@azure/identity 4.5.0-beta.1 → 4.5.0-beta.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (62) hide show
  1. package/README.md +22 -1
  2. package/dist/index.js +238 -112
  3. package/dist/index.js.map +1 -1
  4. package/dist-esm/src/client/identityClient.js +1 -2
  5. package/dist-esm/src/client/identityClient.js.map +1 -1
  6. package/dist-esm/src/constants.js +1 -1
  7. package/dist-esm/src/constants.js.map +1 -1
  8. package/dist-esm/src/credentials/azurePipelinesCredential.js +50 -26
  9. package/dist-esm/src/credentials/azurePipelinesCredential.js.map +1 -1
  10. package/dist-esm/src/credentials/azurePowerShellCredential.js +63 -19
  11. package/dist-esm/src/credentials/azurePowerShellCredential.js.map +1 -1
  12. package/dist-esm/src/credentials/clientAssertionCredential.js +9 -2
  13. package/dist-esm/src/credentials/clientAssertionCredential.js.map +1 -1
  14. package/dist-esm/src/credentials/clientCertificateCredential.js +35 -27
  15. package/dist-esm/src/credentials/clientCertificateCredential.js.map +1 -1
  16. package/dist-esm/src/credentials/clientSecretCredential.js +9 -2
  17. package/dist-esm/src/credentials/clientSecretCredential.js.map +1 -1
  18. package/dist-esm/src/credentials/deviceCodeCredential.js +1 -1
  19. package/dist-esm/src/credentials/deviceCodeCredential.js.map +1 -1
  20. package/dist-esm/src/credentials/deviceCodeCredentialOptions.js.map +1 -1
  21. package/dist-esm/src/credentials/environmentCredential.js +11 -1
  22. package/dist-esm/src/credentials/environmentCredential.js.map +1 -1
  23. package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js.map +1 -1
  24. package/dist-esm/src/credentials/interactiveBrowserCredential.js +1 -1
  25. package/dist-esm/src/credentials/interactiveBrowserCredential.js.map +1 -1
  26. package/dist-esm/src/credentials/interactiveBrowserCredentialOptions.js.map +1 -1
  27. package/dist-esm/src/credentials/managedIdentityCredential/msalMsiProvider.js +6 -5
  28. package/dist-esm/src/credentials/managedIdentityCredential/msalMsiProvider.js.map +1 -1
  29. package/dist-esm/src/credentials/onBehalfOfCredential.js +16 -9
  30. package/dist-esm/src/credentials/onBehalfOfCredential.js.map +1 -1
  31. package/dist-esm/src/credentials/usernamePasswordCredential.js +13 -3
  32. package/dist-esm/src/credentials/usernamePasswordCredential.js.map +1 -1
  33. package/dist-esm/src/credentials/workloadIdentityCredential.js +16 -6
  34. package/dist-esm/src/credentials/workloadIdentityCredential.js.map +1 -1
  35. package/dist-esm/src/errors.js +12 -7
  36. package/dist-esm/src/errors.js.map +1 -1
  37. package/dist-esm/src/msal/browserFlows/flows.js.map +1 -0
  38. package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  39. package/dist-esm/src/msal/nodeFlows/msalClient.js +8 -1
  40. package/dist-esm/src/msal/nodeFlows/msalClient.js.map +1 -1
  41. package/package.json +3 -3
  42. package/types/identity.d.ts +26 -8
  43. package/dist-esm/src/msal/flows.js.map +0 -1
  44. package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js +0 -47
  45. package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js.map +0 -1
  46. package/dist-esm/src/msal/nodeFlows/msalClientAssertion.js +0 -42
  47. package/dist-esm/src/msal/nodeFlows/msalClientAssertion.js.map +0 -1
  48. package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js +0 -112
  49. package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js.map +0 -1
  50. package/dist-esm/src/msal/nodeFlows/msalClientSecret.js +0 -33
  51. package/dist-esm/src/msal/nodeFlows/msalClientSecret.js.map +0 -1
  52. package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js +0 -35
  53. package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js.map +0 -1
  54. package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js +0 -323
  55. package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +0 -1
  56. package/dist-esm/src/msal/nodeFlows/msalOnBehalfOf.js +0 -58
  57. package/dist-esm/src/msal/nodeFlows/msalOnBehalfOf.js.map +0 -1
  58. package/dist-esm/src/msal/nodeFlows/msalOpenBrowser.js +0 -113
  59. package/dist-esm/src/msal/nodeFlows/msalOpenBrowser.js.map +0 -1
  60. package/dist-esm/src/msal/nodeFlows/msalUsernamePassword.js +0 -33
  61. package/dist-esm/src/msal/nodeFlows/msalUsernamePassword.js.map +0 -1
  62. /package/dist-esm/src/msal/{flows.js → browserFlows/flows.js} +0 -0
package/dist-esm/src/msal/nodeFlows/msalClient.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"msalClient.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAIzC,OAAO,EAAoB,gBAAgB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACvF,OAAO,EAAuB,WAAW,EAAE,MAAM,eAAe,CAAC;AACjE,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,YAAY,GACb,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAG3D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAG/D;;GAEG;AACH,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;AAiNlD;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,QAAgB,EAChB,oBAAuC,EAAE;;IAEzC,MAAM,cAAc,GAAG,eAAe,CACpC,MAAA,iBAAiB,CAAC,MAAM,mCAAI,UAAU,EACtC,QAAQ,EACR,QAAQ,CACT,CAAC;IAEF,sDAAsD;IACtD,MAAM,SAAS,GAAG,YAAY,CAC5B,cAAc,EACd,MAAA,iBAAiB,CAAC,aAAa,mCAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CACpE,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,cAAc,iCAChC,iBAAiB,CAAC,sBAAsB,KAC3C,aAAa,EAAE,SAAS,EACxB,cAAc,EAAE,iBAAiB,CAAC,cAAc,IAChD,CAAC;IAEH,MAAM,UAAU,GAAuB;QACrC,IAAI,EAAE;YACJ,QAAQ;YACR,SAAS;YACT,gBAAgB,EAAE,mBAAmB,CACnC,cAAc,EACd,SAAS,EACT,iBAAiB,CAAC,wBAAwB,CAC3C;SACF;QACD,MAAM,EAAE;YACN,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE;gBACb,cAAc,EAAE,qBAAqB,CAAC,MAAA,iBAAiB,CAAC,MAAM,mCAAI,UAAU,CAAC;gBAC7E,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;gBACxC,iBAAiB,EAAE,MAAA,iBAAiB,CAAC,cAAc,0CAAE,0BAA0B;aAChF;SACF;KACF,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAyBD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,0BAA6C,EAAE;;IAE/C,MAAM,KAAK,GAAoB;QAC7B,UAAU,EAAE,yBAAyB,CAAC,QAAQ,EAAE,QAAQ,EAAE,uBAAuB,CAAC;QAClF,aAAa,EAAE,uBAAuB,CAAC,oBAAoB;YACzD,CAAC,CAAC,YAAY,CAAC,uBAAuB,CAAC,oBAAoB,CAAC;YAC5D,CAAC,CAAC,IAAI;QACR,mBAAmB,EAAE,WAAW,CAAC,2BAA2B,CAAC,uBAAuB,CAAC;QACrF,MAAM,EAAE,MAAA,uBAAuB,CAAC,MAAM,mCAAI,UAAU;KACrD,CAAC;IAEF,MAAM,UAAU,GAA8C,IAAI,GAAG,EAAE,CAAC;IACxE,KAAK,UAAU,YAAY,CACzB,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;YAC7F,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,iDAAiD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAC/F,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,eAAe,GAAG,IAAI,IAAI,CAAC,uBAAuB,iCAC7C,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExC,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,gBAAgB,GAAoD,IAAI,GAAG,EAAE,CAAC;IACpF,KAAK,UAAU,kBAAkB,CAC/B,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,qBAAqB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,qBAAqB,EAAE,CAAC;YAC1B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,sEAAsE,CACvE,CAAC;YACF,OAAO,qBAAqB,CAAC;QAC/B,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,uDACE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAClC,GAAG,CACJ,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,qBAAqB,GAAG,IAAI,IAAI,CAAC,6BAA6B,iCACzD,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAEpD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,cAAc,CAC3B,GAAsE,EACtE,MAAgB,EAChB,UAA2B,EAAE;QAE7B,IAAI,KAAK,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YACjC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,gFAAgF,CACjF,CAAC;YACF,MAAM,KAAK,GAAG,GAAG,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;YAE9C,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpD,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,KAAK,CAAC,MAAM;qBACT,IAAI,CAAC;;;;6KAI6J,CAAC,CAAC;gBACvK,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,KAAK,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,MAAM,aAAa,GAA2B;YAC5C,OAAO,EAAE,KAAK,CAAC,aAAa;YAC5B,MAAM;YACN,MAAM,EAAE,KAAK,CAAC,YAAY;SAC3B,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,aAAa,CAAC,oBAAoB,KAAlC,aAAa,CAAC,oBAAoB,GAAK,EAAE,EAAC;YAC1C,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,aAAa,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,sBAAsB,CAAC;YACnF,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACnE,OAAO,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED;;;OAGG;IACH,SAAS,yBAAyB,CAAC,OAAyB;QAC1D,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,CAAC;YACtB,OAAO,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,uBAAuB,CAAC,aAAa,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;IACzC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,UAAU,wBAAwB,CACrC,OAA0E,EAC1E,MAAqB,EACrB,OAAsC,EACtC,wBAAyE;;QAEzE,IAAI,QAAQ,GAAqC,IAAI,CAAC;QACtD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC7C,MAAM,CAAC,CAAC;YACV,CAAC;YACD,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,2BAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EACL,uFAAuF;iBAC1F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;YAC9C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,mCAAI,IAAI,CAAC;QAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;QAElD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;SACjD,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,MAAgB,EAChB,YAAoB,EACpB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE9E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QAElD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAElD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,yBAAyB,CACtC,MAAgB,EAChB,eAAsC,EACtC,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAEjF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;gBACvB,eAAe;aAChB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAElD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAA6B,EAC7B,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QAEtD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAElD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,MAAgB,EAChB,kBAA4C,EAC5C,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;;YAC7D,MAAM,cAAc,GAA2B;gBAC7C,MAAM;gBACN,MAAM,EAAE,MAAA,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,WAAW,0CAAE,OAAO,mCAAI,KAAK;gBAC9C,kBAAkB;gBAClB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YACF,MAAM,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC,cAAc,CAAC,CAAC;YAC3E,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBACjD,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,iBAAiB,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,0BAA0B,CACvC,MAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;QAEtF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAAiC;gBACnD,MAAM;gBACN,QAAQ;gBACR,QAAQ;gBACR,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YAEF,OAAO,OAAO,CAAC,8BAA8B,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB;QACvB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,YAAY,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAAmB,EACnB,iBAAyB,EACzB,YAAqB,EACrB,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,IAAI,OAA0E,CAAC;QAC/E,IAAI,YAAY,EAAE,CAAC;YACjB,mFAAmF;YACnF,gIAAgI;YAChI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;YAClD,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,OAAO,OAAO,CAAC,kBAAkB,CAAC;gBAChC,MAAM;gBACN,WAAW;gBACX,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,MAAgB,EAChB,kBAA0B,EAC1B,iBAAsE,EACtE,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAElF,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,gBAAgB;YAChB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACtE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,iBAAiB,CAAC;QACzD,CAAC;aAAM,IAAI,OAAO,iBAAiB,KAAK,UAAU,EAAE,CAAC;YACnD,mBAAmB;YACnB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YAClF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,iBAAiB,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,qBAAqB;YACrB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC3E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC;gBACpD,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,YAAY,EAAE,kBAAkB;aACjC,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,4BAA4B,CACzC,MAAgB,EAChB,UAAsC,EAAE;QAExC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAEtE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAExC;;;;;WAKG;QACH,KAAK,UAAU,gBAAgB,CAC7B,uBAAgC;;YAEhC,UAAU,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;YACpE,MAAM,kBAAkB,GAAG,4BAA4B,EAAE,CAAC;YAC1D,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBACxD,kBAAkB,CAAC,YAAY,GAAG,MAAM,CAAC,IAAI,CAC3C,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CACpD,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,+EAA+E;gBAC/E,UAAU,CAAC,OAAO,CAChB,kIAAkI,CACnI,CAAC;YACJ,CAAC;YAED,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,OAAC,kBAAkB,CAAC,oBAAoB,oCAAvC,kBAAkB,CAAC,oBAAoB,GAAK,EAAE,EAAC,CAAC,mBAAmB,CAAC;oBACnE,sBAAsB,CAAC;YAC3B,CAAC;YACD,IAAI,uBAAuB,EAAE,CAAC;gBAC5B,kBAAkB,CAAC,MAAM,GAAG,MAAM,CAAC;gBACnC,UAAU,CAAC,OAAO,CAAC,mEAAmE,CAAC,CAAC;YAC1F,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,qEAAqE,CAAC,CAAC;YAC5F,CAAC;YAED,IAAI,CAAC;gBACH,OAAO,MAAM,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,UAAU,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC9E,oGAAoG;gBACpG,IAAI,uBAAuB,EAAE,CAAC;oBAC5B,OAAO,gBAAgB,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;gBAChE,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;QACH,CAAC;QAED,SAAS,4BAA4B;;YACnC,OAAO;gBACL,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;oBACzB,MAAM,0BAA0B,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChF,CAAC;gBACD,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;gBACvB,SAAS,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,SAAS;gBAC7B,aAAa,EAAE,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,2BAA2B,0CAAE,YAAY;gBACjE,eAAe,EAAE,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,2BAA2B,0CAAE,cAAc;aACtE,CAAC;QACJ,CAAC;QAED,OAAO,wBAAwB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;;YAC/D,MAAM,kBAAkB,GAAG,4BAA4B,EAAE,CAAC;YAE1D,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC/C,OAAO,gBAAgB,CAAC,MAAA,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,uBAAuB,mCAAI,KAAK,CAAC,CAAC;YAC7F,CAAC;YAED,OAAO,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,sBAAsB;QACtB,yBAAyB;QACzB,2BAA2B;QAC3B,oBAAoB;QACpB,0BAA0B;QAC1B,2BAA2B;QAC3B,kBAAkB;QAClB,4BAA4B;KAC7B,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport * as msal from \"@azure/msal-node\";\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { AuthenticationRecord, CertificateParts } from \"../types\";\nimport { CredentialLogger, credentialLogger, formatSuccess } from \"../../util/logging\";\nimport { PluginConfiguration, msalPlugins } from \"./msalPlugins\";\nimport {\n defaultLoggerCallback,\n ensureValidMsalToken,\n getAuthority,\n getKnownAuthorities,\n getMSALLogLevel,\n handleMsalError,\n msalToPublic,\n publicToMsal,\n} from \"../utils\";\n\nimport { AuthenticationRequiredError } from \"../../errors\";\nimport { BrokerOptions } from \"./brokerOptions\";\nimport { DeviceCodePromptCallback } from \"../../credentials/deviceCodeCredentialOptions\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { TokenCachePersistenceOptions } from \"./tokenCachePersistenceOptions\";\nimport { calculateRegionalAuthority } from \"../../regionalAuthority\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { resolveTenantId } from \"../../util/tenantIdUtils\";\nimport { interactiveBrowserMockable } from \"./msalOpenBrowser\";\nimport { InteractiveBrowserCredentialNodeOptions } from \"../../credentials/interactiveBrowserCredentialOptions\";\n\n/**\n * The default logger used if no logger was passed in by the credential.\n */\nconst msalLogger = credentialLogger(\"MsalClient\");\n\n/**\n * Represents the options for acquiring a token using flows that support silent authentication.\n */\nexport interface GetTokenWithSilentAuthOptions extends GetTokenOptions {\n /**\n * Disables automatic authentication. If set to true, the method will throw an error if the user needs to authenticate.\n *\n * @remarks\n *\n * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.\n */\n disableAutomaticAuthentication?: boolean;\n}\n\n/**\n * Represents the options for acquiring a token interactively.\n */\nexport interface GetTokenInteractiveOptions extends GetTokenWithSilentAuthOptions {\n /**\n * Window handle for parent window, required for WAM authentication.\n */\n parentWindowHandle?: Buffer;\n /**\n * Shared configuration options for browser customization\n */\n browserCustomizationOptions?: InteractiveBrowserCredentialNodeOptions[\"browserCustomizationOptions\"];\n /**\n * loginHint allows a user name to be pre-selected for interactive logins.\n * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n */\n loginHint?: string;\n}\n\n/**\n * Represents a client for interacting with the Microsoft Authentication Library (MSAL).\n */\nexport interface MsalClient {\n /**\n *\n * Retrieves an access token by using the on-behalf-of flow and a client assertion callback of the calling service.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param userAssertionToken - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.\n * @param clientCredentials - The client secret OR client certificate OR client `getAssertion` callback.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an interactive prompt (InteractiveBrowserCredential).\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a user's username and password.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param username - The username provided by the developer.\n * @param password - The user's password provided by the developer.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by prompting the user to authenticate using a device code.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param userPromptCallback - The callback function that allows developers to customize the prompt message.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByDeviceCode(\n scopes: string[],\n userPromptCallback: DeviceCodePromptCallback,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a client certificate.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param certificate - The client certificate used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client assertion.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientAssertion - The client `getAssertion` callback used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client secret.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientSecret - The client secret of the application. This is a credential that the application can use to authenticate itself.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an authorization code flow.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param authorizationCode - An authorization code that was received from following the\n authorization code flow. This authorization code must not\n have already been used to obtain an access token.\n * @param redirectUri - The redirect URI that was used to request the authorization code.\n Must be the same URI that is configured for the App Registration.\n * @param clientSecret - An optional client secret that was generated for the App Registration.\n * @param options - Additional options that may be provided to the method.\n */\n getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.\n *\n * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.\n */\n getActiveAccount(): AuthenticationRecord | undefined;\n}\n\n/**\n * Represents the options for configuring the MsalClient.\n */\nexport interface MsalClientOptions {\n /**\n * Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.\n */\n brokerOptions?: BrokerOptions;\n\n /**\n * Parameters that enable token cache persistence in the Identity credentials.\n */\n tokenCachePersistenceOptions?: TokenCachePersistenceOptions;\n\n /**\n * A custom authority host.\n */\n authorityHost?: IdentityClient[\"tokenCredentialOptions\"][\"authorityHost\"];\n\n /**\n * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.\n */\n loggingOptions?: IdentityClient[\"tokenCredentialOptions\"][\"loggingOptions\"];\n\n /**\n * The token credential options for the MsalClient.\n */\n tokenCredentialOptions?: IdentityClient[\"tokenCredentialOptions\"];\n\n /**\n * Determines whether instance discovery is disabled.\n */\n disableInstanceDiscovery?: boolean;\n\n /**\n * The logger for the MsalClient.\n */\n logger?: CredentialLogger;\n\n /**\n * The authentication record for the MsalClient.\n */\n authenticationRecord?: AuthenticationRecord;\n}\n\n/**\n * Generates the configuration for MSAL (Microsoft Authentication Library).\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param msalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns The MSAL configuration object.\n */\nexport function generateMsalConfiguration(\n clientId: string,\n tenantId: string,\n msalClientOptions: MsalClientOptions = {},\n): msal.Configuration {\n const resolvedTenant = resolveTenantId(\n msalClientOptions.logger ?? msalLogger,\n tenantId,\n clientId,\n );\n\n // TODO: move and reuse getIdentityClientAuthorityHost\n const authority = getAuthority(\n resolvedTenant,\n msalClientOptions.authorityHost ?? process.env.AZURE_AUTHORITY_HOST,\n );\n\n const httpClient = new IdentityClient({\n ...msalClientOptions.tokenCredentialOptions,\n authorityHost: authority,\n loggingOptions: msalClientOptions.loggingOptions,\n });\n\n const msalConfig: msal.Configuration = {\n auth: {\n clientId,\n authority,\n knownAuthorities: getKnownAuthorities(\n resolvedTenant,\n authority,\n msalClientOptions.disableInstanceDiscovery,\n ),\n },\n system: {\n networkClient: httpClient,\n loggerOptions: {\n loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),\n logLevel: getMSALLogLevel(getLogLevel()),\n piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,\n },\n },\n };\n return msalConfig;\n}\n\n/**\n * Represents the state necessary for the MSAL (Microsoft Authentication Library) client to operate.\n * This includes the MSAL configuration, cached account information, Azure region, and a flag to disable automatic authentication.\n *\n * @internal\n */\ninterface MsalClientState {\n /** The configuration for the MSAL client. */\n msalConfig: msal.Configuration;\n\n /** The cached account information, or null if no account information is cached. */\n cachedAccount: msal.AccountInfo | null;\n\n /** Configured plugins */\n pluginConfiguration: PluginConfiguration;\n\n /** Claims received from challenges, cached for the next request */\n cachedClaims?: string;\n\n /** The logger instance */\n logger: CredentialLogger;\n}\n\n/**\n * Creates an instance of the MSAL (Microsoft Authentication Library) client.\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns An instance of the MSAL client.\n *\n * @public\n */\nexport function createMsalClient(\n clientId: string,\n tenantId: string,\n createMsalClientOptions: MsalClientOptions = {},\n): MsalClient {\n const state: MsalClientState = {\n msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),\n cachedAccount: createMsalClientOptions.authenticationRecord\n ? publicToMsal(createMsalClientOptions.authenticationRecord)\n : null,\n pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),\n logger: createMsalClientOptions.logger ?? msalLogger,\n };\n\n const publicApps: Map<string, msal.PublicClientApplication> = new Map();\n async function getPublicApp(\n options: GetTokenOptions = {},\n ): Promise<msal.PublicClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let publicClientApp = publicApps.get(appKey);\n if (publicClientApp) {\n state.logger.getToken.info(\"Existing PublicClientApplication found in cache, returning it.\");\n return publicClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new PublicClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n );\n\n const cachePlugin = options.enableCae\n ? state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n publicClientApp = new msal.PublicClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n publicApps.set(appKey, publicClientApp);\n\n return publicClientApp;\n }\n\n const confidentialApps: Map<string, msal.ConfidentialClientApplication> = new Map();\n async function getConfidentialApp(\n options: GetTokenOptions = {},\n ): Promise<msal.ConfidentialClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let confidentialClientApp = confidentialApps.get(appKey);\n if (confidentialClientApp) {\n state.logger.getToken.info(\n \"Existing ConfidentialClientApplication found in cache, returning it.\",\n );\n return confidentialClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new ConfidentialClientApplication with CAE ${\n options.enableCae ? \"enabled\" : \"disabled\"\n }.`,\n );\n\n const cachePlugin = options.enableCae\n ? state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n confidentialClientApp = new msal.ConfidentialClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n confidentialApps.set(appKey, confidentialClientApp);\n\n return confidentialClientApp;\n }\n\n async function getTokenSilent(\n app: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: string[],\n options: GetTokenOptions = {},\n ): Promise<msal.AuthenticationResult> {\n if (state.cachedAccount === null) {\n state.logger.getToken.info(\n \"No cached account found in local state, attempting to load it from MSAL cache.\",\n );\n const cache = app.getTokenCache();\n const accounts = await cache.getAllAccounts();\n\n if (accounts === undefined || accounts.length === 0) {\n throw new AuthenticationRequiredError({ scopes });\n }\n\n if (accounts.length > 1) {\n state.logger\n .info(`More than one account was found authenticated for this Client ID and Tenant ID.\nHowever, no \"authenticationRecord\" has been provided for this credential,\ntherefore we're unable to pick between these accounts.\nA new login attempt will be requested, to ensure the correct account is picked.\nTo work with multiple accounts for the same Client ID and Tenant ID, please provide an \"authenticationRecord\" when initializing a credential to prevent this from happening.`);\n throw new AuthenticationRequiredError({ scopes });\n }\n\n state.cachedAccount = accounts[0];\n }\n\n // Keep track and reuse the claims we received across challenges\n if (options.claims) {\n state.cachedClaims = options.claims;\n }\n\n const silentRequest: msal.SilentFlowRequest = {\n account: state.cachedAccount,\n scopes,\n claims: state.cachedClaims,\n };\n\n if (state.pluginConfiguration.broker.isEnabled) {\n silentRequest.tokenQueryParameters ||= {};\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n silentRequest.tokenQueryParameters[\"msal_request_type\"] = \"consumer_passthrough\";\n }\n }\n\n state.logger.getToken.info(\"Attempting to acquire token silently\");\n return app.acquireTokenSilent(silentRequest);\n }\n\n /**\n * Builds an authority URL for the given request. The authority may be different than the one used when creating the MSAL client\n * if the user is creating cross-tenant requests\n */\n function calculateRequestAuthority(options?: GetTokenOptions): string | undefined {\n if (options?.tenantId) {\n return getAuthority(options.tenantId, createMsalClientOptions.authorityHost);\n }\n return state.msalConfig.auth.authority;\n }\n\n /**\n * Performs silent authentication using MSAL to acquire an access token.\n * If silent authentication fails, falls back to interactive authentication.\n *\n * @param msalApp - The MSAL application instance.\n * @param scopes - The scopes for which to acquire the access token.\n * @param options - The options for acquiring the access token.\n * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.\n * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.\n */\n async function withSilentAuthentication(\n msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: Array<string>,\n options: GetTokenWithSilentAuthOptions,\n onAuthenticationRequired: () => Promise<msal.AuthenticationResult | null>,\n ): Promise<AccessToken> {\n let response: msal.AuthenticationResult | null = null;\n try {\n response = await getTokenSilent(msalApp, scopes, options);\n } catch (e: any) {\n if (e.name !== \"AuthenticationRequiredError\") {\n throw e;\n }\n if (options.disableAutomaticAuthentication) {\n throw new AuthenticationRequiredError({\n scopes,\n getTokenOptions: options,\n message:\n \"Automatic authentication has been disabled. You may call the authentication() method.\",\n });\n }\n }\n\n // Silent authentication failed\n if (response === null) {\n try {\n response = await onAuthenticationRequired();\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n // At this point we should have a token, process it\n ensureValidMsalToken(scopes, response, options);\n state.cachedAccount = response?.account ?? null;\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n }\n\n async function getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client secret`);\n\n state.msalConfig.auth.clientSecret = clientSecret;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client assertion`);\n\n state.msalConfig.auth.clientAssertion = clientAssertion;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n clientAssertion,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client certificate`);\n\n state.msalConfig.auth.clientCertificate = certificate;\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByDeviceCode(\n scopes: string[],\n deviceCodeCallback: DeviceCodePromptCallback,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using device code`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.DeviceCodeRequest = {\n scopes,\n cancel: options?.abortSignal?.aborted ?? false,\n deviceCodeCallback,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);\n if (options.abortSignal) {\n options.abortSignal.addEventListener(\"abort\", () => {\n requestOptions.cancel = true;\n });\n }\n\n return deviceCodeRequest;\n });\n }\n\n async function getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using username and password`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.UsernamePasswordRequest = {\n scopes,\n username,\n password,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n\n return msalApp.acquireTokenByUsernamePassword(requestOptions);\n });\n }\n\n function getActiveAccount(): AuthenticationRecord | undefined {\n if (!state.cachedAccount) {\n return undefined;\n }\n return msalToPublic(clientId, state.cachedAccount);\n }\n\n async function getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using authorization code`);\n\n let msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication;\n if (clientSecret) {\n // If a client secret is provided, we need to use a confidential client application\n // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret\n state.msalConfig.auth.clientSecret = clientSecret;\n msalApp = await getConfidentialApp(options);\n } else {\n msalApp = await getPublicApp(options);\n }\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n return msalApp.acquireTokenByCode({\n scopes,\n redirectUri,\n code: authorizationCode,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n });\n });\n }\n\n async function getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);\n\n if (typeof clientCredentials === \"string\") {\n // Client secret\n msalLogger.getToken.info(`Using client secret for on behalf of flow`);\n state.msalConfig.auth.clientSecret = clientCredentials;\n } else if (typeof clientCredentials === \"function\") {\n // Client Assertion\n msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);\n state.msalConfig.auth.clientAssertion = clientCredentials;\n } else {\n // Client certificate\n msalLogger.getToken.info(`Using client certificate for on behalf of flow`);\n state.msalConfig.auth.clientCertificate = clientCredentials;\n }\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenOnBehalfOf({\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options.claims,\n oboAssertion: userAssertionToken,\n });\n ensureValidMsalToken(scopes, response, options);\n\n msalLogger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token interactively`);\n\n const app = await getPublicApp(options);\n\n /**\n * A helper function that supports brokered authentication through the MSAL's public application.\n *\n * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.\n * If the default broker account is not available, the method will fall back to interactive authentication.\n */\n async function getBrokeredToken(\n useDefaultBrokerAccount: boolean,\n ): Promise<msal.AuthenticationResult> {\n msalLogger.verbose(\"Authentication will resume through the broker\");\n const interactiveRequest = createBaseInteractiveRequest();\n if (state.pluginConfiguration.broker.parentWindowHandle) {\n interactiveRequest.windowHandle = Buffer.from(\n state.pluginConfiguration.broker.parentWindowHandle,\n );\n } else {\n // this is a bug, as the pluginConfiguration handler should validate this case.\n msalLogger.warning(\n \"Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.\",\n );\n }\n\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n (interactiveRequest.tokenQueryParameters ??= {})[\"msal_request_type\"] =\n \"consumer_passthrough\";\n }\n if (useDefaultBrokerAccount) {\n interactiveRequest.prompt = \"none\";\n msalLogger.verbose(\"Attempting broker authentication using the default broker account\");\n } else {\n msalLogger.verbose(\"Attempting broker authentication without the default broker account\");\n }\n\n try {\n return await app.acquireTokenInteractive(interactiveRequest);\n } catch (e: any) {\n msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);\n // If we tried to use the default broker account and failed, fall back to interactive authentication\n if (useDefaultBrokerAccount) {\n return getBrokeredToken(/* useDefaultBrokerAccount: */ false);\n } else {\n throw e;\n }\n }\n }\n\n function createBaseInteractiveRequest(): msal.InteractiveRequest {\n return {\n openBrowser: async (url) => {\n await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });\n },\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n loginHint: options?.loginHint,\n errorTemplate: options?.browserCustomizationOptions?.errorMessage,\n successTemplate: options?.browserCustomizationOptions?.successMessage,\n };\n }\n\n return withSilentAuthentication(app, scopes, options, async () => {\n const interactiveRequest = createBaseInteractiveRequest();\n\n if (state.pluginConfiguration.broker.isEnabled) {\n return getBrokeredToken(state.pluginConfiguration.broker.useDefaultBrokerAccount ?? false);\n }\n\n return app.acquireTokenInteractive(interactiveRequest);\n });\n }\n\n return {\n getActiveAccount,\n getTokenByClientSecret,\n getTokenByClientAssertion,\n getTokenByClientCertificate,\n getTokenByDeviceCode,\n getTokenByUsernamePassword,\n getTokenByAuthorizationCode,\n getTokenOnBehalfOf,\n getTokenByInteractiveRequest,\n };\n}\n"]}
1
+ {"version":3,"file":"msalClient.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAIzC,OAAO,EAAoB,gBAAgB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACvF,OAAO,EAAuB,WAAW,EAAE,MAAM,eAAe,CAAC;AACjE,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,YAAY,GACb,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAG3D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAG7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D;;GAEG;AACH,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;AAiNlD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,IAAI;CACL,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,QAAgB,EAChB,oBAAuC,EAAE;;IAEzC,MAAM,cAAc,GAAG,eAAe,CACpC,MAAA,iBAAiB,CAAC,MAAM,mCAAI,UAAU,EACtC,QAAQ,EACR,QAAQ,CACT,CAAC;IAEF,sDAAsD;IACtD,MAAM,SAAS,GAAG,YAAY,CAC5B,cAAc,EACd,MAAA,iBAAiB,CAAC,aAAa,mCAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CACpE,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,cAAc,iCAChC,iBAAiB,CAAC,sBAAsB,KAC3C,aAAa,EAAE,SAAS,EACxB,cAAc,EAAE,iBAAiB,CAAC,cAAc,IAChD,CAAC;IAEH,MAAM,UAAU,GAAuB;QACrC,IAAI,EAAE;YACJ,QAAQ;YACR,SAAS;YACT,gBAAgB,EAAE,mBAAmB,CACnC,cAAc,EACd,SAAS,EACT,iBAAiB,CAAC,wBAAwB,CAC3C;SACF;QACD,MAAM,EAAE;YACN,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE;gBACb,cAAc,EAAE,qBAAqB,CAAC,MAAA,iBAAiB,CAAC,MAAM,mCAAI,UAAU,CAAC;gBAC7E,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;gBACxC,iBAAiB,EAAE,MAAA,iBAAiB,CAAC,cAAc,0CAAE,0BAA0B;aAChF;SACF;KACF,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAyBD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,0BAA6C,EAAE;;IAE/C,MAAM,KAAK,GAAoB;QAC7B,UAAU,EAAE,yBAAyB,CAAC,QAAQ,EAAE,QAAQ,EAAE,uBAAuB,CAAC;QAClF,aAAa,EAAE,uBAAuB,CAAC,oBAAoB;YACzD,CAAC,CAAC,YAAY,CAAC,uBAAuB,CAAC,oBAAoB,CAAC;YAC5D,CAAC,CAAC,IAAI;QACR,mBAAmB,EAAE,WAAW,CAAC,2BAA2B,CAAC,uBAAuB,CAAC;QACrF,MAAM,EAAE,MAAA,uBAAuB,CAAC,MAAM,mCAAI,UAAU;KACrD,CAAC;IAEF,MAAM,UAAU,GAA8C,IAAI,GAAG,EAAE,CAAC;IACxE,KAAK,UAAU,YAAY,CACzB,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;YAC7F,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,iDAAiD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAC/F,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,eAAe,GAAG,IAAI,IAAI,CAAC,uBAAuB,iCAC7C,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExC,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,gBAAgB,GAAoD,IAAI,GAAG,EAAE,CAAC;IACpF,KAAK,UAAU,kBAAkB,CAC/B,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,qBAAqB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,qBAAqB,EAAE,CAAC;YAC1B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,sEAAsE,CACvE,CAAC;YACF,OAAO,qBAAqB,CAAC;QAC/B,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,uDACE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAClC,GAAG,CACJ,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,qBAAqB,GAAG,IAAI,IAAI,CAAC,6BAA6B,iCACzD,KAAK,CAAC,UAAU,KACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,EACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE,IACzC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAEpD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,cAAc,CAC3B,GAAsE,EACtE,MAAgB,EAChB,UAA2B,EAAE;QAE7B,IAAI,KAAK,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YACjC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,gFAAgF,CACjF,CAAC;YACF,MAAM,KAAK,GAAG,GAAG,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;YAE9C,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpD,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,KAAK,CAAC,MAAM;qBACT,IAAI,CAAC;;;;6KAI6J,CAAC,CAAC;gBACvK,MAAM,IAAI,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,KAAK,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,MAAM,aAAa,GAA2B;YAC5C,OAAO,EAAE,KAAK,CAAC,aAAa;YAC5B,MAAM;YACN,MAAM,EAAE,KAAK,CAAC,YAAY;SAC3B,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,aAAa,CAAC,oBAAoB,KAAlC,aAAa,CAAC,oBAAoB,GAAK,EAAE,EAAC;YAC1C,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,aAAa,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,sBAAsB,CAAC;YACnF,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACnE,OAAO,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED;;;OAGG;IACH,SAAS,yBAAyB,CAAC,OAAyB;QAC1D,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,CAAC;YACtB,OAAO,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,uBAAuB,CAAC,aAAa,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;IACzC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,UAAU,wBAAwB,CACrC,OAA0E,EAC1E,MAAqB,EACrB,OAAsC,EACtC,wBAAyE;;QAEzE,IAAI,QAAQ,GAAqC,IAAI,CAAC;QACtD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC7C,MAAM,CAAC,CAAC;YACV,CAAC;YACD,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,2BAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EACL,uFAAuF;iBAC1F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;YAC9C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,mCAAI,IAAI,CAAC;QAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;QAElD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;SACjD,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,MAAgB,EAChB,YAAoB,EACpB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE9E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QAElD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAElD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,yBAAyB,CACtC,MAAgB,EAChB,eAAsC,EACtC,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAEjF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;gBACvB,eAAe;aAChB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAElD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAA6B,EAC7B,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QAEtD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,0BAA0B,EAAE;gBACzC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAElD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,MAAgB,EAChB,kBAA4C,EAC5C,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;;YAC7D,MAAM,cAAc,GAA2B;gBAC7C,MAAM;gBACN,MAAM,EAAE,MAAA,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,WAAW,0CAAE,OAAO,mCAAI,KAAK;gBAC9C,kBAAkB;gBAClB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YACF,MAAM,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC,cAAc,CAAC,CAAC;YAC3E,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBACjD,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,iBAAiB,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,0BAA0B,CACvC,MAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;QAEtF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAAiC;gBACnD,MAAM;gBACN,QAAQ;gBACR,QAAQ;gBACR,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC;YAEF,OAAO,OAAO,CAAC,8BAA8B,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB;QACvB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,YAAY,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAAmB,EACnB,iBAAyB,EACzB,YAAqB,EACrB,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,IAAI,OAA0E,CAAC;QAC/E,IAAI,YAAY,EAAE,CAAC;YACjB,mFAAmF;YACnF,gIAAgI;YAChI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;YAClD,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,OAAO,OAAO,CAAC,kBAAkB,CAAC;gBAChC,MAAM;gBACN,WAAW;gBACX,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,MAAgB,EAChB,kBAA0B,EAC1B,iBAAsE,EACtE,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAElF,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,gBAAgB;YAChB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACtE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,iBAAiB,CAAC;QACzD,CAAC;aAAM,IAAI,OAAO,iBAAiB,KAAK,UAAU,EAAE,CAAC;YACnD,mBAAmB;YACnB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YAClF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,iBAAiB,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,qBAAqB;YACrB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC3E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC;gBACpD,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,YAAY,EAAE,kBAAkB;aACjC,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,4BAA4B,CACzC,MAAgB,EAChB,UAAsC,EAAE;QAExC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAEtE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAExC;;;;;WAKG;QACH,KAAK,UAAU,gBAAgB,CAC7B,uBAAgC;;YAEhC,UAAU,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;YACpE,MAAM,kBAAkB,GAAG,4BAA4B,EAAE,CAAC;YAC1D,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBACxD,kBAAkB,CAAC,YAAY,GAAG,MAAM,CAAC,IAAI,CAC3C,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CACpD,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,+EAA+E;gBAC/E,UAAU,CAAC,OAAO,CAChB,kIAAkI,CACnI,CAAC;YACJ,CAAC;YAED,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,OAAC,kBAAkB,CAAC,oBAAoB,oCAAvC,kBAAkB,CAAC,oBAAoB,GAAK,EAAE,EAAC,CAAC,mBAAmB,CAAC;oBACnE,sBAAsB,CAAC;YAC3B,CAAC;YACD,IAAI,uBAAuB,EAAE,CAAC;gBAC5B,kBAAkB,CAAC,MAAM,GAAG,MAAM,CAAC;gBACnC,UAAU,CAAC,OAAO,CAAC,mEAAmE,CAAC,CAAC;YAC1F,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,qEAAqE,CAAC,CAAC;YAC5F,CAAC;YAED,IAAI,CAAC;gBACH,OAAO,MAAM,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,UAAU,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC9E,oGAAoG;gBACpG,IAAI,uBAAuB,EAAE,CAAC;oBAC5B,OAAO,gBAAgB,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;gBAChE,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;QACH,CAAC;QAED,SAAS,4BAA4B;;YACnC,OAAO;gBACL,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;oBACzB,MAAM,0BAA0B,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChF,CAAC;gBACD,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;gBACvB,SAAS,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,SAAS;gBAC7B,aAAa,EAAE,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,2BAA2B,0CAAE,YAAY;gBACjE,eAAe,EAAE,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,2BAA2B,0CAAE,cAAc;aACtE,CAAC;QACJ,CAAC;QAED,OAAO,wBAAwB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;;YAC/D,MAAM,kBAAkB,GAAG,4BAA4B,EAAE,CAAC;YAE1D,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC/C,OAAO,gBAAgB,CAAC,MAAA,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,uBAAuB,mCAAI,KAAK,CAAC,CAAC;YAC7F,CAAC;YAED,OAAO,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,sBAAsB;QACtB,yBAAyB;QACzB,2BAA2B;QAC3B,oBAAoB;QACpB,0BAA0B;QAC1B,2BAA2B;QAC3B,kBAAkB;QAClB,4BAA4B;KAC7B,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport * as msal from \"@azure/msal-node\";\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { AuthenticationRecord, CertificateParts } from \"../types\";\nimport { CredentialLogger, credentialLogger, formatSuccess } from \"../../util/logging\";\nimport { PluginConfiguration, msalPlugins } from \"./msalPlugins\";\nimport {\n defaultLoggerCallback,\n ensureValidMsalToken,\n getAuthority,\n getKnownAuthorities,\n getMSALLogLevel,\n handleMsalError,\n msalToPublic,\n publicToMsal,\n} from \"../utils\";\n\nimport { AuthenticationRequiredError } from \"../../errors\";\nimport { BrokerOptions } from \"./brokerOptions\";\nimport { DeviceCodePromptCallback } from \"../../credentials/deviceCodeCredentialOptions\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { InteractiveBrowserCredentialNodeOptions } from \"../../credentials/interactiveBrowserCredentialOptions\";\nimport { TokenCachePersistenceOptions } from \"./tokenCachePersistenceOptions\";\nimport { calculateRegionalAuthority } from \"../../regionalAuthority\";\nimport { getLogLevel } from \"@azure/logger\";\nimport open from \"open\";\nimport { resolveTenantId } from \"../../util/tenantIdUtils\";\n\n/**\n * The default logger used if no logger was passed in by the credential.\n */\nconst msalLogger = credentialLogger(\"MsalClient\");\n\n/**\n * Represents the options for acquiring a token using flows that support silent authentication.\n */\nexport interface GetTokenWithSilentAuthOptions extends GetTokenOptions {\n /**\n * Disables automatic authentication. If set to true, the method will throw an error if the user needs to authenticate.\n *\n * @remarks\n *\n * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.\n */\n disableAutomaticAuthentication?: boolean;\n}\n\n/**\n * Represents the options for acquiring a token interactively.\n */\nexport interface GetTokenInteractiveOptions extends GetTokenWithSilentAuthOptions {\n /**\n * Window handle for parent window, required for WAM authentication.\n */\n parentWindowHandle?: Buffer;\n /**\n * Shared configuration options for browser customization\n */\n browserCustomizationOptions?: InteractiveBrowserCredentialNodeOptions[\"browserCustomizationOptions\"];\n /**\n * loginHint allows a user name to be pre-selected for interactive logins.\n * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n */\n loginHint?: string;\n}\n\n/**\n * Represents a client for interacting with the Microsoft Authentication Library (MSAL).\n */\nexport interface MsalClient {\n /**\n *\n * Retrieves an access token by using the on-behalf-of flow and a client assertion callback of the calling service.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param userAssertionToken - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.\n * @param clientCredentials - The client secret OR client certificate OR client `getAssertion` callback.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an interactive prompt (InteractiveBrowserCredential).\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a user's username and password.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param username - The username provided by the developer.\n * @param password - The user's password provided by the developer.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by prompting the user to authenticate using a device code.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param userPromptCallback - The callback function that allows developers to customize the prompt message.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByDeviceCode(\n scopes: string[],\n userPromptCallback: DeviceCodePromptCallback,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a client certificate.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param certificate - The client certificate used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client assertion.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientAssertion - The client `getAssertion` callback used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client secret.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientSecret - The client secret of the application. This is a credential that the application can use to authenticate itself.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an authorization code flow.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param authorizationCode - An authorization code that was received from following the\n authorization code flow. This authorization code must not\n have already been used to obtain an access token.\n * @param redirectUri - The redirect URI that was used to request the authorization code.\n Must be the same URI that is configured for the App Registration.\n * @param clientSecret - An optional client secret that was generated for the App Registration.\n * @param options - Additional options that may be provided to the method.\n */\n getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.\n *\n * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.\n */\n getActiveAccount(): AuthenticationRecord | undefined;\n}\n\n/**\n * Represents the options for configuring the MsalClient.\n */\nexport interface MsalClientOptions {\n /**\n * Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.\n */\n brokerOptions?: BrokerOptions;\n\n /**\n * Parameters that enable token cache persistence in the Identity credentials.\n */\n tokenCachePersistenceOptions?: TokenCachePersistenceOptions;\n\n /**\n * A custom authority host.\n */\n authorityHost?: IdentityClient[\"tokenCredentialOptions\"][\"authorityHost\"];\n\n /**\n * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.\n */\n loggingOptions?: IdentityClient[\"tokenCredentialOptions\"][\"loggingOptions\"];\n\n /**\n * The token credential options for the MsalClient.\n */\n tokenCredentialOptions?: IdentityClient[\"tokenCredentialOptions\"];\n\n /**\n * Determines whether instance discovery is disabled.\n */\n disableInstanceDiscovery?: boolean;\n\n /**\n * The logger for the MsalClient.\n */\n logger?: CredentialLogger;\n\n /**\n * The authentication record for the MsalClient.\n */\n authenticationRecord?: AuthenticationRecord;\n}\n\n/**\n * A call to open(), but mockable\n * @internal\n */\nexport const interactiveBrowserMockable = {\n open,\n};\n\n/**\n * Generates the configuration for MSAL (Microsoft Authentication Library).\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param msalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns The MSAL configuration object.\n */\nexport function generateMsalConfiguration(\n clientId: string,\n tenantId: string,\n msalClientOptions: MsalClientOptions = {},\n): msal.Configuration {\n const resolvedTenant = resolveTenantId(\n msalClientOptions.logger ?? msalLogger,\n tenantId,\n clientId,\n );\n\n // TODO: move and reuse getIdentityClientAuthorityHost\n const authority = getAuthority(\n resolvedTenant,\n msalClientOptions.authorityHost ?? process.env.AZURE_AUTHORITY_HOST,\n );\n\n const httpClient = new IdentityClient({\n ...msalClientOptions.tokenCredentialOptions,\n authorityHost: authority,\n loggingOptions: msalClientOptions.loggingOptions,\n });\n\n const msalConfig: msal.Configuration = {\n auth: {\n clientId,\n authority,\n knownAuthorities: getKnownAuthorities(\n resolvedTenant,\n authority,\n msalClientOptions.disableInstanceDiscovery,\n ),\n },\n system: {\n networkClient: httpClient,\n loggerOptions: {\n loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),\n logLevel: getMSALLogLevel(getLogLevel()),\n piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,\n },\n },\n };\n return msalConfig;\n}\n\n/**\n * Represents the state necessary for the MSAL (Microsoft Authentication Library) client to operate.\n * This includes the MSAL configuration, cached account information, Azure region, and a flag to disable automatic authentication.\n *\n * @internal\n */\ninterface MsalClientState {\n /** The configuration for the MSAL client. */\n msalConfig: msal.Configuration;\n\n /** The cached account information, or null if no account information is cached. */\n cachedAccount: msal.AccountInfo | null;\n\n /** Configured plugins */\n pluginConfiguration: PluginConfiguration;\n\n /** Claims received from challenges, cached for the next request */\n cachedClaims?: string;\n\n /** The logger instance */\n logger: CredentialLogger;\n}\n\n/**\n * Creates an instance of the MSAL (Microsoft Authentication Library) client.\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns An instance of the MSAL client.\n *\n * @public\n */\nexport function createMsalClient(\n clientId: string,\n tenantId: string,\n createMsalClientOptions: MsalClientOptions = {},\n): MsalClient {\n const state: MsalClientState = {\n msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),\n cachedAccount: createMsalClientOptions.authenticationRecord\n ? publicToMsal(createMsalClientOptions.authenticationRecord)\n : null,\n pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),\n logger: createMsalClientOptions.logger ?? msalLogger,\n };\n\n const publicApps: Map<string, msal.PublicClientApplication> = new Map();\n async function getPublicApp(\n options: GetTokenOptions = {},\n ): Promise<msal.PublicClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let publicClientApp = publicApps.get(appKey);\n if (publicClientApp) {\n state.logger.getToken.info(\"Existing PublicClientApplication found in cache, returning it.\");\n return publicClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new PublicClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n );\n\n const cachePlugin = options.enableCae\n ? state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n publicClientApp = new msal.PublicClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n publicApps.set(appKey, publicClientApp);\n\n return publicClientApp;\n }\n\n const confidentialApps: Map<string, msal.ConfidentialClientApplication> = new Map();\n async function getConfidentialApp(\n options: GetTokenOptions = {},\n ): Promise<msal.ConfidentialClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let confidentialClientApp = confidentialApps.get(appKey);\n if (confidentialClientApp) {\n state.logger.getToken.info(\n \"Existing ConfidentialClientApplication found in cache, returning it.\",\n );\n return confidentialClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new ConfidentialClientApplication with CAE ${\n options.enableCae ? \"enabled\" : \"disabled\"\n }.`,\n );\n\n const cachePlugin = options.enableCae\n ? state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n confidentialClientApp = new msal.ConfidentialClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n confidentialApps.set(appKey, confidentialClientApp);\n\n return confidentialClientApp;\n }\n\n async function getTokenSilent(\n app: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: string[],\n options: GetTokenOptions = {},\n ): Promise<msal.AuthenticationResult> {\n if (state.cachedAccount === null) {\n state.logger.getToken.info(\n \"No cached account found in local state, attempting to load it from MSAL cache.\",\n );\n const cache = app.getTokenCache();\n const accounts = await cache.getAllAccounts();\n\n if (accounts === undefined || accounts.length === 0) {\n throw new AuthenticationRequiredError({ scopes });\n }\n\n if (accounts.length > 1) {\n state.logger\n .info(`More than one account was found authenticated for this Client ID and Tenant ID.\nHowever, no \"authenticationRecord\" has been provided for this credential,\ntherefore we're unable to pick between these accounts.\nA new login attempt will be requested, to ensure the correct account is picked.\nTo work with multiple accounts for the same Client ID and Tenant ID, please provide an \"authenticationRecord\" when initializing a credential to prevent this from happening.`);\n throw new AuthenticationRequiredError({ scopes });\n }\n\n state.cachedAccount = accounts[0];\n }\n\n // Keep track and reuse the claims we received across challenges\n if (options.claims) {\n state.cachedClaims = options.claims;\n }\n\n const silentRequest: msal.SilentFlowRequest = {\n account: state.cachedAccount,\n scopes,\n claims: state.cachedClaims,\n };\n\n if (state.pluginConfiguration.broker.isEnabled) {\n silentRequest.tokenQueryParameters ||= {};\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n silentRequest.tokenQueryParameters[\"msal_request_type\"] = \"consumer_passthrough\";\n }\n }\n\n state.logger.getToken.info(\"Attempting to acquire token silently\");\n return app.acquireTokenSilent(silentRequest);\n }\n\n /**\n * Builds an authority URL for the given request. The authority may be different than the one used when creating the MSAL client\n * if the user is creating cross-tenant requests\n */\n function calculateRequestAuthority(options?: GetTokenOptions): string | undefined {\n if (options?.tenantId) {\n return getAuthority(options.tenantId, createMsalClientOptions.authorityHost);\n }\n return state.msalConfig.auth.authority;\n }\n\n /**\n * Performs silent authentication using MSAL to acquire an access token.\n * If silent authentication fails, falls back to interactive authentication.\n *\n * @param msalApp - The MSAL application instance.\n * @param scopes - The scopes for which to acquire the access token.\n * @param options - The options for acquiring the access token.\n * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.\n * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.\n */\n async function withSilentAuthentication(\n msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: Array<string>,\n options: GetTokenWithSilentAuthOptions,\n onAuthenticationRequired: () => Promise<msal.AuthenticationResult | null>,\n ): Promise<AccessToken> {\n let response: msal.AuthenticationResult | null = null;\n try {\n response = await getTokenSilent(msalApp, scopes, options);\n } catch (e: any) {\n if (e.name !== \"AuthenticationRequiredError\") {\n throw e;\n }\n if (options.disableAutomaticAuthentication) {\n throw new AuthenticationRequiredError({\n scopes,\n getTokenOptions: options,\n message:\n \"Automatic authentication has been disabled. You may call the authentication() method.\",\n });\n }\n }\n\n // Silent authentication failed\n if (response === null) {\n try {\n response = await onAuthenticationRequired();\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n // At this point we should have a token, process it\n ensureValidMsalToken(scopes, response, options);\n state.cachedAccount = response?.account ?? null;\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n }\n\n async function getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client secret`);\n\n state.msalConfig.auth.clientSecret = clientSecret;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client assertion`);\n\n state.msalConfig.auth.clientAssertion = clientAssertion;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n clientAssertion,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client certificate`);\n\n state.msalConfig.auth.clientCertificate = certificate;\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByDeviceCode(\n scopes: string[],\n deviceCodeCallback: DeviceCodePromptCallback,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using device code`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.DeviceCodeRequest = {\n scopes,\n cancel: options?.abortSignal?.aborted ?? false,\n deviceCodeCallback,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);\n if (options.abortSignal) {\n options.abortSignal.addEventListener(\"abort\", () => {\n requestOptions.cancel = true;\n });\n }\n\n return deviceCodeRequest;\n });\n }\n\n async function getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using username and password`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.UsernamePasswordRequest = {\n scopes,\n username,\n password,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n\n return msalApp.acquireTokenByUsernamePassword(requestOptions);\n });\n }\n\n function getActiveAccount(): AuthenticationRecord | undefined {\n if (!state.cachedAccount) {\n return undefined;\n }\n return msalToPublic(clientId, state.cachedAccount);\n }\n\n async function getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using authorization code`);\n\n let msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication;\n if (clientSecret) {\n // If a client secret is provided, we need to use a confidential client application\n // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret\n state.msalConfig.auth.clientSecret = clientSecret;\n msalApp = await getConfidentialApp(options);\n } else {\n msalApp = await getPublicApp(options);\n }\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n return msalApp.acquireTokenByCode({\n scopes,\n redirectUri,\n code: authorizationCode,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n });\n });\n }\n\n async function getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);\n\n if (typeof clientCredentials === \"string\") {\n // Client secret\n msalLogger.getToken.info(`Using client secret for on behalf of flow`);\n state.msalConfig.auth.clientSecret = clientCredentials;\n } else if (typeof clientCredentials === \"function\") {\n // Client Assertion\n msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);\n state.msalConfig.auth.clientAssertion = clientCredentials;\n } else {\n // Client certificate\n msalLogger.getToken.info(`Using client certificate for on behalf of flow`);\n state.msalConfig.auth.clientCertificate = clientCredentials;\n }\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenOnBehalfOf({\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options.claims,\n oboAssertion: userAssertionToken,\n });\n ensureValidMsalToken(scopes, response, options);\n\n msalLogger.getToken.info(formatSuccess(scopes));\n\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n };\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token interactively`);\n\n const app = await getPublicApp(options);\n\n /**\n * A helper function that supports brokered authentication through the MSAL's public application.\n *\n * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.\n * If the default broker account is not available, the method will fall back to interactive authentication.\n */\n async function getBrokeredToken(\n useDefaultBrokerAccount: boolean,\n ): Promise<msal.AuthenticationResult> {\n msalLogger.verbose(\"Authentication will resume through the broker\");\n const interactiveRequest = createBaseInteractiveRequest();\n if (state.pluginConfiguration.broker.parentWindowHandle) {\n interactiveRequest.windowHandle = Buffer.from(\n state.pluginConfiguration.broker.parentWindowHandle,\n );\n } else {\n // this is a bug, as the pluginConfiguration handler should validate this case.\n msalLogger.warning(\n \"Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.\",\n );\n }\n\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n (interactiveRequest.tokenQueryParameters ??= {})[\"msal_request_type\"] =\n \"consumer_passthrough\";\n }\n if (useDefaultBrokerAccount) {\n interactiveRequest.prompt = \"none\";\n msalLogger.verbose(\"Attempting broker authentication using the default broker account\");\n } else {\n msalLogger.verbose(\"Attempting broker authentication without the default broker account\");\n }\n\n try {\n return await app.acquireTokenInteractive(interactiveRequest);\n } catch (e: any) {\n msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);\n // If we tried to use the default broker account and failed, fall back to interactive authentication\n if (useDefaultBrokerAccount) {\n return getBrokeredToken(/* useDefaultBrokerAccount: */ false);\n } else {\n throw e;\n }\n }\n }\n\n function createBaseInteractiveRequest(): msal.InteractiveRequest {\n return {\n openBrowser: async (url) => {\n await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });\n },\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n loginHint: options?.loginHint,\n errorTemplate: options?.browserCustomizationOptions?.errorMessage,\n successTemplate: options?.browserCustomizationOptions?.successMessage,\n };\n }\n\n return withSilentAuthentication(app, scopes, options, async () => {\n const interactiveRequest = createBaseInteractiveRequest();\n\n if (state.pluginConfiguration.broker.isEnabled) {\n return getBrokeredToken(state.pluginConfiguration.broker.useDefaultBrokerAccount ?? false);\n }\n\n return app.acquireTokenInteractive(interactiveRequest);\n });\n }\n\n return {\n getActiveAccount,\n getTokenByClientSecret,\n getTokenByClientAssertion,\n getTokenByClientCertificate,\n getTokenByDeviceCode,\n getTokenByUsernamePassword,\n getTokenByAuthorizationCode,\n getTokenOnBehalfOf,\n getTokenByInteractiveRequest,\n };\n}\n"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@azure/identity",
3
3
  "sdk-type": "client",
4
- "version": "4.5.0-beta.1",
4
+ "version": "4.5.0-beta.2",
5
5
  "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",
6
6
  "main": "dist/index.js",
7
7
  "module": "dist-esm/src/index.js",
@@ -108,7 +108,7 @@
108
108
  "homepage": "https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity/README.md",
109
109
  "sideEffects": false,
110
110
  "dependencies": {
111
- "@azure/abort-controller": "^1.0.0",
111
+ "@azure/abort-controller": "^2.0.0",
112
112
  "@azure/core-auth": "^1.5.0",
113
113
  "@azure/core-client": "^1.9.2",
114
114
  "@azure/core-rest-pipeline": "^1.1.0",
@@ -156,7 +156,7 @@
156
156
  "mocha": "^10.0.0",
157
157
  "ms": "^2.1.3",
158
158
  "nyc": "^17.0.0",
159
- "puppeteer": "^22.2.0",
159
+ "puppeteer": "^23.0.2",
160
160
  "rimraf": "^5.0.5",
161
161
  "sinon": "^17.0.0",
162
162
  "ts-node": "^10.0.0",
package/types/identity.d.ts CHANGED
@@ -40,7 +40,9 @@ export declare class AuthenticationError extends Error {
40
40
  * The error response details.
41
41
  */
42
42
  readonly errorResponse: ErrorResponse;
43
- constructor(statusCode: number, errorBody: object | string | undefined | null);
43
+ constructor(statusCode: number, errorBody: object | string | undefined | null, options?: {
44
+ cause?: unknown;
45
+ });
44
46
  }
45
47
 
46
48
  /**
@@ -109,6 +111,10 @@ export declare interface AuthenticationRequiredErrorOptions {
109
111
  * The message of the error.
110
112
  */
111
113
  message?: string;
114
+ /**
115
+ * The underlying cause, if any, that caused the authentication to fail.
116
+ */
117
+ cause?: unknown;
112
118
  }
113
119
 
114
120
  /**
@@ -651,7 +657,6 @@ export declare class ClientCertificateCredential implements TokenCredential {
651
657
  */
652
658
  getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
653
659
  private buildClientCertificate;
654
- private parseCertificate;
655
660
  }
656
661
 
657
662
  /**
@@ -782,7 +787,9 @@ export declare interface CredentialPersistenceOptions {
782
787
  * an error that should halt the chain, it's caught and the chain continues
783
788
  */
784
789
  export declare class CredentialUnavailableError extends Error {
785
- constructor(message?: string);
790
+ constructor(message?: string, options?: {
791
+ cause?: unknown;
792
+ });
786
793
  }
787
794
 
788
795
  /**
@@ -978,7 +985,7 @@ export declare class DeviceCodeCredential implements TokenCredential {
978
985
  * Authenticates with Microsoft Entra ID and returns an access token if successful.
979
986
  * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
980
987
  *
981
- * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
988
+ * If the token can't be retrieved silently, this method will always generate a challenge for the user.
982
989
  *
983
990
  * @param scopes - The list of scopes for which the token will have access.
984
991
  * @param options - The options used to configure any requests this
@@ -996,7 +1003,11 @@ export declare interface DeviceCodeCredentialOptions extends InteractiveCredenti
996
1003
  */
997
1004
  tenantId?: string;
998
1005
  /**
999
- * The client (application) ID of an App Registration in the tenant.
1006
+ * Client ID of the Microsoft Entra application that users will sign into.
1007
+ * It is recommended that developers register their applications and assign appropriate roles.
1008
+ * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
1009
+ * If not specified, users will authenticate to an Azure development application,
1010
+ * which is not recommended for production scenarios.
1000
1011
  */
1001
1012
  clientId?: string;
1002
1013
  /**
@@ -1056,6 +1067,7 @@ export declare class EnvironmentCredential implements TokenCredential {
1056
1067
  * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
1057
1068
  * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
1058
1069
  * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
1070
+ * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
1059
1071
  *
1060
1072
  * Alternatively, users can provide environment variables for username and password authentication:
1061
1073
  * - `AZURE_USERNAME`: Username to authenticate with.
@@ -1210,7 +1222,7 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
1210
1222
  * Authenticates with Microsoft Entra ID and returns an access token if successful.
1211
1223
  * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
1212
1224
  *
1213
- * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
1225
+ * If the token can't be retrieved silently, this method will always generate a challenge for the user.
1214
1226
  *
1215
1227
  * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
1216
1228
  * PKCE is a security feature that mitigates authentication code interception attacks.
@@ -1237,8 +1249,10 @@ export declare interface InteractiveBrowserCredentialInBrowserOptions extends In
1237
1249
  */
1238
1250
  tenantId?: string;
1239
1251
  /**
1240
- * The client (application) ID of an App Registration in the tenant.
1252
+ * The Client ID of the Microsoft Entra application that users will sign into.
1241
1253
  * This parameter is required on the browser.
1254
+ * Developers need to register their applications and assign appropriate roles.
1255
+ * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
1242
1256
  */
1243
1257
  clientId: string;
1244
1258
  /**
@@ -1270,7 +1284,11 @@ export declare interface InteractiveBrowserCredentialNodeOptions extends Interac
1270
1284
  */
1271
1285
  tenantId?: string;
1272
1286
  /**
1273
- * The client (application) ID of an App Registration in the tenant.
1287
+ * The Client ID of the Microsoft Entra application that users will sign into.
1288
+ * It is recommended that developers register their applications and assign appropriate roles.
1289
+ * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
1290
+ * If not specified, users will authenticate to an Azure development application,
1291
+ * which is not recommended for production scenarios.
1274
1292
  */
1275
1293
  clientId?: string;
1276
1294
  /**
package/dist-esm/src/msal/flows.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"flows.js","sourceRoot":"","sources":["../../../src/msal/flows.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken } from \"@azure/core-auth\";\nimport { AuthenticationRecord } from \"./types\";\nimport { CredentialFlowGetTokenOptions } from \"./credentials\";\nimport { CredentialLogger } from \"../util/logging\";\n\n/**\n * Union of the constructor parameters that all MSAL flow types take.\n * @internal\n */\nexport interface MsalFlowOptions {\n logger: CredentialLogger;\n clientId?: string;\n tenantId?: string;\n authorityHost?: string;\n authenticationRecord?: AuthenticationRecord;\n disableAutomaticAuthentication?: boolean;\n disableInstanceDiscovery?: boolean;\n getAssertion?: () => Promise<string>;\n enableMsaPassthrough?: boolean;\n}\n\n/**\n * The common methods we use to work with the MSAL flows.\n * @internal\n */\nexport interface MsalFlow {\n /**\n * Allows for any setup before any request is processed.\n */\n init(options?: CredentialFlowGetTokenOptions): Promise<void>;\n /**\n * Tries to load the active account, either from memory or from MSAL.\n */\n getActiveAccount(): Promise<AuthenticationRecord | undefined>;\n /**\n * Tries to retrieve the token silently using MSAL.\n */\n getTokenSilent(scopes?: string[], options?: CredentialFlowGetTokenOptions): Promise<AccessToken>;\n /**\n * Calls to the implementation's doGetToken method.\n */\n getToken(scopes?: string[], options?: CredentialFlowGetTokenOptions): Promise<AccessToken>;\n}\n"]}
package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js DELETED
@@ -1,47 +0,0 @@
1
- // Copyright (c) Microsoft Corporation.
2
- // Licensed under the MIT license.
3
- import { MsalNode } from "./msalNodeCommon";
4
- import { credentialLogger } from "../../util/logging";
5
- import { handleMsalError } from "../utils";
6
- /**
7
- * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
8
- * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
9
- * @internal
10
- */
11
- export class MsalAuthorizationCode extends MsalNode {
12
- constructor(options) {
13
- super(options);
14
- this.logger = credentialLogger("Node.js MSAL Authorization Code");
15
- this.redirectUri = options.redirectUri;
16
- this.authorizationCode = options.authorizationCode;
17
- if (options.clientSecret) {
18
- this.msalConfig.auth.clientSecret = options.clientSecret;
19
- }
20
- }
21
- async getAuthCodeUrl(options) {
22
- await this.init();
23
- return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
24
- scopes: options.scopes,
25
- redirectUri: options.redirectUri,
26
- });
27
- }
28
- async doGetToken(scopes, options) {
29
- try {
30
- const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
31
- scopes,
32
- redirectUri: this.redirectUri,
33
- code: this.authorizationCode,
34
- correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
35
- authority: options === null || options === void 0 ? void 0 : options.authority,
36
- claims: options === null || options === void 0 ? void 0 : options.claims,
37
- });
38
- // The Client Credential flow does not return an account,
39
- // so each time getToken gets called, we will have to acquire a new token through the service.
40
- return this.handleResult(scopes, result || undefined);
41
- }
42
- catch (err) {
43
- throw handleMsalError(scopes, err, options);
44
- }
45
- }
46
- }
47
- //# sourceMappingURL=msalAuthorizationCode.js.map
package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"msalAuthorizationCode.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalAuthorizationCode.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,QAAQ,EAAmB,MAAM,kBAAkB,CAAC;AAI7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAY3C;;;;GAIG;AACH,MAAM,OAAO,qBAAsB,SAAQ,QAAQ;IAIjD,YAAY,OAAqC;QAC/C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC,iCAAiC,CAAC,CAAC;QAClE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACnD,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAIpB;QACC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC;YACxE,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAC,CAAC;IACL,CAAC;IAES,KAAK,CAAC,UAAU,CACxB,MAAgB,EAChB,OAAuC;QAEvC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,SAAS,CAAC,CAAC,kBAAkB,CAAC;gBAC3F,MAAM;gBACN,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,IAAI,EAAE,IAAI,CAAC,iBAAiB;gBAC5B,aAAa,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,aAAa;gBACrC,SAAS,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,SAAS;gBAC7B,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;aACxB,CAAC,CAAC;YACH,yDAAyD;YACzD,8FAA8F;YAC9F,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { MsalNode, MsalNodeOptions } from \"./msalNodeCommon\";\n\nimport { AccessToken } from \"@azure/core-auth\";\nimport { CredentialFlowGetTokenOptions } from \"../credentials\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { handleMsalError } from \"../utils\";\n\n/**\n * Options that can be passed to configure MSAL to handle authentication through opening a browser window.\n * @internal\n */\nexport interface MsalAuthorizationCodeOptions extends MsalNodeOptions {\n redirectUri: string;\n authorizationCode: string;\n clientSecret?: string;\n}\n\n/**\n * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`\n * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback\n * @internal\n */\nexport class MsalAuthorizationCode extends MsalNode {\n private redirectUri: string;\n private authorizationCode: string;\n\n constructor(options: MsalAuthorizationCodeOptions) {\n super(options);\n this.logger = credentialLogger(\"Node.js MSAL Authorization Code\");\n this.redirectUri = options.redirectUri;\n this.authorizationCode = options.authorizationCode;\n if (options.clientSecret) {\n this.msalConfig.auth.clientSecret = options.clientSecret;\n }\n }\n\n async getAuthCodeUrl(options: {\n scopes: string[];\n redirectUri: string;\n enableCae?: boolean;\n }): Promise<string> {\n await this.init();\n return this.getApp(\"confidentialFirst\", options.enableCae).getAuthCodeUrl({\n scopes: options.scopes,\n redirectUri: options.redirectUri,\n });\n }\n\n protected async doGetToken(\n scopes: string[],\n options?: CredentialFlowGetTokenOptions,\n ): Promise<AccessToken> {\n try {\n const result = await this.getApp(\"confidentialFirst\", options?.enableCae).acquireTokenByCode({\n scopes,\n redirectUri: this.redirectUri,\n code: this.authorizationCode,\n correlationId: options?.correlationId,\n authority: options?.authority,\n claims: options?.claims,\n });\n // The Client Credential flow does not return an account,\n // so each time getToken gets called, we will have to acquire a new token through the service.\n return this.handleResult(scopes, result || undefined);\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n}\n"]}
package/dist-esm/src/msal/nodeFlows/msalClientAssertion.js DELETED
@@ -1,42 +0,0 @@
1
- // Copyright (c) Microsoft Corporation.
2
- // Licensed under the MIT license.
3
- import { MsalNode } from "./msalNodeCommon";
4
- import { handleMsalError } from "../utils";
5
- import { isError } from "@azure/core-util";
6
- /**
7
- * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
8
- * @internal
9
- */
10
- export class MsalClientAssertion extends MsalNode {
11
- constructor(options) {
12
- super(options);
13
- this.requiresConfidential = true;
14
- this.getAssertion = options.getAssertion;
15
- }
16
- async doGetToken(scopes, options = {}) {
17
- try {
18
- const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
19
- scopes,
20
- correlationId: options.correlationId,
21
- azureRegion: this.azureRegion,
22
- authority: options.authority,
23
- claims: options.claims,
24
- clientAssertion: this.getAssertion,
25
- });
26
- // The Client Credential flow does not return an account,
27
- // so each time getToken gets called, we will have to acquire a new token through the service.
28
- return this.handleResult(scopes, result || undefined);
29
- }
30
- catch (err) {
31
- let err2 = err;
32
- if (err === null || err === undefined) {
33
- err2 = new Error(JSON.stringify(err));
34
- }
35
- else {
36
- err2 = isError(err) ? err : new Error(String(err));
37
- }
38
- throw handleMsalError(scopes, err2, options);
39
- }
40
- }
41
- }
42
- //# sourceMappingURL=msalClientAssertion.js.map
package/dist-esm/src/msal/nodeFlows/msalClientAssertion.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"msalClientAssertion.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClientAssertion.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,QAAQ,EAAmB,MAAM,kBAAkB,CAAC;AAI7D,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAa3C;;;GAGG;AACH,MAAM,OAAO,mBAAoB,SAAQ,QAAQ;IAE/C,YAAY,OAAmC;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;IAC3C,CAAC;IAES,KAAK,CAAC,UAAU,CACxB,MAAgB,EAChB,UAAyC,EAAE;QAE3C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAC9B,cAAc,EACd,OAAO,CAAC,SAAS,CAClB,CAAC,8BAA8B,CAAC;gBAC/B,MAAM;gBACN,aAAa,EAAE,OAAO,CAAC,aAAa;gBACpC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,eAAe,EAAE,IAAI,CAAC,YAAY;aACnC,CAAC,CAAC;YACH,yDAAyD;YACzD,8FAA8F;YAC9F,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,IAAI,IAAI,GAAG,GAAG,CAAC;YACf,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtC,IAAI,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACN,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YACrD,CAAC;YACD,MAAM,eAAe,CAAC,MAAM,EAAE,IAAa,EAAE,OAAO,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { MsalNode, MsalNodeOptions } from \"./msalNodeCommon\";\n\nimport { AccessToken } from \"@azure/core-auth\";\nimport { CredentialFlowGetTokenOptions } from \"../credentials\";\nimport { handleMsalError } from \"../utils\";\nimport { isError } from \"@azure/core-util\";\n\n/**\n * Options that can be passed to configure MSAL to handle client assertions.\n * @internal\n */\nexport interface MsalClientAssertionOptions extends MsalNodeOptions {\n /**\n * A function that retrieves the assertion for the credential to use.\n */\n getAssertion: () => Promise<string>;\n}\n\n/**\n * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.\n * @internal\n */\nexport class MsalClientAssertion extends MsalNode {\n getAssertion: () => Promise<string>;\n constructor(options: MsalClientAssertionOptions) {\n super(options);\n this.requiresConfidential = true;\n this.getAssertion = options.getAssertion;\n }\n\n protected async doGetToken(\n scopes: string[],\n options: CredentialFlowGetTokenOptions = {},\n ): Promise<AccessToken> {\n try {\n const result = await this.getApp(\n \"confidential\",\n options.enableCae,\n ).acquireTokenByClientCredential({\n scopes,\n correlationId: options.correlationId,\n azureRegion: this.azureRegion,\n authority: options.authority,\n claims: options.claims,\n clientAssertion: this.getAssertion,\n });\n // The Client Credential flow does not return an account,\n // so each time getToken gets called, we will have to acquire a new token through the service.\n return this.handleResult(scopes, result || undefined);\n } catch (err: unknown) {\n let err2 = err;\n if (err === null || err === undefined) {\n err2 = new Error(JSON.stringify(err));\n } else {\n err2 = isError(err) ? err : new Error(String(err));\n }\n throw handleMsalError(scopes, err2 as Error, options);\n }\n }\n}\n"]}
package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js DELETED
@@ -1,112 +0,0 @@
1
- // Copyright (c) Microsoft Corporation.
2
- // Licensed under the MIT license.
3
- import { MsalNode } from "./msalNodeCommon";
4
- import { createHash, createPrivateKey } from "crypto";
5
- import { formatError } from "../../util/logging";
6
- import { handleMsalError } from "../utils";
7
- import { promisify } from "util";
8
- import { readFile } from "fs";
9
- const readFileAsync = promisify(readFile);
10
- /**
11
- * Tries to asynchronously load a certificate from the given path.
12
- *
13
- * @param configuration - Either the PEM value or the path to the certificate.
14
- * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
15
- * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
16
- * @internal
17
- */
18
- export async function parseCertificate(configuration, sendCertificateChain) {
19
- const certificateParts = {};
20
- const certificate = configuration
21
- .certificate;
22
- const certificatePath = configuration
23
- .certificatePath;
24
- certificateParts.certificateContents =
25
- certificate || (await readFileAsync(certificatePath, "utf8"));
26
- if (sendCertificateChain) {
27
- certificateParts.x5c = certificateParts.certificateContents;
28
- }
29
- const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
30
- const publicKeys = [];
31
- // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
32
- let match;
33
- do {
34
- match = certificatePattern.exec(certificateParts.certificateContents);
35
- if (match) {
36
- publicKeys.push(match[3]);
37
- }
38
- } while (match);
39
- if (publicKeys.length === 0) {
40
- throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
41
- }
42
- certificateParts.thumbprint = createHash("sha1")
43
- .update(Buffer.from(publicKeys[0], "base64"))
44
- .digest("hex")
45
- .toUpperCase();
46
- return certificateParts;
47
- }
48
- /**
49
- * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
50
- * @internal
51
- */
52
- export class MsalClientCertificate extends MsalNode {
53
- constructor(options) {
54
- super(options);
55
- this.requiresConfidential = true;
56
- this.configuration = options.configuration;
57
- this.sendCertificateChain = options.sendCertificateChain;
58
- }
59
- // Changing the MSAL configuration asynchronously
60
- async init(options) {
61
- try {
62
- const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
63
- let privateKey;
64
- if (this.configuration.certificatePassword !== undefined) {
65
- const privateKeyObject = createPrivateKey({
66
- key: parts.certificateContents,
67
- passphrase: this.configuration.certificatePassword,
68
- format: "pem",
69
- });
70
- privateKey = privateKeyObject
71
- .export({
72
- format: "pem",
73
- type: "pkcs8",
74
- })
75
- .toString();
76
- }
77
- else {
78
- privateKey = parts.certificateContents;
79
- }
80
- this.msalConfig.auth.clientCertificate = {
81
- thumbprint: parts.thumbprint,
82
- privateKey: privateKey,
83
- x5c: parts.x5c,
84
- };
85
- }
86
- catch (error) {
87
- this.logger.info(formatError("", error));
88
- throw error;
89
- }
90
- return super.init(options);
91
- }
92
- async doGetToken(scopes, options = {}) {
93
- try {
94
- const clientCredReq = {
95
- scopes,
96
- correlationId: options.correlationId,
97
- azureRegion: this.azureRegion,
98
- authority: options.authority,
99
- claims: options.claims,
100
- };
101
- const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
102
- // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
103
- // The Client Credential flow does not return the account information from the authentication service,
104
- // so each time getToken gets called, we will have to acquire a new token through the service.
105
- return this.handleResult(scopes, result || undefined);
106
- }
107
- catch (err) {
108
- throw handleMsalError(scopes, err, options);
109
- }
110
- }
111
- }
112
- //# sourceMappingURL=msalClientCertificate.js.map
package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"msalClientCertificate.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClientCertificate.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAOlC,OAAO,EAAE,QAAQ,EAAmB,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAKtD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAqC1C;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,aAA0D,EAC1D,oBAA8B;IAE9B,MAAM,gBAAgB,GAA8B,EAAE,CAAC;IAEvD,MAAM,WAAW,GAAwB,aAAiD;SACvF,WAAW,CAAC;IACf,MAAM,eAAe,GAAwB,aAAqD;SAC/F,eAAe,CAAC;IACnB,gBAAgB,CAAC,mBAAmB;QAClC,WAAW,IAAI,CAAC,MAAM,aAAa,CAAC,eAAgB,EAAE,MAAM,CAAC,CAAC,CAAC;IACjE,IAAI,oBAAoB,EAAE,CAAC;QACzB,gBAAgB,CAAC,GAAG,GAAG,gBAAgB,CAAC,mBAAmB,CAAC;IAC9D,CAAC;IAED,MAAM,kBAAkB,GACtB,+FAA+F,CAAC;IAClG,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,qHAAqH;IACrH,IAAI,KAAK,CAAC;IACV,GAAG,CAAC;QACF,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,CAAC,CAAC;QACtE,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,QAAQ,KAAK,EAAE;IAEhB,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAChG,CAAC;IAED,gBAAgB,CAAC,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC;SAC7C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;SAC5C,MAAM,CAAC,KAAK,CAAC;SACb,WAAW,EAAE,CAAC;IAEjB,OAAO,gBAAoC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,qBAAsB,SAAQ,QAAQ;IAIjD,YAAY,OAAqC;QAC/C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC;QACjC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAC3D,CAAC;IAED,iDAAiD;IACjD,KAAK,CAAC,IAAI,CAAC,OAAuC;QAChD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAC;YAEpF,IAAI,UAA8B,CAAC;YACnC,IAAI,IAAI,CAAC,aAAa,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACzD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;oBACxC,GAAG,EAAE,KAAK,CAAC,mBAAmB;oBAC9B,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,mBAAmB;oBAClD,MAAM,EAAE,KAAK;iBACd,CAAC,CAAC;gBAEH,UAAU,GAAG,gBAAgB;qBAC1B,MAAM,CAAC;oBACN,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,OAAO;iBACd,CAAC;qBACD,QAAQ,EAAE,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,UAAU,GAAG,KAAK,CAAC,mBAAmB,CAAC;YACzC,CAAC;YAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG;gBACvC,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,UAAU,EAAE,UAAU;gBACtB,GAAG,EAAE,KAAK,CAAC,GAAG;aACf,CAAC;QACJ,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;YACzC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,UAAU,CACxB,MAAgB,EAChB,UAAyC,EAAE;QAE3C,IAAI,CAAC;YACH,MAAM,aAAa,GAA4B;gBAC7C,MAAM;gBACN,aAAa,EAAE,OAAO,CAAC,aAAa;gBACpC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAC9B,cAAc,EACd,OAAO,CAAC,SAAS,CAClB,CAAC,8BAA8B,CAAC,aAAa,CAAC,CAAC;YAChD,iHAAiH;YACjH,sGAAsG;YACtG,8FAA8F;YAC9F,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n ClientCertificateCredentialPEMConfiguration,\n ClientCertificatePEMCertificate,\n ClientCertificatePEMCertificatePath,\n} from \"../../credentials/clientCertificateCredential\";\nimport { MsalNode, MsalNodeOptions } from \"./msalNodeCommon\";\nimport { createHash, createPrivateKey } from \"crypto\";\n\nimport { AccessToken } from \"@azure/core-auth\";\nimport { ClientCredentialRequest } from \"@azure/msal-node\";\nimport { CredentialFlowGetTokenOptions } from \"../credentials\";\nimport { formatError } from \"../../util/logging\";\nimport { handleMsalError } from \"../utils\";\nimport { promisify } from \"util\";\nimport { readFile } from \"fs\";\n\nconst readFileAsync = promisify(readFile);\n\n/**\n * Options that can be passed to configure MSAL to handle client certificates.\n * @internal\n */\nexport interface MsalClientCertificateOptions extends MsalNodeOptions {\n /**\n * Location of the PEM certificate.\n */\n configuration: ClientCertificateCredentialPEMConfiguration;\n /**\n * Option to include x5c header for SubjectName and Issuer name authorization.\n * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim\n */\n sendCertificateChain?: boolean;\n}\n\n/**\n * Parts of a certificate, as understood by MSAL.\n * @internal\n */\ninterface CertificateParts {\n /**\n * Hex encoded X.509 SHA-1 thumbprint of the certificate\n */\n thumbprint: string;\n /**\n * The PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----\n */\n certificateContents: string;\n /**\n * x5c header.\n */\n x5c: string;\n}\n\n/**\n * Tries to asynchronously load a certificate from the given path.\n *\n * @param configuration - Either the PEM value or the path to the certificate.\n * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.\n * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.\n * @internal\n */\nexport async function parseCertificate(\n configuration: ClientCertificateCredentialPEMConfiguration,\n sendCertificateChain?: boolean,\n): Promise<CertificateParts> {\n const certificateParts: Partial<CertificateParts> = {};\n\n const certificate: string | undefined = (configuration as ClientCertificatePEMCertificate)\n .certificate;\n const certificatePath: string | undefined = (configuration as ClientCertificatePEMCertificatePath)\n .certificatePath;\n certificateParts.certificateContents =\n certificate || (await readFileAsync(certificatePath!, \"utf8\"));\n if (sendCertificateChain) {\n certificateParts.x5c = certificateParts.certificateContents;\n }\n\n const certificatePattern =\n /(-+BEGIN CERTIFICATE-+)(\\n\\r?|\\r\\n?)([A-Za-z0-9+/\\n\\r]+=*)(\\n\\r?|\\r\\n?)(-+END CERTIFICATE-+)/g;\n const publicKeys: string[] = [];\n\n // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c\n let match;\n do {\n match = certificatePattern.exec(certificateParts.certificateContents);\n if (match) {\n publicKeys.push(match[3]);\n }\n } while (match);\n\n if (publicKeys.length === 0) {\n throw new Error(\"The file at the specified path does not contain a PEM-encoded certificate.\");\n }\n\n certificateParts.thumbprint = createHash(\"sha1\")\n .update(Buffer.from(publicKeys[0], \"base64\"))\n .digest(\"hex\")\n .toUpperCase();\n\n return certificateParts as CertificateParts;\n}\n\n/**\n * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.\n * @internal\n */\nexport class MsalClientCertificate extends MsalNode {\n private configuration: ClientCertificateCredentialPEMConfiguration;\n private sendCertificateChain?: boolean;\n\n constructor(options: MsalClientCertificateOptions) {\n super(options);\n this.requiresConfidential = true;\n this.configuration = options.configuration;\n this.sendCertificateChain = options.sendCertificateChain;\n }\n\n // Changing the MSAL configuration asynchronously\n async init(options?: CredentialFlowGetTokenOptions): Promise<void> {\n try {\n const parts = await parseCertificate(this.configuration, this.sendCertificateChain);\n\n let privateKey: string | undefined;\n if (this.configuration.certificatePassword !== undefined) {\n const privateKeyObject = createPrivateKey({\n key: parts.certificateContents,\n passphrase: this.configuration.certificatePassword,\n format: \"pem\",\n });\n\n privateKey = privateKeyObject\n .export({\n format: \"pem\",\n type: \"pkcs8\",\n })\n .toString();\n } else {\n privateKey = parts.certificateContents;\n }\n\n this.msalConfig.auth.clientCertificate = {\n thumbprint: parts.thumbprint,\n privateKey: privateKey,\n x5c: parts.x5c,\n };\n } catch (error: any) {\n this.logger.info(formatError(\"\", error));\n throw error;\n }\n return super.init(options);\n }\n\n protected async doGetToken(\n scopes: string[],\n options: CredentialFlowGetTokenOptions = {},\n ): Promise<AccessToken> {\n try {\n const clientCredReq: ClientCredentialRequest = {\n scopes,\n correlationId: options.correlationId,\n azureRegion: this.azureRegion,\n authority: options.authority,\n claims: options.claims,\n };\n const result = await this.getApp(\n \"confidential\",\n options.enableCae,\n ).acquireTokenByClientCredential(clientCredReq);\n // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,\n // The Client Credential flow does not return the account information from the authentication service,\n // so each time getToken gets called, we will have to acquire a new token through the service.\n return this.handleResult(scopes, result || undefined);\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n}\n"]}