@azure/identity 4.5.0-beta.1 → 4.5.0-beta.3

package/dist/index.js

@@ -6,18 +6,18 @@ var logger$m = require('@azure/logger');
 var coreClient = require('@azure/core-client');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
-var abortController = require('@azure/abort-controller');
 var coreTracing = require('@azure/core-tracing');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
+var abortController = require('@azure/abort-controller');
 var msalCommon = require('@azure/msal-node');
 var open = require('open');
 var promises = require('fs/promises');
 var child_process = require('child_process');
 var crypto = require('crypto');
-var promises$1 = require('node:fs/promises');
 var node_crypto = require('node:crypto');
+var promises$1 = require('node:fs/promises');
 
 function _interopNamespaceDefault(e) {
     var n = Object.create(null);
@@ -40,11 +40,11 @@ var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
 var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.5.0-beta.1`;
+const SDK_VERSION = `4.5.0-beta.3`;
 /**
  * The default client ID for authentication
  * @internal
@@ -107,7 +107,7 @@ const CACHE_NON_CAE_SUFFIX = "nocae";
 const DEFAULT_TOKEN_CACHE_NAME = "msal.cache";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -190,7 +190,7 @@ const msalPlugins = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The AzureLogger used for all clients within the identity package
  */
@@ -273,7 +273,7 @@ function credentialLogger(title, log = logger$l) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function isErrorResponse(errorResponse) {
     return (errorResponse &&
         typeof errorResponse.error === "string" &&
@@ -289,8 +289,9 @@ const CredentialUnavailableErrorName = "CredentialUnavailableError";
  * an error that should halt the chain, it's caught and the chain continues
  */
 class CredentialUnavailableError extends Error {
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
+        super(message, options);
         this.name = CredentialUnavailableErrorName;
     }
 }
@@ -304,8 +305,7 @@ const AuthenticationErrorName = "AuthenticationError";
  * the specific failure.
  */
 class AuthenticationError extends Error {
-    // eslint-disable-next-line @typescript-eslint/ban-types
-    constructor(statusCode, errorBody) {
+    constructor(statusCode, errorBody, options) {
         let errorResponse = {
             error: "unknown",
             errorDescription: "An unknown error occurred and no additional details are available.",
@@ -323,8 +323,8 @@ class AuthenticationError extends Error {
             catch (e) {
                 if (statusCode === 400) {
                     errorResponse = {
-                        error: "authority_not_found",
-                        errorDescription: "The specified authority URL was not found.",
+                        error: "invalid_request",
+                        errorDescription: `The service indicated that the request was invalid.\n\n${errorBody}`,
                     };
                 }
                 else {
@@ -341,7 +341,9 @@ class AuthenticationError extends Error {
                 errorDescription: "An unknown error occurred and no additional details are available.",
             };
         }
-        super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription}`);
+        super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription},`, 
+        // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
+        options);
         this.statusCode = statusCode;
         this.errorResponse = errorResponse;
         // Ensure that this type reports the correct name
@@ -384,7 +386,9 @@ class AuthenticationRequiredError extends Error {
      * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
      */
     options) {
-        super(options.message);
+        super(options.message, 
+        // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
+        options.cause ? { cause: options.cause } : undefined);
         this.scopes = options.scopes;
         this.getTokenOptions = options.getTokenOptions;
         this.name = "AuthenticationRequiredError";
@@ -392,7 +396,7 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function createConfigurationErrorMessage(tenantId) {
     return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
 }
@@ -426,7 +430,7 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -467,7 +471,7 @@ function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function getIdentityTokenEndpointSuffix(tenantId) {
     if (tenantId === "adfs") {
         return "oauth2/token";
@@ -478,7 +482,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -490,14 +494,14 @@ const tracingClient = coreTracing.createTracingClient({
 });
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const DefaultScopeSuffix = "/.default";
 const imdsHost = "http://169.254.169.254";
 const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -546,9 +550,34 @@ function parseExpirationTimestamp(body) {
     }
     throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
 }
+/**
+ * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
+ * @param body - A parsed response body from the authentication endpoint.
+ */
+function parseRefreshTimestamp(body) {
+    if (body.refresh_on) {
+        if (typeof body.refresh_on === "number") {
+            return body.refresh_on * 1000;
+        }
+        if (typeof body.refresh_on === "string") {
+            const asNumber = +body.refresh_on;
+            if (!isNaN(asNumber)) {
+                return asNumber * 1000;
+            }
+            const asDate = Date.parse(body.refresh_on);
+            if (!isNaN(asDate)) {
+                return asDate;
+            }
+        }
+        throw new Error(`Failed to parse refresh_on from body. refresh_on="${body.refresh_on}"`);
+    }
+    else {
+        return undefined;
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -610,6 +639,7 @@ class IdentityClient extends coreClient.ServiceClient {
                 accessToken: {
                     token: parsedBody.access_token,
                     expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
+                    refreshAfterTimestamp: parseRefreshTimestamp(parsedBody),
                 },
                 refreshToken: parsedBody.refresh_token,
             };
@@ -674,7 +704,7 @@ class IdentityClient extends coreClient.ServiceClient {
     // Here is a custom layer that allows us to abort requests that go through MSAL,
     // since MSAL doesn't allow us to pass options all the way through.
     generateAbortSignal(correlationId) {
-        const controller = new abortController.AbortController();
+        const controller = new AbortController();
         const controllers = this.abortControllers.get(correlationId) || [];
         controllers.push(controller);
         this.abortControllers.set(correlationId, controllers);
@@ -682,7 +712,7 @@ class IdentityClient extends coreClient.ServiceClient {
         controller.signal.onabort = (...params) => {
             this.abortControllers.set(correlationId, undefined);
             if (existingOnAbort) {
-                existingOnAbort(...params);
+                existingOnAbort.apply(controller.signal, params);
             }
         };
         return controller.signal;
@@ -785,7 +815,7 @@ class IdentityClient extends coreClient.ServiceClient {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const logger$k = credentialLogger("VisualStudioCodeCredential");
@@ -966,7 +996,7 @@ class VisualStudioCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -1009,7 +1039,7 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -1042,6 +1072,19 @@ function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
         throw error(`Response had no "accessToken" property.`);
     }
 }
+/**
+ * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.
+ *
+ * Defaults to {@link DefaultAuthorityHost}.
+ * @internal
+ */
+function getAuthorityHost(options) {
+    let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
+    if (!authorityHost && coreUtil.isNodeLike) {
+        authorityHost = process.env.AZURE_AUTHORITY_HOST;
+    }
+    return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
+}
 /**
  * Generates a valid authority by combining a host with a tenantId.
  * @internal
@@ -1211,7 +1254,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const msiName$1 = "ManagedIdentityCredential - IMDS";
 const logger$i = credentialLogger(msiName$1);
 /**
@@ -1348,7 +1391,7 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 // Matches the default retry configuration in expontentialRetryStrategy.ts
 const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
 /**
@@ -1367,14 +1410,10 @@ function imdsRetryPolicy(msiRetryConfig) {
                 if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
                     return { skipStrategy: true };
                 }
-                // Exponentially increase the delay each time
-                const exponentialDelay = msiRetryConfig.startDelayInMs * Math.pow(2, retryCount);
-                // Don't let the delay exceed the maximum
-                const clampedExponentialDelay = Math.min(DEFAULT_CLIENT_MAX_RETRY_INTERVAL, exponentialDelay);
-                // Allow the final value to have some "jitter" (within 50% of the delay size) so
-                // that retries across multiple clients don't occur simultaneously.
-                const retryAfterInMs = clampedExponentialDelay / 2 + coreUtil.getRandomIntegerInclusive(0, clampedExponentialDelay / 2);
-                return { retryAfterInMs };
+                return coreUtil.calculateRetryDelay(retryCount, {
+                    retryDelayInMs: msiRetryConfig.startDelayInMs,
+                    maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
+                });
             },
         },
     ], {
@@ -1383,7 +1422,7 @@ function imdsRetryPolicy(msiRetryConfig) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
  */
@@ -1523,7 +1562,11 @@ function calculateRegionalAuthority(regionalAuthority) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
+/**
+ * The default logger used if no logger was passed in by the credential.
+ */
+const msalLogger = credentialLogger("MsalClient");
 /**
  * A call to open(), but mockable
  * @internal
@@ -1531,13 +1574,6 @@ function calculateRegionalAuthority(regionalAuthority) {
 const interactiveBrowserMockable = {
     open,
 };
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The default logger used if no logger was passed in by the credential.
- */
-const msalLogger = credentialLogger("MsalClient");
 /**
  * Generates the configuration for MSAL (Microsoft Authentication Library).
  *
@@ -1547,10 +1583,10 @@ const msalLogger = credentialLogger("MsalClient");
  * @returns  The MSAL configuration object.
  */
 function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c;
     const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
     // TODO: move and reuse getIdentityClientAuthorityHost
-    const authority = getAuthority(resolvedTenant, (_b = msalClientOptions.authorityHost) !== null && _b !== void 0 ? _b : process.env.AZURE_AUTHORITY_HOST);
+    const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));
     const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
     const msalConfig = {
         auth: {
@@ -1561,9 +1597,9 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
         system: {
             networkClient: httpClient,
             loggerOptions: {
-                loggerCallback: defaultLoggerCallback((_c = msalClientOptions.logger) !== null && _c !== void 0 ? _c : msalLogger),
+                loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
                 logLevel: getMSALLogLevel(logger$m.getLogLevel()),
-                piiLoggingEnabled: (_d = msalClientOptions.loggingOptions) === null || _d === void 0 ? void 0 : _d.enableUnsafeSupportLogging,
+                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
             },
         },
     };
@@ -1668,7 +1704,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      */
     function calculateRequestAuthority(options) {
         if (options === null || options === void 0 ? void 0 : options.tenantId) {
-            return getAuthority(options.tenantId, createMsalClientOptions.authorityHost);
+            return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));
         }
         return state.msalConfig.auth.authority;
     }
@@ -1683,7 +1719,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
      */
     async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
-        var _a;
+        var _a, _b;
         let response = null;
         try {
             response = await getTokenSilent(msalApp, scopes, options);
@@ -1716,9 +1752,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return {
             token: response.accessToken,
             expiresOnTimestamp: response.expiresOn.getTime(),
+            refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
         };
     }
     async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client secret`);
         state.msalConfig.auth.clientSecret = clientSecret;
         const msalApp = await getConfidentialApp(options);
@@ -1734,6 +1772,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1741,6 +1780,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client assertion`);
         state.msalConfig.auth.clientAssertion = clientAssertion;
         const msalApp = await getConfidentialApp(options);
@@ -1757,6 +1797,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1764,6 +1805,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientCertificate(scopes, certificate, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client certificate`);
         state.msalConfig.auth.clientCertificate = certificate;
         const msalApp = await getConfidentialApp(options);
@@ -1779,6 +1821,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1849,6 +1892,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         });
     }
     async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
+        var _a;
         msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
         if (typeof clientCredentials === "string") {
             // Client secret
@@ -1878,6 +1922,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
             };
         }
         catch (err) {
@@ -1966,7 +2011,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$h = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
@@ -1983,8 +2028,14 @@ class ClientAssertionCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, getAssertion, options = {}) {
-        if (!tenantId || !clientId || !getAssertion) {
-            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
+        if (!tenantId) {
+            throw new CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter.");
+        }
+        if (!getAssertion) {
+            throw new CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter.");
         }
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
@@ -2010,7 +2061,7 @@ class ClientAssertionCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$4 = "WorkloadIdentityCredential";
 /**
  * Contains the list of all supported environment variable names so that an
@@ -2059,10 +2110,20 @@ class WorkloadIdentityCredential {
         if (tenantId) {
             checkTenantId(logger$g, tenantId);
         }
-        if (clientId && tenantId && this.federatedTokenFilePath) {
-            logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
-            this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. clientId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_CLIENT_ID".
+        See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
         }
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_TENANT_ID".
+        See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
+        }
+        if (!this.federatedTokenFilePath) {
+            throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_FEDERATED_TOKEN_FILE".
+        See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
+        }
+        logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
+        this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2078,7 +2139,7 @@ class WorkloadIdentityCredential {
       In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
       "AZURE_TENANT_ID",
       "AZURE_CLIENT_ID",
-      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  `;
+      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`;
             logger$g.info(errorMessage);
             throw new CredentialUnavailableError(errorMessage);
         }
@@ -2109,7 +2170,7 @@ class WorkloadIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const msiName = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName);
 /**
@@ -2136,7 +2197,7 @@ const tokenExchangeMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$e = credentialLogger("ManagedIdentityCredential(MSAL)");
 class MsalMsiProvider {
     constructor(clientIdOrOptions, options = {}) {
@@ -2156,9 +2217,11 @@ class MsalMsiProvider {
             _options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
         }
         this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
+        this.objectId = _options === null || _options === void 0 ? void 0 : _options.objectId;
         // For JavaScript users.
-        if (this.clientId && this.resourceId) {
-            throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
+        const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);
+        if (providedIds.length > 1) {
+            throw new Error(`ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify({ clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId })}`);
         }
         // ManagedIdentity uses http for local requests
         _options.allowInsecureConnection = true;
@@ -2170,6 +2233,7 @@ class MsalMsiProvider {
             managedIdentityIdParams: {
                 userAssignedClientId: this.clientId,
                 userAssignedResourceId: this.resourceId,
+                userAssignedObjectId: this.objectId,
             },
             system: {
                 // todo: proxyUrl?
@@ -2185,6 +2249,17 @@ class MsalMsiProvider {
         this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
                 maxRetries: 0,
             } }));
+        // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.
+        if (this.managedIdentityApp.getManagedIdentitySource() === "CloudShell") {
+            if (this.clientId || this.resourceId || this.objectId) {
+                logger$e.warning(`CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify({
+                    clientId: this.clientId,
+                    resourceId: this.resourceId,
+                    objectId: this.objectId,
+                })}.`);
+                throw new CredentialUnavailableError("ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.");
+            }
+        }
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2202,6 +2277,7 @@ class MsalMsiProvider {
             throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
         }
         return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
+            var _a;
             try {
                 const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
                     scopes,
@@ -2217,6 +2293,7 @@ class MsalMsiProvider {
                 // We will continue to implement these features in the Identity library.
                 const identitySource = this.managedIdentityApp.getManagedIdentitySource();
                 const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.
+                logger$e.getToken.info(`MSAL Identity source: ${identitySource}`);
                 if (isTokenExchangeMsi) {
                     // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.
                     logger$e.getToken.info("Using the token exchange managed identity.");
@@ -2228,7 +2305,7 @@ class MsalMsiProvider {
                         resourceId: this.resourceId,
                     });
                     if (result === null) {
-                        throw new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
+                        throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response.");
                     }
                     return result;
                 }
@@ -2244,7 +2321,7 @@ class MsalMsiProvider {
                         resourceId: this.resourceId,
                     });
                     if (!isAvailable) {
-                        throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is not available.`);
+                        throw new CredentialUnavailableError(`Attempted to use the IMDS endpoint, but it is not available.`);
                     }
                 }
                 // If we got this far, it means:
@@ -2260,6 +2337,7 @@ class MsalMsiProvider {
                 return {
                     expiresOnTimestamp: token.expiresOn.getTime(),
                     token: token.accessToken,
+                    refreshAfterTimestamp: (_a = token.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
                 };
             }
             catch (err) {
@@ -2270,9 +2348,9 @@ class MsalMsiProvider {
                     throw err;
                 }
                 if (isNetworkError(err)) {
-                    throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`);
+                    throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err });
                 }
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err });
             }
         });
     }
@@ -2289,7 +2367,7 @@ class MsalMsiProvider {
             });
         };
         if (!msalToken) {
-            throw createError("No response");
+            throw createError("No response.");
         }
         if (!msalToken.expiresOn) {
             throw createError(`Response had no "expiresOn" property.`);
@@ -2319,7 +2397,7 @@ function isNetworkError(err) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
  * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
@@ -2355,7 +2433,7 @@ class ManagedIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2383,7 +2461,7 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2550,7 +2628,7 @@ class AzureCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -2714,7 +2792,7 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2745,7 +2823,7 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$b = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
@@ -2848,33 +2926,45 @@ class AzurePowerShellCredential {
                 commandStack.shift();
                 continue;
             }
-            let tenantSection = "";
-            if (tenantId) {
-                tenantSection = `-TenantId "${tenantId}"`;
-            }
             const results = await runCommands([
                 [
                     powerShellCommand,
                     "-NoProfile",
                     "-NonInteractive",
                     "-Command",
-                    "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
-                ],
-                [
-                    powerShellCommand,
-                    "-NoProfile",
-                    "-NonInteractive",
-                    "-Command",
-                    `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
+                    `
+          $tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
+          $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
+          $useSecureString = $m.Version -ge [version]'2.17.0'
+
+          $params = @{
+            ResourceUrl = "${resource}"
+          }
+
+          if ($tenantId.Length -gt 0) {
+            $params["TenantId"] = $tenantId
+          }
+
+          if ($useSecureString) {
+            $params["AsSecureString"] = $true
+          }
+
+          $token = Get-AzAccessToken @params
+
+          $result = New-Object -TypeName PSObject
+          $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
+          if ($useSecureString) {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
+          } else {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
+          }
+
+          Write-Output (ConvertTo-Json $result)
+          `,
                 ],
             ]);
-            const result = results[1];
-            try {
-                return JSON.parse(result);
-            }
-            catch (e) {
-                throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
-            }
+            const result = results[0];
+            return parseJsonToken(result);
         }
         throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
@@ -2921,9 +3011,41 @@ class AzurePowerShellCredential {
         });
     }
 }
+/**
+ *
+ * @internal
+ */
+async function parseJsonToken(result) {
+    const jsonRegex = /{[^{}]*}/g;
+    const matches = result.match(jsonRegex);
+    let resultWithoutToken = result;
+    if (matches) {
+        try {
+            for (const item of matches) {
+                try {
+                    const jsonContent = JSON.parse(item);
+                    if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
+                        resultWithoutToken = resultWithoutToken.replace(item, "");
+                        if (resultWithoutToken) {
+                            logger$b.getToken.warning(resultWithoutToken);
+                        }
+                        return jsonContent;
+                    }
+                }
+                catch (e) {
+                    continue;
+                }
+            }
+        }
+        catch (e) {
+            throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
+        }
+    }
+    throw new Error(`No access token found in the output. Received output: ${result}`);
+}
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -3002,7 +3124,7 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$3 = "ClientCertificateCredential";
 const logger$9 = credentialLogger(credentialName$3);
 /**
@@ -3053,7 +3175,8 @@ class ClientCertificateCredential {
         });
     }
     async buildClientCertificate() {
-        const parts = await this.parseCertificate();
+        var _a;
+        const parts = await parseCertificate(this.certificateConfiguration, (_a = this.sendCertificateChain) !== null && _a !== void 0 ? _a : false);
         let privateKey;
         if (this.certificateConfiguration.certificatePassword !== undefined) {
             privateKey = crypto.createPrivateKey({
@@ -3076,38 +3199,45 @@ class ClientCertificateCredential {
             x5c: parts.x5c,
         };
     }
-    async parseCertificate() {
-        const certificate = this.certificateConfiguration.certificate;
-        const certificatePath = this.certificateConfiguration.certificatePath;
-        const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
-        const x5c = this.sendCertificateChain ? certificateContents : undefined;
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+}
+/**
+ * Parses a certificate into its relevant parts
+ *
+ * @param certificateConfiguration - The certificate contents or path to the certificate
+ * @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise
+ * @returns The parsed certificate parts and the certificate contents
+ */
+async function parseCertificate(certificateConfiguration, sendCertificateChain) {
+    const certificate = certificateConfiguration.certificate;
+    const certificatePath = certificateConfiguration.certificatePath;
+    const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
+    const x5c = sendCertificateChain ? certificateContents : undefined;
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
         }
-        const thumbprint = crypto.createHash("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return {
-            certificateContents,
-            thumbprint,
-            x5c,
-        };
-    }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    }
+    const thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return {
+        certificateContents,
+        thumbprint,
+        x5c,
+    };
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$8 = credentialLogger("ClientSecretCredential");
 /**
  * Enables authentication to Microsoft Entra ID using a client secret
@@ -3129,8 +3259,14 @@ class ClientSecretCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, clientSecret, options = {}) {
-        if (!tenantId || !clientId || !clientSecret) {
-            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        if (!tenantId) {
+            throw new CredentialUnavailableError("ClientSecretCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("ClientSecretCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        }
+        if (!clientSecret) {
+            throw new CredentialUnavailableError("ClientSecretCredential: clientSecret is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
         this.clientSecret = clientSecret;
         this.tenantId = tenantId;
@@ -3155,7 +3291,7 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$7 = credentialLogger("UsernamePasswordCredential");
 /**
  * Enables authentication to Microsoft Entra ID with a user's
@@ -3176,8 +3312,17 @@ class UsernamePasswordCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, username, password, options = {}) {
-        if (!tenantId || !clientId || !username || !password) {
-            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        if (!tenantId) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!username) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!password) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
@@ -3207,7 +3352,7 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3224,6 +3369,7 @@ const AllSupportedEnvironmentVariables = [
     "AZURE_USERNAME",
     "AZURE_PASSWORD",
     "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
+    "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
 ];
 function getAdditionallyAllowedTenants() {
     var _a;
@@ -3232,6 +3378,13 @@ function getAdditionallyAllowedTenants() {
 }
 const credentialName$2 = "EnvironmentCredential";
 const logger$6 = credentialLogger(credentialName$2);
+function getSendCertificateChain() {
+    var _a;
+    const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase();
+    const result = sendCertificateChain === "true" || sendCertificateChain === "1";
+    logger$6.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`);
+    return result;
+}
 /**
  * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
  * with a username and password.
@@ -3251,6 +3404,7 @@ class EnvironmentCredential {
      * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
      * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
      * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
      *
      * Alternatively, users can provide environment variables for username and password authentication:
      * - `AZURE_USERNAME`: Username to authenticate with.
@@ -3268,7 +3422,8 @@ class EnvironmentCredential {
         logger$6.info(`Found the following environment variables: ${assigned}`);
         const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
         const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
-        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
+        const sendCertificateChain = getSendCertificateChain();
+        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain });
         if (tenantId) {
             checkTenantId(logger$6, tenantId);
         }
@@ -3320,7 +3475,7 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$5 = credentialLogger("DefaultAzureCredential");
 /**
  * Creates a {@link ManagedIdentityCredential} from the provided options.
@@ -3463,7 +3618,7 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$4 = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Microsoft Entra ID inside of the web browser
@@ -3529,7 +3684,7 @@ class InteractiveBrowserCredential {
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
-     * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
+     * If the token can't be retrieved silently, this method will always generate a challenge for the user.
      *
      * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
      * PKCE is a security feature that mitigates authentication code interception attacks.
@@ -3548,7 +3703,7 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$3 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -3615,7 +3770,7 @@ class DeviceCodeCredential {
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
-     * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
+     * If the token can't be retrieved silently, this method will always generate a challenge for the user.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -3631,7 +3786,7 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$1 = "AzurePipelinesCredential";
 const logger$2 = credentialLogger(credentialName$1);
 const OIDC_API_VERSION = "7.1";
@@ -3649,8 +3804,17 @@ class AzurePipelinesCredential {
      * @param options - The identity client options to use for authentication.
      */
     constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options) {
-        if (!clientId || !tenantId || !serviceConnectionId || !systemAccessToken) {
-            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId, clientId, serviceConnectionId, and systemAccessToken are required parameters.`);
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. clientId is a required parameter.`);
+        }
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId is a required parameter.`);
+        }
+        if (!serviceConnectionId) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. serviceConnectionId is a required parameter.`);
+        }
+        if (!systemAccessToken) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. systemAccessToken is a required parameter.`);
         }
         this.identityClient = new IdentityClient(options);
         checkTenantId(logger$2, tenantId);
@@ -3703,35 +3867,50 @@ class AzurePipelinesCredential {
             }),
         });
         const response = await this.identityClient.sendRequest(request);
-        const text = response.bodyAsText;
-        if (!text) {
-            logger$2.error(`${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
-            throw new AuthenticationError(response.status, `${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        return handleOidcResponse(response);
+    }
+}
+function handleOidcResponse(response) {
+    const text = response.bodyAsText;
+    if (!text) {
+        logger$2.error(`${credentialName$1}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        throw new AuthenticationError(response.status, {
+            error: `${credentialName$1}: Authentication Failed. Received null token from OIDC request.`,
+            error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
+    try {
+        const result = JSON.parse(text);
+        if (result === null || result === void 0 ? void 0 : result.oidcToken) {
+            return result.oidcToken;
         }
-        try {
-            const result = JSON.parse(text);
-            if (result === null || result === void 0 ? void 0 : result.oidcToken) {
-                return result.oidcToken;
-            }
-            else {
-                let errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
-                if (response.status !== 200) {
-                    errorMessage += `Response = ${JSON.stringify(result)}`;
-                }
-                logger$2.error(errorMessage);
-                throw new AuthenticationError(response.status, errorMessage);
+        else {
+            const errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
+            let errorDescription = ``;
+            if (response.status !== 200) {
+                errorDescription = `Complete response - ${JSON.stringify(result)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
             }
-        }
-        catch (e) {
-            logger$2.error(e.message);
-            logger$2.error(`${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
-            throw new AuthenticationError(response.status, `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
+            logger$2.error(errorMessage);
+            logger$2.error(errorDescription);
+            throw new AuthenticationError(response.status, {
+                error: errorMessage,
+                error_description: errorDescription,
+            });
         }
     }
+    catch (e) {
+        const errorDetails = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
+        logger$2.error(`Response from service = ${text} and error message = ${e.message}`);
+        logger$2.error(errorDetails);
+        throw new AuthenticationError(response.status, {
+            error: errorDetails,
+            error_description: `Response = ${text}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Microsoft Entra ID using an authorization code
@@ -3785,7 +3964,7 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
@@ -3797,11 +3976,17 @@ class OnBehalfOfCredential {
         const { certificatePath, sendCertificateChain } = options;
         const { getAssertion } = options;
         const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
-        if (!tenantId ||
-            !clientId ||
-            !(clientSecret || certificatePath || getAssertion) ||
-            !userAssertionToken) {
-            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath or getAssertion) and userAssertionToken are required parameters.`);
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!clientSecret && !certificatePath && !getAssertion) {
+            throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!userAssertionToken) {
+            throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
         this.certificatePath = certificatePath;
         this.clientSecret = clientSecret;
@@ -3883,7 +4068,7 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Returns a callback that provides a bearer token.
  * For example, the bearer token can be used to authenticate a request as follows:
@@ -3934,7 +4119,7 @@ function getBearerTokenProvider(credential, scopes, options) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */