@azure/identity 4.5.1-alpha.20241112.1 → 4.5.1-alpha.20241113.2

Files changed (1066)
  1. package/dist/browser/client/identityClient.d.ts +65 -0
  2. package/dist/browser/client/identityClient.d.ts.map +1 -0
  3. package/dist/browser/client/identityClient.js +248 -0
  4. package/dist/browser/client/identityClient.js.map +1 -0
  5. package/dist/browser/constants.d.ts +64 -0
  6. package/dist/browser/constants.d.ts.map +1 -0
  7. package/dist/browser/credentials/authorityValidationOptions.d.ts +16 -0
  8. package/dist/browser/credentials/authorityValidationOptions.d.ts.map +1 -0
  9. package/dist/browser/credentials/authorizationCodeCredential-browser.d.mts.map +1 -0
  10. package/dist/browser/credentials/authorizationCodeCredential-browser.mjs.map +1 -0
  11. package/dist/browser/credentials/authorizationCodeCredential.d.ts +11 -0
  12. package/dist/browser/credentials/authorizationCodeCredential.js +16 -0
  13. package/dist/browser/credentials/authorizationCodeCredentialOptions.d.ts +8 -0
  14. package/dist/browser/credentials/authorizationCodeCredentialOptions.d.ts.map +1 -0
  15. package/dist/browser/credentials/authorizationCodeCredentialOptions.js.map +1 -0
  16. package/dist/browser/credentials/azureApplicationCredential-browser.d.mts.map +1 -0
  17. package/dist/browser/credentials/azureApplicationCredential-browser.mjs.map +1 -0
  18. package/dist/browser/credentials/azureApplicationCredential.d.ts +24 -0
  19. package/dist/browser/credentials/azureApplicationCredential.js +34 -0
  20. package/dist/browser/credentials/azureApplicationCredentialOptions.d.ts +13 -0
  21. package/dist/browser/credentials/azureApplicationCredentialOptions.d.ts.map +1 -0
  22. package/dist/browser/credentials/azureApplicationCredentialOptions.js.map +1 -0
  23. package/dist/browser/credentials/azureCliCredential-browser.d.mts.map +1 -0
  24. package/dist/browser/credentials/azureCliCredential-browser.mjs.map +1 -0
  25. package/dist/browser/credentials/azureCliCredential.d.ts +13 -0
  26. package/dist/browser/credentials/azureCliCredential.js +23 -0
  27. package/dist/browser/credentials/azureCliCredentialOptions.d.ts +20 -0
  28. package/dist/browser/credentials/azureCliCredentialOptions.d.ts.map +1 -0
  29. package/dist/browser/credentials/azureCliCredentialOptions.js.map +1 -0
  30. package/dist/browser/credentials/azureDeveloperCliCredential-browser.d.mts.map +1 -0
  31. package/dist/browser/credentials/azureDeveloperCliCredential-browser.mjs.map +1 -0
  32. package/dist/browser/credentials/azureDeveloperCliCredential.d.ts +13 -0
  33. package/dist/browser/credentials/azureDeveloperCliCredential.js +23 -0
  34. package/dist/browser/credentials/azureDeveloperCliCredentialOptions.d.ts +15 -0
  35. package/dist/browser/credentials/azureDeveloperCliCredentialOptions.d.ts.map +1 -0
  36. package/dist/browser/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
  37. package/dist/browser/credentials/azurePipelinesCredential-browser.d.mts.map +1 -0
  38. package/dist/browser/credentials/azurePipelinesCredential-browser.mjs.map +1 -0
  39. package/dist/browser/credentials/azurePipelinesCredential.d.ts +13 -0
  40. package/dist/browser/credentials/azurePipelinesCredential.js +23 -0
  41. package/dist/browser/credentials/azurePipelinesCredentialOptions.d.ts +9 -0
  42. package/dist/browser/credentials/azurePipelinesCredentialOptions.d.ts.map +1 -0
  43. package/dist/browser/credentials/azurePipelinesCredentialOptions.js.map +1 -0
  44. package/dist/browser/credentials/azurePowerShellCredential-browser.d.mts.map +1 -0
  45. package/dist/browser/credentials/azurePowerShellCredential-browser.mjs.map +1 -0
  46. package/dist/browser/credentials/azurePowerShellCredential.d.ts +12 -0
  47. package/dist/browser/credentials/azurePowerShellCredential.js +22 -0
  48. package/dist/browser/credentials/azurePowerShellCredentialOptions.d.ts +15 -0
  49. package/dist/browser/credentials/azurePowerShellCredentialOptions.d.ts.map +1 -0
  50. package/dist/browser/credentials/azurePowerShellCredentialOptions.js.map +1 -0
  51. package/dist/browser/credentials/brokerAuthOptions.d.ts +13 -0
  52. package/dist/browser/credentials/brokerAuthOptions.d.ts.map +1 -0
  53. package/dist/browser/credentials/brokerAuthOptions.js.map +1 -0
  54. package/dist/browser/credentials/browserCustomizationOptions.d.ts +19 -0
  55. package/dist/browser/credentials/browserCustomizationOptions.d.ts.map +1 -0
  56. package/dist/browser/credentials/chainedTokenCredential.d.ts +49 -0
  57. package/dist/browser/credentials/chainedTokenCredential.d.ts.map +1 -0
  58. package/dist/browser/credentials/chainedTokenCredential.js +90 -0
  59. package/dist/browser/credentials/chainedTokenCredential.js.map +1 -0
  60. package/dist/browser/credentials/clientAssertionCredential-browser.d.mts.map +1 -0
  61. package/dist/browser/credentials/clientAssertionCredential-browser.mjs.map +1 -0
  62. package/dist/browser/credentials/clientAssertionCredential.d.ts +12 -0
  63. package/dist/browser/credentials/clientAssertionCredential.js +22 -0
  64. package/dist/browser/credentials/clientAssertionCredentialOptions.d.ts +9 -0
  65. package/dist/browser/credentials/clientAssertionCredentialOptions.d.ts.map +1 -0
  66. package/dist/browser/credentials/clientAssertionCredentialOptions.js.map +1 -0
  67. package/dist/browser/credentials/clientCertificateCredential-browser.d.mts.map +1 -0
  68. package/dist/browser/credentials/clientCertificateCredential-browser.mjs.map +1 -0
  69. package/dist/browser/credentials/clientCertificateCredential.d.ts +13 -0
  70. package/dist/browser/credentials/clientCertificateCredential.js +23 -0
  71. package/dist/browser/credentials/clientCertificateCredentialOptions.d.ts +14 -0
  72. package/dist/browser/credentials/clientCertificateCredentialOptions.d.ts.map +1 -0
  73. package/dist/browser/credentials/clientCertificateCredentialOptions.js.map +1 -0
  74. package/dist/browser/credentials/clientSecretCredential-browser.d.mts.map +1 -0
  75. package/dist/browser/credentials/clientSecretCredential-browser.mjs.map +1 -0
  76. package/dist/browser/credentials/clientSecretCredential.d.ts +40 -0
  77. package/dist/browser/credentials/clientSecretCredential.js +83 -0
  78. package/dist/browser/credentials/clientSecretCredentialOptions.d.ts +9 -0
  79. package/dist/browser/credentials/clientSecretCredentialOptions.d.ts.map +1 -0
  80. package/dist/browser/credentials/clientSecretCredentialOptions.js.map +1 -0
  81. package/dist/browser/credentials/credentialPersistenceOptions.d.ts +29 -0
  82. package/dist/browser/credentials/credentialPersistenceOptions.d.ts.map +1 -0
  83. package/dist/browser/credentials/credentialPersistenceOptions.js.map +1 -0
  84. package/dist/browser/credentials/defaultAzureCredential-browser.d.mts.map +1 -0
  85. package/dist/browser/credentials/defaultAzureCredential-browser.mjs.map +1 -0
  86. package/dist/browser/credentials/defaultAzureCredential.d.ts +19 -0
  87. package/dist/browser/credentials/defaultAzureCredential.js +29 -0
  88. package/dist/browser/credentials/defaultAzureCredentialOptions.d.ts +49 -0
  89. package/dist/browser/credentials/defaultAzureCredentialOptions.d.ts.map +1 -0
  90. package/dist/browser/credentials/defaultAzureCredentialOptions.js.map +1 -0
  91. package/dist/browser/credentials/deviceCodeCredential-browser.d.mts.map +1 -0
  92. package/dist/browser/credentials/deviceCodeCredential-browser.mjs.map +1 -0
  93. package/dist/browser/credentials/deviceCodeCredential.d.ts +13 -0
  94. package/dist/browser/credentials/deviceCodeCredential.js +23 -0
  95. package/dist/browser/credentials/deviceCodeCredentialOptions.d.ts +53 -0
  96. package/dist/browser/credentials/deviceCodeCredentialOptions.d.ts.map +1 -0
  97. package/dist/browser/credentials/deviceCodeCredentialOptions.js.map +1 -0
  98. package/dist/browser/credentials/environmentCredential-browser.d.mts.map +1 -0
  99. package/dist/browser/credentials/environmentCredential-browser.mjs.map +1 -0
  100. package/dist/browser/credentials/environmentCredential.d.ts +13 -0
  101. package/dist/browser/credentials/environmentCredential.js +23 -0
  102. package/dist/browser/credentials/environmentCredentialOptions.d.ts +9 -0
  103. package/dist/browser/credentials/environmentCredentialOptions.d.ts.map +1 -0
  104. package/dist/browser/credentials/environmentCredentialOptions.js.map +1 -0
  105. package/dist/browser/credentials/interactiveBrowserCredential-browser.d.mts.map +1 -0
  106. package/dist/browser/credentials/interactiveBrowserCredential-browser.mjs.map +1 -0
  107. package/dist/browser/credentials/interactiveBrowserCredential.d.ts +53 -0
  108. package/dist/browser/credentials/interactiveBrowserCredential.js +86 -0
  109. package/dist/browser/credentials/interactiveBrowserCredentialOptions.d.ts +77 -0
  110. package/dist/browser/credentials/interactiveBrowserCredentialOptions.d.ts.map +1 -0
  111. package/dist/browser/credentials/interactiveBrowserCredentialOptions.js.map +1 -0
  112. package/dist/browser/credentials/interactiveCredentialOptions.d.ts +25 -0
  113. package/dist/browser/credentials/interactiveCredentialOptions.d.ts.map +1 -0
  114. package/dist/browser/credentials/interactiveCredentialOptions.js.map +1 -0
  115. package/dist/browser/credentials/managedIdentityCredential/imdsMsi.d.ts +18 -0
  116. package/dist/browser/credentials/managedIdentityCredential/imdsMsi.d.ts.map +1 -0
  117. package/dist/browser/credentials/managedIdentityCredential/imdsMsi.js +122 -0
  118. package/dist/browser/credentials/managedIdentityCredential/imdsMsi.js.map +1 -0
  119. package/dist/browser/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts +12 -0
  120. package/dist/browser/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map +1 -0
  121. package/dist/browser/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +1 -0
  122. package/dist/browser/credentials/managedIdentityCredential/index-browser.d.mts.map +1 -0
  123. package/dist/browser/credentials/managedIdentityCredential/index-browser.mjs.map +1 -0
  124. package/dist/browser/credentials/managedIdentityCredential/index.d.ts +6 -0
  125. package/dist/browser/credentials/managedIdentityCredential/index.js +16 -0
  126. package/dist/browser/credentials/managedIdentityCredential/models.d.ts +24 -0
  127. package/dist/browser/credentials/managedIdentityCredential/models.d.ts.map +1 -0
  128. package/dist/browser/credentials/managedIdentityCredential/models.js.map +1 -0
  129. package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts +14 -0
  130. package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map +1 -0
  131. package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.js +32 -0
  132. package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -0
  133. package/dist/browser/credentials/managedIdentityCredential/utils.d.ts +33 -0
  134. package/dist/browser/credentials/managedIdentityCredential/utils.d.ts.map +1 -0
  135. package/dist/browser/credentials/multiTenantTokenCredentialOptions.d.ts +12 -0
  136. package/dist/browser/credentials/multiTenantTokenCredentialOptions.d.ts.map +1 -0
  137. package/dist/browser/credentials/multiTenantTokenCredentialOptions.js.map +1 -0
  138. package/dist/browser/credentials/onBehalfOfCredential-browser.d.mts.map +1 -0
  139. package/dist/browser/credentials/onBehalfOfCredential-browser.mjs.map +1 -0
  140. package/dist/browser/credentials/onBehalfOfCredential.d.ts +12 -0
  141. package/dist/browser/credentials/onBehalfOfCredential.js +23 -0
  142. package/dist/browser/credentials/onBehalfOfCredentialOptions.d.ts +76 -0
  143. package/dist/browser/credentials/onBehalfOfCredentialOptions.d.ts.map +1 -0
  144. package/dist/browser/credentials/onBehalfOfCredentialOptions.js.map +1 -0
  145. package/dist/browser/credentials/usernamePasswordCredential-browser.d.mts.map +1 -0
  146. package/dist/browser/credentials/usernamePasswordCredential-browser.mjs.map +1 -0
  147. package/dist/browser/credentials/usernamePasswordCredential.d.ts +40 -0
  148. package/dist/browser/credentials/usernamePasswordCredential.js +77 -0
  149. package/dist/browser/credentials/usernamePasswordCredentialOptions.d.ts +9 -0
  150. package/dist/browser/credentials/usernamePasswordCredentialOptions.d.ts.map +1 -0
  151. package/dist/browser/credentials/usernamePasswordCredentialOptions.js.map +1 -0
  152. package/dist/browser/credentials/visualStudioCodeCredential-browser.d.mts.map +1 -0
  153. package/dist/browser/credentials/visualStudioCodeCredential-browser.mjs.map +1 -0
  154. package/dist/browser/credentials/visualStudioCodeCredential.d.ts +15 -0
  155. package/dist/browser/credentials/visualStudioCodeCredential.js +27 -0
  156. package/dist/browser/credentials/visualStudioCodeCredentialOptions.d.ts +11 -0
  157. package/dist/browser/credentials/visualStudioCodeCredentialOptions.d.ts.map +1 -0
  158. package/dist/browser/credentials/visualStudioCodeCredentialOptions.js.map +1 -0
  159. package/dist/browser/credentials/visualStudioCodeCredentialPlugin.d.ts +11 -0
  160. package/dist/browser/credentials/visualStudioCodeCredentialPlugin.d.ts.map +1 -0
  161. package/dist/browser/credentials/workloadIdentityCredential-browser.d.mts.map +1 -0
  162. package/dist/browser/credentials/workloadIdentityCredential-browser.mjs.map +1 -0
  163. package/dist/browser/credentials/workloadIdentityCredential.d.ts +17 -0
  164. package/dist/browser/credentials/workloadIdentityCredential.js +27 -0
  165. package/dist/browser/credentials/workloadIdentityCredentialOptions.d.ts +20 -0
  166. package/dist/browser/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -0
  167. package/dist/browser/credentials/workloadIdentityCredentialOptions.js.map +1 -0
  168. package/dist/browser/errors.d.ts +139 -0
  169. package/dist/browser/errors.d.ts.map +1 -0
  170. package/dist/browser/index.d.ts +59 -0
  171. package/dist/browser/index.d.ts.map +1 -0
  172. package/dist/browser/index.js +34 -0
  173. package/dist/browser/index.js.map +1 -0
  174. package/dist/browser/msal/browserFlows/flows.d.ts +42 -0
  175. package/dist/browser/msal/browserFlows/flows.d.ts.map +1 -0
  176. package/dist/browser/msal/browserFlows/flows.js.map +1 -0
  177. package/dist/browser/msal/browserFlows/msalAuthCode.d.ts +50 -0
  178. package/dist/browser/msal/browserFlows/msalAuthCode.d.ts.map +1 -0
  179. package/dist/browser/msal/browserFlows/msalAuthCode.js +203 -0
  180. package/dist/browser/msal/browserFlows/msalAuthCode.js.map +1 -0
  181. package/dist/browser/msal/browserFlows/msalBrowserCommon.d.ts +106 -0
  182. package/dist/browser/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -0
  183. package/dist/browser/msal/browserFlows/msalBrowserCommon.js +116 -0
  184. package/dist/browser/msal/browserFlows/msalBrowserCommon.js.map +1 -0
  185. package/dist/browser/msal/credentials.d.ts +52 -0
  186. package/dist/browser/msal/credentials.d.ts.map +1 -0
  187. package/dist/browser/msal/credentials.js.map +1 -0
  188. package/dist/browser/msal/msal-browser.d.mts.map +1 -0
  189. package/dist/browser/msal/msal-browser.mjs.map +1 -0
  190. package/dist/browser/msal/msal.d.ts +3 -0
  191. package/dist/browser/msal/msal.js +5 -0
  192. package/dist/browser/msal/nodeFlows/brokerOptions.d.ts +44 -0
  193. package/dist/browser/msal/nodeFlows/brokerOptions.d.ts.map +1 -0
  194. package/dist/browser/msal/nodeFlows/msalClient.d.ts +186 -0
  195. package/dist/browser/msal/nodeFlows/msalClient.d.ts.map +1 -0
  196. package/dist/browser/msal/nodeFlows/msalClient.js +477 -0
  197. package/dist/browser/msal/nodeFlows/msalClient.js.map +1 -0
  198. package/dist/browser/msal/nodeFlows/msalPlugins.d.ts +91 -0
  199. package/dist/browser/msal/nodeFlows/msalPlugins.d.ts.map +1 -0
  200. package/dist/browser/msal/nodeFlows/msalPlugins.js +87 -0
  201. package/dist/browser/msal/nodeFlows/msalPlugins.js.map +1 -0
  202. package/dist/browser/msal/nodeFlows/tokenCachePersistenceOptions.d.ts +24 -0
  203. package/dist/browser/msal/nodeFlows/tokenCachePersistenceOptions.d.ts.map +1 -0
  204. package/dist/browser/msal/types.d.ts +87 -0
  205. package/dist/browser/msal/types.d.ts.map +1 -0
  206. package/dist/browser/msal/utils.d.ts +95 -0
  207. package/dist/browser/msal/utils.d.ts.map +1 -0
  208. package/dist/browser/msal/utils.js +232 -0
  209. package/dist/browser/msal/utils.js.map +1 -0
  210. package/dist/browser/package.json +3 -0
  211. package/dist/browser/plugins/consumer-browser.d.mts.map +1 -0
  212. package/dist/browser/plugins/consumer-browser.mjs.map +1 -0
  213. package/dist/browser/plugins/consumer.d.ts +2 -0
  214. package/dist/browser/plugins/consumer.js +7 -0
  215. package/dist/browser/plugins/provider.d.ts +36 -0
  216. package/dist/browser/plugins/provider.d.ts.map +1 -0
  217. package/dist/browser/plugins/provider.js.map +1 -0
  218. package/dist/browser/regionalAuthority.d.ts +122 -0
  219. package/dist/browser/regionalAuthority.d.ts.map +1 -0
  220. package/dist/browser/tokenCredentialOptions.d.ts +28 -0
  221. package/dist/browser/tokenCredentialOptions.d.ts.map +1 -0
  222. package/dist/browser/tokenProvider.d.ts +38 -0
  223. package/dist/browser/tokenProvider.d.ts.map +1 -0
  224. package/dist/browser/util/authHostEnv-browser.d.mts +4 -0
  225. package/dist/browser/util/authHostEnv-browser.d.mts.map +1 -0
  226. package/dist/browser/util/authHostEnv-browser.mjs +7 -0
  227. package/dist/browser/util/authHostEnv-browser.mjs.map +1 -0
  228. package/dist/browser/util/identityTokenEndpoint.d.ts +2 -0
  229. package/dist/browser/util/identityTokenEndpoint.d.ts.map +1 -0
  230. package/dist/browser/util/logging.d.ts +70 -0
  231. package/dist/browser/util/logging.d.ts.map +1 -0
  232. package/dist/browser/util/processMultiTenantRequest-browser.d.mts.map +1 -0
  233. package/dist/browser/util/processMultiTenantRequest-browser.mjs.map +1 -0
  234. package/dist/browser/util/processMultiTenantRequest.d.ts +9 -0
  235. package/dist/browser/util/processMultiTenantRequest.js +29 -0
  236. package/dist/browser/util/processUtils.d.ts +13 -0
  237. package/dist/browser/util/processUtils.d.ts.map +1 -0
  238. package/dist/browser/util/scopeUtils.d.ts +17 -0
  239. package/dist/browser/util/scopeUtils.d.ts.map +1 -0
  240. package/dist/browser/util/scopeUtils.js +29 -0
  241. package/dist/browser/util/scopeUtils.js.map +1 -0
  242. package/dist/browser/util/subscriptionUtils.d.ts +6 -0
  243. package/dist/browser/util/subscriptionUtils.d.ts.map +1 -0
  244. package/dist/browser/util/subscriptionUtils.js +14 -0
  245. package/dist/browser/util/subscriptionUtils.js.map +1 -0
  246. package/dist/browser/util/tenantIdUtils.d.ts +15 -0
  247. package/dist/browser/util/tenantIdUtils.d.ts.map +1 -0
  248. package/dist/browser/util/tenantIdUtils.js +44 -0
  249. package/dist/browser/util/tenantIdUtils.js.map +1 -0
  250. package/dist/browser/util/tracing.d.ts +6 -0
  251. package/dist/browser/util/tracing.d.ts.map +1 -0
  252. package/dist/browser/util/tracing.js +14 -0
  253. package/dist/browser/util/tracing.js.map +1 -0
  254. package/dist/commonjs/client/identityClient.d.ts +65 -0
  255. package/dist/commonjs/client/identityClient.d.ts.map +1 -0
  256. package/dist/commonjs/client/identityClient.js +253 -0
  257. package/dist/commonjs/client/identityClient.js.map +1 -0
  258. package/dist/commonjs/constants.d.ts +64 -0
  259. package/dist/commonjs/constants.d.ts.map +1 -0
  260. package/dist/commonjs/constants.js +73 -0
  261. package/dist/commonjs/constants.js.map +1 -0
  262. package/dist/commonjs/credentials/authorityValidationOptions.d.ts +16 -0
  263. package/dist/commonjs/credentials/authorityValidationOptions.d.ts.map +1 -0
  264. package/dist/commonjs/credentials/authorityValidationOptions.js +5 -0
  265. package/dist/commonjs/credentials/authorityValidationOptions.js.map +1 -0
  266. package/dist/commonjs/credentials/authorizationCodeCredential.d.ts +73 -0
  267. package/dist/commonjs/credentials/authorizationCodeCredential.d.ts.map +1 -0
  268. package/dist/commonjs/credentials/authorizationCodeCredential.js +64 -0
  269. package/dist/commonjs/credentials/authorizationCodeCredential.js.map +1 -0
  270. package/dist/commonjs/credentials/authorizationCodeCredentialOptions.d.ts +8 -0
  271. package/dist/commonjs/credentials/authorizationCodeCredentialOptions.d.ts.map +1 -0
  272. package/dist/commonjs/credentials/authorizationCodeCredentialOptions.js +5 -0
  273. package/dist/commonjs/credentials/authorizationCodeCredentialOptions.js.map +1 -0
  274. package/dist/commonjs/credentials/azureApplicationCredential.d.ts +24 -0
  275. package/dist/commonjs/credentials/azureApplicationCredential.d.ts.map +1 -0
  276. package/dist/commonjs/credentials/azureApplicationCredential.js +36 -0
  277. package/dist/commonjs/credentials/azureApplicationCredential.js.map +1 -0
  278. package/dist/commonjs/credentials/azureApplicationCredentialOptions.d.ts +13 -0
  279. package/dist/commonjs/credentials/azureApplicationCredentialOptions.d.ts.map +1 -0
  280. package/dist/commonjs/credentials/azureApplicationCredentialOptions.js +5 -0
  281. package/dist/commonjs/credentials/azureApplicationCredentialOptions.js.map +1 -0
  282. package/dist/commonjs/credentials/azureCliCredential.d.ts +64 -0
  283. package/dist/commonjs/credentials/azureCliCredential.d.ts.map +1 -0
  284. package/dist/commonjs/credentials/azureCliCredential.js +194 -0
  285. package/dist/commonjs/credentials/azureCliCredential.js.map +1 -0
  286. package/dist/commonjs/credentials/azureCliCredentialOptions.d.ts +20 -0
  287. package/dist/commonjs/credentials/azureCliCredentialOptions.d.ts.map +1 -0
  288. package/dist/commonjs/credentials/azureCliCredentialOptions.js +5 -0
  289. package/dist/commonjs/credentials/azureCliCredentialOptions.js.map +1 -0
  290. package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts +71 -0
  291. package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts.map +1 -0
  292. package/dist/commonjs/credentials/azureDeveloperCliCredential.js +176 -0
  293. package/dist/commonjs/credentials/azureDeveloperCliCredential.js.map +1 -0
  294. package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.d.ts +15 -0
  295. package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.d.ts.map +1 -0
  296. package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.js +5 -0
  297. package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
  298. package/dist/commonjs/credentials/azurePipelinesCredential.d.ts +38 -0
  299. package/dist/commonjs/credentials/azurePipelinesCredential.d.ts.map +1 -0
  300. package/dist/commonjs/credentials/azurePipelinesCredential.js +146 -0
  301. package/dist/commonjs/credentials/azurePipelinesCredential.js.map +1 -0
  302. package/dist/commonjs/credentials/azurePipelinesCredentialOptions.d.ts +9 -0
  303. package/dist/commonjs/credentials/azurePipelinesCredentialOptions.d.ts.map +1 -0
  304. package/dist/commonjs/credentials/azurePipelinesCredentialOptions.js +5 -0
  305. package/dist/commonjs/credentials/azurePipelinesCredentialOptions.js.map +1 -0
  306. package/dist/commonjs/credentials/azurePowerShellCredential.d.ts +75 -0
  307. package/dist/commonjs/credentials/azurePowerShellCredential.d.ts.map +1 -0
  308. package/dist/commonjs/credentials/azurePowerShellCredential.js +235 -0
  309. package/dist/commonjs/credentials/azurePowerShellCredential.js.map +1 -0
  310. package/dist/commonjs/credentials/azurePowerShellCredentialOptions.d.ts +15 -0
  311. package/dist/commonjs/credentials/azurePowerShellCredentialOptions.d.ts.map +1 -0
  312. package/dist/commonjs/credentials/azurePowerShellCredentialOptions.js +5 -0
  313. package/dist/commonjs/credentials/azurePowerShellCredentialOptions.js.map +1 -0
  314. package/dist/commonjs/credentials/brokerAuthOptions.d.ts +13 -0
  315. package/dist/commonjs/credentials/brokerAuthOptions.d.ts.map +1 -0
  316. package/dist/commonjs/credentials/brokerAuthOptions.js +3 -0
  317. package/dist/commonjs/credentials/brokerAuthOptions.js.map +1 -0
  318. package/dist/commonjs/credentials/browserCustomizationOptions.d.ts +19 -0
  319. package/dist/commonjs/credentials/browserCustomizationOptions.d.ts.map +1 -0
  320. package/dist/commonjs/credentials/browserCustomizationOptions.js +5 -0
  321. package/dist/commonjs/credentials/browserCustomizationOptions.js.map +1 -0
  322. package/dist/commonjs/credentials/chainedTokenCredential.d.ts +49 -0
  323. package/dist/commonjs/credentials/chainedTokenCredential.d.ts.map +1 -0
  324. package/dist/commonjs/credentials/chainedTokenCredential.js +94 -0
  325. package/dist/commonjs/credentials/chainedTokenCredential.js.map +1 -0
  326. package/dist/commonjs/credentials/clientAssertionCredential.d.ts +33 -0
  327. package/dist/commonjs/credentials/clientAssertionCredential.d.ts.map +1 -0
  328. package/dist/commonjs/credentials/clientAssertionCredential.js +59 -0
  329. package/dist/commonjs/credentials/clientAssertionCredential.js.map +1 -0
  330. package/dist/commonjs/credentials/clientAssertionCredentialOptions.d.ts +9 -0
  331. package/dist/commonjs/credentials/clientAssertionCredentialOptions.d.ts.map +1 -0
  332. package/dist/commonjs/credentials/clientAssertionCredentialOptions.js +5 -0
  333. package/dist/commonjs/credentials/clientAssertionCredentialOptions.js.map +1 -0
  334. package/dist/commonjs/credentials/clientCertificateCredential.d.ts +101 -0
  335. package/dist/commonjs/credentials/clientCertificateCredential.d.ts.map +1 -0
  336. package/dist/commonjs/credentials/clientCertificateCredential.js +124 -0
  337. package/dist/commonjs/credentials/clientCertificateCredential.js.map +1 -0
  338. package/dist/commonjs/credentials/clientCertificateCredentialOptions.d.ts +14 -0
  339. package/dist/commonjs/credentials/clientCertificateCredentialOptions.d.ts.map +1 -0
  340. package/dist/commonjs/credentials/clientCertificateCredentialOptions.js +5 -0
  341. package/dist/commonjs/credentials/clientCertificateCredentialOptions.js.map +1 -0
  342. package/dist/commonjs/credentials/clientSecretCredential.d.ts +37 -0
  343. package/dist/commonjs/credentials/clientSecretCredential.d.ts.map +1 -0
  344. package/dist/commonjs/credentials/clientSecretCredential.js +64 -0
  345. package/dist/commonjs/credentials/clientSecretCredential.js.map +1 -0
  346. package/dist/commonjs/credentials/clientSecretCredentialOptions.d.ts +9 -0
  347. package/dist/commonjs/credentials/clientSecretCredentialOptions.d.ts.map +1 -0
  348. package/dist/commonjs/credentials/clientSecretCredentialOptions.js +5 -0
  349. package/dist/commonjs/credentials/clientSecretCredentialOptions.js.map +1 -0
  350. package/dist/commonjs/credentials/credentialPersistenceOptions.d.ts +29 -0
  351. package/dist/commonjs/credentials/credentialPersistenceOptions.d.ts.map +1 -0
  352. package/dist/commonjs/credentials/credentialPersistenceOptions.js +5 -0
  353. package/dist/commonjs/credentials/credentialPersistenceOptions.js.map +1 -0
  354. package/dist/commonjs/credentials/defaultAzureCredential.d.ts +65 -0
  355. package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map +1 -0
  356. package/dist/commonjs/credentials/defaultAzureCredential.js +171 -0
  357. package/dist/commonjs/credentials/defaultAzureCredential.js.map +1 -0
  358. package/dist/commonjs/credentials/defaultAzureCredentialOptions.d.ts +49 -0
  359. package/dist/commonjs/credentials/defaultAzureCredentialOptions.d.ts.map +1 -0
  360. package/dist/commonjs/credentials/defaultAzureCredentialOptions.js +5 -0
  361. package/dist/commonjs/credentials/defaultAzureCredentialOptions.js.map +1 -0
  362. package/dist/commonjs/credentials/deviceCodeCredential.d.ts +67 -0
  363. package/dist/commonjs/credentials/deviceCodeCredential.d.ts.map +1 -0
  364. package/dist/commonjs/credentials/deviceCodeCredential.js +96 -0
  365. package/dist/commonjs/credentials/deviceCodeCredential.js.map +1 -0
  366. package/dist/commonjs/credentials/deviceCodeCredentialOptions.d.ts +53 -0
  367. package/dist/commonjs/credentials/deviceCodeCredentialOptions.d.ts.map +1 -0
  368. package/dist/commonjs/credentials/deviceCodeCredentialOptions.js +5 -0
  369. package/dist/commonjs/credentials/deviceCodeCredentialOptions.js.map +1 -0
  370. package/dist/commonjs/credentials/environmentCredential.d.ts +52 -0
  371. package/dist/commonjs/credentials/environmentCredential.d.ts.map +1 -0
  372. package/dist/commonjs/credentials/environmentCredential.js +135 -0
  373. package/dist/commonjs/credentials/environmentCredential.js.map +1 -0
  374. package/dist/commonjs/credentials/environmentCredentialOptions.d.ts +9 -0
  375. package/dist/commonjs/credentials/environmentCredentialOptions.d.ts.map +1 -0
  376. package/dist/commonjs/credentials/environmentCredentialOptions.js +5 -0
  377. package/dist/commonjs/credentials/environmentCredentialOptions.js.map +1 -0
  378. package/dist/commonjs/credentials/interactiveBrowserCredential.d.ts +56 -0
  379. package/dist/commonjs/credentials/interactiveBrowserCredential.d.ts.map +1 -0
  380. package/dist/commonjs/credentials/interactiveBrowserCredential.js +95 -0
  381. package/dist/commonjs/credentials/interactiveBrowserCredential.js.map +1 -0
  382. package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.d.ts +77 -0
  383. package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.d.ts.map +1 -0
  384. package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.js +5 -0
  385. package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.js.map +1 -0
  386. package/dist/commonjs/credentials/interactiveCredentialOptions.d.ts +25 -0
  387. package/dist/commonjs/credentials/interactiveCredentialOptions.d.ts.map +1 -0
  388. package/dist/commonjs/credentials/interactiveCredentialOptions.js +5 -0
  389. package/dist/commonjs/credentials/interactiveCredentialOptions.js.map +1 -0
  390. package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.d.ts +18 -0
  391. package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.d.ts.map +1 -0
  392. package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.js +125 -0
  393. package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.js.map +1 -0
  394. package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts +12 -0
  395. package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map +1 -0
  396. package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.js +36 -0
  397. package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +1 -0
  398. package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts +95 -0
  399. package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts.map +1 -0
  400. package/dist/commonjs/credentials/managedIdentityCredential/index.js +221 -0
  401. package/dist/commonjs/credentials/managedIdentityCredential/index.js.map +1 -0
  402. package/dist/commonjs/credentials/managedIdentityCredential/models.d.ts +24 -0
  403. package/dist/commonjs/credentials/managedIdentityCredential/models.d.ts.map +1 -0
  404. package/dist/commonjs/credentials/managedIdentityCredential/models.js +5 -0
  405. package/dist/commonjs/credentials/managedIdentityCredential/models.js.map +1 -0
  406. package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts +14 -0
  407. package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map +1 -0
  408. package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.js +35 -0
  409. package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -0
  410. package/dist/commonjs/credentials/managedIdentityCredential/utils.d.ts +33 -0
  411. package/dist/commonjs/credentials/managedIdentityCredential/utils.d.ts.map +1 -0
  412. package/dist/commonjs/credentials/managedIdentityCredential/utils.js +82 -0
  413. package/dist/commonjs/credentials/managedIdentityCredential/utils.js.map +1 -0
  414. package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.d.ts +12 -0
  415. package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.d.ts.map +1 -0
  416. package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.js +5 -0
  417. package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.js.map +1 -0
  418. package/dist/commonjs/credentials/onBehalfOfCredential.d.ts +102 -0
  419. package/dist/commonjs/credentials/onBehalfOfCredential.d.ts.map +1 -0
  420. package/dist/commonjs/credentials/onBehalfOfCredential.js +116 -0
  421. package/dist/commonjs/credentials/onBehalfOfCredential.js.map +1 -0
  422. package/dist/commonjs/credentials/onBehalfOfCredentialOptions.d.ts +76 -0
  423. package/dist/commonjs/credentials/onBehalfOfCredentialOptions.d.ts.map +1 -0
  424. package/dist/commonjs/credentials/onBehalfOfCredentialOptions.js +5 -0
  425. package/dist/commonjs/credentials/onBehalfOfCredentialOptions.js.map +1 -0
  426. package/dist/commonjs/credentials/usernamePasswordCredential.d.ts +41 -0
  427. package/dist/commonjs/credentials/usernamePasswordCredential.d.ts.map +1 -0
  428. package/dist/commonjs/credentials/usernamePasswordCredential.js +71 -0
  429. package/dist/commonjs/credentials/usernamePasswordCredential.js.map +1 -0
  430. package/dist/commonjs/credentials/usernamePasswordCredentialOptions.d.ts +9 -0
  431. package/dist/commonjs/credentials/usernamePasswordCredentialOptions.d.ts.map +1 -0
  432. package/dist/commonjs/credentials/usernamePasswordCredentialOptions.js +5 -0
  433. package/dist/commonjs/credentials/usernamePasswordCredentialOptions.js.map +1 -0
  434. package/dist/commonjs/credentials/visualStudioCodeCredential.d.ts +60 -0
  435. package/dist/commonjs/credentials/visualStudioCodeCredential.d.ts.map +1 -0
  436. package/dist/commonjs/credentials/visualStudioCodeCredential.js +196 -0
  437. package/dist/commonjs/credentials/visualStudioCodeCredential.js.map +1 -0
  438. package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.d.ts +11 -0
  439. package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.d.ts.map +1 -0
  440. package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.js +5 -0
  441. package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.js.map +1 -0
  442. package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.d.ts +11 -0
  443. package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.d.ts.map +1 -0
  444. package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.js +5 -0
  445. package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.js.map +1 -0
  446. package/dist/commonjs/credentials/workloadIdentityCredential.d.ts +47 -0
  447. package/dist/commonjs/credentials/workloadIdentityCredential.d.ts.map +1 -0
  448. package/dist/commonjs/credentials/workloadIdentityCredential.js +118 -0
  449. package/dist/commonjs/credentials/workloadIdentityCredential.js.map +1 -0
  450. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.d.ts +20 -0
  451. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -0
  452. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.js +5 -0
  453. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.js.map +1 -0
  454. package/dist/commonjs/errors.d.ts +139 -0
  455. package/dist/commonjs/errors.d.ts.map +1 -0
  456. package/dist/commonjs/errors.js +130 -0
  457. package/dist/commonjs/errors.js.map +1 -0
  458. package/dist/commonjs/index.d.ts +59 -0
  459. package/dist/commonjs/index.d.ts.map +1 -0
  460. package/dist/commonjs/index.js +69 -0
  461. package/dist/commonjs/index.js.map +1 -0
  462. package/dist/commonjs/msal/browserFlows/flows.d.ts +42 -0
  463. package/dist/commonjs/msal/browserFlows/flows.d.ts.map +1 -0
  464. package/dist/commonjs/msal/browserFlows/flows.js +5 -0
  465. package/dist/commonjs/msal/browserFlows/flows.js.map +1 -0
  466. package/dist/commonjs/msal/browserFlows/msalAuthCode.d.ts +50 -0
  467. package/dist/commonjs/msal/browserFlows/msalAuthCode.d.ts.map +1 -0
  468. package/dist/commonjs/msal/browserFlows/msalAuthCode.js +208 -0
  469. package/dist/commonjs/msal/browserFlows/msalAuthCode.js.map +1 -0
  470. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts +106 -0
  471. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -0
  472. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js +121 -0
  473. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js.map +1 -0
  474. package/dist/commonjs/msal/credentials.d.ts +52 -0
  475. package/dist/commonjs/msal/credentials.d.ts.map +1 -0
  476. package/dist/commonjs/msal/credentials.js +5 -0
  477. package/dist/commonjs/msal/credentials.js.map +1 -0
  478. package/dist/commonjs/msal/msal.d.ts +3 -0
  479. package/dist/commonjs/msal/msal.d.ts.map +1 -0
  480. package/dist/commonjs/msal/msal.js +9 -0
  481. package/dist/commonjs/msal/msal.js.map +1 -0
  482. package/dist/commonjs/msal/nodeFlows/brokerOptions.d.ts +44 -0
  483. package/dist/commonjs/msal/nodeFlows/brokerOptions.d.ts.map +1 -0
  484. package/dist/commonjs/msal/nodeFlows/brokerOptions.js +3 -0
  485. package/dist/commonjs/msal/nodeFlows/brokerOptions.js.map +1 -0
  486. package/dist/commonjs/msal/nodeFlows/msalClient.d.ts +186 -0
  487. package/dist/commonjs/msal/nodeFlows/msalClient.d.ts.map +1 -0
  488. package/dist/commonjs/msal/nodeFlows/msalClient.js +482 -0
  489. package/dist/commonjs/msal/nodeFlows/msalClient.js.map +1 -0
  490. package/dist/commonjs/msal/nodeFlows/msalPlugins.d.ts +91 -0
  491. package/dist/commonjs/msal/nodeFlows/msalPlugins.d.ts.map +1 -0
  492. package/dist/commonjs/msal/nodeFlows/msalPlugins.js +91 -0
  493. package/dist/commonjs/msal/nodeFlows/msalPlugins.js.map +1 -0
  494. package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.d.ts +24 -0
  495. package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.d.ts.map +1 -0
  496. package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.js +5 -0
  497. package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.js.map +1 -0
  498. package/dist/commonjs/msal/types.d.ts +87 -0
  499. package/dist/commonjs/msal/types.d.ts.map +1 -0
  500. package/dist/commonjs/msal/types.js +5 -0
  501. package/dist/commonjs/msal/types.js.map +1 -0
  502. package/dist/commonjs/msal/utils.d.ts +95 -0
  503. package/dist/commonjs/msal/utils.d.ts.map +1 -0
  504. package/dist/commonjs/msal/utils.js +247 -0
  505. package/dist/commonjs/msal/utils.js.map +1 -0
  506. package/dist/commonjs/package.json +3 -0
  507. package/dist/commonjs/plugins/consumer.d.ts +28 -0
  508. package/dist/commonjs/plugins/consumer.d.ts.map +1 -0
  509. package/dist/commonjs/plugins/consumer.js +46 -0
  510. package/dist/commonjs/plugins/consumer.js.map +1 -0
  511. package/dist/commonjs/plugins/provider.d.ts +36 -0
  512. package/dist/commonjs/plugins/provider.d.ts.map +1 -0
  513. package/dist/commonjs/plugins/provider.js +5 -0
  514. package/dist/commonjs/plugins/provider.js.map +1 -0
  515. package/dist/commonjs/regionalAuthority.d.ts +122 -0
  516. package/dist/commonjs/regionalAuthority.d.ts.map +1 -0
  517. package/dist/commonjs/regionalAuthority.js +144 -0
  518. package/dist/commonjs/regionalAuthority.js.map +1 -0
  519. package/dist/commonjs/tokenCredentialOptions.d.ts +28 -0
  520. package/dist/commonjs/tokenCredentialOptions.d.ts.map +1 -0
  521. package/dist/commonjs/tokenCredentialOptions.js +5 -0
  522. package/dist/commonjs/tokenCredentialOptions.js.map +1 -0
  523. package/dist/commonjs/tokenProvider.d.ts +38 -0
  524. package/dist/commonjs/tokenProvider.d.ts.map +1 -0
  525. package/dist/commonjs/tokenProvider.js +55 -0
  526. package/dist/commonjs/tokenProvider.js.map +1 -0
  527. package/dist/commonjs/tsdoc-metadata.json +11 -0
  528. package/dist/commonjs/util/identityTokenEndpoint.d.ts +2 -0
  529. package/dist/commonjs/util/identityTokenEndpoint.d.ts.map +1 -0
  530. package/dist/commonjs/util/identityTokenEndpoint.js +14 -0
  531. package/dist/commonjs/util/identityTokenEndpoint.js.map +1 -0
  532. package/dist/commonjs/util/logging.d.ts +70 -0
  533. package/dist/commonjs/util/logging.d.ts.map +1 -0
  534. package/dist/commonjs/util/logging.js +103 -0
  535. package/dist/commonjs/util/logging.js.map +1 -0
  536. package/dist/commonjs/util/processMultiTenantRequest.d.ts +10 -0
  537. package/dist/commonjs/util/processMultiTenantRequest.d.ts.map +1 -0
  538. package/dist/commonjs/util/processMultiTenantRequest.js +38 -0
  539. package/dist/commonjs/util/processMultiTenantRequest.js.map +1 -0
  540. package/dist/commonjs/util/processUtils.d.ts +13 -0
  541. package/dist/commonjs/util/processUtils.d.ts.map +1 -0
  542. package/dist/commonjs/util/processUtils.js +36 -0
  543. package/dist/commonjs/util/processUtils.js.map +1 -0
  544. package/dist/commonjs/util/scopeUtils.d.ts +17 -0
  545. package/dist/commonjs/util/scopeUtils.d.ts.map +1 -0
  546. package/dist/commonjs/util/scopeUtils.js +34 -0
  547. package/dist/commonjs/util/scopeUtils.js.map +1 -0
  548. package/dist/commonjs/util/subscriptionUtils.d.ts +6 -0
  549. package/dist/commonjs/util/subscriptionUtils.d.ts.map +1 -0
  550. package/dist/commonjs/util/subscriptionUtils.js +17 -0
  551. package/dist/commonjs/util/subscriptionUtils.js.map +1 -0
  552. package/dist/commonjs/util/tenantIdUtils.d.ts +15 -0
  553. package/dist/commonjs/util/tenantIdUtils.d.ts.map +1 -0
  554. package/dist/commonjs/util/tenantIdUtils.js +51 -0
  555. package/dist/commonjs/util/tenantIdUtils.js.map +1 -0
  556. package/dist/commonjs/util/tracing.d.ts +6 -0
  557. package/dist/commonjs/util/tracing.d.ts.map +1 -0
  558. package/dist/commonjs/util/tracing.js +17 -0
  559. package/dist/commonjs/util/tracing.js.map +1 -0
  560. package/dist/esm/client/identityClient.d.ts +65 -0
  561. package/dist/esm/client/identityClient.d.ts.map +1 -0
  562. package/dist/esm/client/identityClient.js +248 -0
  563. package/dist/esm/client/identityClient.js.map +1 -0
  564. package/dist/esm/constants.d.ts +64 -0
  565. package/dist/esm/constants.d.ts.map +1 -0
  566. package/dist/esm/constants.js +70 -0
  567. package/dist/esm/constants.js.map +1 -0
  568. package/dist/esm/credentials/authorityValidationOptions.d.ts +16 -0
  569. package/dist/esm/credentials/authorityValidationOptions.d.ts.map +1 -0
  570. package/dist/esm/credentials/authorityValidationOptions.js +4 -0
  571. package/dist/esm/credentials/authorityValidationOptions.js.map +1 -0
  572. package/dist/esm/credentials/authorizationCodeCredential.d.ts +73 -0
  573. package/dist/esm/credentials/authorizationCodeCredential.d.ts.map +1 -0
  574. package/dist/esm/credentials/authorizationCodeCredential.js +60 -0
  575. package/dist/esm/credentials/authorizationCodeCredential.js.map +1 -0
  576. package/dist/esm/credentials/authorizationCodeCredentialOptions.d.ts +8 -0
  577. package/dist/esm/credentials/authorizationCodeCredentialOptions.d.ts.map +1 -0
  578. package/dist/esm/credentials/authorizationCodeCredentialOptions.js +4 -0
  579. package/dist/esm/credentials/authorizationCodeCredentialOptions.js.map +1 -0
  580. package/dist/esm/credentials/azureApplicationCredential.d.ts +24 -0
  581. package/dist/esm/credentials/azureApplicationCredential.d.ts.map +1 -0
  582. package/dist/esm/credentials/azureApplicationCredential.js +32 -0
  583. package/dist/esm/credentials/azureApplicationCredential.js.map +1 -0
  584. package/dist/esm/credentials/azureApplicationCredentialOptions.d.ts +13 -0
  585. package/dist/esm/credentials/azureApplicationCredentialOptions.d.ts.map +1 -0
  586. package/dist/esm/credentials/azureApplicationCredentialOptions.js +4 -0
  587. package/dist/esm/credentials/azureApplicationCredentialOptions.js.map +1 -0
  588. package/dist/esm/credentials/azureCliCredential.d.ts +64 -0
  589. package/dist/esm/credentials/azureCliCredential.d.ts.map +1 -0
  590. package/dist/esm/credentials/azureCliCredential.js +189 -0
  591. package/dist/esm/credentials/azureCliCredential.js.map +1 -0
  592. package/dist/esm/credentials/azureCliCredentialOptions.d.ts +20 -0
  593. package/dist/esm/credentials/azureCliCredentialOptions.d.ts.map +1 -0
  594. package/dist/esm/credentials/azureCliCredentialOptions.js +4 -0
  595. package/dist/esm/credentials/azureCliCredentialOptions.js.map +1 -0
  596. package/dist/esm/credentials/azureDeveloperCliCredential.d.ts +71 -0
  597. package/dist/esm/credentials/azureDeveloperCliCredential.d.ts.map +1 -0
  598. package/dist/esm/credentials/azureDeveloperCliCredential.js +171 -0
  599. package/dist/esm/credentials/azureDeveloperCliCredential.js.map +1 -0
  600. package/dist/esm/credentials/azureDeveloperCliCredentialOptions.d.ts +15 -0
  601. package/dist/esm/credentials/azureDeveloperCliCredentialOptions.d.ts.map +1 -0
  602. package/dist/esm/credentials/azureDeveloperCliCredentialOptions.js +4 -0
  603. package/dist/esm/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
  604. package/dist/esm/credentials/azurePipelinesCredential.d.ts +38 -0
  605. package/dist/esm/credentials/azurePipelinesCredential.d.ts.map +1 -0
  606. package/dist/esm/credentials/azurePipelinesCredential.js +141 -0
  607. package/dist/esm/credentials/azurePipelinesCredential.js.map +1 -0
  608. package/dist/esm/credentials/azurePipelinesCredentialOptions.d.ts +9 -0
  609. package/dist/esm/credentials/azurePipelinesCredentialOptions.d.ts.map +1 -0
  610. package/dist/esm/credentials/azurePipelinesCredentialOptions.js +4 -0
  611. package/dist/esm/credentials/azurePipelinesCredentialOptions.js.map +1 -0
  612. package/dist/esm/credentials/azurePowerShellCredential.d.ts +75 -0
  613. package/dist/esm/credentials/azurePowerShellCredential.d.ts.map +1 -0
  614. package/dist/esm/credentials/azurePowerShellCredential.js +229 -0
  615. package/dist/esm/credentials/azurePowerShellCredential.js.map +1 -0
  616. package/dist/esm/credentials/azurePowerShellCredentialOptions.d.ts +15 -0
  617. package/dist/esm/credentials/azurePowerShellCredentialOptions.d.ts.map +1 -0
  618. package/dist/esm/credentials/azurePowerShellCredentialOptions.js +4 -0
  619. package/dist/esm/credentials/azurePowerShellCredentialOptions.js.map +1 -0
  620. package/dist/esm/credentials/brokerAuthOptions.d.ts +13 -0
  621. package/dist/esm/credentials/brokerAuthOptions.d.ts.map +1 -0
  622. package/dist/esm/credentials/brokerAuthOptions.js +2 -0
  623. package/dist/esm/credentials/brokerAuthOptions.js.map +1 -0
  624. package/dist/esm/credentials/browserCustomizationOptions.d.ts +19 -0
  625. package/dist/esm/credentials/browserCustomizationOptions.d.ts.map +1 -0
  626. package/dist/esm/credentials/browserCustomizationOptions.js +4 -0
  627. package/dist/esm/credentials/browserCustomizationOptions.js.map +1 -0
  628. package/dist/esm/credentials/chainedTokenCredential.d.ts +49 -0
  629. package/dist/esm/credentials/chainedTokenCredential.d.ts.map +1 -0
  630. package/dist/esm/credentials/chainedTokenCredential.js +90 -0
  631. package/dist/esm/credentials/chainedTokenCredential.js.map +1 -0
  632. package/dist/esm/credentials/clientAssertionCredential.d.ts +33 -0
  633. package/dist/esm/credentials/clientAssertionCredential.d.ts.map +1 -0
  634. package/dist/esm/credentials/clientAssertionCredential.js +55 -0
  635. package/dist/esm/credentials/clientAssertionCredential.js.map +1 -0
  636. package/dist/esm/credentials/clientAssertionCredentialOptions.d.ts +9 -0
  637. package/dist/esm/credentials/clientAssertionCredentialOptions.d.ts.map +1 -0
  638. package/dist/esm/credentials/clientAssertionCredentialOptions.js +4 -0
  639. package/dist/esm/credentials/clientAssertionCredentialOptions.js.map +1 -0
  640. package/dist/esm/credentials/clientCertificateCredential.d.ts +101 -0
  641. package/dist/esm/credentials/clientCertificateCredential.d.ts.map +1 -0
  642. package/dist/esm/credentials/clientCertificateCredential.js +119 -0
  643. package/dist/esm/credentials/clientCertificateCredential.js.map +1 -0
  644. package/dist/esm/credentials/clientCertificateCredentialOptions.d.ts +14 -0
  645. package/dist/esm/credentials/clientCertificateCredentialOptions.d.ts.map +1 -0
  646. package/dist/esm/credentials/clientCertificateCredentialOptions.js +4 -0
  647. package/dist/esm/credentials/clientCertificateCredentialOptions.js.map +1 -0
  648. package/dist/esm/credentials/clientSecretCredential.d.ts +37 -0
  649. package/dist/esm/credentials/clientSecretCredential.d.ts.map +1 -0
  650. package/dist/esm/credentials/clientSecretCredential.js +60 -0
  651. package/dist/esm/credentials/clientSecretCredential.js.map +1 -0
  652. package/dist/esm/credentials/clientSecretCredentialOptions.d.ts +9 -0
  653. package/dist/esm/credentials/clientSecretCredentialOptions.d.ts.map +1 -0
  654. package/dist/esm/credentials/clientSecretCredentialOptions.js +4 -0
  655. package/dist/esm/credentials/clientSecretCredentialOptions.js.map +1 -0
  656. package/dist/esm/credentials/credentialPersistenceOptions.d.ts +29 -0
  657. package/dist/esm/credentials/credentialPersistenceOptions.d.ts.map +1 -0
  658. package/dist/esm/credentials/credentialPersistenceOptions.js +4 -0
  659. package/dist/esm/credentials/credentialPersistenceOptions.js.map +1 -0
  660. package/dist/esm/credentials/defaultAzureCredential.d.ts +65 -0
  661. package/dist/esm/credentials/defaultAzureCredential.d.ts.map +1 -0
  662. package/dist/esm/credentials/defaultAzureCredential.js +164 -0
  663. package/dist/esm/credentials/defaultAzureCredential.js.map +1 -0
  664. package/dist/esm/credentials/defaultAzureCredentialOptions.d.ts +49 -0
  665. package/dist/esm/credentials/defaultAzureCredentialOptions.d.ts.map +1 -0
  666. package/dist/esm/credentials/defaultAzureCredentialOptions.js +4 -0
  667. package/dist/esm/credentials/defaultAzureCredentialOptions.js.map +1 -0
  668. package/dist/esm/credentials/deviceCodeCredential.d.ts +67 -0
  669. package/dist/esm/credentials/deviceCodeCredential.d.ts.map +1 -0
  670. package/dist/esm/credentials/deviceCodeCredential.js +91 -0
  671. package/dist/esm/credentials/deviceCodeCredential.js.map +1 -0
  672. package/dist/esm/credentials/deviceCodeCredentialOptions.d.ts +53 -0
  673. package/dist/esm/credentials/deviceCodeCredentialOptions.d.ts.map +1 -0
  674. package/dist/esm/credentials/deviceCodeCredentialOptions.js +4 -0
  675. package/dist/esm/credentials/deviceCodeCredentialOptions.js.map +1 -0
  676. package/dist/esm/credentials/environmentCredential.d.ts +52 -0
  677. package/dist/esm/credentials/environmentCredential.d.ts.map +1 -0
  678. package/dist/esm/credentials/environmentCredential.js +130 -0
  679. package/dist/esm/credentials/environmentCredential.js.map +1 -0
  680. package/dist/esm/credentials/environmentCredentialOptions.d.ts +9 -0
  681. package/dist/esm/credentials/environmentCredentialOptions.d.ts.map +1 -0
  682. package/dist/esm/credentials/environmentCredentialOptions.js +4 -0
  683. package/dist/esm/credentials/environmentCredentialOptions.js.map +1 -0
  684. package/dist/esm/credentials/interactiveBrowserCredential.d.ts +56 -0
  685. package/dist/esm/credentials/interactiveBrowserCredential.d.ts.map +1 -0
  686. package/dist/esm/credentials/interactiveBrowserCredential.js +91 -0
  687. package/dist/esm/credentials/interactiveBrowserCredential.js.map +1 -0
  688. package/dist/esm/credentials/interactiveBrowserCredentialOptions.d.ts +77 -0
  689. package/dist/esm/credentials/interactiveBrowserCredentialOptions.d.ts.map +1 -0
  690. package/dist/esm/credentials/interactiveBrowserCredentialOptions.js +4 -0
  691. package/dist/esm/credentials/interactiveBrowserCredentialOptions.js.map +1 -0
  692. package/dist/esm/credentials/interactiveCredentialOptions.d.ts +25 -0
  693. package/dist/esm/credentials/interactiveCredentialOptions.d.ts.map +1 -0
  694. package/dist/esm/credentials/interactiveCredentialOptions.js +4 -0
  695. package/dist/esm/credentials/interactiveCredentialOptions.js.map +1 -0
  696. package/dist/esm/credentials/managedIdentityCredential/imdsMsi.d.ts +18 -0
  697. package/dist/esm/credentials/managedIdentityCredential/imdsMsi.d.ts.map +1 -0
  698. package/dist/esm/credentials/managedIdentityCredential/imdsMsi.js +122 -0
  699. package/dist/esm/credentials/managedIdentityCredential/imdsMsi.js.map +1 -0
  700. package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts +12 -0
  701. package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map +1 -0
  702. package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.js +33 -0
  703. package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +1 -0
  704. package/dist/esm/credentials/managedIdentityCredential/index.d.ts +95 -0
  705. package/dist/esm/credentials/managedIdentityCredential/index.d.ts.map +1 -0
  706. package/dist/esm/credentials/managedIdentityCredential/index.js +217 -0
  707. package/dist/esm/credentials/managedIdentityCredential/index.js.map +1 -0
  708. package/dist/esm/credentials/managedIdentityCredential/models.d.ts +24 -0
  709. package/dist/esm/credentials/managedIdentityCredential/models.d.ts.map +1 -0
  710. package/dist/esm/credentials/managedIdentityCredential/models.js +4 -0
  711. package/dist/esm/credentials/managedIdentityCredential/models.js.map +1 -0
  712. package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts +14 -0
  713. package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map +1 -0
  714. package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.js +32 -0
  715. package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -0
  716. package/dist/esm/credentials/managedIdentityCredential/utils.d.ts +33 -0
  717. package/dist/esm/credentials/managedIdentityCredential/utils.d.ts.map +1 -0
  718. package/dist/esm/credentials/managedIdentityCredential/utils.js +77 -0
  719. package/dist/esm/credentials/managedIdentityCredential/utils.js.map +1 -0
  720. package/dist/esm/credentials/multiTenantTokenCredentialOptions.d.ts +12 -0
  721. package/dist/esm/credentials/multiTenantTokenCredentialOptions.d.ts.map +1 -0
  722. package/dist/esm/credentials/multiTenantTokenCredentialOptions.js +4 -0
  723. package/dist/esm/credentials/multiTenantTokenCredentialOptions.js.map +1 -0
  724. package/dist/esm/credentials/onBehalfOfCredential.d.ts +102 -0
  725. package/dist/esm/credentials/onBehalfOfCredential.d.ts.map +1 -0
  726. package/dist/esm/credentials/onBehalfOfCredential.js +112 -0
  727. package/dist/esm/credentials/onBehalfOfCredential.js.map +1 -0
  728. package/dist/esm/credentials/onBehalfOfCredentialOptions.d.ts +76 -0
  729. package/dist/esm/credentials/onBehalfOfCredentialOptions.d.ts.map +1 -0
  730. package/dist/esm/credentials/onBehalfOfCredentialOptions.js +4 -0
  731. package/dist/esm/credentials/onBehalfOfCredentialOptions.js.map +1 -0
  732. package/dist/esm/credentials/usernamePasswordCredential.d.ts +41 -0
  733. package/dist/esm/credentials/usernamePasswordCredential.d.ts.map +1 -0
  734. package/dist/esm/credentials/usernamePasswordCredential.js +67 -0
  735. package/dist/esm/credentials/usernamePasswordCredential.js.map +1 -0
  736. package/dist/esm/credentials/usernamePasswordCredentialOptions.d.ts +9 -0
  737. package/dist/esm/credentials/usernamePasswordCredentialOptions.d.ts.map +1 -0
  738. package/dist/esm/credentials/usernamePasswordCredentialOptions.js +4 -0
  739. package/dist/esm/credentials/usernamePasswordCredentialOptions.js.map +1 -0
  740. package/dist/esm/credentials/visualStudioCodeCredential.d.ts +60 -0
  741. package/dist/esm/credentials/visualStudioCodeCredential.d.ts.map +1 -0
  742. package/dist/esm/credentials/visualStudioCodeCredential.js +190 -0
  743. package/dist/esm/credentials/visualStudioCodeCredential.js.map +1 -0
  744. package/dist/esm/credentials/visualStudioCodeCredentialOptions.d.ts +11 -0
  745. package/dist/esm/credentials/visualStudioCodeCredentialOptions.d.ts.map +1 -0
  746. package/dist/esm/credentials/visualStudioCodeCredentialOptions.js +4 -0
  747. package/dist/esm/credentials/visualStudioCodeCredentialOptions.js.map +1 -0
  748. package/dist/esm/credentials/visualStudioCodeCredentialPlugin.d.ts +11 -0
  749. package/dist/esm/credentials/visualStudioCodeCredentialPlugin.d.ts.map +1 -0
  750. package/dist/esm/credentials/visualStudioCodeCredentialPlugin.js +4 -0
  751. package/dist/esm/credentials/visualStudioCodeCredentialPlugin.js.map +1 -0
  752. package/dist/esm/credentials/workloadIdentityCredential.d.ts +47 -0
  753. package/dist/esm/credentials/workloadIdentityCredential.d.ts.map +1 -0
  754. package/dist/esm/credentials/workloadIdentityCredential.js +114 -0
  755. package/dist/esm/credentials/workloadIdentityCredential.js.map +1 -0
  756. package/dist/esm/credentials/workloadIdentityCredentialOptions.d.ts +20 -0
  757. package/dist/esm/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -0
  758. package/dist/esm/credentials/workloadIdentityCredentialOptions.js +4 -0
  759. package/dist/esm/credentials/workloadIdentityCredentialOptions.js.map +1 -0
  760. package/dist/esm/errors.d.ts +139 -0
  761. package/dist/esm/errors.d.ts.map +1 -0
  762. package/dist/esm/errors.js +123 -0
  763. package/dist/esm/errors.js.map +1 -0
  764. package/dist/esm/index.d.ts +59 -0
  765. package/dist/esm/index.d.ts.map +1 -0
  766. package/dist/esm/index.js +34 -0
  767. package/dist/esm/index.js.map +1 -0
  768. package/dist/esm/msal/browserFlows/flows.d.ts +42 -0
  769. package/dist/esm/msal/browserFlows/flows.d.ts.map +1 -0
  770. package/dist/esm/msal/browserFlows/flows.js +4 -0
  771. package/dist/esm/msal/browserFlows/flows.js.map +1 -0
  772. package/dist/esm/msal/browserFlows/msalAuthCode.d.ts +50 -0
  773. package/dist/esm/msal/browserFlows/msalAuthCode.d.ts.map +1 -0
  774. package/dist/esm/msal/browserFlows/msalAuthCode.js +203 -0
  775. package/dist/esm/msal/browserFlows/msalAuthCode.js.map +1 -0
  776. package/dist/esm/msal/browserFlows/msalBrowserCommon.d.ts +106 -0
  777. package/dist/esm/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -0
  778. package/dist/esm/msal/browserFlows/msalBrowserCommon.js +116 -0
  779. package/dist/esm/msal/browserFlows/msalBrowserCommon.js.map +1 -0
  780. package/dist/esm/msal/credentials.d.ts +52 -0
  781. package/dist/esm/msal/credentials.d.ts.map +1 -0
  782. package/dist/esm/msal/credentials.js +4 -0
  783. package/dist/esm/msal/credentials.js.map +1 -0
  784. package/dist/esm/msal/msal.d.ts +3 -0
  785. package/dist/esm/msal/msal.d.ts.map +1 -0
  786. package/dist/esm/msal/nodeFlows/brokerOptions.d.ts +44 -0
  787. package/dist/esm/msal/nodeFlows/brokerOptions.d.ts.map +1 -0
  788. package/dist/esm/msal/nodeFlows/brokerOptions.js +2 -0
  789. package/dist/esm/msal/nodeFlows/brokerOptions.js.map +1 -0
  790. package/dist/esm/msal/nodeFlows/msalClient.d.ts +186 -0
  791. package/dist/esm/msal/nodeFlows/msalClient.d.ts.map +1 -0
  792. package/dist/esm/msal/nodeFlows/msalClient.js +477 -0
  793. package/dist/esm/msal/nodeFlows/msalClient.js.map +1 -0
  794. package/dist/esm/msal/nodeFlows/msalPlugins.d.ts +91 -0
  795. package/dist/esm/msal/nodeFlows/msalPlugins.d.ts.map +1 -0
  796. package/dist/esm/msal/nodeFlows/msalPlugins.js +87 -0
  797. package/dist/esm/msal/nodeFlows/msalPlugins.js.map +1 -0
  798. package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.d.ts +24 -0
  799. package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.d.ts.map +1 -0
  800. package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.js +4 -0
  801. package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.js.map +1 -0
  802. package/dist/esm/msal/types.d.ts +87 -0
  803. package/dist/esm/msal/types.d.ts.map +1 -0
  804. package/dist/esm/msal/types.js +4 -0
  805. package/dist/esm/msal/types.js.map +1 -0
  806. package/dist/esm/msal/utils.d.ts +95 -0
  807. package/dist/esm/msal/utils.d.ts.map +1 -0
  808. package/dist/esm/msal/utils.js +232 -0
  809. package/dist/esm/msal/utils.js.map +1 -0
  810. package/dist/esm/package.json +3 -0
  811. package/dist/esm/plugins/consumer.d.ts +28 -0
  812. package/dist/esm/plugins/consumer.d.ts.map +1 -0
  813. package/dist/esm/plugins/consumer.js +43 -0
  814. package/dist/esm/plugins/consumer.js.map +1 -0
  815. package/dist/esm/plugins/provider.d.ts +36 -0
  816. package/dist/esm/plugins/provider.d.ts.map +1 -0
  817. package/dist/esm/plugins/provider.js +4 -0
  818. package/dist/esm/plugins/provider.js.map +1 -0
  819. package/dist/esm/regionalAuthority.d.ts +122 -0
  820. package/dist/esm/regionalAuthority.d.ts.map +1 -0
  821. package/dist/esm/regionalAuthority.js +140 -0
  822. package/dist/esm/regionalAuthority.js.map +1 -0
  823. package/dist/esm/tokenCredentialOptions.d.ts +28 -0
  824. package/dist/esm/tokenCredentialOptions.d.ts.map +1 -0
  825. package/dist/esm/tokenCredentialOptions.js +4 -0
  826. package/dist/esm/tokenCredentialOptions.js.map +1 -0
  827. package/dist/esm/tokenProvider.d.ts +38 -0
  828. package/dist/esm/tokenProvider.d.ts.map +1 -0
  829. package/dist/esm/tokenProvider.js +52 -0
  830. package/dist/esm/tokenProvider.js.map +1 -0
  831. package/dist/esm/util/authHostEnv-browser.d.mts +4 -0
  832. package/dist/esm/util/authHostEnv-browser.d.mts.map +1 -0
  833. package/dist/esm/util/authHostEnv-browser.mjs +7 -0
  834. package/dist/esm/util/authHostEnv-browser.mjs.map +1 -0
  835. package/dist/esm/util/identityTokenEndpoint.d.ts +2 -0
  836. package/dist/esm/util/identityTokenEndpoint.d.ts.map +1 -0
  837. package/dist/esm/util/identityTokenEndpoint.js +11 -0
  838. package/dist/esm/util/identityTokenEndpoint.js.map +1 -0
  839. package/dist/esm/util/logging.d.ts +70 -0
  840. package/dist/esm/util/logging.d.ts.map +1 -0
  841. package/dist/esm/util/logging.js +94 -0
  842. package/dist/esm/util/logging.js.map +1 -0
  843. package/dist/esm/util/processMultiTenantRequest.d.ts +10 -0
  844. package/dist/esm/util/processMultiTenantRequest.d.ts.map +1 -0
  845. package/dist/esm/util/processMultiTenantRequest.js +35 -0
  846. package/dist/esm/util/processMultiTenantRequest.js.map +1 -0
  847. package/dist/esm/util/processUtils.d.ts +13 -0
  848. package/dist/esm/util/processUtils.d.ts.map +1 -0
  849. package/dist/esm/util/processUtils.js +32 -0
  850. package/dist/esm/util/processUtils.js.map +1 -0
  851. package/dist/esm/util/scopeUtils.d.ts +17 -0
  852. package/dist/esm/util/scopeUtils.d.ts.map +1 -0
  853. package/dist/esm/util/scopeUtils.js +29 -0
  854. package/dist/esm/util/scopeUtils.js.map +1 -0
  855. package/dist/esm/util/subscriptionUtils.d.ts +6 -0
  856. package/dist/esm/util/subscriptionUtils.d.ts.map +1 -0
  857. package/dist/esm/util/subscriptionUtils.js +14 -0
  858. package/dist/esm/util/subscriptionUtils.js.map +1 -0
  859. package/dist/esm/util/tenantIdUtils.d.ts +15 -0
  860. package/dist/esm/util/tenantIdUtils.d.ts.map +1 -0
  861. package/dist/esm/util/tenantIdUtils.js +44 -0
  862. package/dist/esm/util/tenantIdUtils.js.map +1 -0
  863. package/dist/esm/util/tracing.d.ts +6 -0
  864. package/dist/esm/util/tracing.d.ts.map +1 -0
  865. package/dist/esm/util/tracing.js +14 -0
  866. package/dist/esm/util/tracing.js.map +1 -0
  867. package/package.json +52 -63
  868. package/dist/index.js +0 -4200
  869. package/dist/index.js.map +0 -1
  870. package/dist-esm/src/client/identityClient.js +0 -248
  871. package/dist-esm/src/client/identityClient.js.map +0 -1
  872. package/dist-esm/src/credentials/authorizationCodeCredential.browser.js +0 -16
  873. package/dist-esm/src/credentials/authorizationCodeCredential.browser.js.map +0 -1
  874. package/dist-esm/src/credentials/authorizationCodeCredential.js +0 -60
  875. package/dist-esm/src/credentials/authorizationCodeCredential.js.map +0 -1
  876. package/dist-esm/src/credentials/authorizationCodeCredentialOptions.js.map +0 -1
  877. package/dist-esm/src/credentials/azureApplicationCredential.browser.js +0 -34
  878. package/dist-esm/src/credentials/azureApplicationCredential.browser.js.map +0 -1
  879. package/dist-esm/src/credentials/azureApplicationCredential.js +0 -32
  880. package/dist-esm/src/credentials/azureApplicationCredential.js.map +0 -1
  881. package/dist-esm/src/credentials/azureApplicationCredentialOptions.js.map +0 -1
  882. package/dist-esm/src/credentials/azureCliCredential.browser.js +0 -23
  883. package/dist-esm/src/credentials/azureCliCredential.browser.js.map +0 -1
  884. package/dist-esm/src/credentials/azureCliCredential.js +0 -189
  885. package/dist-esm/src/credentials/azureCliCredential.js.map +0 -1
  886. package/dist-esm/src/credentials/azureCliCredentialOptions.js.map +0 -1
  887. package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js +0 -23
  888. package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js.map +0 -1
  889. package/dist-esm/src/credentials/azureDeveloperCliCredential.js +0 -171
  890. package/dist-esm/src/credentials/azureDeveloperCliCredential.js.map +0 -1
  891. package/dist-esm/src/credentials/azureDeveloperCliCredentialOptions.js.map +0 -1
  892. package/dist-esm/src/credentials/azurePipelinesCredential.browser.js +0 -23
  893. package/dist-esm/src/credentials/azurePipelinesCredential.browser.js.map +0 -1
  894. package/dist-esm/src/credentials/azurePipelinesCredential.js +0 -141
  895. package/dist-esm/src/credentials/azurePipelinesCredential.js.map +0 -1
  896. package/dist-esm/src/credentials/azurePipelinesCredentialOptions.js.map +0 -1
  897. package/dist-esm/src/credentials/azurePowerShellCredential.browser.js +0 -22
  898. package/dist-esm/src/credentials/azurePowerShellCredential.browser.js.map +0 -1
  899. package/dist-esm/src/credentials/azurePowerShellCredential.js +0 -229
  900. package/dist-esm/src/credentials/azurePowerShellCredential.js.map +0 -1
  901. package/dist-esm/src/credentials/azurePowerShellCredentialOptions.js.map +0 -1
  902. package/dist-esm/src/credentials/brokerAuthOptions.js.map +0 -1
  903. package/dist-esm/src/credentials/chainedTokenCredential.js +0 -90
  904. package/dist-esm/src/credentials/chainedTokenCredential.js.map +0 -1
  905. package/dist-esm/src/credentials/clientAssertionCredential.browser.js +0 -22
  906. package/dist-esm/src/credentials/clientAssertionCredential.browser.js.map +0 -1
  907. package/dist-esm/src/credentials/clientAssertionCredential.js +0 -55
  908. package/dist-esm/src/credentials/clientAssertionCredential.js.map +0 -1
  909. package/dist-esm/src/credentials/clientAssertionCredentialOptions.js.map +0 -1
  910. package/dist-esm/src/credentials/clientCertificateCredential.browser.js +0 -23
  911. package/dist-esm/src/credentials/clientCertificateCredential.browser.js.map +0 -1
  912. package/dist-esm/src/credentials/clientCertificateCredential.js +0 -119
  913. package/dist-esm/src/credentials/clientCertificateCredential.js.map +0 -1
  914. package/dist-esm/src/credentials/clientCertificateCredentialOptions.js.map +0 -1
  915. package/dist-esm/src/credentials/clientSecretCredential.browser.js +0 -83
  916. package/dist-esm/src/credentials/clientSecretCredential.browser.js.map +0 -1
  917. package/dist-esm/src/credentials/clientSecretCredential.js +0 -60
  918. package/dist-esm/src/credentials/clientSecretCredential.js.map +0 -1
  919. package/dist-esm/src/credentials/clientSecretCredentialOptions.js.map +0 -1
  920. package/dist-esm/src/credentials/credentialPersistenceOptions.js.map +0 -1
  921. package/dist-esm/src/credentials/defaultAzureCredential.browser.js +0 -29
  922. package/dist-esm/src/credentials/defaultAzureCredential.browser.js.map +0 -1
  923. package/dist-esm/src/credentials/defaultAzureCredential.js +0 -164
  924. package/dist-esm/src/credentials/defaultAzureCredential.js.map +0 -1
  925. package/dist-esm/src/credentials/defaultAzureCredentialOptions.js.map +0 -1
  926. package/dist-esm/src/credentials/deviceCodeCredential.browser.js +0 -23
  927. package/dist-esm/src/credentials/deviceCodeCredential.browser.js.map +0 -1
  928. package/dist-esm/src/credentials/deviceCodeCredential.js +0 -91
  929. package/dist-esm/src/credentials/deviceCodeCredential.js.map +0 -1
  930. package/dist-esm/src/credentials/deviceCodeCredentialOptions.js.map +0 -1
  931. package/dist-esm/src/credentials/environmentCredential.browser.js +0 -23
  932. package/dist-esm/src/credentials/environmentCredential.browser.js.map +0 -1
  933. package/dist-esm/src/credentials/environmentCredential.js +0 -130
  934. package/dist-esm/src/credentials/environmentCredential.js.map +0 -1
  935. package/dist-esm/src/credentials/environmentCredentialOptions.js.map +0 -1
  936. package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js +0 -86
  937. package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js.map +0 -1
  938. package/dist-esm/src/credentials/interactiveBrowserCredential.js +0 -91
  939. package/dist-esm/src/credentials/interactiveBrowserCredential.js.map +0 -1
  940. package/dist-esm/src/credentials/interactiveBrowserCredentialOptions.js.map +0 -1
  941. package/dist-esm/src/credentials/interactiveCredentialOptions.js.map +0 -1
  942. package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js +0 -122
  943. package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js.map +0 -1
  944. package/dist-esm/src/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +0 -1
  945. package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js +0 -16
  946. package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js.map +0 -1
  947. package/dist-esm/src/credentials/managedIdentityCredential/index.js +0 -217
  948. package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +0 -1
  949. package/dist-esm/src/credentials/managedIdentityCredential/models.js.map +0 -1
  950. package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js +0 -32
  951. package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +0 -1
  952. package/dist-esm/src/credentials/multiTenantTokenCredentialOptions.js.map +0 -1
  953. package/dist-esm/src/credentials/onBehalfOfCredential.browser.js +0 -23
  954. package/dist-esm/src/credentials/onBehalfOfCredential.browser.js.map +0 -1
  955. package/dist-esm/src/credentials/onBehalfOfCredential.js +0 -112
  956. package/dist-esm/src/credentials/onBehalfOfCredential.js.map +0 -1
  957. package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js.map +0 -1
  958. package/dist-esm/src/credentials/usernamePasswordCredential.browser.js +0 -77
  959. package/dist-esm/src/credentials/usernamePasswordCredential.browser.js.map +0 -1
  960. package/dist-esm/src/credentials/usernamePasswordCredential.js +0 -67
  961. package/dist-esm/src/credentials/usernamePasswordCredential.js.map +0 -1
  962. package/dist-esm/src/credentials/usernamePasswordCredentialOptions.js.map +0 -1
  963. package/dist-esm/src/credentials/visualStudioCodeCredential.browser.js +0 -27
  964. package/dist-esm/src/credentials/visualStudioCodeCredential.browser.js.map +0 -1
  965. package/dist-esm/src/credentials/visualStudioCodeCredential.js +0 -190
  966. package/dist-esm/src/credentials/visualStudioCodeCredential.js.map +0 -1
  967. package/dist-esm/src/credentials/visualStudioCodeCredentialOptions.js.map +0 -1
  968. package/dist-esm/src/credentials/workloadIdentityCredential.browser.js +0 -27
  969. package/dist-esm/src/credentials/workloadIdentityCredential.browser.js.map +0 -1
  970. package/dist-esm/src/credentials/workloadIdentityCredential.js +0 -114
  971. package/dist-esm/src/credentials/workloadIdentityCredential.js.map +0 -1
  972. package/dist-esm/src/credentials/workloadIdentityCredentialOptions.js.map +0 -1
  973. package/dist-esm/src/index.js +0 -34
  974. package/dist-esm/src/index.js.map +0 -1
  975. package/dist-esm/src/msal/browserFlows/flows.js.map +0 -1
  976. package/dist-esm/src/msal/browserFlows/msalAuthCode.js +0 -203
  977. package/dist-esm/src/msal/browserFlows/msalAuthCode.js.map +0 -1
  978. package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js +0 -116
  979. package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +0 -1
  980. package/dist-esm/src/msal/credentials.js.map +0 -1
  981. package/dist-esm/src/msal/msal.browser.js +0 -5
  982. package/dist-esm/src/msal/msal.browser.js.map +0 -1
  983. package/dist-esm/src/msal/nodeFlows/msalClient.js +0 -484
  984. package/dist-esm/src/msal/nodeFlows/msalClient.js.map +0 -1
  985. package/dist-esm/src/msal/nodeFlows/msalPlugins.js +0 -87
  986. package/dist-esm/src/msal/nodeFlows/msalPlugins.js.map +0 -1
  987. package/dist-esm/src/msal/utils.js +0 -232
  988. package/dist-esm/src/msal/utils.js.map +0 -1
  989. package/dist-esm/src/plugins/consumer.browser.js +0 -7
  990. package/dist-esm/src/plugins/consumer.browser.js.map +0 -1
  991. package/dist-esm/src/plugins/consumer.js +0 -43
  992. package/dist-esm/src/plugins/consumer.js.map +0 -1
  993. package/dist-esm/src/plugins/provider.js.map +0 -1
  994. package/dist-esm/src/util/authHostEnv.browser.js +0 -7
  995. package/dist-esm/src/util/authHostEnv.browser.js.map +0 -1
  996. package/dist-esm/src/util/processMultiTenantRequest.browser.js +0 -29
  997. package/dist-esm/src/util/processMultiTenantRequest.browser.js.map +0 -1
  998. package/dist-esm/src/util/processMultiTenantRequest.js +0 -35
  999. package/dist-esm/src/util/processMultiTenantRequest.js.map +0 -1
  1000. package/dist-esm/src/util/scopeUtils.js +0 -29
  1001. package/dist-esm/src/util/scopeUtils.js.map +0 -1
  1002. package/dist-esm/src/util/subscriptionUtils.js +0 -14
  1003. package/dist-esm/src/util/subscriptionUtils.js.map +0 -1
  1004. package/dist-esm/src/util/tenantIdUtils.js +0 -44
  1005. package/dist-esm/src/util/tenantIdUtils.js.map +0 -1
  1006. package/dist-esm/src/util/tracing.js +0 -14
  1007. package/dist-esm/src/util/tracing.js.map +0 -1
  1008. /package/{dist-esm/src → dist/browser}/constants.js +0 -0
  1009. /package/{dist-esm/src → dist/browser}/constants.js.map +0 -0
  1010. /package/{dist-esm/src → dist/browser}/credentials/authorityValidationOptions.js +0 -0
  1011. /package/{dist-esm/src → dist/browser}/credentials/authorityValidationOptions.js.map +0 -0
  1012. /package/{dist-esm/src → dist/browser}/credentials/authorizationCodeCredentialOptions.js +0 -0
  1013. /package/{dist-esm/src → dist/browser}/credentials/azureApplicationCredentialOptions.js +0 -0
  1014. /package/{dist-esm/src → dist/browser}/credentials/azureCliCredentialOptions.js +0 -0
  1015. /package/{dist-esm/src → dist/browser}/credentials/azureDeveloperCliCredentialOptions.js +0 -0
  1016. /package/{dist-esm/src → dist/browser}/credentials/azurePipelinesCredentialOptions.js +0 -0
  1017. /package/{dist-esm/src → dist/browser}/credentials/azurePowerShellCredentialOptions.js +0 -0
  1018. /package/{dist-esm/src → dist/browser}/credentials/brokerAuthOptions.js +0 -0
  1019. /package/{dist-esm/src → dist/browser}/credentials/browserCustomizationOptions.js +0 -0
  1020. /package/{dist-esm/src → dist/browser}/credentials/browserCustomizationOptions.js.map +0 -0
  1021. /package/{dist-esm/src → dist/browser}/credentials/clientAssertionCredentialOptions.js +0 -0
  1022. /package/{dist-esm/src → dist/browser}/credentials/clientCertificateCredentialOptions.js +0 -0
  1023. /package/{dist-esm/src → dist/browser}/credentials/clientSecretCredentialOptions.js +0 -0
  1024. /package/{dist-esm/src → dist/browser}/credentials/credentialPersistenceOptions.js +0 -0
  1025. /package/{dist-esm/src → dist/browser}/credentials/defaultAzureCredentialOptions.js +0 -0
  1026. /package/{dist-esm/src → dist/browser}/credentials/deviceCodeCredentialOptions.js +0 -0
  1027. /package/{dist-esm/src → dist/browser}/credentials/environmentCredentialOptions.js +0 -0
  1028. /package/{dist-esm/src → dist/browser}/credentials/interactiveBrowserCredentialOptions.js +0 -0
  1029. /package/{dist-esm/src → dist/browser}/credentials/interactiveCredentialOptions.js +0 -0
  1030. /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/imdsRetryPolicy.js +0 -0
  1031. /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/models.js +0 -0
  1032. /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/utils.js +0 -0
  1033. /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/utils.js.map +0 -0
  1034. /package/{dist-esm/src → dist/browser}/credentials/multiTenantTokenCredentialOptions.js +0 -0
  1035. /package/{dist-esm/src → dist/browser}/credentials/onBehalfOfCredentialOptions.js +0 -0
  1036. /package/{dist-esm/src → dist/browser}/credentials/usernamePasswordCredentialOptions.js +0 -0
  1037. /package/{dist-esm/src → dist/browser}/credentials/visualStudioCodeCredentialOptions.js +0 -0
  1038. /package/{dist-esm/src → dist/browser}/credentials/visualStudioCodeCredentialPlugin.js +0 -0
  1039. /package/{dist-esm/src → dist/browser}/credentials/visualStudioCodeCredentialPlugin.js.map +0 -0
  1040. /package/{dist-esm/src → dist/browser}/credentials/workloadIdentityCredentialOptions.js +0 -0
  1041. /package/{dist-esm/src → dist/browser}/errors.js +0 -0
  1042. /package/{dist-esm/src → dist/browser}/errors.js.map +0 -0
  1043. /package/{dist-esm/src → dist/browser}/msal/browserFlows/flows.js +0 -0
  1044. /package/{dist-esm/src → dist/browser}/msal/credentials.js +0 -0
  1045. /package/{dist-esm/src → dist/browser}/msal/nodeFlows/brokerOptions.js +0 -0
  1046. /package/{dist-esm/src → dist/browser}/msal/nodeFlows/brokerOptions.js.map +0 -0
  1047. /package/{dist-esm/src → dist/browser}/msal/nodeFlows/tokenCachePersistenceOptions.js +0 -0
  1048. /package/{dist-esm/src → dist/browser}/msal/nodeFlows/tokenCachePersistenceOptions.js.map +0 -0
  1049. /package/{dist-esm/src → dist/browser}/msal/types.js +0 -0
  1050. /package/{dist-esm/src → dist/browser}/msal/types.js.map +0 -0
  1051. /package/{dist-esm/src → dist/browser}/plugins/provider.js +0 -0
  1052. /package/{dist-esm/src → dist/browser}/regionalAuthority.js +0 -0
  1053. /package/{dist-esm/src → dist/browser}/regionalAuthority.js.map +0 -0
  1054. /package/{dist-esm/src → dist/browser}/tokenCredentialOptions.js +0 -0
  1055. /package/{dist-esm/src → dist/browser}/tokenCredentialOptions.js.map +0 -0
  1056. /package/{dist-esm/src → dist/browser}/tokenProvider.js +0 -0
  1057. /package/{dist-esm/src → dist/browser}/tokenProvider.js.map +0 -0
  1058. /package/{dist-esm/src → dist/browser}/util/identityTokenEndpoint.js +0 -0
  1059. /package/{dist-esm/src → dist/browser}/util/identityTokenEndpoint.js.map +0 -0
  1060. /package/{dist-esm/src → dist/browser}/util/logging.js +0 -0
  1061. /package/{dist-esm/src → dist/browser}/util/logging.js.map +0 -0
  1062. /package/{dist-esm/src → dist/browser}/util/processUtils.js +0 -0
  1063. /package/{dist-esm/src → dist/browser}/util/processUtils.js.map +0 -0
  1064. /package/{dist-esm/src → dist/esm}/msal/msal.js +0 -0
  1065. /package/{dist-esm/src → dist/esm}/msal/msal.js.map +0 -0
  1066. /package/{types → dist}/identity.d.ts +0 -0
package/dist/index.js DELETED
@@ -1,4200 +0,0 @@
1
- 'use strict';
2
-
3
- Object.defineProperty(exports, '__esModule', { value: true });
4
-
5
- var logger$m = require('@azure/logger');
6
- var coreClient = require('@azure/core-client');
7
- var coreUtil = require('@azure/core-util');
8
- var coreRestPipeline = require('@azure/core-rest-pipeline');
9
- var coreTracing = require('@azure/core-tracing');
10
- var fs = require('fs');
11
- var os = require('os');
12
- var path = require('path');
13
- var msalCommon = require('@azure/msal-node');
14
- var abortController = require('@azure/abort-controller');
15
- var open = require('open');
16
- var promises = require('fs/promises');
17
- var child_process = require('child_process');
18
- var crypto = require('crypto');
19
- var node_crypto = require('node:crypto');
20
- var promises$1 = require('node:fs/promises');
21
-
22
- function _interopNamespaceDefault(e) {
23
- var n = Object.create(null);
24
- if (e) {
25
- Object.keys(e).forEach(function (k) {
26
- if (k !== 'default') {
27
- var d = Object.getOwnPropertyDescriptor(e, k);
28
- Object.defineProperty(n, k, d.get ? d : {
29
- enumerable: true,
30
- get: function () { return e[k]; }
31
- });
32
- }
33
- });
34
- }
35
- n.default = e;
36
- return Object.freeze(n);
37
- }
38
-
39
- var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
40
- var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
41
-
42
- // Copyright (c) Microsoft Corporation.
43
- // Licensed under the MIT License.
44
- /**
45
- * Current version of the `@azure/identity` package.
46
- */
47
- const SDK_VERSION = `4.5.1`;
48
- /**
49
- * The default client ID for authentication
50
- * @internal
51
- */
52
- // TODO: temporary - this is the Azure CLI clientID - we'll replace it when
53
- // Developer Sign On application is available
54
- // https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
55
- const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
56
- /**
57
- * The default tenant for authentication
58
- * @internal
59
- */
60
- const DefaultTenantId = "common";
61
- /**
62
- * A list of known Azure authority hosts
63
- */
64
- exports.AzureAuthorityHosts = void 0;
65
- (function (AzureAuthorityHosts) {
66
- /**
67
- * China-based Azure Authority Host
68
- */
69
- AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
70
- /**
71
- * Germany-based Azure Authority Host
72
- *
73
- * @deprecated Microsoft Cloud Germany was closed on October 29th, 2021.
74
- *
75
- * */
76
- AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
77
- /**
78
- * US Government Azure Authority Host
79
- */
80
- AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
81
- /**
82
- * Public Cloud Azure Authority Host
83
- */
84
- AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
85
- })(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
86
- /**
87
- * @internal
88
- * The default authority host.
89
- */
90
- const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
91
- /**
92
- * @internal
93
- * Allow acquiring tokens for any tenant for multi-tentant auth.
94
- */
95
- const ALL_TENANTS = ["*"];
96
- /**
97
- * @internal
98
- */
99
- const CACHE_CAE_SUFFIX = "cae";
100
- /**
101
- * @internal
102
- */
103
- const CACHE_NON_CAE_SUFFIX = "nocae";
104
- /**
105
- * @internal
106
- *
107
- * The default name for the cache persistence plugin.
108
- * Matches the constant defined in the cache persistence package.
109
- */
110
- const DEFAULT_TOKEN_CACHE_NAME = "msal.cache";
111
-
112
- // Copyright (c) Microsoft Corporation.
113
- // Licensed under the MIT License.
114
- /**
115
- * The current persistence provider, undefined by default.
116
- * @internal
117
- */
118
- let persistenceProvider = undefined;
119
- /**
120
- * An object that allows setting the persistence provider.
121
- * @internal
122
- */
123
- const msalNodeFlowCacheControl = {
124
- setPersistence(pluginProvider) {
125
- persistenceProvider = pluginProvider;
126
- },
127
- };
128
- /**
129
- * The current native broker provider, undefined by default.
130
- * @internal
131
- */
132
- let nativeBrokerInfo = undefined;
133
- /**
134
- * An object that allows setting the native broker provider.
135
- * @internal
136
- */
137
- const msalNodeFlowNativeBrokerControl = {
138
- setNativeBroker(broker) {
139
- nativeBrokerInfo = {
140
- broker,
141
- };
142
- },
143
- };
144
- /**
145
- * Configures plugins, validating that required plugins are available and enabled.
146
- *
147
- * Does not create the plugins themselves, but rather returns the configuration that will be used to create them.
148
- *
149
- * @param options - options for creating the MSAL client
150
- * @returns plugin configuration
151
- */
152
- function generatePluginConfiguration(options) {
153
- var _a, _b, _c, _d, _e, _f, _g;
154
- const config = {
155
- cache: {},
156
- broker: {
157
- isEnabled: (_b = (_a = options.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) !== null && _b !== void 0 ? _b : false,
158
- enableMsaPassthrough: (_d = (_c = options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough) !== null && _d !== void 0 ? _d : false,
159
- parentWindowHandle: (_e = options.brokerOptions) === null || _e === void 0 ? void 0 : _e.parentWindowHandle,
160
- },
161
- };
162
- if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
163
- if (persistenceProvider === undefined) {
164
- throw new Error([
165
- "Persistent token caching was requested, but no persistence provider was configured.",
166
- "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
167
- "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
168
- "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
169
- ].join(" "));
170
- }
171
- const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
172
- config.cache.cachePlugin = persistenceProvider(Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions));
173
- config.cache.cachePluginCae = persistenceProvider(Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions));
174
- }
175
- if ((_g = options.brokerOptions) === null || _g === void 0 ? void 0 : _g.enabled) {
176
- if (nativeBrokerInfo === undefined) {
177
- throw new Error([
178
- "Broker for WAM was requested to be enabled, but no native broker was configured.",
179
- "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
180
- "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
181
- "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
182
- ].join(" "));
183
- }
184
- config.broker.nativeBrokerPlugin = nativeBrokerInfo.broker;
185
- }
186
- return config;
187
- }
188
- /**
189
- * Wraps generatePluginConfiguration as a writeable property for test stubbing purposes.
190
- */
191
- const msalPlugins = {
192
- generatePluginConfiguration,
193
- };
194
-
195
- // Copyright (c) Microsoft Corporation.
196
- // Licensed under the MIT License.
197
- /**
198
- * The AzureLogger used for all clients within the identity package
199
- */
200
- const logger$l = logger$m.createClientLogger("identity");
201
- /**
202
- * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
203
- * @param supportedEnvVars - List of environment variable names
204
- */
205
- function processEnvVars(supportedEnvVars) {
206
- return supportedEnvVars.reduce((acc, envVariable) => {
207
- if (process.env[envVariable]) {
208
- acc.assigned.push(envVariable);
209
- }
210
- else {
211
- acc.missing.push(envVariable);
212
- }
213
- return acc;
214
- }, { missing: [], assigned: [] });
215
- }
216
- /**
217
- * Formatting the success event on the credentials
218
- */
219
- function formatSuccess(scope) {
220
- return `SUCCESS. Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
221
- }
222
- /**
223
- * Formatting the success event on the credentials
224
- */
225
- function formatError(scope, error) {
226
- let message = "ERROR.";
227
- if (scope === null || scope === void 0 ? void 0 : scope.length) {
228
- message += ` Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
229
- }
230
- return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
231
- }
232
- /**
233
- * Generates a CredentialLoggerInstance.
234
- *
235
- * It logs with the format:
236
- *
237
- * `[title] => [message]`
238
- *
239
- */
240
- function credentialLoggerInstance(title, parent, log = logger$l) {
241
- const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
242
- function info(message) {
243
- log.info(`${fullTitle} =>`, message);
244
- }
245
- function warning(message) {
246
- log.warning(`${fullTitle} =>`, message);
247
- }
248
- function verbose(message) {
249
- log.verbose(`${fullTitle} =>`, message);
250
- }
251
- function error(message) {
252
- log.error(`${fullTitle} =>`, message);
253
- }
254
- return {
255
- title,
256
- fullTitle,
257
- info,
258
- warning,
259
- verbose,
260
- error,
261
- };
262
- }
263
- /**
264
- * Generates a CredentialLogger, which is a logger declared at the credential's constructor, and used at any point in the credential.
265
- * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.
266
- *
267
- * It logs with the format:
268
- *
269
- * `[title] => [message]`
270
- * `[title] => getToken() => [message]`
271
- *
272
- */
273
- function credentialLogger(title, log = logger$l) {
274
- const credLogger = credentialLoggerInstance(title, undefined, log);
275
- return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
276
- }
277
-
278
- // Copyright (c) Microsoft Corporation.
279
- // Licensed under the MIT License.
280
- function isErrorResponse(errorResponse) {
281
- return (errorResponse &&
282
- typeof errorResponse.error === "string" &&
283
- typeof errorResponse.error_description === "string");
284
- }
285
- /**
286
- * The Error.name value of an CredentialUnavailable
287
- */
288
- const CredentialUnavailableErrorName = "CredentialUnavailableError";
289
- /**
290
- * This signifies that the credential that was tried in a chained credential
291
- * was not available to be used as the credential. Rather than treating this as
292
- * an error that should halt the chain, it's caught and the chain continues
293
- */
294
- class CredentialUnavailableError extends Error {
295
- constructor(message, options) {
296
- // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
297
- super(message, options);
298
- this.name = CredentialUnavailableErrorName;
299
- }
300
- }
301
- /**
302
- * The Error.name value of an AuthenticationError
303
- */
304
- const AuthenticationErrorName = "AuthenticationError";
305
- /**
306
- * Provides details about a failure to authenticate with Azure Active
307
- * Directory. The `errorResponse` field contains more details about
308
- * the specific failure.
309
- */
310
- class AuthenticationError extends Error {
311
- constructor(statusCode, errorBody, options) {
312
- let errorResponse = {
313
- error: "unknown",
314
- errorDescription: "An unknown error occurred and no additional details are available.",
315
- };
316
- if (isErrorResponse(errorBody)) {
317
- errorResponse = convertOAuthErrorResponseToErrorResponse(errorBody);
318
- }
319
- else if (typeof errorBody === "string") {
320
- try {
321
- // Most error responses will contain JSON-formatted error details
322
- // in the response body
323
- const oauthErrorResponse = JSON.parse(errorBody);
324
- errorResponse = convertOAuthErrorResponseToErrorResponse(oauthErrorResponse);
325
- }
326
- catch (e) {
327
- if (statusCode === 400) {
328
- errorResponse = {
329
- error: "invalid_request",
330
- errorDescription: `The service indicated that the request was invalid.\n\n${errorBody}`,
331
- };
332
- }
333
- else {
334
- errorResponse = {
335
- error: "unknown_error",
336
- errorDescription: `An unknown error has occurred. Response body:\n\n${errorBody}`,
337
- };
338
- }
339
- }
340
- }
341
- else {
342
- errorResponse = {
343
- error: "unknown_error",
344
- errorDescription: "An unknown error occurred and no additional details are available.",
345
- };
346
- }
347
- super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription},`,
348
- // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
349
- options);
350
- this.statusCode = statusCode;
351
- this.errorResponse = errorResponse;
352
- // Ensure that this type reports the correct name
353
- this.name = AuthenticationErrorName;
354
- }
355
- }
356
- /**
357
- * The Error.name value of an AggregateAuthenticationError
358
- */
359
- const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
360
- /**
361
- * Provides an `errors` array containing {@link AuthenticationError} instance
362
- * for authentication failures from credentials in a {@link ChainedTokenCredential}.
363
- */
364
- class AggregateAuthenticationError extends Error {
365
- constructor(errors, errorMessage) {
366
- const errorDetail = errors.join("\n");
367
- super(`${errorMessage}\n${errorDetail}`);
368
- this.errors = errors;
369
- // Ensure that this type reports the correct name
370
- this.name = AggregateAuthenticationErrorName;
371
- }
372
- }
373
- function convertOAuthErrorResponseToErrorResponse(errorBody) {
374
- return {
375
- error: errorBody.error,
376
- errorDescription: errorBody.error_description,
377
- correlationId: errorBody.correlation_id,
378
- errorCodes: errorBody.error_codes,
379
- timestamp: errorBody.timestamp,
380
- traceId: errorBody.trace_id,
381
- };
382
- }
383
- /**
384
- * Error used to enforce authentication after trying to retrieve a token silently.
385
- */
386
- class AuthenticationRequiredError extends Error {
387
- constructor(
388
- /**
389
- * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
390
- */
391
- options) {
392
- super(options.message,
393
- // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
394
- options.cause ? { cause: options.cause } : undefined);
395
- this.scopes = options.scopes;
396
- this.getTokenOptions = options.getTokenOptions;
397
- this.name = "AuthenticationRequiredError";
398
- }
399
- }
400
-
401
- // Copyright (c) Microsoft Corporation.
402
- // Licensed under the MIT License.
403
- function createConfigurationErrorMessage(tenantId) {
404
- return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
405
- }
406
- /**
407
- * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
408
- * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
409
- * or unless the original tenant Id is `adfs`.
410
- * @internal
411
- */
412
- function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = [], logger) {
413
- var _a;
414
- let resolvedTenantId;
415
- if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
416
- resolvedTenantId = tenantId;
417
- }
418
- else if (tenantId === "adfs") {
419
- resolvedTenantId = tenantId;
420
- }
421
- else {
422
- resolvedTenantId = (_a = getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) !== null && _a !== void 0 ? _a : tenantId;
423
- }
424
- if (tenantId &&
425
- resolvedTenantId !== tenantId &&
426
- !additionallyAllowedTenantIds.includes("*") &&
427
- !additionallyAllowedTenantIds.some((t) => t.localeCompare(resolvedTenantId) === 0)) {
428
- const message = createConfigurationErrorMessage(tenantId);
429
- logger === null || logger === void 0 ? void 0 : logger.info(message);
430
- throw new CredentialUnavailableError(message);
431
- }
432
- return resolvedTenantId;
433
- }
434
-
435
- // Copyright (c) Microsoft Corporation.
436
- // Licensed under the MIT License.
437
- /**
438
- * @internal
439
- */
440
- function checkTenantId(logger, tenantId) {
441
- if (!tenantId.match(/^[0-9a-zA-Z-.]+$/)) {
442
- const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names.");
443
- logger.info(formatError("", error));
444
- throw error;
445
- }
446
- }
447
- /**
448
- * @internal
449
- */
450
- function resolveTenantId(logger, tenantId, clientId) {
451
- if (tenantId) {
452
- checkTenantId(logger, tenantId);
453
- return tenantId;
454
- }
455
- if (!clientId) {
456
- clientId = DeveloperSignOnClientId;
457
- }
458
- if (clientId !== DeveloperSignOnClientId) {
459
- return "common";
460
- }
461
- return "organizations";
462
- }
463
- /**
464
- * @internal
465
- */
466
- function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
467
- if (!additionallyAllowedTenants || additionallyAllowedTenants.length === 0) {
468
- return [];
469
- }
470
- if (additionallyAllowedTenants.includes("*")) {
471
- return ALL_TENANTS;
472
- }
473
- return additionallyAllowedTenants;
474
- }
475
-
476
- // Copyright (c) Microsoft Corporation.
477
- // Licensed under the MIT License.
478
- function getIdentityTokenEndpointSuffix(tenantId) {
479
- if (tenantId === "adfs") {
480
- return "oauth2/token";
481
- }
482
- else {
483
- return "oauth2/v2.0/token";
484
- }
485
- }
486
-
487
- // Copyright (c) Microsoft Corporation.
488
- // Licensed under the MIT License.
489
- /**
490
- * Creates a span using the global tracer.
491
- * @internal
492
- */
493
- const tracingClient = coreTracing.createTracingClient({
494
- namespace: "Microsoft.AAD",
495
- packageName: "@azure/identity",
496
- packageVersion: SDK_VERSION,
497
- });
498
-
499
- // Copyright (c) Microsoft Corporation.
500
- // Licensed under the MIT License.
501
- const DefaultScopeSuffix = "/.default";
502
- /**
503
- * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
504
- * These are GET requests that require sending a `resource` parameter on the query.
505
- * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
506
- * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
507
- *
508
- * For that reason, when we encounter multiple scopes, we return undefined.
509
- * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
510
- */
511
- function mapScopesToResource(scopes) {
512
- let scope = "";
513
- if (Array.isArray(scopes)) {
514
- if (scopes.length !== 1) {
515
- return;
516
- }
517
- scope = scopes[0];
518
- }
519
- else if (typeof scopes === "string") {
520
- scope = scopes;
521
- }
522
- if (!scope.endsWith(DefaultScopeSuffix)) {
523
- return scope;
524
- }
525
- return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
526
- }
527
- /**
528
- * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
529
- * @param body - A parsed response body from the authentication endpoint.
530
- */
531
- function parseExpirationTimestamp(body) {
532
- if (typeof body.expires_on === "number") {
533
- return body.expires_on * 1000;
534
- }
535
- if (typeof body.expires_on === "string") {
536
- const asNumber = +body.expires_on;
537
- if (!isNaN(asNumber)) {
538
- return asNumber * 1000;
539
- }
540
- const asDate = Date.parse(body.expires_on);
541
- if (!isNaN(asDate)) {
542
- return asDate;
543
- }
544
- }
545
- if (typeof body.expires_in === "number") {
546
- return Date.now() + body.expires_in * 1000;
547
- }
548
- throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
549
- }
550
- /**
551
- * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
552
- * @param body - A parsed response body from the authentication endpoint.
553
- */
554
- function parseRefreshTimestamp(body) {
555
- if (body.refresh_on) {
556
- if (typeof body.refresh_on === "number") {
557
- return body.refresh_on * 1000;
558
- }
559
- if (typeof body.refresh_on === "string") {
560
- const asNumber = +body.refresh_on;
561
- if (!isNaN(asNumber)) {
562
- return asNumber * 1000;
563
- }
564
- const asDate = Date.parse(body.refresh_on);
565
- if (!isNaN(asDate)) {
566
- return asDate;
567
- }
568
- }
569
- throw new Error(`Failed to parse refresh_on from body. refresh_on="${body.refresh_on}"`);
570
- }
571
- else {
572
- return undefined;
573
- }
574
- }
575
-
576
- // Copyright (c) Microsoft Corporation.
577
- // Licensed under the MIT License.
578
- const noCorrelationId = "noCorrelationId";
579
- /**
580
- * @internal
581
- */
582
- function getIdentityClientAuthorityHost(options) {
583
- // The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
584
- let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
585
- // The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
586
- if (coreUtil.isNode) {
587
- authorityHost = authorityHost !== null && authorityHost !== void 0 ? authorityHost : process.env.AZURE_AUTHORITY_HOST;
588
- }
589
- // If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
590
- return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
591
- }
592
- /**
593
- * The network module used by the Identity credentials.
594
- *
595
- * It allows for credentials to abort any pending request independently of the MSAL flow,
596
- * by calling to the `abortRequests()` method.
597
- *
598
- */
599
- class IdentityClient extends coreClient.ServiceClient {
600
- constructor(options) {
601
- var _a, _b;
602
- const packageDetails = `azsdk-js-identity/${SDK_VERSION}`;
603
- const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
604
- ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
605
- : `${packageDetails}`;
606
- const baseUri = getIdentityClientAuthorityHost(options);
607
- if (!baseUri.startsWith("https:")) {
608
- throw new Error("The authorityHost address must use the 'https' protocol.");
609
- }
610
- super(Object.assign(Object.assign({ requestContentType: "application/json; charset=utf-8", retryOptions: {
611
- maxRetries: 3,
612
- } }, options), { userAgentOptions: {
613
- userAgentPrefix,
614
- }, baseUri }));
615
- this.allowInsecureConnection = false;
616
- this.authorityHost = baseUri;
617
- this.abortControllers = new Map();
618
- this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
619
- // used for WorkloadIdentity
620
- this.tokenCredentialOptions = Object.assign({}, options);
621
- // used for ManagedIdentity
622
- if (options === null || options === void 0 ? void 0 : options.allowInsecureConnection) {
623
- this.allowInsecureConnection = options.allowInsecureConnection;
624
- }
625
- }
626
- async sendTokenRequest(request) {
627
- logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
628
- const response = await this.sendRequest(request);
629
- if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
630
- const parsedBody = JSON.parse(response.bodyAsText);
631
- if (!parsedBody.access_token) {
632
- return null;
633
- }
634
- this.logIdentifiers(response);
635
- const token = {
636
- accessToken: {
637
- token: parsedBody.access_token,
638
- expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
639
- refreshAfterTimestamp: parseRefreshTimestamp(parsedBody),
640
- tokenType: "Bearer",
641
- },
642
- refreshToken: parsedBody.refresh_token,
643
- };
644
- logger$l.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
645
- return token;
646
- }
647
- else {
648
- const error = new AuthenticationError(response.status, response.bodyAsText);
649
- logger$l.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
650
- throw error;
651
- }
652
- }
653
- async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, options = {}) {
654
- if (refreshToken === undefined) {
655
- return null;
656
- }
657
- logger$l.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
658
- const refreshParams = {
659
- grant_type: "refresh_token",
660
- client_id: clientId,
661
- refresh_token: refreshToken,
662
- scope: scopes,
663
- };
664
- if (clientSecret !== undefined) {
665
- refreshParams.client_secret = clientSecret;
666
- }
667
- const query = new URLSearchParams(refreshParams);
668
- return tracingClient.withSpan("IdentityClient.refreshAccessToken", options, async (updatedOptions) => {
669
- try {
670
- const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
671
- const request = coreRestPipeline.createPipelineRequest({
672
- url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
673
- method: "POST",
674
- body: query.toString(),
675
- abortSignal: options.abortSignal,
676
- headers: coreRestPipeline.createHttpHeaders({
677
- Accept: "application/json",
678
- "Content-Type": "application/x-www-form-urlencoded",
679
- }),
680
- tracingOptions: updatedOptions.tracingOptions,
681
- });
682
- const response = await this.sendTokenRequest(request);
683
- logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
684
- return response;
685
- }
686
- catch (err) {
687
- if (err.name === AuthenticationErrorName &&
688
- err.errorResponse.error === "interaction_required") {
689
- // It's likely that the refresh token has expired, so
690
- // return null so that the credential implementation will
691
- // initiate the authentication flow again.
692
- logger$l.info(`IdentityClient: interaction required for client ID: ${clientId}`);
693
- return null;
694
- }
695
- else {
696
- logger$l.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
697
- throw err;
698
- }
699
- }
700
- });
701
- }
702
- // Here is a custom layer that allows us to abort requests that go through MSAL,
703
- // since MSAL doesn't allow us to pass options all the way through.
704
- generateAbortSignal(correlationId) {
705
- const controller = new AbortController();
706
- const controllers = this.abortControllers.get(correlationId) || [];
707
- controllers.push(controller);
708
- this.abortControllers.set(correlationId, controllers);
709
- const existingOnAbort = controller.signal.onabort;
710
- controller.signal.onabort = (...params) => {
711
- this.abortControllers.set(correlationId, undefined);
712
- if (existingOnAbort) {
713
- existingOnAbort.apply(controller.signal, params);
714
- }
715
- };
716
- return controller.signal;
717
- }
718
- abortRequests(correlationId) {
719
- const key = correlationId || noCorrelationId;
720
- const controllers = [
721
- ...(this.abortControllers.get(key) || []),
722
- // MSAL passes no correlation ID to the get requests...
723
- ...(this.abortControllers.get(noCorrelationId) || []),
724
- ];
725
- if (!controllers.length) {
726
- return;
727
- }
728
- for (const controller of controllers) {
729
- controller.abort();
730
- }
731
- this.abortControllers.set(key, undefined);
732
- }
733
- getCorrelationId(options) {
734
- var _a;
735
- const parameter = (_a = options === null || options === void 0 ? void 0 : options.body) === null || _a === void 0 ? void 0 : _a.split("&").map((part) => part.split("=")).find(([key]) => key === "client-request-id");
736
- return parameter && parameter.length ? parameter[1] || noCorrelationId : noCorrelationId;
737
- }
738
- // The MSAL network module methods follow
739
- async sendGetRequestAsync(url, options) {
740
- const request = coreRestPipeline.createPipelineRequest({
741
- url,
742
- method: "GET",
743
- body: options === null || options === void 0 ? void 0 : options.body,
744
- allowInsecureConnection: this.allowInsecureConnection,
745
- headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
746
- abortSignal: this.generateAbortSignal(noCorrelationId),
747
- });
748
- const response = await this.sendRequest(request);
749
- this.logIdentifiers(response);
750
- return {
751
- body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
752
- headers: response.headers.toJSON(),
753
- status: response.status,
754
- };
755
- }
756
- async sendPostRequestAsync(url, options) {
757
- const request = coreRestPipeline.createPipelineRequest({
758
- url,
759
- method: "POST",
760
- body: options === null || options === void 0 ? void 0 : options.body,
761
- headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
762
- allowInsecureConnection: this.allowInsecureConnection,
763
- // MSAL doesn't send the correlation ID on the get requests.
764
- abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
765
- });
766
- const response = await this.sendRequest(request);
767
- this.logIdentifiers(response);
768
- return {
769
- body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
770
- headers: response.headers.toJSON(),
771
- status: response.status,
772
- };
773
- }
774
- /**
775
- *
776
- * @internal
777
- */
778
- getTokenCredentialOptions() {
779
- return this.tokenCredentialOptions;
780
- }
781
- /**
782
- * If allowLoggingAccountIdentifiers was set on the constructor options
783
- * we try to log the account identifiers by parsing the received access token.
784
- *
785
- * The account identifiers we try to log are:
786
- * - `appid`: The application or Client Identifier.
787
- * - `upn`: User Principal Name.
788
- * - It might not be available in some authentication scenarios.
789
- * - If it's not available, we put a placeholder: "No User Principal Name available".
790
- * - `tid`: Tenant Identifier.
791
- * - `oid`: Object Identifier of the authenticated user.
792
- */
793
- logIdentifiers(response) {
794
- if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
795
- return;
796
- }
797
- const unavailableUpn = "No User Principal Name available";
798
- try {
799
- const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
800
- const accessToken = parsed.access_token;
801
- if (!accessToken) {
802
- // Without an access token allowLoggingAccountIdentifiers isn't useful.
803
- return;
804
- }
805
- const base64Metadata = accessToken.split(".")[1];
806
- const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
807
- logger$l.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
808
- }
809
- catch (e) {
810
- logger$l.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
811
- }
812
- }
813
- }
814
-
815
- // Copyright (c) Microsoft Corporation.
816
- // Licensed under the MIT License.
817
- const CommonTenantId = "common";
818
- const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
819
- const logger$k = credentialLogger("VisualStudioCodeCredential");
820
- let findCredentials = undefined;
821
- const vsCodeCredentialControl = {
822
- setVsCodeCredentialFinder(finder) {
823
- findCredentials = finder;
824
- },
825
- };
826
- // Map of unsupported Tenant IDs and the errors we will be throwing.
827
- const unsupportedTenantIds = {
828
- adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants.",
829
- };
830
- function checkUnsupportedTenant(tenantId) {
831
- // If the Tenant ID isn't supported, we throw.
832
- const unsupportedTenantError = unsupportedTenantIds[tenantId];
833
- if (unsupportedTenantError) {
834
- throw new CredentialUnavailableError(unsupportedTenantError);
835
- }
836
- }
837
- const mapVSCodeAuthorityHosts = {
838
- AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
839
- AzureChina: exports.AzureAuthorityHosts.AzureChina,
840
- AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
841
- AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment,
842
- };
843
- /**
844
- * Attempts to load a specific property from the VSCode configurations of the current OS.
845
- * If it fails at any point, returns undefined.
846
- */
847
- function getPropertyFromVSCode(property) {
848
- const settingsPath = ["User", "settings.json"];
849
- // Eventually we can add more folders for more versions of VSCode.
850
- const vsCodeFolder = "Code";
851
- const homedir = os.homedir();
852
- function loadProperty(...pathSegments) {
853
- const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
854
- const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
855
- return settings[property];
856
- }
857
- try {
858
- let appData;
859
- switch (process.platform) {
860
- case "win32":
861
- appData = process.env.APPDATA;
862
- return appData ? loadProperty(appData) : undefined;
863
- case "darwin":
864
- return loadProperty(homedir, "Library", "Application Support");
865
- case "linux":
866
- return loadProperty(homedir, ".config");
867
- default:
868
- return;
869
- }
870
- }
871
- catch (e) {
872
- logger$k.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
873
- return;
874
- }
875
- }
876
- /**
877
- * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
878
- * Once the user has logged in via the extension, this credential can share the same refresh token
879
- * that is cached by the extension.
880
- *
881
- * It's a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500) that this credential doesn't
882
- * work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
883
- * versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider
884
- * authenticating with {@link AzureCliCredential}.
885
- */
886
- class VisualStudioCodeCredential {
887
- /**
888
- * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
889
- *
890
- * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
891
- * `@azure/identity-vscode`. If this package is not installed and registered
892
- * using the plugin API (`useIdentityPlugin`), then authentication using
893
- * `VisualStudioCodeCredential` will not be available.
894
- *
895
- * @param options - Options for configuring the client which makes the authentication request.
896
- */
897
- constructor(options) {
898
- // We want to make sure we use the one assigned by the user on the VSCode settings.
899
- // Or just `AzureCloud` by default.
900
- this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
901
- // Picking an authority host based on the cloud name.
902
- const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
903
- this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
904
- if (options && options.tenantId) {
905
- checkTenantId(logger$k, options.tenantId);
906
- this.tenantId = options.tenantId;
907
- }
908
- else {
909
- this.tenantId = CommonTenantId;
910
- }
911
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
912
- checkUnsupportedTenant(this.tenantId);
913
- }
914
- /**
915
- * Runs preparations for any further getToken request.
916
- */
917
- async prepare() {
918
- // Attempts to load the tenant from the VSCode configuration file.
919
- const settingsTenant = getPropertyFromVSCode("azure.tenant");
920
- if (settingsTenant) {
921
- this.tenantId = settingsTenant;
922
- }
923
- checkUnsupportedTenant(this.tenantId);
924
- }
925
- /**
926
- * Runs preparations for any further getToken, but only once.
927
- */
928
- prepareOnce() {
929
- if (!this.preparePromise) {
930
- this.preparePromise = this.prepare();
931
- }
932
- return this.preparePromise;
933
- }
934
- /**
935
- * Returns the token found by searching VSCode's authentication cache or
936
- * returns null if no token could be found.
937
- *
938
- * @param scopes - The list of scopes for which the token will have access.
939
- * @param options - The options used to configure any requests this
940
- * `TokenCredential` implementation might make.
941
- */
942
- async getToken(scopes, options) {
943
- var _a, _b;
944
- await this.prepareOnce();
945
- const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$k) || this.tenantId;
946
- if (findCredentials === undefined) {
947
- throw new CredentialUnavailableError([
948
- "No implementation of `VisualStudioCodeCredential` is available.",
949
- "You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
950
- "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
951
- "`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`.",
952
- "To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.",
953
- ].join(" "));
954
- }
955
- let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
956
- // Check to make sure the scope we get back is a valid scope
957
- if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
958
- const error = new Error("Invalid scope was specified by the user or calling client");
959
- logger$k.getToken.info(formatError(scopes, error));
960
- throw error;
961
- }
962
- if (scopeString.indexOf("offline_access") < 0) {
963
- scopeString += " offline_access";
964
- }
965
- // findCredentials returns an array similar to:
966
- // [
967
- // {
968
- // account: "",
969
- // password: "",
970
- // },
971
- // /* ... */
972
- // ]
973
- const credentials = await findCredentials();
974
- // If we can't find the credential based on the name, we'll pick the first one available.
975
- const { password: refreshToken } = (_b = (_a = credentials.find(({ account }) => account === this.cloudName)) !== null && _a !== void 0 ? _a : credentials[0]) !== null && _b !== void 0 ? _b : {};
976
- if (refreshToken) {
977
- const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
978
- if (tokenResponse) {
979
- logger$k.getToken.info(formatSuccess(scopes));
980
- return tokenResponse.accessToken;
981
- }
982
- else {
983
- const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
984
- logger$k.getToken.info(formatError(scopes, error));
985
- throw error;
986
- }
987
- }
988
- else {
989
- const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
990
- logger$k.getToken.info(formatError(scopes, error));
991
- throw error;
992
- }
993
- }
994
- }
995
-
996
- // Copyright (c) Microsoft Corporation.
997
- // Licensed under the MIT License.
998
- /**
999
- * The context passed to an Identity plugin. This contains objects that
1000
- * plugins can use to set backend implementations.
1001
- * @internal
1002
- */
1003
- const pluginContext = {
1004
- cachePluginControl: msalNodeFlowCacheControl,
1005
- nativeBrokerPluginControl: msalNodeFlowNativeBrokerControl,
1006
- vsCodeCredentialControl: vsCodeCredentialControl,
1007
- };
1008
- /**
1009
- * Extend Azure Identity with additional functionality. Pass a plugin from
1010
- * a plugin package, such as:
1011
- *
1012
- * - `@azure/identity-cache-persistence`: provides persistent token caching
1013
- * - `@azure/identity-vscode`: provides the dependencies of
1014
- * `VisualStudioCodeCredential` and enables it
1015
- *
1016
- * Example:
1017
- *
1018
- * ```ts snippet:consumer_example
1019
- * import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
1020
- *
1021
- * useIdentityPlugin(cachePersistencePlugin);
1022
- * // The plugin has the capability to extend `DeviceCodeCredential` and to
1023
- * // add middleware to the underlying credentials, such as persistence.
1024
- * const credential = new DeviceCodeCredential({
1025
- * tokenCachePersistenceOptions: {
1026
- * enabled: true,
1027
- * },
1028
- * });
1029
- * ```
1030
- *
1031
- * @param plugin - the plugin to register
1032
- */
1033
- function useIdentityPlugin(plugin) {
1034
- plugin(pluginContext);
1035
- }
1036
-
1037
- // Copyright (c) Microsoft Corporation.
1038
- // Licensed under the MIT License.
1039
- /**
1040
- * @internal
1041
- */
1042
- const logger$j = credentialLogger("IdentityUtils");
1043
- /**
1044
- * Latest AuthenticationRecord version
1045
- * @internal
1046
- */
1047
- const LatestAuthenticationRecordVersion = "1.0";
1048
- /**
1049
- * Ensures the validity of the MSAL token
1050
- * @internal
1051
- */
1052
- function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
1053
- const error = (message) => {
1054
- logger$j.getToken.info(message);
1055
- return new AuthenticationRequiredError({
1056
- scopes: Array.isArray(scopes) ? scopes : [scopes],
1057
- getTokenOptions,
1058
- message,
1059
- });
1060
- };
1061
- if (!msalToken) {
1062
- throw error("No response");
1063
- }
1064
- if (!msalToken.expiresOn) {
1065
- throw error(`Response had no "expiresOn" property.`);
1066
- }
1067
- if (!msalToken.accessToken) {
1068
- throw error(`Response had no "accessToken" property.`);
1069
- }
1070
- }
1071
- /**
1072
- * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.
1073
- *
1074
- * Defaults to {@link DefaultAuthorityHost}.
1075
- * @internal
1076
- */
1077
- function getAuthorityHost(options) {
1078
- let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
1079
- if (!authorityHost && coreUtil.isNodeLike) {
1080
- authorityHost = process.env.AZURE_AUTHORITY_HOST;
1081
- }
1082
- return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
1083
- }
1084
- /**
1085
- * Generates a valid authority by combining a host with a tenantId.
1086
- * @internal
1087
- */
1088
- function getAuthority(tenantId, host) {
1089
- if (!host) {
1090
- host = DefaultAuthorityHost;
1091
- }
1092
- if (new RegExp(`${tenantId}/?$`).test(host)) {
1093
- return host;
1094
- }
1095
- if (host.endsWith("/")) {
1096
- return host + tenantId;
1097
- }
1098
- else {
1099
- return `${host}/${tenantId}`;
1100
- }
1101
- }
1102
- /**
1103
- * Generates the known authorities.
1104
- * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
1105
- * For that reason, we have to force MSAL to disable validating the authority
1106
- * by sending it within the known authorities in the MSAL configuration.
1107
- * @internal
1108
- */
1109
- function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery) {
1110
- if ((tenantId === "adfs" && authorityHost) || disableInstanceDiscovery) {
1111
- return [authorityHost];
1112
- }
1113
- return [];
1114
- }
1115
- /**
1116
- * Generates a logger that can be passed to the MSAL clients.
1117
- * @param credLogger - The logger of the credential.
1118
- * @internal
1119
- */
1120
- const defaultLoggerCallback = (credLogger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
1121
- if (containsPii) {
1122
- return;
1123
- }
1124
- switch (level) {
1125
- case msalCommon__namespace.LogLevel.Error:
1126
- credLogger.info(`MSAL ${platform} V2 error: ${message}`);
1127
- return;
1128
- case msalCommon__namespace.LogLevel.Info:
1129
- credLogger.info(`MSAL ${platform} V2 info message: ${message}`);
1130
- return;
1131
- case msalCommon__namespace.LogLevel.Verbose:
1132
- credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);
1133
- return;
1134
- case msalCommon__namespace.LogLevel.Warning:
1135
- credLogger.info(`MSAL ${platform} V2 warning: ${message}`);
1136
- return;
1137
- }
1138
- };
1139
- /**
1140
- * @internal
1141
- */
1142
- function getMSALLogLevel(logLevel) {
1143
- switch (logLevel) {
1144
- case "error":
1145
- return msalCommon__namespace.LogLevel.Error;
1146
- case "info":
1147
- return msalCommon__namespace.LogLevel.Info;
1148
- case "verbose":
1149
- return msalCommon__namespace.LogLevel.Verbose;
1150
- case "warning":
1151
- return msalCommon__namespace.LogLevel.Warning;
1152
- default:
1153
- // default msal logging level should be Info
1154
- return msalCommon__namespace.LogLevel.Info;
1155
- }
1156
- }
1157
- /**
1158
- * Handles MSAL errors.
1159
- */
1160
- function handleMsalError(scopes, error, getTokenOptions) {
1161
- if (error.name === "AuthError" ||
1162
- error.name === "ClientAuthError" ||
1163
- error.name === "BrowserAuthError") {
1164
- const msalError = error;
1165
- switch (msalError.errorCode) {
1166
- case "endpoints_resolution_error":
1167
- logger$j.info(formatError(scopes, error.message));
1168
- return new CredentialUnavailableError(error.message);
1169
- case "device_code_polling_cancelled":
1170
- return new abortController.AbortError("The authentication has been aborted by the caller.");
1171
- case "consent_required":
1172
- case "interaction_required":
1173
- case "login_required":
1174
- logger$j.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
1175
- break;
1176
- default:
1177
- logger$j.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
1178
- break;
1179
- }
1180
- }
1181
- if (error.name === "ClientConfigurationError" ||
1182
- error.name === "BrowserConfigurationAuthError" ||
1183
- error.name === "AbortError" ||
1184
- error.name === "AuthenticationError") {
1185
- return error;
1186
- }
1187
- if (error.name === "NativeAuthError") {
1188
- logger$j.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
1189
- return error;
1190
- }
1191
- return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
1192
- }
1193
- // transformations.ts
1194
- function publicToMsal(account) {
1195
- const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
1196
- return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
1197
- }
1198
- function msalToPublic(clientId, account) {
1199
- const record = {
1200
- authority: getAuthority(account.tenantId, account.environment),
1201
- homeAccountId: account.homeAccountId,
1202
- tenantId: account.tenantId || DefaultTenantId,
1203
- username: account.username,
1204
- clientId,
1205
- version: LatestAuthenticationRecordVersion,
1206
- };
1207
- return record;
1208
- }
1209
- /**
1210
- * Serializes an `AuthenticationRecord` into a string.
1211
- *
1212
- * The output of a serialized authentication record will contain the following properties:
1213
- *
1214
- * - "authority"
1215
- * - "homeAccountId"
1216
- * - "clientId"
1217
- * - "tenantId"
1218
- * - "username"
1219
- * - "version"
1220
- *
1221
- * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
1222
- */
1223
- function serializeAuthenticationRecord(record) {
1224
- return JSON.stringify(record);
1225
- }
1226
- /**
1227
- * Deserializes a previously serialized authentication record from a string into an object.
1228
- *
1229
- * The input string must contain the following properties:
1230
- *
1231
- * - "authority"
1232
- * - "homeAccountId"
1233
- * - "clientId"
1234
- * - "tenantId"
1235
- * - "username"
1236
- * - "version"
1237
- *
1238
- * If the version we receive is unsupported, an error will be thrown.
1239
- *
1240
- * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
1241
- *
1242
- * @param serializedRecord - Authentication record previously serialized into string.
1243
- * @returns AuthenticationRecord.
1244
- */
1245
- function deserializeAuthenticationRecord(serializedRecord) {
1246
- const parsed = JSON.parse(serializedRecord);
1247
- if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
1248
- throw Error("Unsupported AuthenticationRecord version");
1249
- }
1250
- return parsed;
1251
- }
1252
-
1253
- // Copyright (c) Microsoft Corporation.
1254
- // Licensed under the MIT License.
1255
- // Matches the default retry configuration in expontentialRetryStrategy.ts
1256
- const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
1257
- /**
1258
- * An additional policy that retries on 404 errors. The default retry policy does not retry on
1259
- * 404s, but the IMDS endpoint can return 404s when the token is not yet available. This policy
1260
- * will retry on 404s with an exponential backoff.
1261
- *
1262
- * @param msiRetryConfig - The retry configuration for the MSI credential.
1263
- * @returns - The policy that will retry on 404s.
1264
- */
1265
- function imdsRetryPolicy(msiRetryConfig) {
1266
- return coreRestPipeline.retryPolicy([
1267
- {
1268
- name: "imdsRetryPolicy",
1269
- retry: ({ retryCount, response }) => {
1270
- if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
1271
- return { skipStrategy: true };
1272
- }
1273
- return coreUtil.calculateRetryDelay(retryCount, {
1274
- retryDelayInMs: msiRetryConfig.startDelayInMs,
1275
- maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
1276
- });
1277
- },
1278
- },
1279
- ], {
1280
- maxRetries: msiRetryConfig.maxRetries,
1281
- });
1282
- }
1283
-
1284
- // Copyright (c) Microsoft Corporation.
1285
- // Licensed under the MIT License.
1286
- const msiName$1 = "ManagedIdentityCredential - IMDS";
1287
- const logger$i = credentialLogger(msiName$1);
1288
- const imdsHost = "http://169.254.169.254";
1289
- const imdsEndpointPath = "/metadata/identity/oauth2/token";
1290
- const imdsApiVersion = "2018-02-01";
1291
- /**
1292
- * Generates the options used on the request for an access token.
1293
- */
1294
- function prepareRequestOptions(scopes, clientId, resourceId, options) {
1295
- var _a;
1296
- const resource = mapScopesToResource(scopes);
1297
- if (!resource) {
1298
- throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
1299
- }
1300
- const { skipQuery, skipMetadataHeader } = options || {};
1301
- let query = "";
1302
- // Pod Identity will try to process this request even if the Metadata header is missing.
1303
- // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
1304
- if (!skipQuery) {
1305
- const queryParameters = {
1306
- resource,
1307
- "api-version": imdsApiVersion,
1308
- };
1309
- if (clientId) {
1310
- queryParameters.client_id = clientId;
1311
- }
1312
- if (resourceId) {
1313
- queryParameters.msi_res_id = resourceId;
1314
- }
1315
- const params = new URLSearchParams(queryParameters);
1316
- query = `?${params.toString()}`;
1317
- }
1318
- const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
1319
- const rawHeaders = {
1320
- Accept: "application/json",
1321
- Metadata: "true",
1322
- };
1323
- // Remove the Metadata header to invoke a request error from some IMDS endpoints.
1324
- if (skipMetadataHeader) {
1325
- delete rawHeaders.Metadata;
1326
- }
1327
- return {
1328
- // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
1329
- url: `${url}${query}`,
1330
- method: "GET",
1331
- headers: coreRestPipeline.createHttpHeaders(rawHeaders),
1332
- };
1333
- }
1334
- /**
1335
- * Defines how to determine whether the Azure IMDS MSI is available.
1336
- *
1337
- * Actually getting the token once we determine IMDS is available is handled by MSAL.
1338
- */
1339
- const imdsMsi = {
1340
- name: "imdsMsi",
1341
- async isAvailable(options) {
1342
- const { scopes, identityClient, clientId, resourceId, getTokenOptions } = options;
1343
- const resource = mapScopesToResource(scopes);
1344
- if (!resource) {
1345
- logger$i.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
1346
- return false;
1347
- }
1348
- // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
1349
- if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
1350
- return true;
1351
- }
1352
- if (!identityClient) {
1353
- throw new Error("Missing IdentityClient");
1354
- }
1355
- const requestOptions = prepareRequestOptions(resource, clientId, resourceId, {
1356
- skipMetadataHeader: true,
1357
- skipQuery: true,
1358
- });
1359
- return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions !== null && getTokenOptions !== void 0 ? getTokenOptions : {}, async (updatedOptions) => {
1360
- var _a, _b;
1361
- requestOptions.tracingOptions = updatedOptions.tracingOptions;
1362
- // Create a request with a timeout since we expect that
1363
- // not having a "Metadata" header should cause an error to be
1364
- // returned quickly from the endpoint, proving its availability.
1365
- const request = coreRestPipeline.createPipelineRequest(requestOptions);
1366
- // Default to 1000 if the default of 0 is used.
1367
- // Negative values can still be used to disable the timeout.
1368
- request.timeout = ((_a = updatedOptions.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
1369
- // This MSI uses the imdsEndpoint to get the token, which only uses http://
1370
- request.allowInsecureConnection = true;
1371
- let response;
1372
- try {
1373
- logger$i.info(`${msiName$1}: Pinging the Azure IMDS endpoint`);
1374
- response = await identityClient.sendRequest(request);
1375
- }
1376
- catch (err) {
1377
- // If the request failed, or Node.js was unable to establish a connection,
1378
- // or the host was down, we'll assume the IMDS endpoint isn't available.
1379
- if (coreUtil.isError(err)) {
1380
- logger$i.verbose(`${msiName$1}: Caught error ${err.name}: ${err.message}`);
1381
- }
1382
- // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
1383
- // rather than just timing out, as expected.
1384
- logger$i.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
1385
- return false;
1386
- }
1387
- if (response.status === 403) {
1388
- if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("unreachable")) {
1389
- logger$i.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
1390
- logger$i.info(`${msiName$1}: ${response.bodyAsText}`);
1391
- return false;
1392
- }
1393
- }
1394
- // If we received any response, the endpoint is available
1395
- logger$i.info(`${msiName$1}: The Azure IMDS endpoint is available`);
1396
- return true;
1397
- });
1398
- },
1399
- };
1400
-
1401
- // Copyright (c) Microsoft Corporation.
1402
- // Licensed under the MIT License.
1403
- /**
1404
- * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
1405
- */
1406
- var RegionalAuthority;
1407
- (function (RegionalAuthority) {
1408
- /** Instructs MSAL to attempt to discover the region */
1409
- RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
1410
- /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
1411
- RegionalAuthority["USWest"] = "westus";
1412
- /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
1413
- RegionalAuthority["USWest2"] = "westus2";
1414
- /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
1415
- RegionalAuthority["USCentral"] = "centralus";
1416
- /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
1417
- RegionalAuthority["USEast"] = "eastus";
1418
- /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
1419
- RegionalAuthority["USEast2"] = "eastus2";
1420
- /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
1421
- RegionalAuthority["USNorthCentral"] = "northcentralus";
1422
- /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
1423
- RegionalAuthority["USSouthCentral"] = "southcentralus";
1424
- /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
1425
- RegionalAuthority["USWestCentral"] = "westcentralus";
1426
- /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
1427
- RegionalAuthority["CanadaCentral"] = "canadacentral";
1428
- /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
1429
- RegionalAuthority["CanadaEast"] = "canadaeast";
1430
- /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
1431
- RegionalAuthority["BrazilSouth"] = "brazilsouth";
1432
- /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
1433
- RegionalAuthority["EuropeNorth"] = "northeurope";
1434
- /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
1435
- RegionalAuthority["EuropeWest"] = "westeurope";
1436
- /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
1437
- RegionalAuthority["UKSouth"] = "uksouth";
1438
- /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
1439
- RegionalAuthority["UKWest"] = "ukwest";
1440
- /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
1441
- RegionalAuthority["FranceCentral"] = "francecentral";
1442
- /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
1443
- RegionalAuthority["FranceSouth"] = "francesouth";
1444
- /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
1445
- RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
1446
- /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
1447
- RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
1448
- /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
1449
- RegionalAuthority["GermanyNorth"] = "germanynorth";
1450
- /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
1451
- RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
1452
- /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
1453
- RegionalAuthority["NorwayWest"] = "norwaywest";
1454
- /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
1455
- RegionalAuthority["NorwayEast"] = "norwayeast";
1456
- /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
1457
- RegionalAuthority["AsiaEast"] = "eastasia";
1458
- /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
1459
- RegionalAuthority["AsiaSouthEast"] = "southeastasia";
1460
- /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
1461
- RegionalAuthority["JapanEast"] = "japaneast";
1462
- /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
1463
- RegionalAuthority["JapanWest"] = "japanwest";
1464
- /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
1465
- RegionalAuthority["AustraliaEast"] = "australiaeast";
1466
- /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
1467
- RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
1468
- /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
1469
- RegionalAuthority["AustraliaCentral"] = "australiacentral";
1470
- /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
1471
- RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
1472
- /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
1473
- RegionalAuthority["IndiaCentral"] = "centralindia";
1474
- /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
1475
- RegionalAuthority["IndiaSouth"] = "southindia";
1476
- /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
1477
- RegionalAuthority["IndiaWest"] = "westindia";
1478
- /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
1479
- RegionalAuthority["KoreaSouth"] = "koreasouth";
1480
- /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
1481
- RegionalAuthority["KoreaCentral"] = "koreacentral";
1482
- /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
1483
- RegionalAuthority["UAECentral"] = "uaecentral";
1484
- /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
1485
- RegionalAuthority["UAENorth"] = "uaenorth";
1486
- /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
1487
- RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
1488
- /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
1489
- RegionalAuthority["SouthAfricaWest"] = "southafricawest";
1490
- /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
1491
- RegionalAuthority["ChinaNorth"] = "chinanorth";
1492
- /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
1493
- RegionalAuthority["ChinaEast"] = "chinaeast";
1494
- /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
1495
- RegionalAuthority["ChinaNorth2"] = "chinanorth2";
1496
- /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
1497
- RegionalAuthority["ChinaEast2"] = "chinaeast2";
1498
- /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
1499
- RegionalAuthority["GermanyCentral"] = "germanycentral";
1500
- /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
1501
- RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
1502
- /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
1503
- RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
1504
- /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
1505
- RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
1506
- /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
1507
- RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
1508
- /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
1509
- RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
1510
- /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
1511
- RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
1512
- /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
1513
- RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
1514
- })(RegionalAuthority || (RegionalAuthority = {}));
1515
- /**
1516
- * Calculates the correct regional authority based on the supplied value
1517
- * and the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
1518
- *
1519
- * Values will be returned verbatim, except for {@link RegionalAuthority.AutoDiscoverRegion}
1520
- * which is mapped to a value MSAL can understand.
1521
- *
1522
- * @internal
1523
- */
1524
- function calculateRegionalAuthority(regionalAuthority) {
1525
- // Note: as of today only 3 credentials support regional authority, and the parameter
1526
- // is not exposed via the public API. Regional Authority is _only_ supported
1527
- // via the AZURE_REGIONAL_AUTHORITY_NAME env var and _only_ for: ClientSecretCredential, ClientCertificateCredential, and ClientAssertionCredential.
1528
- var _a, _b;
1529
- // Accepting the regionalAuthority parameter will allow us to support it in the future.
1530
- let azureRegion = regionalAuthority;
1531
- if (azureRegion === undefined &&
1532
- ((_b = (_a = globalThis.process) === null || _a === void 0 ? void 0 : _a.env) === null || _b === void 0 ? void 0 : _b.AZURE_REGIONAL_AUTHORITY_NAME) !== undefined) {
1533
- azureRegion = process.env.AZURE_REGIONAL_AUTHORITY_NAME;
1534
- }
1535
- if (azureRegion === RegionalAuthority.AutoDiscoverRegion) {
1536
- return "AUTO_DISCOVER";
1537
- }
1538
- return azureRegion;
1539
- }
1540
-
1541
- // Copyright (c) Microsoft Corporation.
1542
- // Licensed under the MIT License.
1543
- /**
1544
- * The default logger used if no logger was passed in by the credential.
1545
- */
1546
- const msalLogger = credentialLogger("MsalClient");
1547
- /**
1548
- * A call to open(), but mockable
1549
- * @internal
1550
- */
1551
- const interactiveBrowserMockable = {
1552
- open,
1553
- };
1554
- /**
1555
- * Generates the configuration for MSAL (Microsoft Authentication Library).
1556
- *
1557
- * @param clientId - The client ID of the application.
1558
- * @param tenantId - The tenant ID of the Azure Active Directory.
1559
- * @param msalClientOptions - Optional. Additional options for creating the MSAL client.
1560
- * @returns The MSAL configuration object.
1561
- */
1562
- function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
1563
- var _a, _b, _c;
1564
- const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
1565
- // TODO: move and reuse getIdentityClientAuthorityHost
1566
- const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));
1567
- const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
1568
- const msalConfig = {
1569
- auth: {
1570
- clientId,
1571
- authority,
1572
- knownAuthorities: getKnownAuthorities(resolvedTenant, authority, msalClientOptions.disableInstanceDiscovery),
1573
- },
1574
- system: {
1575
- networkClient: httpClient,
1576
- loggerOptions: {
1577
- loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
1578
- logLevel: getMSALLogLevel(logger$m.getLogLevel()),
1579
- piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
1580
- },
1581
- },
1582
- };
1583
- return msalConfig;
1584
- }
1585
- /**
1586
- * Creates an instance of the MSAL (Microsoft Authentication Library) client.
1587
- *
1588
- * @param clientId - The client ID of the application.
1589
- * @param tenantId - The tenant ID of the Azure Active Directory.
1590
- * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.
1591
- * @returns An instance of the MSAL client.
1592
- *
1593
- * @public
1594
- */
1595
- function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
1596
- var _a;
1597
- const state = {
1598
- msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
1599
- cachedAccount: createMsalClientOptions.authenticationRecord
1600
- ? publicToMsal(createMsalClientOptions.authenticationRecord)
1601
- : null,
1602
- pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
1603
- logger: (_a = createMsalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger,
1604
- };
1605
- const publicApps = new Map();
1606
- async function getPublicApp(options = {}) {
1607
- const appKey = options.enableCae ? "CAE" : "default";
1608
- let publicClientApp = publicApps.get(appKey);
1609
- if (publicClientApp) {
1610
- state.logger.getToken.info("Existing PublicClientApplication found in cache, returning it.");
1611
- return publicClientApp;
1612
- }
1613
- // Initialize a new app and cache it
1614
- state.logger.getToken.info(`Creating new PublicClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
1615
- const cachePlugin = options.enableCae
1616
- ? state.pluginConfiguration.cache.cachePluginCae
1617
- : state.pluginConfiguration.cache.cachePlugin;
1618
- state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
1619
- publicClientApp = new msalCommon__namespace.PublicClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
1620
- publicApps.set(appKey, publicClientApp);
1621
- return publicClientApp;
1622
- }
1623
- const confidentialApps = new Map();
1624
- async function getConfidentialApp(options = {}) {
1625
- const appKey = options.enableCae ? "CAE" : "default";
1626
- let confidentialClientApp = confidentialApps.get(appKey);
1627
- if (confidentialClientApp) {
1628
- state.logger.getToken.info("Existing ConfidentialClientApplication found in cache, returning it.");
1629
- return confidentialClientApp;
1630
- }
1631
- // Initialize a new app and cache it
1632
- state.logger.getToken.info(`Creating new ConfidentialClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
1633
- const cachePlugin = options.enableCae
1634
- ? state.pluginConfiguration.cache.cachePluginCae
1635
- : state.pluginConfiguration.cache.cachePlugin;
1636
- state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
1637
- confidentialClientApp = new msalCommon__namespace.ConfidentialClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
1638
- confidentialApps.set(appKey, confidentialClientApp);
1639
- return confidentialClientApp;
1640
- }
1641
- async function getTokenSilent(app, scopes, options = {}) {
1642
- if (state.cachedAccount === null) {
1643
- state.logger.getToken.info("No cached account found in local state, attempting to load it from MSAL cache.");
1644
- const cache = app.getTokenCache();
1645
- const accounts = await cache.getAllAccounts();
1646
- if (accounts === undefined || accounts.length === 0) {
1647
- throw new AuthenticationRequiredError({ scopes });
1648
- }
1649
- if (accounts.length > 1) {
1650
- state.logger
1651
- .info(`More than one account was found authenticated for this Client ID and Tenant ID.
1652
- However, no "authenticationRecord" has been provided for this credential,
1653
- therefore we're unable to pick between these accounts.
1654
- A new login attempt will be requested, to ensure the correct account is picked.
1655
- To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
1656
- throw new AuthenticationRequiredError({ scopes });
1657
- }
1658
- state.cachedAccount = accounts[0];
1659
- }
1660
- // Keep track and reuse the claims we received across challenges
1661
- if (options.claims) {
1662
- state.cachedClaims = options.claims;
1663
- }
1664
- const silentRequest = {
1665
- account: state.cachedAccount,
1666
- scopes,
1667
- claims: state.cachedClaims,
1668
- };
1669
- if (state.pluginConfiguration.broker.isEnabled) {
1670
- silentRequest.tokenQueryParameters || (silentRequest.tokenQueryParameters = {});
1671
- if (state.pluginConfiguration.broker.enableMsaPassthrough) {
1672
- silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
1673
- }
1674
- }
1675
- if (options.proofOfPossessionOptions) {
1676
- silentRequest.shrNonce = options.proofOfPossessionOptions.nonce;
1677
- silentRequest.authenticationScheme = "pop";
1678
- silentRequest.resourceRequestMethod = options.proofOfPossessionOptions.resourceRequestMethod;
1679
- silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
1680
- }
1681
- state.logger.getToken.info("Attempting to acquire token silently");
1682
- return app.acquireTokenSilent(silentRequest);
1683
- }
1684
- /**
1685
- * Builds an authority URL for the given request. The authority may be different than the one used when creating the MSAL client
1686
- * if the user is creating cross-tenant requests
1687
- */
1688
- function calculateRequestAuthority(options) {
1689
- if (options === null || options === void 0 ? void 0 : options.tenantId) {
1690
- return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));
1691
- }
1692
- return state.msalConfig.auth.authority;
1693
- }
1694
- /**
1695
- * Performs silent authentication using MSAL to acquire an access token.
1696
- * If silent authentication fails, falls back to interactive authentication.
1697
- *
1698
- * @param msalApp - The MSAL application instance.
1699
- * @param scopes - The scopes for which to acquire the access token.
1700
- * @param options - The options for acquiring the access token.
1701
- * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.
1702
- * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
1703
- */
1704
- async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
1705
- var _a, _b;
1706
- let response = null;
1707
- try {
1708
- response = await getTokenSilent(msalApp, scopes, options);
1709
- }
1710
- catch (e) {
1711
- if (e.name !== "AuthenticationRequiredError") {
1712
- throw e;
1713
- }
1714
- if (options.disableAutomaticAuthentication) {
1715
- throw new AuthenticationRequiredError({
1716
- scopes,
1717
- getTokenOptions: options,
1718
- message: "Automatic authentication has been disabled. You may call the authentication() method.",
1719
- });
1720
- }
1721
- }
1722
- // Silent authentication failed
1723
- if (response === null) {
1724
- try {
1725
- response = await onAuthenticationRequired();
1726
- }
1727
- catch (err) {
1728
- throw handleMsalError(scopes, err, options);
1729
- }
1730
- }
1731
- // At this point we should have a token, process it
1732
- ensureValidMsalToken(scopes, response, options);
1733
- state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
1734
- state.logger.getToken.info(formatSuccess(scopes));
1735
- return {
1736
- token: response.accessToken,
1737
- expiresOnTimestamp: response.expiresOn.getTime(),
1738
- refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
1739
- tokenType: response.tokenType,
1740
- };
1741
- }
1742
- async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
1743
- var _a;
1744
- state.logger.getToken.info(`Attempting to acquire token using client secret`);
1745
- state.msalConfig.auth.clientSecret = clientSecret;
1746
- const msalApp = await getConfidentialApp(options);
1747
- try {
1748
- const response = await msalApp.acquireTokenByClientCredential({
1749
- scopes,
1750
- authority: calculateRequestAuthority(options),
1751
- azureRegion: calculateRegionalAuthority(),
1752
- claims: options === null || options === void 0 ? void 0 : options.claims,
1753
- });
1754
- ensureValidMsalToken(scopes, response, options);
1755
- state.logger.getToken.info(formatSuccess(scopes));
1756
- return {
1757
- token: response.accessToken,
1758
- expiresOnTimestamp: response.expiresOn.getTime(),
1759
- refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
1760
- tokenType: response.tokenType,
1761
- };
1762
- }
1763
- catch (err) {
1764
- throw handleMsalError(scopes, err, options);
1765
- }
1766
- }
1767
- async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
1768
- var _a;
1769
- state.logger.getToken.info(`Attempting to acquire token using client assertion`);
1770
- state.msalConfig.auth.clientAssertion = clientAssertion;
1771
- const msalApp = await getConfidentialApp(options);
1772
- try {
1773
- const response = await msalApp.acquireTokenByClientCredential({
1774
- scopes,
1775
- authority: calculateRequestAuthority(options),
1776
- azureRegion: calculateRegionalAuthority(),
1777
- claims: options === null || options === void 0 ? void 0 : options.claims,
1778
- clientAssertion,
1779
- });
1780
- ensureValidMsalToken(scopes, response, options);
1781
- state.logger.getToken.info(formatSuccess(scopes));
1782
- return {
1783
- token: response.accessToken,
1784
- expiresOnTimestamp: response.expiresOn.getTime(),
1785
- refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
1786
- tokenType: response.tokenType,
1787
- };
1788
- }
1789
- catch (err) {
1790
- throw handleMsalError(scopes, err, options);
1791
- }
1792
- }
1793
- async function getTokenByClientCertificate(scopes, certificate, options = {}) {
1794
- var _a;
1795
- state.logger.getToken.info(`Attempting to acquire token using client certificate`);
1796
- state.msalConfig.auth.clientCertificate = certificate;
1797
- const msalApp = await getConfidentialApp(options);
1798
- try {
1799
- const response = await msalApp.acquireTokenByClientCredential({
1800
- scopes,
1801
- authority: calculateRequestAuthority(options),
1802
- azureRegion: calculateRegionalAuthority(),
1803
- claims: options === null || options === void 0 ? void 0 : options.claims,
1804
- });
1805
- ensureValidMsalToken(scopes, response, options);
1806
- state.logger.getToken.info(formatSuccess(scopes));
1807
- return {
1808
- token: response.accessToken,
1809
- expiresOnTimestamp: response.expiresOn.getTime(),
1810
- refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
1811
- tokenType: response.tokenType,
1812
- };
1813
- }
1814
- catch (err) {
1815
- throw handleMsalError(scopes, err, options);
1816
- }
1817
- }
1818
- async function getTokenByDeviceCode(scopes, deviceCodeCallback, options = {}) {
1819
- state.logger.getToken.info(`Attempting to acquire token using device code`);
1820
- const msalApp = await getPublicApp(options);
1821
- return withSilentAuthentication(msalApp, scopes, options, () => {
1822
- var _a, _b;
1823
- const requestOptions = {
1824
- scopes,
1825
- cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
1826
- deviceCodeCallback,
1827
- authority: calculateRequestAuthority(options),
1828
- claims: options === null || options === void 0 ? void 0 : options.claims,
1829
- };
1830
- const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
1831
- if (options.abortSignal) {
1832
- options.abortSignal.addEventListener("abort", () => {
1833
- requestOptions.cancel = true;
1834
- });
1835
- }
1836
- return deviceCodeRequest;
1837
- });
1838
- }
1839
- async function getTokenByUsernamePassword(scopes, username, password, options = {}) {
1840
- state.logger.getToken.info(`Attempting to acquire token using username and password`);
1841
- const msalApp = await getPublicApp(options);
1842
- return withSilentAuthentication(msalApp, scopes, options, () => {
1843
- const requestOptions = {
1844
- scopes,
1845
- username,
1846
- password,
1847
- authority: calculateRequestAuthority(options),
1848
- claims: options === null || options === void 0 ? void 0 : options.claims,
1849
- };
1850
- return msalApp.acquireTokenByUsernamePassword(requestOptions);
1851
- });
1852
- }
1853
- function getActiveAccount() {
1854
- if (!state.cachedAccount) {
1855
- return undefined;
1856
- }
1857
- return msalToPublic(clientId, state.cachedAccount);
1858
- }
1859
- async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
1860
- state.logger.getToken.info(`Attempting to acquire token using authorization code`);
1861
- let msalApp;
1862
- if (clientSecret) {
1863
- // If a client secret is provided, we need to use a confidential client application
1864
- // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret
1865
- state.msalConfig.auth.clientSecret = clientSecret;
1866
- msalApp = await getConfidentialApp(options);
1867
- }
1868
- else {
1869
- msalApp = await getPublicApp(options);
1870
- }
1871
- return withSilentAuthentication(msalApp, scopes, options, () => {
1872
- return msalApp.acquireTokenByCode({
1873
- scopes,
1874
- redirectUri,
1875
- code: authorizationCode,
1876
- authority: calculateRequestAuthority(options),
1877
- claims: options === null || options === void 0 ? void 0 : options.claims,
1878
- });
1879
- });
1880
- }
1881
- async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
1882
- var _a;
1883
- msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
1884
- if (typeof clientCredentials === "string") {
1885
- // Client secret
1886
- msalLogger.getToken.info(`Using client secret for on behalf of flow`);
1887
- state.msalConfig.auth.clientSecret = clientCredentials;
1888
- }
1889
- else if (typeof clientCredentials === "function") {
1890
- // Client Assertion
1891
- msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);
1892
- state.msalConfig.auth.clientAssertion = clientCredentials;
1893
- }
1894
- else {
1895
- // Client certificate
1896
- msalLogger.getToken.info(`Using client certificate for on behalf of flow`);
1897
- state.msalConfig.auth.clientCertificate = clientCredentials;
1898
- }
1899
- const msalApp = await getConfidentialApp(options);
1900
- try {
1901
- const response = await msalApp.acquireTokenOnBehalfOf({
1902
- scopes,
1903
- authority: calculateRequestAuthority(options),
1904
- claims: options.claims,
1905
- oboAssertion: userAssertionToken,
1906
- });
1907
- ensureValidMsalToken(scopes, response, options);
1908
- msalLogger.getToken.info(formatSuccess(scopes));
1909
- return {
1910
- token: response.accessToken,
1911
- expiresOnTimestamp: response.expiresOn.getTime(),
1912
- refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
1913
- tokenType: response.tokenType,
1914
- };
1915
- }
1916
- catch (err) {
1917
- throw handleMsalError(scopes, err, options);
1918
- }
1919
- }
1920
- async function getTokenByInteractiveRequest(scopes, options = {}) {
1921
- msalLogger.getToken.info(`Attempting to acquire token interactively`);
1922
- const app = await getPublicApp(options);
1923
- /**
1924
- * A helper function that supports brokered authentication through the MSAL's public application.
1925
- *
1926
- * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
1927
- * If the default broker account is not available, the method will fall back to interactive authentication.
1928
- */
1929
- async function getBrokeredToken(useDefaultBrokerAccount) {
1930
- var _a;
1931
- msalLogger.verbose("Authentication will resume through the broker");
1932
- const interactiveRequest = createBaseInteractiveRequest();
1933
- if (state.pluginConfiguration.broker.parentWindowHandle) {
1934
- interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
1935
- }
1936
- else {
1937
- // this is a bug, as the pluginConfiguration handler should validate this case.
1938
- msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
1939
- }
1940
- if (state.pluginConfiguration.broker.enableMsaPassthrough) {
1941
- ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
1942
- "consumer_passthrough";
1943
- }
1944
- if (useDefaultBrokerAccount) {
1945
- interactiveRequest.prompt = "none";
1946
- msalLogger.verbose("Attempting broker authentication using the default broker account");
1947
- }
1948
- else {
1949
- msalLogger.verbose("Attempting broker authentication without the default broker account");
1950
- }
1951
- if (options.proofOfPossessionOptions) {
1952
- interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
1953
- interactiveRequest.authenticationScheme = "pop";
1954
- interactiveRequest.resourceRequestMethod =
1955
- options.proofOfPossessionOptions.resourceRequestMethod;
1956
- interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
1957
- }
1958
- try {
1959
- return await app.acquireTokenInteractive(interactiveRequest);
1960
- }
1961
- catch (e) {
1962
- msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
1963
- // If we tried to use the default broker account and failed, fall back to interactive authentication
1964
- if (useDefaultBrokerAccount) {
1965
- return getBrokeredToken(/* useDefaultBrokerAccount: */ false);
1966
- }
1967
- else {
1968
- throw e;
1969
- }
1970
- }
1971
- }
1972
- function createBaseInteractiveRequest() {
1973
- var _a, _b;
1974
- return {
1975
- openBrowser: async (url) => {
1976
- await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
1977
- },
1978
- scopes,
1979
- authority: calculateRequestAuthority(options),
1980
- claims: options === null || options === void 0 ? void 0 : options.claims,
1981
- loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
1982
- errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
1983
- successTemplate: (_b = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage,
1984
- };
1985
- }
1986
- return withSilentAuthentication(app, scopes, options, async () => {
1987
- var _a;
1988
- const interactiveRequest = createBaseInteractiveRequest();
1989
- if (state.pluginConfiguration.broker.isEnabled) {
1990
- return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
1991
- }
1992
- if (options.proofOfPossessionOptions) {
1993
- interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
1994
- interactiveRequest.authenticationScheme = "pop";
1995
- interactiveRequest.resourceRequestMethod =
1996
- options.proofOfPossessionOptions.resourceRequestMethod;
1997
- interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
1998
- }
1999
- return app.acquireTokenInteractive(interactiveRequest);
2000
- });
2001
- }
2002
- return {
2003
- getActiveAccount,
2004
- getTokenByClientSecret,
2005
- getTokenByClientAssertion,
2006
- getTokenByClientCertificate,
2007
- getTokenByDeviceCode,
2008
- getTokenByUsernamePassword,
2009
- getTokenByAuthorizationCode,
2010
- getTokenOnBehalfOf,
2011
- getTokenByInteractiveRequest,
2012
- };
2013
- }
2014
-
2015
- // Copyright (c) Microsoft Corporation.
2016
- // Licensed under the MIT License.
2017
- const logger$h = credentialLogger("ClientAssertionCredential");
2018
- /**
2019
- * Authenticates a service principal with a JWT assertion.
2020
- */
2021
- class ClientAssertionCredential {
2022
- /**
2023
- * Creates an instance of the ClientAssertionCredential with the details
2024
- * needed to authenticate against Microsoft Entra ID with a client
2025
- * assertion provided by the developer through the `getAssertion` function parameter.
2026
- *
2027
- * @param tenantId - The Microsoft Entra tenant (directory) ID.
2028
- * @param clientId - The client (application) ID of an App Registration in the tenant.
2029
- * @param getAssertion - A function that retrieves the assertion for the credential to use.
2030
- * @param options - Options for configuring the client which makes the authentication request.
2031
- */
2032
- constructor(tenantId, clientId, getAssertion, options = {}) {
2033
- if (!tenantId) {
2034
- throw new CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter.");
2035
- }
2036
- if (!clientId) {
2037
- throw new CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter.");
2038
- }
2039
- if (!getAssertion) {
2040
- throw new CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter.");
2041
- }
2042
- this.tenantId = tenantId;
2043
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
2044
- this.options = options;
2045
- this.getAssertion = getAssertion;
2046
- this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$h, tokenCredentialOptions: this.options }));
2047
- }
2048
- /**
2049
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
2050
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
2051
- *
2052
- * @param scopes - The list of scopes for which the token will have access.
2053
- * @param options - The options used to configure any requests this
2054
- * TokenCredential implementation might make.
2055
- */
2056
- async getToken(scopes, options = {}) {
2057
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
2058
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
2059
- const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
2060
- return this.msalClient.getTokenByClientAssertion(arrayScopes, this.getAssertion, newOptions);
2061
- });
2062
- }
2063
- }
2064
-
2065
- // Copyright (c) Microsoft Corporation.
2066
- // Licensed under the MIT License.
2067
- const credentialName$4 = "WorkloadIdentityCredential";
2068
- /**
2069
- * Contains the list of all supported environment variable names so that an
2070
- * appropriate error message can be generated when no credentials can be
2071
- * configured.
2072
- *
2073
- * @internal
2074
- */
2075
- const SupportedWorkloadEnvironmentVariables = [
2076
- "AZURE_TENANT_ID",
2077
- "AZURE_CLIENT_ID",
2078
- "AZURE_FEDERATED_TOKEN_FILE",
2079
- ];
2080
- const logger$g = credentialLogger(credentialName$4);
2081
- /**
2082
- * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
2083
- * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
2084
- * authentication, applications authenticate themselves using their own identity, rather than using a shared service
2085
- * principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account
2086
- * Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload
2087
- * Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for
2088
- * each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't
2089
- * need to worry about storing and securing sensitive credentials themselves.
2090
- * The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires
2091
- * a token using the SACs available in the Azure Kubernetes environment.
2092
- * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Microsoft Entra
2093
- * Workload ID</a> for more information.
2094
- */
2095
- class WorkloadIdentityCredential {
2096
- /**
2097
- * WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.
2098
- *
2099
- * @param options - The identity client options to use for authentication.
2100
- */
2101
- constructor(options) {
2102
- this.azureFederatedTokenFileContent = undefined;
2103
- this.cacheDate = undefined;
2104
- // Logging environment variables for error details
2105
- const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
2106
- logger$g.info(`Found the following environment variables: ${assignedEnv}`);
2107
- const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
2108
- const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
2109
- const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
2110
- this.federatedTokenFilePath =
2111
- workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
2112
- if (tenantId) {
2113
- checkTenantId(logger$g, tenantId);
2114
- }
2115
- if (!clientId) {
2116
- throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. clientId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_CLIENT_ID".
2117
- See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
2118
- }
2119
- if (!tenantId) {
2120
- throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_TENANT_ID".
2121
- See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
2122
- }
2123
- if (!this.federatedTokenFilePath) {
2124
- throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_FEDERATED_TOKEN_FILE".
2125
- See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
2126
- }
2127
- logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
2128
- this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
2129
- }
2130
- /**
2131
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
2132
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
2133
- *
2134
- * @param scopes - The list of scopes for which the token will have access.
2135
- * @param options - The options used to configure any requests this
2136
- * TokenCredential implementation might make.
2137
- */
2138
- async getToken(scopes, options) {
2139
- if (!this.client) {
2140
- const errorMessage = `${credentialName$4}: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters.
2141
- In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables -
2142
- "AZURE_TENANT_ID",
2143
- "AZURE_CLIENT_ID",
2144
- "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`;
2145
- logger$g.info(errorMessage);
2146
- throw new CredentialUnavailableError(errorMessage);
2147
- }
2148
- logger$g.info("Invoking getToken() of Client Assertion Credential");
2149
- return this.client.getToken(scopes, options);
2150
- }
2151
- async readFileContents() {
2152
- // Cached assertions expire after 5 minutes
2153
- if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {
2154
- this.azureFederatedTokenFileContent = undefined;
2155
- }
2156
- if (!this.federatedTokenFilePath) {
2157
- throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. Invalid file path provided ${this.federatedTokenFilePath}.`);
2158
- }
2159
- if (!this.azureFederatedTokenFileContent) {
2160
- const file = await promises.readFile(this.federatedTokenFilePath, "utf8");
2161
- const value = file.trim();
2162
- if (!value) {
2163
- throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. No content on the file ${this.federatedTokenFilePath}.`);
2164
- }
2165
- else {
2166
- this.azureFederatedTokenFileContent = value;
2167
- this.cacheDate = Date.now();
2168
- }
2169
- }
2170
- return this.azureFederatedTokenFileContent;
2171
- }
2172
- }
2173
-
2174
- // Copyright (c) Microsoft Corporation.
2175
- // Licensed under the MIT License.
2176
- const msiName = "ManagedIdentityCredential - Token Exchange";
2177
- const logger$f = credentialLogger(msiName);
2178
- /**
2179
- * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
2180
- *
2181
- * Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.
2182
- * The rest have been migrated to MSAL.
2183
- */
2184
- const tokenExchangeMsi = {
2185
- name: "tokenExchangeMsi",
2186
- async isAvailable(clientId) {
2187
- const env = process.env;
2188
- const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
2189
- env.AZURE_TENANT_ID &&
2190
- process.env.AZURE_FEDERATED_TOKEN_FILE);
2191
- if (!result) {
2192
- logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
2193
- }
2194
- return result;
2195
- },
2196
- async getToken(configuration, getTokenOptions = {}) {
2197
- const { scopes, clientId } = configuration;
2198
- const identityClientTokenCredentialOptions = {};
2199
- const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
2200
- return workloadIdentityCredential.getToken(scopes, getTokenOptions);
2201
- },
2202
- };
2203
-
2204
- // Copyright (c) Microsoft Corporation.
2205
- // Licensed under the MIT License.
2206
- const logger$e = credentialLogger("ManagedIdentityCredential");
2207
- /**
2208
- * Attempts authentication using a managed identity available at the deployment environment.
2209
- * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
2210
- * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
2211
- *
2212
- * More information about configuring managed identities can be found here:
2213
- * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
2214
- */
2215
- class ManagedIdentityCredential {
2216
- /**
2217
- * @internal
2218
- * @hidden
2219
- */
2220
- constructor(clientIdOrOptions, options) {
2221
- var _a, _b;
2222
- this.msiRetryConfig = {
2223
- maxRetries: 5,
2224
- startDelayInMs: 800,
2225
- intervalIncrement: 2,
2226
- };
2227
- let _options;
2228
- if (typeof clientIdOrOptions === "string") {
2229
- this.clientId = clientIdOrOptions;
2230
- _options = options !== null && options !== void 0 ? options : {};
2231
- }
2232
- else {
2233
- this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
2234
- _options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
2235
- }
2236
- this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
2237
- this.objectId = _options === null || _options === void 0 ? void 0 : _options.objectId;
2238
- // For JavaScript users.
2239
- const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);
2240
- if (providedIds.length > 1) {
2241
- throw new Error(`ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify({ clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId })}`);
2242
- }
2243
- // ManagedIdentity uses http for local requests
2244
- _options.allowInsecureConnection = true;
2245
- if (((_a = _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
2246
- this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
2247
- }
2248
- this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
2249
- this.managedIdentityApp = new msalCommon.ManagedIdentityApplication({
2250
- managedIdentityIdParams: {
2251
- userAssignedClientId: this.clientId,
2252
- userAssignedResourceId: this.resourceId,
2253
- userAssignedObjectId: this.objectId,
2254
- },
2255
- system: {
2256
- disableInternalRetries: true,
2257
- networkClient: this.identityClient,
2258
- loggerOptions: {
2259
- logLevel: getMSALLogLevel(logger$m.getLogLevel()),
2260
- piiLoggingEnabled: (_b = _options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
2261
- loggerCallback: defaultLoggerCallback(logger$e),
2262
- },
2263
- },
2264
- });
2265
- this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
2266
- maxRetries: 0,
2267
- } }));
2268
- // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.
2269
- if (this.managedIdentityApp.getManagedIdentitySource() === "CloudShell") {
2270
- if (this.clientId || this.resourceId || this.objectId) {
2271
- logger$e.warning(`CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify({
2272
- clientId: this.clientId,
2273
- resourceId: this.resourceId,
2274
- objectId: this.objectId,
2275
- })}.`);
2276
- throw new CredentialUnavailableError("ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.");
2277
- }
2278
- }
2279
- }
2280
- /**
2281
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
2282
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
2283
- * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
2284
- *
2285
- * @param scopes - The list of scopes for which the token will have access.
2286
- * @param options - The options used to configure any requests this
2287
- * TokenCredential implementation might make.
2288
- */
2289
- async getToken(scopes, options = {}) {
2290
- logger$e.getToken.info("Using the MSAL provider for Managed Identity.");
2291
- const resource = mapScopesToResource(scopes);
2292
- if (!resource) {
2293
- throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
2294
- }
2295
- return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
2296
- var _a;
2297
- try {
2298
- const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable(this.clientId);
2299
- // Most scenarios are handled by MSAL except for two:
2300
- // AKS pod identity - MSAL does not implement the token exchange flow.
2301
- // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.
2302
- // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token
2303
- // We will continue to implement these features in the Identity library.
2304
- const identitySource = this.managedIdentityApp.getManagedIdentitySource();
2305
- const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.
2306
- logger$e.getToken.info(`MSAL Identity source: ${identitySource}`);
2307
- if (isTokenExchangeMsi) {
2308
- // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.
2309
- logger$e.getToken.info("Using the token exchange managed identity.");
2310
- const result = await tokenExchangeMsi.getToken({
2311
- scopes,
2312
- clientId: this.clientId,
2313
- identityClient: this.identityClient,
2314
- retryConfig: this.msiRetryConfig,
2315
- resourceId: this.resourceId,
2316
- });
2317
- if (result === null) {
2318
- throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response.");
2319
- }
2320
- return result;
2321
- }
2322
- else if (isImdsMsi) {
2323
- // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.
2324
- // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.
2325
- logger$e.getToken.info("Using the IMDS endpoint to probe for availability.");
2326
- const isAvailable = await imdsMsi.isAvailable({
2327
- scopes,
2328
- clientId: this.clientId,
2329
- getTokenOptions: options,
2330
- identityClient: this.isAvailableIdentityClient,
2331
- resourceId: this.resourceId,
2332
- });
2333
- if (!isAvailable) {
2334
- throw new CredentialUnavailableError(`Attempted to use the IMDS endpoint, but it is not available.`);
2335
- }
2336
- }
2337
- // If we got this far, it means:
2338
- // - This is not a tokenExchangeMsi,
2339
- // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.
2340
- // We can proceed normally by calling MSAL for a token.
2341
- logger$e.getToken.info("Calling into MSAL for managed identity token.");
2342
- const token = await this.managedIdentityApp.acquireToken({
2343
- resource,
2344
- });
2345
- this.ensureValidMsalToken(scopes, token, options);
2346
- logger$e.getToken.info(formatSuccess(scopes));
2347
- return {
2348
- expiresOnTimestamp: token.expiresOn.getTime(),
2349
- token: token.accessToken,
2350
- refreshAfterTimestamp: (_a = token.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
2351
- tokenType: "Bearer",
2352
- };
2353
- }
2354
- catch (err) {
2355
- logger$e.getToken.error(formatError(scopes, err));
2356
- // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.
2357
- // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?
2358
- if (err.name === "AuthenticationRequiredError") {
2359
- throw err;
2360
- }
2361
- if (isNetworkError(err)) {
2362
- throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err });
2363
- }
2364
- throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err });
2365
- }
2366
- });
2367
- }
2368
- /**
2369
- * Ensures the validity of the MSAL token
2370
- */
2371
- ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
2372
- const createError = (message) => {
2373
- logger$e.getToken.info(message);
2374
- return new AuthenticationRequiredError({
2375
- scopes: Array.isArray(scopes) ? scopes : [scopes],
2376
- getTokenOptions,
2377
- message,
2378
- });
2379
- };
2380
- if (!msalToken) {
2381
- throw createError("No response.");
2382
- }
2383
- if (!msalToken.expiresOn) {
2384
- throw createError(`Response had no "expiresOn" property.`);
2385
- }
2386
- if (!msalToken.accessToken) {
2387
- throw createError(`Response had no "accessToken" property.`);
2388
- }
2389
- }
2390
- }
2391
- function isNetworkError(err) {
2392
- // MSAL error
2393
- if (err.errorCode === "network_error") {
2394
- return true;
2395
- }
2396
- // Probe errors
2397
- if (err.code === "ENETUNREACH" || err.code === "EHOSTUNREACH") {
2398
- return true;
2399
- }
2400
- // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
2401
- // rather than just timing out, as expected.
2402
- if (err.statusCode === 403 || err.code === 403) {
2403
- if (err.message.includes("unreachable")) {
2404
- return true;
2405
- }
2406
- }
2407
- return false;
2408
- }
2409
-
2410
- // Copyright (c) Microsoft Corporation.
2411
- // Licensed under the MIT License.
2412
- /**
2413
- * Ensures the scopes value is an array.
2414
- * @internal
2415
- */
2416
- function ensureScopes(scopes) {
2417
- return Array.isArray(scopes) ? scopes : [scopes];
2418
- }
2419
- /**
2420
- * Throws if the received scope is not valid.
2421
- * @internal
2422
- */
2423
- function ensureValidScopeForDevTimeCreds(scope, logger) {
2424
- if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
2425
- const error = new Error("Invalid scope was specified by the user or calling client");
2426
- logger.getToken.info(formatError(scope, error));
2427
- throw error;
2428
- }
2429
- }
2430
- /**
2431
- * Returns the resource out of a scope.
2432
- * @internal
2433
- */
2434
- function getScopeResource(scope) {
2435
- return scope.replace(/\/.default$/, "");
2436
- }
2437
-
2438
- // Copyright (c) Microsoft Corporation.
2439
- // Licensed under the MIT License.
2440
- /**
2441
- * @internal
2442
- */
2443
- function checkSubscription(logger, subscription) {
2444
- if (!subscription.match(/^[0-9a-zA-Z-._ ]+$/)) {
2445
- const error = new Error("Invalid subscription provided. You can locate your subscription by following the instructions listed here: https://learn.microsoft.com/azure/azure-portal/get-subscription-tenant-id.");
2446
- logger.info(formatError("", error));
2447
- throw error;
2448
- }
2449
- }
2450
-
2451
- // Copyright (c) Microsoft Corporation.
2452
- // Licensed under the MIT License.
2453
- /**
2454
- * Mockable reference to the CLI credential cliCredentialFunctions
2455
- * @internal
2456
- */
2457
- const cliCredentialInternals = {
2458
- /**
2459
- * @internal
2460
- */
2461
- getSafeWorkingDir() {
2462
- if (process.platform === "win32") {
2463
- if (!process.env.SystemRoot) {
2464
- throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
2465
- }
2466
- return process.env.SystemRoot;
2467
- }
2468
- else {
2469
- return "/bin";
2470
- }
2471
- },
2472
- /**
2473
- * Gets the access token from Azure CLI
2474
- * @param resource - The resource to use when getting the token
2475
- * @internal
2476
- */
2477
- async getAzureCliAccessToken(resource, tenantId, subscription, timeout) {
2478
- let tenantSection = [];
2479
- let subscriptionSection = [];
2480
- if (tenantId) {
2481
- tenantSection = ["--tenant", tenantId];
2482
- }
2483
- if (subscription) {
2484
- // Add quotes around the subscription to handle subscriptions with spaces
2485
- subscriptionSection = ["--subscription", `"${subscription}"`];
2486
- }
2487
- return new Promise((resolve, reject) => {
2488
- try {
2489
- child_process.execFile("az", [
2490
- "account",
2491
- "get-access-token",
2492
- "--output",
2493
- "json",
2494
- "--resource",
2495
- resource,
2496
- ...tenantSection,
2497
- ...subscriptionSection,
2498
- ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true, timeout }, (error, stdout, stderr) => {
2499
- resolve({ stdout: stdout, stderr: stderr, error });
2500
- });
2501
- }
2502
- catch (err) {
2503
- reject(err);
2504
- }
2505
- });
2506
- },
2507
- };
2508
- const logger$d = credentialLogger("AzureCliCredential");
2509
- /**
2510
- * This credential will use the currently logged-in user login information
2511
- * via the Azure CLI ('az') commandline tool.
2512
- * To do so, it will read the user access token and expire time
2513
- * with Azure CLI command "az account get-access-token".
2514
- */
2515
- class AzureCliCredential {
2516
- /**
2517
- * Creates an instance of the {@link AzureCliCredential}.
2518
- *
2519
- * To use this credential, ensure that you have already logged
2520
- * in via the 'az' tool using the command "az login" from the commandline.
2521
- *
2522
- * @param options - Options, to optionally allow multi-tenant requests.
2523
- */
2524
- constructor(options) {
2525
- if (options === null || options === void 0 ? void 0 : options.tenantId) {
2526
- checkTenantId(logger$d, options === null || options === void 0 ? void 0 : options.tenantId);
2527
- this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
2528
- }
2529
- if (options === null || options === void 0 ? void 0 : options.subscription) {
2530
- checkSubscription(logger$d, options === null || options === void 0 ? void 0 : options.subscription);
2531
- this.subscription = options === null || options === void 0 ? void 0 : options.subscription;
2532
- }
2533
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
2534
- this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
2535
- }
2536
- /**
2537
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
2538
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
2539
- *
2540
- * @param scopes - The list of scopes for which the token will have access.
2541
- * @param options - The options used to configure any requests this
2542
- * TokenCredential implementation might make.
2543
- */
2544
- async getToken(scopes, options = {}) {
2545
- const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
2546
- if (tenantId) {
2547
- checkTenantId(logger$d, tenantId);
2548
- }
2549
- if (this.subscription) {
2550
- checkSubscription(logger$d, this.subscription);
2551
- }
2552
- const scope = typeof scopes === "string" ? scopes : scopes[0];
2553
- logger$d.getToken.info(`Using the scope ${scope}`);
2554
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
2555
- var _a, _b, _c, _d;
2556
- try {
2557
- ensureValidScopeForDevTimeCreds(scope, logger$d);
2558
- const resource = getScopeResource(scope);
2559
- const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.subscription, this.timeout);
2560
- const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
2561
- const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
2562
- const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
2563
- if (isNotInstallError) {
2564
- const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
2565
- logger$d.getToken.info(formatError(scopes, error));
2566
- throw error;
2567
- }
2568
- if (isLoginError) {
2569
- const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
2570
- logger$d.getToken.info(formatError(scopes, error));
2571
- throw error;
2572
- }
2573
- try {
2574
- const responseData = obj.stdout;
2575
- const response = this.parseRawResponse(responseData);
2576
- logger$d.getToken.info(formatSuccess(scopes));
2577
- return response;
2578
- }
2579
- catch (e) {
2580
- if (obj.stderr) {
2581
- throw new CredentialUnavailableError(obj.stderr);
2582
- }
2583
- throw e;
2584
- }
2585
- }
2586
- catch (err) {
2587
- const error = err.name === "CredentialUnavailableError"
2588
- ? err
2589
- : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
2590
- logger$d.getToken.info(formatError(scopes, error));
2591
- throw error;
2592
- }
2593
- });
2594
- }
2595
- /**
2596
- * Parses the raw JSON response from the Azure CLI into a usable AccessToken object
2597
- *
2598
- * @param rawResponse - The raw JSON response from the Azure CLI
2599
- * @returns An access token with the expiry time parsed from the raw response
2600
- *
2601
- * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
2602
- *
2603
- * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
2604
- */
2605
- parseRawResponse(rawResponse) {
2606
- const response = JSON.parse(rawResponse);
2607
- const token = response.accessToken;
2608
- // if available, expires_on will be a number representing seconds since epoch.
2609
- // ensure it's a number or NaN
2610
- let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
2611
- if (!isNaN(expiresOnTimestamp)) {
2612
- logger$d.getToken.info("expires_on is available and is valid, using it");
2613
- return {
2614
- token,
2615
- expiresOnTimestamp,
2616
- tokenType: "Bearer",
2617
- };
2618
- }
2619
- // fallback to the older expiresOn - an RFC3339 date string
2620
- expiresOnTimestamp = new Date(response.expiresOn).getTime();
2621
- // ensure expiresOn is well-formatted
2622
- if (isNaN(expiresOnTimestamp)) {
2623
- throw new CredentialUnavailableError(`Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got: "${response.expiresOn}"`);
2624
- }
2625
- return {
2626
- token,
2627
- expiresOnTimestamp,
2628
- tokenType: "Bearer",
2629
- };
2630
- }
2631
- }
2632
-
2633
- // Copyright (c) Microsoft Corporation.
2634
- // Licensed under the MIT License.
2635
- /**
2636
- * Mockable reference to the Developer CLI credential cliCredentialFunctions
2637
- * @internal
2638
- */
2639
- const developerCliCredentialInternals = {
2640
- /**
2641
- * @internal
2642
- */
2643
- getSafeWorkingDir() {
2644
- if (process.platform === "win32") {
2645
- if (!process.env.SystemRoot) {
2646
- throw new Error("Azure Developer CLI credential expects a 'SystemRoot' environment variable");
2647
- }
2648
- return process.env.SystemRoot;
2649
- }
2650
- else {
2651
- return "/bin";
2652
- }
2653
- },
2654
- /**
2655
- * Gets the access token from Azure Developer CLI
2656
- * @param scopes - The scopes to use when getting the token
2657
- * @internal
2658
- */
2659
- async getAzdAccessToken(scopes, tenantId, timeout) {
2660
- let tenantSection = [];
2661
- if (tenantId) {
2662
- tenantSection = ["--tenant-id", tenantId];
2663
- }
2664
- return new Promise((resolve, reject) => {
2665
- try {
2666
- child_process.execFile("azd", [
2667
- "auth",
2668
- "token",
2669
- "--output",
2670
- "json",
2671
- ...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
2672
- ...tenantSection,
2673
- ], {
2674
- cwd: developerCliCredentialInternals.getSafeWorkingDir(),
2675
- timeout,
2676
- }, (error, stdout, stderr) => {
2677
- resolve({ stdout, stderr, error });
2678
- });
2679
- }
2680
- catch (err) {
2681
- reject(err);
2682
- }
2683
- });
2684
- },
2685
- };
2686
- const logger$c = credentialLogger("AzureDeveloperCliCredential");
2687
- /**
2688
- * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
2689
- * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
2690
- * to Azure developers. It allows users to authenticate as a user and/or a service principal against
2691
- * <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>. The
2692
- * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
2693
- * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
2694
- * service principal and executes an Azure CLI command underneath to authenticate the application against
2695
- * Microsoft Entra ID.
2696
- *
2697
- * <h2> Configure AzureDeveloperCliCredential </h2>
2698
- *
2699
- * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
2700
- * commands below:
2701
- *
2702
- * <ol>
2703
- * <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
2704
- * <li>Run "azd auth login --client-id clientID --client-secret clientSecret
2705
- * --tenant-id tenantID" to authenticate as a service principal.</li>
2706
- * </ol>
2707
- *
2708
- * You may need to repeat this process after a certain time period, depending on the refresh token validity in your
2709
- * organization. Generally, the refresh token validity period is a few weeks to a few months.
2710
- * AzureDeveloperCliCredential will prompt you to sign in again.
2711
- */
2712
- class AzureDeveloperCliCredential {
2713
- /**
2714
- * Creates an instance of the {@link AzureDeveloperCliCredential}.
2715
- *
2716
- * To use this credential, ensure that you have already logged
2717
- * in via the 'azd' tool using the command "azd auth login" from the commandline.
2718
- *
2719
- * @param options - Options, to optionally allow multi-tenant requests.
2720
- */
2721
- constructor(options) {
2722
- if (options === null || options === void 0 ? void 0 : options.tenantId) {
2723
- checkTenantId(logger$c, options === null || options === void 0 ? void 0 : options.tenantId);
2724
- this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
2725
- }
2726
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
2727
- this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
2728
- }
2729
- /**
2730
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
2731
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
2732
- *
2733
- * @param scopes - The list of scopes for which the token will have access.
2734
- * @param options - The options used to configure any requests this
2735
- * TokenCredential implementation might make.
2736
- */
2737
- async getToken(scopes, options = {}) {
2738
- const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
2739
- if (tenantId) {
2740
- checkTenantId(logger$c, tenantId);
2741
- }
2742
- let scopeList;
2743
- if (typeof scopes === "string") {
2744
- scopeList = [scopes];
2745
- }
2746
- else {
2747
- scopeList = scopes;
2748
- }
2749
- logger$c.getToken.info(`Using the scopes ${scopes}`);
2750
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
2751
- var _a, _b, _c, _d;
2752
- try {
2753
- scopeList.forEach((scope) => {
2754
- ensureValidScopeForDevTimeCreds(scope, logger$c);
2755
- });
2756
- const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
2757
- const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
2758
- ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
2759
- const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
2760
- ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
2761
- if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
2762
- const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
2763
- logger$c.getToken.info(formatError(scopes, error));
2764
- throw error;
2765
- }
2766
- if (isNotLoggedInError) {
2767
- const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
2768
- logger$c.getToken.info(formatError(scopes, error));
2769
- throw error;
2770
- }
2771
- try {
2772
- const resp = JSON.parse(obj.stdout);
2773
- logger$c.getToken.info(formatSuccess(scopes));
2774
- return {
2775
- token: resp.token,
2776
- expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
2777
- tokenType: "Bearer",
2778
- };
2779
- }
2780
- catch (e) {
2781
- if (obj.stderr) {
2782
- throw new CredentialUnavailableError(obj.stderr);
2783
- }
2784
- throw e;
2785
- }
2786
- }
2787
- catch (err) {
2788
- const error = err.name === "CredentialUnavailableError"
2789
- ? err
2790
- : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
2791
- logger$c.getToken.info(formatError(scopes, error));
2792
- throw error;
2793
- }
2794
- });
2795
- }
2796
- }
2797
-
2798
- // Copyright (c) Microsoft Corporation.
2799
- // Licensed under the MIT License.
2800
- /**
2801
- * Easy to mock childProcess utils.
2802
- * @internal
2803
- */
2804
- const processUtils = {
2805
- /**
2806
- * Promisifying childProcess.execFile
2807
- * @internal
2808
- */
2809
- execFile(file, params, options) {
2810
- return new Promise((resolve, reject) => {
2811
- child_process__namespace.execFile(file, params, options, (error, stdout, stderr) => {
2812
- if (Buffer.isBuffer(stdout)) {
2813
- stdout = stdout.toString("utf8");
2814
- }
2815
- if (Buffer.isBuffer(stderr)) {
2816
- stderr = stderr.toString("utf8");
2817
- }
2818
- if (stderr || error) {
2819
- reject(stderr ? new Error(stderr) : error);
2820
- }
2821
- else {
2822
- resolve(stdout);
2823
- }
2824
- });
2825
- });
2826
- },
2827
- };
2828
-
2829
- // Copyright (c) Microsoft Corporation.
2830
- // Licensed under the MIT License.
2831
- const logger$b = credentialLogger("AzurePowerShellCredential");
2832
- const isWindows = process.platform === "win32";
2833
- /**
2834
- * Returns a platform-appropriate command name by appending ".exe" on Windows.
2835
- *
2836
- * @internal
2837
- */
2838
- function formatCommand(commandName) {
2839
- if (isWindows) {
2840
- return `${commandName}.exe`;
2841
- }
2842
- else {
2843
- return commandName;
2844
- }
2845
- }
2846
- /**
2847
- * Receives a list of commands to run, executes them, then returns the outputs.
2848
- * If anything fails, an error is thrown.
2849
- * @internal
2850
- */
2851
- async function runCommands(commands, timeout) {
2852
- const results = [];
2853
- for (const command of commands) {
2854
- const [file, ...parameters] = command;
2855
- const result = (await processUtils.execFile(file, parameters, {
2856
- encoding: "utf8",
2857
- timeout,
2858
- }));
2859
- results.push(result);
2860
- }
2861
- return results;
2862
- }
2863
- /**
2864
- * Known PowerShell errors
2865
- * @internal
2866
- */
2867
- const powerShellErrors = {
2868
- login: "Run Connect-AzAccount to login",
2869
- installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory",
2870
- };
2871
- /**
2872
- * Messages to use when throwing in this credential.
2873
- * @internal
2874
- */
2875
- const powerShellPublicErrorMessages = {
2876
- login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
2877
- installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
2878
- troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
2879
- };
2880
- // PowerShell Azure User not logged in error check.
2881
- const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
2882
- // Az Module not Installed in Azure PowerShell check.
2883
- const isNotInstalledError = (err) => err.message.match(powerShellErrors.installed);
2884
- /**
2885
- * The PowerShell commands to be tried, in order.
2886
- *
2887
- * @internal
2888
- */
2889
- const commandStack = [formatCommand("pwsh")];
2890
- if (isWindows) {
2891
- commandStack.push(formatCommand("powershell"));
2892
- }
2893
- /**
2894
- * This credential will use the currently logged-in user information from the
2895
- * Azure PowerShell module. To do so, it will read the user access token and
2896
- * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
2897
- */
2898
- class AzurePowerShellCredential {
2899
- /**
2900
- * Creates an instance of the {@link AzurePowerShellCredential}.
2901
- *
2902
- * To use this credential:
2903
- * - Install the Azure Az PowerShell module with:
2904
- * `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
2905
- * - You have already logged in to Azure PowerShell using the command
2906
- * `Connect-AzAccount` from the command line.
2907
- *
2908
- * @param options - Options, to optionally allow multi-tenant requests.
2909
- */
2910
- constructor(options) {
2911
- if (options === null || options === void 0 ? void 0 : options.tenantId) {
2912
- checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
2913
- this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
2914
- }
2915
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
2916
- this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
2917
- }
2918
- /**
2919
- * Gets the access token from Azure PowerShell
2920
- * @param resource - The resource to use when getting the token
2921
- */
2922
- async getAzurePowerShellAccessToken(resource, tenantId, timeout) {
2923
- // Clone the stack to avoid mutating it while iterating
2924
- for (const powerShellCommand of [...commandStack]) {
2925
- try {
2926
- await runCommands([[powerShellCommand, "/?"]], timeout);
2927
- }
2928
- catch (e) {
2929
- // Remove this credential from the original stack so that we don't try it again.
2930
- commandStack.shift();
2931
- continue;
2932
- }
2933
- const results = await runCommands([
2934
- [
2935
- powerShellCommand,
2936
- "-NoProfile",
2937
- "-NonInteractive",
2938
- "-Command",
2939
- `
2940
- $tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
2941
- $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
2942
- $useSecureString = $m.Version -ge [version]'2.17.0'
2943
-
2944
- $params = @{
2945
- ResourceUrl = "${resource}"
2946
- }
2947
-
2948
- if ($tenantId.Length -gt 0) {
2949
- $params["TenantId"] = $tenantId
2950
- }
2951
-
2952
- if ($useSecureString) {
2953
- $params["AsSecureString"] = $true
2954
- }
2955
-
2956
- $token = Get-AzAccessToken @params
2957
-
2958
- $result = New-Object -TypeName PSObject
2959
- $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
2960
- if ($useSecureString) {
2961
- $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
2962
- } else {
2963
- $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
2964
- }
2965
-
2966
- Write-Output (ConvertTo-Json $result)
2967
- `,
2968
- ],
2969
- ]);
2970
- const result = results[0];
2971
- return parseJsonToken(result);
2972
- }
2973
- throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
2974
- }
2975
- /**
2976
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
2977
- * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
2978
- *
2979
- * @param scopes - The list of scopes for which the token will have access.
2980
- * @param options - The options used to configure any requests this TokenCredential implementation might make.
2981
- */
2982
- async getToken(scopes, options = {}) {
2983
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
2984
- const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
2985
- const scope = typeof scopes === "string" ? scopes : scopes[0];
2986
- if (tenantId) {
2987
- checkTenantId(logger$b, tenantId);
2988
- }
2989
- try {
2990
- ensureValidScopeForDevTimeCreds(scope, logger$b);
2991
- logger$b.getToken.info(`Using the scope ${scope}`);
2992
- const resource = getScopeResource(scope);
2993
- const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
2994
- logger$b.getToken.info(formatSuccess(scopes));
2995
- return {
2996
- token: response.Token,
2997
- expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
2998
- tokenType: "Bearer",
2999
- };
3000
- }
3001
- catch (err) {
3002
- if (isNotInstalledError(err)) {
3003
- const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
3004
- logger$b.getToken.info(formatError(scope, error));
3005
- throw error;
3006
- }
3007
- else if (isLoginError(err)) {
3008
- const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
3009
- logger$b.getToken.info(formatError(scope, error));
3010
- throw error;
3011
- }
3012
- const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
3013
- logger$b.getToken.info(formatError(scope, error));
3014
- throw error;
3015
- }
3016
- });
3017
- }
3018
- }
3019
- /**
3020
- *
3021
- * @internal
3022
- */
3023
- async function parseJsonToken(result) {
3024
- const jsonRegex = /{[^{}]*}/g;
3025
- const matches = result.match(jsonRegex);
3026
- let resultWithoutToken = result;
3027
- if (matches) {
3028
- try {
3029
- for (const item of matches) {
3030
- try {
3031
- const jsonContent = JSON.parse(item);
3032
- if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
3033
- resultWithoutToken = resultWithoutToken.replace(item, "");
3034
- if (resultWithoutToken) {
3035
- logger$b.getToken.warning(resultWithoutToken);
3036
- }
3037
- return jsonContent;
3038
- }
3039
- }
3040
- catch (e) {
3041
- continue;
3042
- }
3043
- }
3044
- }
3045
- catch (e) {
3046
- throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
3047
- }
3048
- }
3049
- throw new Error(`No access token found in the output. Received output: ${result}`);
3050
- }
3051
-
3052
- // Copyright (c) Microsoft Corporation.
3053
- // Licensed under the MIT License.
3054
- /**
3055
- * @internal
3056
- */
3057
- const logger$a = credentialLogger("ChainedTokenCredential");
3058
- /**
3059
- * Enables multiple `TokenCredential` implementations to be tried in order until
3060
- * one of the getToken methods returns an access token. For more information, see
3061
- * [ChainedTokenCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-chainedtokencredential-for-granularity).
3062
- */
3063
- class ChainedTokenCredential {
3064
- /**
3065
- * Creates an instance of ChainedTokenCredential using the given credentials.
3066
- *
3067
- * @param sources - `TokenCredential` implementations to be tried in order.
3068
- *
3069
- * Example usage:
3070
- * ```ts snippet:chained_token_credential_example
3071
- * import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
3072
- *
3073
- * const tenantId = "<tenant-id>";
3074
- * const clientId = "<client-id>";
3075
- * const clientSecret = "<client-secret>";
3076
- * const anotherClientId = "<another-client-id>";
3077
- * const anotherSecret = "<another-client-secret>";
3078
- * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
3079
- * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
3080
- * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
3081
- * ```
3082
- */
3083
- constructor(...sources) {
3084
- this._sources = [];
3085
- this._sources = sources;
3086
- }
3087
- /**
3088
- * Returns the first access token returned by one of the chained
3089
- * `TokenCredential` implementations. Throws an {@link AggregateAuthenticationError}
3090
- * when one or more credentials throws an {@link AuthenticationError} and
3091
- * no credentials have returned an access token.
3092
- *
3093
- * This method is called automatically by Azure SDK client libraries. You may call this method
3094
- * directly, but you must also handle token caching and token refreshing.
3095
- *
3096
- * @param scopes - The list of scopes for which the token will have access.
3097
- * @param options - The options used to configure any requests this
3098
- * `TokenCredential` implementation might make.
3099
- */
3100
- async getToken(scopes, options = {}) {
3101
- const { token } = await this.getTokenInternal(scopes, options);
3102
- return token;
3103
- }
3104
- async getTokenInternal(scopes, options = {}) {
3105
- let token = null;
3106
- let successfulCredential;
3107
- const errors = [];
3108
- return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
3109
- for (let i = 0; i < this._sources.length && token === null; i++) {
3110
- try {
3111
- token = await this._sources[i].getToken(scopes, updatedOptions);
3112
- successfulCredential = this._sources[i];
3113
- }
3114
- catch (err) {
3115
- if (err.name === "CredentialUnavailableError" ||
3116
- err.name === "AuthenticationRequiredError") {
3117
- errors.push(err);
3118
- }
3119
- else {
3120
- logger$a.getToken.info(formatError(scopes, err));
3121
- throw err;
3122
- }
3123
- }
3124
- }
3125
- if (!token && errors.length > 0) {
3126
- const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
3127
- logger$a.getToken.info(formatError(scopes, err));
3128
- throw err;
3129
- }
3130
- logger$a.getToken.info(`Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`);
3131
- if (token === null) {
3132
- throw new CredentialUnavailableError("Failed to retrieve a valid token");
3133
- }
3134
- return { token, successfulCredential };
3135
- });
3136
- }
3137
- }
3138
-
3139
- // Copyright (c) Microsoft Corporation.
3140
- // Licensed under the MIT License.
3141
- const credentialName$3 = "ClientCertificateCredential";
3142
- const logger$9 = credentialLogger(credentialName$3);
3143
- /**
3144
- * Enables authentication to Microsoft Entra ID using a PEM-encoded
3145
- * certificate that is assigned to an App Registration. More information
3146
- * on how to configure certificate authentication can be found here:
3147
- *
3148
- * https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
3149
- *
3150
- */
3151
- class ClientCertificateCredential {
3152
- constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
3153
- if (!tenantId || !clientId) {
3154
- throw new Error(`${credentialName$3}: tenantId and clientId are required parameters.`);
3155
- }
3156
- this.tenantId = tenantId;
3157
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
3158
- this.sendCertificateChain = options.sendCertificateChain;
3159
- this.certificateConfiguration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
3160
- ? {
3161
- certificatePath: certificatePathOrConfiguration,
3162
- }
3163
- : certificatePathOrConfiguration));
3164
- const certificate = this.certificateConfiguration.certificate;
3165
- const certificatePath = this.certificateConfiguration.certificatePath;
3166
- if (!this.certificateConfiguration || !(certificate || certificatePath)) {
3167
- throw new Error(`${credentialName$3}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
3168
- }
3169
- if (certificate && certificatePath) {
3170
- throw new Error(`${credentialName$3}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
3171
- }
3172
- this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$9, tokenCredentialOptions: options }));
3173
- }
3174
- /**
3175
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3176
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3177
- *
3178
- * @param scopes - The list of scopes for which the token will have access.
3179
- * @param options - The options used to configure any requests this
3180
- * TokenCredential implementation might make.
3181
- */
3182
- async getToken(scopes, options = {}) {
3183
- return tracingClient.withSpan(`${credentialName$3}.getToken`, options, async (newOptions) => {
3184
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$9);
3185
- const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
3186
- const certificate = await this.buildClientCertificate();
3187
- return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);
3188
- });
3189
- }
3190
- async buildClientCertificate() {
3191
- var _a;
3192
- const parts = await parseCertificate(this.certificateConfiguration, (_a = this.sendCertificateChain) !== null && _a !== void 0 ? _a : false);
3193
- let privateKey;
3194
- if (this.certificateConfiguration.certificatePassword !== undefined) {
3195
- privateKey = crypto.createPrivateKey({
3196
- key: parts.certificateContents,
3197
- passphrase: this.certificateConfiguration.certificatePassword,
3198
- format: "pem",
3199
- })
3200
- .export({
3201
- format: "pem",
3202
- type: "pkcs8",
3203
- })
3204
- .toString();
3205
- }
3206
- else {
3207
- privateKey = parts.certificateContents;
3208
- }
3209
- return {
3210
- thumbprint: parts.thumbprint,
3211
- privateKey,
3212
- x5c: parts.x5c,
3213
- };
3214
- }
3215
- }
3216
- /**
3217
- * Parses a certificate into its relevant parts
3218
- *
3219
- * @param certificateConfiguration - The certificate contents or path to the certificate
3220
- * @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise
3221
- * @returns The parsed certificate parts and the certificate contents
3222
- */
3223
- async function parseCertificate(certificateConfiguration, sendCertificateChain) {
3224
- const certificate = certificateConfiguration.certificate;
3225
- const certificatePath = certificateConfiguration.certificatePath;
3226
- const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
3227
- const x5c = sendCertificateChain ? certificateContents : undefined;
3228
- const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
3229
- const publicKeys = [];
3230
- // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
3231
- let match;
3232
- do {
3233
- match = certificatePattern.exec(certificateContents);
3234
- if (match) {
3235
- publicKeys.push(match[3]);
3236
- }
3237
- } while (match);
3238
- if (publicKeys.length === 0) {
3239
- throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
3240
- }
3241
- const thumbprint = crypto.createHash("sha1")
3242
- .update(Buffer.from(publicKeys[0], "base64"))
3243
- .digest("hex")
3244
- .toUpperCase();
3245
- return {
3246
- certificateContents,
3247
- thumbprint,
3248
- x5c,
3249
- };
3250
- }
3251
-
3252
- // Copyright (c) Microsoft Corporation.
3253
- // Licensed under the MIT License.
3254
- const logger$8 = credentialLogger("ClientSecretCredential");
3255
- /**
3256
- * Enables authentication to Microsoft Entra ID using a client secret
3257
- * that was generated for an App Registration. More information on how
3258
- * to configure a client secret can be found here:
3259
- *
3260
- * https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
3261
- *
3262
- */
3263
- class ClientSecretCredential {
3264
- /**
3265
- * Creates an instance of the ClientSecretCredential with the details
3266
- * needed to authenticate against Microsoft Entra ID with a client
3267
- * secret.
3268
- *
3269
- * @param tenantId - The Microsoft Entra tenant (directory) ID.
3270
- * @param clientId - The client (application) ID of an App Registration in the tenant.
3271
- * @param clientSecret - A client secret that was generated for the App Registration.
3272
- * @param options - Options for configuring the client which makes the authentication request.
3273
- */
3274
- constructor(tenantId, clientId, clientSecret, options = {}) {
3275
- if (!tenantId) {
3276
- throw new CredentialUnavailableError("ClientSecretCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
3277
- }
3278
- if (!clientId) {
3279
- throw new CredentialUnavailableError("ClientSecretCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
3280
- }
3281
- if (!clientSecret) {
3282
- throw new CredentialUnavailableError("ClientSecretCredential: clientSecret is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
3283
- }
3284
- this.clientSecret = clientSecret;
3285
- this.tenantId = tenantId;
3286
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
3287
- this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$8, tokenCredentialOptions: options }));
3288
- }
3289
- /**
3290
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3291
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3292
- *
3293
- * @param scopes - The list of scopes for which the token will have access.
3294
- * @param options - The options used to configure any requests this
3295
- * TokenCredential implementation might make.
3296
- */
3297
- async getToken(scopes, options = {}) {
3298
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
3299
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
3300
- const arrayScopes = ensureScopes(scopes);
3301
- return this.msalClient.getTokenByClientSecret(arrayScopes, this.clientSecret, newOptions);
3302
- });
3303
- }
3304
- }
3305
-
3306
- // Copyright (c) Microsoft Corporation.
3307
- // Licensed under the MIT License.
3308
- const logger$7 = credentialLogger("UsernamePasswordCredential");
3309
- /**
3310
- * Enables authentication to Microsoft Entra ID with a user's
3311
- * username and password. This credential requires a high degree of
3312
- * trust so you should only use it when other, more secure credential
3313
- * types can't be used.
3314
- */
3315
- class UsernamePasswordCredential {
3316
- /**
3317
- * Creates an instance of the UsernamePasswordCredential with the details
3318
- * needed to authenticate against Microsoft Entra ID with a username
3319
- * and password.
3320
- *
3321
- * @param tenantId - The Microsoft Entra tenant (directory).
3322
- * @param clientId - The client (application) ID of an App Registration in the tenant.
3323
- * @param username - The user account's e-mail address (user name).
3324
- * @param password - The user account's account password
3325
- * @param options - Options for configuring the client which makes the authentication request.
3326
- */
3327
- constructor(tenantId, clientId, username, password, options = {}) {
3328
- if (!tenantId) {
3329
- throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
3330
- }
3331
- if (!clientId) {
3332
- throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
3333
- }
3334
- if (!username) {
3335
- throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
3336
- }
3337
- if (!password) {
3338
- throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
3339
- }
3340
- this.tenantId = tenantId;
3341
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
3342
- this.username = username;
3343
- this.password = password;
3344
- this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
3345
- }
3346
- /**
3347
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3348
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3349
- *
3350
- * If the user provided the option `disableAutomaticAuthentication`,
3351
- * once the token can't be retrieved silently,
3352
- * this method won't attempt to request user interaction to retrieve the token.
3353
- *
3354
- * @param scopes - The list of scopes for which the token will have access.
3355
- * @param options - The options used to configure any requests this
3356
- * TokenCredential implementation might make.
3357
- */
3358
- async getToken(scopes, options = {}) {
3359
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
3360
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
3361
- const arrayScopes = ensureScopes(scopes);
3362
- return this.msalClient.getTokenByUsernamePassword(arrayScopes, this.username, this.password, newOptions);
3363
- });
3364
- }
3365
- }
3366
-
3367
- // Copyright (c) Microsoft Corporation.
3368
- // Licensed under the MIT License.
3369
- /**
3370
- * Contains the list of all supported environment variable names so that an
3371
- * appropriate error message can be generated when no credentials can be
3372
- * configured.
3373
- *
3374
- * @internal
3375
- */
3376
- const AllSupportedEnvironmentVariables = [
3377
- "AZURE_TENANT_ID",
3378
- "AZURE_CLIENT_ID",
3379
- "AZURE_CLIENT_SECRET",
3380
- "AZURE_CLIENT_CERTIFICATE_PATH",
3381
- "AZURE_CLIENT_CERTIFICATE_PASSWORD",
3382
- "AZURE_USERNAME",
3383
- "AZURE_PASSWORD",
3384
- "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
3385
- "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
3386
- ];
3387
- function getAdditionallyAllowedTenants() {
3388
- var _a;
3389
- const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
3390
- return additionallyAllowedValues.split(";");
3391
- }
3392
- const credentialName$2 = "EnvironmentCredential";
3393
- const logger$6 = credentialLogger(credentialName$2);
3394
- function getSendCertificateChain() {
3395
- var _a;
3396
- const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase();
3397
- const result = sendCertificateChain === "true" || sendCertificateChain === "1";
3398
- logger$6.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`);
3399
- return result;
3400
- }
3401
- /**
3402
- * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
3403
- * with a username and password.
3404
- */
3405
- class EnvironmentCredential {
3406
- /**
3407
- * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
3408
- *
3409
- * Required environment variables:
3410
- * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
3411
- * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
3412
- *
3413
- * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
3414
- * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
3415
- *
3416
- * Environment variables used for client credential authentication:
3417
- * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
3418
- * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
3419
- * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
3420
- * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
3421
- *
3422
- * Alternatively, users can provide environment variables for username and password authentication:
3423
- * - `AZURE_USERNAME`: Username to authenticate with.
3424
- * - `AZURE_PASSWORD`: Password to authenticate with.
3425
- *
3426
- * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
3427
- * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
3428
- *
3429
- * @param options - Options for configuring the client which makes the authentication request.
3430
- */
3431
- constructor(options) {
3432
- // Keep track of any missing environment variables for error details
3433
- this._credential = undefined;
3434
- const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
3435
- logger$6.info(`Found the following environment variables: ${assigned}`);
3436
- const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
3437
- const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
3438
- const sendCertificateChain = getSendCertificateChain();
3439
- const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain });
3440
- if (tenantId) {
3441
- checkTenantId(logger$6, tenantId);
3442
- }
3443
- if (tenantId && clientId && clientSecret) {
3444
- logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
3445
- this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
3446
- return;
3447
- }
3448
- const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
3449
- const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
3450
- if (tenantId && clientId && certificatePath) {
3451
- logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
3452
- this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
3453
- return;
3454
- }
3455
- const username = process.env.AZURE_USERNAME;
3456
- const password = process.env.AZURE_PASSWORD;
3457
- if (tenantId && clientId && username && password) {
3458
- logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
3459
- this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
3460
- }
3461
- }
3462
- /**
3463
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3464
- *
3465
- * @param scopes - The list of scopes for which the token will have access.
3466
- * @param options - Optional parameters. See {@link GetTokenOptions}.
3467
- */
3468
- async getToken(scopes, options = {}) {
3469
- return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
3470
- if (this._credential) {
3471
- try {
3472
- const result = await this._credential.getToken(scopes, newOptions);
3473
- logger$6.getToken.info(formatSuccess(scopes));
3474
- return result;
3475
- }
3476
- catch (err) {
3477
- const authenticationError = new AuthenticationError(400, {
3478
- error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
3479
- error_description: err.message.toString().split("More details:").join(""),
3480
- });
3481
- logger$6.getToken.info(formatError(scopes, authenticationError));
3482
- throw authenticationError;
3483
- }
3484
- }
3485
- throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
3486
- });
3487
- }
3488
- }
3489
-
3490
- // Copyright (c) Microsoft Corporation.
3491
- // Licensed under the MIT License.
3492
- const logger$5 = credentialLogger("DefaultAzureCredential");
3493
- /**
3494
- * Creates a {@link ManagedIdentityCredential} from the provided options.
3495
- * @param options - Options to configure the credential.
3496
- *
3497
- * @internal
3498
- */
3499
- function createDefaultManagedIdentityCredential(options = {}) {
3500
- var _a, _b, _c, _d;
3501
- (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
3502
- maxRetries: 5,
3503
- retryDelayInMs: 800,
3504
- });
3505
- const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
3506
- const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
3507
- const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
3508
- const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
3509
- const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
3510
- if (managedResourceId) {
3511
- const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
3512
- return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
3513
- }
3514
- if (workloadFile && workloadIdentityClientId) {
3515
- const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
3516
- return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
3517
- }
3518
- if (managedIdentityClientId) {
3519
- const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
3520
- return new ManagedIdentityCredential(managedIdentityClientOptions);
3521
- }
3522
- // We may be able to return a UnavailableCredential here, but that may be a breaking change
3523
- return new ManagedIdentityCredential(options);
3524
- }
3525
- /**
3526
- * Creates a {@link WorkloadIdentityCredential} from the provided options.
3527
- * @param options - Options to configure the credential.
3528
- *
3529
- * @internal
3530
- */
3531
- function createDefaultWorkloadIdentityCredential(options) {
3532
- var _a, _b, _c;
3533
- const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
3534
- const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
3535
- const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
3536
- const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
3537
- if (workloadFile && workloadIdentityClientId) {
3538
- const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
3539
- return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);
3540
- }
3541
- if (tenantId) {
3542
- const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
3543
- return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);
3544
- }
3545
- // We may be able to return a UnavailableCredential here, but that may be a breaking change
3546
- return new WorkloadIdentityCredential(options);
3547
- }
3548
- /**
3549
- * Creates a {@link AzureDeveloperCliCredential} from the provided options.
3550
- * @param options - Options to configure the credential.
3551
- *
3552
- * @internal
3553
- */
3554
- function createDefaultAzureDeveloperCliCredential(options = {}) {
3555
- const processTimeoutInMs = options.processTimeoutInMs;
3556
- return new AzureDeveloperCliCredential(Object.assign({ processTimeoutInMs }, options));
3557
- }
3558
- /**
3559
- * Creates a {@link AzureCliCredential} from the provided options.
3560
- * @param options - Options to configure the credential.
3561
- *
3562
- * @internal
3563
- */
3564
- function createDefaultAzureCliCredential(options = {}) {
3565
- const processTimeoutInMs = options.processTimeoutInMs;
3566
- return new AzureCliCredential(Object.assign({ processTimeoutInMs }, options));
3567
- }
3568
- /**
3569
- * Creates a {@link AzurePowerShellCredential} from the provided options.
3570
- * @param options - Options to configure the credential.
3571
- *
3572
- * @internal
3573
- */
3574
- function createDefaultAzurePowershellCredential(options = {}) {
3575
- const processTimeoutInMs = options.processTimeoutInMs;
3576
- return new AzurePowerShellCredential(Object.assign({ processTimeoutInMs }, options));
3577
- }
3578
- /**
3579
- * Creates an {@link EnvironmentCredential} from the provided options.
3580
- * @param options - Options to configure the credential.
3581
- *
3582
- * @internal
3583
- */
3584
- function createEnvironmentCredential(options = {}) {
3585
- return new EnvironmentCredential(options);
3586
- }
3587
- /**
3588
- * A no-op credential that logs the reason it was skipped if getToken is called.
3589
- * @internal
3590
- */
3591
- class UnavailableDefaultCredential {
3592
- constructor(credentialName, message) {
3593
- this.credentialName = credentialName;
3594
- this.credentialUnavailableErrorMessage = message;
3595
- }
3596
- getToken() {
3597
- logger$5.getToken.info(`Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`);
3598
- return Promise.resolve(null);
3599
- }
3600
- }
3601
- /**
3602
- * Provides a default {@link ChainedTokenCredential} configuration that works for most
3603
- * applications that use Azure SDK client libraries. For more information, see
3604
- * [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).
3605
- *
3606
- * The following credential types will be tried, in order:
3607
- *
3608
- * - {@link EnvironmentCredential}
3609
- * - {@link WorkloadIdentityCredential}
3610
- * - {@link ManagedIdentityCredential}
3611
- * - {@link AzureCliCredential}
3612
- * - {@link AzurePowerShellCredential}
3613
- * - {@link AzureDeveloperCliCredential}
3614
- *
3615
- * Consult the documentation of these credential types for more information
3616
- * on how they attempt authentication.
3617
- */
3618
- class DefaultAzureCredential extends ChainedTokenCredential {
3619
- constructor(options) {
3620
- const credentialFunctions = [
3621
- createEnvironmentCredential,
3622
- createDefaultWorkloadIdentityCredential,
3623
- createDefaultManagedIdentityCredential,
3624
- createDefaultAzureCliCredential,
3625
- createDefaultAzurePowershellCredential,
3626
- createDefaultAzureDeveloperCliCredential,
3627
- ];
3628
- // DefaultCredential constructors should not throw, instead throwing on getToken() which is handled by ChainedTokenCredential.
3629
- // When adding new credentials to the default chain, consider:
3630
- // 1. Making the constructor parameters required and explicit
3631
- // 2. Validating any required parameters in the factory function
3632
- // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
3633
- const credentials = credentialFunctions.map((createCredentialFn) => {
3634
- try {
3635
- return createCredentialFn(options);
3636
- }
3637
- catch (err) {
3638
- logger$5.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
3639
- return new UnavailableDefaultCredential(createCredentialFn.name, err.message);
3640
- }
3641
- });
3642
- super(...credentials);
3643
- }
3644
- }
3645
-
3646
- // Copyright (c) Microsoft Corporation.
3647
- // Licensed under the MIT License.
3648
- const logger$4 = credentialLogger("InteractiveBrowserCredential");
3649
- /**
3650
- * Enables authentication to Microsoft Entra ID inside of the web browser
3651
- * using the interactive login flow.
3652
- */
3653
- class InteractiveBrowserCredential {
3654
- /**
3655
- * Creates an instance of InteractiveBrowserCredential with the details needed.
3656
- *
3657
- * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).
3658
- * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
3659
- * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
3660
- *
3661
- * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
3662
- * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).
3663
- *
3664
- * @param options - Options for configuring the client which makes the authentication requests.
3665
- */
3666
- constructor(options) {
3667
- var _a, _b, _c, _d, _e;
3668
- this.tenantId = resolveTenantId(logger$4, options.tenantId, options.clientId);
3669
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
3670
- const msalClientOptions = Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4 });
3671
- const ibcNodeOptions = options;
3672
- this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;
3673
- this.loginHint = ibcNodeOptions.loginHint;
3674
- if ((_a = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) {
3675
- if (!((_b = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b === void 0 ? void 0 : _b.parentWindowHandle)) {
3676
- throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
3677
- }
3678
- else {
3679
- msalClientOptions.brokerOptions = {
3680
- enabled: true,
3681
- parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
3682
- legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
3683
- useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount,
3684
- };
3685
- }
3686
- }
3687
- this.msalClient = createMsalClient((_e = options.clientId) !== null && _e !== void 0 ? _e : DeveloperSignOnClientId, this.tenantId, msalClientOptions);
3688
- this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
3689
- }
3690
- /**
3691
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3692
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3693
- *
3694
- * If the user provided the option `disableAutomaticAuthentication`,
3695
- * once the token can't be retrieved silently,
3696
- * this method won't attempt to request user interaction to retrieve the token.
3697
- *
3698
- * @param scopes - The list of scopes for which the token will have access.
3699
- * @param options - The options used to configure any requests this
3700
- * TokenCredential implementation might make.
3701
- */
3702
- async getToken(scopes, options = {}) {
3703
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
3704
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$4);
3705
- const arrayScopes = ensureScopes(scopes);
3706
- return this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
3707
- });
3708
- }
3709
- /**
3710
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3711
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3712
- *
3713
- * If the token can't be retrieved silently, this method will always generate a challenge for the user.
3714
- *
3715
- * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
3716
- * PKCE is a security feature that mitigates authentication code interception attacks.
3717
- *
3718
- * @param scopes - The list of scopes for which the token will have access.
3719
- * @param options - The options used to configure any requests this
3720
- * TokenCredential implementation might make.
3721
- */
3722
- async authenticate(scopes, options = {}) {
3723
- return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
3724
- const arrayScopes = ensureScopes(scopes);
3725
- await this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
3726
- return this.msalClient.getActiveAccount();
3727
- });
3728
- }
3729
- }
3730
-
3731
- // Copyright (c) Microsoft Corporation.
3732
- // Licensed under the MIT License.
3733
- const logger$3 = credentialLogger("DeviceCodeCredential");
3734
- /**
3735
- * Method that logs the user code from the DeviceCodeCredential.
3736
- * @param deviceCodeInfo - The device code.
3737
- */
3738
- function defaultDeviceCodePromptCallback(deviceCodeInfo) {
3739
- console.log(deviceCodeInfo.message);
3740
- }
3741
- /**
3742
- * Enables authentication to Microsoft Entra ID using a device code
3743
- * that the user can enter into https://microsoft.com/devicelogin.
3744
- */
3745
- class DeviceCodeCredential {
3746
- /**
3747
- * Creates an instance of DeviceCodeCredential with the details needed
3748
- * to initiate the device code authorization flow with Microsoft Entra ID.
3749
- *
3750
- * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
3751
- *
3752
- * Developers can configure how this message is shown by passing a custom `userPromptCallback`:
3753
- *
3754
- * ```ts snippet:device_code_credential_example
3755
- * import { DeviceCodeCredential } from "@azure/identity";
3756
- *
3757
- * const credential = new DeviceCodeCredential({
3758
- * tenantId: process.env.AZURE_TENANT_ID,
3759
- * clientId: process.env.AZURE_CLIENT_ID,
3760
- * userPromptCallback: (info) => {
3761
- * console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
3762
- * },
3763
- * });
3764
- * ```
3765
- *
3766
- * @param options - Options for configuring the client which makes the authentication requests.
3767
- */
3768
- constructor(options) {
3769
- var _a, _b;
3770
- this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
3771
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
3772
- const clientId = (_a = options === null || options === void 0 ? void 0 : options.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId;
3773
- const tenantId = resolveTenantId(logger$3, options === null || options === void 0 ? void 0 : options.tenantId, clientId);
3774
- this.userPromptCallback = (_b = options === null || options === void 0 ? void 0 : options.userPromptCallback) !== null && _b !== void 0 ? _b : defaultDeviceCodePromptCallback;
3775
- this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$3, tokenCredentialOptions: options || {} }));
3776
- this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
3777
- }
3778
- /**
3779
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3780
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3781
- *
3782
- * If the user provided the option `disableAutomaticAuthentication`,
3783
- * once the token can't be retrieved silently,
3784
- * this method won't attempt to request user interaction to retrieve the token.
3785
- *
3786
- * @param scopes - The list of scopes for which the token will have access.
3787
- * @param options - The options used to configure any requests this
3788
- * TokenCredential implementation might make.
3789
- */
3790
- async getToken(scopes, options = {}) {
3791
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
3792
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
3793
- const arrayScopes = ensureScopes(scopes);
3794
- return this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
3795
- });
3796
- }
3797
- /**
3798
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3799
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3800
- *
3801
- * If the token can't be retrieved silently, this method will always generate a challenge for the user.
3802
- *
3803
- * @param scopes - The list of scopes for which the token will have access.
3804
- * @param options - The options used to configure any requests this
3805
- * TokenCredential implementation might make.
3806
- */
3807
- async authenticate(scopes, options = {}) {
3808
- return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
3809
- const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
3810
- await this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false }));
3811
- return this.msalClient.getActiveAccount();
3812
- });
3813
- }
3814
- }
3815
-
3816
- // Copyright (c) Microsoft Corporation.
3817
- // Licensed under the MIT License.
3818
- const credentialName$1 = "AzurePipelinesCredential";
3819
- const logger$2 = credentialLogger(credentialName$1);
3820
- const OIDC_API_VERSION = "7.1";
3821
- /**
3822
- * This credential is designed to be used in Azure Pipelines with service connections
3823
- * as a setup for workload identity federation.
3824
- */
3825
- class AzurePipelinesCredential {
3826
- /**
3827
- * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
3828
- * @param tenantId - tenantId associated with the service connection
3829
- * @param clientId - clientId associated with the service connection
3830
- * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key
3831
- * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
3832
- * @param options - The identity client options to use for authentication.
3833
- */
3834
- constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options = {}) {
3835
- var _a, _b;
3836
- if (!clientId) {
3837
- throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. clientId is a required parameter.`);
3838
- }
3839
- if (!tenantId) {
3840
- throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId is a required parameter.`);
3841
- }
3842
- if (!serviceConnectionId) {
3843
- throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. serviceConnectionId is a required parameter.`);
3844
- }
3845
- if (!systemAccessToken) {
3846
- throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. systemAccessToken is a required parameter.`);
3847
- }
3848
- // Allow these headers to be logged for troubleshooting by AzurePipelines.
3849
- options.loggingOptions = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.loggingOptions), { additionalAllowedHeaderNames: [
3850
- ...((_b = (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.additionalAllowedHeaderNames) !== null && _b !== void 0 ? _b : []),
3851
- "x-vss-e2eid",
3852
- "x-msedge-ref",
3853
- ] });
3854
- this.identityClient = new IdentityClient(options);
3855
- checkTenantId(logger$2, tenantId);
3856
- logger$2.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`);
3857
- if (!process.env.SYSTEM_OIDCREQUESTURI) {
3858
- throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- "SYSTEM_OIDCREQUESTURI"`);
3859
- }
3860
- const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
3861
- logger$2.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`);
3862
- this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
3863
- }
3864
- /**
3865
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3866
- * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.
3867
- *
3868
- * @param scopes - The list of scopes for which the token will have access.
3869
- * @param options - The options used to configure any requests this
3870
- * TokenCredential implementation might make.
3871
- */
3872
- async getToken(scopes, options) {
3873
- if (!this.clientAssertionCredential) {
3874
- const errorMessage = `${credentialName$1}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required -
3875
- tenantId,
3876
- clientId,
3877
- serviceConnectionId,
3878
- systemAccessToken,
3879
- "SYSTEM_OIDCREQUESTURI".
3880
- See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
3881
- logger$2.error(errorMessage);
3882
- throw new CredentialUnavailableError(errorMessage);
3883
- }
3884
- logger$2.info("Invoking getToken() of Client Assertion Credential");
3885
- return this.clientAssertionCredential.getToken(scopes, options);
3886
- }
3887
- /**
3888
- *
3889
- * @param oidcRequestUrl - oidc request url
3890
- * @param systemAccessToken - system access token
3891
- * @returns OIDC token from Azure Pipelines
3892
- */
3893
- async requestOidcToken(oidcRequestUrl, systemAccessToken) {
3894
- logger$2.info("Requesting OIDC token from Azure Pipelines...");
3895
- logger$2.info(oidcRequestUrl);
3896
- const request = coreRestPipeline.createPipelineRequest({
3897
- url: oidcRequestUrl,
3898
- method: "POST",
3899
- headers: coreRestPipeline.createHttpHeaders({
3900
- "Content-Type": "application/json",
3901
- Authorization: `Bearer ${systemAccessToken}`,
3902
- // Prevents the service from responding with a redirect HTTP status code (useful for automation).
3903
- "X-TFS-FedAuthRedirect": "Suppress",
3904
- }),
3905
- });
3906
- const response = await this.identityClient.sendRequest(request);
3907
- return handleOidcResponse(response);
3908
- }
3909
- }
3910
- function handleOidcResponse(response) {
3911
- // OIDC token is present in `bodyAsText` field
3912
- const text = response.bodyAsText;
3913
- if (!text) {
3914
- logger$2.error(`${credentialName$1}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
3915
- throw new AuthenticationError(response.status, {
3916
- error: `${credentialName$1}: Authentication Failed. Received null token from OIDC request.`,
3917
- error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
3918
- });
3919
- }
3920
- try {
3921
- const result = JSON.parse(text);
3922
- if (result === null || result === void 0 ? void 0 : result.oidcToken) {
3923
- return result.oidcToken;
3924
- }
3925
- else {
3926
- const errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
3927
- let errorDescription = ``;
3928
- if (response.status !== 200) {
3929
- errorDescription = `Response body = ${text}. Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
3930
- }
3931
- logger$2.error(errorMessage);
3932
- logger$2.error(errorDescription);
3933
- throw new AuthenticationError(response.status, {
3934
- error: errorMessage,
3935
- error_description: errorDescription,
3936
- });
3937
- }
3938
- }
3939
- catch (e) {
3940
- const errorDetails = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
3941
- logger$2.error(`Response from service = ${text}, Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")}
3942
- and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}, error message = ${e.message}`);
3943
- logger$2.error(errorDetails);
3944
- throw new AuthenticationError(response.status, {
3945
- error: errorDetails,
3946
- error_description: `Response = ${text}. Response headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
3947
- });
3948
- }
3949
- }
3950
-
3951
- // Copyright (c) Microsoft Corporation.
3952
- // Licensed under the MIT License.
3953
- const logger$1 = credentialLogger("AuthorizationCodeCredential");
3954
- /**
3955
- * Enables authentication to Microsoft Entra ID using an authorization code
3956
- * that was obtained through the authorization code flow, described in more detail
3957
- * in the Microsoft Entra ID documentation:
3958
- *
3959
- * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow
3960
- */
3961
- class AuthorizationCodeCredential {
3962
- /**
3963
- * @hidden
3964
- * @internal
3965
- */
3966
- constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
3967
- checkTenantId(logger$1, tenantId);
3968
- this.clientSecret = clientSecretOrAuthorizationCode;
3969
- if (typeof redirectUriOrOptions === "string") {
3970
- // the clientId+clientSecret constructor
3971
- this.authorizationCode = authorizationCodeOrRedirectUri;
3972
- this.redirectUri = redirectUriOrOptions;
3973
- // in this case, options are good as they come
3974
- }
3975
- else {
3976
- // clientId only
3977
- this.authorizationCode = clientSecretOrAuthorizationCode;
3978
- this.redirectUri = authorizationCodeOrRedirectUri;
3979
- this.clientSecret = undefined;
3980
- options = redirectUriOrOptions;
3981
- }
3982
- // TODO: Validate tenant if provided
3983
- this.tenantId = tenantId;
3984
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
3985
- this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$1, tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
3986
- }
3987
- /**
3988
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
3989
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
3990
- *
3991
- * @param scopes - The list of scopes for which the token will have access.
3992
- * @param options - The options used to configure any requests this
3993
- * TokenCredential implementation might make.
3994
- */
3995
- async getToken(scopes, options = {}) {
3996
- return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
3997
- const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
3998
- newOptions.tenantId = tenantId;
3999
- const arrayScopes = ensureScopes(scopes);
4000
- return this.msalClient.getTokenByAuthorizationCode(arrayScopes, this.redirectUri, this.authorizationCode, this.clientSecret, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
4001
- });
4002
- }
4003
- }
4004
-
4005
- // Copyright (c) Microsoft Corporation.
4006
- // Licensed under the MIT License.
4007
- const credentialName = "OnBehalfOfCredential";
4008
- const logger = credentialLogger(credentialName);
4009
- /**
4010
- * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
4011
- */
4012
- class OnBehalfOfCredential {
4013
- constructor(options) {
4014
- const { clientSecret } = options;
4015
- const { certificatePath, sendCertificateChain } = options;
4016
- const { getAssertion } = options;
4017
- const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
4018
- if (!tenantId) {
4019
- throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
4020
- }
4021
- if (!clientId) {
4022
- throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
4023
- }
4024
- if (!clientSecret && !certificatePath && !getAssertion) {
4025
- throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
4026
- }
4027
- if (!userAssertionToken) {
4028
- throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
4029
- }
4030
- this.certificatePath = certificatePath;
4031
- this.clientSecret = clientSecret;
4032
- this.userAssertionToken = userAssertionToken;
4033
- this.sendCertificateChain = sendCertificateChain;
4034
- this.clientAssertion = getAssertion;
4035
- this.tenantId = tenantId;
4036
- this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
4037
- this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
4038
- }
4039
- /**
4040
- * Authenticates with Microsoft Entra ID and returns an access token if successful.
4041
- * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
4042
- *
4043
- * @param scopes - The list of scopes for which the token will have access.
4044
- * @param options - The options used to configure the underlying network requests.
4045
- */
4046
- async getToken(scopes, options = {}) {
4047
- return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
4048
- newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
4049
- const arrayScopes = ensureScopes(scopes);
4050
- if (this.certificatePath) {
4051
- const clientCertificate = await this.buildClientCertificate(this.certificatePath);
4052
- return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, clientCertificate, newOptions);
4053
- }
4054
- else if (this.clientSecret) {
4055
- return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
4056
- }
4057
- else if (this.clientAssertion) {
4058
- return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientAssertion, options);
4059
- }
4060
- else {
4061
- // this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided
4062
- throw new Error("Expected either clientSecret or certificatePath or clientAssertion to be defined.");
4063
- }
4064
- });
4065
- }
4066
- async buildClientCertificate(certificatePath) {
4067
- try {
4068
- const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);
4069
- return {
4070
- thumbprint: parts.thumbprint,
4071
- privateKey: parts.certificateContents,
4072
- x5c: parts.x5c,
4073
- };
4074
- }
4075
- catch (error) {
4076
- logger.info(formatError("", error));
4077
- throw error;
4078
- }
4079
- }
4080
- async parseCertificate(configuration, sendCertificateChain) {
4081
- const certificatePath = configuration.certificatePath;
4082
- const certificateContents = await promises$1.readFile(certificatePath, "utf8");
4083
- const x5c = sendCertificateChain ? certificateContents : undefined;
4084
- const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
4085
- const publicKeys = [];
4086
- // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
4087
- let match;
4088
- do {
4089
- match = certificatePattern.exec(certificateContents);
4090
- if (match) {
4091
- publicKeys.push(match[3]);
4092
- }
4093
- } while (match);
4094
- if (publicKeys.length === 0) {
4095
- throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
4096
- }
4097
- const thumbprint = node_crypto.createHash("sha1")
4098
- .update(Buffer.from(publicKeys[0], "base64"))
4099
- .digest("hex")
4100
- .toUpperCase();
4101
- return {
4102
- certificateContents,
4103
- thumbprint,
4104
- x5c,
4105
- };
4106
- }
4107
- }
4108
-
4109
- // Copyright (c) Microsoft Corporation.
4110
- // Licensed under the MIT License.
4111
- /**
4112
- * Returns a callback that provides a bearer token.
4113
- * For example, the bearer token can be used to authenticate a request as follows:
4114
- * ```ts snippet:token_provider_example
4115
- * import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
4116
- * import { createPipelineRequest } from "@azure/core-rest-pipeline";
4117
- *
4118
- * const credential = new DefaultAzureCredential();
4119
- * const scope = "https://cognitiveservices.azure.com/.default";
4120
- * const getAccessToken = getBearerTokenProvider(credential, scope);
4121
- * const token = await getAccessToken();
4122
- * // usage
4123
- * const request = createPipelineRequest({ url: "https://example.com" });
4124
- * request.headers.set("Authorization", `Bearer ${token}`);
4125
- * ```
4126
- *
4127
- * @param credential - The credential used to authenticate the request.
4128
- * @param scopes - The scopes required for the bearer token.
4129
- * @param options - Options to configure the token provider.
4130
- * @returns a callback that provides a bearer token.
4131
- */
4132
- function getBearerTokenProvider(credential, scopes, options) {
4133
- const { abortSignal, tracingOptions } = options || {};
4134
- const pipeline = coreRestPipeline.createEmptyPipeline();
4135
- pipeline.addPolicy(coreRestPipeline.bearerTokenAuthenticationPolicy({ credential, scopes }));
4136
- async function getRefreshedToken() {
4137
- var _a;
4138
- // Create a pipeline with just the bearer token policy
4139
- // and run a dummy request through it to get the token
4140
- const res = await pipeline.sendRequest({
4141
- sendRequest: (request) => Promise.resolve({
4142
- request,
4143
- status: 200,
4144
- headers: request.headers,
4145
- }),
4146
- }, coreRestPipeline.createPipelineRequest({
4147
- url: "https://example.com",
4148
- abortSignal,
4149
- tracingOptions,
4150
- }));
4151
- const accessToken = (_a = res.headers.get("authorization")) === null || _a === void 0 ? void 0 : _a.split(" ")[1];
4152
- if (!accessToken) {
4153
- throw new Error("Failed to get access token");
4154
- }
4155
- return accessToken;
4156
- }
4157
- return getRefreshedToken;
4158
- }
4159
-
4160
- // Copyright (c) Microsoft Corporation.
4161
- // Licensed under the MIT License.
4162
- /**
4163
- * Returns a new instance of the {@link DefaultAzureCredential}.
4164
- */
4165
- function getDefaultAzureCredential() {
4166
- return new DefaultAzureCredential();
4167
- }
4168
-
4169
- exports.AggregateAuthenticationError = AggregateAuthenticationError;
4170
- exports.AggregateAuthenticationErrorName = AggregateAuthenticationErrorName;
4171
- exports.AuthenticationError = AuthenticationError;
4172
- exports.AuthenticationErrorName = AuthenticationErrorName;
4173
- exports.AuthenticationRequiredError = AuthenticationRequiredError;
4174
- exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
4175
- exports.AzureCliCredential = AzureCliCredential;
4176
- exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential;
4177
- exports.AzurePipelinesCredential = AzurePipelinesCredential;
4178
- exports.AzurePowerShellCredential = AzurePowerShellCredential;
4179
- exports.ChainedTokenCredential = ChainedTokenCredential;
4180
- exports.ClientAssertionCredential = ClientAssertionCredential;
4181
- exports.ClientCertificateCredential = ClientCertificateCredential;
4182
- exports.ClientSecretCredential = ClientSecretCredential;
4183
- exports.CredentialUnavailableError = CredentialUnavailableError;
4184
- exports.CredentialUnavailableErrorName = CredentialUnavailableErrorName;
4185
- exports.DefaultAzureCredential = DefaultAzureCredential;
4186
- exports.DeviceCodeCredential = DeviceCodeCredential;
4187
- exports.EnvironmentCredential = EnvironmentCredential;
4188
- exports.InteractiveBrowserCredential = InteractiveBrowserCredential;
4189
- exports.ManagedIdentityCredential = ManagedIdentityCredential;
4190
- exports.OnBehalfOfCredential = OnBehalfOfCredential;
4191
- exports.UsernamePasswordCredential = UsernamePasswordCredential;
4192
- exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
4193
- exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
4194
- exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
4195
- exports.getBearerTokenProvider = getBearerTokenProvider;
4196
- exports.getDefaultAzureCredential = getDefaultAzureCredential;
4197
- exports.logger = logger$l;
4198
- exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
4199
- exports.useIdentityPlugin = useIdentityPlugin;
4200
- //# sourceMappingURL=index.js.map