@azure/identity 4.3.1-alpha.20240627.1 → 4.3.1-alpha.20240702.3

package/dist/index.js

@@ -2056,6 +2056,16 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         state.logger.getToken.info("Attempting to acquire token silently");
         return app.acquireTokenSilent(silentRequest);
     }
+    /**
+     * Builds an authority URL for the given request. The authority may be different than the one used when creating the MSAL client
+     * if the user is creating cross-tenant requests
+     */
+    function calculateRequestAuthority(options) {
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            return getAuthority(options.tenantId, createMsalClientOptions.authorityHost);
+        }
+        return state.msalConfig.auth.authority;
+    }
     /**
      * Performs silent authentication using MSAL to acquire an access token.
      * If silent authentication fails, falls back to interactive authentication.
@@ -2109,7 +2119,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         try {
             const response = await msalApp.acquireTokenByClientCredential({
                 scopes,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 azureRegion: calculateRegionalAuthority(),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             });
@@ -2131,7 +2141,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         try {
             const response = await msalApp.acquireTokenByClientCredential({
                 scopes,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 azureRegion: calculateRegionalAuthority(),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
                 clientAssertion,
@@ -2154,7 +2164,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         try {
             const response = await msalApp.acquireTokenByClientCredential({
                 scopes,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 azureRegion: calculateRegionalAuthority(),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             });
@@ -2178,7 +2188,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 scopes,
                 cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
                 deviceCodeCallback,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
             const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
@@ -2198,7 +2208,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 scopes,
                 username,
                 password,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
             return msalApp.acquireTokenByUsernamePassword(requestOptions);
@@ -2227,28 +2237,33 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 scopes,
                 redirectUri,
                 code: authorizationCode,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             });
         });
     }
-    async function getTokenOnBehalfOf(scopes, userAssertionToken, clientSecretOrCertificate, options = {}) {
+    async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
         msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
-        if (typeof clientSecretOrCertificate === "string") {
+        if (typeof clientCredentials === "string") {
             // Client secret
             msalLogger.getToken.info(`Using client secret for on behalf of flow`);
-            state.msalConfig.auth.clientSecret = clientSecretOrCertificate;
+            state.msalConfig.auth.clientSecret = clientCredentials;
+        }
+        else if (typeof clientCredentials === "function") {
+            // Client Assertion
+            msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);
+            state.msalConfig.auth.clientAssertion = clientCredentials;
         }
         else {
             // Client certificate
             msalLogger.getToken.info(`Using client certificate for on behalf of flow`);
-            state.msalConfig.auth.clientCertificate = clientSecretOrCertificate;
+            state.msalConfig.auth.clientCertificate = clientCredentials;
         }
         const msalApp = await getConfidentialApp(options);
         try {
             const response = await msalApp.acquireTokenOnBehalfOf({
                 scopes,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 claims: options.claims,
                 oboAssertion: userAssertionToken,
             });
@@ -2315,7 +2330,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                     await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
                 },
                 scopes,
-                authority: state.msalConfig.auth.authority,
+                authority: calculateRequestAuthority(options),
                 claims: options === null || options === void 0 ? void 0 : options.claims,
                 loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
                 errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
@@ -2382,9 +2397,8 @@ class ClientAssertionCredential {
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
             newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
-            const clientAssertion = await this.getAssertion();
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalClient.getTokenByClientAssertion(arrayScopes, clientAssertion, newOptions);
+            return this.msalClient.getTokenByClientAssertion(arrayScopes, this.getAssertion, newOptions);
         });
     }
 }
@@ -4278,14 +4292,19 @@ class OnBehalfOfCredential {
     constructor(options) {
         const { clientSecret } = options;
         const { certificatePath, sendCertificateChain } = options;
+        const { getAssertion } = options;
         const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
-        if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
-            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
+        if (!tenantId ||
+            !clientId ||
+            !(clientSecret || certificatePath || getAssertion) ||
+            !userAssertionToken) {
+            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath or getAssertion) and userAssertionToken are required parameters.`);
         }
         this.certificatePath = certificatePath;
         this.clientSecret = clientSecret;
         this.userAssertionToken = userAssertionToken;
         this.sendCertificateChain = sendCertificateChain;
+        this.clientAssertion = getAssertion;
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
         this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
@@ -4308,9 +4327,12 @@ class OnBehalfOfCredential {
             else if (this.clientSecret) {
                 return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
             }
+            else if (this.clientAssertion) {
+                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientAssertion, options);
+            }
             else {
-                // this is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath were provided
-                throw new Error("Expected either clientSecret or certificatePath to be defined.");
+                // this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided
+                throw new Error("Expected either clientSecret or certificatePath or clientAssertion to be defined.");
             }
         });
     }