@azure/identity 4.3.0-beta.2 → 4.3.1-alpha.20240618.4

package/README.md

@@ -14,10 +14,6 @@ Key links:
 
 ## Getting started
 
-### Migrate from v1 to v2 of @azure/identity
-
-If you're using v1 of `@azure/identity`, see the [migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md) to update to v2.
-
 ### Currently supported environments
 
 - [LTS versions of Node.js](https://github.com/nodejs/release#release-schedule)
@@ -62,7 +58,7 @@ For advanced authentication workflows in the browser, we have a section where we
 
 ### Authenticate the client in development environment
 
-While we recommend using managed identity or service principal authentication in your production application, it is typical for a developer to use their own account for authenticating calls to Azure services when debugging and executing code locally. There are several developer tools which can be used to perform this authentication in your development environment.
+While we recommend using managed identity in your Azure-hosted application, it is typical for a developer to use their own account for authenticating calls to Azure services when debugging and executing code locally. There are several developer tools which can be used to perform this authentication in your development environment.
 
 #### Authenticate via the Azure Developer CLI
 
@@ -88,7 +84,7 @@ For systems without a default web browser, the `az login` command will use the d
 
 Applications using the `AzurePowerShellCredential`, whether directly or via the `DefaultAzureCredential`, can use the account connected to Azure PowerShell to authenticate calls in the application when running locally.
 
-To authenticate with [Azure PowerShell][azure_powershell] users can run the `Connect-AzAccount` cmdlet. By default, ike the Azure CLI, `Connect-AzAccount` will launch the default web browser to authenticate a user account.
+To authenticate with [Azure PowerShell][azure_powershell] users can run the `Connect-AzAccount` cmdlet. By default, like the Azure CLI, `Connect-AzAccount` will launch the default web browser to authenticate a user account.
 
 ![Azure PowerShell Account Sign In][azurepowershelllogin_image]
 
@@ -151,8 +147,8 @@ Due to a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500),
 
 Azure Identity for JavaScript provides a plugin API that allows us to provide certain functionality through separate _plugin packages_. The `@azure/identity` package exports a top-level function (`useIdentityPlugin`) that can be used to enable a plugin. We provide two plugin packages:
 
-- [`@azure/identity-broker`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-broker), which provides brokered authentication support through a native broker, such as Web Account Manager.
-- [`@azure/identity-cache-persistence`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-cache-persistence), which provides persistent token caching in Node.js using a native secure storage system provided by your operating system. This plugin allows cached `access_token` values to persist across sessions, meaning that an interactive login flow does not need to be repeated as long as a cached token is available.
+- [`@azure/identity-broker`](https://www.npmjs.com/package/@azure/identity-broker), which provides brokered authentication support through a native broker, such as Web Account Manager.
+- [`@azure/identity-cache-persistence`](https://www.npmjs.com/package/@azure/identity-cache-persistence), which provides persistent token caching in Node.js using a native secure storage system provided by your operating system. This plugin allows cached `access_token` values to persist across sessions, meaning that an interactive login flow does not need to be repeated as long as a cached token is available.
 
 ## Examples
 

package/dist/index.js

@@ -45,7 +45,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.3.0-beta.2`;
+const SDK_VERSION = `4.3.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -1931,7 +1931,7 @@ function calculateRegionalAuthority(regionalAuthority) {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
- * The logger for all MsalClient instances.
+ * The default logger used if no logger was passed in by the credential.
  */
 const msalLogger = credentialLogger("MsalClient");
 /**
@@ -1943,10 +1943,10 @@ const msalLogger = credentialLogger("MsalClient");
  * @returns  The MSAL configuration object.
  */
 function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
-    var _a, _b, _c;
-    const resolvedTenant = resolveTenantId(msalLogger, tenantId, clientId);
+    var _a, _b, _c, _d;
+    const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
     // TODO: move and reuse getIdentityClientAuthorityHost
-    const authority = getAuthority(resolvedTenant, (_a = msalClientOptions.authorityHost) !== null && _a !== void 0 ? _a : process.env.AZURE_AUTHORITY_HOST);
+    const authority = getAuthority(resolvedTenant, (_b = msalClientOptions.authorityHost) !== null && _b !== void 0 ? _b : process.env.AZURE_AUTHORITY_HOST);
     const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
     const msalConfig = {
         auth: {
@@ -1957,9 +1957,9 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
         system: {
             networkClient: httpClient,
             loggerOptions: {
-                loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
+                loggerCallback: defaultLoggerCallback((_c = msalClientOptions.logger) !== null && _c !== void 0 ? _c : msalLogger),
                 logLevel: getMSALLogLevel(logger$r.getLogLevel()),
-                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
+                piiLoggingEnabled: (_d = msalClientOptions.loggingOptions) === null || _d === void 0 ? void 0 : _d.enableUnsafeSupportLogging,
             },
         },
     };
@@ -1976,23 +1976,25 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
  * @public
  */
 function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
+    var _a;
     const state = {
         msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
         cachedAccount: createMsalClientOptions.authenticationRecord
             ? publicToMsal(createMsalClientOptions.authenticationRecord)
             : null,
         pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
+        logger: (_a = createMsalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger,
     };
     const publicApps = new Map();
     async function getPublicApp(options = {}) {
         const appKey = options.enableCae ? "CAE" : "default";
         let publicClientApp = publicApps.get(appKey);
         if (publicClientApp) {
-            msalLogger.getToken.info("Existing PublicClientApplication found in cache, returning it.");
+            state.logger.getToken.info("Existing PublicClientApplication found in cache, returning it.");
             return publicClientApp;
         }
         // Initialize a new app and cache it
-        msalLogger.getToken.info(`Creating new PublicClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
+        state.logger.getToken.info(`Creating new PublicClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
         const cachePlugin = options.enableCae
             ? state.pluginConfiguration.cache.cachePluginCae
             : state.pluginConfiguration.cache.cachePlugin;
@@ -2006,11 +2008,11 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
         const appKey = options.enableCae ? "CAE" : "default";
         let confidentialClientApp = confidentialApps.get(appKey);
         if (confidentialClientApp) {
-            msalLogger.getToken.info("Existing ConfidentialClientApplication found in cache, returning it.");
+            state.logger.getToken.info("Existing ConfidentialClientApplication found in cache, returning it.");
             return confidentialClientApp;
         }
         // Initialize a new app and cache it
-        msalLogger.getToken.info(`Creating new ConfidentialClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
+        state.logger.getToken.info(`Creating new ConfidentialClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
         const cachePlugin = options.enableCae
             ? state.pluginConfiguration.cache.cachePluginCae
             : state.pluginConfiguration.cache.cachePlugin;
@@ -2021,14 +2023,15 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
     }
     async function getTokenSilent(app, scopes, options = {}) {
         if (state.cachedAccount === null) {
-            msalLogger.getToken.info("No cached account found in local state, attempting to load it from MSAL cache.");
+            state.logger.getToken.info("No cached account found in local state, attempting to load it from MSAL cache.");
             const cache = app.getTokenCache();
             const accounts = await cache.getAllAccounts();
             if (accounts === undefined || accounts.length === 0) {
                 throw new AuthenticationRequiredError({ scopes });
             }
             if (accounts.length > 1) {
-                msalLogger.info(`More than one account was found authenticated for this Client ID and Tenant ID.
+                state.logger
+                    .info(`More than one account was found authenticated for this Client ID and Tenant ID.
 However, no "authenticationRecord" has been provided for this credential,
 therefore we're unable to pick between these accounts.
 A new login attempt will be requested, to ensure the correct account is picked.
@@ -2052,7 +2055,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
             }
         }
-        msalLogger.getToken.info("Attempting to acquire token silently");
+        state.logger.getToken.info("Attempting to acquire token silently");
         return app.acquireTokenSilent(silentRequest);
     }
     /**
@@ -2095,14 +2098,14 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         // At this point we should have a token, process it
         ensureValidMsalToken(scopes, response, options);
         state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
-        msalLogger.getToken.info(formatSuccess(scopes));
+        state.logger.getToken.info(formatSuccess(scopes));
         return {
             token: response.accessToken,
             expiresOnTimestamp: response.expiresOn.getTime(),
         };
     }
     async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token using client secret`);
+        state.logger.getToken.info(`Attempting to acquire token using client secret`);
         state.msalConfig.auth.clientSecret = clientSecret;
         const msalApp = await getConfidentialApp(options);
         try {
@@ -2113,7 +2116,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             });
             ensureValidMsalToken(scopes, response, options);
-            msalLogger.getToken.info(formatSuccess(scopes));
+            state.logger.getToken.info(formatSuccess(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
@@ -2124,7 +2127,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token using client assertion`);
+        state.logger.getToken.info(`Attempting to acquire token using client assertion`);
         state.msalConfig.auth.clientAssertion = clientAssertion;
         const msalApp = await getConfidentialApp(options);
         try {
@@ -2136,7 +2139,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 clientAssertion,
             });
             ensureValidMsalToken(scopes, response, options);
-            msalLogger.getToken.info(formatSuccess(scopes));
+            state.logger.getToken.info(formatSuccess(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
@@ -2147,7 +2150,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientCertificate(scopes, certificate, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token using client certificate`);
+        state.logger.getToken.info(`Attempting to acquire token using client certificate`);
         state.msalConfig.auth.clientCertificate = certificate;
         const msalApp = await getConfidentialApp(options);
         try {
@@ -2158,7 +2161,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             });
             ensureValidMsalToken(scopes, response, options);
-            msalLogger.getToken.info(formatSuccess(scopes));
+            state.logger.getToken.info(formatSuccess(scopes));
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
@@ -2169,7 +2172,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByDeviceCode(scopes, deviceCodeCallback, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token using device code`);
+        state.logger.getToken.info(`Attempting to acquire token using device code`);
         const msalApp = await getPublicApp(options);
         return withSilentAuthentication(msalApp, scopes, options, () => {
             var _a, _b;
@@ -2190,7 +2193,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         });
     }
     async function getTokenByUsernamePassword(scopes, username, password, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token using username and password`);
+        state.logger.getToken.info(`Attempting to acquire token using username and password`);
         const msalApp = await getPublicApp(options);
         return withSilentAuthentication(msalApp, scopes, options, () => {
             const requestOptions = {
@@ -2210,7 +2213,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return msalToPublic(clientId, state.cachedAccount);
     }
     async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token using authorization code`);
+        state.logger.getToken.info(`Attempting to acquire token using authorization code`);
         let msalApp;
         if (clientSecret) {
             // If a client secret is provided, we need to use a confidential client application
@@ -4418,7 +4421,7 @@ class DeviceCodeCredential {
 // Licensed under the MIT license.
 const credentialName$1 = "AzurePipelinesCredential";
 const logger$2 = credentialLogger(credentialName$1);
-const OIDC_API_VERSION = "7.1-preview.1";
+const OIDC_API_VERSION = "7.1";
 /**
  * This credential is designed to be used in Azure Pipelines with service connections
  * as a setup for workload identity federation.
@@ -4428,23 +4431,23 @@ class AzurePipelinesCredential {
      * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
      * @param tenantId - tenantId associated with the service connection
      * @param clientId - clientId associated with the service connection
-     * @param serviceConnectionId - id for the service connection, as found in the querystring's resourceId key
+     * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key
+     * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
      * @param options - The identity client options to use for authentication.
      */
-    constructor(tenantId, clientId, serviceConnectionId, options) {
-        if (!clientId || !tenantId || !serviceConnectionId) {
-            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId, clientId, and serviceConnectionId are required parameters.`);
+    constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options) {
+        if (!clientId || !tenantId || !serviceConnectionId || !systemAccessToken) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId, clientId, serviceConnectionId, and systemAccessToken are required parameters.`);
         }
         this.identityClient = new IdentityClient(options);
         checkTenantId(logger$2, tenantId);
-        logger$2.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, clientId: ${clientId} and service connection id: ${serviceConnectionId}`);
-        if (clientId && tenantId && serviceConnectionId) {
-            this.ensurePipelinesSystemVars();
-            const oidcRequestUrl = `${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI}${process.env.SYSTEM_TEAMPROJECTID}/_apis/distributedtask/hubs/build/plans/${process.env.SYSTEM_PLANID}/jobs/${process.env.SYSTEM_JOBID}/oidctoken?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
-            const systemAccessToken = `${process.env.SYSTEM_ACCESSTOKEN}`;
-            logger$2.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${clientId} and service connection id: ${serviceConnectionId}`);
-            this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
+        logger$2.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`);
+        if (!process.env.SYSTEM_OIDCREQUESTURI) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- "SYSTEM_OIDCREQUESTURI"`);
         }
+        const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
+        logger$2.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`);
+        this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -4456,16 +4459,13 @@ class AzurePipelinesCredential {
      */
     async getToken(scopes, options) {
         if (!this.clientAssertionCredential) {
-            const errorMessage = `${credentialName$1}: is unavailable. To use Federation Identity in Azure Pipelines, these are required as input parameters / env variables - 
+            const errorMessage = `${credentialName$1}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required - 
       tenantId,
       clientId,
       serviceConnectionId,
-      "SYSTEM_TEAMFOUNDATIONCOLLECTIONURI" &&
-      "SYSTEM_TEAMPROJECTID" &&
-      "SYSTEM_PLANID" &&
-      "SYSTEM_JOBID" &&
-      "SYSTEM_ACCESSTOKEN"
-      See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/troubleshoot`;
+      systemAccessToken,
+      "SYSTEM_OIDCREQUESTURI".      
+      See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
             logger$2.error(errorMessage);
             throw new CredentialUnavailableError(errorMessage);
         }
@@ -4493,48 +4493,26 @@ class AzurePipelinesCredential {
         const text = response.bodyAsText;
         if (!text) {
             logger$2.error(`${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
-            throw new CredentialUnavailableError(`${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
-        }
-        const result = JSON.parse(text);
-        if (result === null || result === void 0 ? void 0 : result.oidcToken) {
-            return result.oidcToken;
+            throw new AuthenticationError(response.status, `${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
         }
-        else {
-            logger$2.error(`${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${JSON.stringify(result)}`);
-            throw new CredentialUnavailableError(`${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${JSON.stringify(result)}`);
-        }
-    }
-    /**
-     * Ensures all system env vars are there to form the request uri for OIDC token
-     * @returns void
-     * @throws CredentialUnavailableError
-     */
-    ensurePipelinesSystemVars() {
-        if (process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI &&
-            process.env.SYSTEM_TEAMPROJECTID &&
-            process.env.SYSTEM_PLANID &&
-            process.env.SYSTEM_JOBID &&
-            process.env.SYSTEM_ACCESSTOKEN) {
-            return;
+        try {
+            const result = JSON.parse(text);
+            if (result === null || result === void 0 ? void 0 : result.oidcToken) {
+                return result.oidcToken;
+            }
+            else {
+                let errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
+                if (response.status !== 200) {
+                    errorMessage += `Response = ${JSON.stringify(result)}`;
+                }
+                logger$2.error(errorMessage);
+                throw new AuthenticationError(response.status, errorMessage);
+            }
         }
-        const missingEnvVars = [];
-        let errorMessage = "";
-        if (!process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI) {
-            missingEnvVars.push("SYSTEM_TEAMFOUNDATIONCOLLECTIONURI");
-        }
-        if (!process.env.SYSTEM_TEAMPROJECTID)
-            missingEnvVars.push("SYSTEM_TEAMPROJECTID");
-        if (!process.env.SYSTEM_PLANID)
-            missingEnvVars.push("SYSTEM_PLANID");
-        if (!process.env.SYSTEM_JOBID)
-            missingEnvVars.push("SYSTEM_JOBID");
-        if (!process.env.SYSTEM_ACCESSTOKEN) {
-            errorMessage +=
-                "\nPlease ensure that the system access token is available in the SYSTEM_ACCESSTOKEN value; this is often most easily achieved by adding a block to the end of your pipeline yaml for the task with:\n env: \n- SYSTEM_ACCESSTOKEN: $(System.AccessToken)";
-            missingEnvVars.push("SYSTEM_ACCESSTOKEN");
-        }
-        if (missingEnvVars.length > 0) {
-            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- ${missingEnvVars.join(", ")}.${errorMessage}`);
+        catch (e) {
+            logger$2.error(e.message);
+            logger$2.error(`${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
+            throw new AuthenticationError(response.status, `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
         }
     }
 }