@azure/identity 4.5.0-beta.2 → 4.5.0

package/dist/index.js

@@ -40,11 +40,11 @@ var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
 var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.5.0-beta.2`;
+const SDK_VERSION = `4.5.0`;
 /**
  * The default client ID for authentication
  * @internal
@@ -107,7 +107,7 @@ const CACHE_NON_CAE_SUFFIX = "nocae";
 const DEFAULT_TOKEN_CACHE_NAME = "msal.cache";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -190,7 +190,7 @@ const msalPlugins = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The AzureLogger used for all clients within the identity package
  */
@@ -273,7 +273,7 @@ function credentialLogger(title, log = logger$l) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function isErrorResponse(errorResponse) {
     return (errorResponse &&
         typeof errorResponse.error === "string" &&
@@ -305,7 +305,6 @@ const AuthenticationErrorName = "AuthenticationError";
  * the specific failure.
  */
 class AuthenticationError extends Error {
-    // eslint-disable-next-line @typescript-eslint/ban-types
     constructor(statusCode, errorBody, options) {
         let errorResponse = {
             error: "unknown",
@@ -397,7 +396,7 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function createConfigurationErrorMessage(tenantId) {
     return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
 }
@@ -431,7 +430,7 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -472,7 +471,7 @@ function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 function getIdentityTokenEndpointSuffix(tenantId) {
     if (tenantId === "adfs") {
         return "oauth2/token";
@@ -483,7 +482,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -495,14 +494,14 @@ const tracingClient = coreTracing.createTracingClient({
 });
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const DefaultScopeSuffix = "/.default";
 const imdsHost = "http://169.254.169.254";
 const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -551,9 +550,34 @@ function parseExpirationTimestamp(body) {
     }
     throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
 }
+/**
+ * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
+ * @param body - A parsed response body from the authentication endpoint.
+ */
+function parseRefreshTimestamp(body) {
+    if (body.refresh_on) {
+        if (typeof body.refresh_on === "number") {
+            return body.refresh_on * 1000;
+        }
+        if (typeof body.refresh_on === "string") {
+            const asNumber = +body.refresh_on;
+            if (!isNaN(asNumber)) {
+                return asNumber * 1000;
+            }
+            const asDate = Date.parse(body.refresh_on);
+            if (!isNaN(asDate)) {
+                return asDate;
+            }
+        }
+        throw new Error(`Failed to parse refresh_on from body. refresh_on="${body.refresh_on}"`);
+    }
+    else {
+        return undefined;
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -615,6 +639,8 @@ class IdentityClient extends coreClient.ServiceClient {
                 accessToken: {
                     token: parsedBody.access_token,
                     expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
+                    refreshAfterTimestamp: parseRefreshTimestamp(parsedBody),
+                    tokenType: "Bearer",
                 },
                 refreshToken: parsedBody.refresh_token,
             };
@@ -790,7 +816,7 @@ class IdentityClient extends coreClient.ServiceClient {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const logger$k = credentialLogger("VisualStudioCodeCredential");
@@ -971,7 +997,7 @@ class VisualStudioCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -992,18 +1018,16 @@ const pluginContext = {
  *
  * Example:
  *
- * ```javascript
- * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+ * ```ts snippet:consumer_example
+ * import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
  *
- * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
  * useIdentityPlugin(cachePersistencePlugin);
- *
- * // The plugin has the capability to extend `DefaultAzureCredential` and to
+ * // The plugin has the capability to extend `DeviceCodeCredential` and to
  * // add middleware to the underlying credentials, such as persistence.
- * const credential = new DefaultAzureCredential({
+ * const credential = new DeviceCodeCredential({
  *   tokenCachePersistenceOptions: {
- *     enabled: true
- *   }
+ *     enabled: true,
+ *   },
  * });
  * ```
  *
@@ -1014,7 +1038,7 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -1047,6 +1071,19 @@ function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
         throw error(`Response had no "accessToken" property.`);
     }
 }
+/**
+ * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.
+ *
+ * Defaults to {@link DefaultAuthorityHost}.
+ * @internal
+ */
+function getAuthorityHost(options) {
+    let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
+    if (!authorityHost && coreUtil.isNodeLike) {
+        authorityHost = process.env.AZURE_AUTHORITY_HOST;
+    }
+    return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
+}
 /**
  * Generates a valid authority by combining a host with a tenantId.
  * @internal
@@ -1146,7 +1183,8 @@ function handleMsalError(scopes, error, getTokenOptions) {
     }
     if (error.name === "ClientConfigurationError" ||
         error.name === "BrowserConfigurationAuthError" ||
-        error.name === "AbortError") {
+        error.name === "AbortError" ||
+        error.name === "AuthenticationError") {
         return error;
     }
     if (error.name === "NativeAuthError") {
@@ -1216,7 +1254,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const msiName$1 = "ManagedIdentityCredential - IMDS";
 const logger$i = credentialLogger(msiName$1);
 /**
@@ -1353,7 +1391,7 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 // Matches the default retry configuration in expontentialRetryStrategy.ts
 const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
 /**
@@ -1372,14 +1410,10 @@ function imdsRetryPolicy(msiRetryConfig) {
                 if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
                     return { skipStrategy: true };
                 }
-                // Exponentially increase the delay each time
-                const exponentialDelay = msiRetryConfig.startDelayInMs * Math.pow(2, retryCount);
-                // Don't let the delay exceed the maximum
-                const clampedExponentialDelay = Math.min(DEFAULT_CLIENT_MAX_RETRY_INTERVAL, exponentialDelay);
-                // Allow the final value to have some "jitter" (within 50% of the delay size) so
-                // that retries across multiple clients don't occur simultaneously.
-                const retryAfterInMs = clampedExponentialDelay / 2 + coreUtil.getRandomIntegerInclusive(0, clampedExponentialDelay / 2);
-                return { retryAfterInMs };
+                return coreUtil.calculateRetryDelay(retryCount, {
+                    retryDelayInMs: msiRetryConfig.startDelayInMs,
+                    maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
+                });
             },
         },
     ], {
@@ -1388,7 +1422,7 @@ function imdsRetryPolicy(msiRetryConfig) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
  */
@@ -1528,7 +1562,7 @@ function calculateRegionalAuthority(regionalAuthority) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * The default logger used if no logger was passed in by the credential.
  */
@@ -1549,10 +1583,10 @@ const interactiveBrowserMockable = {
  * @returns  The MSAL configuration object.
  */
 function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c;
     const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
     // TODO: move and reuse getIdentityClientAuthorityHost
-    const authority = getAuthority(resolvedTenant, (_b = msalClientOptions.authorityHost) !== null && _b !== void 0 ? _b : process.env.AZURE_AUTHORITY_HOST);
+    const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));
     const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
     const msalConfig = {
         auth: {
@@ -1563,9 +1597,9 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
         system: {
             networkClient: httpClient,
             loggerOptions: {
-                loggerCallback: defaultLoggerCallback((_c = msalClientOptions.logger) !== null && _c !== void 0 ? _c : msalLogger),
+                loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
                 logLevel: getMSALLogLevel(logger$m.getLogLevel()),
-                piiLoggingEnabled: (_d = msalClientOptions.loggingOptions) === null || _d === void 0 ? void 0 : _d.enableUnsafeSupportLogging,
+                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
             },
         },
     };
@@ -1661,6 +1695,12 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
                 silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
             }
         }
+        if (options.proofOfPossessionOptions) {
+            silentRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+            silentRequest.authenticationScheme = "pop";
+            silentRequest.resourceRequestMethod = options.proofOfPossessionOptions.resourceRequestMethod;
+            silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+        }
         state.logger.getToken.info("Attempting to acquire token silently");
         return app.acquireTokenSilent(silentRequest);
     }
@@ -1670,7 +1710,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      */
     function calculateRequestAuthority(options) {
         if (options === null || options === void 0 ? void 0 : options.tenantId) {
-            return getAuthority(options.tenantId, createMsalClientOptions.authorityHost);
+            return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));
         }
         return state.msalConfig.auth.authority;
     }
@@ -1685,7 +1725,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
      */
     async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
-        var _a;
+        var _a, _b;
         let response = null;
         try {
             response = await getTokenSilent(msalApp, scopes, options);
@@ -1718,9 +1758,12 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return {
             token: response.accessToken,
             expiresOnTimestamp: response.expiresOn.getTime(),
+            refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
+            tokenType: response.tokenType,
         };
     }
     async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client secret`);
         state.msalConfig.auth.clientSecret = clientSecret;
         const msalApp = await getConfidentialApp(options);
@@ -1736,6 +1779,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
             };
         }
         catch (err) {
@@ -1743,6 +1788,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client assertion`);
         state.msalConfig.auth.clientAssertion = clientAssertion;
         const msalApp = await getConfidentialApp(options);
@@ -1759,6 +1805,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
             };
         }
         catch (err) {
@@ -1766,6 +1814,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
     }
     async function getTokenByClientCertificate(scopes, certificate, options = {}) {
+        var _a;
         state.logger.getToken.info(`Attempting to acquire token using client certificate`);
         state.msalConfig.auth.clientCertificate = certificate;
         const msalApp = await getConfidentialApp(options);
@@ -1781,6 +1830,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
             };
         }
         catch (err) {
@@ -1851,6 +1902,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         });
     }
     async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
+        var _a;
         msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
         if (typeof clientCredentials === "string") {
             // Client secret
@@ -1880,6 +1932,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             return {
                 token: response.accessToken,
                 expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
             };
         }
         catch (err) {
@@ -1917,6 +1971,13 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             else {
                 msalLogger.verbose("Attempting broker authentication without the default broker account");
             }
+            if (options.proofOfPossessionOptions) {
+                interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+                interactiveRequest.authenticationScheme = "pop";
+                interactiveRequest.resourceRequestMethod =
+                    options.proofOfPossessionOptions.resourceRequestMethod;
+                interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+            }
             try {
                 return await app.acquireTokenInteractive(interactiveRequest);
             }
@@ -1951,6 +2012,13 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             if (state.pluginConfiguration.broker.isEnabled) {
                 return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
             }
+            if (options.proofOfPossessionOptions) {
+                interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+                interactiveRequest.authenticationScheme = "pop";
+                interactiveRequest.resourceRequestMethod =
+                    options.proofOfPossessionOptions.resourceRequestMethod;
+                interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+            }
             return app.acquireTokenInteractive(interactiveRequest);
         });
     }
@@ -1968,7 +2036,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$h = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
@@ -2018,7 +2086,7 @@ class ClientAssertionCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$4 = "WorkloadIdentityCredential";
 /**
  * Contains the list of all supported environment variable names so that an
@@ -2127,7 +2195,7 @@ class WorkloadIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const msiName = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName);
 /**
@@ -2154,7 +2222,7 @@ const tokenExchangeMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$e = credentialLogger("ManagedIdentityCredential(MSAL)");
 class MsalMsiProvider {
     constructor(clientIdOrOptions, options = {}) {
@@ -2174,9 +2242,11 @@ class MsalMsiProvider {
             _options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
         }
         this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
+        this.objectId = _options === null || _options === void 0 ? void 0 : _options.objectId;
         // For JavaScript users.
-        if (this.clientId && this.resourceId) {
-            throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
+        const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);
+        if (providedIds.length > 1) {
+            throw new Error(`ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify({ clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId })}`);
         }
         // ManagedIdentity uses http for local requests
         _options.allowInsecureConnection = true;
@@ -2188,6 +2258,7 @@ class MsalMsiProvider {
             managedIdentityIdParams: {
                 userAssignedClientId: this.clientId,
                 userAssignedResourceId: this.resourceId,
+                userAssignedObjectId: this.objectId,
             },
             system: {
                 // todo: proxyUrl?
@@ -2203,6 +2274,17 @@ class MsalMsiProvider {
         this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
                 maxRetries: 0,
             } }));
+        // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.
+        if (this.managedIdentityApp.getManagedIdentitySource() === "CloudShell") {
+            if (this.clientId || this.resourceId || this.objectId) {
+                logger$e.warning(`CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify({
+                    clientId: this.clientId,
+                    resourceId: this.resourceId,
+                    objectId: this.objectId,
+                })}.`);
+                throw new CredentialUnavailableError("ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.");
+            }
+        }
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2220,6 +2302,7 @@ class MsalMsiProvider {
             throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
         }
         return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
+            var _a;
             try {
                 const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
                     scopes,
@@ -2263,7 +2346,7 @@ class MsalMsiProvider {
                         resourceId: this.resourceId,
                     });
                     if (!isAvailable) {
-                        throw new CredentialUnavailableError(`ManagedIdentityCredential: Attempted to use the IMDS endpoint, but it is not available.`);
+                        throw new CredentialUnavailableError(`Attempted to use the IMDS endpoint, but it is not available.`);
                     }
                 }
                 // If we got this far, it means:
@@ -2279,6 +2362,8 @@ class MsalMsiProvider {
                 return {
                     expiresOnTimestamp: token.expiresOn.getTime(),
                     token: token.accessToken,
+                    refreshAfterTimestamp: (_a = token.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                    tokenType: "Bearer",
                 };
             }
             catch (err) {
@@ -2338,7 +2423,7 @@ function isNetworkError(err) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
  * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
@@ -2374,7 +2459,7 @@ class ManagedIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2402,7 +2487,7 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2553,6 +2638,7 @@ class AzureCliCredential {
             return {
                 token,
                 expiresOnTimestamp,
+                tokenType: "Bearer",
             };
         }
         // fallback to the older expiresOn - an RFC3339 date string
@@ -2564,12 +2650,13 @@ class AzureCliCredential {
         return {
             token,
             expiresOnTimestamp,
+            tokenType: "Bearer",
         };
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -2712,6 +2799,7 @@ class AzureDeveloperCliCredential {
                     return {
                         token: resp.token,
                         expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
+                        tokenType: "Bearer",
                     };
                 }
                 catch (e) {
@@ -2733,7 +2821,7 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2764,7 +2852,7 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$b = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
@@ -2932,6 +3020,7 @@ class AzurePowerShellCredential {
                 return {
                     token: response.Token,
                     expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
+                    tokenType: "Bearer",
                 };
             }
             catch (err) {
@@ -2986,7 +3075,7 @@ async function parseJsonToken(result) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * @internal
  */
@@ -3002,7 +3091,14 @@ class ChainedTokenCredential {
      * @param sources - `TokenCredential` implementations to be tried in order.
      *
      * Example usage:
-     * ```javascript
+     * ```ts snippet:chained_token_credential_example
+     * import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
+     *
+     * const tenantId = "<tenant-id>";
+     * const clientId = "<client-id>";
+     * const clientSecret = "<client-secret>";
+     * const anotherClientId = "<another-client-id>";
+     * const anotherSecret = "<another-client-secret>";
      * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
      * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
      * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
@@ -3065,7 +3161,7 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$3 = "ClientCertificateCredential";
 const logger$9 = credentialLogger(credentialName$3);
 /**
@@ -3178,7 +3274,7 @@ async function parseCertificate(certificateConfiguration, sendCertificateChain)
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$8 = credentialLogger("ClientSecretCredential");
 /**
  * Enables authentication to Microsoft Entra ID using a client secret
@@ -3232,7 +3328,7 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$7 = credentialLogger("UsernamePasswordCredential");
 /**
  * Enables authentication to Microsoft Entra ID with a user's
@@ -3293,7 +3389,7 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3416,7 +3512,7 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$5 = credentialLogger("DefaultAzureCredential");
 /**
  * Creates a {@link ManagedIdentityCredential} from the provided options.
@@ -3559,7 +3655,7 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$4 = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Microsoft Entra ID inside of the web browser
@@ -3644,7 +3740,7 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$3 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -3666,13 +3762,15 @@ class DeviceCodeCredential {
      *
      * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
      *
-     * ```js
+     * ```ts snippet:device_code_credential_example
+     * import { DeviceCodeCredential } from "@azure/identity";
+     *
      * const credential = new DeviceCodeCredential({
-     *   tenantId: env.AZURE_TENANT_ID,
-     *   clientId: env.AZURE_CLIENT_ID,
+     *   tenantId: process.env.AZURE_TENANT_ID,
+     *   clientId: process.env.AZURE_CLIENT_ID,
      *   userPromptCallback: (info) => {
      *     console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
-     *   }
+     *   },
      * });
      * ```
      *
@@ -3727,7 +3825,7 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName$1 = "AzurePipelinesCredential";
 const logger$2 = credentialLogger(credentialName$1);
 const OIDC_API_VERSION = "7.1";
@@ -3744,7 +3842,8 @@ class AzurePipelinesCredential {
      * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
      * @param options - The identity client options to use for authentication.
      */
-    constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options) {
+    constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options = {}) {
+        var _a, _b;
         if (!clientId) {
             throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. clientId is a required parameter.`);
         }
@@ -3757,6 +3856,12 @@ class AzurePipelinesCredential {
         if (!systemAccessToken) {
             throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. systemAccessToken is a required parameter.`);
         }
+        // Allow these headers to be logged for troubleshooting by AzurePipelines.
+        options.loggingOptions = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.loggingOptions), { additionalAllowedHeaderNames: [
+                ...((_b = (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.additionalAllowedHeaderNames) !== null && _b !== void 0 ? _b : []),
+                "x-vss-e2eid",
+                "x-msedge-ref",
+            ] });
         this.identityClient = new IdentityClient(options);
         checkTenantId(logger$2, tenantId);
         logger$2.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`);
@@ -3805,6 +3910,8 @@ class AzurePipelinesCredential {
             headers: coreRestPipeline.createHttpHeaders({
                 "Content-Type": "application/json",
                 Authorization: `Bearer ${systemAccessToken}`,
+                // Prevents the service from responding with a redirect HTTP status code (useful for automation).
+                "X-TFS-FedAuthRedirect": "Suppress",
             }),
         });
         const response = await this.identityClient.sendRequest(request);
@@ -3812,6 +3919,7 @@ class AzurePipelinesCredential {
     }
 }
 function handleOidcResponse(response) {
+    // OIDC token is present in `bodyAsText` field
     const text = response.bodyAsText;
     if (!text) {
         logger$2.error(`${credentialName$1}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
@@ -3829,7 +3937,7 @@ function handleOidcResponse(response) {
             const errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
             let errorDescription = ``;
             if (response.status !== 200) {
-                errorDescription = `Complete response - ${JSON.stringify(result)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
+                errorDescription = `Response body = ${text}. Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
             }
             logger$2.error(errorMessage);
             logger$2.error(errorDescription);
@@ -3841,17 +3949,18 @@ function handleOidcResponse(response) {
     }
     catch (e) {
         const errorDetails = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
-        logger$2.error(`Response from service = ${text} and error message = ${e.message}`);
+        logger$2.error(`Response from service = ${text}, Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} 
+      and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}, error message = ${e.message}`);
         logger$2.error(errorDetails);
         throw new AuthenticationError(response.status, {
             error: errorDetails,
-            error_description: `Response = ${text}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+            error_description: `Response = ${text}. Response headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] =  ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
         });
     }
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Microsoft Entra ID using an authorization code
@@ -3905,7 +4014,7 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
@@ -4009,18 +4118,18 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Returns a callback that provides a bearer token.
  * For example, the bearer token can be used to authenticate a request as follows:
- * ```js
- * import { DefaultAzureCredential } from "@azure/identity";
+ * ```ts snippet:token_provider_example
+ * import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
+ * import { createPipelineRequest } from "@azure/core-rest-pipeline";
  *
  * const credential = new DefaultAzureCredential();
  * const scope = "https://cognitiveservices.azure.com/.default";
  * const getAccessToken = getBearerTokenProvider(credential, scope);
  * const token = await getAccessToken();
- *
  * // usage
  * const request = createPipelineRequest({ url: "https://example.com" });
  * request.headers.set("Authorization", `Bearer ${token}`);
@@ -4060,7 +4169,7 @@ function getBearerTokenProvider(credential, scopes, options) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT License.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */