@azure/identity 4.5.1-alpha.20250115.7 → 4.6.0

package/dist/commonjs/credentials/managedIdentityCredential/options.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"options.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/options.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions.js\";\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `clientId` and not `resourceId`, since only one of both is supported.\n */\nexport interface ManagedIdentityCredentialClientIdOptions extends TokenCredentialOptions {\n  /**\n   * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n   */\n  clientId?: string;\n}\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `resourceId` and not `clientId`, since only one of both is supported.\n */\nexport interface ManagedIdentityCredentialResourceIdOptions extends TokenCredentialOptions {\n  /**\n   * Allows specifying a custom resource Id.\n   * In scenarios such as when user assigned identities are created using an ARM template,\n   * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n   * this parameter allows programs to use these user assigned identities\n   * without having to first determine the client Id of the created identity.\n   */\n  resourceId: string;\n}\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * This variation supports `objectId` as a constructor argument.\n */\nexport interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentialOptions {\n  /**\n   * Allows specifying the object ID of the underlying service principal used to authenticate a user-assigned managed identity.\n   * This is an alternative to providing a client ID or resource ID and is not required for system-assigned managed identities.\n   */\n  objectId: string;\n}\n"]}

package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts

@@ -1,14 +0,0 @@
-import type { AccessToken, GetTokenOptions } from "@azure/core-auth";
-import type { MSIConfiguration } from "./models.js";
-/**
- * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
- *
- * Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.
- * The rest have been migrated to MSAL.
- */
-export declare const tokenExchangeMsi: {
-    name: string;
-    isAvailable(clientId?: string): Promise<boolean>;
-    getToken(configuration: MSIConfiguration, getTokenOptions?: GetTokenOptions): Promise<AccessToken | null>;
-};
-//# sourceMappingURL=tokenExchangeMsi.d.ts.map

package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"tokenExchangeMsi.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/tokenExchangeMsi.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAQpD;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB;;2BAEE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;4BAerC,gBAAgB,oBACd,eAAe,GAC/B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;CAY/B,CAAC"}

package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.js

@@ -1,35 +0,0 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.tokenExchangeMsi = void 0;
-const workloadIdentityCredential_js_1 = require("../workloadIdentityCredential.js");
-const logging_js_1 = require("../../util/logging.js");
-const msiName = "ManagedIdentityCredential - Token Exchange";
-const logger = (0, logging_js_1.credentialLogger)(msiName);
-/**
- * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
- *
- * Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.
- * The rest have been migrated to MSAL.
- */
-exports.tokenExchangeMsi = {
-    name: "tokenExchangeMsi",
-    async isAvailable(clientId) {
-        const env = process.env;
-        const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
-            env.AZURE_TENANT_ID &&
-            process.env.AZURE_FEDERATED_TOKEN_FILE);
-        if (!result) {
-            logger.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, clientId } = configuration;
-        const identityClientTokenCredentialOptions = {};
-        const workloadIdentityCredential = new workloadIdentityCredential_js_1.WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
-        return workloadIdentityCredential.getToken(scopes, getTokenOptions);
-    },
-};
-//# sourceMappingURL=tokenExchangeMsi.js.map

package/dist/commonjs/credentials/managedIdentityCredential/tokenExchangeMsi.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"tokenExchangeMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/tokenExchangeMsi.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAIlC,oFAA8E;AAC9E,sDAAyD;AAGzD,MAAM,OAAO,GAAG,4CAA4C,CAAC;AAC7D,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,OAAO,CAAC,CAAC;AAEzC;;;;;GAKG;AACU,QAAA,gBAAgB,GAAG;IAC9B,IAAI,EAAE,kBAAkB;IACxB,KAAK,CAAC,WAAW,CAAC,QAAiB;QACjC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CACpB,CAAC,QAAQ,IAAI,GAAG,CAAC,eAAe,CAAC;YAC/B,GAAG,CAAC,eAAe;YACnB,OAAO,CAAC,GAAG,CAAC,0BAA0B,CACzC,CAAC;QACF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,qKAAqK,CAChL,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAC3C,MAAM,oCAAoC,GAAG,EAAE,CAAC;QAChD,MAAM,0BAA0B,GAAG,IAAI,0DAA0B,CAAC,8BAChE,QAAQ,EACR,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EACrC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAClD,oCAAoC,KACvC,wBAAwB,EAAE,IAAI,GACM,CAAC,CAAC;QACxC,OAAO,0BAA0B,CAAC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IACtE,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport type { MSIConfiguration } from \"./models.js\";\nimport { WorkloadIdentityCredential } from \"../workloadIdentityCredential.js\";\nimport { credentialLogger } from \"../../util/logging.js\";\nimport type { WorkloadIdentityCredentialOptions } from \"../workloadIdentityCredentialOptions.js\";\n\nconst msiName = \"ManagedIdentityCredential - Token Exchange\";\nconst logger = credentialLogger(msiName);\n\n/**\n * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.\n *\n * Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.\n * The rest have been migrated to MSAL.\n */\nexport const tokenExchangeMsi = {\n  name: \"tokenExchangeMsi\",\n  async isAvailable(clientId?: string): Promise<boolean> {\n    const env = process.env;\n    const result = Boolean(\n      (clientId || env.AZURE_CLIENT_ID) &&\n        env.AZURE_TENANT_ID &&\n        process.env.AZURE_FEDERATED_TOKEN_FILE,\n    );\n    if (!result) {\n      logger.info(\n        `${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`,\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {},\n  ): Promise<AccessToken | null> {\n    const { scopes, clientId } = configuration;\n    const identityClientTokenCredentialOptions = {};\n    const workloadIdentityCredential = new WorkloadIdentityCredential({\n      clientId,\n      tenantId: process.env.AZURE_TENANT_ID,\n      tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE,\n      ...identityClientTokenCredentialOptions,\n      disableInstanceDiscovery: true,\n    } as WorkloadIdentityCredentialOptions);\n    return workloadIdentityCredential.getToken(scopes, getTokenOptions);\n  },\n};\n"]}

package/dist/commonjs/credentials/managedIdentityCredential/utils.d.ts

@@ -1,33 +0,0 @@
-/**
- * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
- * These are GET requests that require sending a `resource` parameter on the query.
- * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
- * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
- *
- * For that reason, when we encounter multiple scopes, we return undefined.
- * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
- */
-export declare function mapScopesToResource(scopes: string | string[]): string | undefined;
-/**
- * Internal type roughly matching the raw responses of the authentication endpoints.
- *
- * @internal
- */
-export interface TokenResponseParsedBody {
-    access_token?: string;
-    refresh_token?: string;
-    expires_in: number;
-    expires_on?: number | string;
-    refresh_on?: number | string;
-}
-/**
- * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
- * @param body - A parsed response body from the authentication endpoint.
- */
-export declare function parseExpirationTimestamp(body: TokenResponseParsedBody): number;
-/**
- * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
- * @param body - A parsed response body from the authentication endpoint.
- */
-export declare function parseRefreshTimestamp(body: TokenResponseParsedBody): number | undefined;
-//# sourceMappingURL=utils.d.ts.map

package/dist/commonjs/credentials/managedIdentityCredential/utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/utils.ts"],"names":[],"mappings":"AAKA;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,MAAM,GAAG,SAAS,CAiBjF;AAED;;;;GAIG;AACH,MAAM,WAAW,uBAAuB;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,uBAAuB,GAAG,MAAM,CAwB9E;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,uBAAuB,GAAG,MAAM,GAAG,SAAS,CAqBvF"}

package/dist/commonjs/credentials/managedIdentityCredential/utils.js

@@ -1,82 +0,0 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.mapScopesToResource = mapScopesToResource;
-exports.parseExpirationTimestamp = parseExpirationTimestamp;
-exports.parseRefreshTimestamp = parseRefreshTimestamp;
-const DefaultScopeSuffix = "/.default";
-/**
- * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
- * These are GET requests that require sending a `resource` parameter on the query.
- * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
- * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
- *
- * For that reason, when we encounter multiple scopes, we return undefined.
- * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
- */
-function mapScopesToResource(scopes) {
-    let scope = "";
-    if (Array.isArray(scopes)) {
-        if (scopes.length !== 1) {
-            return;
-        }
-        scope = scopes[0];
-    }
-    else if (typeof scopes === "string") {
-        scope = scopes;
-    }
-    if (!scope.endsWith(DefaultScopeSuffix)) {
-        return scope;
-    }
-    return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
-}
-/**
- * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
- * @param body - A parsed response body from the authentication endpoint.
- */
-function parseExpirationTimestamp(body) {
-    if (typeof body.expires_on === "number") {
-        return body.expires_on * 1000;
-    }
-    if (typeof body.expires_on === "string") {
-        const asNumber = +body.expires_on;
-        if (!isNaN(asNumber)) {
-            return asNumber * 1000;
-        }
-        const asDate = Date.parse(body.expires_on);
-        if (!isNaN(asDate)) {
-            return asDate;
-        }
-    }
-    if (typeof body.expires_in === "number") {
-        return Date.now() + body.expires_in * 1000;
-    }
-    throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
-}
-/**
- * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
- * @param body - A parsed response body from the authentication endpoint.
- */
-function parseRefreshTimestamp(body) {
-    if (body.refresh_on) {
-        if (typeof body.refresh_on === "number") {
-            return body.refresh_on * 1000;
-        }
-        if (typeof body.refresh_on === "string") {
-            const asNumber = +body.refresh_on;
-            if (!isNaN(asNumber)) {
-                return asNumber * 1000;
-            }
-            const asDate = Date.parse(body.refresh_on);
-            if (!isNaN(asDate)) {
-                return asDate;
-            }
-        }
-        throw new Error(`Failed to parse refresh_on from body. refresh_on="${body.refresh_on}"`);
-    }
-    else {
-        return undefined;
-    }
-}
-//# sourceMappingURL=utils.js.map

package/dist/commonjs/credentials/managedIdentityCredential/utils.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/utils.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;AAalC,kDAiBC;AAmBD,4DAwBC;AAMD,sDAqBC;AAlGD,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAEvC;;;;;;;;GAQG;AACH,SAAgB,mBAAmB,CAAC,MAAyB;IAC3D,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;QAED,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QACtC,KAAK,GAAG,MAAM,CAAC;IACjB,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC;AAChE,CAAC;AAeD;;;GAGG;AACH,SAAgB,wBAAwB,CAAC,IAA6B;IACpE,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IAChC,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrB,OAAO,QAAQ,GAAG,IAAI,CAAC;QACzB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YACnB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IAC7C,CAAC;IAED,MAAM,IAAI,KAAK,CACb,2DAA2D,IAAI,CAAC,UAAU,kBAAkB,IAAI,CAAC,UAAU,GAAG,CAC/G,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,qBAAqB,CAAC,IAA6B;IACjE,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QAChC,CAAC;QAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrB,OAAO,QAAQ,GAAG,IAAI,CAAC;YACzB,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnB,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,qDAAqD,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;IAC3F,CAAC;SAAM,CAAC;QACN,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nconst DefaultScopeSuffix = \"/.default\";\n\n/**\n * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.\n * These are GET requests that require sending a `resource` parameter on the query.\n * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.\n * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.\n *\n * For that reason, when we encounter multiple scopes, we return undefined.\n * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).\n */\nexport function mapScopesToResource(scopes: string | string[]): string | undefined {\n  let scope = \"\";\n  if (Array.isArray(scopes)) {\n    if (scopes.length !== 1) {\n      return;\n    }\n\n    scope = scopes[0];\n  } else if (typeof scopes === \"string\") {\n    scope = scopes;\n  }\n\n  if (!scope.endsWith(DefaultScopeSuffix)) {\n    return scope;\n  }\n\n  return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));\n}\n\n/**\n * Internal type roughly matching the raw responses of the authentication endpoints.\n *\n * @internal\n */\nexport interface TokenResponseParsedBody {\n  access_token?: string;\n  refresh_token?: string;\n  expires_in: number;\n  expires_on?: number | string;\n  refresh_on?: number | string;\n}\n\n/**\n * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.\n * @param body - A parsed response body from the authentication endpoint.\n */\nexport function parseExpirationTimestamp(body: TokenResponseParsedBody): number {\n  if (typeof body.expires_on === \"number\") {\n    return body.expires_on * 1000;\n  }\n\n  if (typeof body.expires_on === \"string\") {\n    const asNumber = +body.expires_on;\n    if (!isNaN(asNumber)) {\n      return asNumber * 1000;\n    }\n\n    const asDate = Date.parse(body.expires_on);\n    if (!isNaN(asDate)) {\n      return asDate;\n    }\n  }\n\n  if (typeof body.expires_in === \"number\") {\n    return Date.now() + body.expires_in * 1000;\n  }\n\n  throw new Error(\n    `Failed to parse token expiration from body. expires_in=\"${body.expires_in}\", expires_on=\"${body.expires_on}\"`,\n  );\n}\n\n/**\n * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.\n * @param body - A parsed response body from the authentication endpoint.\n */\nexport function parseRefreshTimestamp(body: TokenResponseParsedBody): number | undefined {\n  if (body.refresh_on) {\n    if (typeof body.refresh_on === \"number\") {\n      return body.refresh_on * 1000;\n    }\n\n    if (typeof body.refresh_on === \"string\") {\n      const asNumber = +body.refresh_on;\n      if (!isNaN(asNumber)) {\n        return asNumber * 1000;\n      }\n\n      const asDate = Date.parse(body.refresh_on);\n      if (!isNaN(asDate)) {\n        return asDate;\n      }\n    }\n    throw new Error(`Failed to parse refresh_on from body. refresh_on=\"${body.refresh_on}\"`);\n  } else {\n    return undefined;\n  }\n}\n"]}

package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.d.ts

@@ -1,12 +0,0 @@
-import type { TokenCredentialOptions } from "../tokenCredentialOptions.js";
-/**
- * Options for multi-tenant applications which allows for additionally allowed tenants.
- */
-export interface MultiTenantTokenCredentialOptions extends TokenCredentialOptions {
-    /**
-     * For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.
-     * Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application is installed.
-     */
-    additionallyAllowedTenants?: string[];
-}
-//# sourceMappingURL=multiTenantTokenCredentialOptions.d.ts.map

package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"multiTenantTokenCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/multiTenantTokenCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAE3E;;GAEG;AACH,MAAM,WAAW,iCAAkC,SAAQ,sBAAsB;IAC/E;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;CACvC"}

package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.js

@@ -1,5 +0,0 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=multiTenantTokenCredentialOptions.js.map

package/dist/commonjs/credentials/multiTenantTokenCredentialOptions.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"multiTenantTokenCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/multiTenantTokenCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { TokenCredentialOptions } from \"../tokenCredentialOptions.js\";\n\n/**\n * Options for multi-tenant applications which allows for additionally allowed tenants.\n */\nexport interface MultiTenantTokenCredentialOptions extends TokenCredentialOptions {\n  /**\n   * For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.\n   * Add the wildcard value \"*\" to allow the credential to acquire tokens for any tenant the application is installed.\n   */\n  additionallyAllowedTenants?: string[];\n}\n"]}

package/dist/commonjs/credentials/onBehalfOfCredential.d.ts

@@ -1,105 +0,0 @@
-import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
-import type { OnBehalfOfCredentialAssertionOptions, OnBehalfOfCredentialCertificateOptions, OnBehalfOfCredentialSecretOptions } from "./onBehalfOfCredentialOptions.js";
-import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
-import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
-/**
- * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
- */
-export declare class OnBehalfOfCredential implements TokenCredential {
-    private tenantId;
-    private additionallyAllowedTenantIds;
-    private msalClient;
-    private sendCertificateChain?;
-    private certificatePath?;
-    private clientSecret?;
-    private userAssertionToken;
-    private clientAssertion?;
-    /**
-     * Creates an instance of the {@link OnBehalfOfCredential} with the details
-     * needed to authenticate against Microsoft Entra ID with path to a PEM certificate,
-     * and an user assertion.
-     *
-     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
-     *
-     * ```ts snippet:on_behalf_of_credential_pem_example
-     * import { OnBehalfOfCredential } from "@azure/identity";
-     * import { KeyClient } from "@azure/keyvault-keys";
-     *
-     * const tokenCredential = new OnBehalfOfCredential({
-     *   tenantId: "tenant-id",
-     *   clientId: "client-id",
-     *   certificatePath: "/path/to/certificate.pem",
-     *   userAssertionToken: "access-token",
-     * });
-     * const client = new KeyClient("vault-url", tokenCredential);
-     *
-     * await client.getKey("key-name");
-     * ```
-     *
-     * @param options - Optional parameters, generally common across credentials.
-     */
-    constructor(options: OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
-    /**
-     * Creates an instance of the {@link OnBehalfOfCredential} with the details
-     * needed to authenticate against Microsoft Entra ID with a client
-     * secret and an user assertion.
-     *
-     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
-     *
-     * ```ts snippet:on_behalf_of_credential_secret_example
-     * import { OnBehalfOfCredential } from "@azure/identity";
-     * import { KeyClient } from "@azure/keyvault-keys";
-     *
-     * const tokenCredential = new OnBehalfOfCredential({
-     *   tenantId: "tenant-id",
-     *   clientId: "client-id",
-     *   clientSecret: "client-secret",
-     *   userAssertionToken: "access-token",
-     * });
-     * const client = new KeyClient("vault-url", tokenCredential);
-     *
-     * await client.getKey("key-name");
-     * ```
-     *
-     * @param options - Optional parameters, generally common across credentials.
-     */
-    constructor(options: OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
-    /**
-     * Creates an instance of the {@link OnBehalfOfCredential} with the details
-     * needed to authenticate against Microsoft Entra ID with a client `getAssertion`
-     * and an user assertion.
-     *
-     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
-     *
-     * ```ts snippet:on_behalf_of_credential_assertion_example
-     * import { OnBehalfOfCredential } from "@azure/identity";
-     * import { KeyClient } from "@azure/keyvault-keys";
-     *
-     * const tokenCredential = new OnBehalfOfCredential({
-     *   tenantId: "tenant-id",
-     *   clientId: "client-id",
-     *   getAssertion: () => {
-     *     return Promise.resolve("my-jwt");
-     *   },
-     *   userAssertionToken: "access-token",
-     * });
-     * const client = new KeyClient("vault-url", tokenCredential);
-     *
-     * await client.getKey("key-name");
-     * ```
-     *
-     * @param options - Optional parameters, generally common across credentials.
-     */
-    constructor(options: OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure the underlying network requests.
-     */
-    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
-    private buildClientCertificate;
-    private parseCertificate;
-}
-//# sourceMappingURL=onBehalfOfCredential.d.ts.map

package/dist/commonjs/credentials/onBehalfOfCredential.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"onBehalfOfCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAGtF,OAAO,KAAK,EACV,oCAAoC,EACpC,sCAAsC,EAEtC,iCAAiC,EAClC,MAAM,kCAAkC,CAAC;AAS1C,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAEtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAShG;;GAEG;AACH,qBAAa,oBAAqB,YAAW,eAAe;IAC1D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAU;IACvC,OAAO,CAAC,eAAe,CAAC,CAAS;IACjC,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,kBAAkB,CAAS;IACnC,OAAO,CAAC,eAAe,CAAC,CAAwB;IAEhD;;;;;;;;;;;;;;;;;;;;;;;OAuBG;gBAED,OAAO,EAAE,sCAAsC,GAC7C,iCAAiC,GACjC,4BAA4B;IAEhC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;gBAED,OAAO,EAAE,iCAAiC,GACxC,iCAAiC,GACjC,4BAA4B;IAGhC;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;gBAED,OAAO,EAAE,oCAAoC,GAC3C,iCAAiC,GACjC,4BAA4B;IAuDhC;;;;;;OAMG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;YA0ChF,sBAAsB;YActB,gBAAgB;CAoC/B"}

package/dist/commonjs/credentials/onBehalfOfCredential.js

@@ -1,116 +0,0 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OnBehalfOfCredential = void 0;
-const msalClient_js_1 = require("../msal/nodeFlows/msalClient.js");
-const logging_js_1 = require("../util/logging.js");
-const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
-const errors_js_1 = require("../errors.js");
-const node_crypto_1 = require("node:crypto");
-const scopeUtils_js_1 = require("../util/scopeUtils.js");
-const promises_1 = require("node:fs/promises");
-const tracing_js_1 = require("../util/tracing.js");
-const credentialName = "OnBehalfOfCredential";
-const logger = (0, logging_js_1.credentialLogger)(credentialName);
-/**
- * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
- */
-class OnBehalfOfCredential {
-    constructor(options) {
-        const { clientSecret } = options;
-        const { certificatePath, sendCertificateChain } = options;
-        const { getAssertion } = options;
-        const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
-        if (!tenantId) {
-            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        if (!clientId) {
-            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        if (!clientSecret && !certificatePath && !getAssertion) {
-            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        if (!userAssertionToken) {
-            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        this.certificatePath = certificatePath;
-        this.clientSecret = clientSecret;
-        this.userAssertionToken = userAssertionToken;
-        this.sendCertificateChain = sendCertificateChain;
-        this.clientAssertion = getAssertion;
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(additionallyAllowedTenantIds);
-        this.msalClient = (0, msalClient_js_1.createMsalClient)(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure the underlying network requests.
-     */
-    async getToken(scopes, options = {}) {
-        return tracing_js_1.tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
-            const arrayScopes = (0, scopeUtils_js_1.ensureScopes)(scopes);
-            if (this.certificatePath) {
-                const clientCertificate = await this.buildClientCertificate(this.certificatePath);
-                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, clientCertificate, newOptions);
-            }
-            else if (this.clientSecret) {
-                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
-            }
-            else if (this.clientAssertion) {
-                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientAssertion, options);
-            }
-            else {
-                // this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided
-                throw new Error("Expected either clientSecret or certificatePath or clientAssertion to be defined.");
-            }
-        });
-    }
-    async buildClientCertificate(certificatePath) {
-        try {
-            const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);
-            return {
-                thumbprint: parts.thumbprint,
-                privateKey: parts.certificateContents,
-                x5c: parts.x5c,
-            };
-        }
-        catch (error) {
-            logger.info((0, logging_js_1.formatError)("", error));
-            throw error;
-        }
-    }
-    async parseCertificate(configuration, sendCertificateChain) {
-        const certificatePath = configuration.certificatePath;
-        const certificateContents = await (0, promises_1.readFile)(certificatePath, "utf8");
-        const x5c = sendCertificateChain ? certificateContents : undefined;
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-        }
-        const thumbprint = (0, node_crypto_1.createHash)("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return {
-            certificateContents,
-            thumbprint,
-            x5c,
-        };
-    }
-}
-exports.OnBehalfOfCredential = OnBehalfOfCredential;
-//# sourceMappingURL=onBehalfOfCredential.js.map

package/dist/commonjs/credentials/onBehalfOfCredential.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"onBehalfOfCredential.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAIlC,mEAAmE;AAOnE,mDAAmE;AACnE,+DAGkC;AAKlC,4CAA0D;AAE1D,6CAAyC;AACzC,yDAAqD;AACrD,+CAA4C;AAC5C,mDAAmD;AAEnD,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAC9C,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAa,oBAAoB;IAqG/B,YAAY,OAAoC;QAC9C,MAAM,EAAE,YAAY,EAAE,GAAG,OAA4C,CAAC;QACtE,MAAM,EAAE,eAAe,EAAE,oBAAoB,EAAE,GAC7C,OAAiD,CAAC;QACpD,MAAM,EAAE,YAAY,EAAE,GAAG,OAA+C,CAAC;QACzE,MAAM,EACJ,QAAQ,EACR,QAAQ,EACR,kBAAkB,EAClB,0BAA0B,EAAE,4BAA4B,GACzD,GAAG,OAAO,CAAC;QACZ,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,0IAA0I,CAC5J,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,0IAA0I,CAC5J,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,YAAY,IAAI,CAAC,eAAe,IAAI,CAAC,YAAY,EAAE,CAAC;YACvD,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,kNAAkN,CACpO,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,oJAAoJ,CACtK,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;QAC7C,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAC;QACjD,IAAI,CAAC,eAAe,GAAG,YAAY,CAAC;QAEpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,4BAA4B,CAC7B,CAAC;QAEF,IAAI,CAAC,UAAU,GAAG,IAAA,gCAAgB,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,kCACrD,OAAO,KACV,MAAM,EACN,sBAAsB,EAAE,OAAO,IAC/B,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,cAAc,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YACxF,UAAU,CAAC,QAAQ,GAAG,IAAA,4CAAyB,EAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,IAAA,4BAAY,EAAC,MAAM,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAElF,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CACvC,WAAW,EACX,IAAI,CAAC,kBAAkB,EACvB,iBAAiB,EACjB,UAAU,CACX,CAAC;YACJ,CAAC;iBAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CACvC,WAAW,EACX,IAAI,CAAC,kBAAkB,EACvB,IAAI,CAAC,YAAY,EACjB,OAAO,CACR,CAAC;YACJ,CAAC;iBAAM,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CACvC,WAAW,EACX,IAAI,CAAC,kBAAkB,EACvB,IAAI,CAAC,eAAe,EACpB,OAAO,CACR,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,yKAAyK;gBACzK,MAAM,IAAI,KAAK,CACb,mFAAmF,CACpF,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,eAAuB;QAC1D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,eAAe,EAAE,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAC;YAC1F,OAAO;gBACL,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,UAAU,EAAE,KAAK,CAAC,mBAAmB;gBACrC,GAAG,EAAE,KAAK,CAAC,GAAG;aACf,CAAC;QACJ,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;YACpC,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,aAAkD,EAClD,oBAA8B;QAE9B,MAAM,eAAe,GAAG,aAAa,CAAC,eAAe,CAAC;QACtD,MAAM,mBAAmB,GAAG,MAAM,IAAA,mBAAQ,EAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,oBAAoB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,MAAM,kBAAkB,GACtB,+FAA+F,CAAC;QAClG,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,qHAAqH;QACrH,IAAI,KAAK,CAAC;QACV,GAAG,CAAC;YACF,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC,QAAQ,KAAK,EAAE;QAEhB,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAChG,CAAC;QAED,MAAM,UAAU,GAAG,IAAA,wBAAU,EAAC,MAAM,CAAC;aAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;aAC5C,MAAM,CAAC,KAAK,CAAC;aACb,WAAW,EAAE,CAAC;QAEjB,OAAO;YACL,mBAAmB;YACnB,UAAU;YACV,GAAG;SACJ,CAAC;IACJ,CAAC;CACF;AA5PD,oDA4PC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport type {\n  OnBehalfOfCredentialAssertionOptions,\n  OnBehalfOfCredentialCertificateOptions,\n  OnBehalfOfCredentialOptions,\n  OnBehalfOfCredentialSecretOptions,\n} from \"./onBehalfOfCredentialOptions.js\";\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { CertificateParts } from \"../msal/types.js\";\nimport type { ClientCertificatePEMCertificatePath } from \"./clientCertificateCredentialModels.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { createHash } from \"node:crypto\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { readFile } from \"node:fs/promises\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst credentialName = \"OnBehalfOfCredential\";\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).\n */\nexport class OnBehalfOfCredential implements TokenCredential {\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private msalClient: MsalClient;\n  private sendCertificateChain?: boolean;\n  private certificatePath?: string;\n  private clientSecret?: string;\n  private userAssertionToken: string;\n  private clientAssertion?: () => Promise<string>;\n\n  /**\n   * Creates an instance of the {@link OnBehalfOfCredential} with the details\n   * needed to authenticate against Microsoft Entra ID with path to a PEM certificate,\n   * and an user assertion.\n   *\n   * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n   *\n   * ```ts snippet:on_behalf_of_credential_pem_example\n   * import { OnBehalfOfCredential } from \"@azure/identity\";\n   * import { KeyClient } from \"@azure/keyvault-keys\";\n   *\n   * const tokenCredential = new OnBehalfOfCredential({\n   *   tenantId: \"tenant-id\",\n   *   clientId: \"client-id\",\n   *   certificatePath: \"/path/to/certificate.pem\",\n   *   userAssertionToken: \"access-token\",\n   * });\n   * const client = new KeyClient(\"vault-url\", tokenCredential);\n   *\n   * await client.getKey(\"key-name\");\n   * ```\n   *\n   * @param options - Optional parameters, generally common across credentials.\n   */\n  constructor(\n    options: OnBehalfOfCredentialCertificateOptions &\n      MultiTenantTokenCredentialOptions &\n      CredentialPersistenceOptions,\n  );\n  /**\n   * Creates an instance of the {@link OnBehalfOfCredential} with the details\n   * needed to authenticate against Microsoft Entra ID with a client\n   * secret and an user assertion.\n   *\n   * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n   *\n   * ```ts snippet:on_behalf_of_credential_secret_example\n   * import { OnBehalfOfCredential } from \"@azure/identity\";\n   * import { KeyClient } from \"@azure/keyvault-keys\";\n   *\n   * const tokenCredential = new OnBehalfOfCredential({\n   *   tenantId: \"tenant-id\",\n   *   clientId: \"client-id\",\n   *   clientSecret: \"client-secret\",\n   *   userAssertionToken: \"access-token\",\n   * });\n   * const client = new KeyClient(\"vault-url\", tokenCredential);\n   *\n   * await client.getKey(\"key-name\");\n   * ```\n   *\n   * @param options - Optional parameters, generally common across credentials.\n   */\n  constructor(\n    options: OnBehalfOfCredentialSecretOptions &\n      MultiTenantTokenCredentialOptions &\n      CredentialPersistenceOptions,\n  );\n\n  /**\n   * Creates an instance of the {@link OnBehalfOfCredential} with the details\n   * needed to authenticate against Microsoft Entra ID with a client `getAssertion`\n   * and an user assertion.\n   *\n   * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n   *\n   * ```ts snippet:on_behalf_of_credential_assertion_example\n   * import { OnBehalfOfCredential } from \"@azure/identity\";\n   * import { KeyClient } from \"@azure/keyvault-keys\";\n   *\n   * const tokenCredential = new OnBehalfOfCredential({\n   *   tenantId: \"tenant-id\",\n   *   clientId: \"client-id\",\n   *   getAssertion: () => {\n   *     return Promise.resolve(\"my-jwt\");\n   *   },\n   *   userAssertionToken: \"access-token\",\n   * });\n   * const client = new KeyClient(\"vault-url\", tokenCredential);\n   *\n   * await client.getKey(\"key-name\");\n   * ```\n   *\n   * @param options - Optional parameters, generally common across credentials.\n   */\n  constructor(\n    options: OnBehalfOfCredentialAssertionOptions &\n      MultiTenantTokenCredentialOptions &\n      CredentialPersistenceOptions,\n  );\n\n  constructor(options: OnBehalfOfCredentialOptions) {\n    const { clientSecret } = options as OnBehalfOfCredentialSecretOptions;\n    const { certificatePath, sendCertificateChain } =\n      options as OnBehalfOfCredentialCertificateOptions;\n    const { getAssertion } = options as OnBehalfOfCredentialAssertionOptions;\n    const {\n      tenantId,\n      clientId,\n      userAssertionToken,\n      additionallyAllowedTenants: additionallyAllowedTenantIds,\n    } = options;\n    if (!tenantId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n\n    if (!clientId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n\n    if (!clientSecret && !certificatePath && !getAssertion) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n\n    if (!userAssertionToken) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n    this.certificatePath = certificatePath;\n    this.clientSecret = clientSecret;\n    this.userAssertionToken = userAssertionToken;\n    this.sendCertificateChain = sendCertificateChain;\n    this.clientAssertion = getAssertion;\n\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      additionallyAllowedTenantIds,\n    );\n\n    this.msalClient = createMsalClient(clientId, this.tenantId, {\n      ...options,\n      logger,\n      tokenCredentialOptions: options,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the underlying network requests.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {\n      newOptions.tenantId = processMultiTenantRequest(\n        this.tenantId,\n        newOptions,\n        this.additionallyAllowedTenantIds,\n        logger,\n      );\n\n      const arrayScopes = ensureScopes(scopes);\n      if (this.certificatePath) {\n        const clientCertificate = await this.buildClientCertificate(this.certificatePath);\n\n        return this.msalClient.getTokenOnBehalfOf(\n          arrayScopes,\n          this.userAssertionToken,\n          clientCertificate,\n          newOptions,\n        );\n      } else if (this.clientSecret) {\n        return this.msalClient.getTokenOnBehalfOf(\n          arrayScopes,\n          this.userAssertionToken,\n          this.clientSecret,\n          options,\n        );\n      } else if (this.clientAssertion) {\n        return this.msalClient.getTokenOnBehalfOf(\n          arrayScopes,\n          this.userAssertionToken,\n          this.clientAssertion,\n          options,\n        );\n      } else {\n        // this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided\n        throw new Error(\n          \"Expected either clientSecret or certificatePath or clientAssertion to be defined.\",\n        );\n      }\n    });\n  }\n\n  private async buildClientCertificate(certificatePath: string): Promise<CertificateParts> {\n    try {\n      const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);\n      return {\n        thumbprint: parts.thumbprint,\n        privateKey: parts.certificateContents,\n        x5c: parts.x5c,\n      };\n    } catch (error: any) {\n      logger.info(formatError(\"\", error));\n      throw error;\n    }\n  }\n\n  private async parseCertificate(\n    configuration: ClientCertificatePEMCertificatePath,\n    sendCertificateChain?: boolean,\n  ): Promise<Omit<CertificateParts, \"privateKey\"> & { certificateContents: string }> {\n    const certificatePath = configuration.certificatePath;\n    const certificateContents = await readFile(certificatePath, \"utf8\");\n    const x5c = sendCertificateChain ? certificateContents : undefined;\n\n    const certificatePattern =\n      /(-+BEGIN CERTIFICATE-+)(\\n\\r?|\\r\\n?)([A-Za-z0-9+/\\n\\r]+=*)(\\n\\r?|\\r\\n?)(-+END CERTIFICATE-+)/g;\n    const publicKeys: string[] = [];\n\n    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c\n    let match;\n    do {\n      match = certificatePattern.exec(certificateContents);\n      if (match) {\n        publicKeys.push(match[3]);\n      }\n    } while (match);\n\n    if (publicKeys.length === 0) {\n      throw new Error(\"The file at the specified path does not contain a PEM-encoded certificate.\");\n    }\n\n    const thumbprint = createHash(\"sha1\")\n      .update(Buffer.from(publicKeys[0], \"base64\"))\n      .digest(\"hex\")\n      .toUpperCase();\n\n    return {\n      certificateContents,\n      thumbprint,\n      x5c,\n    };\n  }\n}\n"]}

package/dist/commonjs/credentials/onBehalfOfCredentialOptions.d.ts

@@ -1,76 +0,0 @@
-import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
-import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
-import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
-/**
- * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.
- */
-export interface OnBehalfOfCredentialSecretOptions {
-    /**
-     * The Microsoft Entra tenant (directory) ID.
-     */
-    tenantId: string;
-    /**
-     * The client (application) ID of an App Registration in the tenant.
-     */
-    clientId: string;
-    /**
-     * A client secret that was generated for the App Registration.
-     */
-    clientSecret: string;
-    /**
-     * The user assertion for the On-Behalf-Of flow.
-     */
-    userAssertionToken: string;
-}
-/**
- * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.
- */
-export interface OnBehalfOfCredentialCertificateOptions {
-    /**
-     * The Microsoft Entra tenant (directory) ID.
-     */
-    tenantId: string;
-    /**
-     * The client (application) ID of an App Registration in the tenant.
-     */
-    clientId: string;
-    /**
-     * The path to a PEM-encoded public/private key certificate on the filesystem.
-     */
-    certificatePath: string;
-    /**
-     * The user assertion for the On-Behalf-Of flow.
-     */
-    userAssertionToken: string;
-    /**
-     * Option to include x5c header for SubjectName and Issuer name authorization.
-     * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
-     */
-    sendCertificateChain?: boolean;
-}
-/**
- * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with an assertion.
- */
-export interface OnBehalfOfCredentialAssertionOptions {
-    /**
-     * The Microsoft Entra tenant (directory) ID.
-     */
-    tenantId: string;
-    /**
-     * The client (application) ID of an App Registration in the tenant.
-     */
-    clientId: string;
-    /**
-     * A function that retrieves the client assertion for the credential to use
-     */
-    getAssertion: () => Promise<string>;
-    /**
-     * The user assertion for the On-Behalf-Of flow.
-     */
-    userAssertionToken: string;
-}
-/**
- * Optional parameters for the {@link OnBehalfOfCredential} class.
- */
-export type OnBehalfOfCredentialOptions = (OnBehalfOfCredentialSecretOptions | OnBehalfOfCredentialCertificateOptions | OnBehalfOfCredentialAssertionOptions) & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions & AuthorityValidationOptions;
-//# sourceMappingURL=onBehalfOfCredentialOptions.d.ts.map

package/dist/commonjs/credentials/onBehalfOfCredentialOptions.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"onBehalfOfCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,sCAAsC;IACrD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,oCAAoC;IACnD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IACpC;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AACD;;GAEG;AACH,MAAM,MAAM,2BAA2B,GAAG,CACtC,iCAAiC,GACjC,sCAAsC,GACtC,oCAAoC,CACvC,GACC,iCAAiC,GACjC,4BAA4B,GAC5B,0BAA0B,CAAC"}

package/dist/commonjs/credentials/onBehalfOfCredentialOptions.js

@@ -1,5 +0,0 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=onBehalfOfCredentialOptions.js.map

package/dist/commonjs/credentials/onBehalfOfCredentialOptions.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"onBehalfOfCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.\n */\nexport interface OnBehalfOfCredentialSecretOptions {\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId: string;\n  /**\n   * The client (application) ID of an App Registration in the tenant.\n   */\n  clientId: string;\n  /**\n   * A client secret that was generated for the App Registration.\n   */\n  clientSecret: string;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n}\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.\n */\nexport interface OnBehalfOfCredentialCertificateOptions {\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId: string;\n  /**\n   * The client (application) ID of an App Registration in the tenant.\n   */\n  clientId: string;\n  /**\n   * The path to a PEM-encoded public/private key certificate on the filesystem.\n   */\n  certificatePath: string;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n  /**\n   * Option to include x5c header for SubjectName and Issuer name authorization.\n   * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim\n   */\n  sendCertificateChain?: boolean;\n}\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with an assertion.\n */\nexport interface OnBehalfOfCredentialAssertionOptions {\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId: string;\n  /**\n   * The client (application) ID of an App Registration in the tenant.\n   */\n  clientId: string;\n  /**\n   * A function that retrieves the client assertion for the credential to use\n   */\n  getAssertion: () => Promise<string>;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n}\n/**\n * Optional parameters for the {@link OnBehalfOfCredential} class.\n */\nexport type OnBehalfOfCredentialOptions = (\n  | OnBehalfOfCredentialSecretOptions\n  | OnBehalfOfCredentialCertificateOptions\n  | OnBehalfOfCredentialAssertionOptions\n) &\n  MultiTenantTokenCredentialOptions &\n  CredentialPersistenceOptions &\n  AuthorityValidationOptions;\n"]}