@azure/identity 4.5.1-alpha.20241112.1 → 4.5.1-alpha.20241113.2
- package/dist/browser/client/identityClient.d.ts +65 -0
- package/dist/browser/client/identityClient.d.ts.map +1 -0
- package/dist/browser/client/identityClient.js +248 -0
- package/dist/browser/client/identityClient.js.map +1 -0
- package/dist/browser/constants.d.ts +64 -0
- package/dist/browser/constants.d.ts.map +1 -0
- package/dist/browser/credentials/authorityValidationOptions.d.ts +16 -0
- package/dist/browser/credentials/authorityValidationOptions.d.ts.map +1 -0
- package/dist/browser/credentials/authorizationCodeCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/authorizationCodeCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/authorizationCodeCredential.d.ts +11 -0
- package/dist/browser/credentials/authorizationCodeCredential.js +16 -0
- package/dist/browser/credentials/authorizationCodeCredentialOptions.d.ts +8 -0
- package/dist/browser/credentials/authorizationCodeCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/authorizationCodeCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/azureApplicationCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/azureApplicationCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/azureApplicationCredential.d.ts +24 -0
- package/dist/browser/credentials/azureApplicationCredential.js +34 -0
- package/dist/browser/credentials/azureApplicationCredentialOptions.d.ts +13 -0
- package/dist/browser/credentials/azureApplicationCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/azureApplicationCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/azureCliCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/azureCliCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/azureCliCredential.d.ts +13 -0
- package/dist/browser/credentials/azureCliCredential.js +23 -0
- package/dist/browser/credentials/azureCliCredentialOptions.d.ts +20 -0
- package/dist/browser/credentials/azureCliCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/azureCliCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/azureDeveloperCliCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/azureDeveloperCliCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/azureDeveloperCliCredential.d.ts +13 -0
- package/dist/browser/credentials/azureDeveloperCliCredential.js +23 -0
- package/dist/browser/credentials/azureDeveloperCliCredentialOptions.d.ts +15 -0
- package/dist/browser/credentials/azureDeveloperCliCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/azurePipelinesCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/azurePipelinesCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/azurePipelinesCredential.d.ts +13 -0
- package/dist/browser/credentials/azurePipelinesCredential.js +23 -0
- package/dist/browser/credentials/azurePipelinesCredentialOptions.d.ts +9 -0
- package/dist/browser/credentials/azurePipelinesCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/azurePipelinesCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/azurePowerShellCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/azurePowerShellCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/azurePowerShellCredential.d.ts +12 -0
- package/dist/browser/credentials/azurePowerShellCredential.js +22 -0
- package/dist/browser/credentials/azurePowerShellCredentialOptions.d.ts +15 -0
- package/dist/browser/credentials/azurePowerShellCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/azurePowerShellCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/brokerAuthOptions.d.ts +13 -0
- package/dist/browser/credentials/brokerAuthOptions.d.ts.map +1 -0
- package/dist/browser/credentials/brokerAuthOptions.js.map +1 -0
- package/dist/browser/credentials/browserCustomizationOptions.d.ts +19 -0
- package/dist/browser/credentials/browserCustomizationOptions.d.ts.map +1 -0
- package/dist/browser/credentials/chainedTokenCredential.d.ts +49 -0
- package/dist/browser/credentials/chainedTokenCredential.d.ts.map +1 -0
- package/dist/browser/credentials/chainedTokenCredential.js +90 -0
- package/dist/browser/credentials/chainedTokenCredential.js.map +1 -0
- package/dist/browser/credentials/clientAssertionCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/clientAssertionCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/clientAssertionCredential.d.ts +12 -0
- package/dist/browser/credentials/clientAssertionCredential.js +22 -0
- package/dist/browser/credentials/clientAssertionCredentialOptions.d.ts +9 -0
- package/dist/browser/credentials/clientAssertionCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/clientAssertionCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/clientCertificateCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/clientCertificateCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/clientCertificateCredential.d.ts +13 -0
- package/dist/browser/credentials/clientCertificateCredential.js +23 -0
- package/dist/browser/credentials/clientCertificateCredentialOptions.d.ts +14 -0
- package/dist/browser/credentials/clientCertificateCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/clientCertificateCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/clientSecretCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/clientSecretCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/clientSecretCredential.d.ts +40 -0
- package/dist/browser/credentials/clientSecretCredential.js +83 -0
- package/dist/browser/credentials/clientSecretCredentialOptions.d.ts +9 -0
- package/dist/browser/credentials/clientSecretCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/clientSecretCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/credentialPersistenceOptions.d.ts +29 -0
- package/dist/browser/credentials/credentialPersistenceOptions.d.ts.map +1 -0
- package/dist/browser/credentials/credentialPersistenceOptions.js.map +1 -0
- package/dist/browser/credentials/defaultAzureCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/defaultAzureCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/defaultAzureCredential.d.ts +19 -0
- package/dist/browser/credentials/defaultAzureCredential.js +29 -0
- package/dist/browser/credentials/defaultAzureCredentialOptions.d.ts +49 -0
- package/dist/browser/credentials/defaultAzureCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/defaultAzureCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/deviceCodeCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/deviceCodeCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/deviceCodeCredential.d.ts +13 -0
- package/dist/browser/credentials/deviceCodeCredential.js +23 -0
- package/dist/browser/credentials/deviceCodeCredentialOptions.d.ts +53 -0
- package/dist/browser/credentials/deviceCodeCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/deviceCodeCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/environmentCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/environmentCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/environmentCredential.d.ts +13 -0
- package/dist/browser/credentials/environmentCredential.js +23 -0
- package/dist/browser/credentials/environmentCredentialOptions.d.ts +9 -0
- package/dist/browser/credentials/environmentCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/environmentCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/interactiveBrowserCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/interactiveBrowserCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/interactiveBrowserCredential.d.ts +53 -0
- package/dist/browser/credentials/interactiveBrowserCredential.js +86 -0
- package/dist/browser/credentials/interactiveBrowserCredentialOptions.d.ts +77 -0
- package/dist/browser/credentials/interactiveBrowserCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/interactiveBrowserCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/interactiveCredentialOptions.d.ts +25 -0
- package/dist/browser/credentials/interactiveCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/interactiveCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsMsi.d.ts +18 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsMsi.d.ts.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsMsi.js +122 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsMsi.js.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts +12 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/index-browser.d.mts.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/index-browser.mjs.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/index.d.ts +6 -0
- package/dist/browser/credentials/managedIdentityCredential/index.js +16 -0
- package/dist/browser/credentials/managedIdentityCredential/models.d.ts +24 -0
- package/dist/browser/credentials/managedIdentityCredential/models.d.ts.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/models.js.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts +14 -0
- package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.js +32 -0
- package/dist/browser/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -0
- package/dist/browser/credentials/managedIdentityCredential/utils.d.ts +33 -0
- package/dist/browser/credentials/managedIdentityCredential/utils.d.ts.map +1 -0
- package/dist/browser/credentials/multiTenantTokenCredentialOptions.d.ts +12 -0
- package/dist/browser/credentials/multiTenantTokenCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/multiTenantTokenCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/onBehalfOfCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/onBehalfOfCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/onBehalfOfCredential.d.ts +12 -0
- package/dist/browser/credentials/onBehalfOfCredential.js +23 -0
- package/dist/browser/credentials/onBehalfOfCredentialOptions.d.ts +76 -0
- package/dist/browser/credentials/onBehalfOfCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/onBehalfOfCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/usernamePasswordCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/usernamePasswordCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/usernamePasswordCredential.d.ts +40 -0
- package/dist/browser/credentials/usernamePasswordCredential.js +77 -0
- package/dist/browser/credentials/usernamePasswordCredentialOptions.d.ts +9 -0
- package/dist/browser/credentials/usernamePasswordCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/usernamePasswordCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/visualStudioCodeCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/visualStudioCodeCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/visualStudioCodeCredential.d.ts +15 -0
- package/dist/browser/credentials/visualStudioCodeCredential.js +27 -0
- package/dist/browser/credentials/visualStudioCodeCredentialOptions.d.ts +11 -0
- package/dist/browser/credentials/visualStudioCodeCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/visualStudioCodeCredentialOptions.js.map +1 -0
- package/dist/browser/credentials/visualStudioCodeCredentialPlugin.d.ts +11 -0
- package/dist/browser/credentials/visualStudioCodeCredentialPlugin.d.ts.map +1 -0
- package/dist/browser/credentials/workloadIdentityCredential-browser.d.mts.map +1 -0
- package/dist/browser/credentials/workloadIdentityCredential-browser.mjs.map +1 -0
- package/dist/browser/credentials/workloadIdentityCredential.d.ts +17 -0
- package/dist/browser/credentials/workloadIdentityCredential.js +27 -0
- package/dist/browser/credentials/workloadIdentityCredentialOptions.d.ts +20 -0
- package/dist/browser/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -0
- package/dist/browser/credentials/workloadIdentityCredentialOptions.js.map +1 -0
- package/dist/browser/errors.d.ts +139 -0
- package/dist/browser/errors.d.ts.map +1 -0
- package/dist/browser/index.d.ts +59 -0
- package/dist/browser/index.d.ts.map +1 -0
- package/dist/browser/index.js +34 -0
- package/dist/browser/index.js.map +1 -0
- package/dist/browser/msal/browserFlows/flows.d.ts +42 -0
- package/dist/browser/msal/browserFlows/flows.d.ts.map +1 -0
- package/dist/browser/msal/browserFlows/flows.js.map +1 -0
- package/dist/browser/msal/browserFlows/msalAuthCode.d.ts +50 -0
- package/dist/browser/msal/browserFlows/msalAuthCode.d.ts.map +1 -0
- package/dist/browser/msal/browserFlows/msalAuthCode.js +203 -0
- package/dist/browser/msal/browserFlows/msalAuthCode.js.map +1 -0
- package/dist/browser/msal/browserFlows/msalBrowserCommon.d.ts +106 -0
- package/dist/browser/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -0
- package/dist/browser/msal/browserFlows/msalBrowserCommon.js +116 -0
- package/dist/browser/msal/browserFlows/msalBrowserCommon.js.map +1 -0
- package/dist/browser/msal/credentials.d.ts +52 -0
- package/dist/browser/msal/credentials.d.ts.map +1 -0
- package/dist/browser/msal/credentials.js.map +1 -0
- package/dist/browser/msal/msal-browser.d.mts.map +1 -0
- package/dist/browser/msal/msal-browser.mjs.map +1 -0
- package/dist/browser/msal/msal.d.ts +3 -0
- package/dist/browser/msal/msal.js +5 -0
- package/dist/browser/msal/nodeFlows/brokerOptions.d.ts +44 -0
- package/dist/browser/msal/nodeFlows/brokerOptions.d.ts.map +1 -0
- package/dist/browser/msal/nodeFlows/msalClient.d.ts +186 -0
- package/dist/browser/msal/nodeFlows/msalClient.d.ts.map +1 -0
- package/dist/browser/msal/nodeFlows/msalClient.js +477 -0
- package/dist/browser/msal/nodeFlows/msalClient.js.map +1 -0
- package/dist/browser/msal/nodeFlows/msalPlugins.d.ts +91 -0
- package/dist/browser/msal/nodeFlows/msalPlugins.d.ts.map +1 -0
- package/dist/browser/msal/nodeFlows/msalPlugins.js +87 -0
- package/dist/browser/msal/nodeFlows/msalPlugins.js.map +1 -0
- package/dist/browser/msal/nodeFlows/tokenCachePersistenceOptions.d.ts +24 -0
- package/dist/browser/msal/nodeFlows/tokenCachePersistenceOptions.d.ts.map +1 -0
- package/dist/browser/msal/types.d.ts +87 -0
- package/dist/browser/msal/types.d.ts.map +1 -0
- package/dist/browser/msal/utils.d.ts +95 -0
- package/dist/browser/msal/utils.d.ts.map +1 -0
- package/dist/browser/msal/utils.js +232 -0
- package/dist/browser/msal/utils.js.map +1 -0
- package/dist/browser/package.json +3 -0
- package/dist/browser/plugins/consumer-browser.d.mts.map +1 -0
- package/dist/browser/plugins/consumer-browser.mjs.map +1 -0
- package/dist/browser/plugins/consumer.d.ts +2 -0
- package/dist/browser/plugins/consumer.js +7 -0
- package/dist/browser/plugins/provider.d.ts +36 -0
- package/dist/browser/plugins/provider.d.ts.map +1 -0
- package/dist/browser/plugins/provider.js.map +1 -0
- package/dist/browser/regionalAuthority.d.ts +122 -0
- package/dist/browser/regionalAuthority.d.ts.map +1 -0
- package/dist/browser/tokenCredentialOptions.d.ts +28 -0
- package/dist/browser/tokenCredentialOptions.d.ts.map +1 -0
- package/dist/browser/tokenProvider.d.ts +38 -0
- package/dist/browser/tokenProvider.d.ts.map +1 -0
- package/dist/browser/util/authHostEnv-browser.d.mts +4 -0
- package/dist/browser/util/authHostEnv-browser.d.mts.map +1 -0
- package/dist/browser/util/authHostEnv-browser.mjs +7 -0
- package/dist/browser/util/authHostEnv-browser.mjs.map +1 -0
- package/dist/browser/util/identityTokenEndpoint.d.ts +2 -0
- package/dist/browser/util/identityTokenEndpoint.d.ts.map +1 -0
- package/dist/browser/util/logging.d.ts +70 -0
- package/dist/browser/util/logging.d.ts.map +1 -0
- package/dist/browser/util/processMultiTenantRequest-browser.d.mts.map +1 -0
- package/dist/browser/util/processMultiTenantRequest-browser.mjs.map +1 -0
- package/dist/browser/util/processMultiTenantRequest.d.ts +9 -0
- package/dist/browser/util/processMultiTenantRequest.js +29 -0
- package/dist/browser/util/processUtils.d.ts +13 -0
- package/dist/browser/util/processUtils.d.ts.map +1 -0
- package/dist/browser/util/scopeUtils.d.ts +17 -0
- package/dist/browser/util/scopeUtils.d.ts.map +1 -0
- package/dist/browser/util/scopeUtils.js +29 -0
- package/dist/browser/util/scopeUtils.js.map +1 -0
- package/dist/browser/util/subscriptionUtils.d.ts +6 -0
- package/dist/browser/util/subscriptionUtils.d.ts.map +1 -0
- package/dist/browser/util/subscriptionUtils.js +14 -0
- package/dist/browser/util/subscriptionUtils.js.map +1 -0
- package/dist/browser/util/tenantIdUtils.d.ts +15 -0
- package/dist/browser/util/tenantIdUtils.d.ts.map +1 -0
- package/dist/browser/util/tenantIdUtils.js +44 -0
- package/dist/browser/util/tenantIdUtils.js.map +1 -0
- package/dist/browser/util/tracing.d.ts +6 -0
- package/dist/browser/util/tracing.d.ts.map +1 -0
- package/dist/browser/util/tracing.js +14 -0
- package/dist/browser/util/tracing.js.map +1 -0
- package/dist/commonjs/client/identityClient.d.ts +65 -0
- package/dist/commonjs/client/identityClient.d.ts.map +1 -0
- package/dist/commonjs/client/identityClient.js +253 -0
- package/dist/commonjs/client/identityClient.js.map +1 -0
- package/dist/commonjs/constants.d.ts +64 -0
- package/dist/commonjs/constants.d.ts.map +1 -0
- package/dist/commonjs/constants.js +73 -0
- package/dist/commonjs/constants.js.map +1 -0
- package/dist/commonjs/credentials/authorityValidationOptions.d.ts +16 -0
- package/dist/commonjs/credentials/authorityValidationOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/authorityValidationOptions.js +5 -0
- package/dist/commonjs/credentials/authorityValidationOptions.js.map +1 -0
- package/dist/commonjs/credentials/authorizationCodeCredential.d.ts +73 -0
- package/dist/commonjs/credentials/authorizationCodeCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/authorizationCodeCredential.js +64 -0
- package/dist/commonjs/credentials/authorizationCodeCredential.js.map +1 -0
- package/dist/commonjs/credentials/authorizationCodeCredentialOptions.d.ts +8 -0
- package/dist/commonjs/credentials/authorizationCodeCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/authorizationCodeCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/authorizationCodeCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/azureApplicationCredential.d.ts +24 -0
- package/dist/commonjs/credentials/azureApplicationCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/azureApplicationCredential.js +36 -0
- package/dist/commonjs/credentials/azureApplicationCredential.js.map +1 -0
- package/dist/commonjs/credentials/azureApplicationCredentialOptions.d.ts +13 -0
- package/dist/commonjs/credentials/azureApplicationCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/azureApplicationCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/azureApplicationCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/azureCliCredential.d.ts +64 -0
- package/dist/commonjs/credentials/azureCliCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/azureCliCredential.js +194 -0
- package/dist/commonjs/credentials/azureCliCredential.js.map +1 -0
- package/dist/commonjs/credentials/azureCliCredentialOptions.d.ts +20 -0
- package/dist/commonjs/credentials/azureCliCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/azureCliCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/azureCliCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts +71 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredential.js +176 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredential.js.map +1 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.d.ts +15 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/azurePipelinesCredential.d.ts +38 -0
- package/dist/commonjs/credentials/azurePipelinesCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/azurePipelinesCredential.js +146 -0
- package/dist/commonjs/credentials/azurePipelinesCredential.js.map +1 -0
- package/dist/commonjs/credentials/azurePipelinesCredentialOptions.d.ts +9 -0
- package/dist/commonjs/credentials/azurePipelinesCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/azurePipelinesCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/azurePipelinesCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/azurePowerShellCredential.d.ts +75 -0
- package/dist/commonjs/credentials/azurePowerShellCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/azurePowerShellCredential.js +235 -0
- package/dist/commonjs/credentials/azurePowerShellCredential.js.map +1 -0
- package/dist/commonjs/credentials/azurePowerShellCredentialOptions.d.ts +15 -0
- package/dist/commonjs/credentials/azurePowerShellCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/azurePowerShellCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/azurePowerShellCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/brokerAuthOptions.d.ts +13 -0
- package/dist/commonjs/credentials/brokerAuthOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/brokerAuthOptions.js +3 -0
- package/dist/commonjs/credentials/brokerAuthOptions.js.map +1 -0
- package/dist/commonjs/credentials/browserCustomizationOptions.d.ts +19 -0
- package/dist/commonjs/credentials/browserCustomizationOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/browserCustomizationOptions.js +5 -0
- package/dist/commonjs/credentials/browserCustomizationOptions.js.map +1 -0
- package/dist/commonjs/credentials/chainedTokenCredential.d.ts +49 -0
- package/dist/commonjs/credentials/chainedTokenCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/chainedTokenCredential.js +94 -0
- package/dist/commonjs/credentials/chainedTokenCredential.js.map +1 -0
- package/dist/commonjs/credentials/clientAssertionCredential.d.ts +33 -0
- package/dist/commonjs/credentials/clientAssertionCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/clientAssertionCredential.js +59 -0
- package/dist/commonjs/credentials/clientAssertionCredential.js.map +1 -0
- package/dist/commonjs/credentials/clientAssertionCredentialOptions.d.ts +9 -0
- package/dist/commonjs/credentials/clientAssertionCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/clientAssertionCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/clientAssertionCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/clientCertificateCredential.d.ts +101 -0
- package/dist/commonjs/credentials/clientCertificateCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/clientCertificateCredential.js +124 -0
- package/dist/commonjs/credentials/clientCertificateCredential.js.map +1 -0
- package/dist/commonjs/credentials/clientCertificateCredentialOptions.d.ts +14 -0
- package/dist/commonjs/credentials/clientCertificateCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/clientCertificateCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/clientCertificateCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/clientSecretCredential.d.ts +37 -0
- package/dist/commonjs/credentials/clientSecretCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/clientSecretCredential.js +64 -0
- package/dist/commonjs/credentials/clientSecretCredential.js.map +1 -0
- package/dist/commonjs/credentials/clientSecretCredentialOptions.d.ts +9 -0
- package/dist/commonjs/credentials/clientSecretCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/clientSecretCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/clientSecretCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/credentialPersistenceOptions.d.ts +29 -0
- package/dist/commonjs/credentials/credentialPersistenceOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/credentialPersistenceOptions.js +5 -0
- package/dist/commonjs/credentials/credentialPersistenceOptions.js.map +1 -0
- package/dist/commonjs/credentials/defaultAzureCredential.d.ts +65 -0
- package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/defaultAzureCredential.js +171 -0
- package/dist/commonjs/credentials/defaultAzureCredential.js.map +1 -0
- package/dist/commonjs/credentials/defaultAzureCredentialOptions.d.ts +49 -0
- package/dist/commonjs/credentials/defaultAzureCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/defaultAzureCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/defaultAzureCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/deviceCodeCredential.d.ts +67 -0
- package/dist/commonjs/credentials/deviceCodeCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/deviceCodeCredential.js +96 -0
- package/dist/commonjs/credentials/deviceCodeCredential.js.map +1 -0
- package/dist/commonjs/credentials/deviceCodeCredentialOptions.d.ts +53 -0
- package/dist/commonjs/credentials/deviceCodeCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/deviceCodeCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/deviceCodeCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/environmentCredential.d.ts +52 -0
- package/dist/commonjs/credentials/environmentCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/environmentCredential.js +135 -0
- package/dist/commonjs/credentials/environmentCredential.js.map +1 -0
- package/dist/commonjs/credentials/environmentCredentialOptions.d.ts +9 -0
- package/dist/commonjs/credentials/environmentCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/environmentCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/environmentCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/interactiveBrowserCredential.d.ts +56 -0
- package/dist/commonjs/credentials/interactiveBrowserCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/interactiveBrowserCredential.js +95 -0
- package/dist/commonjs/credentials/interactiveBrowserCredential.js.map +1 -0
- package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.d.ts +77 -0
- package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/interactiveBrowserCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/interactiveCredentialOptions.d.ts +25 -0
- package/dist/commonjs/credentials/interactiveCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/interactiveCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/interactiveCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.d.ts +18 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.d.ts.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.js +125 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.js.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts +12 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.js +36 -0
- package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts +95 -0
- package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/index.js +221 -0
- package/dist/commonjs/credentials/managedIdentityCredential/index.js.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/models.d.ts +24 -0
- package/dist/commonjs/credentials/managedIdentityCredential/models.d.ts.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/models.js +5 -0
- package/dist/commonjs/credentials/managedIdentityCredential/models.js.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts +14 -0
- package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.js +35 -0
- package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/utils.d.ts +33 -0
- package/dist/commonjs/credentials/managedIdentityCredential/utils.d.ts.map +1 -0
- package/dist/commonjs/credentials/managedIdentityCredential/utils.js +82 -0
- package/dist/commonjs/credentials/managedIdentityCredential/utils.js.map +1 -0
- package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.d.ts +12 -0
- package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/onBehalfOfCredential.d.ts +102 -0
- package/dist/commonjs/credentials/onBehalfOfCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/onBehalfOfCredential.js +116 -0
- package/dist/commonjs/credentials/onBehalfOfCredential.js.map +1 -0
- package/dist/commonjs/credentials/onBehalfOfCredentialOptions.d.ts +76 -0
- package/dist/commonjs/credentials/onBehalfOfCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/onBehalfOfCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/onBehalfOfCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/usernamePasswordCredential.d.ts +41 -0
- package/dist/commonjs/credentials/usernamePasswordCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/usernamePasswordCredential.js +71 -0
- package/dist/commonjs/credentials/usernamePasswordCredential.js.map +1 -0
- package/dist/commonjs/credentials/usernamePasswordCredentialOptions.d.ts +9 -0
- package/dist/commonjs/credentials/usernamePasswordCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/usernamePasswordCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/usernamePasswordCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/visualStudioCodeCredential.d.ts +60 -0
- package/dist/commonjs/credentials/visualStudioCodeCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/visualStudioCodeCredential.js +196 -0
- package/dist/commonjs/credentials/visualStudioCodeCredential.js.map +1 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.d.ts +11 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialOptions.js.map +1 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.d.ts +11 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.d.ts.map +1 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.js +5 -0
- package/dist/commonjs/credentials/visualStudioCodeCredentialPlugin.js.map +1 -0
- package/dist/commonjs/credentials/workloadIdentityCredential.d.ts +47 -0
- package/dist/commonjs/credentials/workloadIdentityCredential.d.ts.map +1 -0
- package/dist/commonjs/credentials/workloadIdentityCredential.js +118 -0
- package/dist/commonjs/credentials/workloadIdentityCredential.js.map +1 -0
- package/dist/commonjs/credentials/workloadIdentityCredentialOptions.d.ts +20 -0
- package/dist/commonjs/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/credentials/workloadIdentityCredentialOptions.js +5 -0
- package/dist/commonjs/credentials/workloadIdentityCredentialOptions.js.map +1 -0
- package/dist/commonjs/errors.d.ts +139 -0
- package/dist/commonjs/errors.d.ts.map +1 -0
- package/dist/commonjs/errors.js +130 -0
- package/dist/commonjs/errors.js.map +1 -0
- package/dist/commonjs/index.d.ts +59 -0
- package/dist/commonjs/index.d.ts.map +1 -0
- package/dist/commonjs/index.js +69 -0
- package/dist/commonjs/index.js.map +1 -0
- package/dist/commonjs/msal/browserFlows/flows.d.ts +42 -0
- package/dist/commonjs/msal/browserFlows/flows.d.ts.map +1 -0
- package/dist/commonjs/msal/browserFlows/flows.js +5 -0
- package/dist/commonjs/msal/browserFlows/flows.js.map +1 -0
- package/dist/commonjs/msal/browserFlows/msalAuthCode.d.ts +50 -0
- package/dist/commonjs/msal/browserFlows/msalAuthCode.d.ts.map +1 -0
- package/dist/commonjs/msal/browserFlows/msalAuthCode.js +208 -0
- package/dist/commonjs/msal/browserFlows/msalAuthCode.js.map +1 -0
- package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts +106 -0
- package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -0
- package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js +121 -0
- package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js.map +1 -0
- package/dist/commonjs/msal/credentials.d.ts +52 -0
- package/dist/commonjs/msal/credentials.d.ts.map +1 -0
- package/dist/commonjs/msal/credentials.js +5 -0
- package/dist/commonjs/msal/credentials.js.map +1 -0
- package/dist/commonjs/msal/msal.d.ts +3 -0
- package/dist/commonjs/msal/msal.d.ts.map +1 -0
- package/dist/commonjs/msal/msal.js +9 -0
- package/dist/commonjs/msal/msal.js.map +1 -0
- package/dist/commonjs/msal/nodeFlows/brokerOptions.d.ts +44 -0
- package/dist/commonjs/msal/nodeFlows/brokerOptions.d.ts.map +1 -0
- package/dist/commonjs/msal/nodeFlows/brokerOptions.js +3 -0
- package/dist/commonjs/msal/nodeFlows/brokerOptions.js.map +1 -0
- package/dist/commonjs/msal/nodeFlows/msalClient.d.ts +186 -0
- package/dist/commonjs/msal/nodeFlows/msalClient.d.ts.map +1 -0
- package/dist/commonjs/msal/nodeFlows/msalClient.js +482 -0
- package/dist/commonjs/msal/nodeFlows/msalClient.js.map +1 -0
- package/dist/commonjs/msal/nodeFlows/msalPlugins.d.ts +91 -0
- package/dist/commonjs/msal/nodeFlows/msalPlugins.d.ts.map +1 -0
- package/dist/commonjs/msal/nodeFlows/msalPlugins.js +91 -0
- package/dist/commonjs/msal/nodeFlows/msalPlugins.js.map +1 -0
- package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.d.ts +24 -0
- package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.d.ts.map +1 -0
- package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.js +5 -0
- package/dist/commonjs/msal/nodeFlows/tokenCachePersistenceOptions.js.map +1 -0
- package/dist/commonjs/msal/types.d.ts +87 -0
- package/dist/commonjs/msal/types.d.ts.map +1 -0
- package/dist/commonjs/msal/types.js +5 -0
- package/dist/commonjs/msal/types.js.map +1 -0
- package/dist/commonjs/msal/utils.d.ts +95 -0
- package/dist/commonjs/msal/utils.d.ts.map +1 -0
- package/dist/commonjs/msal/utils.js +247 -0
- package/dist/commonjs/msal/utils.js.map +1 -0
- package/dist/commonjs/package.json +3 -0
- package/dist/commonjs/plugins/consumer.d.ts +28 -0
- package/dist/commonjs/plugins/consumer.d.ts.map +1 -0
- package/dist/commonjs/plugins/consumer.js +46 -0
- package/dist/commonjs/plugins/consumer.js.map +1 -0
- package/dist/commonjs/plugins/provider.d.ts +36 -0
- package/dist/commonjs/plugins/provider.d.ts.map +1 -0
- package/dist/commonjs/plugins/provider.js +5 -0
- package/dist/commonjs/plugins/provider.js.map +1 -0
- package/dist/commonjs/regionalAuthority.d.ts +122 -0
- package/dist/commonjs/regionalAuthority.d.ts.map +1 -0
- package/dist/commonjs/regionalAuthority.js +144 -0
- package/dist/commonjs/regionalAuthority.js.map +1 -0
- package/dist/commonjs/tokenCredentialOptions.d.ts +28 -0
- package/dist/commonjs/tokenCredentialOptions.d.ts.map +1 -0
- package/dist/commonjs/tokenCredentialOptions.js +5 -0
- package/dist/commonjs/tokenCredentialOptions.js.map +1 -0
- package/dist/commonjs/tokenProvider.d.ts +38 -0
- package/dist/commonjs/tokenProvider.d.ts.map +1 -0
- package/dist/commonjs/tokenProvider.js +55 -0
- package/dist/commonjs/tokenProvider.js.map +1 -0
- package/dist/commonjs/tsdoc-metadata.json +11 -0
- package/dist/commonjs/util/identityTokenEndpoint.d.ts +2 -0
- package/dist/commonjs/util/identityTokenEndpoint.d.ts.map +1 -0
- package/dist/commonjs/util/identityTokenEndpoint.js +14 -0
- package/dist/commonjs/util/identityTokenEndpoint.js.map +1 -0
- package/dist/commonjs/util/logging.d.ts +70 -0
- package/dist/commonjs/util/logging.d.ts.map +1 -0
- package/dist/commonjs/util/logging.js +103 -0
- package/dist/commonjs/util/logging.js.map +1 -0
- package/dist/commonjs/util/processMultiTenantRequest.d.ts +10 -0
- package/dist/commonjs/util/processMultiTenantRequest.d.ts.map +1 -0
- package/dist/commonjs/util/processMultiTenantRequest.js +38 -0
- package/dist/commonjs/util/processMultiTenantRequest.js.map +1 -0
- package/dist/commonjs/util/processUtils.d.ts +13 -0
- package/dist/commonjs/util/processUtils.d.ts.map +1 -0
- package/dist/commonjs/util/processUtils.js +36 -0
- package/dist/commonjs/util/processUtils.js.map +1 -0
- package/dist/commonjs/util/scopeUtils.d.ts +17 -0
- package/dist/commonjs/util/scopeUtils.d.ts.map +1 -0
- package/dist/commonjs/util/scopeUtils.js +34 -0
- package/dist/commonjs/util/scopeUtils.js.map +1 -0
- package/dist/commonjs/util/subscriptionUtils.d.ts +6 -0
- package/dist/commonjs/util/subscriptionUtils.d.ts.map +1 -0
- package/dist/commonjs/util/subscriptionUtils.js +17 -0
- package/dist/commonjs/util/subscriptionUtils.js.map +1 -0
- package/dist/commonjs/util/tenantIdUtils.d.ts +15 -0
- package/dist/commonjs/util/tenantIdUtils.d.ts.map +1 -0
- package/dist/commonjs/util/tenantIdUtils.js +51 -0
- package/dist/commonjs/util/tenantIdUtils.js.map +1 -0
- package/dist/commonjs/util/tracing.d.ts +6 -0
- package/dist/commonjs/util/tracing.d.ts.map +1 -0
- package/dist/commonjs/util/tracing.js +17 -0
- package/dist/commonjs/util/tracing.js.map +1 -0
- package/dist/esm/client/identityClient.d.ts +65 -0
- package/dist/esm/client/identityClient.d.ts.map +1 -0
- package/dist/esm/client/identityClient.js +248 -0
- package/dist/esm/client/identityClient.js.map +1 -0
- package/dist/esm/constants.d.ts +64 -0
- package/dist/esm/constants.d.ts.map +1 -0
- package/dist/esm/constants.js +70 -0
- package/dist/esm/constants.js.map +1 -0
- package/dist/esm/credentials/authorityValidationOptions.d.ts +16 -0
- package/dist/esm/credentials/authorityValidationOptions.d.ts.map +1 -0
- package/dist/esm/credentials/authorityValidationOptions.js +4 -0
- package/dist/esm/credentials/authorityValidationOptions.js.map +1 -0
- package/dist/esm/credentials/authorizationCodeCredential.d.ts +73 -0
- package/dist/esm/credentials/authorizationCodeCredential.d.ts.map +1 -0
- package/dist/esm/credentials/authorizationCodeCredential.js +60 -0
- package/dist/esm/credentials/authorizationCodeCredential.js.map +1 -0
- package/dist/esm/credentials/authorizationCodeCredentialOptions.d.ts +8 -0
- package/dist/esm/credentials/authorizationCodeCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/authorizationCodeCredentialOptions.js +4 -0
- package/dist/esm/credentials/authorizationCodeCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/azureApplicationCredential.d.ts +24 -0
- package/dist/esm/credentials/azureApplicationCredential.d.ts.map +1 -0
- package/dist/esm/credentials/azureApplicationCredential.js +32 -0
- package/dist/esm/credentials/azureApplicationCredential.js.map +1 -0
- package/dist/esm/credentials/azureApplicationCredentialOptions.d.ts +13 -0
- package/dist/esm/credentials/azureApplicationCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/azureApplicationCredentialOptions.js +4 -0
- package/dist/esm/credentials/azureApplicationCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/azureCliCredential.d.ts +64 -0
- package/dist/esm/credentials/azureCliCredential.d.ts.map +1 -0
- package/dist/esm/credentials/azureCliCredential.js +189 -0
- package/dist/esm/credentials/azureCliCredential.js.map +1 -0
- package/dist/esm/credentials/azureCliCredentialOptions.d.ts +20 -0
- package/dist/esm/credentials/azureCliCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/azureCliCredentialOptions.js +4 -0
- package/dist/esm/credentials/azureCliCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/azureDeveloperCliCredential.d.ts +71 -0
- package/dist/esm/credentials/azureDeveloperCliCredential.d.ts.map +1 -0
- package/dist/esm/credentials/azureDeveloperCliCredential.js +171 -0
- package/dist/esm/credentials/azureDeveloperCliCredential.js.map +1 -0
- package/dist/esm/credentials/azureDeveloperCliCredentialOptions.d.ts +15 -0
- package/dist/esm/credentials/azureDeveloperCliCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/azureDeveloperCliCredentialOptions.js +4 -0
- package/dist/esm/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/azurePipelinesCredential.d.ts +38 -0
- package/dist/esm/credentials/azurePipelinesCredential.d.ts.map +1 -0
- package/dist/esm/credentials/azurePipelinesCredential.js +141 -0
- package/dist/esm/credentials/azurePipelinesCredential.js.map +1 -0
- package/dist/esm/credentials/azurePipelinesCredentialOptions.d.ts +9 -0
- package/dist/esm/credentials/azurePipelinesCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/azurePipelinesCredentialOptions.js +4 -0
- package/dist/esm/credentials/azurePipelinesCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/azurePowerShellCredential.d.ts +75 -0
- package/dist/esm/credentials/azurePowerShellCredential.d.ts.map +1 -0
- package/dist/esm/credentials/azurePowerShellCredential.js +229 -0
- package/dist/esm/credentials/azurePowerShellCredential.js.map +1 -0
- package/dist/esm/credentials/azurePowerShellCredentialOptions.d.ts +15 -0
- package/dist/esm/credentials/azurePowerShellCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/azurePowerShellCredentialOptions.js +4 -0
- package/dist/esm/credentials/azurePowerShellCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/brokerAuthOptions.d.ts +13 -0
- package/dist/esm/credentials/brokerAuthOptions.d.ts.map +1 -0
- package/dist/esm/credentials/brokerAuthOptions.js +2 -0
- package/dist/esm/credentials/brokerAuthOptions.js.map +1 -0
- package/dist/esm/credentials/browserCustomizationOptions.d.ts +19 -0
- package/dist/esm/credentials/browserCustomizationOptions.d.ts.map +1 -0
- package/dist/esm/credentials/browserCustomizationOptions.js +4 -0
- package/dist/esm/credentials/browserCustomizationOptions.js.map +1 -0
- package/dist/esm/credentials/chainedTokenCredential.d.ts +49 -0
- package/dist/esm/credentials/chainedTokenCredential.d.ts.map +1 -0
- package/dist/esm/credentials/chainedTokenCredential.js +90 -0
- package/dist/esm/credentials/chainedTokenCredential.js.map +1 -0
- package/dist/esm/credentials/clientAssertionCredential.d.ts +33 -0
- package/dist/esm/credentials/clientAssertionCredential.d.ts.map +1 -0
- package/dist/esm/credentials/clientAssertionCredential.js +55 -0
- package/dist/esm/credentials/clientAssertionCredential.js.map +1 -0
- package/dist/esm/credentials/clientAssertionCredentialOptions.d.ts +9 -0
- package/dist/esm/credentials/clientAssertionCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/clientAssertionCredentialOptions.js +4 -0
- package/dist/esm/credentials/clientAssertionCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/clientCertificateCredential.d.ts +101 -0
- package/dist/esm/credentials/clientCertificateCredential.d.ts.map +1 -0
- package/dist/esm/credentials/clientCertificateCredential.js +119 -0
- package/dist/esm/credentials/clientCertificateCredential.js.map +1 -0
- package/dist/esm/credentials/clientCertificateCredentialOptions.d.ts +14 -0
- package/dist/esm/credentials/clientCertificateCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/clientCertificateCredentialOptions.js +4 -0
- package/dist/esm/credentials/clientCertificateCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/clientSecretCredential.d.ts +37 -0
- package/dist/esm/credentials/clientSecretCredential.d.ts.map +1 -0
- package/dist/esm/credentials/clientSecretCredential.js +60 -0
- package/dist/esm/credentials/clientSecretCredential.js.map +1 -0
- package/dist/esm/credentials/clientSecretCredentialOptions.d.ts +9 -0
- package/dist/esm/credentials/clientSecretCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/clientSecretCredentialOptions.js +4 -0
- package/dist/esm/credentials/clientSecretCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/credentialPersistenceOptions.d.ts +29 -0
- package/dist/esm/credentials/credentialPersistenceOptions.d.ts.map +1 -0
- package/dist/esm/credentials/credentialPersistenceOptions.js +4 -0
- package/dist/esm/credentials/credentialPersistenceOptions.js.map +1 -0
- package/dist/esm/credentials/defaultAzureCredential.d.ts +65 -0
- package/dist/esm/credentials/defaultAzureCredential.d.ts.map +1 -0
- package/dist/esm/credentials/defaultAzureCredential.js +164 -0
- package/dist/esm/credentials/defaultAzureCredential.js.map +1 -0
- package/dist/esm/credentials/defaultAzureCredentialOptions.d.ts +49 -0
- package/dist/esm/credentials/defaultAzureCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/defaultAzureCredentialOptions.js +4 -0
- package/dist/esm/credentials/defaultAzureCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/deviceCodeCredential.d.ts +67 -0
- package/dist/esm/credentials/deviceCodeCredential.d.ts.map +1 -0
- package/dist/esm/credentials/deviceCodeCredential.js +91 -0
- package/dist/esm/credentials/deviceCodeCredential.js.map +1 -0
- package/dist/esm/credentials/deviceCodeCredentialOptions.d.ts +53 -0
- package/dist/esm/credentials/deviceCodeCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/deviceCodeCredentialOptions.js +4 -0
- package/dist/esm/credentials/deviceCodeCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/environmentCredential.d.ts +52 -0
- package/dist/esm/credentials/environmentCredential.d.ts.map +1 -0
- package/dist/esm/credentials/environmentCredential.js +130 -0
- package/dist/esm/credentials/environmentCredential.js.map +1 -0
- package/dist/esm/credentials/environmentCredentialOptions.d.ts +9 -0
- package/dist/esm/credentials/environmentCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/environmentCredentialOptions.js +4 -0
- package/dist/esm/credentials/environmentCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/interactiveBrowserCredential.d.ts +56 -0
- package/dist/esm/credentials/interactiveBrowserCredential.d.ts.map +1 -0
- package/dist/esm/credentials/interactiveBrowserCredential.js +91 -0
- package/dist/esm/credentials/interactiveBrowserCredential.js.map +1 -0
- package/dist/esm/credentials/interactiveBrowserCredentialOptions.d.ts +77 -0
- package/dist/esm/credentials/interactiveBrowserCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/interactiveBrowserCredentialOptions.js +4 -0
- package/dist/esm/credentials/interactiveBrowserCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/interactiveCredentialOptions.d.ts +25 -0
- package/dist/esm/credentials/interactiveCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/interactiveCredentialOptions.js +4 -0
- package/dist/esm/credentials/interactiveCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsMsi.d.ts +18 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsMsi.d.ts.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsMsi.js +122 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsMsi.js.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts +12 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.js +33 -0
- package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/index.d.ts +95 -0
- package/dist/esm/credentials/managedIdentityCredential/index.d.ts.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/index.js +217 -0
- package/dist/esm/credentials/managedIdentityCredential/index.js.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/models.d.ts +24 -0
- package/dist/esm/credentials/managedIdentityCredential/models.d.ts.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/models.js +4 -0
- package/dist/esm/credentials/managedIdentityCredential/models.js.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts +14 -0
- package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.js +32 -0
- package/dist/esm/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/utils.d.ts +33 -0
- package/dist/esm/credentials/managedIdentityCredential/utils.d.ts.map +1 -0
- package/dist/esm/credentials/managedIdentityCredential/utils.js +77 -0
- package/dist/esm/credentials/managedIdentityCredential/utils.js.map +1 -0
- package/dist/esm/credentials/multiTenantTokenCredentialOptions.d.ts +12 -0
- package/dist/esm/credentials/multiTenantTokenCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/multiTenantTokenCredentialOptions.js +4 -0
- package/dist/esm/credentials/multiTenantTokenCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/onBehalfOfCredential.d.ts +102 -0
- package/dist/esm/credentials/onBehalfOfCredential.d.ts.map +1 -0
- package/dist/esm/credentials/onBehalfOfCredential.js +112 -0
- package/dist/esm/credentials/onBehalfOfCredential.js.map +1 -0
- package/dist/esm/credentials/onBehalfOfCredentialOptions.d.ts +76 -0
- package/dist/esm/credentials/onBehalfOfCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/onBehalfOfCredentialOptions.js +4 -0
- package/dist/esm/credentials/onBehalfOfCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/usernamePasswordCredential.d.ts +41 -0
- package/dist/esm/credentials/usernamePasswordCredential.d.ts.map +1 -0
- package/dist/esm/credentials/usernamePasswordCredential.js +67 -0
- package/dist/esm/credentials/usernamePasswordCredential.js.map +1 -0
- package/dist/esm/credentials/usernamePasswordCredentialOptions.d.ts +9 -0
- package/dist/esm/credentials/usernamePasswordCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/usernamePasswordCredentialOptions.js +4 -0
- package/dist/esm/credentials/usernamePasswordCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/visualStudioCodeCredential.d.ts +60 -0
- package/dist/esm/credentials/visualStudioCodeCredential.d.ts.map +1 -0
- package/dist/esm/credentials/visualStudioCodeCredential.js +190 -0
- package/dist/esm/credentials/visualStudioCodeCredential.js.map +1 -0
- package/dist/esm/credentials/visualStudioCodeCredentialOptions.d.ts +11 -0
- package/dist/esm/credentials/visualStudioCodeCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/visualStudioCodeCredentialOptions.js +4 -0
- package/dist/esm/credentials/visualStudioCodeCredentialOptions.js.map +1 -0
- package/dist/esm/credentials/visualStudioCodeCredentialPlugin.d.ts +11 -0
- package/dist/esm/credentials/visualStudioCodeCredentialPlugin.d.ts.map +1 -0
- package/dist/esm/credentials/visualStudioCodeCredentialPlugin.js +4 -0
- package/dist/esm/credentials/visualStudioCodeCredentialPlugin.js.map +1 -0
- package/dist/esm/credentials/workloadIdentityCredential.d.ts +47 -0
- package/dist/esm/credentials/workloadIdentityCredential.d.ts.map +1 -0
- package/dist/esm/credentials/workloadIdentityCredential.js +114 -0
- package/dist/esm/credentials/workloadIdentityCredential.js.map +1 -0
- package/dist/esm/credentials/workloadIdentityCredentialOptions.d.ts +20 -0
- package/dist/esm/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -0
- package/dist/esm/credentials/workloadIdentityCredentialOptions.js +4 -0
- package/dist/esm/credentials/workloadIdentityCredentialOptions.js.map +1 -0
- package/dist/esm/errors.d.ts +139 -0
- package/dist/esm/errors.d.ts.map +1 -0
- package/dist/esm/errors.js +123 -0
- package/dist/esm/errors.js.map +1 -0
- package/dist/esm/index.d.ts +59 -0
- package/dist/esm/index.d.ts.map +1 -0
- package/dist/esm/index.js +34 -0
- package/dist/esm/index.js.map +1 -0
- package/dist/esm/msal/browserFlows/flows.d.ts +42 -0
- package/dist/esm/msal/browserFlows/flows.d.ts.map +1 -0
- package/dist/esm/msal/browserFlows/flows.js +4 -0
- package/dist/esm/msal/browserFlows/flows.js.map +1 -0
- package/dist/esm/msal/browserFlows/msalAuthCode.d.ts +50 -0
- package/dist/esm/msal/browserFlows/msalAuthCode.d.ts.map +1 -0
- package/dist/esm/msal/browserFlows/msalAuthCode.js +203 -0
- package/dist/esm/msal/browserFlows/msalAuthCode.js.map +1 -0
- package/dist/esm/msal/browserFlows/msalBrowserCommon.d.ts +106 -0
- package/dist/esm/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -0
- package/dist/esm/msal/browserFlows/msalBrowserCommon.js +116 -0
- package/dist/esm/msal/browserFlows/msalBrowserCommon.js.map +1 -0
- package/dist/esm/msal/credentials.d.ts +52 -0
- package/dist/esm/msal/credentials.d.ts.map +1 -0
- package/dist/esm/msal/credentials.js +4 -0
- package/dist/esm/msal/credentials.js.map +1 -0
- package/dist/esm/msal/msal.d.ts +3 -0
- package/dist/esm/msal/msal.d.ts.map +1 -0
- package/dist/esm/msal/nodeFlows/brokerOptions.d.ts +44 -0
- package/dist/esm/msal/nodeFlows/brokerOptions.d.ts.map +1 -0
- package/dist/esm/msal/nodeFlows/brokerOptions.js +2 -0
- package/dist/esm/msal/nodeFlows/brokerOptions.js.map +1 -0
- package/dist/esm/msal/nodeFlows/msalClient.d.ts +186 -0
- package/dist/esm/msal/nodeFlows/msalClient.d.ts.map +1 -0
- package/dist/esm/msal/nodeFlows/msalClient.js +477 -0
- package/dist/esm/msal/nodeFlows/msalClient.js.map +1 -0
- package/dist/esm/msal/nodeFlows/msalPlugins.d.ts +91 -0
- package/dist/esm/msal/nodeFlows/msalPlugins.d.ts.map +1 -0
- package/dist/esm/msal/nodeFlows/msalPlugins.js +87 -0
- package/dist/esm/msal/nodeFlows/msalPlugins.js.map +1 -0
- package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.d.ts +24 -0
- package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.d.ts.map +1 -0
- package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.js +4 -0
- package/dist/esm/msal/nodeFlows/tokenCachePersistenceOptions.js.map +1 -0
- package/dist/esm/msal/types.d.ts +87 -0
- package/dist/esm/msal/types.d.ts.map +1 -0
- package/dist/esm/msal/types.js +4 -0
- package/dist/esm/msal/types.js.map +1 -0
- package/dist/esm/msal/utils.d.ts +95 -0
- package/dist/esm/msal/utils.d.ts.map +1 -0
- package/dist/esm/msal/utils.js +232 -0
- package/dist/esm/msal/utils.js.map +1 -0
- package/dist/esm/package.json +3 -0
- package/dist/esm/plugins/consumer.d.ts +28 -0
- package/dist/esm/plugins/consumer.d.ts.map +1 -0
- package/dist/esm/plugins/consumer.js +43 -0
- package/dist/esm/plugins/consumer.js.map +1 -0
- package/dist/esm/plugins/provider.d.ts +36 -0
- package/dist/esm/plugins/provider.d.ts.map +1 -0
- package/dist/esm/plugins/provider.js +4 -0
- package/dist/esm/plugins/provider.js.map +1 -0
- package/dist/esm/regionalAuthority.d.ts +122 -0
- package/dist/esm/regionalAuthority.d.ts.map +1 -0
- package/dist/esm/regionalAuthority.js +140 -0
- package/dist/esm/regionalAuthority.js.map +1 -0
- package/dist/esm/tokenCredentialOptions.d.ts +28 -0
- package/dist/esm/tokenCredentialOptions.d.ts.map +1 -0
- package/dist/esm/tokenCredentialOptions.js +4 -0
- package/dist/esm/tokenCredentialOptions.js.map +1 -0
- package/dist/esm/tokenProvider.d.ts +38 -0
- package/dist/esm/tokenProvider.d.ts.map +1 -0
- package/dist/esm/tokenProvider.js +52 -0
- package/dist/esm/tokenProvider.js.map +1 -0
- package/dist/esm/util/authHostEnv-browser.d.mts +4 -0
- package/dist/esm/util/authHostEnv-browser.d.mts.map +1 -0
- package/dist/esm/util/authHostEnv-browser.mjs +7 -0
- package/dist/esm/util/authHostEnv-browser.mjs.map +1 -0
- package/dist/esm/util/identityTokenEndpoint.d.ts +2 -0
- package/dist/esm/util/identityTokenEndpoint.d.ts.map +1 -0
- package/dist/esm/util/identityTokenEndpoint.js +11 -0
- package/dist/esm/util/identityTokenEndpoint.js.map +1 -0
- package/dist/esm/util/logging.d.ts +70 -0
- package/dist/esm/util/logging.d.ts.map +1 -0
- package/dist/esm/util/logging.js +94 -0
- package/dist/esm/util/logging.js.map +1 -0
- package/dist/esm/util/processMultiTenantRequest.d.ts +10 -0
- package/dist/esm/util/processMultiTenantRequest.d.ts.map +1 -0
- package/dist/esm/util/processMultiTenantRequest.js +35 -0
- package/dist/esm/util/processMultiTenantRequest.js.map +1 -0
- package/dist/esm/util/processUtils.d.ts +13 -0
- package/dist/esm/util/processUtils.d.ts.map +1 -0
- package/dist/esm/util/processUtils.js +32 -0
- package/dist/esm/util/processUtils.js.map +1 -0
- package/dist/esm/util/scopeUtils.d.ts +17 -0
- package/dist/esm/util/scopeUtils.d.ts.map +1 -0
- package/dist/esm/util/scopeUtils.js +29 -0
- package/dist/esm/util/scopeUtils.js.map +1 -0
- package/dist/esm/util/subscriptionUtils.d.ts +6 -0
- package/dist/esm/util/subscriptionUtils.d.ts.map +1 -0
- package/dist/esm/util/subscriptionUtils.js +14 -0
- package/dist/esm/util/subscriptionUtils.js.map +1 -0
- package/dist/esm/util/tenantIdUtils.d.ts +15 -0
- package/dist/esm/util/tenantIdUtils.d.ts.map +1 -0
- package/dist/esm/util/tenantIdUtils.js +44 -0
- package/dist/esm/util/tenantIdUtils.js.map +1 -0
- package/dist/esm/util/tracing.d.ts +6 -0
- package/dist/esm/util/tracing.d.ts.map +1 -0
- package/dist/esm/util/tracing.js +14 -0
- package/dist/esm/util/tracing.js.map +1 -0
- package/package.json +52 -63
- package/dist/index.js +0 -4200
- package/dist/index.js.map +0 -1
- package/dist-esm/src/client/identityClient.js +0 -248
- package/dist-esm/src/client/identityClient.js.map +0 -1
- package/dist-esm/src/credentials/authorizationCodeCredential.browser.js +0 -16
- package/dist-esm/src/credentials/authorizationCodeCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/authorizationCodeCredential.js +0 -60
- package/dist-esm/src/credentials/authorizationCodeCredential.js.map +0 -1
- package/dist-esm/src/credentials/authorizationCodeCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/azureApplicationCredential.browser.js +0 -34
- package/dist-esm/src/credentials/azureApplicationCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/azureApplicationCredential.js +0 -32
- package/dist-esm/src/credentials/azureApplicationCredential.js.map +0 -1
- package/dist-esm/src/credentials/azureApplicationCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/azureCliCredential.browser.js +0 -23
- package/dist-esm/src/credentials/azureCliCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/azureCliCredential.js +0 -189
- package/dist-esm/src/credentials/azureCliCredential.js.map +0 -1
- package/dist-esm/src/credentials/azureCliCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js +0 -23
- package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js +0 -171
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js.map +0 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/azurePipelinesCredential.browser.js +0 -23
- package/dist-esm/src/credentials/azurePipelinesCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/azurePipelinesCredential.js +0 -141
- package/dist-esm/src/credentials/azurePipelinesCredential.js.map +0 -1
- package/dist-esm/src/credentials/azurePipelinesCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/azurePowerShellCredential.browser.js +0 -22
- package/dist-esm/src/credentials/azurePowerShellCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/azurePowerShellCredential.js +0 -229
- package/dist-esm/src/credentials/azurePowerShellCredential.js.map +0 -1
- package/dist-esm/src/credentials/azurePowerShellCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/brokerAuthOptions.js.map +0 -1
- package/dist-esm/src/credentials/chainedTokenCredential.js +0 -90
- package/dist-esm/src/credentials/chainedTokenCredential.js.map +0 -1
- package/dist-esm/src/credentials/clientAssertionCredential.browser.js +0 -22
- package/dist-esm/src/credentials/clientAssertionCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/clientAssertionCredential.js +0 -55
- package/dist-esm/src/credentials/clientAssertionCredential.js.map +0 -1
- package/dist-esm/src/credentials/clientAssertionCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/clientCertificateCredential.browser.js +0 -23
- package/dist-esm/src/credentials/clientCertificateCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js +0 -119
- package/dist-esm/src/credentials/clientCertificateCredential.js.map +0 -1
- package/dist-esm/src/credentials/clientCertificateCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/clientSecretCredential.browser.js +0 -83
- package/dist-esm/src/credentials/clientSecretCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/clientSecretCredential.js +0 -60
- package/dist-esm/src/credentials/clientSecretCredential.js.map +0 -1
- package/dist-esm/src/credentials/clientSecretCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/credentialPersistenceOptions.js.map +0 -1
- package/dist-esm/src/credentials/defaultAzureCredential.browser.js +0 -29
- package/dist-esm/src/credentials/defaultAzureCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +0 -164
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +0 -1
- package/dist-esm/src/credentials/defaultAzureCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/deviceCodeCredential.browser.js +0 -23
- package/dist-esm/src/credentials/deviceCodeCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/deviceCodeCredential.js +0 -91
- package/dist-esm/src/credentials/deviceCodeCredential.js.map +0 -1
- package/dist-esm/src/credentials/deviceCodeCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/environmentCredential.browser.js +0 -23
- package/dist-esm/src/credentials/environmentCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/environmentCredential.js +0 -130
- package/dist-esm/src/credentials/environmentCredential.js.map +0 -1
- package/dist-esm/src/credentials/environmentCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js +0 -86
- package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.js +0 -91
- package/dist-esm/src/credentials/interactiveBrowserCredential.js.map +0 -1
- package/dist-esm/src/credentials/interactiveBrowserCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/interactiveCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js +0 -122
- package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js.map +0 -1
- package/dist-esm/src/credentials/managedIdentityCredential/imdsRetryPolicy.js.map +0 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js +0 -16
- package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js.map +0 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js +0 -217
- package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +0 -1
- package/dist-esm/src/credentials/managedIdentityCredential/models.js.map +0 -1
- package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js +0 -32
- package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +0 -1
- package/dist-esm/src/credentials/multiTenantTokenCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.browser.js +0 -23
- package/dist-esm/src/credentials/onBehalfOfCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js +0 -112
- package/dist-esm/src/credentials/onBehalfOfCredential.js.map +0 -1
- package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.browser.js +0 -77
- package/dist-esm/src/credentials/usernamePasswordCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.js +0 -67
- package/dist-esm/src/credentials/usernamePasswordCredential.js.map +0 -1
- package/dist-esm/src/credentials/usernamePasswordCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/visualStudioCodeCredential.browser.js +0 -27
- package/dist-esm/src/credentials/visualStudioCodeCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/visualStudioCodeCredential.js +0 -190
- package/dist-esm/src/credentials/visualStudioCodeCredential.js.map +0 -1
- package/dist-esm/src/credentials/visualStudioCodeCredentialOptions.js.map +0 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.browser.js +0 -27
- package/dist-esm/src/credentials/workloadIdentityCredential.browser.js.map +0 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.js +0 -114
- package/dist-esm/src/credentials/workloadIdentityCredential.js.map +0 -1
- package/dist-esm/src/credentials/workloadIdentityCredentialOptions.js.map +0 -1
- package/dist-esm/src/index.js +0 -34
- package/dist-esm/src/index.js.map +0 -1
- package/dist-esm/src/msal/browserFlows/flows.js.map +0 -1
- package/dist-esm/src/msal/browserFlows/msalAuthCode.js +0 -203
- package/dist-esm/src/msal/browserFlows/msalAuthCode.js.map +0 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js +0 -116
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +0 -1
- package/dist-esm/src/msal/credentials.js.map +0 -1
- package/dist-esm/src/msal/msal.browser.js +0 -5
- package/dist-esm/src/msal/msal.browser.js.map +0 -1
- package/dist-esm/src/msal/nodeFlows/msalClient.js +0 -484
- package/dist-esm/src/msal/nodeFlows/msalClient.js.map +0 -1
- package/dist-esm/src/msal/nodeFlows/msalPlugins.js +0 -87
- package/dist-esm/src/msal/nodeFlows/msalPlugins.js.map +0 -1
- package/dist-esm/src/msal/utils.js +0 -232
- package/dist-esm/src/msal/utils.js.map +0 -1
- package/dist-esm/src/plugins/consumer.browser.js +0 -7
- package/dist-esm/src/plugins/consumer.browser.js.map +0 -1
- package/dist-esm/src/plugins/consumer.js +0 -43
- package/dist-esm/src/plugins/consumer.js.map +0 -1
- package/dist-esm/src/plugins/provider.js.map +0 -1
- package/dist-esm/src/util/authHostEnv.browser.js +0 -7
- package/dist-esm/src/util/authHostEnv.browser.js.map +0 -1
- package/dist-esm/src/util/processMultiTenantRequest.browser.js +0 -29
- package/dist-esm/src/util/processMultiTenantRequest.browser.js.map +0 -1
- package/dist-esm/src/util/processMultiTenantRequest.js +0 -35
- package/dist-esm/src/util/processMultiTenantRequest.js.map +0 -1
- package/dist-esm/src/util/scopeUtils.js +0 -29
- package/dist-esm/src/util/scopeUtils.js.map +0 -1
- package/dist-esm/src/util/subscriptionUtils.js +0 -14
- package/dist-esm/src/util/subscriptionUtils.js.map +0 -1
- package/dist-esm/src/util/tenantIdUtils.js +0 -44
- package/dist-esm/src/util/tenantIdUtils.js.map +0 -1
- package/dist-esm/src/util/tracing.js +0 -14
- package/dist-esm/src/util/tracing.js.map +0 -1
- /package/{dist-esm/src → dist/browser}/constants.js +0 -0
- /package/{dist-esm/src → dist/browser}/constants.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/authorityValidationOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/authorityValidationOptions.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/authorizationCodeCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/azureApplicationCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/azureCliCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/azureDeveloperCliCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/azurePipelinesCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/azurePowerShellCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/brokerAuthOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/browserCustomizationOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/browserCustomizationOptions.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/clientAssertionCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/clientCertificateCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/clientSecretCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/credentialPersistenceOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/defaultAzureCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/deviceCodeCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/environmentCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/interactiveBrowserCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/interactiveCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/imdsRetryPolicy.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/models.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/utils.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/managedIdentityCredential/utils.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/multiTenantTokenCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/onBehalfOfCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/usernamePasswordCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/visualStudioCodeCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/visualStudioCodeCredentialPlugin.js +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/visualStudioCodeCredentialPlugin.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/credentials/workloadIdentityCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/errors.js +0 -0
- /package/{dist-esm/src → dist/browser}/errors.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/msal/browserFlows/flows.js +0 -0
- /package/{dist-esm/src → dist/browser}/msal/credentials.js +0 -0
- /package/{dist-esm/src → dist/browser}/msal/nodeFlows/brokerOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/msal/nodeFlows/brokerOptions.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/msal/nodeFlows/tokenCachePersistenceOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/msal/nodeFlows/tokenCachePersistenceOptions.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/msal/types.js +0 -0
- /package/{dist-esm/src → dist/browser}/msal/types.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/plugins/provider.js +0 -0
- /package/{dist-esm/src → dist/browser}/regionalAuthority.js +0 -0
- /package/{dist-esm/src → dist/browser}/regionalAuthority.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/tokenCredentialOptions.js +0 -0
- /package/{dist-esm/src → dist/browser}/tokenCredentialOptions.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/tokenProvider.js +0 -0
- /package/{dist-esm/src → dist/browser}/tokenProvider.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/util/identityTokenEndpoint.js +0 -0
- /package/{dist-esm/src → dist/browser}/util/identityTokenEndpoint.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/util/logging.js +0 -0
- /package/{dist-esm/src → dist/browser}/util/logging.js.map +0 -0
- /package/{dist-esm/src → dist/browser}/util/processUtils.js +0 -0
- /package/{dist-esm/src → dist/browser}/util/processUtils.js.map +0 -0
- /package/{dist-esm/src → dist/esm}/msal/msal.js +0 -0
- /package/{dist-esm/src → dist/esm}/msal/msal.js.map +0 -0
- /package/{types → dist}/identity.d.ts +0 -0
package/dist/index.js
DELETED
@@ -1,4200 +0,0 @@
|
|
1
|
-
'use strict';
|
2
|
-
|
3
|
-
Object.defineProperty(exports, '__esModule', { value: true });
|
4
|
-
|
5
|
-
var logger$m = require('@azure/logger');
|
6
|
-
var coreClient = require('@azure/core-client');
|
7
|
-
var coreUtil = require('@azure/core-util');
|
8
|
-
var coreRestPipeline = require('@azure/core-rest-pipeline');
|
9
|
-
var coreTracing = require('@azure/core-tracing');
|
10
|
-
var fs = require('fs');
|
11
|
-
var os = require('os');
|
12
|
-
var path = require('path');
|
13
|
-
var msalCommon = require('@azure/msal-node');
|
14
|
-
var abortController = require('@azure/abort-controller');
|
15
|
-
var open = require('open');
|
16
|
-
var promises = require('fs/promises');
|
17
|
-
var child_process = require('child_process');
|
18
|
-
var crypto = require('crypto');
|
19
|
-
var node_crypto = require('node:crypto');
|
20
|
-
var promises$1 = require('node:fs/promises');
|
21
|
-
|
22
|
-
function _interopNamespaceDefault(e) {
|
23
|
-
var n = Object.create(null);
|
24
|
-
if (e) {
|
25
|
-
Object.keys(e).forEach(function (k) {
|
26
|
-
if (k !== 'default') {
|
27
|
-
var d = Object.getOwnPropertyDescriptor(e, k);
|
28
|
-
Object.defineProperty(n, k, d.get ? d : {
|
29
|
-
enumerable: true,
|
30
|
-
get: function () { return e[k]; }
|
31
|
-
});
|
32
|
-
}
|
33
|
-
});
|
34
|
-
}
|
35
|
-
n.default = e;
|
36
|
-
return Object.freeze(n);
|
37
|
-
}
|
38
|
-
|
39
|
-
var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
|
40
|
-
var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
|
41
|
-
|
42
|
-
// Copyright (c) Microsoft Corporation.
|
43
|
-
// Licensed under the MIT License.
|
44
|
-
/**
|
45
|
-
* Current version of the `@azure/identity` package.
|
46
|
-
*/
|
47
|
-
const SDK_VERSION = `4.5.1`;
|
48
|
-
/**
|
49
|
-
* The default client ID for authentication
|
50
|
-
* @internal
|
51
|
-
*/
|
52
|
-
// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
|
53
|
-
// Developer Sign On application is available
|
54
|
-
// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
|
55
|
-
const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
|
56
|
-
/**
|
57
|
-
* The default tenant for authentication
|
58
|
-
* @internal
|
59
|
-
*/
|
60
|
-
const DefaultTenantId = "common";
|
61
|
-
/**
|
62
|
-
* A list of known Azure authority hosts
|
63
|
-
*/
|
64
|
-
exports.AzureAuthorityHosts = void 0;
|
65
|
-
(function (AzureAuthorityHosts) {
|
66
|
-
/**
|
67
|
-
* China-based Azure Authority Host
|
68
|
-
*/
|
69
|
-
AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
|
70
|
-
/**
|
71
|
-
* Germany-based Azure Authority Host
|
72
|
-
*
|
73
|
-
* @deprecated Microsoft Cloud Germany was closed on October 29th, 2021.
|
74
|
-
*
|
75
|
-
* */
|
76
|
-
AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
|
77
|
-
/**
|
78
|
-
* US Government Azure Authority Host
|
79
|
-
*/
|
80
|
-
AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
|
81
|
-
/**
|
82
|
-
* Public Cloud Azure Authority Host
|
83
|
-
*/
|
84
|
-
AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
|
85
|
-
})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
|
86
|
-
/**
|
87
|
-
* @internal
|
88
|
-
* The default authority host.
|
89
|
-
*/
|
90
|
-
const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
|
91
|
-
/**
|
92
|
-
* @internal
|
93
|
-
* Allow acquiring tokens for any tenant for multi-tentant auth.
|
94
|
-
*/
|
95
|
-
const ALL_TENANTS = ["*"];
|
96
|
-
/**
|
97
|
-
* @internal
|
98
|
-
*/
|
99
|
-
const CACHE_CAE_SUFFIX = "cae";
|
100
|
-
/**
|
101
|
-
* @internal
|
102
|
-
*/
|
103
|
-
const CACHE_NON_CAE_SUFFIX = "nocae";
|
104
|
-
/**
|
105
|
-
* @internal
|
106
|
-
*
|
107
|
-
* The default name for the cache persistence plugin.
|
108
|
-
* Matches the constant defined in the cache persistence package.
|
109
|
-
*/
|
110
|
-
const DEFAULT_TOKEN_CACHE_NAME = "msal.cache";
|
111
|
-
|
112
|
-
// Copyright (c) Microsoft Corporation.
|
113
|
-
// Licensed under the MIT License.
|
114
|
-
/**
|
115
|
-
* The current persistence provider, undefined by default.
|
116
|
-
* @internal
|
117
|
-
*/
|
118
|
-
let persistenceProvider = undefined;
|
119
|
-
/**
|
120
|
-
* An object that allows setting the persistence provider.
|
121
|
-
* @internal
|
122
|
-
*/
|
123
|
-
const msalNodeFlowCacheControl = {
|
124
|
-
setPersistence(pluginProvider) {
|
125
|
-
persistenceProvider = pluginProvider;
|
126
|
-
},
|
127
|
-
};
|
128
|
-
/**
|
129
|
-
* The current native broker provider, undefined by default.
|
130
|
-
* @internal
|
131
|
-
*/
|
132
|
-
let nativeBrokerInfo = undefined;
|
133
|
-
/**
|
134
|
-
* An object that allows setting the native broker provider.
|
135
|
-
* @internal
|
136
|
-
*/
|
137
|
-
const msalNodeFlowNativeBrokerControl = {
|
138
|
-
setNativeBroker(broker) {
|
139
|
-
nativeBrokerInfo = {
|
140
|
-
broker,
|
141
|
-
};
|
142
|
-
},
|
143
|
-
};
|
144
|
-
/**
|
145
|
-
* Configures plugins, validating that required plugins are available and enabled.
|
146
|
-
*
|
147
|
-
* Does not create the plugins themselves, but rather returns the configuration that will be used to create them.
|
148
|
-
*
|
149
|
-
* @param options - options for creating the MSAL client
|
150
|
-
* @returns plugin configuration
|
151
|
-
*/
|
152
|
-
function generatePluginConfiguration(options) {
|
153
|
-
var _a, _b, _c, _d, _e, _f, _g;
|
154
|
-
const config = {
|
155
|
-
cache: {},
|
156
|
-
broker: {
|
157
|
-
isEnabled: (_b = (_a = options.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) !== null && _b !== void 0 ? _b : false,
|
158
|
-
enableMsaPassthrough: (_d = (_c = options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough) !== null && _d !== void 0 ? _d : false,
|
159
|
-
parentWindowHandle: (_e = options.brokerOptions) === null || _e === void 0 ? void 0 : _e.parentWindowHandle,
|
160
|
-
},
|
161
|
-
};
|
162
|
-
if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
|
163
|
-
if (persistenceProvider === undefined) {
|
164
|
-
throw new Error([
|
165
|
-
"Persistent token caching was requested, but no persistence provider was configured.",
|
166
|
-
"You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
|
167
|
-
"and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
|
168
|
-
"`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
|
169
|
-
].join(" "));
|
170
|
-
}
|
171
|
-
const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
|
172
|
-
config.cache.cachePlugin = persistenceProvider(Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions));
|
173
|
-
config.cache.cachePluginCae = persistenceProvider(Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions));
|
174
|
-
}
|
175
|
-
if ((_g = options.brokerOptions) === null || _g === void 0 ? void 0 : _g.enabled) {
|
176
|
-
if (nativeBrokerInfo === undefined) {
|
177
|
-
throw new Error([
|
178
|
-
"Broker for WAM was requested to be enabled, but no native broker was configured.",
|
179
|
-
"You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
|
180
|
-
"and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
|
181
|
-
"`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
|
182
|
-
].join(" "));
|
183
|
-
}
|
184
|
-
config.broker.nativeBrokerPlugin = nativeBrokerInfo.broker;
|
185
|
-
}
|
186
|
-
return config;
|
187
|
-
}
|
188
|
-
/**
|
189
|
-
* Wraps generatePluginConfiguration as a writeable property for test stubbing purposes.
|
190
|
-
*/
|
191
|
-
const msalPlugins = {
|
192
|
-
generatePluginConfiguration,
|
193
|
-
};
|
194
|
-
|
195
|
-
// Copyright (c) Microsoft Corporation.
|
196
|
-
// Licensed under the MIT License.
|
197
|
-
/**
|
198
|
-
* The AzureLogger used for all clients within the identity package
|
199
|
-
*/
|
200
|
-
const logger$l = logger$m.createClientLogger("identity");
|
201
|
-
/**
|
202
|
-
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
203
|
-
* @param supportedEnvVars - List of environment variable names
|
204
|
-
*/
|
205
|
-
function processEnvVars(supportedEnvVars) {
|
206
|
-
return supportedEnvVars.reduce((acc, envVariable) => {
|
207
|
-
if (process.env[envVariable]) {
|
208
|
-
acc.assigned.push(envVariable);
|
209
|
-
}
|
210
|
-
else {
|
211
|
-
acc.missing.push(envVariable);
|
212
|
-
}
|
213
|
-
return acc;
|
214
|
-
}, { missing: [], assigned: [] });
|
215
|
-
}
|
216
|
-
/**
|
217
|
-
* Formatting the success event on the credentials
|
218
|
-
*/
|
219
|
-
function formatSuccess(scope) {
|
220
|
-
return `SUCCESS. Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
|
221
|
-
}
|
222
|
-
/**
|
223
|
-
* Formatting the success event on the credentials
|
224
|
-
*/
|
225
|
-
function formatError(scope, error) {
|
226
|
-
let message = "ERROR.";
|
227
|
-
if (scope === null || scope === void 0 ? void 0 : scope.length) {
|
228
|
-
message += ` Scopes: ${Array.isArray(scope) ? scope.join(", ") : scope}.`;
|
229
|
-
}
|
230
|
-
return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
|
231
|
-
}
|
232
|
-
/**
|
233
|
-
* Generates a CredentialLoggerInstance.
|
234
|
-
*
|
235
|
-
* It logs with the format:
|
236
|
-
*
|
237
|
-
* `[title] => [message]`
|
238
|
-
*
|
239
|
-
*/
|
240
|
-
function credentialLoggerInstance(title, parent, log = logger$l) {
|
241
|
-
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
242
|
-
function info(message) {
|
243
|
-
log.info(`${fullTitle} =>`, message);
|
244
|
-
}
|
245
|
-
function warning(message) {
|
246
|
-
log.warning(`${fullTitle} =>`, message);
|
247
|
-
}
|
248
|
-
function verbose(message) {
|
249
|
-
log.verbose(`${fullTitle} =>`, message);
|
250
|
-
}
|
251
|
-
function error(message) {
|
252
|
-
log.error(`${fullTitle} =>`, message);
|
253
|
-
}
|
254
|
-
return {
|
255
|
-
title,
|
256
|
-
fullTitle,
|
257
|
-
info,
|
258
|
-
warning,
|
259
|
-
verbose,
|
260
|
-
error,
|
261
|
-
};
|
262
|
-
}
|
263
|
-
/**
|
264
|
-
* Generates a CredentialLogger, which is a logger declared at the credential's constructor, and used at any point in the credential.
|
265
|
-
* It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.
|
266
|
-
*
|
267
|
-
* It logs with the format:
|
268
|
-
*
|
269
|
-
* `[title] => [message]`
|
270
|
-
* `[title] => getToken() => [message]`
|
271
|
-
*
|
272
|
-
*/
|
273
|
-
function credentialLogger(title, log = logger$l) {
|
274
|
-
const credLogger = credentialLoggerInstance(title, undefined, log);
|
275
|
-
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
276
|
-
}
|
277
|
-
|
278
|
-
// Copyright (c) Microsoft Corporation.
|
279
|
-
// Licensed under the MIT License.
|
280
|
-
function isErrorResponse(errorResponse) {
|
281
|
-
return (errorResponse &&
|
282
|
-
typeof errorResponse.error === "string" &&
|
283
|
-
typeof errorResponse.error_description === "string");
|
284
|
-
}
|
285
|
-
/**
|
286
|
-
* The Error.name value of an CredentialUnavailable
|
287
|
-
*/
|
288
|
-
const CredentialUnavailableErrorName = "CredentialUnavailableError";
|
289
|
-
/**
|
290
|
-
* This signifies that the credential that was tried in a chained credential
|
291
|
-
* was not available to be used as the credential. Rather than treating this as
|
292
|
-
* an error that should halt the chain, it's caught and the chain continues
|
293
|
-
*/
|
294
|
-
class CredentialUnavailableError extends Error {
|
295
|
-
constructor(message, options) {
|
296
|
-
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
|
297
|
-
super(message, options);
|
298
|
-
this.name = CredentialUnavailableErrorName;
|
299
|
-
}
|
300
|
-
}
|
301
|
-
/**
|
302
|
-
* The Error.name value of an AuthenticationError
|
303
|
-
*/
|
304
|
-
const AuthenticationErrorName = "AuthenticationError";
|
305
|
-
/**
|
306
|
-
* Provides details about a failure to authenticate with Azure Active
|
307
|
-
* Directory. The `errorResponse` field contains more details about
|
308
|
-
* the specific failure.
|
309
|
-
*/
|
310
|
-
class AuthenticationError extends Error {
|
311
|
-
constructor(statusCode, errorBody, options) {
|
312
|
-
let errorResponse = {
|
313
|
-
error: "unknown",
|
314
|
-
errorDescription: "An unknown error occurred and no additional details are available.",
|
315
|
-
};
|
316
|
-
if (isErrorResponse(errorBody)) {
|
317
|
-
errorResponse = convertOAuthErrorResponseToErrorResponse(errorBody);
|
318
|
-
}
|
319
|
-
else if (typeof errorBody === "string") {
|
320
|
-
try {
|
321
|
-
// Most error responses will contain JSON-formatted error details
|
322
|
-
// in the response body
|
323
|
-
const oauthErrorResponse = JSON.parse(errorBody);
|
324
|
-
errorResponse = convertOAuthErrorResponseToErrorResponse(oauthErrorResponse);
|
325
|
-
}
|
326
|
-
catch (e) {
|
327
|
-
if (statusCode === 400) {
|
328
|
-
errorResponse = {
|
329
|
-
error: "invalid_request",
|
330
|
-
errorDescription: `The service indicated that the request was invalid.\n\n${errorBody}`,
|
331
|
-
};
|
332
|
-
}
|
333
|
-
else {
|
334
|
-
errorResponse = {
|
335
|
-
error: "unknown_error",
|
336
|
-
errorDescription: `An unknown error has occurred. Response body:\n\n${errorBody}`,
|
337
|
-
};
|
338
|
-
}
|
339
|
-
}
|
340
|
-
}
|
341
|
-
else {
|
342
|
-
errorResponse = {
|
343
|
-
error: "unknown_error",
|
344
|
-
errorDescription: "An unknown error occurred and no additional details are available.",
|
345
|
-
};
|
346
|
-
}
|
347
|
-
super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription},`,
|
348
|
-
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
|
349
|
-
options);
|
350
|
-
this.statusCode = statusCode;
|
351
|
-
this.errorResponse = errorResponse;
|
352
|
-
// Ensure that this type reports the correct name
|
353
|
-
this.name = AuthenticationErrorName;
|
354
|
-
}
|
355
|
-
}
|
356
|
-
/**
|
357
|
-
* The Error.name value of an AggregateAuthenticationError
|
358
|
-
*/
|
359
|
-
const AggregateAuthenticationErrorName = "AggregateAuthenticationError";
|
360
|
-
/**
|
361
|
-
* Provides an `errors` array containing {@link AuthenticationError} instance
|
362
|
-
* for authentication failures from credentials in a {@link ChainedTokenCredential}.
|
363
|
-
*/
|
364
|
-
class AggregateAuthenticationError extends Error {
|
365
|
-
constructor(errors, errorMessage) {
|
366
|
-
const errorDetail = errors.join("\n");
|
367
|
-
super(`${errorMessage}\n${errorDetail}`);
|
368
|
-
this.errors = errors;
|
369
|
-
// Ensure that this type reports the correct name
|
370
|
-
this.name = AggregateAuthenticationErrorName;
|
371
|
-
}
|
372
|
-
}
|
373
|
-
function convertOAuthErrorResponseToErrorResponse(errorBody) {
|
374
|
-
return {
|
375
|
-
error: errorBody.error,
|
376
|
-
errorDescription: errorBody.error_description,
|
377
|
-
correlationId: errorBody.correlation_id,
|
378
|
-
errorCodes: errorBody.error_codes,
|
379
|
-
timestamp: errorBody.timestamp,
|
380
|
-
traceId: errorBody.trace_id,
|
381
|
-
};
|
382
|
-
}
|
383
|
-
/**
|
384
|
-
* Error used to enforce authentication after trying to retrieve a token silently.
|
385
|
-
*/
|
386
|
-
class AuthenticationRequiredError extends Error {
|
387
|
-
constructor(
|
388
|
-
/**
|
389
|
-
* Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
|
390
|
-
*/
|
391
|
-
options) {
|
392
|
-
super(options.message,
|
393
|
-
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
|
394
|
-
options.cause ? { cause: options.cause } : undefined);
|
395
|
-
this.scopes = options.scopes;
|
396
|
-
this.getTokenOptions = options.getTokenOptions;
|
397
|
-
this.name = "AuthenticationRequiredError";
|
398
|
-
}
|
399
|
-
}
|
400
|
-
|
401
|
-
// Copyright (c) Microsoft Corporation.
|
402
|
-
// Licensed under the MIT License.
|
403
|
-
function createConfigurationErrorMessage(tenantId) {
|
404
|
-
return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
|
405
|
-
}
|
406
|
-
/**
|
407
|
-
* Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
|
408
|
-
* unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
|
409
|
-
* or unless the original tenant Id is `adfs`.
|
410
|
-
* @internal
|
411
|
-
*/
|
412
|
-
function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = [], logger) {
|
413
|
-
var _a;
|
414
|
-
let resolvedTenantId;
|
415
|
-
if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
|
416
|
-
resolvedTenantId = tenantId;
|
417
|
-
}
|
418
|
-
else if (tenantId === "adfs") {
|
419
|
-
resolvedTenantId = tenantId;
|
420
|
-
}
|
421
|
-
else {
|
422
|
-
resolvedTenantId = (_a = getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) !== null && _a !== void 0 ? _a : tenantId;
|
423
|
-
}
|
424
|
-
if (tenantId &&
|
425
|
-
resolvedTenantId !== tenantId &&
|
426
|
-
!additionallyAllowedTenantIds.includes("*") &&
|
427
|
-
!additionallyAllowedTenantIds.some((t) => t.localeCompare(resolvedTenantId) === 0)) {
|
428
|
-
const message = createConfigurationErrorMessage(tenantId);
|
429
|
-
logger === null || logger === void 0 ? void 0 : logger.info(message);
|
430
|
-
throw new CredentialUnavailableError(message);
|
431
|
-
}
|
432
|
-
return resolvedTenantId;
|
433
|
-
}
|
434
|
-
|
435
|
-
// Copyright (c) Microsoft Corporation.
|
436
|
-
// Licensed under the MIT License.
|
437
|
-
/**
|
438
|
-
* @internal
|
439
|
-
*/
|
440
|
-
function checkTenantId(logger, tenantId) {
|
441
|
-
if (!tenantId.match(/^[0-9a-zA-Z-.]+$/)) {
|
442
|
-
const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names.");
|
443
|
-
logger.info(formatError("", error));
|
444
|
-
throw error;
|
445
|
-
}
|
446
|
-
}
|
447
|
-
/**
|
448
|
-
* @internal
|
449
|
-
*/
|
450
|
-
function resolveTenantId(logger, tenantId, clientId) {
|
451
|
-
if (tenantId) {
|
452
|
-
checkTenantId(logger, tenantId);
|
453
|
-
return tenantId;
|
454
|
-
}
|
455
|
-
if (!clientId) {
|
456
|
-
clientId = DeveloperSignOnClientId;
|
457
|
-
}
|
458
|
-
if (clientId !== DeveloperSignOnClientId) {
|
459
|
-
return "common";
|
460
|
-
}
|
461
|
-
return "organizations";
|
462
|
-
}
|
463
|
-
/**
|
464
|
-
* @internal
|
465
|
-
*/
|
466
|
-
function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
|
467
|
-
if (!additionallyAllowedTenants || additionallyAllowedTenants.length === 0) {
|
468
|
-
return [];
|
469
|
-
}
|
470
|
-
if (additionallyAllowedTenants.includes("*")) {
|
471
|
-
return ALL_TENANTS;
|
472
|
-
}
|
473
|
-
return additionallyAllowedTenants;
|
474
|
-
}
|
475
|
-
|
476
|
-
// Copyright (c) Microsoft Corporation.
|
477
|
-
// Licensed under the MIT License.
|
478
|
-
function getIdentityTokenEndpointSuffix(tenantId) {
|
479
|
-
if (tenantId === "adfs") {
|
480
|
-
return "oauth2/token";
|
481
|
-
}
|
482
|
-
else {
|
483
|
-
return "oauth2/v2.0/token";
|
484
|
-
}
|
485
|
-
}
|
486
|
-
|
487
|
-
// Copyright (c) Microsoft Corporation.
|
488
|
-
// Licensed under the MIT License.
|
489
|
-
/**
|
490
|
-
* Creates a span using the global tracer.
|
491
|
-
* @internal
|
492
|
-
*/
|
493
|
-
const tracingClient = coreTracing.createTracingClient({
|
494
|
-
namespace: "Microsoft.AAD",
|
495
|
-
packageName: "@azure/identity",
|
496
|
-
packageVersion: SDK_VERSION,
|
497
|
-
});
|
498
|
-
|
499
|
-
// Copyright (c) Microsoft Corporation.
|
500
|
-
// Licensed under the MIT License.
|
501
|
-
const DefaultScopeSuffix = "/.default";
|
502
|
-
/**
|
503
|
-
* Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
|
504
|
-
* These are GET requests that require sending a `resource` parameter on the query.
|
505
|
-
* This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
|
506
|
-
* Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
|
507
|
-
*
|
508
|
-
* For that reason, when we encounter multiple scopes, we return undefined.
|
509
|
-
* It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
|
510
|
-
*/
|
511
|
-
function mapScopesToResource(scopes) {
|
512
|
-
let scope = "";
|
513
|
-
if (Array.isArray(scopes)) {
|
514
|
-
if (scopes.length !== 1) {
|
515
|
-
return;
|
516
|
-
}
|
517
|
-
scope = scopes[0];
|
518
|
-
}
|
519
|
-
else if (typeof scopes === "string") {
|
520
|
-
scope = scopes;
|
521
|
-
}
|
522
|
-
if (!scope.endsWith(DefaultScopeSuffix)) {
|
523
|
-
return scope;
|
524
|
-
}
|
525
|
-
return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
|
526
|
-
}
|
527
|
-
/**
|
528
|
-
* Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
|
529
|
-
* @param body - A parsed response body from the authentication endpoint.
|
530
|
-
*/
|
531
|
-
function parseExpirationTimestamp(body) {
|
532
|
-
if (typeof body.expires_on === "number") {
|
533
|
-
return body.expires_on * 1000;
|
534
|
-
}
|
535
|
-
if (typeof body.expires_on === "string") {
|
536
|
-
const asNumber = +body.expires_on;
|
537
|
-
if (!isNaN(asNumber)) {
|
538
|
-
return asNumber * 1000;
|
539
|
-
}
|
540
|
-
const asDate = Date.parse(body.expires_on);
|
541
|
-
if (!isNaN(asDate)) {
|
542
|
-
return asDate;
|
543
|
-
}
|
544
|
-
}
|
545
|
-
if (typeof body.expires_in === "number") {
|
546
|
-
return Date.now() + body.expires_in * 1000;
|
547
|
-
}
|
548
|
-
throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
|
549
|
-
}
|
550
|
-
/**
|
551
|
-
* Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
|
552
|
-
* @param body - A parsed response body from the authentication endpoint.
|
553
|
-
*/
|
554
|
-
function parseRefreshTimestamp(body) {
|
555
|
-
if (body.refresh_on) {
|
556
|
-
if (typeof body.refresh_on === "number") {
|
557
|
-
return body.refresh_on * 1000;
|
558
|
-
}
|
559
|
-
if (typeof body.refresh_on === "string") {
|
560
|
-
const asNumber = +body.refresh_on;
|
561
|
-
if (!isNaN(asNumber)) {
|
562
|
-
return asNumber * 1000;
|
563
|
-
}
|
564
|
-
const asDate = Date.parse(body.refresh_on);
|
565
|
-
if (!isNaN(asDate)) {
|
566
|
-
return asDate;
|
567
|
-
}
|
568
|
-
}
|
569
|
-
throw new Error(`Failed to parse refresh_on from body. refresh_on="${body.refresh_on}"`);
|
570
|
-
}
|
571
|
-
else {
|
572
|
-
return undefined;
|
573
|
-
}
|
574
|
-
}
|
575
|
-
|
576
|
-
// Copyright (c) Microsoft Corporation.
|
577
|
-
// Licensed under the MIT License.
|
578
|
-
const noCorrelationId = "noCorrelationId";
|
579
|
-
/**
|
580
|
-
* @internal
|
581
|
-
*/
|
582
|
-
function getIdentityClientAuthorityHost(options) {
|
583
|
-
// The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
|
584
|
-
let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
|
585
|
-
// The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
|
586
|
-
if (coreUtil.isNode) {
|
587
|
-
authorityHost = authorityHost !== null && authorityHost !== void 0 ? authorityHost : process.env.AZURE_AUTHORITY_HOST;
|
588
|
-
}
|
589
|
-
// If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
|
590
|
-
return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
|
591
|
-
}
|
592
|
-
/**
|
593
|
-
* The network module used by the Identity credentials.
|
594
|
-
*
|
595
|
-
* It allows for credentials to abort any pending request independently of the MSAL flow,
|
596
|
-
* by calling to the `abortRequests()` method.
|
597
|
-
*
|
598
|
-
*/
|
599
|
-
class IdentityClient extends coreClient.ServiceClient {
|
600
|
-
constructor(options) {
|
601
|
-
var _a, _b;
|
602
|
-
const packageDetails = `azsdk-js-identity/${SDK_VERSION}`;
|
603
|
-
const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
|
604
|
-
? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
|
605
|
-
: `${packageDetails}`;
|
606
|
-
const baseUri = getIdentityClientAuthorityHost(options);
|
607
|
-
if (!baseUri.startsWith("https:")) {
|
608
|
-
throw new Error("The authorityHost address must use the 'https' protocol.");
|
609
|
-
}
|
610
|
-
super(Object.assign(Object.assign({ requestContentType: "application/json; charset=utf-8", retryOptions: {
|
611
|
-
maxRetries: 3,
|
612
|
-
} }, options), { userAgentOptions: {
|
613
|
-
userAgentPrefix,
|
614
|
-
}, baseUri }));
|
615
|
-
this.allowInsecureConnection = false;
|
616
|
-
this.authorityHost = baseUri;
|
617
|
-
this.abortControllers = new Map();
|
618
|
-
this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
|
619
|
-
// used for WorkloadIdentity
|
620
|
-
this.tokenCredentialOptions = Object.assign({}, options);
|
621
|
-
// used for ManagedIdentity
|
622
|
-
if (options === null || options === void 0 ? void 0 : options.allowInsecureConnection) {
|
623
|
-
this.allowInsecureConnection = options.allowInsecureConnection;
|
624
|
-
}
|
625
|
-
}
|
626
|
-
async sendTokenRequest(request) {
|
627
|
-
logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
|
628
|
-
const response = await this.sendRequest(request);
|
629
|
-
if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
|
630
|
-
const parsedBody = JSON.parse(response.bodyAsText);
|
631
|
-
if (!parsedBody.access_token) {
|
632
|
-
return null;
|
633
|
-
}
|
634
|
-
this.logIdentifiers(response);
|
635
|
-
const token = {
|
636
|
-
accessToken: {
|
637
|
-
token: parsedBody.access_token,
|
638
|
-
expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
|
639
|
-
refreshAfterTimestamp: parseRefreshTimestamp(parsedBody),
|
640
|
-
tokenType: "Bearer",
|
641
|
-
},
|
642
|
-
refreshToken: parsedBody.refresh_token,
|
643
|
-
};
|
644
|
-
logger$l.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
645
|
-
return token;
|
646
|
-
}
|
647
|
-
else {
|
648
|
-
const error = new AuthenticationError(response.status, response.bodyAsText);
|
649
|
-
logger$l.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
650
|
-
throw error;
|
651
|
-
}
|
652
|
-
}
|
653
|
-
async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, options = {}) {
|
654
|
-
if (refreshToken === undefined) {
|
655
|
-
return null;
|
656
|
-
}
|
657
|
-
logger$l.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
658
|
-
const refreshParams = {
|
659
|
-
grant_type: "refresh_token",
|
660
|
-
client_id: clientId,
|
661
|
-
refresh_token: refreshToken,
|
662
|
-
scope: scopes,
|
663
|
-
};
|
664
|
-
if (clientSecret !== undefined) {
|
665
|
-
refreshParams.client_secret = clientSecret;
|
666
|
-
}
|
667
|
-
const query = new URLSearchParams(refreshParams);
|
668
|
-
return tracingClient.withSpan("IdentityClient.refreshAccessToken", options, async (updatedOptions) => {
|
669
|
-
try {
|
670
|
-
const urlSuffix = getIdentityTokenEndpointSuffix(tenantId);
|
671
|
-
const request = coreRestPipeline.createPipelineRequest({
|
672
|
-
url: `${this.authorityHost}/${tenantId}/${urlSuffix}`,
|
673
|
-
method: "POST",
|
674
|
-
body: query.toString(),
|
675
|
-
abortSignal: options.abortSignal,
|
676
|
-
headers: coreRestPipeline.createHttpHeaders({
|
677
|
-
Accept: "application/json",
|
678
|
-
"Content-Type": "application/x-www-form-urlencoded",
|
679
|
-
}),
|
680
|
-
tracingOptions: updatedOptions.tracingOptions,
|
681
|
-
});
|
682
|
-
const response = await this.sendTokenRequest(request);
|
683
|
-
logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
684
|
-
return response;
|
685
|
-
}
|
686
|
-
catch (err) {
|
687
|
-
if (err.name === AuthenticationErrorName &&
|
688
|
-
err.errorResponse.error === "interaction_required") {
|
689
|
-
// It's likely that the refresh token has expired, so
|
690
|
-
// return null so that the credential implementation will
|
691
|
-
// initiate the authentication flow again.
|
692
|
-
logger$l.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
693
|
-
return null;
|
694
|
-
}
|
695
|
-
else {
|
696
|
-
logger$l.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
697
|
-
throw err;
|
698
|
-
}
|
699
|
-
}
|
700
|
-
});
|
701
|
-
}
|
702
|
-
// Here is a custom layer that allows us to abort requests that go through MSAL,
|
703
|
-
// since MSAL doesn't allow us to pass options all the way through.
|
704
|
-
generateAbortSignal(correlationId) {
|
705
|
-
const controller = new AbortController();
|
706
|
-
const controllers = this.abortControllers.get(correlationId) || [];
|
707
|
-
controllers.push(controller);
|
708
|
-
this.abortControllers.set(correlationId, controllers);
|
709
|
-
const existingOnAbort = controller.signal.onabort;
|
710
|
-
controller.signal.onabort = (...params) => {
|
711
|
-
this.abortControllers.set(correlationId, undefined);
|
712
|
-
if (existingOnAbort) {
|
713
|
-
existingOnAbort.apply(controller.signal, params);
|
714
|
-
}
|
715
|
-
};
|
716
|
-
return controller.signal;
|
717
|
-
}
|
718
|
-
abortRequests(correlationId) {
|
719
|
-
const key = correlationId || noCorrelationId;
|
720
|
-
const controllers = [
|
721
|
-
...(this.abortControllers.get(key) || []),
|
722
|
-
// MSAL passes no correlation ID to the get requests...
|
723
|
-
...(this.abortControllers.get(noCorrelationId) || []),
|
724
|
-
];
|
725
|
-
if (!controllers.length) {
|
726
|
-
return;
|
727
|
-
}
|
728
|
-
for (const controller of controllers) {
|
729
|
-
controller.abort();
|
730
|
-
}
|
731
|
-
this.abortControllers.set(key, undefined);
|
732
|
-
}
|
733
|
-
getCorrelationId(options) {
|
734
|
-
var _a;
|
735
|
-
const parameter = (_a = options === null || options === void 0 ? void 0 : options.body) === null || _a === void 0 ? void 0 : _a.split("&").map((part) => part.split("=")).find(([key]) => key === "client-request-id");
|
736
|
-
return parameter && parameter.length ? parameter[1] || noCorrelationId : noCorrelationId;
|
737
|
-
}
|
738
|
-
// The MSAL network module methods follow
|
739
|
-
async sendGetRequestAsync(url, options) {
|
740
|
-
const request = coreRestPipeline.createPipelineRequest({
|
741
|
-
url,
|
742
|
-
method: "GET",
|
743
|
-
body: options === null || options === void 0 ? void 0 : options.body,
|
744
|
-
allowInsecureConnection: this.allowInsecureConnection,
|
745
|
-
headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
|
746
|
-
abortSignal: this.generateAbortSignal(noCorrelationId),
|
747
|
-
});
|
748
|
-
const response = await this.sendRequest(request);
|
749
|
-
this.logIdentifiers(response);
|
750
|
-
return {
|
751
|
-
body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
|
752
|
-
headers: response.headers.toJSON(),
|
753
|
-
status: response.status,
|
754
|
-
};
|
755
|
-
}
|
756
|
-
async sendPostRequestAsync(url, options) {
|
757
|
-
const request = coreRestPipeline.createPipelineRequest({
|
758
|
-
url,
|
759
|
-
method: "POST",
|
760
|
-
body: options === null || options === void 0 ? void 0 : options.body,
|
761
|
-
headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
|
762
|
-
allowInsecureConnection: this.allowInsecureConnection,
|
763
|
-
// MSAL doesn't send the correlation ID on the get requests.
|
764
|
-
abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
|
765
|
-
});
|
766
|
-
const response = await this.sendRequest(request);
|
767
|
-
this.logIdentifiers(response);
|
768
|
-
return {
|
769
|
-
body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
|
770
|
-
headers: response.headers.toJSON(),
|
771
|
-
status: response.status,
|
772
|
-
};
|
773
|
-
}
|
774
|
-
/**
|
775
|
-
*
|
776
|
-
* @internal
|
777
|
-
*/
|
778
|
-
getTokenCredentialOptions() {
|
779
|
-
return this.tokenCredentialOptions;
|
780
|
-
}
|
781
|
-
/**
|
782
|
-
* If allowLoggingAccountIdentifiers was set on the constructor options
|
783
|
-
* we try to log the account identifiers by parsing the received access token.
|
784
|
-
*
|
785
|
-
* The account identifiers we try to log are:
|
786
|
-
* - `appid`: The application or Client Identifier.
|
787
|
-
* - `upn`: User Principal Name.
|
788
|
-
* - It might not be available in some authentication scenarios.
|
789
|
-
* - If it's not available, we put a placeholder: "No User Principal Name available".
|
790
|
-
* - `tid`: Tenant Identifier.
|
791
|
-
* - `oid`: Object Identifier of the authenticated user.
|
792
|
-
*/
|
793
|
-
logIdentifiers(response) {
|
794
|
-
if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
|
795
|
-
return;
|
796
|
-
}
|
797
|
-
const unavailableUpn = "No User Principal Name available";
|
798
|
-
try {
|
799
|
-
const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
|
800
|
-
const accessToken = parsed.access_token;
|
801
|
-
if (!accessToken) {
|
802
|
-
// Without an access token allowLoggingAccountIdentifiers isn't useful.
|
803
|
-
return;
|
804
|
-
}
|
805
|
-
const base64Metadata = accessToken.split(".")[1];
|
806
|
-
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
807
|
-
logger$l.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
808
|
-
}
|
809
|
-
catch (e) {
|
810
|
-
logger$l.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
811
|
-
}
|
812
|
-
}
|
813
|
-
}
|
814
|
-
|
815
|
-
// Copyright (c) Microsoft Corporation.
|
816
|
-
// Licensed under the MIT License.
|
817
|
-
const CommonTenantId = "common";
|
818
|
-
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
819
|
-
const logger$k = credentialLogger("VisualStudioCodeCredential");
|
820
|
-
let findCredentials = undefined;
|
821
|
-
const vsCodeCredentialControl = {
|
822
|
-
setVsCodeCredentialFinder(finder) {
|
823
|
-
findCredentials = finder;
|
824
|
-
},
|
825
|
-
};
|
826
|
-
// Map of unsupported Tenant IDs and the errors we will be throwing.
|
827
|
-
const unsupportedTenantIds = {
|
828
|
-
adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants.",
|
829
|
-
};
|
830
|
-
function checkUnsupportedTenant(tenantId) {
|
831
|
-
// If the Tenant ID isn't supported, we throw.
|
832
|
-
const unsupportedTenantError = unsupportedTenantIds[tenantId];
|
833
|
-
if (unsupportedTenantError) {
|
834
|
-
throw new CredentialUnavailableError(unsupportedTenantError);
|
835
|
-
}
|
836
|
-
}
|
837
|
-
const mapVSCodeAuthorityHosts = {
|
838
|
-
AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
|
839
|
-
AzureChina: exports.AzureAuthorityHosts.AzureChina,
|
840
|
-
AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
|
841
|
-
AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment,
|
842
|
-
};
|
843
|
-
/**
|
844
|
-
* Attempts to load a specific property from the VSCode configurations of the current OS.
|
845
|
-
* If it fails at any point, returns undefined.
|
846
|
-
*/
|
847
|
-
function getPropertyFromVSCode(property) {
|
848
|
-
const settingsPath = ["User", "settings.json"];
|
849
|
-
// Eventually we can add more folders for more versions of VSCode.
|
850
|
-
const vsCodeFolder = "Code";
|
851
|
-
const homedir = os.homedir();
|
852
|
-
function loadProperty(...pathSegments) {
|
853
|
-
const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
|
854
|
-
const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
|
855
|
-
return settings[property];
|
856
|
-
}
|
857
|
-
try {
|
858
|
-
let appData;
|
859
|
-
switch (process.platform) {
|
860
|
-
case "win32":
|
861
|
-
appData = process.env.APPDATA;
|
862
|
-
return appData ? loadProperty(appData) : undefined;
|
863
|
-
case "darwin":
|
864
|
-
return loadProperty(homedir, "Library", "Application Support");
|
865
|
-
case "linux":
|
866
|
-
return loadProperty(homedir, ".config");
|
867
|
-
default:
|
868
|
-
return;
|
869
|
-
}
|
870
|
-
}
|
871
|
-
catch (e) {
|
872
|
-
logger$k.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
873
|
-
return;
|
874
|
-
}
|
875
|
-
}
|
876
|
-
/**
|
877
|
-
* Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
|
878
|
-
* Once the user has logged in via the extension, this credential can share the same refresh token
|
879
|
-
* that is cached by the extension.
|
880
|
-
*
|
881
|
-
* It's a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500) that this credential doesn't
|
882
|
-
* work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
|
883
|
-
* versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider
|
884
|
-
* authenticating with {@link AzureCliCredential}.
|
885
|
-
*/
|
886
|
-
class VisualStudioCodeCredential {
|
887
|
-
/**
|
888
|
-
* Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
|
889
|
-
*
|
890
|
-
* **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
|
891
|
-
* `@azure/identity-vscode`. If this package is not installed and registered
|
892
|
-
* using the plugin API (`useIdentityPlugin`), then authentication using
|
893
|
-
* `VisualStudioCodeCredential` will not be available.
|
894
|
-
*
|
895
|
-
* @param options - Options for configuring the client which makes the authentication request.
|
896
|
-
*/
|
897
|
-
constructor(options) {
|
898
|
-
// We want to make sure we use the one assigned by the user on the VSCode settings.
|
899
|
-
// Or just `AzureCloud` by default.
|
900
|
-
this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
|
901
|
-
// Picking an authority host based on the cloud name.
|
902
|
-
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
903
|
-
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
904
|
-
if (options && options.tenantId) {
|
905
|
-
checkTenantId(logger$k, options.tenantId);
|
906
|
-
this.tenantId = options.tenantId;
|
907
|
-
}
|
908
|
-
else {
|
909
|
-
this.tenantId = CommonTenantId;
|
910
|
-
}
|
911
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
912
|
-
checkUnsupportedTenant(this.tenantId);
|
913
|
-
}
|
914
|
-
/**
|
915
|
-
* Runs preparations for any further getToken request.
|
916
|
-
*/
|
917
|
-
async prepare() {
|
918
|
-
// Attempts to load the tenant from the VSCode configuration file.
|
919
|
-
const settingsTenant = getPropertyFromVSCode("azure.tenant");
|
920
|
-
if (settingsTenant) {
|
921
|
-
this.tenantId = settingsTenant;
|
922
|
-
}
|
923
|
-
checkUnsupportedTenant(this.tenantId);
|
924
|
-
}
|
925
|
-
/**
|
926
|
-
* Runs preparations for any further getToken, but only once.
|
927
|
-
*/
|
928
|
-
prepareOnce() {
|
929
|
-
if (!this.preparePromise) {
|
930
|
-
this.preparePromise = this.prepare();
|
931
|
-
}
|
932
|
-
return this.preparePromise;
|
933
|
-
}
|
934
|
-
/**
|
935
|
-
* Returns the token found by searching VSCode's authentication cache or
|
936
|
-
* returns null if no token could be found.
|
937
|
-
*
|
938
|
-
* @param scopes - The list of scopes for which the token will have access.
|
939
|
-
* @param options - The options used to configure any requests this
|
940
|
-
* `TokenCredential` implementation might make.
|
941
|
-
*/
|
942
|
-
async getToken(scopes, options) {
|
943
|
-
var _a, _b;
|
944
|
-
await this.prepareOnce();
|
945
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$k) || this.tenantId;
|
946
|
-
if (findCredentials === undefined) {
|
947
|
-
throw new CredentialUnavailableError([
|
948
|
-
"No implementation of `VisualStudioCodeCredential` is available.",
|
949
|
-
"You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
|
950
|
-
"and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
|
951
|
-
"`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`.",
|
952
|
-
"To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.",
|
953
|
-
].join(" "));
|
954
|
-
}
|
955
|
-
let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
|
956
|
-
// Check to make sure the scope we get back is a valid scope
|
957
|
-
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
958
|
-
const error = new Error("Invalid scope was specified by the user or calling client");
|
959
|
-
logger$k.getToken.info(formatError(scopes, error));
|
960
|
-
throw error;
|
961
|
-
}
|
962
|
-
if (scopeString.indexOf("offline_access") < 0) {
|
963
|
-
scopeString += " offline_access";
|
964
|
-
}
|
965
|
-
// findCredentials returns an array similar to:
|
966
|
-
// [
|
967
|
-
// {
|
968
|
-
// account: "",
|
969
|
-
// password: "",
|
970
|
-
// },
|
971
|
-
// /* ... */
|
972
|
-
// ]
|
973
|
-
const credentials = await findCredentials();
|
974
|
-
// If we can't find the credential based on the name, we'll pick the first one available.
|
975
|
-
const { password: refreshToken } = (_b = (_a = credentials.find(({ account }) => account === this.cloudName)) !== null && _a !== void 0 ? _a : credentials[0]) !== null && _b !== void 0 ? _b : {};
|
976
|
-
if (refreshToken) {
|
977
|
-
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
978
|
-
if (tokenResponse) {
|
979
|
-
logger$k.getToken.info(formatSuccess(scopes));
|
980
|
-
return tokenResponse.accessToken;
|
981
|
-
}
|
982
|
-
else {
|
983
|
-
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
984
|
-
logger$k.getToken.info(formatError(scopes, error));
|
985
|
-
throw error;
|
986
|
-
}
|
987
|
-
}
|
988
|
-
else {
|
989
|
-
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
990
|
-
logger$k.getToken.info(formatError(scopes, error));
|
991
|
-
throw error;
|
992
|
-
}
|
993
|
-
}
|
994
|
-
}
|
995
|
-
|
996
|
-
// Copyright (c) Microsoft Corporation.
|
997
|
-
// Licensed under the MIT License.
|
998
|
-
/**
|
999
|
-
* The context passed to an Identity plugin. This contains objects that
|
1000
|
-
* plugins can use to set backend implementations.
|
1001
|
-
* @internal
|
1002
|
-
*/
|
1003
|
-
const pluginContext = {
|
1004
|
-
cachePluginControl: msalNodeFlowCacheControl,
|
1005
|
-
nativeBrokerPluginControl: msalNodeFlowNativeBrokerControl,
|
1006
|
-
vsCodeCredentialControl: vsCodeCredentialControl,
|
1007
|
-
};
|
1008
|
-
/**
|
1009
|
-
* Extend Azure Identity with additional functionality. Pass a plugin from
|
1010
|
-
* a plugin package, such as:
|
1011
|
-
*
|
1012
|
-
* - `@azure/identity-cache-persistence`: provides persistent token caching
|
1013
|
-
* - `@azure/identity-vscode`: provides the dependencies of
|
1014
|
-
* `VisualStudioCodeCredential` and enables it
|
1015
|
-
*
|
1016
|
-
* Example:
|
1017
|
-
*
|
1018
|
-
* ```ts snippet:consumer_example
|
1019
|
-
* import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
|
1020
|
-
*
|
1021
|
-
* useIdentityPlugin(cachePersistencePlugin);
|
1022
|
-
* // The plugin has the capability to extend `DeviceCodeCredential` and to
|
1023
|
-
* // add middleware to the underlying credentials, such as persistence.
|
1024
|
-
* const credential = new DeviceCodeCredential({
|
1025
|
-
* tokenCachePersistenceOptions: {
|
1026
|
-
* enabled: true,
|
1027
|
-
* },
|
1028
|
-
* });
|
1029
|
-
* ```
|
1030
|
-
*
|
1031
|
-
* @param plugin - the plugin to register
|
1032
|
-
*/
|
1033
|
-
function useIdentityPlugin(plugin) {
|
1034
|
-
plugin(pluginContext);
|
1035
|
-
}
|
1036
|
-
|
1037
|
-
// Copyright (c) Microsoft Corporation.
|
1038
|
-
// Licensed under the MIT License.
|
1039
|
-
/**
|
1040
|
-
* @internal
|
1041
|
-
*/
|
1042
|
-
const logger$j = credentialLogger("IdentityUtils");
|
1043
|
-
/**
|
1044
|
-
* Latest AuthenticationRecord version
|
1045
|
-
* @internal
|
1046
|
-
*/
|
1047
|
-
const LatestAuthenticationRecordVersion = "1.0";
|
1048
|
-
/**
|
1049
|
-
* Ensures the validity of the MSAL token
|
1050
|
-
* @internal
|
1051
|
-
*/
|
1052
|
-
function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
1053
|
-
const error = (message) => {
|
1054
|
-
logger$j.getToken.info(message);
|
1055
|
-
return new AuthenticationRequiredError({
|
1056
|
-
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
1057
|
-
getTokenOptions,
|
1058
|
-
message,
|
1059
|
-
});
|
1060
|
-
};
|
1061
|
-
if (!msalToken) {
|
1062
|
-
throw error("No response");
|
1063
|
-
}
|
1064
|
-
if (!msalToken.expiresOn) {
|
1065
|
-
throw error(`Response had no "expiresOn" property.`);
|
1066
|
-
}
|
1067
|
-
if (!msalToken.accessToken) {
|
1068
|
-
throw error(`Response had no "accessToken" property.`);
|
1069
|
-
}
|
1070
|
-
}
|
1071
|
-
/**
|
1072
|
-
* Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.
|
1073
|
-
*
|
1074
|
-
* Defaults to {@link DefaultAuthorityHost}.
|
1075
|
-
* @internal
|
1076
|
-
*/
|
1077
|
-
function getAuthorityHost(options) {
|
1078
|
-
let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
|
1079
|
-
if (!authorityHost && coreUtil.isNodeLike) {
|
1080
|
-
authorityHost = process.env.AZURE_AUTHORITY_HOST;
|
1081
|
-
}
|
1082
|
-
return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
|
1083
|
-
}
|
1084
|
-
/**
|
1085
|
-
* Generates a valid authority by combining a host with a tenantId.
|
1086
|
-
* @internal
|
1087
|
-
*/
|
1088
|
-
function getAuthority(tenantId, host) {
|
1089
|
-
if (!host) {
|
1090
|
-
host = DefaultAuthorityHost;
|
1091
|
-
}
|
1092
|
-
if (new RegExp(`${tenantId}/?$`).test(host)) {
|
1093
|
-
return host;
|
1094
|
-
}
|
1095
|
-
if (host.endsWith("/")) {
|
1096
|
-
return host + tenantId;
|
1097
|
-
}
|
1098
|
-
else {
|
1099
|
-
return `${host}/${tenantId}`;
|
1100
|
-
}
|
1101
|
-
}
|
1102
|
-
/**
|
1103
|
-
* Generates the known authorities.
|
1104
|
-
* If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
|
1105
|
-
* For that reason, we have to force MSAL to disable validating the authority
|
1106
|
-
* by sending it within the known authorities in the MSAL configuration.
|
1107
|
-
* @internal
|
1108
|
-
*/
|
1109
|
-
function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery) {
|
1110
|
-
if ((tenantId === "adfs" && authorityHost) || disableInstanceDiscovery) {
|
1111
|
-
return [authorityHost];
|
1112
|
-
}
|
1113
|
-
return [];
|
1114
|
-
}
|
1115
|
-
/**
|
1116
|
-
* Generates a logger that can be passed to the MSAL clients.
|
1117
|
-
* @param credLogger - The logger of the credential.
|
1118
|
-
* @internal
|
1119
|
-
*/
|
1120
|
-
const defaultLoggerCallback = (credLogger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
|
1121
|
-
if (containsPii) {
|
1122
|
-
return;
|
1123
|
-
}
|
1124
|
-
switch (level) {
|
1125
|
-
case msalCommon__namespace.LogLevel.Error:
|
1126
|
-
credLogger.info(`MSAL ${platform} V2 error: ${message}`);
|
1127
|
-
return;
|
1128
|
-
case msalCommon__namespace.LogLevel.Info:
|
1129
|
-
credLogger.info(`MSAL ${platform} V2 info message: ${message}`);
|
1130
|
-
return;
|
1131
|
-
case msalCommon__namespace.LogLevel.Verbose:
|
1132
|
-
credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);
|
1133
|
-
return;
|
1134
|
-
case msalCommon__namespace.LogLevel.Warning:
|
1135
|
-
credLogger.info(`MSAL ${platform} V2 warning: ${message}`);
|
1136
|
-
return;
|
1137
|
-
}
|
1138
|
-
};
|
1139
|
-
/**
|
1140
|
-
* @internal
|
1141
|
-
*/
|
1142
|
-
function getMSALLogLevel(logLevel) {
|
1143
|
-
switch (logLevel) {
|
1144
|
-
case "error":
|
1145
|
-
return msalCommon__namespace.LogLevel.Error;
|
1146
|
-
case "info":
|
1147
|
-
return msalCommon__namespace.LogLevel.Info;
|
1148
|
-
case "verbose":
|
1149
|
-
return msalCommon__namespace.LogLevel.Verbose;
|
1150
|
-
case "warning":
|
1151
|
-
return msalCommon__namespace.LogLevel.Warning;
|
1152
|
-
default:
|
1153
|
-
// default msal logging level should be Info
|
1154
|
-
return msalCommon__namespace.LogLevel.Info;
|
1155
|
-
}
|
1156
|
-
}
|
1157
|
-
/**
|
1158
|
-
* Handles MSAL errors.
|
1159
|
-
*/
|
1160
|
-
function handleMsalError(scopes, error, getTokenOptions) {
|
1161
|
-
if (error.name === "AuthError" ||
|
1162
|
-
error.name === "ClientAuthError" ||
|
1163
|
-
error.name === "BrowserAuthError") {
|
1164
|
-
const msalError = error;
|
1165
|
-
switch (msalError.errorCode) {
|
1166
|
-
case "endpoints_resolution_error":
|
1167
|
-
logger$j.info(formatError(scopes, error.message));
|
1168
|
-
return new CredentialUnavailableError(error.message);
|
1169
|
-
case "device_code_polling_cancelled":
|
1170
|
-
return new abortController.AbortError("The authentication has been aborted by the caller.");
|
1171
|
-
case "consent_required":
|
1172
|
-
case "interaction_required":
|
1173
|
-
case "login_required":
|
1174
|
-
logger$j.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
|
1175
|
-
break;
|
1176
|
-
default:
|
1177
|
-
logger$j.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
|
1178
|
-
break;
|
1179
|
-
}
|
1180
|
-
}
|
1181
|
-
if (error.name === "ClientConfigurationError" ||
|
1182
|
-
error.name === "BrowserConfigurationAuthError" ||
|
1183
|
-
error.name === "AbortError" ||
|
1184
|
-
error.name === "AuthenticationError") {
|
1185
|
-
return error;
|
1186
|
-
}
|
1187
|
-
if (error.name === "NativeAuthError") {
|
1188
|
-
logger$j.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
|
1189
|
-
return error;
|
1190
|
-
}
|
1191
|
-
return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
|
1192
|
-
}
|
1193
|
-
// transformations.ts
|
1194
|
-
function publicToMsal(account) {
|
1195
|
-
const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
|
1196
|
-
return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
|
1197
|
-
}
|
1198
|
-
function msalToPublic(clientId, account) {
|
1199
|
-
const record = {
|
1200
|
-
authority: getAuthority(account.tenantId, account.environment),
|
1201
|
-
homeAccountId: account.homeAccountId,
|
1202
|
-
tenantId: account.tenantId || DefaultTenantId,
|
1203
|
-
username: account.username,
|
1204
|
-
clientId,
|
1205
|
-
version: LatestAuthenticationRecordVersion,
|
1206
|
-
};
|
1207
|
-
return record;
|
1208
|
-
}
|
1209
|
-
/**
|
1210
|
-
* Serializes an `AuthenticationRecord` into a string.
|
1211
|
-
*
|
1212
|
-
* The output of a serialized authentication record will contain the following properties:
|
1213
|
-
*
|
1214
|
-
* - "authority"
|
1215
|
-
* - "homeAccountId"
|
1216
|
-
* - "clientId"
|
1217
|
-
* - "tenantId"
|
1218
|
-
* - "username"
|
1219
|
-
* - "version"
|
1220
|
-
*
|
1221
|
-
* To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
|
1222
|
-
*/
|
1223
|
-
function serializeAuthenticationRecord(record) {
|
1224
|
-
return JSON.stringify(record);
|
1225
|
-
}
|
1226
|
-
/**
|
1227
|
-
* Deserializes a previously serialized authentication record from a string into an object.
|
1228
|
-
*
|
1229
|
-
* The input string must contain the following properties:
|
1230
|
-
*
|
1231
|
-
* - "authority"
|
1232
|
-
* - "homeAccountId"
|
1233
|
-
* - "clientId"
|
1234
|
-
* - "tenantId"
|
1235
|
-
* - "username"
|
1236
|
-
* - "version"
|
1237
|
-
*
|
1238
|
-
* If the version we receive is unsupported, an error will be thrown.
|
1239
|
-
*
|
1240
|
-
* At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
|
1241
|
-
*
|
1242
|
-
* @param serializedRecord - Authentication record previously serialized into string.
|
1243
|
-
* @returns AuthenticationRecord.
|
1244
|
-
*/
|
1245
|
-
function deserializeAuthenticationRecord(serializedRecord) {
|
1246
|
-
const parsed = JSON.parse(serializedRecord);
|
1247
|
-
if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
|
1248
|
-
throw Error("Unsupported AuthenticationRecord version");
|
1249
|
-
}
|
1250
|
-
return parsed;
|
1251
|
-
}
|
1252
|
-
|
1253
|
-
// Copyright (c) Microsoft Corporation.
|
1254
|
-
// Licensed under the MIT License.
|
1255
|
-
// Matches the default retry configuration in expontentialRetryStrategy.ts
|
1256
|
-
const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
|
1257
|
-
/**
|
1258
|
-
* An additional policy that retries on 404 errors. The default retry policy does not retry on
|
1259
|
-
* 404s, but the IMDS endpoint can return 404s when the token is not yet available. This policy
|
1260
|
-
* will retry on 404s with an exponential backoff.
|
1261
|
-
*
|
1262
|
-
* @param msiRetryConfig - The retry configuration for the MSI credential.
|
1263
|
-
* @returns - The policy that will retry on 404s.
|
1264
|
-
*/
|
1265
|
-
function imdsRetryPolicy(msiRetryConfig) {
|
1266
|
-
return coreRestPipeline.retryPolicy([
|
1267
|
-
{
|
1268
|
-
name: "imdsRetryPolicy",
|
1269
|
-
retry: ({ retryCount, response }) => {
|
1270
|
-
if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
|
1271
|
-
return { skipStrategy: true };
|
1272
|
-
}
|
1273
|
-
return coreUtil.calculateRetryDelay(retryCount, {
|
1274
|
-
retryDelayInMs: msiRetryConfig.startDelayInMs,
|
1275
|
-
maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
|
1276
|
-
});
|
1277
|
-
},
|
1278
|
-
},
|
1279
|
-
], {
|
1280
|
-
maxRetries: msiRetryConfig.maxRetries,
|
1281
|
-
});
|
1282
|
-
}
|
1283
|
-
|
1284
|
-
// Copyright (c) Microsoft Corporation.
|
1285
|
-
// Licensed under the MIT License.
|
1286
|
-
const msiName$1 = "ManagedIdentityCredential - IMDS";
|
1287
|
-
const logger$i = credentialLogger(msiName$1);
|
1288
|
-
const imdsHost = "http://169.254.169.254";
|
1289
|
-
const imdsEndpointPath = "/metadata/identity/oauth2/token";
|
1290
|
-
const imdsApiVersion = "2018-02-01";
|
1291
|
-
/**
|
1292
|
-
* Generates the options used on the request for an access token.
|
1293
|
-
*/
|
1294
|
-
function prepareRequestOptions(scopes, clientId, resourceId, options) {
|
1295
|
-
var _a;
|
1296
|
-
const resource = mapScopesToResource(scopes);
|
1297
|
-
if (!resource) {
|
1298
|
-
throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
|
1299
|
-
}
|
1300
|
-
const { skipQuery, skipMetadataHeader } = options || {};
|
1301
|
-
let query = "";
|
1302
|
-
// Pod Identity will try to process this request even if the Metadata header is missing.
|
1303
|
-
// We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
|
1304
|
-
if (!skipQuery) {
|
1305
|
-
const queryParameters = {
|
1306
|
-
resource,
|
1307
|
-
"api-version": imdsApiVersion,
|
1308
|
-
};
|
1309
|
-
if (clientId) {
|
1310
|
-
queryParameters.client_id = clientId;
|
1311
|
-
}
|
1312
|
-
if (resourceId) {
|
1313
|
-
queryParameters.msi_res_id = resourceId;
|
1314
|
-
}
|
1315
|
-
const params = new URLSearchParams(queryParameters);
|
1316
|
-
query = `?${params.toString()}`;
|
1317
|
-
}
|
1318
|
-
const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
|
1319
|
-
const rawHeaders = {
|
1320
|
-
Accept: "application/json",
|
1321
|
-
Metadata: "true",
|
1322
|
-
};
|
1323
|
-
// Remove the Metadata header to invoke a request error from some IMDS endpoints.
|
1324
|
-
if (skipMetadataHeader) {
|
1325
|
-
delete rawHeaders.Metadata;
|
1326
|
-
}
|
1327
|
-
return {
|
1328
|
-
// In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
|
1329
|
-
url: `${url}${query}`,
|
1330
|
-
method: "GET",
|
1331
|
-
headers: coreRestPipeline.createHttpHeaders(rawHeaders),
|
1332
|
-
};
|
1333
|
-
}
|
1334
|
-
/**
|
1335
|
-
* Defines how to determine whether the Azure IMDS MSI is available.
|
1336
|
-
*
|
1337
|
-
* Actually getting the token once we determine IMDS is available is handled by MSAL.
|
1338
|
-
*/
|
1339
|
-
const imdsMsi = {
|
1340
|
-
name: "imdsMsi",
|
1341
|
-
async isAvailable(options) {
|
1342
|
-
const { scopes, identityClient, clientId, resourceId, getTokenOptions } = options;
|
1343
|
-
const resource = mapScopesToResource(scopes);
|
1344
|
-
if (!resource) {
|
1345
|
-
logger$i.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
|
1346
|
-
return false;
|
1347
|
-
}
|
1348
|
-
// if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
|
1349
|
-
if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
|
1350
|
-
return true;
|
1351
|
-
}
|
1352
|
-
if (!identityClient) {
|
1353
|
-
throw new Error("Missing IdentityClient");
|
1354
|
-
}
|
1355
|
-
const requestOptions = prepareRequestOptions(resource, clientId, resourceId, {
|
1356
|
-
skipMetadataHeader: true,
|
1357
|
-
skipQuery: true,
|
1358
|
-
});
|
1359
|
-
return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions !== null && getTokenOptions !== void 0 ? getTokenOptions : {}, async (updatedOptions) => {
|
1360
|
-
var _a, _b;
|
1361
|
-
requestOptions.tracingOptions = updatedOptions.tracingOptions;
|
1362
|
-
// Create a request with a timeout since we expect that
|
1363
|
-
// not having a "Metadata" header should cause an error to be
|
1364
|
-
// returned quickly from the endpoint, proving its availability.
|
1365
|
-
const request = coreRestPipeline.createPipelineRequest(requestOptions);
|
1366
|
-
// Default to 1000 if the default of 0 is used.
|
1367
|
-
// Negative values can still be used to disable the timeout.
|
1368
|
-
request.timeout = ((_a = updatedOptions.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
|
1369
|
-
// This MSI uses the imdsEndpoint to get the token, which only uses http://
|
1370
|
-
request.allowInsecureConnection = true;
|
1371
|
-
let response;
|
1372
|
-
try {
|
1373
|
-
logger$i.info(`${msiName$1}: Pinging the Azure IMDS endpoint`);
|
1374
|
-
response = await identityClient.sendRequest(request);
|
1375
|
-
}
|
1376
|
-
catch (err) {
|
1377
|
-
// If the request failed, or Node.js was unable to establish a connection,
|
1378
|
-
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
1379
|
-
if (coreUtil.isError(err)) {
|
1380
|
-
logger$i.verbose(`${msiName$1}: Caught error ${err.name}: ${err.message}`);
|
1381
|
-
}
|
1382
|
-
// This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
|
1383
|
-
// rather than just timing out, as expected.
|
1384
|
-
logger$i.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
|
1385
|
-
return false;
|
1386
|
-
}
|
1387
|
-
if (response.status === 403) {
|
1388
|
-
if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("unreachable")) {
|
1389
|
-
logger$i.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
|
1390
|
-
logger$i.info(`${msiName$1}: ${response.bodyAsText}`);
|
1391
|
-
return false;
|
1392
|
-
}
|
1393
|
-
}
|
1394
|
-
// If we received any response, the endpoint is available
|
1395
|
-
logger$i.info(`${msiName$1}: The Azure IMDS endpoint is available`);
|
1396
|
-
return true;
|
1397
|
-
});
|
1398
|
-
},
|
1399
|
-
};
|
1400
|
-
|
1401
|
-
// Copyright (c) Microsoft Corporation.
|
1402
|
-
// Licensed under the MIT License.
|
1403
|
-
/**
|
1404
|
-
* Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
|
1405
|
-
*/
|
1406
|
-
var RegionalAuthority;
|
1407
|
-
(function (RegionalAuthority) {
|
1408
|
-
/** Instructs MSAL to attempt to discover the region */
|
1409
|
-
RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
|
1410
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
|
1411
|
-
RegionalAuthority["USWest"] = "westus";
|
1412
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
|
1413
|
-
RegionalAuthority["USWest2"] = "westus2";
|
1414
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
|
1415
|
-
RegionalAuthority["USCentral"] = "centralus";
|
1416
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
|
1417
|
-
RegionalAuthority["USEast"] = "eastus";
|
1418
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
|
1419
|
-
RegionalAuthority["USEast2"] = "eastus2";
|
1420
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
|
1421
|
-
RegionalAuthority["USNorthCentral"] = "northcentralus";
|
1422
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
|
1423
|
-
RegionalAuthority["USSouthCentral"] = "southcentralus";
|
1424
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
|
1425
|
-
RegionalAuthority["USWestCentral"] = "westcentralus";
|
1426
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
|
1427
|
-
RegionalAuthority["CanadaCentral"] = "canadacentral";
|
1428
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
|
1429
|
-
RegionalAuthority["CanadaEast"] = "canadaeast";
|
1430
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
|
1431
|
-
RegionalAuthority["BrazilSouth"] = "brazilsouth";
|
1432
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
|
1433
|
-
RegionalAuthority["EuropeNorth"] = "northeurope";
|
1434
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
|
1435
|
-
RegionalAuthority["EuropeWest"] = "westeurope";
|
1436
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
|
1437
|
-
RegionalAuthority["UKSouth"] = "uksouth";
|
1438
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
|
1439
|
-
RegionalAuthority["UKWest"] = "ukwest";
|
1440
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
|
1441
|
-
RegionalAuthority["FranceCentral"] = "francecentral";
|
1442
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
|
1443
|
-
RegionalAuthority["FranceSouth"] = "francesouth";
|
1444
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
|
1445
|
-
RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
|
1446
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
|
1447
|
-
RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
|
1448
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
|
1449
|
-
RegionalAuthority["GermanyNorth"] = "germanynorth";
|
1450
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
|
1451
|
-
RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
|
1452
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
|
1453
|
-
RegionalAuthority["NorwayWest"] = "norwaywest";
|
1454
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
|
1455
|
-
RegionalAuthority["NorwayEast"] = "norwayeast";
|
1456
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
|
1457
|
-
RegionalAuthority["AsiaEast"] = "eastasia";
|
1458
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
|
1459
|
-
RegionalAuthority["AsiaSouthEast"] = "southeastasia";
|
1460
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
|
1461
|
-
RegionalAuthority["JapanEast"] = "japaneast";
|
1462
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
|
1463
|
-
RegionalAuthority["JapanWest"] = "japanwest";
|
1464
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
|
1465
|
-
RegionalAuthority["AustraliaEast"] = "australiaeast";
|
1466
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
|
1467
|
-
RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
|
1468
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
|
1469
|
-
RegionalAuthority["AustraliaCentral"] = "australiacentral";
|
1470
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
|
1471
|
-
RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
|
1472
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
|
1473
|
-
RegionalAuthority["IndiaCentral"] = "centralindia";
|
1474
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
|
1475
|
-
RegionalAuthority["IndiaSouth"] = "southindia";
|
1476
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
|
1477
|
-
RegionalAuthority["IndiaWest"] = "westindia";
|
1478
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
|
1479
|
-
RegionalAuthority["KoreaSouth"] = "koreasouth";
|
1480
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
|
1481
|
-
RegionalAuthority["KoreaCentral"] = "koreacentral";
|
1482
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
|
1483
|
-
RegionalAuthority["UAECentral"] = "uaecentral";
|
1484
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
|
1485
|
-
RegionalAuthority["UAENorth"] = "uaenorth";
|
1486
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
|
1487
|
-
RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
|
1488
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
|
1489
|
-
RegionalAuthority["SouthAfricaWest"] = "southafricawest";
|
1490
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
|
1491
|
-
RegionalAuthority["ChinaNorth"] = "chinanorth";
|
1492
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
|
1493
|
-
RegionalAuthority["ChinaEast"] = "chinaeast";
|
1494
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
|
1495
|
-
RegionalAuthority["ChinaNorth2"] = "chinanorth2";
|
1496
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
|
1497
|
-
RegionalAuthority["ChinaEast2"] = "chinaeast2";
|
1498
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
|
1499
|
-
RegionalAuthority["GermanyCentral"] = "germanycentral";
|
1500
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
|
1501
|
-
RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
|
1502
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
|
1503
|
-
RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
|
1504
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
|
1505
|
-
RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
|
1506
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
|
1507
|
-
RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
|
1508
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
|
1509
|
-
RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
|
1510
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
|
1511
|
-
RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
|
1512
|
-
/** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
|
1513
|
-
RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
|
1514
|
-
})(RegionalAuthority || (RegionalAuthority = {}));
|
1515
|
-
/**
|
1516
|
-
* Calculates the correct regional authority based on the supplied value
|
1517
|
-
* and the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
|
1518
|
-
*
|
1519
|
-
* Values will be returned verbatim, except for {@link RegionalAuthority.AutoDiscoverRegion}
|
1520
|
-
* which is mapped to a value MSAL can understand.
|
1521
|
-
*
|
1522
|
-
* @internal
|
1523
|
-
*/
|
1524
|
-
function calculateRegionalAuthority(regionalAuthority) {
|
1525
|
-
// Note: as of today only 3 credentials support regional authority, and the parameter
|
1526
|
-
// is not exposed via the public API. Regional Authority is _only_ supported
|
1527
|
-
// via the AZURE_REGIONAL_AUTHORITY_NAME env var and _only_ for: ClientSecretCredential, ClientCertificateCredential, and ClientAssertionCredential.
|
1528
|
-
var _a, _b;
|
1529
|
-
// Accepting the regionalAuthority parameter will allow us to support it in the future.
|
1530
|
-
let azureRegion = regionalAuthority;
|
1531
|
-
if (azureRegion === undefined &&
|
1532
|
-
((_b = (_a = globalThis.process) === null || _a === void 0 ? void 0 : _a.env) === null || _b === void 0 ? void 0 : _b.AZURE_REGIONAL_AUTHORITY_NAME) !== undefined) {
|
1533
|
-
azureRegion = process.env.AZURE_REGIONAL_AUTHORITY_NAME;
|
1534
|
-
}
|
1535
|
-
if (azureRegion === RegionalAuthority.AutoDiscoverRegion) {
|
1536
|
-
return "AUTO_DISCOVER";
|
1537
|
-
}
|
1538
|
-
return azureRegion;
|
1539
|
-
}
|
1540
|
-
|
1541
|
-
// Copyright (c) Microsoft Corporation.
|
1542
|
-
// Licensed under the MIT License.
|
1543
|
-
/**
|
1544
|
-
* The default logger used if no logger was passed in by the credential.
|
1545
|
-
*/
|
1546
|
-
const msalLogger = credentialLogger("MsalClient");
|
1547
|
-
/**
|
1548
|
-
* A call to open(), but mockable
|
1549
|
-
* @internal
|
1550
|
-
*/
|
1551
|
-
const interactiveBrowserMockable = {
|
1552
|
-
open,
|
1553
|
-
};
|
1554
|
-
/**
|
1555
|
-
* Generates the configuration for MSAL (Microsoft Authentication Library).
|
1556
|
-
*
|
1557
|
-
* @param clientId - The client ID of the application.
|
1558
|
-
* @param tenantId - The tenant ID of the Azure Active Directory.
|
1559
|
-
* @param msalClientOptions - Optional. Additional options for creating the MSAL client.
|
1560
|
-
* @returns The MSAL configuration object.
|
1561
|
-
*/
|
1562
|
-
function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
|
1563
|
-
var _a, _b, _c;
|
1564
|
-
const resolvedTenant = resolveTenantId((_a = msalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger, tenantId, clientId);
|
1565
|
-
// TODO: move and reuse getIdentityClientAuthorityHost
|
1566
|
-
const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));
|
1567
|
-
const httpClient = new IdentityClient(Object.assign(Object.assign({}, msalClientOptions.tokenCredentialOptions), { authorityHost: authority, loggingOptions: msalClientOptions.loggingOptions }));
|
1568
|
-
const msalConfig = {
|
1569
|
-
auth: {
|
1570
|
-
clientId,
|
1571
|
-
authority,
|
1572
|
-
knownAuthorities: getKnownAuthorities(resolvedTenant, authority, msalClientOptions.disableInstanceDiscovery),
|
1573
|
-
},
|
1574
|
-
system: {
|
1575
|
-
networkClient: httpClient,
|
1576
|
-
loggerOptions: {
|
1577
|
-
loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
|
1578
|
-
logLevel: getMSALLogLevel(logger$m.getLogLevel()),
|
1579
|
-
piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
|
1580
|
-
},
|
1581
|
-
},
|
1582
|
-
};
|
1583
|
-
return msalConfig;
|
1584
|
-
}
|
1585
|
-
/**
|
1586
|
-
* Creates an instance of the MSAL (Microsoft Authentication Library) client.
|
1587
|
-
*
|
1588
|
-
* @param clientId - The client ID of the application.
|
1589
|
-
* @param tenantId - The tenant ID of the Azure Active Directory.
|
1590
|
-
* @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.
|
1591
|
-
* @returns An instance of the MSAL client.
|
1592
|
-
*
|
1593
|
-
* @public
|
1594
|
-
*/
|
1595
|
-
function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
|
1596
|
-
var _a;
|
1597
|
-
const state = {
|
1598
|
-
msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),
|
1599
|
-
cachedAccount: createMsalClientOptions.authenticationRecord
|
1600
|
-
? publicToMsal(createMsalClientOptions.authenticationRecord)
|
1601
|
-
: null,
|
1602
|
-
pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),
|
1603
|
-
logger: (_a = createMsalClientOptions.logger) !== null && _a !== void 0 ? _a : msalLogger,
|
1604
|
-
};
|
1605
|
-
const publicApps = new Map();
|
1606
|
-
async function getPublicApp(options = {}) {
|
1607
|
-
const appKey = options.enableCae ? "CAE" : "default";
|
1608
|
-
let publicClientApp = publicApps.get(appKey);
|
1609
|
-
if (publicClientApp) {
|
1610
|
-
state.logger.getToken.info("Existing PublicClientApplication found in cache, returning it.");
|
1611
|
-
return publicClientApp;
|
1612
|
-
}
|
1613
|
-
// Initialize a new app and cache it
|
1614
|
-
state.logger.getToken.info(`Creating new PublicClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
|
1615
|
-
const cachePlugin = options.enableCae
|
1616
|
-
? state.pluginConfiguration.cache.cachePluginCae
|
1617
|
-
: state.pluginConfiguration.cache.cachePlugin;
|
1618
|
-
state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
|
1619
|
-
publicClientApp = new msalCommon__namespace.PublicClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
|
1620
|
-
publicApps.set(appKey, publicClientApp);
|
1621
|
-
return publicClientApp;
|
1622
|
-
}
|
1623
|
-
const confidentialApps = new Map();
|
1624
|
-
async function getConfidentialApp(options = {}) {
|
1625
|
-
const appKey = options.enableCae ? "CAE" : "default";
|
1626
|
-
let confidentialClientApp = confidentialApps.get(appKey);
|
1627
|
-
if (confidentialClientApp) {
|
1628
|
-
state.logger.getToken.info("Existing ConfidentialClientApplication found in cache, returning it.");
|
1629
|
-
return confidentialClientApp;
|
1630
|
-
}
|
1631
|
-
// Initialize a new app and cache it
|
1632
|
-
state.logger.getToken.info(`Creating new ConfidentialClientApplication with CAE ${options.enableCae ? "enabled" : "disabled"}.`);
|
1633
|
-
const cachePlugin = options.enableCae
|
1634
|
-
? state.pluginConfiguration.cache.cachePluginCae
|
1635
|
-
: state.pluginConfiguration.cache.cachePlugin;
|
1636
|
-
state.msalConfig.auth.clientCapabilities = options.enableCae ? ["cp1"] : undefined;
|
1637
|
-
confidentialClientApp = new msalCommon__namespace.ConfidentialClientApplication(Object.assign(Object.assign({}, state.msalConfig), { broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin }, cache: { cachePlugin: await cachePlugin } }));
|
1638
|
-
confidentialApps.set(appKey, confidentialClientApp);
|
1639
|
-
return confidentialClientApp;
|
1640
|
-
}
|
1641
|
-
async function getTokenSilent(app, scopes, options = {}) {
|
1642
|
-
if (state.cachedAccount === null) {
|
1643
|
-
state.logger.getToken.info("No cached account found in local state, attempting to load it from MSAL cache.");
|
1644
|
-
const cache = app.getTokenCache();
|
1645
|
-
const accounts = await cache.getAllAccounts();
|
1646
|
-
if (accounts === undefined || accounts.length === 0) {
|
1647
|
-
throw new AuthenticationRequiredError({ scopes });
|
1648
|
-
}
|
1649
|
-
if (accounts.length > 1) {
|
1650
|
-
state.logger
|
1651
|
-
.info(`More than one account was found authenticated for this Client ID and Tenant ID.
|
1652
|
-
However, no "authenticationRecord" has been provided for this credential,
|
1653
|
-
therefore we're unable to pick between these accounts.
|
1654
|
-
A new login attempt will be requested, to ensure the correct account is picked.
|
1655
|
-
To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
|
1656
|
-
throw new AuthenticationRequiredError({ scopes });
|
1657
|
-
}
|
1658
|
-
state.cachedAccount = accounts[0];
|
1659
|
-
}
|
1660
|
-
// Keep track and reuse the claims we received across challenges
|
1661
|
-
if (options.claims) {
|
1662
|
-
state.cachedClaims = options.claims;
|
1663
|
-
}
|
1664
|
-
const silentRequest = {
|
1665
|
-
account: state.cachedAccount,
|
1666
|
-
scopes,
|
1667
|
-
claims: state.cachedClaims,
|
1668
|
-
};
|
1669
|
-
if (state.pluginConfiguration.broker.isEnabled) {
|
1670
|
-
silentRequest.tokenQueryParameters || (silentRequest.tokenQueryParameters = {});
|
1671
|
-
if (state.pluginConfiguration.broker.enableMsaPassthrough) {
|
1672
|
-
silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
|
1673
|
-
}
|
1674
|
-
}
|
1675
|
-
if (options.proofOfPossessionOptions) {
|
1676
|
-
silentRequest.shrNonce = options.proofOfPossessionOptions.nonce;
|
1677
|
-
silentRequest.authenticationScheme = "pop";
|
1678
|
-
silentRequest.resourceRequestMethod = options.proofOfPossessionOptions.resourceRequestMethod;
|
1679
|
-
silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
|
1680
|
-
}
|
1681
|
-
state.logger.getToken.info("Attempting to acquire token silently");
|
1682
|
-
return app.acquireTokenSilent(silentRequest);
|
1683
|
-
}
|
1684
|
-
/**
|
1685
|
-
* Builds an authority URL for the given request. The authority may be different than the one used when creating the MSAL client
|
1686
|
-
* if the user is creating cross-tenant requests
|
1687
|
-
*/
|
1688
|
-
function calculateRequestAuthority(options) {
|
1689
|
-
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
1690
|
-
return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));
|
1691
|
-
}
|
1692
|
-
return state.msalConfig.auth.authority;
|
1693
|
-
}
|
1694
|
-
/**
|
1695
|
-
* Performs silent authentication using MSAL to acquire an access token.
|
1696
|
-
* If silent authentication fails, falls back to interactive authentication.
|
1697
|
-
*
|
1698
|
-
* @param msalApp - The MSAL application instance.
|
1699
|
-
* @param scopes - The scopes for which to acquire the access token.
|
1700
|
-
* @param options - The options for acquiring the access token.
|
1701
|
-
* @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.
|
1702
|
-
* @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.
|
1703
|
-
*/
|
1704
|
-
async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
|
1705
|
-
var _a, _b;
|
1706
|
-
let response = null;
|
1707
|
-
try {
|
1708
|
-
response = await getTokenSilent(msalApp, scopes, options);
|
1709
|
-
}
|
1710
|
-
catch (e) {
|
1711
|
-
if (e.name !== "AuthenticationRequiredError") {
|
1712
|
-
throw e;
|
1713
|
-
}
|
1714
|
-
if (options.disableAutomaticAuthentication) {
|
1715
|
-
throw new AuthenticationRequiredError({
|
1716
|
-
scopes,
|
1717
|
-
getTokenOptions: options,
|
1718
|
-
message: "Automatic authentication has been disabled. You may call the authentication() method.",
|
1719
|
-
});
|
1720
|
-
}
|
1721
|
-
}
|
1722
|
-
// Silent authentication failed
|
1723
|
-
if (response === null) {
|
1724
|
-
try {
|
1725
|
-
response = await onAuthenticationRequired();
|
1726
|
-
}
|
1727
|
-
catch (err) {
|
1728
|
-
throw handleMsalError(scopes, err, options);
|
1729
|
-
}
|
1730
|
-
}
|
1731
|
-
// At this point we should have a token, process it
|
1732
|
-
ensureValidMsalToken(scopes, response, options);
|
1733
|
-
state.cachedAccount = (_a = response === null || response === void 0 ? void 0 : response.account) !== null && _a !== void 0 ? _a : null;
|
1734
|
-
state.logger.getToken.info(formatSuccess(scopes));
|
1735
|
-
return {
|
1736
|
-
token: response.accessToken,
|
1737
|
-
expiresOnTimestamp: response.expiresOn.getTime(),
|
1738
|
-
refreshAfterTimestamp: (_b = response.refreshOn) === null || _b === void 0 ? void 0 : _b.getTime(),
|
1739
|
-
tokenType: response.tokenType,
|
1740
|
-
};
|
1741
|
-
}
|
1742
|
-
async function getTokenByClientSecret(scopes, clientSecret, options = {}) {
|
1743
|
-
var _a;
|
1744
|
-
state.logger.getToken.info(`Attempting to acquire token using client secret`);
|
1745
|
-
state.msalConfig.auth.clientSecret = clientSecret;
|
1746
|
-
const msalApp = await getConfidentialApp(options);
|
1747
|
-
try {
|
1748
|
-
const response = await msalApp.acquireTokenByClientCredential({
|
1749
|
-
scopes,
|
1750
|
-
authority: calculateRequestAuthority(options),
|
1751
|
-
azureRegion: calculateRegionalAuthority(),
|
1752
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1753
|
-
});
|
1754
|
-
ensureValidMsalToken(scopes, response, options);
|
1755
|
-
state.logger.getToken.info(formatSuccess(scopes));
|
1756
|
-
return {
|
1757
|
-
token: response.accessToken,
|
1758
|
-
expiresOnTimestamp: response.expiresOn.getTime(),
|
1759
|
-
refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
|
1760
|
-
tokenType: response.tokenType,
|
1761
|
-
};
|
1762
|
-
}
|
1763
|
-
catch (err) {
|
1764
|
-
throw handleMsalError(scopes, err, options);
|
1765
|
-
}
|
1766
|
-
}
|
1767
|
-
async function getTokenByClientAssertion(scopes, clientAssertion, options = {}) {
|
1768
|
-
var _a;
|
1769
|
-
state.logger.getToken.info(`Attempting to acquire token using client assertion`);
|
1770
|
-
state.msalConfig.auth.clientAssertion = clientAssertion;
|
1771
|
-
const msalApp = await getConfidentialApp(options);
|
1772
|
-
try {
|
1773
|
-
const response = await msalApp.acquireTokenByClientCredential({
|
1774
|
-
scopes,
|
1775
|
-
authority: calculateRequestAuthority(options),
|
1776
|
-
azureRegion: calculateRegionalAuthority(),
|
1777
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1778
|
-
clientAssertion,
|
1779
|
-
});
|
1780
|
-
ensureValidMsalToken(scopes, response, options);
|
1781
|
-
state.logger.getToken.info(formatSuccess(scopes));
|
1782
|
-
return {
|
1783
|
-
token: response.accessToken,
|
1784
|
-
expiresOnTimestamp: response.expiresOn.getTime(),
|
1785
|
-
refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
|
1786
|
-
tokenType: response.tokenType,
|
1787
|
-
};
|
1788
|
-
}
|
1789
|
-
catch (err) {
|
1790
|
-
throw handleMsalError(scopes, err, options);
|
1791
|
-
}
|
1792
|
-
}
|
1793
|
-
async function getTokenByClientCertificate(scopes, certificate, options = {}) {
|
1794
|
-
var _a;
|
1795
|
-
state.logger.getToken.info(`Attempting to acquire token using client certificate`);
|
1796
|
-
state.msalConfig.auth.clientCertificate = certificate;
|
1797
|
-
const msalApp = await getConfidentialApp(options);
|
1798
|
-
try {
|
1799
|
-
const response = await msalApp.acquireTokenByClientCredential({
|
1800
|
-
scopes,
|
1801
|
-
authority: calculateRequestAuthority(options),
|
1802
|
-
azureRegion: calculateRegionalAuthority(),
|
1803
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1804
|
-
});
|
1805
|
-
ensureValidMsalToken(scopes, response, options);
|
1806
|
-
state.logger.getToken.info(formatSuccess(scopes));
|
1807
|
-
return {
|
1808
|
-
token: response.accessToken,
|
1809
|
-
expiresOnTimestamp: response.expiresOn.getTime(),
|
1810
|
-
refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
|
1811
|
-
tokenType: response.tokenType,
|
1812
|
-
};
|
1813
|
-
}
|
1814
|
-
catch (err) {
|
1815
|
-
throw handleMsalError(scopes, err, options);
|
1816
|
-
}
|
1817
|
-
}
|
1818
|
-
async function getTokenByDeviceCode(scopes, deviceCodeCallback, options = {}) {
|
1819
|
-
state.logger.getToken.info(`Attempting to acquire token using device code`);
|
1820
|
-
const msalApp = await getPublicApp(options);
|
1821
|
-
return withSilentAuthentication(msalApp, scopes, options, () => {
|
1822
|
-
var _a, _b;
|
1823
|
-
const requestOptions = {
|
1824
|
-
scopes,
|
1825
|
-
cancel: (_b = (_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.aborted) !== null && _b !== void 0 ? _b : false,
|
1826
|
-
deviceCodeCallback,
|
1827
|
-
authority: calculateRequestAuthority(options),
|
1828
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1829
|
-
};
|
1830
|
-
const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
|
1831
|
-
if (options.abortSignal) {
|
1832
|
-
options.abortSignal.addEventListener("abort", () => {
|
1833
|
-
requestOptions.cancel = true;
|
1834
|
-
});
|
1835
|
-
}
|
1836
|
-
return deviceCodeRequest;
|
1837
|
-
});
|
1838
|
-
}
|
1839
|
-
async function getTokenByUsernamePassword(scopes, username, password, options = {}) {
|
1840
|
-
state.logger.getToken.info(`Attempting to acquire token using username and password`);
|
1841
|
-
const msalApp = await getPublicApp(options);
|
1842
|
-
return withSilentAuthentication(msalApp, scopes, options, () => {
|
1843
|
-
const requestOptions = {
|
1844
|
-
scopes,
|
1845
|
-
username,
|
1846
|
-
password,
|
1847
|
-
authority: calculateRequestAuthority(options),
|
1848
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1849
|
-
};
|
1850
|
-
return msalApp.acquireTokenByUsernamePassword(requestOptions);
|
1851
|
-
});
|
1852
|
-
}
|
1853
|
-
function getActiveAccount() {
|
1854
|
-
if (!state.cachedAccount) {
|
1855
|
-
return undefined;
|
1856
|
-
}
|
1857
|
-
return msalToPublic(clientId, state.cachedAccount);
|
1858
|
-
}
|
1859
|
-
async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
|
1860
|
-
state.logger.getToken.info(`Attempting to acquire token using authorization code`);
|
1861
|
-
let msalApp;
|
1862
|
-
if (clientSecret) {
|
1863
|
-
// If a client secret is provided, we need to use a confidential client application
|
1864
|
-
// See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret
|
1865
|
-
state.msalConfig.auth.clientSecret = clientSecret;
|
1866
|
-
msalApp = await getConfidentialApp(options);
|
1867
|
-
}
|
1868
|
-
else {
|
1869
|
-
msalApp = await getPublicApp(options);
|
1870
|
-
}
|
1871
|
-
return withSilentAuthentication(msalApp, scopes, options, () => {
|
1872
|
-
return msalApp.acquireTokenByCode({
|
1873
|
-
scopes,
|
1874
|
-
redirectUri,
|
1875
|
-
code: authorizationCode,
|
1876
|
-
authority: calculateRequestAuthority(options),
|
1877
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1878
|
-
});
|
1879
|
-
});
|
1880
|
-
}
|
1881
|
-
async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
|
1882
|
-
var _a;
|
1883
|
-
msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
|
1884
|
-
if (typeof clientCredentials === "string") {
|
1885
|
-
// Client secret
|
1886
|
-
msalLogger.getToken.info(`Using client secret for on behalf of flow`);
|
1887
|
-
state.msalConfig.auth.clientSecret = clientCredentials;
|
1888
|
-
}
|
1889
|
-
else if (typeof clientCredentials === "function") {
|
1890
|
-
// Client Assertion
|
1891
|
-
msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);
|
1892
|
-
state.msalConfig.auth.clientAssertion = clientCredentials;
|
1893
|
-
}
|
1894
|
-
else {
|
1895
|
-
// Client certificate
|
1896
|
-
msalLogger.getToken.info(`Using client certificate for on behalf of flow`);
|
1897
|
-
state.msalConfig.auth.clientCertificate = clientCredentials;
|
1898
|
-
}
|
1899
|
-
const msalApp = await getConfidentialApp(options);
|
1900
|
-
try {
|
1901
|
-
const response = await msalApp.acquireTokenOnBehalfOf({
|
1902
|
-
scopes,
|
1903
|
-
authority: calculateRequestAuthority(options),
|
1904
|
-
claims: options.claims,
|
1905
|
-
oboAssertion: userAssertionToken,
|
1906
|
-
});
|
1907
|
-
ensureValidMsalToken(scopes, response, options);
|
1908
|
-
msalLogger.getToken.info(formatSuccess(scopes));
|
1909
|
-
return {
|
1910
|
-
token: response.accessToken,
|
1911
|
-
expiresOnTimestamp: response.expiresOn.getTime(),
|
1912
|
-
refreshAfterTimestamp: (_a = response.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
|
1913
|
-
tokenType: response.tokenType,
|
1914
|
-
};
|
1915
|
-
}
|
1916
|
-
catch (err) {
|
1917
|
-
throw handleMsalError(scopes, err, options);
|
1918
|
-
}
|
1919
|
-
}
|
1920
|
-
async function getTokenByInteractiveRequest(scopes, options = {}) {
|
1921
|
-
msalLogger.getToken.info(`Attempting to acquire token interactively`);
|
1922
|
-
const app = await getPublicApp(options);
|
1923
|
-
/**
|
1924
|
-
* A helper function that supports brokered authentication through the MSAL's public application.
|
1925
|
-
*
|
1926
|
-
* When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
|
1927
|
-
* If the default broker account is not available, the method will fall back to interactive authentication.
|
1928
|
-
*/
|
1929
|
-
async function getBrokeredToken(useDefaultBrokerAccount) {
|
1930
|
-
var _a;
|
1931
|
-
msalLogger.verbose("Authentication will resume through the broker");
|
1932
|
-
const interactiveRequest = createBaseInteractiveRequest();
|
1933
|
-
if (state.pluginConfiguration.broker.parentWindowHandle) {
|
1934
|
-
interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
|
1935
|
-
}
|
1936
|
-
else {
|
1937
|
-
// this is a bug, as the pluginConfiguration handler should validate this case.
|
1938
|
-
msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
|
1939
|
-
}
|
1940
|
-
if (state.pluginConfiguration.broker.enableMsaPassthrough) {
|
1941
|
-
((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
|
1942
|
-
"consumer_passthrough";
|
1943
|
-
}
|
1944
|
-
if (useDefaultBrokerAccount) {
|
1945
|
-
interactiveRequest.prompt = "none";
|
1946
|
-
msalLogger.verbose("Attempting broker authentication using the default broker account");
|
1947
|
-
}
|
1948
|
-
else {
|
1949
|
-
msalLogger.verbose("Attempting broker authentication without the default broker account");
|
1950
|
-
}
|
1951
|
-
if (options.proofOfPossessionOptions) {
|
1952
|
-
interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
|
1953
|
-
interactiveRequest.authenticationScheme = "pop";
|
1954
|
-
interactiveRequest.resourceRequestMethod =
|
1955
|
-
options.proofOfPossessionOptions.resourceRequestMethod;
|
1956
|
-
interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
|
1957
|
-
}
|
1958
|
-
try {
|
1959
|
-
return await app.acquireTokenInteractive(interactiveRequest);
|
1960
|
-
}
|
1961
|
-
catch (e) {
|
1962
|
-
msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
|
1963
|
-
// If we tried to use the default broker account and failed, fall back to interactive authentication
|
1964
|
-
if (useDefaultBrokerAccount) {
|
1965
|
-
return getBrokeredToken(/* useDefaultBrokerAccount: */ false);
|
1966
|
-
}
|
1967
|
-
else {
|
1968
|
-
throw e;
|
1969
|
-
}
|
1970
|
-
}
|
1971
|
-
}
|
1972
|
-
function createBaseInteractiveRequest() {
|
1973
|
-
var _a, _b;
|
1974
|
-
return {
|
1975
|
-
openBrowser: async (url) => {
|
1976
|
-
await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
|
1977
|
-
},
|
1978
|
-
scopes,
|
1979
|
-
authority: calculateRequestAuthority(options),
|
1980
|
-
claims: options === null || options === void 0 ? void 0 : options.claims,
|
1981
|
-
loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
|
1982
|
-
errorTemplate: (_a = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage,
|
1983
|
-
successTemplate: (_b = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage,
|
1984
|
-
};
|
1985
|
-
}
|
1986
|
-
return withSilentAuthentication(app, scopes, options, async () => {
|
1987
|
-
var _a;
|
1988
|
-
const interactiveRequest = createBaseInteractiveRequest();
|
1989
|
-
if (state.pluginConfiguration.broker.isEnabled) {
|
1990
|
-
return getBrokeredToken((_a = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a !== void 0 ? _a : false);
|
1991
|
-
}
|
1992
|
-
if (options.proofOfPossessionOptions) {
|
1993
|
-
interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;
|
1994
|
-
interactiveRequest.authenticationScheme = "pop";
|
1995
|
-
interactiveRequest.resourceRequestMethod =
|
1996
|
-
options.proofOfPossessionOptions.resourceRequestMethod;
|
1997
|
-
interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
|
1998
|
-
}
|
1999
|
-
return app.acquireTokenInteractive(interactiveRequest);
|
2000
|
-
});
|
2001
|
-
}
|
2002
|
-
return {
|
2003
|
-
getActiveAccount,
|
2004
|
-
getTokenByClientSecret,
|
2005
|
-
getTokenByClientAssertion,
|
2006
|
-
getTokenByClientCertificate,
|
2007
|
-
getTokenByDeviceCode,
|
2008
|
-
getTokenByUsernamePassword,
|
2009
|
-
getTokenByAuthorizationCode,
|
2010
|
-
getTokenOnBehalfOf,
|
2011
|
-
getTokenByInteractiveRequest,
|
2012
|
-
};
|
2013
|
-
}
|
2014
|
-
|
2015
|
-
// Copyright (c) Microsoft Corporation.
|
2016
|
-
// Licensed under the MIT License.
|
2017
|
-
const logger$h = credentialLogger("ClientAssertionCredential");
|
2018
|
-
/**
|
2019
|
-
* Authenticates a service principal with a JWT assertion.
|
2020
|
-
*/
|
2021
|
-
class ClientAssertionCredential {
|
2022
|
-
/**
|
2023
|
-
* Creates an instance of the ClientAssertionCredential with the details
|
2024
|
-
* needed to authenticate against Microsoft Entra ID with a client
|
2025
|
-
* assertion provided by the developer through the `getAssertion` function parameter.
|
2026
|
-
*
|
2027
|
-
* @param tenantId - The Microsoft Entra tenant (directory) ID.
|
2028
|
-
* @param clientId - The client (application) ID of an App Registration in the tenant.
|
2029
|
-
* @param getAssertion - A function that retrieves the assertion for the credential to use.
|
2030
|
-
* @param options - Options for configuring the client which makes the authentication request.
|
2031
|
-
*/
|
2032
|
-
constructor(tenantId, clientId, getAssertion, options = {}) {
|
2033
|
-
if (!tenantId) {
|
2034
|
-
throw new CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter.");
|
2035
|
-
}
|
2036
|
-
if (!clientId) {
|
2037
|
-
throw new CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter.");
|
2038
|
-
}
|
2039
|
-
if (!getAssertion) {
|
2040
|
-
throw new CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter.");
|
2041
|
-
}
|
2042
|
-
this.tenantId = tenantId;
|
2043
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
2044
|
-
this.options = options;
|
2045
|
-
this.getAssertion = getAssertion;
|
2046
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$h, tokenCredentialOptions: this.options }));
|
2047
|
-
}
|
2048
|
-
/**
|
2049
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
2050
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
2051
|
-
*
|
2052
|
-
* @param scopes - The list of scopes for which the token will have access.
|
2053
|
-
* @param options - The options used to configure any requests this
|
2054
|
-
* TokenCredential implementation might make.
|
2055
|
-
*/
|
2056
|
-
async getToken(scopes, options = {}) {
|
2057
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
2058
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
|
2059
|
-
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
2060
|
-
return this.msalClient.getTokenByClientAssertion(arrayScopes, this.getAssertion, newOptions);
|
2061
|
-
});
|
2062
|
-
}
|
2063
|
-
}
|
2064
|
-
|
2065
|
-
// Copyright (c) Microsoft Corporation.
|
2066
|
-
// Licensed under the MIT License.
|
2067
|
-
const credentialName$4 = "WorkloadIdentityCredential";
|
2068
|
-
/**
|
2069
|
-
* Contains the list of all supported environment variable names so that an
|
2070
|
-
* appropriate error message can be generated when no credentials can be
|
2071
|
-
* configured.
|
2072
|
-
*
|
2073
|
-
* @internal
|
2074
|
-
*/
|
2075
|
-
const SupportedWorkloadEnvironmentVariables = [
|
2076
|
-
"AZURE_TENANT_ID",
|
2077
|
-
"AZURE_CLIENT_ID",
|
2078
|
-
"AZURE_FEDERATED_TOKEN_FILE",
|
2079
|
-
];
|
2080
|
-
const logger$g = credentialLogger(credentialName$4);
|
2081
|
-
/**
|
2082
|
-
* Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
|
2083
|
-
* to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
|
2084
|
-
* authentication, applications authenticate themselves using their own identity, rather than using a shared service
|
2085
|
-
* principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account
|
2086
|
-
* Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload
|
2087
|
-
* Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for
|
2088
|
-
* each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't
|
2089
|
-
* need to worry about storing and securing sensitive credentials themselves.
|
2090
|
-
* The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires
|
2091
|
-
* a token using the SACs available in the Azure Kubernetes environment.
|
2092
|
-
* Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Microsoft Entra
|
2093
|
-
* Workload ID</a> for more information.
|
2094
|
-
*/
|
2095
|
-
class WorkloadIdentityCredential {
|
2096
|
-
/**
|
2097
|
-
* WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.
|
2098
|
-
*
|
2099
|
-
* @param options - The identity client options to use for authentication.
|
2100
|
-
*/
|
2101
|
-
constructor(options) {
|
2102
|
-
this.azureFederatedTokenFileContent = undefined;
|
2103
|
-
this.cacheDate = undefined;
|
2104
|
-
// Logging environment variables for error details
|
2105
|
-
const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
|
2106
|
-
logger$g.info(`Found the following environment variables: ${assignedEnv}`);
|
2107
|
-
const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
|
2108
|
-
const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
|
2109
|
-
const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
|
2110
|
-
this.federatedTokenFilePath =
|
2111
|
-
workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
|
2112
|
-
if (tenantId) {
|
2113
|
-
checkTenantId(logger$g, tenantId);
|
2114
|
-
}
|
2115
|
-
if (!clientId) {
|
2116
|
-
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. clientId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_CLIENT_ID".
|
2117
|
-
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
|
2118
|
-
}
|
2119
|
-
if (!tenantId) {
|
2120
|
-
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_TENANT_ID".
|
2121
|
-
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
|
2122
|
-
}
|
2123
|
-
if (!this.federatedTokenFilePath) {
|
2124
|
-
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_FEDERATED_TOKEN_FILE".
|
2125
|
-
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
|
2126
|
-
}
|
2127
|
-
logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
|
2128
|
-
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
|
2129
|
-
}
|
2130
|
-
/**
|
2131
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
2132
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
2133
|
-
*
|
2134
|
-
* @param scopes - The list of scopes for which the token will have access.
|
2135
|
-
* @param options - The options used to configure any requests this
|
2136
|
-
* TokenCredential implementation might make.
|
2137
|
-
*/
|
2138
|
-
async getToken(scopes, options) {
|
2139
|
-
if (!this.client) {
|
2140
|
-
const errorMessage = `${credentialName$4}: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters.
|
2141
|
-
In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables -
|
2142
|
-
"AZURE_TENANT_ID",
|
2143
|
-
"AZURE_CLIENT_ID",
|
2144
|
-
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`;
|
2145
|
-
logger$g.info(errorMessage);
|
2146
|
-
throw new CredentialUnavailableError(errorMessage);
|
2147
|
-
}
|
2148
|
-
logger$g.info("Invoking getToken() of Client Assertion Credential");
|
2149
|
-
return this.client.getToken(scopes, options);
|
2150
|
-
}
|
2151
|
-
async readFileContents() {
|
2152
|
-
// Cached assertions expire after 5 minutes
|
2153
|
-
if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {
|
2154
|
-
this.azureFederatedTokenFileContent = undefined;
|
2155
|
-
}
|
2156
|
-
if (!this.federatedTokenFilePath) {
|
2157
|
-
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. Invalid file path provided ${this.federatedTokenFilePath}.`);
|
2158
|
-
}
|
2159
|
-
if (!this.azureFederatedTokenFileContent) {
|
2160
|
-
const file = await promises.readFile(this.federatedTokenFilePath, "utf8");
|
2161
|
-
const value = file.trim();
|
2162
|
-
if (!value) {
|
2163
|
-
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. No content on the file ${this.federatedTokenFilePath}.`);
|
2164
|
-
}
|
2165
|
-
else {
|
2166
|
-
this.azureFederatedTokenFileContent = value;
|
2167
|
-
this.cacheDate = Date.now();
|
2168
|
-
}
|
2169
|
-
}
|
2170
|
-
return this.azureFederatedTokenFileContent;
|
2171
|
-
}
|
2172
|
-
}
|
2173
|
-
|
2174
|
-
// Copyright (c) Microsoft Corporation.
|
2175
|
-
// Licensed under the MIT License.
|
2176
|
-
const msiName = "ManagedIdentityCredential - Token Exchange";
|
2177
|
-
const logger$f = credentialLogger(msiName);
|
2178
|
-
/**
|
2179
|
-
* Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
|
2180
|
-
*
|
2181
|
-
* Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.
|
2182
|
-
* The rest have been migrated to MSAL.
|
2183
|
-
*/
|
2184
|
-
const tokenExchangeMsi = {
|
2185
|
-
name: "tokenExchangeMsi",
|
2186
|
-
async isAvailable(clientId) {
|
2187
|
-
const env = process.env;
|
2188
|
-
const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
|
2189
|
-
env.AZURE_TENANT_ID &&
|
2190
|
-
process.env.AZURE_FEDERATED_TOKEN_FILE);
|
2191
|
-
if (!result) {
|
2192
|
-
logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
|
2193
|
-
}
|
2194
|
-
return result;
|
2195
|
-
},
|
2196
|
-
async getToken(configuration, getTokenOptions = {}) {
|
2197
|
-
const { scopes, clientId } = configuration;
|
2198
|
-
const identityClientTokenCredentialOptions = {};
|
2199
|
-
const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
|
2200
|
-
return workloadIdentityCredential.getToken(scopes, getTokenOptions);
|
2201
|
-
},
|
2202
|
-
};
|
2203
|
-
|
2204
|
-
// Copyright (c) Microsoft Corporation.
|
2205
|
-
// Licensed under the MIT License.
|
2206
|
-
const logger$e = credentialLogger("ManagedIdentityCredential");
|
2207
|
-
/**
|
2208
|
-
* Attempts authentication using a managed identity available at the deployment environment.
|
2209
|
-
* This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
|
2210
|
-
* Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
|
2211
|
-
*
|
2212
|
-
* More information about configuring managed identities can be found here:
|
2213
|
-
* https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
|
2214
|
-
*/
|
2215
|
-
class ManagedIdentityCredential {
|
2216
|
-
/**
|
2217
|
-
* @internal
|
2218
|
-
* @hidden
|
2219
|
-
*/
|
2220
|
-
constructor(clientIdOrOptions, options) {
|
2221
|
-
var _a, _b;
|
2222
|
-
this.msiRetryConfig = {
|
2223
|
-
maxRetries: 5,
|
2224
|
-
startDelayInMs: 800,
|
2225
|
-
intervalIncrement: 2,
|
2226
|
-
};
|
2227
|
-
let _options;
|
2228
|
-
if (typeof clientIdOrOptions === "string") {
|
2229
|
-
this.clientId = clientIdOrOptions;
|
2230
|
-
_options = options !== null && options !== void 0 ? options : {};
|
2231
|
-
}
|
2232
|
-
else {
|
2233
|
-
this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
|
2234
|
-
_options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
|
2235
|
-
}
|
2236
|
-
this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
|
2237
|
-
this.objectId = _options === null || _options === void 0 ? void 0 : _options.objectId;
|
2238
|
-
// For JavaScript users.
|
2239
|
-
const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);
|
2240
|
-
if (providedIds.length > 1) {
|
2241
|
-
throw new Error(`ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify({ clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId })}`);
|
2242
|
-
}
|
2243
|
-
// ManagedIdentity uses http for local requests
|
2244
|
-
_options.allowInsecureConnection = true;
|
2245
|
-
if (((_a = _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
|
2246
|
-
this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
|
2247
|
-
}
|
2248
|
-
this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
|
2249
|
-
this.managedIdentityApp = new msalCommon.ManagedIdentityApplication({
|
2250
|
-
managedIdentityIdParams: {
|
2251
|
-
userAssignedClientId: this.clientId,
|
2252
|
-
userAssignedResourceId: this.resourceId,
|
2253
|
-
userAssignedObjectId: this.objectId,
|
2254
|
-
},
|
2255
|
-
system: {
|
2256
|
-
disableInternalRetries: true,
|
2257
|
-
networkClient: this.identityClient,
|
2258
|
-
loggerOptions: {
|
2259
|
-
logLevel: getMSALLogLevel(logger$m.getLogLevel()),
|
2260
|
-
piiLoggingEnabled: (_b = _options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
|
2261
|
-
loggerCallback: defaultLoggerCallback(logger$e),
|
2262
|
-
},
|
2263
|
-
},
|
2264
|
-
});
|
2265
|
-
this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
|
2266
|
-
maxRetries: 0,
|
2267
|
-
} }));
|
2268
|
-
// CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.
|
2269
|
-
if (this.managedIdentityApp.getManagedIdentitySource() === "CloudShell") {
|
2270
|
-
if (this.clientId || this.resourceId || this.objectId) {
|
2271
|
-
logger$e.warning(`CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify({
|
2272
|
-
clientId: this.clientId,
|
2273
|
-
resourceId: this.resourceId,
|
2274
|
-
objectId: this.objectId,
|
2275
|
-
})}.`);
|
2276
|
-
throw new CredentialUnavailableError("ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.");
|
2277
|
-
}
|
2278
|
-
}
|
2279
|
-
}
|
2280
|
-
/**
|
2281
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
2282
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
2283
|
-
* If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
|
2284
|
-
*
|
2285
|
-
* @param scopes - The list of scopes for which the token will have access.
|
2286
|
-
* @param options - The options used to configure any requests this
|
2287
|
-
* TokenCredential implementation might make.
|
2288
|
-
*/
|
2289
|
-
async getToken(scopes, options = {}) {
|
2290
|
-
logger$e.getToken.info("Using the MSAL provider for Managed Identity.");
|
2291
|
-
const resource = mapScopesToResource(scopes);
|
2292
|
-
if (!resource) {
|
2293
|
-
throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
|
2294
|
-
}
|
2295
|
-
return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
|
2296
|
-
var _a;
|
2297
|
-
try {
|
2298
|
-
const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable(this.clientId);
|
2299
|
-
// Most scenarios are handled by MSAL except for two:
|
2300
|
-
// AKS pod identity - MSAL does not implement the token exchange flow.
|
2301
|
-
// IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.
|
2302
|
-
// As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token
|
2303
|
-
// We will continue to implement these features in the Identity library.
|
2304
|
-
const identitySource = this.managedIdentityApp.getManagedIdentitySource();
|
2305
|
-
const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.
|
2306
|
-
logger$e.getToken.info(`MSAL Identity source: ${identitySource}`);
|
2307
|
-
if (isTokenExchangeMsi) {
|
2308
|
-
// In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.
|
2309
|
-
logger$e.getToken.info("Using the token exchange managed identity.");
|
2310
|
-
const result = await tokenExchangeMsi.getToken({
|
2311
|
-
scopes,
|
2312
|
-
clientId: this.clientId,
|
2313
|
-
identityClient: this.identityClient,
|
2314
|
-
retryConfig: this.msiRetryConfig,
|
2315
|
-
resourceId: this.resourceId,
|
2316
|
-
});
|
2317
|
-
if (result === null) {
|
2318
|
-
throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response.");
|
2319
|
-
}
|
2320
|
-
return result;
|
2321
|
-
}
|
2322
|
-
else if (isImdsMsi) {
|
2323
|
-
// In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.
|
2324
|
-
// If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.
|
2325
|
-
logger$e.getToken.info("Using the IMDS endpoint to probe for availability.");
|
2326
|
-
const isAvailable = await imdsMsi.isAvailable({
|
2327
|
-
scopes,
|
2328
|
-
clientId: this.clientId,
|
2329
|
-
getTokenOptions: options,
|
2330
|
-
identityClient: this.isAvailableIdentityClient,
|
2331
|
-
resourceId: this.resourceId,
|
2332
|
-
});
|
2333
|
-
if (!isAvailable) {
|
2334
|
-
throw new CredentialUnavailableError(`Attempted to use the IMDS endpoint, but it is not available.`);
|
2335
|
-
}
|
2336
|
-
}
|
2337
|
-
// If we got this far, it means:
|
2338
|
-
// - This is not a tokenExchangeMsi,
|
2339
|
-
// - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.
|
2340
|
-
// We can proceed normally by calling MSAL for a token.
|
2341
|
-
logger$e.getToken.info("Calling into MSAL for managed identity token.");
|
2342
|
-
const token = await this.managedIdentityApp.acquireToken({
|
2343
|
-
resource,
|
2344
|
-
});
|
2345
|
-
this.ensureValidMsalToken(scopes, token, options);
|
2346
|
-
logger$e.getToken.info(formatSuccess(scopes));
|
2347
|
-
return {
|
2348
|
-
expiresOnTimestamp: token.expiresOn.getTime(),
|
2349
|
-
token: token.accessToken,
|
2350
|
-
refreshAfterTimestamp: (_a = token.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
|
2351
|
-
tokenType: "Bearer",
|
2352
|
-
};
|
2353
|
-
}
|
2354
|
-
catch (err) {
|
2355
|
-
logger$e.getToken.error(formatError(scopes, err));
|
2356
|
-
// AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.
|
2357
|
-
// TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?
|
2358
|
-
if (err.name === "AuthenticationRequiredError") {
|
2359
|
-
throw err;
|
2360
|
-
}
|
2361
|
-
if (isNetworkError(err)) {
|
2362
|
-
throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err });
|
2363
|
-
}
|
2364
|
-
throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err });
|
2365
|
-
}
|
2366
|
-
});
|
2367
|
-
}
|
2368
|
-
/**
|
2369
|
-
* Ensures the validity of the MSAL token
|
2370
|
-
*/
|
2371
|
-
ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
2372
|
-
const createError = (message) => {
|
2373
|
-
logger$e.getToken.info(message);
|
2374
|
-
return new AuthenticationRequiredError({
|
2375
|
-
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
2376
|
-
getTokenOptions,
|
2377
|
-
message,
|
2378
|
-
});
|
2379
|
-
};
|
2380
|
-
if (!msalToken) {
|
2381
|
-
throw createError("No response.");
|
2382
|
-
}
|
2383
|
-
if (!msalToken.expiresOn) {
|
2384
|
-
throw createError(`Response had no "expiresOn" property.`);
|
2385
|
-
}
|
2386
|
-
if (!msalToken.accessToken) {
|
2387
|
-
throw createError(`Response had no "accessToken" property.`);
|
2388
|
-
}
|
2389
|
-
}
|
2390
|
-
}
|
2391
|
-
function isNetworkError(err) {
|
2392
|
-
// MSAL error
|
2393
|
-
if (err.errorCode === "network_error") {
|
2394
|
-
return true;
|
2395
|
-
}
|
2396
|
-
// Probe errors
|
2397
|
-
if (err.code === "ENETUNREACH" || err.code === "EHOSTUNREACH") {
|
2398
|
-
return true;
|
2399
|
-
}
|
2400
|
-
// This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
|
2401
|
-
// rather than just timing out, as expected.
|
2402
|
-
if (err.statusCode === 403 || err.code === 403) {
|
2403
|
-
if (err.message.includes("unreachable")) {
|
2404
|
-
return true;
|
2405
|
-
}
|
2406
|
-
}
|
2407
|
-
return false;
|
2408
|
-
}
|
2409
|
-
|
2410
|
-
// Copyright (c) Microsoft Corporation.
|
2411
|
-
// Licensed under the MIT License.
|
2412
|
-
/**
|
2413
|
-
* Ensures the scopes value is an array.
|
2414
|
-
* @internal
|
2415
|
-
*/
|
2416
|
-
function ensureScopes(scopes) {
|
2417
|
-
return Array.isArray(scopes) ? scopes : [scopes];
|
2418
|
-
}
|
2419
|
-
/**
|
2420
|
-
* Throws if the received scope is not valid.
|
2421
|
-
* @internal
|
2422
|
-
*/
|
2423
|
-
function ensureValidScopeForDevTimeCreds(scope, logger) {
|
2424
|
-
if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
|
2425
|
-
const error = new Error("Invalid scope was specified by the user or calling client");
|
2426
|
-
logger.getToken.info(formatError(scope, error));
|
2427
|
-
throw error;
|
2428
|
-
}
|
2429
|
-
}
|
2430
|
-
/**
|
2431
|
-
* Returns the resource out of a scope.
|
2432
|
-
* @internal
|
2433
|
-
*/
|
2434
|
-
function getScopeResource(scope) {
|
2435
|
-
return scope.replace(/\/.default$/, "");
|
2436
|
-
}
|
2437
|
-
|
2438
|
-
// Copyright (c) Microsoft Corporation.
|
2439
|
-
// Licensed under the MIT License.
|
2440
|
-
/**
|
2441
|
-
* @internal
|
2442
|
-
*/
|
2443
|
-
function checkSubscription(logger, subscription) {
|
2444
|
-
if (!subscription.match(/^[0-9a-zA-Z-._ ]+$/)) {
|
2445
|
-
const error = new Error("Invalid subscription provided. You can locate your subscription by following the instructions listed here: https://learn.microsoft.com/azure/azure-portal/get-subscription-tenant-id.");
|
2446
|
-
logger.info(formatError("", error));
|
2447
|
-
throw error;
|
2448
|
-
}
|
2449
|
-
}
|
2450
|
-
|
2451
|
-
// Copyright (c) Microsoft Corporation.
|
2452
|
-
// Licensed under the MIT License.
|
2453
|
-
/**
|
2454
|
-
* Mockable reference to the CLI credential cliCredentialFunctions
|
2455
|
-
* @internal
|
2456
|
-
*/
|
2457
|
-
const cliCredentialInternals = {
|
2458
|
-
/**
|
2459
|
-
* @internal
|
2460
|
-
*/
|
2461
|
-
getSafeWorkingDir() {
|
2462
|
-
if (process.platform === "win32") {
|
2463
|
-
if (!process.env.SystemRoot) {
|
2464
|
-
throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
|
2465
|
-
}
|
2466
|
-
return process.env.SystemRoot;
|
2467
|
-
}
|
2468
|
-
else {
|
2469
|
-
return "/bin";
|
2470
|
-
}
|
2471
|
-
},
|
2472
|
-
/**
|
2473
|
-
* Gets the access token from Azure CLI
|
2474
|
-
* @param resource - The resource to use when getting the token
|
2475
|
-
* @internal
|
2476
|
-
*/
|
2477
|
-
async getAzureCliAccessToken(resource, tenantId, subscription, timeout) {
|
2478
|
-
let tenantSection = [];
|
2479
|
-
let subscriptionSection = [];
|
2480
|
-
if (tenantId) {
|
2481
|
-
tenantSection = ["--tenant", tenantId];
|
2482
|
-
}
|
2483
|
-
if (subscription) {
|
2484
|
-
// Add quotes around the subscription to handle subscriptions with spaces
|
2485
|
-
subscriptionSection = ["--subscription", `"${subscription}"`];
|
2486
|
-
}
|
2487
|
-
return new Promise((resolve, reject) => {
|
2488
|
-
try {
|
2489
|
-
child_process.execFile("az", [
|
2490
|
-
"account",
|
2491
|
-
"get-access-token",
|
2492
|
-
"--output",
|
2493
|
-
"json",
|
2494
|
-
"--resource",
|
2495
|
-
resource,
|
2496
|
-
...tenantSection,
|
2497
|
-
...subscriptionSection,
|
2498
|
-
], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true, timeout }, (error, stdout, stderr) => {
|
2499
|
-
resolve({ stdout: stdout, stderr: stderr, error });
|
2500
|
-
});
|
2501
|
-
}
|
2502
|
-
catch (err) {
|
2503
|
-
reject(err);
|
2504
|
-
}
|
2505
|
-
});
|
2506
|
-
},
|
2507
|
-
};
|
2508
|
-
const logger$d = credentialLogger("AzureCliCredential");
|
2509
|
-
/**
|
2510
|
-
* This credential will use the currently logged-in user login information
|
2511
|
-
* via the Azure CLI ('az') commandline tool.
|
2512
|
-
* To do so, it will read the user access token and expire time
|
2513
|
-
* with Azure CLI command "az account get-access-token".
|
2514
|
-
*/
|
2515
|
-
class AzureCliCredential {
|
2516
|
-
/**
|
2517
|
-
* Creates an instance of the {@link AzureCliCredential}.
|
2518
|
-
*
|
2519
|
-
* To use this credential, ensure that you have already logged
|
2520
|
-
* in via the 'az' tool using the command "az login" from the commandline.
|
2521
|
-
*
|
2522
|
-
* @param options - Options, to optionally allow multi-tenant requests.
|
2523
|
-
*/
|
2524
|
-
constructor(options) {
|
2525
|
-
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
2526
|
-
checkTenantId(logger$d, options === null || options === void 0 ? void 0 : options.tenantId);
|
2527
|
-
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
2528
|
-
}
|
2529
|
-
if (options === null || options === void 0 ? void 0 : options.subscription) {
|
2530
|
-
checkSubscription(logger$d, options === null || options === void 0 ? void 0 : options.subscription);
|
2531
|
-
this.subscription = options === null || options === void 0 ? void 0 : options.subscription;
|
2532
|
-
}
|
2533
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
2534
|
-
this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
|
2535
|
-
}
|
2536
|
-
/**
|
2537
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
2538
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
2539
|
-
*
|
2540
|
-
* @param scopes - The list of scopes for which the token will have access.
|
2541
|
-
* @param options - The options used to configure any requests this
|
2542
|
-
* TokenCredential implementation might make.
|
2543
|
-
*/
|
2544
|
-
async getToken(scopes, options = {}) {
|
2545
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
2546
|
-
if (tenantId) {
|
2547
|
-
checkTenantId(logger$d, tenantId);
|
2548
|
-
}
|
2549
|
-
if (this.subscription) {
|
2550
|
-
checkSubscription(logger$d, this.subscription);
|
2551
|
-
}
|
2552
|
-
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
2553
|
-
logger$d.getToken.info(`Using the scope ${scope}`);
|
2554
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
2555
|
-
var _a, _b, _c, _d;
|
2556
|
-
try {
|
2557
|
-
ensureValidScopeForDevTimeCreds(scope, logger$d);
|
2558
|
-
const resource = getScopeResource(scope);
|
2559
|
-
const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.subscription, this.timeout);
|
2560
|
-
const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
|
2561
|
-
const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
|
2562
|
-
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
|
2563
|
-
if (isNotInstallError) {
|
2564
|
-
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
2565
|
-
logger$d.getToken.info(formatError(scopes, error));
|
2566
|
-
throw error;
|
2567
|
-
}
|
2568
|
-
if (isLoginError) {
|
2569
|
-
const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
|
2570
|
-
logger$d.getToken.info(formatError(scopes, error));
|
2571
|
-
throw error;
|
2572
|
-
}
|
2573
|
-
try {
|
2574
|
-
const responseData = obj.stdout;
|
2575
|
-
const response = this.parseRawResponse(responseData);
|
2576
|
-
logger$d.getToken.info(formatSuccess(scopes));
|
2577
|
-
return response;
|
2578
|
-
}
|
2579
|
-
catch (e) {
|
2580
|
-
if (obj.stderr) {
|
2581
|
-
throw new CredentialUnavailableError(obj.stderr);
|
2582
|
-
}
|
2583
|
-
throw e;
|
2584
|
-
}
|
2585
|
-
}
|
2586
|
-
catch (err) {
|
2587
|
-
const error = err.name === "CredentialUnavailableError"
|
2588
|
-
? err
|
2589
|
-
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
2590
|
-
logger$d.getToken.info(formatError(scopes, error));
|
2591
|
-
throw error;
|
2592
|
-
}
|
2593
|
-
});
|
2594
|
-
}
|
2595
|
-
/**
|
2596
|
-
* Parses the raw JSON response from the Azure CLI into a usable AccessToken object
|
2597
|
-
*
|
2598
|
-
* @param rawResponse - The raw JSON response from the Azure CLI
|
2599
|
-
* @returns An access token with the expiry time parsed from the raw response
|
2600
|
-
*
|
2601
|
-
* The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
|
2602
|
-
*
|
2603
|
-
* When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
|
2604
|
-
*/
|
2605
|
-
parseRawResponse(rawResponse) {
|
2606
|
-
const response = JSON.parse(rawResponse);
|
2607
|
-
const token = response.accessToken;
|
2608
|
-
// if available, expires_on will be a number representing seconds since epoch.
|
2609
|
-
// ensure it's a number or NaN
|
2610
|
-
let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
|
2611
|
-
if (!isNaN(expiresOnTimestamp)) {
|
2612
|
-
logger$d.getToken.info("expires_on is available and is valid, using it");
|
2613
|
-
return {
|
2614
|
-
token,
|
2615
|
-
expiresOnTimestamp,
|
2616
|
-
tokenType: "Bearer",
|
2617
|
-
};
|
2618
|
-
}
|
2619
|
-
// fallback to the older expiresOn - an RFC3339 date string
|
2620
|
-
expiresOnTimestamp = new Date(response.expiresOn).getTime();
|
2621
|
-
// ensure expiresOn is well-formatted
|
2622
|
-
if (isNaN(expiresOnTimestamp)) {
|
2623
|
-
throw new CredentialUnavailableError(`Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got: "${response.expiresOn}"`);
|
2624
|
-
}
|
2625
|
-
return {
|
2626
|
-
token,
|
2627
|
-
expiresOnTimestamp,
|
2628
|
-
tokenType: "Bearer",
|
2629
|
-
};
|
2630
|
-
}
|
2631
|
-
}
|
2632
|
-
|
2633
|
-
// Copyright (c) Microsoft Corporation.
|
2634
|
-
// Licensed under the MIT License.
|
2635
|
-
/**
|
2636
|
-
* Mockable reference to the Developer CLI credential cliCredentialFunctions
|
2637
|
-
* @internal
|
2638
|
-
*/
|
2639
|
-
const developerCliCredentialInternals = {
|
2640
|
-
/**
|
2641
|
-
* @internal
|
2642
|
-
*/
|
2643
|
-
getSafeWorkingDir() {
|
2644
|
-
if (process.platform === "win32") {
|
2645
|
-
if (!process.env.SystemRoot) {
|
2646
|
-
throw new Error("Azure Developer CLI credential expects a 'SystemRoot' environment variable");
|
2647
|
-
}
|
2648
|
-
return process.env.SystemRoot;
|
2649
|
-
}
|
2650
|
-
else {
|
2651
|
-
return "/bin";
|
2652
|
-
}
|
2653
|
-
},
|
2654
|
-
/**
|
2655
|
-
* Gets the access token from Azure Developer CLI
|
2656
|
-
* @param scopes - The scopes to use when getting the token
|
2657
|
-
* @internal
|
2658
|
-
*/
|
2659
|
-
async getAzdAccessToken(scopes, tenantId, timeout) {
|
2660
|
-
let tenantSection = [];
|
2661
|
-
if (tenantId) {
|
2662
|
-
tenantSection = ["--tenant-id", tenantId];
|
2663
|
-
}
|
2664
|
-
return new Promise((resolve, reject) => {
|
2665
|
-
try {
|
2666
|
-
child_process.execFile("azd", [
|
2667
|
-
"auth",
|
2668
|
-
"token",
|
2669
|
-
"--output",
|
2670
|
-
"json",
|
2671
|
-
...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
|
2672
|
-
...tenantSection,
|
2673
|
-
], {
|
2674
|
-
cwd: developerCliCredentialInternals.getSafeWorkingDir(),
|
2675
|
-
timeout,
|
2676
|
-
}, (error, stdout, stderr) => {
|
2677
|
-
resolve({ stdout, stderr, error });
|
2678
|
-
});
|
2679
|
-
}
|
2680
|
-
catch (err) {
|
2681
|
-
reject(err);
|
2682
|
-
}
|
2683
|
-
});
|
2684
|
-
},
|
2685
|
-
};
|
2686
|
-
const logger$c = credentialLogger("AzureDeveloperCliCredential");
|
2687
|
-
/**
|
2688
|
-
* Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
|
2689
|
-
* resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
|
2690
|
-
* to Azure developers. It allows users to authenticate as a user and/or a service principal against
|
2691
|
-
* <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>. The
|
2692
|
-
* AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
|
2693
|
-
* the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
|
2694
|
-
* service principal and executes an Azure CLI command underneath to authenticate the application against
|
2695
|
-
* Microsoft Entra ID.
|
2696
|
-
*
|
2697
|
-
* <h2> Configure AzureDeveloperCliCredential </h2>
|
2698
|
-
*
|
2699
|
-
* To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
|
2700
|
-
* commands below:
|
2701
|
-
*
|
2702
|
-
* <ol>
|
2703
|
-
* <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
|
2704
|
-
* <li>Run "azd auth login --client-id clientID --client-secret clientSecret
|
2705
|
-
* --tenant-id tenantID" to authenticate as a service principal.</li>
|
2706
|
-
* </ol>
|
2707
|
-
*
|
2708
|
-
* You may need to repeat this process after a certain time period, depending on the refresh token validity in your
|
2709
|
-
* organization. Generally, the refresh token validity period is a few weeks to a few months.
|
2710
|
-
* AzureDeveloperCliCredential will prompt you to sign in again.
|
2711
|
-
*/
|
2712
|
-
class AzureDeveloperCliCredential {
|
2713
|
-
/**
|
2714
|
-
* Creates an instance of the {@link AzureDeveloperCliCredential}.
|
2715
|
-
*
|
2716
|
-
* To use this credential, ensure that you have already logged
|
2717
|
-
* in via the 'azd' tool using the command "azd auth login" from the commandline.
|
2718
|
-
*
|
2719
|
-
* @param options - Options, to optionally allow multi-tenant requests.
|
2720
|
-
*/
|
2721
|
-
constructor(options) {
|
2722
|
-
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
2723
|
-
checkTenantId(logger$c, options === null || options === void 0 ? void 0 : options.tenantId);
|
2724
|
-
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
2725
|
-
}
|
2726
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
2727
|
-
this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
|
2728
|
-
}
|
2729
|
-
/**
|
2730
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
2731
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
2732
|
-
*
|
2733
|
-
* @param scopes - The list of scopes for which the token will have access.
|
2734
|
-
* @param options - The options used to configure any requests this
|
2735
|
-
* TokenCredential implementation might make.
|
2736
|
-
*/
|
2737
|
-
async getToken(scopes, options = {}) {
|
2738
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
2739
|
-
if (tenantId) {
|
2740
|
-
checkTenantId(logger$c, tenantId);
|
2741
|
-
}
|
2742
|
-
let scopeList;
|
2743
|
-
if (typeof scopes === "string") {
|
2744
|
-
scopeList = [scopes];
|
2745
|
-
}
|
2746
|
-
else {
|
2747
|
-
scopeList = scopes;
|
2748
|
-
}
|
2749
|
-
logger$c.getToken.info(`Using the scopes ${scopes}`);
|
2750
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
2751
|
-
var _a, _b, _c, _d;
|
2752
|
-
try {
|
2753
|
-
scopeList.forEach((scope) => {
|
2754
|
-
ensureValidScopeForDevTimeCreds(scope, logger$c);
|
2755
|
-
});
|
2756
|
-
const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
|
2757
|
-
const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
|
2758
|
-
((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
|
2759
|
-
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
|
2760
|
-
((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
|
2761
|
-
if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
|
2762
|
-
const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
2763
|
-
logger$c.getToken.info(formatError(scopes, error));
|
2764
|
-
throw error;
|
2765
|
-
}
|
2766
|
-
if (isNotLoggedInError) {
|
2767
|
-
const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
2768
|
-
logger$c.getToken.info(formatError(scopes, error));
|
2769
|
-
throw error;
|
2770
|
-
}
|
2771
|
-
try {
|
2772
|
-
const resp = JSON.parse(obj.stdout);
|
2773
|
-
logger$c.getToken.info(formatSuccess(scopes));
|
2774
|
-
return {
|
2775
|
-
token: resp.token,
|
2776
|
-
expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
|
2777
|
-
tokenType: "Bearer",
|
2778
|
-
};
|
2779
|
-
}
|
2780
|
-
catch (e) {
|
2781
|
-
if (obj.stderr) {
|
2782
|
-
throw new CredentialUnavailableError(obj.stderr);
|
2783
|
-
}
|
2784
|
-
throw e;
|
2785
|
-
}
|
2786
|
-
}
|
2787
|
-
catch (err) {
|
2788
|
-
const error = err.name === "CredentialUnavailableError"
|
2789
|
-
? err
|
2790
|
-
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
2791
|
-
logger$c.getToken.info(formatError(scopes, error));
|
2792
|
-
throw error;
|
2793
|
-
}
|
2794
|
-
});
|
2795
|
-
}
|
2796
|
-
}
|
2797
|
-
|
2798
|
-
// Copyright (c) Microsoft Corporation.
|
2799
|
-
// Licensed under the MIT License.
|
2800
|
-
/**
|
2801
|
-
* Easy to mock childProcess utils.
|
2802
|
-
* @internal
|
2803
|
-
*/
|
2804
|
-
const processUtils = {
|
2805
|
-
/**
|
2806
|
-
* Promisifying childProcess.execFile
|
2807
|
-
* @internal
|
2808
|
-
*/
|
2809
|
-
execFile(file, params, options) {
|
2810
|
-
return new Promise((resolve, reject) => {
|
2811
|
-
child_process__namespace.execFile(file, params, options, (error, stdout, stderr) => {
|
2812
|
-
if (Buffer.isBuffer(stdout)) {
|
2813
|
-
stdout = stdout.toString("utf8");
|
2814
|
-
}
|
2815
|
-
if (Buffer.isBuffer(stderr)) {
|
2816
|
-
stderr = stderr.toString("utf8");
|
2817
|
-
}
|
2818
|
-
if (stderr || error) {
|
2819
|
-
reject(stderr ? new Error(stderr) : error);
|
2820
|
-
}
|
2821
|
-
else {
|
2822
|
-
resolve(stdout);
|
2823
|
-
}
|
2824
|
-
});
|
2825
|
-
});
|
2826
|
-
},
|
2827
|
-
};
|
2828
|
-
|
2829
|
-
// Copyright (c) Microsoft Corporation.
|
2830
|
-
// Licensed under the MIT License.
|
2831
|
-
const logger$b = credentialLogger("AzurePowerShellCredential");
|
2832
|
-
const isWindows = process.platform === "win32";
|
2833
|
-
/**
|
2834
|
-
* Returns a platform-appropriate command name by appending ".exe" on Windows.
|
2835
|
-
*
|
2836
|
-
* @internal
|
2837
|
-
*/
|
2838
|
-
function formatCommand(commandName) {
|
2839
|
-
if (isWindows) {
|
2840
|
-
return `${commandName}.exe`;
|
2841
|
-
}
|
2842
|
-
else {
|
2843
|
-
return commandName;
|
2844
|
-
}
|
2845
|
-
}
|
2846
|
-
/**
|
2847
|
-
* Receives a list of commands to run, executes them, then returns the outputs.
|
2848
|
-
* If anything fails, an error is thrown.
|
2849
|
-
* @internal
|
2850
|
-
*/
|
2851
|
-
async function runCommands(commands, timeout) {
|
2852
|
-
const results = [];
|
2853
|
-
for (const command of commands) {
|
2854
|
-
const [file, ...parameters] = command;
|
2855
|
-
const result = (await processUtils.execFile(file, parameters, {
|
2856
|
-
encoding: "utf8",
|
2857
|
-
timeout,
|
2858
|
-
}));
|
2859
|
-
results.push(result);
|
2860
|
-
}
|
2861
|
-
return results;
|
2862
|
-
}
|
2863
|
-
/**
|
2864
|
-
* Known PowerShell errors
|
2865
|
-
* @internal
|
2866
|
-
*/
|
2867
|
-
const powerShellErrors = {
|
2868
|
-
login: "Run Connect-AzAccount to login",
|
2869
|
-
installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory",
|
2870
|
-
};
|
2871
|
-
/**
|
2872
|
-
* Messages to use when throwing in this credential.
|
2873
|
-
* @internal
|
2874
|
-
*/
|
2875
|
-
const powerShellPublicErrorMessages = {
|
2876
|
-
login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
|
2877
|
-
installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
|
2878
|
-
troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
|
2879
|
-
};
|
2880
|
-
// PowerShell Azure User not logged in error check.
|
2881
|
-
const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
|
2882
|
-
// Az Module not Installed in Azure PowerShell check.
|
2883
|
-
const isNotInstalledError = (err) => err.message.match(powerShellErrors.installed);
|
2884
|
-
/**
|
2885
|
-
* The PowerShell commands to be tried, in order.
|
2886
|
-
*
|
2887
|
-
* @internal
|
2888
|
-
*/
|
2889
|
-
const commandStack = [formatCommand("pwsh")];
|
2890
|
-
if (isWindows) {
|
2891
|
-
commandStack.push(formatCommand("powershell"));
|
2892
|
-
}
|
2893
|
-
/**
|
2894
|
-
* This credential will use the currently logged-in user information from the
|
2895
|
-
* Azure PowerShell module. To do so, it will read the user access token and
|
2896
|
-
* expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
|
2897
|
-
*/
|
2898
|
-
class AzurePowerShellCredential {
|
2899
|
-
/**
|
2900
|
-
* Creates an instance of the {@link AzurePowerShellCredential}.
|
2901
|
-
*
|
2902
|
-
* To use this credential:
|
2903
|
-
* - Install the Azure Az PowerShell module with:
|
2904
|
-
* `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
|
2905
|
-
* - You have already logged in to Azure PowerShell using the command
|
2906
|
-
* `Connect-AzAccount` from the command line.
|
2907
|
-
*
|
2908
|
-
* @param options - Options, to optionally allow multi-tenant requests.
|
2909
|
-
*/
|
2910
|
-
constructor(options) {
|
2911
|
-
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
2912
|
-
checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
|
2913
|
-
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
2914
|
-
}
|
2915
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
2916
|
-
this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
|
2917
|
-
}
|
2918
|
-
/**
|
2919
|
-
* Gets the access token from Azure PowerShell
|
2920
|
-
* @param resource - The resource to use when getting the token
|
2921
|
-
*/
|
2922
|
-
async getAzurePowerShellAccessToken(resource, tenantId, timeout) {
|
2923
|
-
// Clone the stack to avoid mutating it while iterating
|
2924
|
-
for (const powerShellCommand of [...commandStack]) {
|
2925
|
-
try {
|
2926
|
-
await runCommands([[powerShellCommand, "/?"]], timeout);
|
2927
|
-
}
|
2928
|
-
catch (e) {
|
2929
|
-
// Remove this credential from the original stack so that we don't try it again.
|
2930
|
-
commandStack.shift();
|
2931
|
-
continue;
|
2932
|
-
}
|
2933
|
-
const results = await runCommands([
|
2934
|
-
[
|
2935
|
-
powerShellCommand,
|
2936
|
-
"-NoProfile",
|
2937
|
-
"-NonInteractive",
|
2938
|
-
"-Command",
|
2939
|
-
`
|
2940
|
-
$tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
|
2941
|
-
$m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
|
2942
|
-
$useSecureString = $m.Version -ge [version]'2.17.0'
|
2943
|
-
|
2944
|
-
$params = @{
|
2945
|
-
ResourceUrl = "${resource}"
|
2946
|
-
}
|
2947
|
-
|
2948
|
-
if ($tenantId.Length -gt 0) {
|
2949
|
-
$params["TenantId"] = $tenantId
|
2950
|
-
}
|
2951
|
-
|
2952
|
-
if ($useSecureString) {
|
2953
|
-
$params["AsSecureString"] = $true
|
2954
|
-
}
|
2955
|
-
|
2956
|
-
$token = Get-AzAccessToken @params
|
2957
|
-
|
2958
|
-
$result = New-Object -TypeName PSObject
|
2959
|
-
$result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
|
2960
|
-
if ($useSecureString) {
|
2961
|
-
$result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
|
2962
|
-
} else {
|
2963
|
-
$result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
|
2964
|
-
}
|
2965
|
-
|
2966
|
-
Write-Output (ConvertTo-Json $result)
|
2967
|
-
`,
|
2968
|
-
],
|
2969
|
-
]);
|
2970
|
-
const result = results[0];
|
2971
|
-
return parseJsonToken(result);
|
2972
|
-
}
|
2973
|
-
throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
|
2974
|
-
}
|
2975
|
-
/**
|
2976
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
2977
|
-
* If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
|
2978
|
-
*
|
2979
|
-
* @param scopes - The list of scopes for which the token will have access.
|
2980
|
-
* @param options - The options used to configure any requests this TokenCredential implementation might make.
|
2981
|
-
*/
|
2982
|
-
async getToken(scopes, options = {}) {
|
2983
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
2984
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
2985
|
-
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
2986
|
-
if (tenantId) {
|
2987
|
-
checkTenantId(logger$b, tenantId);
|
2988
|
-
}
|
2989
|
-
try {
|
2990
|
-
ensureValidScopeForDevTimeCreds(scope, logger$b);
|
2991
|
-
logger$b.getToken.info(`Using the scope ${scope}`);
|
2992
|
-
const resource = getScopeResource(scope);
|
2993
|
-
const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
|
2994
|
-
logger$b.getToken.info(formatSuccess(scopes));
|
2995
|
-
return {
|
2996
|
-
token: response.Token,
|
2997
|
-
expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
|
2998
|
-
tokenType: "Bearer",
|
2999
|
-
};
|
3000
|
-
}
|
3001
|
-
catch (err) {
|
3002
|
-
if (isNotInstalledError(err)) {
|
3003
|
-
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
|
3004
|
-
logger$b.getToken.info(formatError(scope, error));
|
3005
|
-
throw error;
|
3006
|
-
}
|
3007
|
-
else if (isLoginError(err)) {
|
3008
|
-
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
|
3009
|
-
logger$b.getToken.info(formatError(scope, error));
|
3010
|
-
throw error;
|
3011
|
-
}
|
3012
|
-
const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
|
3013
|
-
logger$b.getToken.info(formatError(scope, error));
|
3014
|
-
throw error;
|
3015
|
-
}
|
3016
|
-
});
|
3017
|
-
}
|
3018
|
-
}
|
3019
|
-
/**
|
3020
|
-
*
|
3021
|
-
* @internal
|
3022
|
-
*/
|
3023
|
-
async function parseJsonToken(result) {
|
3024
|
-
const jsonRegex = /{[^{}]*}/g;
|
3025
|
-
const matches = result.match(jsonRegex);
|
3026
|
-
let resultWithoutToken = result;
|
3027
|
-
if (matches) {
|
3028
|
-
try {
|
3029
|
-
for (const item of matches) {
|
3030
|
-
try {
|
3031
|
-
const jsonContent = JSON.parse(item);
|
3032
|
-
if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
|
3033
|
-
resultWithoutToken = resultWithoutToken.replace(item, "");
|
3034
|
-
if (resultWithoutToken) {
|
3035
|
-
logger$b.getToken.warning(resultWithoutToken);
|
3036
|
-
}
|
3037
|
-
return jsonContent;
|
3038
|
-
}
|
3039
|
-
}
|
3040
|
-
catch (e) {
|
3041
|
-
continue;
|
3042
|
-
}
|
3043
|
-
}
|
3044
|
-
}
|
3045
|
-
catch (e) {
|
3046
|
-
throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
|
3047
|
-
}
|
3048
|
-
}
|
3049
|
-
throw new Error(`No access token found in the output. Received output: ${result}`);
|
3050
|
-
}
|
3051
|
-
|
3052
|
-
// Copyright (c) Microsoft Corporation.
|
3053
|
-
// Licensed under the MIT License.
|
3054
|
-
/**
|
3055
|
-
* @internal
|
3056
|
-
*/
|
3057
|
-
const logger$a = credentialLogger("ChainedTokenCredential");
|
3058
|
-
/**
|
3059
|
-
* Enables multiple `TokenCredential` implementations to be tried in order until
|
3060
|
-
* one of the getToken methods returns an access token. For more information, see
|
3061
|
-
* [ChainedTokenCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-chainedtokencredential-for-granularity).
|
3062
|
-
*/
|
3063
|
-
class ChainedTokenCredential {
|
3064
|
-
/**
|
3065
|
-
* Creates an instance of ChainedTokenCredential using the given credentials.
|
3066
|
-
*
|
3067
|
-
* @param sources - `TokenCredential` implementations to be tried in order.
|
3068
|
-
*
|
3069
|
-
* Example usage:
|
3070
|
-
* ```ts snippet:chained_token_credential_example
|
3071
|
-
* import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
|
3072
|
-
*
|
3073
|
-
* const tenantId = "<tenant-id>";
|
3074
|
-
* const clientId = "<client-id>";
|
3075
|
-
* const clientSecret = "<client-secret>";
|
3076
|
-
* const anotherClientId = "<another-client-id>";
|
3077
|
-
* const anotherSecret = "<another-client-secret>";
|
3078
|
-
* const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
|
3079
|
-
* const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
|
3080
|
-
* const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
|
3081
|
-
* ```
|
3082
|
-
*/
|
3083
|
-
constructor(...sources) {
|
3084
|
-
this._sources = [];
|
3085
|
-
this._sources = sources;
|
3086
|
-
}
|
3087
|
-
/**
|
3088
|
-
* Returns the first access token returned by one of the chained
|
3089
|
-
* `TokenCredential` implementations. Throws an {@link AggregateAuthenticationError}
|
3090
|
-
* when one or more credentials throws an {@link AuthenticationError} and
|
3091
|
-
* no credentials have returned an access token.
|
3092
|
-
*
|
3093
|
-
* This method is called automatically by Azure SDK client libraries. You may call this method
|
3094
|
-
* directly, but you must also handle token caching and token refreshing.
|
3095
|
-
*
|
3096
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3097
|
-
* @param options - The options used to configure any requests this
|
3098
|
-
* `TokenCredential` implementation might make.
|
3099
|
-
*/
|
3100
|
-
async getToken(scopes, options = {}) {
|
3101
|
-
const { token } = await this.getTokenInternal(scopes, options);
|
3102
|
-
return token;
|
3103
|
-
}
|
3104
|
-
async getTokenInternal(scopes, options = {}) {
|
3105
|
-
let token = null;
|
3106
|
-
let successfulCredential;
|
3107
|
-
const errors = [];
|
3108
|
-
return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
|
3109
|
-
for (let i = 0; i < this._sources.length && token === null; i++) {
|
3110
|
-
try {
|
3111
|
-
token = await this._sources[i].getToken(scopes, updatedOptions);
|
3112
|
-
successfulCredential = this._sources[i];
|
3113
|
-
}
|
3114
|
-
catch (err) {
|
3115
|
-
if (err.name === "CredentialUnavailableError" ||
|
3116
|
-
err.name === "AuthenticationRequiredError") {
|
3117
|
-
errors.push(err);
|
3118
|
-
}
|
3119
|
-
else {
|
3120
|
-
logger$a.getToken.info(formatError(scopes, err));
|
3121
|
-
throw err;
|
3122
|
-
}
|
3123
|
-
}
|
3124
|
-
}
|
3125
|
-
if (!token && errors.length > 0) {
|
3126
|
-
const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
|
3127
|
-
logger$a.getToken.info(formatError(scopes, err));
|
3128
|
-
throw err;
|
3129
|
-
}
|
3130
|
-
logger$a.getToken.info(`Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`);
|
3131
|
-
if (token === null) {
|
3132
|
-
throw new CredentialUnavailableError("Failed to retrieve a valid token");
|
3133
|
-
}
|
3134
|
-
return { token, successfulCredential };
|
3135
|
-
});
|
3136
|
-
}
|
3137
|
-
}
|
3138
|
-
|
3139
|
-
// Copyright (c) Microsoft Corporation.
|
3140
|
-
// Licensed under the MIT License.
|
3141
|
-
const credentialName$3 = "ClientCertificateCredential";
|
3142
|
-
const logger$9 = credentialLogger(credentialName$3);
|
3143
|
-
/**
|
3144
|
-
* Enables authentication to Microsoft Entra ID using a PEM-encoded
|
3145
|
-
* certificate that is assigned to an App Registration. More information
|
3146
|
-
* on how to configure certificate authentication can be found here:
|
3147
|
-
*
|
3148
|
-
* https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
|
3149
|
-
*
|
3150
|
-
*/
|
3151
|
-
class ClientCertificateCredential {
|
3152
|
-
constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
|
3153
|
-
if (!tenantId || !clientId) {
|
3154
|
-
throw new Error(`${credentialName$3}: tenantId and clientId are required parameters.`);
|
3155
|
-
}
|
3156
|
-
this.tenantId = tenantId;
|
3157
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
3158
|
-
this.sendCertificateChain = options.sendCertificateChain;
|
3159
|
-
this.certificateConfiguration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
|
3160
|
-
? {
|
3161
|
-
certificatePath: certificatePathOrConfiguration,
|
3162
|
-
}
|
3163
|
-
: certificatePathOrConfiguration));
|
3164
|
-
const certificate = this.certificateConfiguration.certificate;
|
3165
|
-
const certificatePath = this.certificateConfiguration.certificatePath;
|
3166
|
-
if (!this.certificateConfiguration || !(certificate || certificatePath)) {
|
3167
|
-
throw new Error(`${credentialName$3}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
3168
|
-
}
|
3169
|
-
if (certificate && certificatePath) {
|
3170
|
-
throw new Error(`${credentialName$3}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
3171
|
-
}
|
3172
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$9, tokenCredentialOptions: options }));
|
3173
|
-
}
|
3174
|
-
/**
|
3175
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3176
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3177
|
-
*
|
3178
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3179
|
-
* @param options - The options used to configure any requests this
|
3180
|
-
* TokenCredential implementation might make.
|
3181
|
-
*/
|
3182
|
-
async getToken(scopes, options = {}) {
|
3183
|
-
return tracingClient.withSpan(`${credentialName$3}.getToken`, options, async (newOptions) => {
|
3184
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$9);
|
3185
|
-
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
3186
|
-
const certificate = await this.buildClientCertificate();
|
3187
|
-
return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);
|
3188
|
-
});
|
3189
|
-
}
|
3190
|
-
async buildClientCertificate() {
|
3191
|
-
var _a;
|
3192
|
-
const parts = await parseCertificate(this.certificateConfiguration, (_a = this.sendCertificateChain) !== null && _a !== void 0 ? _a : false);
|
3193
|
-
let privateKey;
|
3194
|
-
if (this.certificateConfiguration.certificatePassword !== undefined) {
|
3195
|
-
privateKey = crypto.createPrivateKey({
|
3196
|
-
key: parts.certificateContents,
|
3197
|
-
passphrase: this.certificateConfiguration.certificatePassword,
|
3198
|
-
format: "pem",
|
3199
|
-
})
|
3200
|
-
.export({
|
3201
|
-
format: "pem",
|
3202
|
-
type: "pkcs8",
|
3203
|
-
})
|
3204
|
-
.toString();
|
3205
|
-
}
|
3206
|
-
else {
|
3207
|
-
privateKey = parts.certificateContents;
|
3208
|
-
}
|
3209
|
-
return {
|
3210
|
-
thumbprint: parts.thumbprint,
|
3211
|
-
privateKey,
|
3212
|
-
x5c: parts.x5c,
|
3213
|
-
};
|
3214
|
-
}
|
3215
|
-
}
|
3216
|
-
/**
|
3217
|
-
* Parses a certificate into its relevant parts
|
3218
|
-
*
|
3219
|
-
* @param certificateConfiguration - The certificate contents or path to the certificate
|
3220
|
-
* @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise
|
3221
|
-
* @returns The parsed certificate parts and the certificate contents
|
3222
|
-
*/
|
3223
|
-
async function parseCertificate(certificateConfiguration, sendCertificateChain) {
|
3224
|
-
const certificate = certificateConfiguration.certificate;
|
3225
|
-
const certificatePath = certificateConfiguration.certificatePath;
|
3226
|
-
const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
|
3227
|
-
const x5c = sendCertificateChain ? certificateContents : undefined;
|
3228
|
-
const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
|
3229
|
-
const publicKeys = [];
|
3230
|
-
// Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
|
3231
|
-
let match;
|
3232
|
-
do {
|
3233
|
-
match = certificatePattern.exec(certificateContents);
|
3234
|
-
if (match) {
|
3235
|
-
publicKeys.push(match[3]);
|
3236
|
-
}
|
3237
|
-
} while (match);
|
3238
|
-
if (publicKeys.length === 0) {
|
3239
|
-
throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
|
3240
|
-
}
|
3241
|
-
const thumbprint = crypto.createHash("sha1")
|
3242
|
-
.update(Buffer.from(publicKeys[0], "base64"))
|
3243
|
-
.digest("hex")
|
3244
|
-
.toUpperCase();
|
3245
|
-
return {
|
3246
|
-
certificateContents,
|
3247
|
-
thumbprint,
|
3248
|
-
x5c,
|
3249
|
-
};
|
3250
|
-
}
|
3251
|
-
|
3252
|
-
// Copyright (c) Microsoft Corporation.
|
3253
|
-
// Licensed under the MIT License.
|
3254
|
-
const logger$8 = credentialLogger("ClientSecretCredential");
|
3255
|
-
/**
|
3256
|
-
* Enables authentication to Microsoft Entra ID using a client secret
|
3257
|
-
* that was generated for an App Registration. More information on how
|
3258
|
-
* to configure a client secret can be found here:
|
3259
|
-
*
|
3260
|
-
* https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
|
3261
|
-
*
|
3262
|
-
*/
|
3263
|
-
class ClientSecretCredential {
|
3264
|
-
/**
|
3265
|
-
* Creates an instance of the ClientSecretCredential with the details
|
3266
|
-
* needed to authenticate against Microsoft Entra ID with a client
|
3267
|
-
* secret.
|
3268
|
-
*
|
3269
|
-
* @param tenantId - The Microsoft Entra tenant (directory) ID.
|
3270
|
-
* @param clientId - The client (application) ID of an App Registration in the tenant.
|
3271
|
-
* @param clientSecret - A client secret that was generated for the App Registration.
|
3272
|
-
* @param options - Options for configuring the client which makes the authentication request.
|
3273
|
-
*/
|
3274
|
-
constructor(tenantId, clientId, clientSecret, options = {}) {
|
3275
|
-
if (!tenantId) {
|
3276
|
-
throw new CredentialUnavailableError("ClientSecretCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
|
3277
|
-
}
|
3278
|
-
if (!clientId) {
|
3279
|
-
throw new CredentialUnavailableError("ClientSecretCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
|
3280
|
-
}
|
3281
|
-
if (!clientSecret) {
|
3282
|
-
throw new CredentialUnavailableError("ClientSecretCredential: clientSecret is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
|
3283
|
-
}
|
3284
|
-
this.clientSecret = clientSecret;
|
3285
|
-
this.tenantId = tenantId;
|
3286
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
3287
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$8, tokenCredentialOptions: options }));
|
3288
|
-
}
|
3289
|
-
/**
|
3290
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3291
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3292
|
-
*
|
3293
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3294
|
-
* @param options - The options used to configure any requests this
|
3295
|
-
* TokenCredential implementation might make.
|
3296
|
-
*/
|
3297
|
-
async getToken(scopes, options = {}) {
|
3298
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
3299
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
|
3300
|
-
const arrayScopes = ensureScopes(scopes);
|
3301
|
-
return this.msalClient.getTokenByClientSecret(arrayScopes, this.clientSecret, newOptions);
|
3302
|
-
});
|
3303
|
-
}
|
3304
|
-
}
|
3305
|
-
|
3306
|
-
// Copyright (c) Microsoft Corporation.
|
3307
|
-
// Licensed under the MIT License.
|
3308
|
-
const logger$7 = credentialLogger("UsernamePasswordCredential");
|
3309
|
-
/**
|
3310
|
-
* Enables authentication to Microsoft Entra ID with a user's
|
3311
|
-
* username and password. This credential requires a high degree of
|
3312
|
-
* trust so you should only use it when other, more secure credential
|
3313
|
-
* types can't be used.
|
3314
|
-
*/
|
3315
|
-
class UsernamePasswordCredential {
|
3316
|
-
/**
|
3317
|
-
* Creates an instance of the UsernamePasswordCredential with the details
|
3318
|
-
* needed to authenticate against Microsoft Entra ID with a username
|
3319
|
-
* and password.
|
3320
|
-
*
|
3321
|
-
* @param tenantId - The Microsoft Entra tenant (directory).
|
3322
|
-
* @param clientId - The client (application) ID of an App Registration in the tenant.
|
3323
|
-
* @param username - The user account's e-mail address (user name).
|
3324
|
-
* @param password - The user account's account password
|
3325
|
-
* @param options - Options for configuring the client which makes the authentication request.
|
3326
|
-
*/
|
3327
|
-
constructor(tenantId, clientId, username, password, options = {}) {
|
3328
|
-
if (!tenantId) {
|
3329
|
-
throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
3330
|
-
}
|
3331
|
-
if (!clientId) {
|
3332
|
-
throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
3333
|
-
}
|
3334
|
-
if (!username) {
|
3335
|
-
throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
3336
|
-
}
|
3337
|
-
if (!password) {
|
3338
|
-
throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
3339
|
-
}
|
3340
|
-
this.tenantId = tenantId;
|
3341
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
3342
|
-
this.username = username;
|
3343
|
-
this.password = password;
|
3344
|
-
this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
|
3345
|
-
}
|
3346
|
-
/**
|
3347
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3348
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3349
|
-
*
|
3350
|
-
* If the user provided the option `disableAutomaticAuthentication`,
|
3351
|
-
* once the token can't be retrieved silently,
|
3352
|
-
* this method won't attempt to request user interaction to retrieve the token.
|
3353
|
-
*
|
3354
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3355
|
-
* @param options - The options used to configure any requests this
|
3356
|
-
* TokenCredential implementation might make.
|
3357
|
-
*/
|
3358
|
-
async getToken(scopes, options = {}) {
|
3359
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
3360
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
|
3361
|
-
const arrayScopes = ensureScopes(scopes);
|
3362
|
-
return this.msalClient.getTokenByUsernamePassword(arrayScopes, this.username, this.password, newOptions);
|
3363
|
-
});
|
3364
|
-
}
|
3365
|
-
}
|
3366
|
-
|
3367
|
-
// Copyright (c) Microsoft Corporation.
|
3368
|
-
// Licensed under the MIT License.
|
3369
|
-
/**
|
3370
|
-
* Contains the list of all supported environment variable names so that an
|
3371
|
-
* appropriate error message can be generated when no credentials can be
|
3372
|
-
* configured.
|
3373
|
-
*
|
3374
|
-
* @internal
|
3375
|
-
*/
|
3376
|
-
const AllSupportedEnvironmentVariables = [
|
3377
|
-
"AZURE_TENANT_ID",
|
3378
|
-
"AZURE_CLIENT_ID",
|
3379
|
-
"AZURE_CLIENT_SECRET",
|
3380
|
-
"AZURE_CLIENT_CERTIFICATE_PATH",
|
3381
|
-
"AZURE_CLIENT_CERTIFICATE_PASSWORD",
|
3382
|
-
"AZURE_USERNAME",
|
3383
|
-
"AZURE_PASSWORD",
|
3384
|
-
"AZURE_ADDITIONALLY_ALLOWED_TENANTS",
|
3385
|
-
"AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
|
3386
|
-
];
|
3387
|
-
function getAdditionallyAllowedTenants() {
|
3388
|
-
var _a;
|
3389
|
-
const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
|
3390
|
-
return additionallyAllowedValues.split(";");
|
3391
|
-
}
|
3392
|
-
const credentialName$2 = "EnvironmentCredential";
|
3393
|
-
const logger$6 = credentialLogger(credentialName$2);
|
3394
|
-
function getSendCertificateChain() {
|
3395
|
-
var _a;
|
3396
|
-
const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase();
|
3397
|
-
const result = sendCertificateChain === "true" || sendCertificateChain === "1";
|
3398
|
-
logger$6.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`);
|
3399
|
-
return result;
|
3400
|
-
}
|
3401
|
-
/**
|
3402
|
-
* Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
|
3403
|
-
* with a username and password.
|
3404
|
-
*/
|
3405
|
-
class EnvironmentCredential {
|
3406
|
-
/**
|
3407
|
-
* Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
|
3408
|
-
*
|
3409
|
-
* Required environment variables:
|
3410
|
-
* - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
|
3411
|
-
* - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
|
3412
|
-
*
|
3413
|
-
* If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
|
3414
|
-
* - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
|
3415
|
-
*
|
3416
|
-
* Environment variables used for client credential authentication:
|
3417
|
-
* - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
|
3418
|
-
* - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
|
3419
|
-
* - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
|
3420
|
-
* - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
|
3421
|
-
*
|
3422
|
-
* Alternatively, users can provide environment variables for username and password authentication:
|
3423
|
-
* - `AZURE_USERNAME`: Username to authenticate with.
|
3424
|
-
* - `AZURE_PASSWORD`: Password to authenticate with.
|
3425
|
-
*
|
3426
|
-
* If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
|
3427
|
-
* If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
|
3428
|
-
*
|
3429
|
-
* @param options - Options for configuring the client which makes the authentication request.
|
3430
|
-
*/
|
3431
|
-
constructor(options) {
|
3432
|
-
// Keep track of any missing environment variables for error details
|
3433
|
-
this._credential = undefined;
|
3434
|
-
const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
|
3435
|
-
logger$6.info(`Found the following environment variables: ${assigned}`);
|
3436
|
-
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
|
3437
|
-
const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
|
3438
|
-
const sendCertificateChain = getSendCertificateChain();
|
3439
|
-
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain });
|
3440
|
-
if (tenantId) {
|
3441
|
-
checkTenantId(logger$6, tenantId);
|
3442
|
-
}
|
3443
|
-
if (tenantId && clientId && clientSecret) {
|
3444
|
-
logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
|
3445
|
-
this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
|
3446
|
-
return;
|
3447
|
-
}
|
3448
|
-
const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
|
3449
|
-
const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
|
3450
|
-
if (tenantId && clientId && certificatePath) {
|
3451
|
-
logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
|
3452
|
-
this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
|
3453
|
-
return;
|
3454
|
-
}
|
3455
|
-
const username = process.env.AZURE_USERNAME;
|
3456
|
-
const password = process.env.AZURE_PASSWORD;
|
3457
|
-
if (tenantId && clientId && username && password) {
|
3458
|
-
logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
|
3459
|
-
this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
|
3460
|
-
}
|
3461
|
-
}
|
3462
|
-
/**
|
3463
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3464
|
-
*
|
3465
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3466
|
-
* @param options - Optional parameters. See {@link GetTokenOptions}.
|
3467
|
-
*/
|
3468
|
-
async getToken(scopes, options = {}) {
|
3469
|
-
return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
|
3470
|
-
if (this._credential) {
|
3471
|
-
try {
|
3472
|
-
const result = await this._credential.getToken(scopes, newOptions);
|
3473
|
-
logger$6.getToken.info(formatSuccess(scopes));
|
3474
|
-
return result;
|
3475
|
-
}
|
3476
|
-
catch (err) {
|
3477
|
-
const authenticationError = new AuthenticationError(400, {
|
3478
|
-
error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
|
3479
|
-
error_description: err.message.toString().split("More details:").join(""),
|
3480
|
-
});
|
3481
|
-
logger$6.getToken.info(formatError(scopes, authenticationError));
|
3482
|
-
throw authenticationError;
|
3483
|
-
}
|
3484
|
-
}
|
3485
|
-
throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
|
3486
|
-
});
|
3487
|
-
}
|
3488
|
-
}
|
3489
|
-
|
3490
|
-
// Copyright (c) Microsoft Corporation.
|
3491
|
-
// Licensed under the MIT License.
|
3492
|
-
const logger$5 = credentialLogger("DefaultAzureCredential");
|
3493
|
-
/**
|
3494
|
-
* Creates a {@link ManagedIdentityCredential} from the provided options.
|
3495
|
-
* @param options - Options to configure the credential.
|
3496
|
-
*
|
3497
|
-
* @internal
|
3498
|
-
*/
|
3499
|
-
function createDefaultManagedIdentityCredential(options = {}) {
|
3500
|
-
var _a, _b, _c, _d;
|
3501
|
-
(_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
|
3502
|
-
maxRetries: 5,
|
3503
|
-
retryDelayInMs: 800,
|
3504
|
-
});
|
3505
|
-
const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
|
3506
|
-
const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
|
3507
|
-
const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
|
3508
|
-
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
3509
|
-
const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
|
3510
|
-
if (managedResourceId) {
|
3511
|
-
const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
|
3512
|
-
return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
|
3513
|
-
}
|
3514
|
-
if (workloadFile && workloadIdentityClientId) {
|
3515
|
-
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
|
3516
|
-
return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
|
3517
|
-
}
|
3518
|
-
if (managedIdentityClientId) {
|
3519
|
-
const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
|
3520
|
-
return new ManagedIdentityCredential(managedIdentityClientOptions);
|
3521
|
-
}
|
3522
|
-
// We may be able to return a UnavailableCredential here, but that may be a breaking change
|
3523
|
-
return new ManagedIdentityCredential(options);
|
3524
|
-
}
|
3525
|
-
/**
|
3526
|
-
* Creates a {@link WorkloadIdentityCredential} from the provided options.
|
3527
|
-
* @param options - Options to configure the credential.
|
3528
|
-
*
|
3529
|
-
* @internal
|
3530
|
-
*/
|
3531
|
-
function createDefaultWorkloadIdentityCredential(options) {
|
3532
|
-
var _a, _b, _c;
|
3533
|
-
const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
|
3534
|
-
const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
|
3535
|
-
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
3536
|
-
const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
|
3537
|
-
if (workloadFile && workloadIdentityClientId) {
|
3538
|
-
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
|
3539
|
-
return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);
|
3540
|
-
}
|
3541
|
-
if (tenantId) {
|
3542
|
-
const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
|
3543
|
-
return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);
|
3544
|
-
}
|
3545
|
-
// We may be able to return a UnavailableCredential here, but that may be a breaking change
|
3546
|
-
return new WorkloadIdentityCredential(options);
|
3547
|
-
}
|
3548
|
-
/**
|
3549
|
-
* Creates a {@link AzureDeveloperCliCredential} from the provided options.
|
3550
|
-
* @param options - Options to configure the credential.
|
3551
|
-
*
|
3552
|
-
* @internal
|
3553
|
-
*/
|
3554
|
-
function createDefaultAzureDeveloperCliCredential(options = {}) {
|
3555
|
-
const processTimeoutInMs = options.processTimeoutInMs;
|
3556
|
-
return new AzureDeveloperCliCredential(Object.assign({ processTimeoutInMs }, options));
|
3557
|
-
}
|
3558
|
-
/**
|
3559
|
-
* Creates a {@link AzureCliCredential} from the provided options.
|
3560
|
-
* @param options - Options to configure the credential.
|
3561
|
-
*
|
3562
|
-
* @internal
|
3563
|
-
*/
|
3564
|
-
function createDefaultAzureCliCredential(options = {}) {
|
3565
|
-
const processTimeoutInMs = options.processTimeoutInMs;
|
3566
|
-
return new AzureCliCredential(Object.assign({ processTimeoutInMs }, options));
|
3567
|
-
}
|
3568
|
-
/**
|
3569
|
-
* Creates a {@link AzurePowerShellCredential} from the provided options.
|
3570
|
-
* @param options - Options to configure the credential.
|
3571
|
-
*
|
3572
|
-
* @internal
|
3573
|
-
*/
|
3574
|
-
function createDefaultAzurePowershellCredential(options = {}) {
|
3575
|
-
const processTimeoutInMs = options.processTimeoutInMs;
|
3576
|
-
return new AzurePowerShellCredential(Object.assign({ processTimeoutInMs }, options));
|
3577
|
-
}
|
3578
|
-
/**
|
3579
|
-
* Creates an {@link EnvironmentCredential} from the provided options.
|
3580
|
-
* @param options - Options to configure the credential.
|
3581
|
-
*
|
3582
|
-
* @internal
|
3583
|
-
*/
|
3584
|
-
function createEnvironmentCredential(options = {}) {
|
3585
|
-
return new EnvironmentCredential(options);
|
3586
|
-
}
|
3587
|
-
/**
|
3588
|
-
* A no-op credential that logs the reason it was skipped if getToken is called.
|
3589
|
-
* @internal
|
3590
|
-
*/
|
3591
|
-
class UnavailableDefaultCredential {
|
3592
|
-
constructor(credentialName, message) {
|
3593
|
-
this.credentialName = credentialName;
|
3594
|
-
this.credentialUnavailableErrorMessage = message;
|
3595
|
-
}
|
3596
|
-
getToken() {
|
3597
|
-
logger$5.getToken.info(`Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`);
|
3598
|
-
return Promise.resolve(null);
|
3599
|
-
}
|
3600
|
-
}
|
3601
|
-
/**
|
3602
|
-
* Provides a default {@link ChainedTokenCredential} configuration that works for most
|
3603
|
-
* applications that use Azure SDK client libraries. For more information, see
|
3604
|
-
* [DefaultAzureCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-defaultazurecredential-for-flexibility).
|
3605
|
-
*
|
3606
|
-
* The following credential types will be tried, in order:
|
3607
|
-
*
|
3608
|
-
* - {@link EnvironmentCredential}
|
3609
|
-
* - {@link WorkloadIdentityCredential}
|
3610
|
-
* - {@link ManagedIdentityCredential}
|
3611
|
-
* - {@link AzureCliCredential}
|
3612
|
-
* - {@link AzurePowerShellCredential}
|
3613
|
-
* - {@link AzureDeveloperCliCredential}
|
3614
|
-
*
|
3615
|
-
* Consult the documentation of these credential types for more information
|
3616
|
-
* on how they attempt authentication.
|
3617
|
-
*/
|
3618
|
-
class DefaultAzureCredential extends ChainedTokenCredential {
|
3619
|
-
constructor(options) {
|
3620
|
-
const credentialFunctions = [
|
3621
|
-
createEnvironmentCredential,
|
3622
|
-
createDefaultWorkloadIdentityCredential,
|
3623
|
-
createDefaultManagedIdentityCredential,
|
3624
|
-
createDefaultAzureCliCredential,
|
3625
|
-
createDefaultAzurePowershellCredential,
|
3626
|
-
createDefaultAzureDeveloperCliCredential,
|
3627
|
-
];
|
3628
|
-
// DefaultCredential constructors should not throw, instead throwing on getToken() which is handled by ChainedTokenCredential.
|
3629
|
-
// When adding new credentials to the default chain, consider:
|
3630
|
-
// 1. Making the constructor parameters required and explicit
|
3631
|
-
// 2. Validating any required parameters in the factory function
|
3632
|
-
// 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
|
3633
|
-
const credentials = credentialFunctions.map((createCredentialFn) => {
|
3634
|
-
try {
|
3635
|
-
return createCredentialFn(options);
|
3636
|
-
}
|
3637
|
-
catch (err) {
|
3638
|
-
logger$5.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
|
3639
|
-
return new UnavailableDefaultCredential(createCredentialFn.name, err.message);
|
3640
|
-
}
|
3641
|
-
});
|
3642
|
-
super(...credentials);
|
3643
|
-
}
|
3644
|
-
}
|
3645
|
-
|
3646
|
-
// Copyright (c) Microsoft Corporation.
|
3647
|
-
// Licensed under the MIT License.
|
3648
|
-
const logger$4 = credentialLogger("InteractiveBrowserCredential");
|
3649
|
-
/**
|
3650
|
-
* Enables authentication to Microsoft Entra ID inside of the web browser
|
3651
|
-
* using the interactive login flow.
|
3652
|
-
*/
|
3653
|
-
class InteractiveBrowserCredential {
|
3654
|
-
/**
|
3655
|
-
* Creates an instance of InteractiveBrowserCredential with the details needed.
|
3656
|
-
*
|
3657
|
-
* This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).
|
3658
|
-
* On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
|
3659
|
-
* On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
|
3660
|
-
*
|
3661
|
-
* For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
|
3662
|
-
* Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).
|
3663
|
-
*
|
3664
|
-
* @param options - Options for configuring the client which makes the authentication requests.
|
3665
|
-
*/
|
3666
|
-
constructor(options) {
|
3667
|
-
var _a, _b, _c, _d, _e;
|
3668
|
-
this.tenantId = resolveTenantId(logger$4, options.tenantId, options.clientId);
|
3669
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
3670
|
-
const msalClientOptions = Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4 });
|
3671
|
-
const ibcNodeOptions = options;
|
3672
|
-
this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;
|
3673
|
-
this.loginHint = ibcNodeOptions.loginHint;
|
3674
|
-
if ((_a = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) {
|
3675
|
-
if (!((_b = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b === void 0 ? void 0 : _b.parentWindowHandle)) {
|
3676
|
-
throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
|
3677
|
-
}
|
3678
|
-
else {
|
3679
|
-
msalClientOptions.brokerOptions = {
|
3680
|
-
enabled: true,
|
3681
|
-
parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
|
3682
|
-
legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
|
3683
|
-
useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount,
|
3684
|
-
};
|
3685
|
-
}
|
3686
|
-
}
|
3687
|
-
this.msalClient = createMsalClient((_e = options.clientId) !== null && _e !== void 0 ? _e : DeveloperSignOnClientId, this.tenantId, msalClientOptions);
|
3688
|
-
this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
|
3689
|
-
}
|
3690
|
-
/**
|
3691
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3692
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3693
|
-
*
|
3694
|
-
* If the user provided the option `disableAutomaticAuthentication`,
|
3695
|
-
* once the token can't be retrieved silently,
|
3696
|
-
* this method won't attempt to request user interaction to retrieve the token.
|
3697
|
-
*
|
3698
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3699
|
-
* @param options - The options used to configure any requests this
|
3700
|
-
* TokenCredential implementation might make.
|
3701
|
-
*/
|
3702
|
-
async getToken(scopes, options = {}) {
|
3703
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
3704
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$4);
|
3705
|
-
const arrayScopes = ensureScopes(scopes);
|
3706
|
-
return this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
|
3707
|
-
});
|
3708
|
-
}
|
3709
|
-
/**
|
3710
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3711
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3712
|
-
*
|
3713
|
-
* If the token can't be retrieved silently, this method will always generate a challenge for the user.
|
3714
|
-
*
|
3715
|
-
* On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
|
3716
|
-
* PKCE is a security feature that mitigates authentication code interception attacks.
|
3717
|
-
*
|
3718
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3719
|
-
* @param options - The options used to configure any requests this
|
3720
|
-
* TokenCredential implementation might make.
|
3721
|
-
*/
|
3722
|
-
async authenticate(scopes, options = {}) {
|
3723
|
-
return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
|
3724
|
-
const arrayScopes = ensureScopes(scopes);
|
3725
|
-
await this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
|
3726
|
-
return this.msalClient.getActiveAccount();
|
3727
|
-
});
|
3728
|
-
}
|
3729
|
-
}
|
3730
|
-
|
3731
|
-
// Copyright (c) Microsoft Corporation.
|
3732
|
-
// Licensed under the MIT License.
|
3733
|
-
const logger$3 = credentialLogger("DeviceCodeCredential");
|
3734
|
-
/**
|
3735
|
-
* Method that logs the user code from the DeviceCodeCredential.
|
3736
|
-
* @param deviceCodeInfo - The device code.
|
3737
|
-
*/
|
3738
|
-
function defaultDeviceCodePromptCallback(deviceCodeInfo) {
|
3739
|
-
console.log(deviceCodeInfo.message);
|
3740
|
-
}
|
3741
|
-
/**
|
3742
|
-
* Enables authentication to Microsoft Entra ID using a device code
|
3743
|
-
* that the user can enter into https://microsoft.com/devicelogin.
|
3744
|
-
*/
|
3745
|
-
class DeviceCodeCredential {
|
3746
|
-
/**
|
3747
|
-
* Creates an instance of DeviceCodeCredential with the details needed
|
3748
|
-
* to initiate the device code authorization flow with Microsoft Entra ID.
|
3749
|
-
*
|
3750
|
-
* A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
|
3751
|
-
*
|
3752
|
-
* Developers can configure how this message is shown by passing a custom `userPromptCallback`:
|
3753
|
-
*
|
3754
|
-
* ```ts snippet:device_code_credential_example
|
3755
|
-
* import { DeviceCodeCredential } from "@azure/identity";
|
3756
|
-
*
|
3757
|
-
* const credential = new DeviceCodeCredential({
|
3758
|
-
* tenantId: process.env.AZURE_TENANT_ID,
|
3759
|
-
* clientId: process.env.AZURE_CLIENT_ID,
|
3760
|
-
* userPromptCallback: (info) => {
|
3761
|
-
* console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
|
3762
|
-
* },
|
3763
|
-
* });
|
3764
|
-
* ```
|
3765
|
-
*
|
3766
|
-
* @param options - Options for configuring the client which makes the authentication requests.
|
3767
|
-
*/
|
3768
|
-
constructor(options) {
|
3769
|
-
var _a, _b;
|
3770
|
-
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
3771
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
3772
|
-
const clientId = (_a = options === null || options === void 0 ? void 0 : options.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId;
|
3773
|
-
const tenantId = resolveTenantId(logger$3, options === null || options === void 0 ? void 0 : options.tenantId, clientId);
|
3774
|
-
this.userPromptCallback = (_b = options === null || options === void 0 ? void 0 : options.userPromptCallback) !== null && _b !== void 0 ? _b : defaultDeviceCodePromptCallback;
|
3775
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$3, tokenCredentialOptions: options || {} }));
|
3776
|
-
this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
|
3777
|
-
}
|
3778
|
-
/**
|
3779
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3780
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3781
|
-
*
|
3782
|
-
* If the user provided the option `disableAutomaticAuthentication`,
|
3783
|
-
* once the token can't be retrieved silently,
|
3784
|
-
* this method won't attempt to request user interaction to retrieve the token.
|
3785
|
-
*
|
3786
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3787
|
-
* @param options - The options used to configure any requests this
|
3788
|
-
* TokenCredential implementation might make.
|
3789
|
-
*/
|
3790
|
-
async getToken(scopes, options = {}) {
|
3791
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
3792
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
|
3793
|
-
const arrayScopes = ensureScopes(scopes);
|
3794
|
-
return this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
|
3795
|
-
});
|
3796
|
-
}
|
3797
|
-
/**
|
3798
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3799
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3800
|
-
*
|
3801
|
-
* If the token can't be retrieved silently, this method will always generate a challenge for the user.
|
3802
|
-
*
|
3803
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3804
|
-
* @param options - The options used to configure any requests this
|
3805
|
-
* TokenCredential implementation might make.
|
3806
|
-
*/
|
3807
|
-
async authenticate(scopes, options = {}) {
|
3808
|
-
return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
|
3809
|
-
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
3810
|
-
await this.msalClient.getTokenByDeviceCode(arrayScopes, this.userPromptCallback, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false }));
|
3811
|
-
return this.msalClient.getActiveAccount();
|
3812
|
-
});
|
3813
|
-
}
|
3814
|
-
}
|
3815
|
-
|
3816
|
-
// Copyright (c) Microsoft Corporation.
|
3817
|
-
// Licensed under the MIT License.
|
3818
|
-
const credentialName$1 = "AzurePipelinesCredential";
|
3819
|
-
const logger$2 = credentialLogger(credentialName$1);
|
3820
|
-
const OIDC_API_VERSION = "7.1";
|
3821
|
-
/**
|
3822
|
-
* This credential is designed to be used in Azure Pipelines with service connections
|
3823
|
-
* as a setup for workload identity federation.
|
3824
|
-
*/
|
3825
|
-
class AzurePipelinesCredential {
|
3826
|
-
/**
|
3827
|
-
* AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
|
3828
|
-
* @param tenantId - tenantId associated with the service connection
|
3829
|
-
* @param clientId - clientId associated with the service connection
|
3830
|
-
* @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key
|
3831
|
-
* @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
|
3832
|
-
* @param options - The identity client options to use for authentication.
|
3833
|
-
*/
|
3834
|
-
constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options = {}) {
|
3835
|
-
var _a, _b;
|
3836
|
-
if (!clientId) {
|
3837
|
-
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. clientId is a required parameter.`);
|
3838
|
-
}
|
3839
|
-
if (!tenantId) {
|
3840
|
-
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId is a required parameter.`);
|
3841
|
-
}
|
3842
|
-
if (!serviceConnectionId) {
|
3843
|
-
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. serviceConnectionId is a required parameter.`);
|
3844
|
-
}
|
3845
|
-
if (!systemAccessToken) {
|
3846
|
-
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. systemAccessToken is a required parameter.`);
|
3847
|
-
}
|
3848
|
-
// Allow these headers to be logged for troubleshooting by AzurePipelines.
|
3849
|
-
options.loggingOptions = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.loggingOptions), { additionalAllowedHeaderNames: [
|
3850
|
-
...((_b = (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.additionalAllowedHeaderNames) !== null && _b !== void 0 ? _b : []),
|
3851
|
-
"x-vss-e2eid",
|
3852
|
-
"x-msedge-ref",
|
3853
|
-
] });
|
3854
|
-
this.identityClient = new IdentityClient(options);
|
3855
|
-
checkTenantId(logger$2, tenantId);
|
3856
|
-
logger$2.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`);
|
3857
|
-
if (!process.env.SYSTEM_OIDCREQUESTURI) {
|
3858
|
-
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- "SYSTEM_OIDCREQUESTURI"`);
|
3859
|
-
}
|
3860
|
-
const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
|
3861
|
-
logger$2.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`);
|
3862
|
-
this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
|
3863
|
-
}
|
3864
|
-
/**
|
3865
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3866
|
-
* If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.
|
3867
|
-
*
|
3868
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3869
|
-
* @param options - The options used to configure any requests this
|
3870
|
-
* TokenCredential implementation might make.
|
3871
|
-
*/
|
3872
|
-
async getToken(scopes, options) {
|
3873
|
-
if (!this.clientAssertionCredential) {
|
3874
|
-
const errorMessage = `${credentialName$1}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required -
|
3875
|
-
tenantId,
|
3876
|
-
clientId,
|
3877
|
-
serviceConnectionId,
|
3878
|
-
systemAccessToken,
|
3879
|
-
"SYSTEM_OIDCREQUESTURI".
|
3880
|
-
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
|
3881
|
-
logger$2.error(errorMessage);
|
3882
|
-
throw new CredentialUnavailableError(errorMessage);
|
3883
|
-
}
|
3884
|
-
logger$2.info("Invoking getToken() of Client Assertion Credential");
|
3885
|
-
return this.clientAssertionCredential.getToken(scopes, options);
|
3886
|
-
}
|
3887
|
-
/**
|
3888
|
-
*
|
3889
|
-
* @param oidcRequestUrl - oidc request url
|
3890
|
-
* @param systemAccessToken - system access token
|
3891
|
-
* @returns OIDC token from Azure Pipelines
|
3892
|
-
*/
|
3893
|
-
async requestOidcToken(oidcRequestUrl, systemAccessToken) {
|
3894
|
-
logger$2.info("Requesting OIDC token from Azure Pipelines...");
|
3895
|
-
logger$2.info(oidcRequestUrl);
|
3896
|
-
const request = coreRestPipeline.createPipelineRequest({
|
3897
|
-
url: oidcRequestUrl,
|
3898
|
-
method: "POST",
|
3899
|
-
headers: coreRestPipeline.createHttpHeaders({
|
3900
|
-
"Content-Type": "application/json",
|
3901
|
-
Authorization: `Bearer ${systemAccessToken}`,
|
3902
|
-
// Prevents the service from responding with a redirect HTTP status code (useful for automation).
|
3903
|
-
"X-TFS-FedAuthRedirect": "Suppress",
|
3904
|
-
}),
|
3905
|
-
});
|
3906
|
-
const response = await this.identityClient.sendRequest(request);
|
3907
|
-
return handleOidcResponse(response);
|
3908
|
-
}
|
3909
|
-
}
|
3910
|
-
function handleOidcResponse(response) {
|
3911
|
-
// OIDC token is present in `bodyAsText` field
|
3912
|
-
const text = response.bodyAsText;
|
3913
|
-
if (!text) {
|
3914
|
-
logger$2.error(`${credentialName$1}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
|
3915
|
-
throw new AuthenticationError(response.status, {
|
3916
|
-
error: `${credentialName$1}: Authentication Failed. Received null token from OIDC request.`,
|
3917
|
-
error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
|
3918
|
-
});
|
3919
|
-
}
|
3920
|
-
try {
|
3921
|
-
const result = JSON.parse(text);
|
3922
|
-
if (result === null || result === void 0 ? void 0 : result.oidcToken) {
|
3923
|
-
return result.oidcToken;
|
3924
|
-
}
|
3925
|
-
else {
|
3926
|
-
const errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
|
3927
|
-
let errorDescription = ``;
|
3928
|
-
if (response.status !== 200) {
|
3929
|
-
errorDescription = `Response body = ${text}. Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
|
3930
|
-
}
|
3931
|
-
logger$2.error(errorMessage);
|
3932
|
-
logger$2.error(errorDescription);
|
3933
|
-
throw new AuthenticationError(response.status, {
|
3934
|
-
error: errorMessage,
|
3935
|
-
error_description: errorDescription,
|
3936
|
-
});
|
3937
|
-
}
|
3938
|
-
}
|
3939
|
-
catch (e) {
|
3940
|
-
const errorDetails = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
|
3941
|
-
logger$2.error(`Response from service = ${text}, Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")}
|
3942
|
-
and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}, error message = ${e.message}`);
|
3943
|
-
logger$2.error(errorDetails);
|
3944
|
-
throw new AuthenticationError(response.status, {
|
3945
|
-
error: errorDetails,
|
3946
|
-
error_description: `Response = ${text}. Response headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
|
3947
|
-
});
|
3948
|
-
}
|
3949
|
-
}
|
3950
|
-
|
3951
|
-
// Copyright (c) Microsoft Corporation.
|
3952
|
-
// Licensed under the MIT License.
|
3953
|
-
const logger$1 = credentialLogger("AuthorizationCodeCredential");
|
3954
|
-
/**
|
3955
|
-
* Enables authentication to Microsoft Entra ID using an authorization code
|
3956
|
-
* that was obtained through the authorization code flow, described in more detail
|
3957
|
-
* in the Microsoft Entra ID documentation:
|
3958
|
-
*
|
3959
|
-
* https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow
|
3960
|
-
*/
|
3961
|
-
class AuthorizationCodeCredential {
|
3962
|
-
/**
|
3963
|
-
* @hidden
|
3964
|
-
* @internal
|
3965
|
-
*/
|
3966
|
-
constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
|
3967
|
-
checkTenantId(logger$1, tenantId);
|
3968
|
-
this.clientSecret = clientSecretOrAuthorizationCode;
|
3969
|
-
if (typeof redirectUriOrOptions === "string") {
|
3970
|
-
// the clientId+clientSecret constructor
|
3971
|
-
this.authorizationCode = authorizationCodeOrRedirectUri;
|
3972
|
-
this.redirectUri = redirectUriOrOptions;
|
3973
|
-
// in this case, options are good as they come
|
3974
|
-
}
|
3975
|
-
else {
|
3976
|
-
// clientId only
|
3977
|
-
this.authorizationCode = clientSecretOrAuthorizationCode;
|
3978
|
-
this.redirectUri = authorizationCodeOrRedirectUri;
|
3979
|
-
this.clientSecret = undefined;
|
3980
|
-
options = redirectUriOrOptions;
|
3981
|
-
}
|
3982
|
-
// TODO: Validate tenant if provided
|
3983
|
-
this.tenantId = tenantId;
|
3984
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
3985
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$1, tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
|
3986
|
-
}
|
3987
|
-
/**
|
3988
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
3989
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
3990
|
-
*
|
3991
|
-
* @param scopes - The list of scopes for which the token will have access.
|
3992
|
-
* @param options - The options used to configure any requests this
|
3993
|
-
* TokenCredential implementation might make.
|
3994
|
-
*/
|
3995
|
-
async getToken(scopes, options = {}) {
|
3996
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
3997
|
-
const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
|
3998
|
-
newOptions.tenantId = tenantId;
|
3999
|
-
const arrayScopes = ensureScopes(scopes);
|
4000
|
-
return this.msalClient.getTokenByAuthorizationCode(arrayScopes, this.redirectUri, this.authorizationCode, this.clientSecret, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
|
4001
|
-
});
|
4002
|
-
}
|
4003
|
-
}
|
4004
|
-
|
4005
|
-
// Copyright (c) Microsoft Corporation.
|
4006
|
-
// Licensed under the MIT License.
|
4007
|
-
const credentialName = "OnBehalfOfCredential";
|
4008
|
-
const logger = credentialLogger(credentialName);
|
4009
|
-
/**
|
4010
|
-
* Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
|
4011
|
-
*/
|
4012
|
-
class OnBehalfOfCredential {
|
4013
|
-
constructor(options) {
|
4014
|
-
const { clientSecret } = options;
|
4015
|
-
const { certificatePath, sendCertificateChain } = options;
|
4016
|
-
const { getAssertion } = options;
|
4017
|
-
const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
|
4018
|
-
if (!tenantId) {
|
4019
|
-
throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
4020
|
-
}
|
4021
|
-
if (!clientId) {
|
4022
|
-
throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
4023
|
-
}
|
4024
|
-
if (!clientSecret && !certificatePath && !getAssertion) {
|
4025
|
-
throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
4026
|
-
}
|
4027
|
-
if (!userAssertionToken) {
|
4028
|
-
throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
4029
|
-
}
|
4030
|
-
this.certificatePath = certificatePath;
|
4031
|
-
this.clientSecret = clientSecret;
|
4032
|
-
this.userAssertionToken = userAssertionToken;
|
4033
|
-
this.sendCertificateChain = sendCertificateChain;
|
4034
|
-
this.clientAssertion = getAssertion;
|
4035
|
-
this.tenantId = tenantId;
|
4036
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
|
4037
|
-
this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
|
4038
|
-
}
|
4039
|
-
/**
|
4040
|
-
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
4041
|
-
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
4042
|
-
*
|
4043
|
-
* @param scopes - The list of scopes for which the token will have access.
|
4044
|
-
* @param options - The options used to configure the underlying network requests.
|
4045
|
-
*/
|
4046
|
-
async getToken(scopes, options = {}) {
|
4047
|
-
return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
|
4048
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
|
4049
|
-
const arrayScopes = ensureScopes(scopes);
|
4050
|
-
if (this.certificatePath) {
|
4051
|
-
const clientCertificate = await this.buildClientCertificate(this.certificatePath);
|
4052
|
-
return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, clientCertificate, newOptions);
|
4053
|
-
}
|
4054
|
-
else if (this.clientSecret) {
|
4055
|
-
return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
|
4056
|
-
}
|
4057
|
-
else if (this.clientAssertion) {
|
4058
|
-
return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientAssertion, options);
|
4059
|
-
}
|
4060
|
-
else {
|
4061
|
-
// this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided
|
4062
|
-
throw new Error("Expected either clientSecret or certificatePath or clientAssertion to be defined.");
|
4063
|
-
}
|
4064
|
-
});
|
4065
|
-
}
|
4066
|
-
async buildClientCertificate(certificatePath) {
|
4067
|
-
try {
|
4068
|
-
const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);
|
4069
|
-
return {
|
4070
|
-
thumbprint: parts.thumbprint,
|
4071
|
-
privateKey: parts.certificateContents,
|
4072
|
-
x5c: parts.x5c,
|
4073
|
-
};
|
4074
|
-
}
|
4075
|
-
catch (error) {
|
4076
|
-
logger.info(formatError("", error));
|
4077
|
-
throw error;
|
4078
|
-
}
|
4079
|
-
}
|
4080
|
-
async parseCertificate(configuration, sendCertificateChain) {
|
4081
|
-
const certificatePath = configuration.certificatePath;
|
4082
|
-
const certificateContents = await promises$1.readFile(certificatePath, "utf8");
|
4083
|
-
const x5c = sendCertificateChain ? certificateContents : undefined;
|
4084
|
-
const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
|
4085
|
-
const publicKeys = [];
|
4086
|
-
// Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
|
4087
|
-
let match;
|
4088
|
-
do {
|
4089
|
-
match = certificatePattern.exec(certificateContents);
|
4090
|
-
if (match) {
|
4091
|
-
publicKeys.push(match[3]);
|
4092
|
-
}
|
4093
|
-
} while (match);
|
4094
|
-
if (publicKeys.length === 0) {
|
4095
|
-
throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
|
4096
|
-
}
|
4097
|
-
const thumbprint = node_crypto.createHash("sha1")
|
4098
|
-
.update(Buffer.from(publicKeys[0], "base64"))
|
4099
|
-
.digest("hex")
|
4100
|
-
.toUpperCase();
|
4101
|
-
return {
|
4102
|
-
certificateContents,
|
4103
|
-
thumbprint,
|
4104
|
-
x5c,
|
4105
|
-
};
|
4106
|
-
}
|
4107
|
-
}
|
4108
|
-
|
4109
|
-
// Copyright (c) Microsoft Corporation.
|
4110
|
-
// Licensed under the MIT License.
|
4111
|
-
/**
|
4112
|
-
* Returns a callback that provides a bearer token.
|
4113
|
-
* For example, the bearer token can be used to authenticate a request as follows:
|
4114
|
-
* ```ts snippet:token_provider_example
|
4115
|
-
* import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
|
4116
|
-
* import { createPipelineRequest } from "@azure/core-rest-pipeline";
|
4117
|
-
*
|
4118
|
-
* const credential = new DefaultAzureCredential();
|
4119
|
-
* const scope = "https://cognitiveservices.azure.com/.default";
|
4120
|
-
* const getAccessToken = getBearerTokenProvider(credential, scope);
|
4121
|
-
* const token = await getAccessToken();
|
4122
|
-
* // usage
|
4123
|
-
* const request = createPipelineRequest({ url: "https://example.com" });
|
4124
|
-
* request.headers.set("Authorization", `Bearer ${token}`);
|
4125
|
-
* ```
|
4126
|
-
*
|
4127
|
-
* @param credential - The credential used to authenticate the request.
|
4128
|
-
* @param scopes - The scopes required for the bearer token.
|
4129
|
-
* @param options - Options to configure the token provider.
|
4130
|
-
* @returns a callback that provides a bearer token.
|
4131
|
-
*/
|
4132
|
-
function getBearerTokenProvider(credential, scopes, options) {
|
4133
|
-
const { abortSignal, tracingOptions } = options || {};
|
4134
|
-
const pipeline = coreRestPipeline.createEmptyPipeline();
|
4135
|
-
pipeline.addPolicy(coreRestPipeline.bearerTokenAuthenticationPolicy({ credential, scopes }));
|
4136
|
-
async function getRefreshedToken() {
|
4137
|
-
var _a;
|
4138
|
-
// Create a pipeline with just the bearer token policy
|
4139
|
-
// and run a dummy request through it to get the token
|
4140
|
-
const res = await pipeline.sendRequest({
|
4141
|
-
sendRequest: (request) => Promise.resolve({
|
4142
|
-
request,
|
4143
|
-
status: 200,
|
4144
|
-
headers: request.headers,
|
4145
|
-
}),
|
4146
|
-
}, coreRestPipeline.createPipelineRequest({
|
4147
|
-
url: "https://example.com",
|
4148
|
-
abortSignal,
|
4149
|
-
tracingOptions,
|
4150
|
-
}));
|
4151
|
-
const accessToken = (_a = res.headers.get("authorization")) === null || _a === void 0 ? void 0 : _a.split(" ")[1];
|
4152
|
-
if (!accessToken) {
|
4153
|
-
throw new Error("Failed to get access token");
|
4154
|
-
}
|
4155
|
-
return accessToken;
|
4156
|
-
}
|
4157
|
-
return getRefreshedToken;
|
4158
|
-
}
|
4159
|
-
|
4160
|
-
// Copyright (c) Microsoft Corporation.
|
4161
|
-
// Licensed under the MIT License.
|
4162
|
-
/**
|
4163
|
-
* Returns a new instance of the {@link DefaultAzureCredential}.
|
4164
|
-
*/
|
4165
|
-
function getDefaultAzureCredential() {
|
4166
|
-
return new DefaultAzureCredential();
|
4167
|
-
}
|
4168
|
-
|
4169
|
-
exports.AggregateAuthenticationError = AggregateAuthenticationError;
|
4170
|
-
exports.AggregateAuthenticationErrorName = AggregateAuthenticationErrorName;
|
4171
|
-
exports.AuthenticationError = AuthenticationError;
|
4172
|
-
exports.AuthenticationErrorName = AuthenticationErrorName;
|
4173
|
-
exports.AuthenticationRequiredError = AuthenticationRequiredError;
|
4174
|
-
exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
|
4175
|
-
exports.AzureCliCredential = AzureCliCredential;
|
4176
|
-
exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential;
|
4177
|
-
exports.AzurePipelinesCredential = AzurePipelinesCredential;
|
4178
|
-
exports.AzurePowerShellCredential = AzurePowerShellCredential;
|
4179
|
-
exports.ChainedTokenCredential = ChainedTokenCredential;
|
4180
|
-
exports.ClientAssertionCredential = ClientAssertionCredential;
|
4181
|
-
exports.ClientCertificateCredential = ClientCertificateCredential;
|
4182
|
-
exports.ClientSecretCredential = ClientSecretCredential;
|
4183
|
-
exports.CredentialUnavailableError = CredentialUnavailableError;
|
4184
|
-
exports.CredentialUnavailableErrorName = CredentialUnavailableErrorName;
|
4185
|
-
exports.DefaultAzureCredential = DefaultAzureCredential;
|
4186
|
-
exports.DeviceCodeCredential = DeviceCodeCredential;
|
4187
|
-
exports.EnvironmentCredential = EnvironmentCredential;
|
4188
|
-
exports.InteractiveBrowserCredential = InteractiveBrowserCredential;
|
4189
|
-
exports.ManagedIdentityCredential = ManagedIdentityCredential;
|
4190
|
-
exports.OnBehalfOfCredential = OnBehalfOfCredential;
|
4191
|
-
exports.UsernamePasswordCredential = UsernamePasswordCredential;
|
4192
|
-
exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
|
4193
|
-
exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
|
4194
|
-
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
4195
|
-
exports.getBearerTokenProvider = getBearerTokenProvider;
|
4196
|
-
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
4197
|
-
exports.logger = logger$l;
|
4198
|
-
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
4199
|
-
exports.useIdentityPlugin = useIdentityPlugin;
|
4200
|
-
//# sourceMappingURL=index.js.map
|