@azure/identity 4.5.0-alpha.20240823.1 → 4.5.0-alpha.20240827.2

package/dist/index.js

@@ -40,7 +40,7 @@ var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
 var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Current version of the `@azure/identity` package.
  */
@@ -107,7 +107,7 @@ const CACHE_NON_CAE_SUFFIX = "nocae";
 const DEFAULT_TOKEN_CACHE_NAME = "msal.cache";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -190,7 +190,7 @@ const msalPlugins = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The AzureLogger used for all clients within the identity package
  */
@@ -273,7 +273,7 @@ function credentialLogger(title, log = logger$l) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function isErrorResponse(errorResponse) {
     return (errorResponse &&
         typeof errorResponse.error === "string" &&
@@ -396,7 +396,7 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function createConfigurationErrorMessage(tenantId) {
     return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
 }
@@ -430,7 +430,7 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -471,7 +471,7 @@ function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function getIdentityTokenEndpointSuffix(tenantId) {
     if (tenantId === "adfs") {
         return "oauth2/token";
@@ -482,7 +482,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -494,14 +494,14 @@ const tracingClient = coreTracing.createTracingClient({
 });
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const DefaultScopeSuffix = "/.default";
 const imdsHost = "http://169.254.169.254";
 const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -550,9 +550,34 @@ function parseExpirationTimestamp(body) {
     }
     throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
 }
+/**
+ * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
+ * @param body - A parsed response body from the authentication endpoint.
+ */
+function parseRefreshTimestamp(body) {
+    if (body.refresh_on) {
+        if (typeof body.refresh_on === "number") {
+            return body.refresh_on * 1000;
+        }
+        if (typeof body.refresh_on === "string") {
+            const asNumber = +body.refresh_on;
+            if (!isNaN(asNumber)) {
+                return asNumber * 1000;
+            }
+            const asDate = Date.parse(body.refresh_on);
+            if (!isNaN(asDate)) {
+                return asDate;
+            }
+        }
+        throw new Error(`Failed to parse refresh_on from body. refresh_on="${body.refresh_on}"`);
+    }
+    else {
+        return undefined;
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -614,6 +639,7 @@ class IdentityClient extends coreClient.ServiceClient {
                 accessToken: {
                     token: parsedBody.access_token,
                     expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
+                    refreshAfterTimestamp: parseRefreshTimestamp(parsedBody),
                 },
                 refreshToken: parsedBody.refresh_token,
             };
@@ -789,7 +815,7 @@ class IdentityClient extends coreClient.ServiceClient {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const logger$k = credentialLogger("VisualStudioCodeCredential");
@@ -970,7 +996,7 @@ class VisualStudioCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -1013,7 +1039,7 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -1215,7 +1241,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const msiName$1 = "ManagedIdentityCredential - IMDS";
 const logger$i = credentialLogger(msiName$1);
 /**
@@ -1352,7 +1378,7 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 // Matches the default retry configuration in expontentialRetryStrategy.ts
 const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
 /**
@@ -1387,7 +1413,7 @@ function imdsRetryPolicy(msiRetryConfig) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
  */
@@ -1527,7 +1553,7 @@ function calculateRegionalAuthority(regionalAuthority) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The default logger used if no logger was passed in by the credential.
  */
@@ -1684,7 +1710,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
      */
     async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
-        var _a;
+        var _a, _b;
         let response = null;
         try {
             response = await getTokenSilent(msalApp, scopes, options);
@@ -1717,9 +1743,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return {
             token: response.accessToken,
             expiresOnTimestamp: response.expiresOn.getTime(),
+            refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
         };
     }
     async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client secret`);
         state.msalConfig.auth.clientSecret = clientSecret;
         const msalApp = await getConfidentialApp(options);
@@ -1735,6 +1763,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1742,6 +1771,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client assertion`);
         state.msalConfig.auth.clientAssertion = clientAssertion;
         const msalApp = await getConfidentialApp(options);
@@ -1758,6 +1788,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1765,6 +1796,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientCertificate(scopes, certificate, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client certificate`);
         state.msalConfig.auth.clientCertificate = certificate;
         const msalApp = await getConfidentialApp(options);
@@ -1780,6 +1812,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1850,6 +1883,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         });
     }
     async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
+        var _a;
         msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
         if (typeof clientCredentials === "string") {
             // Client secret
@@ -1879,6 +1913,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1967,7 +2002,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$h = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
@@ -2017,7 +2052,7 @@ class ClientAssertionCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$4 = "WorkloadIdentityCredential";
 /**
  * Contains the list of all supported environment variable names so that an
@@ -2126,7 +2161,7 @@ class WorkloadIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const msiName = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName);
 /**
@@ -2153,7 +2188,7 @@ const tokenExchangeMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$e = credentialLogger("ManagedIdentityCredential(MSAL)");
 class MsalMsiProvider {
     constructor(clientIdOrOptions, options = {}) {
@@ -2222,6 +2257,7 @@ class MsalMsiProvider {
             throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
         }
         return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
+            var _a;
             try {
                 const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
                     scopes,
@@ -2281,6 +2317,7 @@ class MsalMsiProvider {
                 return {
                     expiresOnTimestamp: token.expiresOn.getTime(),
                     token: token.accessToken,
+                    refreshAfterTimestamp: (_a = token.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
                 };
             }
             catch (err) {
@@ -2340,7 +2377,7 @@ function isNetworkError(err) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
  * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
@@ -2376,7 +2413,7 @@ class ManagedIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2404,7 +2441,7 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2571,7 +2608,7 @@ class AzureCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -2735,7 +2772,7 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2766,7 +2803,7 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$b = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
@@ -2988,7 +3025,7 @@ async function parseJsonToken(result) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -3067,7 +3104,7 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$3 = "ClientCertificateCredential";
 const logger$9 = credentialLogger(credentialName$3);
 /**
@@ -3180,7 +3217,7 @@ async function parseCertificate(certificateConfiguration, sendCertificateChain)
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$8 = credentialLogger("ClientSecretCredential");
 /**
  * Enables authentication to Microsoft Entra ID using a client secret
@@ -3234,7 +3271,7 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$7 = credentialLogger("UsernamePasswordCredential");
 /**
  * Enables authentication to Microsoft Entra ID with a user's
@@ -3295,7 +3332,7 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3418,7 +3455,7 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$5 = credentialLogger("DefaultAzureCredential");
 /**
  * Creates a {@link ManagedIdentityCredential} from the provided options.
@@ -3561,7 +3598,7 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$4 = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Microsoft Entra ID inside of the web browser
@@ -3646,7 +3683,7 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$3 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -3729,7 +3766,7 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$1 = "AzurePipelinesCredential";
 const logger$2 = credentialLogger(credentialName$1);
 const OIDC_API_VERSION = "7.1";
@@ -3853,7 +3890,7 @@ function handleOidcResponse(response) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Microsoft Entra ID using an authorization code
@@ -3907,7 +3944,7 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
@@ -4011,7 +4048,7 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Returns a callback that provides a bearer token.
  * For example, the bearer token can be used to authenticate a request as follows:
@@ -4062,7 +4099,7 @@ function getBearerTokenProvider(credential, scopes, options) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */