@azure/identity 4.5.1-alpha.20241111.1 → 4.5.1-alpha.20241113.2

package/dist/esm/msal/nodeFlows/msalClient.d.ts

@@ -0,0 +1,186 @@
+import * as msal from "@azure/msal-node";
+import type { AccessToken, GetTokenOptions } from "@azure/core-auth";
+import type { AuthenticationRecord, CertificateParts } from "../types.js";
+import type { CredentialLogger } from "../../util/logging.js";
+import type { BrokerOptions } from "./brokerOptions.js";
+import type { DeviceCodePromptCallback } from "../../credentials/deviceCodeCredentialOptions.js";
+import { IdentityClient } from "../../client/identityClient.js";
+import type { InteractiveBrowserCredentialNodeOptions } from "../../credentials/interactiveBrowserCredentialOptions.js";
+import type { TokenCachePersistenceOptions } from "./tokenCachePersistenceOptions.js";
+/**
+ * Represents the options for acquiring a token using flows that support silent authentication.
+ */
+export interface GetTokenWithSilentAuthOptions extends GetTokenOptions {
+    /**
+     * Disables automatic authentication. If set to true, the method will throw an error if the user needs to authenticate.
+     *
+     * @remarks
+     *
+     * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.
+     */
+    disableAutomaticAuthentication?: boolean;
+}
+/**
+ * Represents the options for acquiring a token interactively.
+ */
+export interface GetTokenInteractiveOptions extends GetTokenWithSilentAuthOptions {
+    /**
+     * Window handle for parent window, required for WAM authentication.
+     */
+    parentWindowHandle?: Buffer;
+    /**
+     * Shared configuration options for browser customization
+     */
+    browserCustomizationOptions?: InteractiveBrowserCredentialNodeOptions["browserCustomizationOptions"];
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
+/**
+ * Represents a client for interacting with the Microsoft Authentication Library (MSAL).
+ */
+export interface MsalClient {
+    /**
+     *
+     * Retrieves an access token by using the on-behalf-of flow and a client assertion callback of the calling service.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param userAssertionToken - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
+     * @param clientCredentials - The client secret OR client certificate OR client `getAssertion` callback.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenOnBehalfOf(scopes: string[], userAssertionToken: string, clientCredentials: string | CertificateParts | (() => Promise<string>), options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by using an interactive prompt (InteractiveBrowserCredential).
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenByInteractiveRequest(scopes: string[], options: GetTokenInteractiveOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by using a user's username and password.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param username - The username provided by the developer.
+     * @param password - The user's password provided by the developer.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenByUsernamePassword(scopes: string[], username: string, password: string, options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by prompting the user to authenticate using a device code.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param userPromptCallback - The callback function that allows developers to customize the prompt message.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenByDeviceCode(scopes: string[], userPromptCallback: DeviceCodePromptCallback, options?: GetTokenWithSilentAuthOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by using a client certificate.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param certificate - The client certificate used for authentication.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenByClientCertificate(scopes: string[], certificate: CertificateParts, options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by using a client assertion.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param clientAssertion - The client `getAssertion` callback used for authentication.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenByClientAssertion(scopes: string[], clientAssertion: () => Promise<string>, options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by using a client secret.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param clientSecret - The client secret of the application. This is a credential that the application can use to authenticate itself.
+     * @param options - Additional options that may be provided to the method.
+     * @returns An access token.
+     */
+    getTokenByClientSecret(scopes: string[], clientSecret: string, options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Retrieves an access token by using an authorization code flow.
+     *
+     * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.
+     * @param authorizationCode - An authorization code that was received from following the
+                                authorization code flow.  This authorization code must not
+                                have already been used to obtain an access token.
+     * @param redirectUri - The redirect URI that was used to request the authorization code.
+                          Must be the same URI that is configured for the App Registration.
+     * @param clientSecret - An optional client secret that was generated for the App Registration.
+     * @param options - Additional options that may be provided to the method.
+     */
+    getTokenByAuthorizationCode(scopes: string[], redirectUri: string, authorizationCode: string, clientSecret?: string, options?: GetTokenWithSilentAuthOptions): Promise<AccessToken>;
+    /**
+     * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.
+     *
+     * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.
+     */
+    getActiveAccount(): AuthenticationRecord | undefined;
+}
+/**
+ * Represents the options for configuring the MsalClient.
+ */
+export interface MsalClientOptions {
+    /**
+     * Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.
+     */
+    brokerOptions?: BrokerOptions;
+    /**
+     * Parameters that enable token cache persistence in the Identity credentials.
+     */
+    tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
+    /**
+     * A custom authority host.
+     */
+    authorityHost?: IdentityClient["tokenCredentialOptions"]["authorityHost"];
+    /**
+     * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.
+     */
+    loggingOptions?: IdentityClient["tokenCredentialOptions"]["loggingOptions"];
+    /**
+     * The token credential options for the MsalClient.
+     */
+    tokenCredentialOptions?: IdentityClient["tokenCredentialOptions"];
+    /**
+     * Determines whether instance discovery is disabled.
+     */
+    disableInstanceDiscovery?: boolean;
+    /**
+     * The logger for the MsalClient.
+     */
+    logger?: CredentialLogger;
+    /**
+     * The authentication record for the MsalClient.
+     */
+    authenticationRecord?: AuthenticationRecord;
+}
+/**
+ * Generates the configuration for MSAL (Microsoft Authentication Library).
+ *
+ * @param clientId - The client ID of the application.
+ * @param  tenantId - The tenant ID of the Azure Active Directory.
+ * @param  msalClientOptions - Optional. Additional options for creating the MSAL client.
+ * @returns  The MSAL configuration object.
+ */
+export declare function generateMsalConfiguration(clientId: string, tenantId: string, msalClientOptions?: MsalClientOptions): msal.Configuration;
+/**
+ * Creates an instance of the MSAL (Microsoft Authentication Library) client.
+ *
+ * @param clientId - The client ID of the application.
+ * @param tenantId - The tenant ID of the Azure Active Directory.
+ * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.
+ * @returns An instance of the MSAL client.
+ *
+ * @public
+ */
+export declare function createMsalClient(clientId: string, tenantId: string, createMsalClientOptions?: MsalClientOptions): MsalClient;
+//# sourceMappingURL=msalClient.d.ts.map

package/dist/esm/msal/nodeFlows/msalClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"msalClient.d.ts","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAEzC,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,KAAK,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAiB9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kDAAkD,CAAC;AACjG,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,KAAK,EAAE,uCAAuC,EAAE,MAAM,0DAA0D,CAAC;AACxH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAUtF;;GAEG;AACH,MAAM,WAAW,6BAA8B,SAAQ,eAAe;IACpE;;;;;;OAMG;IACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;CAC1C;AAED;;GAEG;AACH,MAAM,WAAW,0BAA2B,SAAQ,6BAA6B;IAC/E;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;OAEG;IACH,2BAA2B,CAAC,EAAE,uCAAuC,CAAC,6BAA6B,CAAC,CAAC;IACrG;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;;;;;;;;OASG;IACH,kBAAkB,CAChB,MAAM,EAAE,MAAM,EAAE,EAChB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,GAAG,gBAAgB,GAAG,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,EACtE,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;OAKG;IACH,4BAA4B,CAC1B,MAAM,EAAE,MAAM,EAAE,EAChB,OAAO,EAAE,0BAA0B,GAClC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;;OAQG;IACH,0BAA0B,CACxB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;OAOG;IACH,oBAAoB,CAClB,MAAM,EAAE,MAAM,EAAE,EAChB,kBAAkB,EAAE,wBAAwB,EAC5C,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;OAOG;IACH,2BAA2B,CACzB,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;OAOG;IACH,yBAAyB,CACvB,MAAM,EAAE,MAAM,EAAE,EAChB,eAAe,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,EACtC,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;OAOG;IACH,sBAAsB,CACpB,MAAM,EAAE,MAAM,EAAE,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;;;;;OAWG;IACH,2BAA2B,CACzB,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,MAAM,EACnB,iBAAiB,EAAE,MAAM,EACzB,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;OAIG;IACH,gBAAgB,IAAI,oBAAoB,GAAG,SAAS,CAAC;CACtD;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;IAE9B;;OAEG;IACH,4BAA4B,CAAC,EAAE,4BAA4B,CAAC;IAE5D;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC,wBAAwB,CAAC,CAAC,eAAe,CAAC,CAAC;IAE1E;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC,wBAAwB,CAAC,CAAC,gBAAgB,CAAC,CAAC;IAE5E;;OAEG;IACH,sBAAsB,CAAC,EAAE,cAAc,CAAC,wBAAwB,CAAC,CAAC;IAElE;;OAEG;IACH,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC;;OAEG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAE1B;;OAEG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;CAC7C;AAED;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,iBAAiB,GAAE,iBAAsB,GACxC,IAAI,CAAC,aAAa,CAoCpB;AAyBD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,uBAAuB,GAAE,iBAAsB,GAC9C,UAAU,CAwhBZ"}

package/dist/esm/msal/nodeFlows/msalClient.js

@@ -0,0 +1,477 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import * as msal from "@azure/msal-node";
+import { credentialLogger, formatSuccess } from "../../util/logging.js";
+import { msalPlugins } from "./msalPlugins.js";
+import { defaultLoggerCallback, ensureValidMsalToken, getAuthority, getAuthorityHost, getKnownAuthorities, getMSALLogLevel, handleMsalError, msalToPublic, publicToMsal, } from "../utils.js";
+import { AuthenticationRequiredError } from "../../errors.js";
+import { IdentityClient } from "../../client/identityClient.js";
+import { calculateRegionalAuthority } from "../../regionalAuthority.js";
+import { getLogLevel } from "@azure/logger";
+import { resolveTenantId } from "../../util/tenantIdUtils.js";
+/**
+ * The default logger used if no logger was passed in by the credential.
+ */
+const msalLogger = credentialLogger("MsalClient");
+/**
+ * Generates the configuration for MSAL (Microsoft Authentication Library).
+ *
+ * @param clientId - The client ID of the application.
+ * @param  tenantId - The tenant ID of the Azure Active Directory.
+ * @param  msalClientOptions - Optional. Additional options for creating the MSAL client.
+ * @returns  The MSAL configuration object.
+ */
+export function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
+    var _a, _b, _c;
+    const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
+    // TODO: move and reuse getIdentityClientAuthorityHost
+    const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));
+    const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
+    const msalConfig = {
+        auth: {
+            clientId,
+            authority,
+            knownAuthorities: getKnownAuthorities(resolvedTenant, authority, msalClientOptions.disableInstanceDiscovery),
+        },
+        system: {
+            networkClient: httpClient,
+            loggerOptions: {
+                loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
+                logLevel: getMSALLogLevel(getLogLevel()),
+                piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
+            },
+        },
+    };
+    return msalConfig;
+}
+/**
+ * Creates an instance of the MSAL (Microsoft Authentication Library) client.
+ *
+ * @param clientId - The client ID of the application.
+ * @param tenantId - The tenant ID of the Azure Active Directory.
+ * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.
+ * @returns An instance of the MSAL client.
+ *
+ * @public
+ */
+export function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
+    var _a;
+    const state = {
+        msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
+        cachedAccount: createMsalClientOptions.authenticationRecord
+            ? publicToMsal(createMsalClientOptions.authenticationRecord)
+            : null,
+        pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
+        logger: (_a = createMsalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger,
+    };
+    const publicApps = new Map();
+    async function getPublicApp(options = {}) {
+        const appKey = options.enableCae ? "CAE" : "default";
+        let publicClientApp = publicApps.get(appKey);
+        if (publicClientApp) {
+            state.logger.getToken.info("Existing PublicClientApplication found in cache, returning it.");
+            return publicClientApp;
+        }
+        // Initialize a new app and cache it
+        state.logger.getToken.info(`Creating new PublicClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
+        const cachePlugin = options.enableCae
+            ? state.pluginConfiguration.cache.cachePluginCae
+            : state.pluginConfiguration.cache.cachePlugin;
+        state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
+        publicClientApp = new msal.PublicClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        publicApps.set(appKey, publicClientApp);
+        return publicClientApp;
+    }
+    const confidentialApps = new Map();
+    async function getConfidentialApp(options = {}) {
+        const appKey = options.enableCae ? "CAE" : "default";
+        let confidentialClientApp = confidentialApps.get(appKey);
+        if (confidentialClientApp) {
+            state.logger.getToken.info("Existing ConfidentialClientApplication found in cache, returning it.");
+            return confidentialClientApp;
+        }
+        // Initialize a new app and cache it
+        state.logger.getToken.info(`Creating new ConfidentialClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
+        const cachePlugin = options.enableCae
+            ? state.pluginConfiguration.cache.cachePluginCae
+            : state.pluginConfiguration.cache.cachePlugin;
+        state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
+        confidentialClientApp = new msal.ConfidentialClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
+        confidentialApps.set(appKey, confidentialClientApp);
+        return confidentialClientApp;
+    }
+    async function getTokenSilent(app, scopes, options = {}) {
+        if (state.cachedAccount === null) {
+            state.logger.getToken.info("No cached account found in local state, attempting to load it from MSAL cache.");
+            const cache = app.getTokenCache();
+            const accounts = await cache.getAllAccounts();
+            if (accounts === undefined || accounts.length === 0) {
+                throw new AuthenticationRequiredError({ scopes });
+            }
+            if (accounts.length > 1) {
+                state.logger
+                    .info(`More than one account was found authenticated for this Client ID and Tenant ID.
+However, no "authenticationRecord" has been provided for this credential,
+therefore we're unable to pick between these accounts.
+A new login attempt will be requested, to ensure the correct account is picked.
+To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
+                throw new AuthenticationRequiredError({ scopes });
+            }
+            state.cachedAccount = accounts[0];
+        }
+        // Keep track and reuse the claims we received across challenges
+        if (options.claims) {
+            state.cachedClaims = options.claims;
+        }
+        const silentRequest = {
+            account: state.cachedAccount,
+            scopes,
+            claims: state.cachedClaims,
+        };
+        if (state.pluginConfiguration.broker.isEnabled) {
+            silentRequest.tokenQueryParameters || (silentRequest.tokenQueryParameters = {});
+            if (state.pluginConfiguration.broker.enableMsaPassthrough) {
+                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            }
+        }
+        if (options.proofOfPossessionOptions) {
+            silentRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+            silentRequest.authenticationScheme = "pop";
+            silentRequest.resourceRequestMethod = options.proofOfPossessionOptions.resourceRequestMethod;
+            silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+        }
+        state.logger.getToken.info("Attempting to acquire token silently");
+        return app.acquireTokenSilent(silentRequest);
+    }
+    /**
+     * Builds an authority URL for the given request. The authority may be different than the one used when creating the MSAL client
+     * if the user is creating cross-tenant requests
+     */
+    function calculateRequestAuthority(options) {
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));
+        }
+        return state.msalConfig.auth.authority;
+    }
+    /**
+     * Performs silent authentication using MSAL to acquire an access token.
+     * If silent authentication fails, falls back to interactive authentication.
+     *
+     * @param msalApp - The MSAL application instance.
+     * @param scopes - The scopes for which to acquire the access token.
+     * @param options - The options for acquiring the access token.
+     * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.
+     * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
+     */
+    async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
+        var _a, _b;
+        let response = null;
+        try {
+            response = await getTokenSilent(msalApp, scopes, options);
+        }
+        catch (e) {
+            if (e.name !== "AuthenticationRequiredError") {
+                throw e;
+            }
+            if (options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
+                });
+            }
+        }
+        // Silent authentication failed
+        if (response === null) {
+            try {
+                response = await onAuthenticationRequired();
+            }
+            catch (err) {
+                throw handleMsalError(scopes, err, options);
+            }
+        }
+        // At this point we should have a token, process it
+        ensureValidMsalToken(scopes, response, options);
+        state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
+        state.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: response.accessToken,
+            expiresOnTimestamp: response.expiresOn.getTime(),
+            refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
+            tokenType: response.tokenType,
+        };
+    }
+    async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
+        var _a;
+        state.logger.getToken.info(`Attempting to acquire token using client secret`);
+        state.msalConfig.auth.clientSecret = clientSecret;
+        const msalApp = await getConfidentialApp(options);
+        try {
+            const response = await msalApp.acquireTokenByClientCredential({
+                scopes,
+                authority: calculateRequestAuthority(options),
+                azureRegion: calculateRegionalAuthority(),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            });
+            ensureValidMsalToken(scopes, response, options);
+            state.logger.getToken.info(formatSuccess(scopes));
+            return {
+                token: response.accessToken,
+                expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
+            };
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
+        var _a;
+        state.logger.getToken.info(`Attempting to acquire token using client assertion`);
+        state.msalConfig.auth.clientAssertion = clientAssertion;
+        const msalApp = await getConfidentialApp(options);
+        try {
+            const response = await msalApp.acquireTokenByClientCredential({
+                scopes,
+                authority: calculateRequestAuthority(options),
+                azureRegion: calculateRegionalAuthority(),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+                clientAssertion,
+            });
+            ensureValidMsalToken(scopes, response, options);
+            state.logger.getToken.info(formatSuccess(scopes));
+            return {
+                token: response.accessToken,
+                expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
+            };
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    async function getTokenByClientCertificate(scopes, certificate, options = {}) {
+        var _a;
+        state.logger.getToken.info(`Attempting to acquire token using client certificate`);
+        state.msalConfig.auth.clientCertificate = certificate;
+        const msalApp = await getConfidentialApp(options);
+        try {
+            const response = await msalApp.acquireTokenByClientCredential({
+                scopes,
+                authority: calculateRequestAuthority(options),
+                azureRegion: calculateRegionalAuthority(),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            });
+            ensureValidMsalToken(scopes, response, options);
+            state.logger.getToken.info(formatSuccess(scopes));
+            return {
+                token: response.accessToken,
+                expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
+            };
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    async function getTokenByDeviceCode(scopes, deviceCodeCallback, options = {}) {
+        state.logger.getToken.info(`Attempting to acquire token using device code`);
+        const msalApp = await getPublicApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            var _a, _b;
+            const requestOptions = {
+                scopes,
+                cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
+                deviceCodeCallback,
+                authority: calculateRequestAuthority(options),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            };
+            const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
+            if (options.abortSignal) {
+                options.abortSignal.addEventListener("abort", () => {
+                    requestOptions.cancel = true;
+                });
+            }
+            return deviceCodeRequest;
+        });
+    }
+    async function getTokenByUsernamePassword(scopes, username, password, options = {}) {
+        state.logger.getToken.info(`Attempting to acquire token using username and password`);
+        const msalApp = await getPublicApp(options);
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            const requestOptions = {
+                scopes,
+                username,
+                password,
+                authority: calculateRequestAuthority(options),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            };
+            return msalApp.acquireTokenByUsernamePassword(requestOptions);
+        });
+    }
+    function getActiveAccount() {
+        if (!state.cachedAccount) {
+            return undefined;
+        }
+        return msalToPublic(clientId, state.cachedAccount);
+    }
+    async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
+        state.logger.getToken.info(`Attempting to acquire token using authorization code`);
+        let msalApp;
+        if (clientSecret) {
+            // If a client secret is provided, we need to use a confidential client application
+            // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret
+            state.msalConfig.auth.clientSecret = clientSecret;
+            msalApp = await getConfidentialApp(options);
+        }
+        else {
+            msalApp = await getPublicApp(options);
+        }
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            return msalApp.acquireTokenByCode({
+                scopes,
+                redirectUri,
+                code: authorizationCode,
+                authority: calculateRequestAuthority(options),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            });
+        });
+    }
+    async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
+        var _a;
+        msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
+        if (typeof clientCredentials === "string") {
+            // Client secret
+            msalLogger.getToken.info(`Using client secret for on behalf of flow`);
+            state.msalConfig.auth.clientSecret = clientCredentials;
+        }
+        else if (typeof clientCredentials === "function") {
+            // Client Assertion
+            msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);
+            state.msalConfig.auth.clientAssertion = clientCredentials;
+        }
+        else {
+            // Client certificate
+            msalLogger.getToken.info(`Using client certificate for on behalf of flow`);
+            state.msalConfig.auth.clientCertificate = clientCredentials;
+        }
+        const msalApp = await getConfidentialApp(options);
+        try {
+            const response = await msalApp.acquireTokenOnBehalfOf({
+                scopes,
+                authority: calculateRequestAuthority(options),
+                claims: options.claims,
+                oboAssertion: userAssertionToken,
+            });
+            ensureValidMsalToken(scopes, response, options);
+            msalLogger.getToken.info(formatSuccess(scopes));
+            return {
+                token: response.accessToken,
+                expiresOnTimestamp: response.expiresOn.getTime(),
+                refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+                tokenType: response.tokenType,
+            };
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    async function getTokenByInteractiveRequest(scopes, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token interactively`);
+        const app = await getPublicApp(options);
+        /**
+         * A helper function that supports brokered authentication through the MSAL's public application.
+         *
+         * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
+         * If the default broker account is not available, the method will fall back to interactive authentication.
+         */
+        async function getBrokeredToken(useDefaultBrokerAccount) {
+            var _a;
+            msalLogger.verbose("Authentication will resume through the broker");
+            const interactiveRequest = createBaseInteractiveRequest();
+            if (state.pluginConfiguration.broker.parentWindowHandle) {
+                interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
+            }
+            else {
+                // this is a bug, as the pluginConfiguration handler should validate this case.
+                msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (state.pluginConfiguration.broker.enableMsaPassthrough) {
+                ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
+                    "consumer_passthrough";
+            }
+            if (useDefaultBrokerAccount) {
+                interactiveRequest.prompt = "none";
+                msalLogger.verbose("Attempting broker authentication using the default broker account");
+            }
+            else {
+                msalLogger.verbose("Attempting broker authentication without the default broker account");
+            }
+            if (options.proofOfPossessionOptions) {
+                interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+                interactiveRequest.authenticationScheme = "pop";
+                interactiveRequest.resourceRequestMethod =
+                    options.proofOfPossessionOptions.resourceRequestMethod;
+                interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+            }
+            try {
+                return await app.acquireTokenInteractive(interactiveRequest);
+            }
+            catch (e) {
+                msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
+                // If we tried to use the default broker account and failed, fall back to interactive authentication
+                if (useDefaultBrokerAccount) {
+                    return getBrokeredToken(/* useDefaultBrokerAccount: */ false);
+                }
+                else {
+                    throw e;
+                }
+            }
+        }
+        function createBaseInteractiveRequest() {
+            var _a, _b;
+            return {
+                openBrowser: async (url) => {
+                    const open = await import("open");
+                    await open.default(url, { wait: true, newInstance: true });
+                },
+                scopes,
+                authority: calculateRequestAuthority(options),
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+                loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
+                errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
+                successTemplate: (_b = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage,
+            };
+        }
+        return withSilentAuthentication(app, scopes, options, async () => {
+            var _a;
+            const interactiveRequest = createBaseInteractiveRequest();
+            if (state.pluginConfiguration.broker.isEnabled) {
+                return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
+            }
+            if (options.proofOfPossessionOptions) {
+                interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
+                interactiveRequest.authenticationScheme = "pop";
+                interactiveRequest.resourceRequestMethod =
+                    options.proofOfPossessionOptions.resourceRequestMethod;
+                interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
+            }
+            return app.acquireTokenInteractive(interactiveRequest);
+        });
+    }
+    return {
+        getActiveAccount,
+        getTokenByClientSecret,
+        getTokenByClientAssertion,
+        getTokenByClientCertificate,
+        getTokenByDeviceCode,
+        getTokenByUsernamePassword,
+        getTokenByAuthorizationCode,
+        getTokenOnBehalfOf,
+        getTokenByInteractiveRequest,
+    };
+}
+//# sourceMappingURL=msalClient.js.map