@azure/identity 4.3.0 → 4.3.1-alpha.20240619.4

package/dist/index.js

@@ -14,11 +14,12 @@ var path = require('path');
 var msalCommon = require('@azure/msal-node');
 var fs$1 = require('node:fs');
 var https = require('https');
+var open = require('open');
 var promises = require('fs/promises');
 var child_process = require('child_process');
 var crypto = require('crypto');
-var open = require('open');
-var util = require('util');
+var promises$1 = require('node:fs/promises');
+var node_crypto = require('node:crypto');
 
 function _interopNamespaceDefault(e) {
     var n = Object.create(null);
@@ -45,7 +46,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.3.0-beta.3`;
+const SDK_VERSION = `4.3.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -128,9 +129,6 @@ const msalNodeFlowCacheControl = {
  * @internal
  */
 let nativeBrokerInfo = undefined;
-function hasNativeBroker() {
-    return nativeBrokerInfo !== undefined;
-}
 /**
  * An object that allows setting the native broker provider.
  * @internal
@@ -1009,16 +1007,88 @@ function useIdentityPlugin(plugin) {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
+const msiName$6 = "ManagedIdentityCredential - CloudShellMSI";
 const logger$o = credentialLogger(msiName$6);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$5(scopes, clientId) {
+function prepareRequestOptions$5(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
     }
+    const body = {
+        resource,
+    };
+    if (clientId) {
+        body.client_id = clientId;
+    }
+    if (resourceId) {
+        body.msi_res_id = resourceId;
+    }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    const params = new URLSearchParams(body);
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: params.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Metadata: "true",
+            "Content-Type": "application/x-www-form-urlencoded",
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
+ * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
+ */
+const cloudShellMsi = {
+    name: "cloudShellMsi",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$o.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+            logger$o.info(`${msiName$6}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+            logger$o.warning(`${msiName$6}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$o.warning(`${msiName$6}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+        }
+        logger$o.info(`${msiName$6}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$n = credentialLogger(msiName$5);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$4(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": "2017-09-01",
@@ -1029,10 +1099,10 @@ function prepareRequestOptions$5(scopes, clientId) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
+        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
     }
     if (!process.env.MSI_SECRET) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
+        throw new Error(`${msiName$5}: Missing environment variable: MSI_SECRET`);
     }
     return {
         url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
@@ -1051,23 +1121,23 @@ const appServiceMsi2017 = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$o.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            logger$n.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
         if (!result) {
-            logger$o.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+            logger$n.info(`${msiName$5}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (resourceId) {
-            logger$o.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+            logger$n.warning(`${msiName$5}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        logger$o.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
+        logger$n.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -1077,15 +1147,15 @@ const appServiceMsi2017 = {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2019";
-const logger$n = credentialLogger(msiName$5);
+const msiName$4 = "ManagedIdentityCredential - AppServiceMSI 2019";
+const logger$m = credentialLogger(msiName$4);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$4(scopes, clientId, resourceId) {
+function prepareRequestOptions$3(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
     }
     const queryParameters = {
         resource,
@@ -1100,10 +1170,10 @@ function prepareRequestOptions$4(scopes, clientId, resourceId) {
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_ENDPOINT`);
+        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
     if (!process.env.IDENTITY_HEADER) {
-        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_HEADER`);
+        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_HEADER`);
     }
     return {
         url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
@@ -1122,20 +1192,20 @@ const appServiceMsi2019 = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$n.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            logger$m.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
         if (!result) {
-            logger$n.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+            logger$m.info(`${msiName$4}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$n.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
+        logger$m.info(`${msiName$4}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -1145,15 +1215,15 @@ const appServiceMsi2019 = {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$4 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$m = credentialLogger(msiName$4);
+const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$l = credentialLogger(msiName$3);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$3(scopes, clientId, resourceId) {
+function prepareRequestOptions$2(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
     }
     const queryParameters = {
         resource,
@@ -1167,7 +1237,7 @@ function prepareRequestOptions$3(scopes, clientId, resourceId) {
     }
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
     if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_ENDPOINT`);
+        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
     const query = new URLSearchParams(queryParameters);
     return coreRestPipeline.createPipelineRequest({
@@ -1190,7 +1260,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         if (response.bodyAsText) {
             message = ` Response: ${response.bodyAsText}`;
         }
-        throw new AuthenticationError(response.status, `${msiName$4}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
     const authHeader = response.headers.get("www-authenticate") || "";
     try {
@@ -1204,13 +1274,13 @@ function platformToFilePath() {
     switch (process.platform) {
         case "win32":
             if (!process.env.PROGRAMDATA) {
-                throw new Error(`${msiName$4}: PROGRAMDATA environment variable has no value.`);
+                throw new Error(`${msiName$3}: PROGRAMDATA environment variable has no value.`);
             }
             return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
         case "linux":
             return "/var/opt/azcmagent/tokens";
         default:
-            throw new Error(`${msiName$4}: Unsupported platform ${process.platform}.`);
+            throw new Error(`${msiName$3}: Unsupported platform ${process.platform}.`);
     }
 }
 /**
@@ -1223,18 +1293,18 @@ function platformToFilePath() {
  */
 function validateKeyFile(filePath) {
     if (!filePath) {
-        throw new Error(`${msiName$4}: Failed to find the token file.`);
+        throw new Error(`${msiName$3}: Failed to find the token file.`);
     }
     if (!filePath.endsWith(".key")) {
-        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+        throw new Error(`${msiName$3}: unexpected file path from HIMDS service: ${filePath}.`);
     }
     const expectedPath = platformToFilePath();
     if (!filePath.startsWith(expectedPath)) {
-        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+        throw new Error(`${msiName$3}: unexpected file path from HIMDS service: ${filePath}.`);
     }
     const stats = fs$1.statSync(filePath);
     if (stats.size > 4096) {
-        throw new Error(`${msiName$4}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+        throw new Error(`${msiName$3}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
     }
 }
 /**
@@ -1245,12 +1315,12 @@ const arcMsi = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$m.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+            logger$l.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$m.info(`${msiName$4}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+            logger$l.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
@@ -1258,13 +1328,13 @@ const arcMsi = {
         var _a;
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$m.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$l.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$m.warning(`${msiName$4}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+            logger$l.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
         }
-        logger$m.info(`${msiName$4}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        logger$l.info(`${msiName$3}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         validateKeyFile(filePath);
         const key = await fs$1.promises.readFile(filePath, { encoding: "utf-8" });
@@ -1277,78 +1347,6 @@ const arcMsi = {
     },
 };
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$3 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$l = credentialLogger(msiName$3);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$2(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
-    }
-    const body = {
-        resource,
-    };
-    if (clientId) {
-        body.client_id = clientId;
-    }
-    if (resourceId) {
-        body.msi_res_id = resourceId;
-    }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$3}: Missing environment variable: MSI_ENDPOINT`);
-    }
-    const params = new URLSearchParams(body);
-    return {
-        url: process.env.MSI_ENDPOINT,
-        method: "POST",
-        body: params.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-            "Content-Type": "application/x-www-form-urlencoded",
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
- * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
- */
-const cloudShellMsi = {
-    name: "cloudShellMsi",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$l.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const result = Boolean(process.env.MSI_ENDPOINT);
-        if (!result) {
-            logger$l.info(`${msiName$3}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$l.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$l.warning(`${msiName$3}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
-        }
-        logger$l.info(`${msiName$3}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 // This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
@@ -1546,16 +1544,6 @@ function getMSALLogLevel(logLevel) {
             return msalCommon__namespace.LogLevel.Info;
     }
 }
-/**
- * Wraps core-util's randomUUID in order to allow for mocking in tests.
- * This prepares the library for the upcoming core-util update to ESM.
- *
- * @internal
- * @returns A string containing a random UUID
- */
-function randomUUID() {
-    return coreUtil.randomUUID();
-}
 /**
  * Handles MSAL errors.
  */
@@ -1928,6 +1916,16 @@ function calculateRegionalAuthority(regionalAuthority) {
     return azureRegion;
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * A call to open(), but mockable
+ * @internal
+ */
+const interactiveBrowserMockable = {
+    open,
+};
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
@@ -2234,6 +2232,105 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             });
         });
     }
+    async function getTokenOnBehalfOf(scopes, userAssertionToken, clientSecretOrCertificate, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
+        if (typeof clientSecretOrCertificate === "string") {
+            // Client secret
+            msalLogger.getToken.info(`Using client secret for on behalf of flow`);
+            state.msalConfig.auth.clientSecret = clientSecretOrCertificate;
+        }
+        else {
+            // Client certificate
+            msalLogger.getToken.info(`Using client certificate for on behalf of flow`);
+            state.msalConfig.auth.clientCertificate = clientSecretOrCertificate;
+        }
+        const msalApp = await getConfidentialApp(options);
+        try {
+            const response = await msalApp.acquireTokenOnBehalfOf({
+                scopes,
+                authority: state.msalConfig.auth.authority,
+                claims: options.claims,
+                oboAssertion: userAssertionToken,
+            });
+            ensureValidMsalToken(scopes, response, options);
+            msalLogger.getToken.info(formatSuccess(scopes));
+            return {
+                token: response.accessToken,
+                expiresOnTimestamp: response.expiresOn.getTime(),
+            };
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    async function getTokenByInteractiveRequest(scopes, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token interactively`);
+        const app = await getPublicApp(options);
+        /**
+         * A helper function that supports brokered authentication through the MSAL's public application.
+         *
+         * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
+         * If the default broker account is not available, the method will fall back to interactive authentication.
+         */
+        async function getBrokeredToken(useDefaultBrokerAccount) {
+            var _a;
+            msalLogger.verbose("Authentication will resume through the broker");
+            const interactiveRequest = createBaseInteractiveRequest();
+            if (state.pluginConfiguration.broker.parentWindowHandle) {
+                interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
+            }
+            else {
+                // this is a bug, as the pluginConfiguration handler should validate this case.
+                msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (state.pluginConfiguration.broker.enableMsaPassthrough) {
+                ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
+                    "consumer_passthrough";
+            }
+            if (useDefaultBrokerAccount) {
+                interactiveRequest.prompt = "none";
+                msalLogger.verbose("Attempting broker authentication using the default broker account");
+            }
+            else {
+                msalLogger.verbose("Attempting broker authentication without the default broker account");
+            }
+            try {
+                return await app.acquireTokenInteractive(interactiveRequest);
+            }
+            catch (e) {
+                msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
+                // If we tried to use the default broker account and failed, fall back to interactive authentication
+                if (useDefaultBrokerAccount) {
+                    return getBrokeredToken(/* useDefaultBrokerAccount: */ false);
+                }
+                else {
+                    throw e;
+                }
+            }
+        }
+        function createBaseInteractiveRequest() {
+            var _a, _b;
+            return {
+                openBrowser: async (url) => {
+                    await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
+                },
+                scopes,
+                authority: state.msalConfig.auth.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+                loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
+                errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
+                successTemplate: (_b = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage,
+            };
+        }
+        return withSilentAuthentication(app, scopes, options, async () => {
+            var _a;
+            const interactiveRequest = createBaseInteractiveRequest();
+            if (state.pluginConfiguration.broker.isEnabled) {
+                return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
+            }
+            return app.acquireTokenInteractive(interactiveRequest);
+        });
+    }
     return {
         getActiveAccount,
         getTokenByClientSecret,
@@ -2242,6 +2339,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         getTokenByDeviceCode,
         getTokenByUsernamePassword,
         getTokenByAuthorizationCode,
+        getTokenOnBehalfOf,
+        getTokenByInteractiveRequest,
     };
 }
 
@@ -2422,19 +2521,7 @@ function tokenExchangeMsi() {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$e = credentialLogger("ManagedIdentityCredential");
-/**
- * Attempts authentication using a managed identity available at the deployment environment.
- * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
- * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-class ManagedIdentityCredential {
-    /**
-     * @internal
-     * @hidden
-     */
+class LegacyMsiProvider {
     constructor(clientIdOrOptions, options) {
         var _a, _b;
         this.isEndpointUnavailable = null;
@@ -2456,7 +2543,7 @@ class ManagedIdentityCredential {
         this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
         // For JavaScript users.
         if (this.clientId && this.resourceId) {
-            throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
+            throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
         }
         if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
             this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
@@ -2509,10 +2596,10 @@ class ManagedIdentityCredential {
                 return msi;
             }
         }
-        throw new CredentialUnavailableError(`${ManagedIdentityCredential.name} - No MSI credential available`);
+        throw new CredentialUnavailableError(`ManagedIdentityCredential - No MSI credential available`);
     }
     async authenticateManagedIdentity(scopes, getTokenOptions) {
-        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
+        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.authenticateManagedIdentity`, getTokenOptions);
         try {
             // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
             const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
@@ -2546,7 +2633,7 @@ class ManagedIdentityCredential {
      */
     async getToken(scopes, options) {
         let result = null;
-        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.getToken`, options);
+        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.getToken`, options);
         try {
             // isEndpointAvailable can be true, false, or null,
             // If it's null, it means we don't yet know whether
@@ -2612,27 +2699,27 @@ class ManagedIdentityCredential {
             // If either the network is unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
                 logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
                 logger$e.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
             // and it means that the endpoint is working, but that no identity is available.
             if (err.statusCode === 400) {
-                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
             // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
             // rather than just timing out, as expected.
             if (err.statusCode === 403 || err.code === 403) {
                 if (err.message.includes("unreachable")) {
-                    const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+                    const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
                     logger$e.getToken.info(formatError(scopes, error));
                     throw error;
                 }
@@ -2640,11 +2727,11 @@ class ManagedIdentityCredential {
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
             if (err.statusCode === undefined) {
-                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Authentication failed. Message ${err.message}`);
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
             }
             // Any other error should break the chain.
             throw new AuthenticationError(err.statusCode, {
-                error: `${ManagedIdentityCredential.name} authentication failed.`,
+                error: `ManagedIdentityCredential authentication failed.`,
                 error_description: err.message,
             });
         }
@@ -2721,24 +2808,56 @@ class ManagedIdentityCredential {
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
- * Ensures the scopes value is an array.
- * @internal
- */
-function ensureScopes(scopes) {
-    return Array.isArray(scopes) ? scopes : [scopes];
-}
-/**
- * Throws if the received scope is not valid.
- * @internal
+ * Attempts authentication using a managed identity available at the deployment environment.
+ * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
+ * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  */
-function ensureValidScopeForDevTimeCreds(scope, logger) {
-    if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
-        const error = new Error("Invalid scope was specified by the user or calling client");
-        logger.getToken.info(formatError(scope, error));
-        throw error;
-    }
-}
-/**
+class ManagedIdentityCredential {
+    /**
+     * @internal
+     * @hidden
+     */
+    constructor(clientIdOrOptions, options) {
+        this.implProvider = new LegacyMsiProvider(clientIdOrOptions, options);
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options) {
+        return this.implProvider.getToken(scopes, options);
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Ensures the scopes value is an array.
+ * @internal
+ */
+function ensureScopes(scopes) {
+    return Array.isArray(scopes) ? scopes : [scopes];
+}
+/**
+ * Throws if the received scope is not valid.
+ * @internal
+ */
+function ensureValidScopeForDevTimeCreds(scope, logger) {
+    if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
+        const error = new Error("Invalid scope was specified by the user or calling client");
+        logger.getToken.info(formatError(scope, error));
+        throw error;
+    }
+}
+/**
  * Returns the resource out of a scope.
  * @internal
  */
@@ -3826,425 +3945,6 @@ class DefaultAzureCredential extends ChainedTokenCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * MSAL partial base client for Node.js.
- *
- * It completes the input configuration with some default values.
- * It also provides with utility protected methods that can be used from any of the clients,
- * which includes handlers for successful responses and errors.
- *
- * @internal
- */
-class MsalNode {
-    constructor(options) {
-        var _a, _b, _c, _d, _e, _f;
-        this.app = {};
-        this.caeApp = {};
-        this.requiresConfidential = false;
-        this.logger = options.logger;
-        this.msalConfig = this.defaultNodeMsalConfig(options);
-        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
-        this.clientId = this.msalConfig.auth.clientId;
-        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
-            this.getAssertion = options.getAssertion;
-        }
-        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
-        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
-        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
-        // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
-            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
-            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
-            this.createCachePluginCae = () => persistenceProvider(caeOptions);
-        }
-        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
-            throw new Error([
-                "Persistent token caching was requested, but no persistence provider was configured.",
-                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
-            ].join(" "));
-        }
-        // If broker has not been configured
-        if (!hasNativeBroker() && this.enableBroker) {
-            throw new Error([
-                "Broker for WAM was requested to be enabled, but no native broker was configured.",
-                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
-            ].join(" "));
-        }
-        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
-    }
-    /**
-     * Generates a MSAL configuration that generally works for Node.js
-     */
-    defaultNodeMsalConfig(options) {
-        var _a;
-        const clientId = options.clientId || DeveloperSignOnClientId;
-        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
-        const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        const clientCapabilities = [];
-        return {
-            auth: {
-                clientId,
-                authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
-                clientCapabilities,
-            },
-            // Cache is defined in this.prepare();
-            system: {
-                networkClient: this.identityClient,
-                loggerOptions: {
-                    loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$r.getLogLevel()),
-                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
-                },
-            },
-        };
-    }
-    getApp(appType, enableCae) {
-        const app = enableCae ? this.caeApp : this.app;
-        if (appType === "publicFirst") {
-            return (app.public || app.confidential);
-        }
-        else if (appType === "confidentialFirst") {
-            return (app.confidential || app.public);
-        }
-        else if (appType === "confidential") {
-            return app.confidential;
-        }
-        else {
-            return app.public;
-        }
-    }
-    /**
-     * Prepares the MSAL applications.
-     */
-    async init(options) {
-        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
-            options.abortSignal.addEventListener("abort", () => {
-                // This will abort any pending request in the IdentityClient,
-                // based on the received or generated correlationId
-                this.identityClient.abortRequests(options.correlationId);
-            });
-        }
-        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.msalConfig.auth.clientCapabilities = ["cp1"];
-        }
-        if (app.public || app.confidential) {
-            return;
-        }
-        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePluginCae(),
-            };
-        }
-        if (this.createCachePlugin !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePlugin(),
-            };
-        }
-        if (hasNativeBroker() && this.enableBroker) {
-            this.msalConfig.broker = {
-                nativeBrokerPlugin: nativeBrokerInfo.broker,
-            };
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-        }
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        else {
-            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        if (this.getAssertion) {
-            this.msalConfig.auth.clientAssertion = await this.getAssertion();
-        }
-        // The confidential client requires either a secret, assertion or certificate.
-        if (this.msalConfig.auth.clientSecret ||
-            this.msalConfig.auth.clientAssertion ||
-            this.msalConfig.auth.clientCertificate) {
-            if (options === null || options === void 0 ? void 0 : options.enableCae) {
-                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-            else {
-                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-        }
-        else {
-            if (this.requiresConfidential) {
-                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
-            }
-        }
-    }
-    /**
-     * Allows the cancellation of a MSAL request.
-     */
-    withCancellation(promise, abortSignal, onCancel) {
-        return new Promise((resolve, reject) => {
-            promise
-                .then((msalToken) => {
-                return resolve(msalToken);
-            })
-                .catch(reject);
-            if (abortSignal) {
-                abortSignal.addEventListener("abort", () => {
-                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
-                });
-            }
-        });
-    }
-    /**
-     * Returns the existing account, attempts to load the account from MSAL.
-     */
-    async getActiveAccount(enableCae = false) {
-        if (this.account) {
-            return this.account;
-        }
-        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
-        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
-        if (!accountsByTenant) {
-            return;
-        }
-        if (accountsByTenant.length === 1) {
-            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
-        }
-        else {
-            this.logger
-                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
-However, no "authenticationRecord" has been provided for this credential,
-therefore we're unable to pick between these accounts.
-A new login attempt will be requested, to ensure the correct account is picked.
-To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
-            return;
-        }
-        return this.account;
-    }
-    /**
-     * Attempts to retrieve a token from cache.
-     */
-    async getTokenSilent(scopes, options) {
-        var _a, _b, _c;
-        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
-        if (!this.account) {
-            throw new AuthenticationRequiredError({
-                scopes,
-                getTokenOptions: options,
-                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
-            });
-        }
-        const silentRequest = {
-            // To be able to re-use the account, the Token Cache must also have been provided.
-            account: publicToMsal(this.account),
-            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-            scopes,
-            authority: options === null || options === void 0 ? void 0 : options.authority,
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-        };
-        if (hasNativeBroker() && this.enableBroker) {
-            if (!silentRequest.tokenQueryParameters) {
-                silentRequest.tokenQueryParameters = {};
-            }
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-            if (this.enableMsaPassthrough) {
-                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
-            }
-        }
-        try {
-            this.logger.info("Attempting to acquire token silently");
-            /**
-             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
-             * refresh of the token cache with the token and the account passed in through the
-             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
-             */
-            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
-            return this.handleResult(scopes, response || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-    /**
-     * Wrapper around each MSAL flow get token operation: doGetToken.
-     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
-     */
-    async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
-            this.tenantId;
-        options.authority = getAuthority(tenantId, this.authorityHost);
-        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
-        await this.init(options);
-        try {
-            // MSAL now caches tokens based on their claims,
-            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
-            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
-            const optionsClaims = options.claims;
-            if (optionsClaims) {
-                this.cachedClaims = optionsClaims;
-            }
-            if (this.cachedClaims && !optionsClaims) {
-                options.claims = this.cachedClaims;
-            }
-            // We don't return the promise since we want to catch errors right here.
-            return await this.getTokenSilent(scopes, options);
-        }
-        catch (err) {
-            if (err.name !== "AuthenticationRequiredError") {
-                throw err;
-            }
-            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                throw new AuthenticationRequiredError({
-                    scopes,
-                    getTokenOptions: options,
-                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
-                });
-            }
-            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
-            return this.doGetToken(scopes, options);
-        }
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(this.clientId, result.account);
-        }
-        ensureValidMsalToken(scopes, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * A call to open(), but mockable
- * @internal
- */
-const interactiveBrowserMockable = {
-    open,
-};
-/**
- * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
- * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
- * @internal
- */
-class MsalOpenBrowser extends MsalNode {
-    constructor(options) {
-        var _a, _b, _c, _d;
-        super(options);
-        this.loginHint = options.loginHint;
-        this.errorTemplate = (_a = options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage;
-        this.successTemplate = (_b = options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage;
-        this.logger = credentialLogger("Node.js MSAL Open Browser");
-        this.useDefaultBrokerAccount =
-            ((_c = options.brokerOptions) === null || _c === void 0 ? void 0 : _c.enabled) && ((_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount);
-    }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const interactiveRequest = {
-                openBrowser: async (url) => {
-                    await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
-                },
-                scopes,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                loginHint: this.loginHint,
-                errorTemplate: this.errorTemplate,
-                successTemplate: this.successTemplate,
-            };
-            if (hasNativeBroker() && this.enableBroker) {
-                return this.doGetBrokeredToken(scopes, interactiveRequest, {
-                    enableCae: options.enableCae,
-                    useDefaultBrokerAccount: this.useDefaultBrokerAccount,
-                });
-            }
-            // If the broker is not enabled, we will fall back to interactive authentication
-            if (hasNativeBroker() && !this.enableBroker) {
-                this.logger.verbose("Authentication will resume normally without the broker, since it's not enabled");
-            }
-            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-    /**
-     * A helper function that supports brokered authentication through the MSAL's public application.
-     *
-     * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
-     * If the default broker account is not available, the method will fall back to interactive authentication.
-     */
-    async doGetBrokeredToken(scopes, interactiveRequest, options) {
-        var _a;
-        this.logger.verbose("Authentication will resume through the broker");
-        if (this.parentWindowHandle) {
-            interactiveRequest.windowHandle = Buffer.from(this.parentWindowHandle);
-        }
-        else {
-            // error should have been thrown from within the constructor of InteractiveBrowserCredential
-            this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-        }
-        if (this.enableMsaPassthrough) {
-            ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
-                "consumer_passthrough";
-        }
-        if (options.useDefaultBrokerAccount) {
-            interactiveRequest.prompt = "none";
-            this.logger.verbose("Attempting broker authentication using the default broker account");
-        }
-        else {
-            interactiveRequest.prompt = undefined;
-            this.logger.verbose("Attempting broker authentication without the default broker account");
-        }
-        try {
-            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
-            if (result.fromNativeBroker) {
-                this.logger.verbose(`This result is returned from native broker`);
-            }
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (e) {
-            this.logger.verbose(`Failed to authenticate through the broker: ${e.message}`);
-            // If we tried to use the default broker account and failed, fall back to interactive authentication
-            if (options.useDefaultBrokerAccount) {
-                return this.doGetBrokeredToken(scopes, interactiveRequest, {
-                    enableCae: options.enableCae,
-                    useDefaultBrokerAccount: false,
-                });
-            }
-            else {
-                // If we're not using the default broker account, throw the error
-                throw handleMsalError(scopes, e);
-            }
-        }
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$4 = credentialLogger("InteractiveBrowserCredential");
@@ -4266,31 +3966,27 @@ class InteractiveBrowserCredential {
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
-        var _a, _b, _c, _d;
-        const redirectUri = typeof options.redirectUri === "function"
-            ? options.redirectUri()
-            : options.redirectUri || "http://localhost";
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        var _a, _b, _c, _d, _e;
+        this.tenantId = resolveTenantId(logger$4, options.tenantId, options.clientId);
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        const msalClientOptions = Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4 });
         const ibcNodeOptions = options;
+        this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;
+        this.loginHint = ibcNodeOptions.loginHint;
         if ((_a = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) {
             if (!((_b = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b === void 0 ? void 0 : _b.parentWindowHandle)) {
                 throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
             }
             else {
-                this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4,
-                    redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions, brokerOptions: {
-                        enabled: true,
-                        parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
-                        legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
-                        useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount,
-                    } }));
+                msalClientOptions.brokerOptions = {
+                    enabled: true,
+                    parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
+                    legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
+                    useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount,
+                };
             }
         }
-        else {
-            this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4,
-                redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions }));
-        }
+        this.msalClient = createMsalClient((_e = options.clientId) !== null && _e !== void 0 ? _e : DeveloperSignOnClientId, this.tenantId, msalClientOptions);
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
@@ -4309,7 +4005,7 @@ class InteractiveBrowserCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$4);
             const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+            return this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
         });
     }
     /**
@@ -4328,8 +4024,8 @@ class InteractiveBrowserCredential {
     async authenticate(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
             const arrayScopes = ensureScopes(scopes);
-            await this.msalFlow.getToken(arrayScopes, newOptions);
-            return this.msalFlow.getActiveAccount();
+            await this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
+            return this.msalClient.getActiveAccount();
         });
     }
 }
@@ -4571,102 +4267,6 @@ class AuthorizationCodeCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const readFileAsync = util.promisify(fs.readFile);
-/**
- * Tries to asynchronously load a certificate from the given path.
- *
- * @param configuration - Either the PEM value or the path to the certificate.
- * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
- * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
- * @internal
- */
-async function parseCertificate(configuration, sendCertificateChain) {
-    const certificateParts = {};
-    const certificate = configuration
-        .certificate;
-    const certificatePath = configuration
-        .certificatePath;
-    certificateParts.certificateContents =
-        certificate || (await readFileAsync(certificatePath, "utf8"));
-    if (sendCertificateChain) {
-        certificateParts.x5c = certificateParts.certificateContents;
-    }
-    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-    const publicKeys = [];
-    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-    let match;
-    do {
-        match = certificatePattern.exec(certificateParts.certificateContents);
-        if (match) {
-            publicKeys.push(match[3]);
-        }
-    } while (match);
-    if (publicKeys.length === 0) {
-        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-    }
-    certificateParts.thumbprint = crypto.createHash("sha1")
-        .update(Buffer.from(publicKeys[0], "base64"))
-        .digest("hex")
-        .toUpperCase();
-    return certificateParts;
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
- * @internal
- */
-class MsalOnBehalfOf extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.logger.info("Initialized MSAL's On-Behalf-Of flow");
-        this.requiresConfidential = true;
-        this.userAssertionToken = options.userAssertionToken;
-        this.certificatePath = options.certificatePath;
-        this.sendCertificateChain = options.sendCertificateChain;
-        this.clientSecret = options.clientSecret;
-    }
-    // Changing the MSAL configuration asynchronously
-    async init(options) {
-        if (this.certificatePath) {
-            try {
-                const parts = await parseCertificate({ certificatePath: this.certificatePath }, this.sendCertificateChain);
-                this.msalConfig.auth.clientCertificate = {
-                    thumbprint: parts.thumbprint,
-                    privateKey: parts.certificateContents,
-                    x5c: parts.x5c,
-                };
-            }
-            catch (error) {
-                this.logger.info(formatError("", error));
-                throw error;
-            }
-        }
-        else {
-            this.msalConfig.auth.clientSecret = this.clientSecret;
-        }
-        return super.init(options);
-    }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const result = await this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
-                scopes,
-                correlationId: options.correlationId,
-                authority: options.authority,
-                claims: options.claims,
-                oboAssertion: this.userAssertionToken,
-            });
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const credentialName = "OnBehalfOfCredential";
@@ -4676,16 +4276,19 @@ const logger = credentialLogger(credentialName);
  */
 class OnBehalfOfCredential {
     constructor(options) {
-        this.options = options;
         const { clientSecret } = options;
-        const { certificatePath } = options;
+        const { certificatePath, sendCertificateChain } = options;
         const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
         if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
             throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
+        this.certificatePath = certificatePath;
+        this.clientSecret = clientSecret;
+        this.userAssertionToken = userAssertionToken;
+        this.sendCertificateChain = sendCertificateChain;
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
-        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
+        this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -4698,9 +4301,60 @@ class OnBehalfOfCredential {
         return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
             newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
             const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, newOptions);
+            if (this.certificatePath) {
+                const clientCertificate = await this.buildClientCertificate(this.certificatePath);
+                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, clientCertificate, newOptions);
+            }
+            else if (this.clientSecret) {
+                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
+            }
+            else {
+                // this is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath were provided
+                throw new Error("Expected either clientSecret or certificatePath to be defined.");
+            }
         });
     }
+    async buildClientCertificate(certificatePath) {
+        try {
+            const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);
+            return {
+                thumbprint: parts.thumbprint,
+                privateKey: parts.certificateContents,
+                x5c: parts.x5c,
+            };
+        }
+        catch (error) {
+            logger.info(formatError("", error));
+            throw error;
+        }
+    }
+    async parseCertificate(configuration, sendCertificateChain) {
+        const certificatePath = configuration.certificatePath;
+        const certificateContents = await promises$1.readFile(certificatePath, "utf8");
+        const x5c = sendCertificateChain ? certificateContents : undefined;
+        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+        const publicKeys = [];
+        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+        let match;
+        do {
+            match = certificatePattern.exec(certificateContents);
+            if (match) {
+                publicKeys.push(match[3]);
+            }
+        } while (match);
+        if (publicKeys.length === 0) {
+            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+        }
+        const thumbprint = node_crypto.createHash("sha1")
+            .update(Buffer.from(publicKeys[0], "base64"))
+            .digest("hex")
+            .toUpperCase();
+        return {
+            certificateContents,
+            thumbprint,
+            x5c,
+        };
+    }
 }
 
 // Copyright (c) Microsoft Corporation.