return result;
-                }
-                catch (err) {
-                    const authenticationError = new AuthenticationError(400, {
-                        error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
-                        error_description: err.message.toString().split("More details:").join(""),
-                    });
-                    logger$6.getToken.info(formatError(scopes, authenticationError));
-                    throw authenticationError;
-                }
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
+            this.tenantId;
+        options.authority = getAuthority(tenantId, this.authorityHost);
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
+        await this.init(options);
+        try {
+            // MSAL now caches tokens based on their claims,
+            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
+            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
+            const optionsClaims = options.claims;
+            if (optionsClaims) {
+                this.cachedClaims = optionsClaims;
             }
-            throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const logger$5 = credentialLogger("DefaultAzureCredential");
-/**
- * Creates a {@link ManagedIdentityCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createDefaultManagedIdentityCredential(options = {}) {
-    var _a, _b, _c, _d;
-    (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
-        maxRetries: 5,
-        retryDelayInMs: 800,
-    });
-    const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
-    const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
-    const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
-    const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
-    if (managedResourceId) {
-        const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
-        return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
-    }
-    if (workloadFile && workloadIdentityClientId) {
-        const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
-        return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
-    }
-    if (managedIdentityClientId) {
-        const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
-        return new ManagedIdentityCredential(managedIdentityClientOptions);
-    }
-    // We may be able to return a UnavailableCredential here, but that may be a breaking change
-    return new ManagedIdentityCredential(options);
-}
-/**
- * Creates a {@link WorkloadIdentityCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createDefaultWorkloadIdentityCredential(options) {
-    var _a, _b, _c;
-    const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
-    const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
-    const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
-    if (workloadFile && workloadIdentityClientId) {
-        const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
-        return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);
-    }
-    if (tenantId) {
-        const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
-        return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);
-    }
-    // We may be able to return a UnavailableCredential here, but that may be a breaking change
-    return new WorkloadIdentityCredential(options);
-}
-/**
- * Creates a {@link AzureDeveloperCliCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createDefaultAzureDeveloperCliCredential(options = {}) {
-    const processTimeoutInMs = options.processTimeoutInMs;
-    return new AzureDeveloperCliCredential(Object.assign({ processTimeoutInMs }, options));
-}
-/**
- * Creates a {@link AzureCliCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createDefaultAzureCliCredential(options = {}) {
-    const processTimeoutInMs = options.processTimeoutInMs;
-    return new AzureCliCredential(Object.assign({ processTimeoutInMs }, options));
-}
-/**
- * Creates a {@link AzurePowerShellCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createDefaultAzurePowershellCredential(options = {}) {
-    const processTimeoutInMs = options.processTimeoutInMs;
-    return new AzurePowerShellCredential(Object.assign({ processTimeoutInMs }, options));
-}
-/**
- * Creates an {@link EnvironmentCredential} from the provided options.
- * @param options - Options to configure the credential.
- *
- * @internal
- */
-function createEnvironmentCredential(options = {}) {
-    return new EnvironmentCredential(options);
-}
-/**
- * A no-op credential that logs the reason it was skipped if getToken is called.
- * @internal
- */
-class UnavailableDefaultCredential {
-    constructor(credentialName, message) {
-        this.credentialName = credentialName;
-        this.credentialUnavailableErrorMessage = message;
-    }
-    getToken() {
-        logger$5.getToken.info(`Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`);
-        return Promise.resolve(null);
-    }
-}
-/**
- * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.
- */
-class DefaultAzureCredential extends ChainedTokenCredential {
-    constructor(options) {
-        const credentialFunctions = [
-            createEnvironmentCredential,
-            createDefaultWorkloadIdentityCredential,
-            createDefaultManagedIdentityCredential,
-            createDefaultAzureCliCredential,
-            createDefaultAzurePowershellCredential,
-            createDefaultAzureDeveloperCliCredential,
-        ];
-        // DefaultCredential constructors should not throw, instead throwing on getToken() which is handled by ChainedTokenCredential.
-        // When adding new credentials to the default chain, consider:
-        // 1. Making the constructor parameters required and explicit
-        // 2. Validating any required parameters in the factory function
-        // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
-        const credentials = credentialFunctions.map((createCredentialFn) => {
-            try {
-                return createCredentialFn(options);
+            if (this.cachedClaims && !optionsClaims) {
+                options.claims = this.cachedClaims;
             }
-            catch (err) {
-                logger$5.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
-                return new UnavailableDefaultCredential(createCredentialFn.name, err.message);
+            // We don't return the promise since we want to catch errors right here.
+            return await this.getTokenSilent(scopes, options);
+        }
+        catch (err) {
+            if (err.name !== "AuthenticationRequiredError") {
+                throw err;
             }
-        });
-        super(...credentials);
+            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
+                });
+            }
+            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
+            return this.doGetToken(scopes, options);
+        }
+    }
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+            this.account = msalToPublic(this.clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
     }
 }
 
@@ -4344,7 +4373,7 @@ class DeviceCodeCredential {
         const clientId = (_a = options === null || options === void 0 ? void 0 : options.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId;
         const tenantId = resolveTenantId(logger$3, options === null || options === void 0 ? void 0 : options.tenantId, clientId);
         this.userPromptCallback = (_b = options === null || options === void 0 ? void 0 : options.userPromptCallback) !== null && _b !== void 0 ? _b : defaultDeviceCodePromptCallback;
-        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options || {} }));
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$3, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
@@ -4510,50 +4539,6 @@ class AzurePipelinesCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
- * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
- * @internal
- */
-class MsalAuthorizationCode extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.logger = credentialLogger("Node.js MSAL Authorization Code");
-        this.redirectUri = options.redirectUri;
-        this.authorizationCode = options.authorizationCode;
-        if (options.clientSecret) {
-            this.msalConfig.auth.clientSecret = options.clientSecret;
-        }
-    }
-    async getAuthCodeUrl(options) {
-        await this.init();
-        return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
-            scopes: options.scopes,
-            redirectUri: options.redirectUri,
-        });
-    }
-    async doGetToken(scopes, options) {
-        try {
-            const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
-                scopes,
-                redirectUri: this.redirectUri,
-                code: this.authorizationCode,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-            });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
@@ -4571,7 +4556,7 @@ class AuthorizationCodeCredential {
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
         checkTenantId(logger$1, tenantId);
-        let clientSecret = clientSecretOrAuthorizationCode;
+        this.clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
             this.authorizationCode = authorizationCodeOrRedirectUri;
@@ -4582,15 +4567,13 @@ class AuthorizationCodeCredential {
             // clientId only
             this.authorizationCode = clientSecretOrAuthorizationCode;
             this.redirectUri = authorizationCodeOrRedirectUri;
-            clientSecret = undefined;
+            this.clientSecret = undefined;
             options = redirectUriOrOptions;
         }
         // TODO: Validate tenant if provided
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
-            clientId,
-            tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$1, tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -4605,7 +4588,7 @@ class AuthorizationCodeCredential {
             const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
             newOptions.tenantId = tenantId;
             const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+            return this.msalClient.getTokenByAuthorizationCode(arrayScopes, this.redirectUri, this.authorizationCode, this.clientSecret, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
 }