@azure/identity 4.5.1-alpha.20250115.7 → 4.6.0

package/dist-esm/src/credentials/managedIdentityCredential/legacyMsiProvider.js

@@ -0,0 +1,309 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { ConfidentialClientApplication } from "@azure/msal-node";
+import { AuthenticationError, AuthenticationRequiredError, CredentialUnavailableError, } from "../../errors";
+import { cloudShellMsi } from "./cloudShellMsi";
+import { credentialLogger, formatError, formatSuccess } from "../../util/logging";
+import { DeveloperSignOnClientId } from "../../constants";
+import { IdentityClient } from "../../client/identityClient";
+import { appServiceMsi2017 } from "./appServiceMsi2017";
+import { appServiceMsi2019 } from "./appServiceMsi2019";
+import { arcMsi } from "./arcMsi";
+import { fabricMsi } from "./fabricMsi";
+import { getLogLevel } from "@azure/logger";
+import { getMSALLogLevel } from "../../msal/utils";
+import { imdsMsi } from "./imdsMsi";
+import { tokenExchangeMsi } from "./tokenExchangeMsi";
+import { tracingClient } from "../../util/tracing";
+const logger = credentialLogger("ManagedIdentityCredential");
+export class LegacyMsiProvider {
+    constructor(clientIdOrOptions, options) {
+        var _a, _b;
+        this.isEndpointUnavailable = null;
+        this.isAppTokenProviderInitialized = false;
+        this.msiRetryConfig = {
+            maxRetries: 5,
+            startDelayInMs: 800,
+            intervalIncrement: 2,
+        };
+        let _options;
+        if (typeof clientIdOrOptions === "string") {
+            this.clientId = clientIdOrOptions;
+            _options = options;
+        }
+        else {
+            this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
+            _options = clientIdOrOptions;
+        }
+        this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
+        // For JavaScript users.
+        if (this.clientId && this.resourceId) {
+            throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
+        }
+        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
+            this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
+        }
+        this.identityClient = new IdentityClient(_options);
+        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
+                maxRetries: 0,
+            } }));
+        /**  authority host validation and metadata discovery to be skipped in managed identity
+         * since this wasn't done previously before adding token cache support
+         */
+        this.confidentialApp = new ConfidentialClientApplication({
+            auth: {
+                authority: "https://login.microsoftonline.com/managed_identity",
+                clientId: (_b = this.clientId) !== null && _b !== void 0 ? _b : DeveloperSignOnClientId,
+                clientSecret: "dummy-secret",
+                cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
+                authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+                clientCapabilities: [],
+            },
+            system: {
+                loggerOptions: {
+                    logLevel: getMSALLogLevel(getLogLevel()),
+                },
+            },
+        });
+    }
+    async cachedAvailableMSI(scopes, getTokenOptions) {
+        if (this.cachedMSI) {
+            return this.cachedMSI;
+        }
+        const MSIs = [
+            arcMsi,
+            fabricMsi,
+            appServiceMsi2019,
+            appServiceMsi2017,
+            cloudShellMsi,
+            tokenExchangeMsi,
+            imdsMsi,
+        ];
+        for (const msi of MSIs) {
+            if (await msi.isAvailable({
+                scopes,
+                identityClient: this.isAvailableIdentityClient,
+                clientId: this.clientId,
+                resourceId: this.resourceId,
+                getTokenOptions,
+            })) {
+                this.cachedMSI = msi;
+                return msi;
+            }
+        }
+        throw new CredentialUnavailableError(`ManagedIdentityCredential - No MSI credential available`);
+    }
+    async authenticateManagedIdentity(scopes, getTokenOptions) {
+        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.authenticateManagedIdentity`, getTokenOptions);
+        try {
+            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
+            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+            return availableMSI.getToken({
+                identityClient: this.identityClient,
+                scopes,
+                clientId: this.clientId,
+                resourceId: this.resourceId,
+                retryConfig: this.msiRetryConfig,
+            }, updatedOptions);
+        }
+        catch (err) {
+            span.setStatus({
+                status: "error",
+                error: err,
+            });
+            throw err;
+        }
+        finally {
+            span.end();
+        }
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options) {
+        let result = null;
+        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.getToken`, options);
+        try {
+            // isEndpointAvailable can be true, false, or null,
+            // If it's null, it means we don't yet know whether
+            // the endpoint is available and need to check for it.
+            if (this.isEndpointUnavailable !== true) {
+                const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+                if (availableMSI.name === "tokenExchangeMsi") {
+                    result = await this.authenticateManagedIdentity(scopes, updatedOptions);
+                }
+                else {
+                    const appTokenParameters = {
+                        correlationId: this.identityClient.getCorrelationId(),
+                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
+                        scopes: Array.isArray(scopes) ? scopes : [scopes],
+                        claims: options === null || options === void 0 ? void 0 : options.claims,
+                    };
+                    // Added a check to see if SetAppTokenProvider was already defined.
+                    this.initializeSetAppTokenProvider();
+                    const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
+                    result = this.handleResult(scopes, authenticationResult || undefined);
+                }
+                if (result === null) {
+                    // If authenticateManagedIdentity returns null,
+                    // it means no MSI endpoints are available.
+                    // If so, we avoid trying to reach to them in future requests.
+                    this.isEndpointUnavailable = true;
+                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
+                    // yet we had no access token. For this reason, we'll throw once with a specific message:
+                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
+                    logger.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
+                // We will assume that this endpoint is reachable from this point forward,
+                // and avoid pinging again to it.
+                this.isEndpointUnavailable = false;
+            }
+            else {
+                // We've previously determined that the endpoint was unavailable,
+                // either because it was unreachable or permanently unable to authenticate.
+                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            logger.getToken.info(formatSuccess(scopes));
+            return result;
+        }
+        catch (err) {
+            // CredentialUnavailable errors are expected to reach here.
+            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
+            if (err.name === "AuthenticationRequiredError") {
+                throw err;
+            }
+            // Expected errors to reach this point:
+            // - Errors coming from a method unexpectedly breaking.
+            // - When identityClient.sendTokenRequest throws, in which case
+            //   if the status code was 400, it means that the endpoint is working,
+            //   but no identity is available.
+            span.setStatus({
+                status: "error",
+                error: err,
+            });
+            // If either the network is unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "ENETUNREACH") {
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            // If either the host was unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "EHOSTUNREACH") {
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
+            // and it means that the endpoint is working, but that no identity is available.
+            if (err.statusCode === 400) {
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+            }
+            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
+            // rather than just timing out, as expected.
+            if (err.statusCode === 403 || err.code === 403) {
+                if (err.message.includes("unreachable")) {
+                    const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
+                    logger.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+            }
+            // If the error has no status code, we can assume there was no available identity.
+            // This will throw silently during any ChainedTokenCredential.
+            if (err.statusCode === undefined) {
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
+            }
+            // Any other error should break the chain.
+            throw new AuthenticationError(err.statusCode, {
+                error: `ManagedIdentityCredential authentication failed.`,
+                error_description: err.message,
+            });
+        }
+        finally {
+            // Finally is always called, both if we return and if we throw in the above try/catch.
+            span.end();
+        }
+    }
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, result, getTokenOptions) {
+        var _a;
+        this.ensureValidMsalToken(scopes, result, getTokenOptions);
+        logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+            refreshAfterTimestamp: (_a = result.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
+            tokenType: "Bearer",
+        };
+    }
+    /**
+     * Ensures the validity of the MSAL token
+     */
+    ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
+        const error = (message) => {
+            logger.getToken.info(message);
+            return new AuthenticationRequiredError({
+                scopes: Array.isArray(scopes) ? scopes : [scopes],
+                getTokenOptions,
+                message,
+            });
+        };
+        if (!msalToken) {
+            throw error("No response");
+        }
+        if (!msalToken.expiresOn) {
+            throw error(`Response had no "expiresOn" property.`);
+        }
+        if (!msalToken.accessToken) {
+            throw error(`Response had no "accessToken" property.`);
+        }
+    }
+    initializeSetAppTokenProvider() {
+        if (!this.isAppTokenProviderInitialized) {
+            this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
+                logger.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
+                const getTokenOptions = Object.assign({}, appTokenProviderParameters);
+                logger.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
+                const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
+                if (resultToken) {
+                    logger.info(`SetAppTokenProvider will save the token in cache`);
+                    const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
+                        ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
+                        : 0;
+                    const refreshInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.refreshAfterTimestamp)
+                        ? Math.floor((resultToken.refreshAfterTimestamp - Date.now()) / 1000)
+                        : 0;
+                    return {
+                        accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
+                        expiresInSeconds,
+                        refreshInSeconds,
+                    };
+                }
+                else {
+                    logger.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
+                    return {
+                        accessToken: "no_access_token_returned",
+                        expiresInSeconds: 0,
+                    };
+                }
+            });
+            this.isAppTokenProviderInitialized = true;
+        }
+    }
+}
+//# sourceMappingURL=legacyMsiProvider.js.map

package/dist-esm/src/credentials/managedIdentityCredential/legacyMsiProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacyMsiProvider.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/legacyMsiProvider.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAA8B,6BAA6B,EAAE,MAAM,kBAAkB,CAAC;AAC7F,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,0BAA0B,GAC3B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAElF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAClC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AA2B7D,MAAM,OAAO,iBAAiB;IAc5B,YACE,iBAA6D,EAC7D,OAAgC;;QAZ1B,0BAAqB,GAAmB,IAAI,CAAC;QAG7C,kCAA6B,GAAY,KAAK,CAAC;QAC/C,mBAAc,GAAoC;YACxD,UAAU,EAAE,CAAC;YACb,cAAc,EAAE,GAAG;YACnB,iBAAiB,EAAE,CAAC;SACrB,CAAC;QAMA,IAAI,QAA4C,CAAC;QACjD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,QAAQ,GAAG,OAAO,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,GAAI,iBAAsD,aAAtD,iBAAiB,uBAAjB,iBAAiB,CAAuC,QAAQ,CAAC;YAClF,QAAQ,GAAG,iBAAiB,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC,UAAU,GAAI,QAA6C,aAA7C,QAAQ,uBAAR,QAAQ,CAAuC,UAAU,CAAC;QAC7E,wBAAwB;QACxB,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;QACJ,CAAC;QACD,IAAI,CAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,YAAY,0CAAE,UAAU,MAAK,SAAS,EAAE,CAAC;YACrD,IAAI,CAAC,cAAc,CAAC,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,yBAAyB,GAAG,IAAI,cAAc,iCAC9C,QAAQ,KACX,YAAY,EAAE;gBACZ,UAAU,EAAE,CAAC;aACd,IACD,CAAC;QAEH;;WAEG;QACH,IAAI,CAAC,eAAe,GAAG,IAAI,6BAA6B,CAAC;YACvD,IAAI,EAAE;gBACJ,SAAS,EAAE,oDAAoD;gBAC/D,QAAQ,EAAE,MAAA,IAAI,CAAC,QAAQ,mCAAI,uBAAuB;gBAClD,YAAY,EAAE,cAAc;gBAC5B,sBAAsB,EACpB,w7BAAw7B;gBAC17B,iBAAiB,EACf,6gDAA6gD;gBAC/gD,kBAAkB,EAAE,EAAE;aACvB;YACD,MAAM,EAAE;gBACN,aAAa,EAAE;oBACb,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;iBACzC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAIO,KAAK,CAAC,kBAAkB,CAC9B,MAAyB,EACzB,eAAiC;QAEjC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,GAAG;YACX,MAAM;YACN,SAAS;YACT,iBAAiB;YACjB,iBAAiB;YACjB,aAAa;YACb,gBAAgB;YAChB,OAAO;SACR,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IACE,MAAM,GAAG,CAAC,WAAW,CAAC;gBACpB,MAAM;gBACN,cAAc,EAAE,IAAI,CAAC,yBAAyB;gBAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,eAAe;aAChB,CAAC,EACF,CAAC;gBACD,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;gBACrB,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QAED,MAAM,IAAI,0BAA0B,CAAC,yDAAyD,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAyB,EACzB,eAAiC;QAEjC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,aAAa,CAAC,SAAS,CACtD,uDAAuD,EACvD,eAAe,CAChB,CAAC;QAEF,IAAI,CAAC;YACH,oGAAoG;YACpG,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;YAC3E,OAAO,YAAY,CAAC,QAAQ,CAC1B;gBACE,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,MAAM;gBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,WAAW,EAAE,IAAI,CAAC,cAAc;aACjC,EACD,cAAc,CACf,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,GAAG;aACX,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,GAAG,EAAE,CAAC;QACb,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,MAAM,GAAuB,IAAI,CAAC;QACtC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,aAAa,CAAC,SAAS,CACtD,oCAAoC,EACpC,OAAO,CACR,CAAC;QACF,IAAI,CAAC;YACH,mDAAmD;YACnD,mDAAmD;YACnD,sDAAsD;YACtD,IAAI,IAAI,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;gBACxC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC3E,IAAI,YAAY,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBAC7C,MAAM,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC1E,CAAC;qBAAM,CAAC;oBACN,MAAM,kBAAkB,GAA+B;wBACrD,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE;wBACrD,QAAQ,EAAE,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,KAAI,kBAAkB;wBACjD,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;wBACjD,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;qBACxB,CAAC;oBAEF,mEAAmE;oBACnE,IAAI,CAAC,6BAA6B,EAAE,CAAC;oBACrC,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,8BAA8B,mBACjF,kBAAkB,EACrB,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,oBAAoB,IAAI,SAAS,CAAC,CAAC;gBACxE,CAAC;gBACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBACpB,+CAA+C;oBAC/C,2CAA2C;oBAC3C,8DAA8D;oBAC9D,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC;oBAElC,qGAAqG;oBACrG,yFAAyF;oBACzF,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,CAC1E,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,iFAAiF;gBACjF,0EAA0E;gBAC1E,iCAAiC;gBACjC,IAAI,CAAC,qBAAqB,GAAG,KAAK,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,iEAAiE;gBACjE,2EAA2E;gBAC3E,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,0DAA0D,CAC3D,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5C,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,2DAA2D;YAC3D,8EAA8E;YAC9E,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC/C,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,uCAAuC;YACvC,uDAAuD;YACvD,+DAA+D;YAC/D,uEAAuE;YACvE,kCAAkC;YAElC,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,GAAG;aACX,CAAC,CAAC;YAEH,wCAAwC;YACxC,sDAAsD;YACtD,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC/B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,GAAG,CAAC,OAAO,EAAE,CACvF,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;YAED,sCAAsC;YACtC,sDAAsD;YACtD,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;gBAChC,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,wFAAwF,GAAG,CAAC,OAAO,EAAE,CACtG,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;YACD,wEAAwE;YACxE,gFAAgF;YAChF,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,IAAI,0BAA0B,CAClC,kHAAkH,GAAG,CAAC,OAAO,EAAE,CAChI,CAAC;YACJ,CAAC;YAED,6NAA6N;YAC7N,4CAA4C;YAC5C,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;gBAC/C,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBACxC,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,GAAG,CAAC,OAAO,EAAE,CACvF,CAAC;oBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YAED,kFAAkF;YAClF,8DAA8D;YAC9D,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBACjC,MAAM,IAAI,0BAA0B,CAClC,6DAA6D,GAAG,CAAC,OAAO,EAAE,CAC3E,CAAC;YACJ,CAAC;YAED,0CAA0C;YAC1C,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,EAAE;gBAC5C,KAAK,EAAE,kDAAkD;gBACzD,iBAAiB,EAAE,GAAG,CAAC,OAAO;aAC/B,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,sFAAsF;YACtF,IAAI,CAAC,GAAG,EAAE,CAAC;QACb,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,YAAY,CAClB,MAAyB,EACzB,MAAmB,EACnB,eAAiC;;QAEjC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,WAAW;YACzB,kBAAkB,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE;YAC9C,qBAAqB,EAAE,MAAA,MAAM,CAAC,SAAS,0CAAE,OAAO,EAAE;YAClD,SAAS,EAAE,QAAQ;SACL,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,oBAAoB,CAC1B,MAAyB,EACzB,SAAqB,EACrB,eAAiC;QAEjC,MAAM,KAAK,GAAG,CAAC,OAAe,EAAS,EAAE;YACvC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,IAAI,2BAA2B,CAAC;gBACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACjD,eAAe;gBACf,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,MAAM,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAEO,6BAA6B;QACnC,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE,CAAC;YACxC,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE,EAAE;gBAC5E,MAAM,CAAC,IAAI,CACT,gDAAgD,IAAI,CAAC,SAAS,CAC5D,0BAA0B,CAC3B,EAAE,CACJ,CAAC;gBACF,MAAM,eAAe,qBAChB,0BAA0B,CAC9B,CAAC;gBACF,MAAM,CAAC,IAAI,CACT,oDAAoD,IAAI,CAAC,SAAS,CAChE,0BAA0B,CAAC,MAAM,CAClC,0BAA0B,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAC7D,CAAC;gBACF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,2BAA2B,CACxD,0BAA0B,CAAC,MAAM,EACjC,eAAe,CAChB,CAAC;gBAEF,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;oBAEhE,MAAM,gBAAgB,GAAG,CAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,kBAAkB;wBACtD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;wBAClE,CAAC,CAAC,CAAC,CAAC;oBACN,MAAM,gBAAgB,GAAG,CAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,qBAAqB;wBACzD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;wBACrE,CAAC,CAAC,CAAC,CAAC;oBACN,OAAO;wBACL,WAAW,EAAE,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,KAAK;wBAC/B,gBAAgB;wBAChB,gBAAgB;qBACjB,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,6EAA6E,CAC9E,CAAC;oBACF,OAAO;wBACL,WAAW,EAAE,0BAA0B;wBACvC,gBAAgB,EAAE,CAAC;qBACpB,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,6BAA6B,GAAG,IAAI,CAAC;QAC5C,CAAC;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { AppTokenProviderParameters, ConfidentialClientApplication } from \"@azure/msal-node\";\nimport {\n  AuthenticationError,\n  AuthenticationRequiredError,\n  CredentialUnavailableError,\n} from \"../../errors\";\nimport { MSI, MSIConfiguration, MSIToken } from \"./models\";\nimport { MsalResult, MsalToken, ValidMsalToken } from \"../../msal/types\";\nimport { cloudShellMsi } from \"./cloudShellMsi\";\nimport { credentialLogger, formatError, formatSuccess } from \"../../util/logging\";\n\nimport { DeveloperSignOnClientId } from \"../../constants\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { TokenCredentialOptions } from \"../../tokenCredentialOptions\";\nimport { appServiceMsi2017 } from \"./appServiceMsi2017\";\nimport { appServiceMsi2019 } from \"./appServiceMsi2019\";\nimport { arcMsi } from \"./arcMsi\";\nimport { fabricMsi } from \"./fabricMsi\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { getMSALLogLevel } from \"../../msal/utils\";\nimport { imdsMsi } from \"./imdsMsi\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi\";\nimport { tracingClient } from \"../../util/tracing\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n// As part of the migration of Managed Identity to MSAL, this legacy provider captures the existing behavior\n// ported over from the ManagedIdentityCredential verbatim. This is to ensure that the existing behavior\n// is maintained while the new implementation is being tested and validated.\n// https://github.com/Azure/azure-sdk-for-js/issues/30189  tracks deleting this provider once it is no longer needed.\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * Since this is an internal implementation, uses a looser interface than the public one.\n */\ninterface ManagedIdentityCredentialOptions extends TokenCredentialOptions {\n  /**\n   * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n   */\n  clientId?: string;\n\n  /**\n   * Allows specifying a custom resource Id.\n   * In scenarios such as when user assigned identities are created using an ARM template,\n   * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n   * this parameter allows programs to use these user assigned identities\n   * without having to first determine the client Id of the created identity.\n   */\n  resourceId?: string;\n}\n\nexport class LegacyMsiProvider {\n  private identityClient: IdentityClient;\n  private clientId: string | undefined;\n  private resourceId: string | undefined;\n  private isEndpointUnavailable: boolean | null = null;\n  private isAvailableIdentityClient: IdentityClient;\n  private confidentialApp: ConfidentialClientApplication;\n  private isAppTokenProviderInitialized: boolean = false;\n  private msiRetryConfig: MSIConfiguration[\"retryConfig\"] = {\n    maxRetries: 5,\n    startDelayInMs: 800,\n    intervalIncrement: 2,\n  };\n\n  constructor(\n    clientIdOrOptions?: string | ManagedIdentityCredentialOptions,\n    options?: TokenCredentialOptions,\n  ) {\n    let _options: TokenCredentialOptions | undefined;\n    if (typeof clientIdOrOptions === \"string\") {\n      this.clientId = clientIdOrOptions;\n      _options = options;\n    } else {\n      this.clientId = (clientIdOrOptions as ManagedIdentityCredentialOptions)?.clientId;\n      _options = clientIdOrOptions;\n    }\n    this.resourceId = (_options as ManagedIdentityCredentialOptions)?.resourceId;\n    // For JavaScript users.\n    if (this.clientId && this.resourceId) {\n      throw new Error(\n        `ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`,\n      );\n    }\n    if (_options?.retryOptions?.maxRetries !== undefined) {\n      this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;\n    }\n    this.identityClient = new IdentityClient(_options);\n    this.isAvailableIdentityClient = new IdentityClient({\n      ..._options,\n      retryOptions: {\n        maxRetries: 0,\n      },\n    });\n\n    /**  authority host validation and metadata discovery to be skipped in managed identity\n     * since this wasn't done previously before adding token cache support\n     */\n    this.confidentialApp = new ConfidentialClientApplication({\n      auth: {\n        authority: \"https://login.microsoftonline.com/managed_identity\",\n        clientId: this.clientId ?? DeveloperSignOnClientId,\n        clientSecret: \"dummy-secret\",\n        cloudDiscoveryMetadata:\n          '{\"tenant_discovery_endpoint\":\"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\",\"api-version\":\"1.1\",\"metadata\":[{\"preferred_network\":\"login.microsoftonline.com\",\"preferred_cache\":\"login.windows.net\",\"aliases\":[\"login.microsoftonline.com\",\"login.windows.net\",\"login.microsoft.com\",\"sts.windows.net\"]},{\"preferred_network\":\"login.partner.microsoftonline.cn\",\"preferred_cache\":\"login.partner.microsoftonline.cn\",\"aliases\":[\"login.partner.microsoftonline.cn\",\"login.chinacloudapi.cn\"]},{\"preferred_network\":\"login.microsoftonline.de\",\"preferred_cache\":\"login.microsoftonline.de\",\"aliases\":[\"login.microsoftonline.de\"]},{\"preferred_network\":\"login.microsoftonline.us\",\"preferred_cache\":\"login.microsoftonline.us\",\"aliases\":[\"login.microsoftonline.us\",\"login.usgovcloudapi.net\"]},{\"preferred_network\":\"login-us.microsoftonline.com\",\"preferred_cache\":\"login-us.microsoftonline.com\",\"aliases\":[\"login-us.microsoftonline.com\"]}]}',\n        authorityMetadata:\n          '{\"token_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/token\",\"token_endpoint_auth_methods_supported\":[\"client_secret_post\",\"private_key_jwt\",\"client_secret_basic\"],\"jwks_uri\":\"https://login.microsoftonline.com/common/discovery/v2.0/keys\",\"response_modes_supported\":[\"query\",\"fragment\",\"form_post\"],\"subject_types_supported\":[\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"RS256\"],\"response_types_supported\":[\"code\",\"id_token\",\"code id_token\",\"id_token token\"],\"scopes_supported\":[\"openid\",\"profile\",\"email\",\"offline_access\"],\"issuer\":\"https://login.microsoftonline.com/{tenantid}/v2.0\",\"request_uri_parameter_supported\":false,\"userinfo_endpoint\":\"https://graph.microsoft.com/oidc/userinfo\",\"authorization_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/authorize\",\"device_authorization_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode\",\"http_logout_supported\":true,\"frontchannel_logout_supported\":true,\"end_session_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/logout\",\"claims_supported\":[\"sub\",\"iss\",\"cloud_instance_name\",\"cloud_instance_host_name\",\"cloud_graph_host_name\",\"msgraph_host\",\"aud\",\"exp\",\"iat\",\"auth_time\",\"acr\",\"nonce\",\"preferred_username\",\"name\",\"tid\",\"ver\",\"at_hash\",\"c_hash\",\"email\"],\"kerberos_endpoint\":\"https://login.microsoftonline.com/common/kerberos\",\"tenant_region_scope\":null,\"cloud_instance_name\":\"microsoftonline.com\",\"cloud_graph_host_name\":\"graph.windows.net\",\"msgraph_host\":\"graph.microsoft.com\",\"rbac_url\":\"https://pas.windows.net\"}',\n        clientCapabilities: [],\n      },\n      system: {\n        loggerOptions: {\n          logLevel: getMSALLogLevel(getLogLevel()),\n        },\n      },\n    });\n  }\n\n  private cachedMSI: MSI | undefined;\n\n  private async cachedAvailableMSI(\n    scopes: string | string[],\n    getTokenOptions?: GetTokenOptions,\n  ): Promise<MSI> {\n    if (this.cachedMSI) {\n      return this.cachedMSI;\n    }\n\n    const MSIs = [\n      arcMsi,\n      fabricMsi,\n      appServiceMsi2019,\n      appServiceMsi2017,\n      cloudShellMsi,\n      tokenExchangeMsi,\n      imdsMsi,\n    ];\n\n    for (const msi of MSIs) {\n      if (\n        await msi.isAvailable({\n          scopes,\n          identityClient: this.isAvailableIdentityClient,\n          clientId: this.clientId,\n          resourceId: this.resourceId,\n          getTokenOptions,\n        })\n      ) {\n        this.cachedMSI = msi;\n        return msi;\n      }\n    }\n\n    throw new CredentialUnavailableError(`ManagedIdentityCredential - No MSI credential available`);\n  }\n\n  private async authenticateManagedIdentity(\n    scopes: string | string[],\n    getTokenOptions?: GetTokenOptions,\n  ): Promise<MSIToken | null> {\n    const { span, updatedOptions } = tracingClient.startSpan(\n      `ManagedIdentityCredential.authenticateManagedIdentity`,\n      getTokenOptions,\n    );\n\n    try {\n      // Determining the available MSI, and avoiding checking for other MSIs while the program is running.\n      const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);\n      return availableMSI.getToken(\n        {\n          identityClient: this.identityClient,\n          scopes,\n          clientId: this.clientId,\n          resourceId: this.resourceId,\n          retryConfig: this.msiRetryConfig,\n        },\n        updatedOptions,\n      );\n    } catch (err: any) {\n      span.setStatus({\n        status: \"error\",\n        error: err,\n      });\n      throw err;\n    } finally {\n      span.end();\n    }\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options?: GetTokenOptions,\n  ): Promise<AccessToken> {\n    let result: AccessToken | null = null;\n    const { span, updatedOptions } = tracingClient.startSpan(\n      `ManagedIdentityCredential.getToken`,\n      options,\n    );\n    try {\n      // isEndpointAvailable can be true, false, or null,\n      // If it's null, it means we don't yet know whether\n      // the endpoint is available and need to check for it.\n      if (this.isEndpointUnavailable !== true) {\n        const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);\n        if (availableMSI.name === \"tokenExchangeMsi\") {\n          result = await this.authenticateManagedIdentity(scopes, updatedOptions);\n        } else {\n          const appTokenParameters: AppTokenProviderParameters = {\n            correlationId: this.identityClient.getCorrelationId(),\n            tenantId: options?.tenantId || \"managed_identity\",\n            scopes: Array.isArray(scopes) ? scopes : [scopes],\n            claims: options?.claims,\n          };\n\n          // Added a check to see if SetAppTokenProvider was already defined.\n          this.initializeSetAppTokenProvider();\n          const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential({\n            ...appTokenParameters,\n          });\n          result = this.handleResult(scopes, authenticationResult || undefined);\n        }\n        if (result === null) {\n          // If authenticateManagedIdentity returns null,\n          // it means no MSI endpoints are available.\n          // If so, we avoid trying to reach to them in future requests.\n          this.isEndpointUnavailable = true;\n\n          // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),\n          // yet we had no access token. For this reason, we'll throw once with a specific message:\n          const error = new CredentialUnavailableError(\n            \"The managed identity endpoint was reached, yet no tokens were received.\",\n          );\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n\n        // Since `authenticateManagedIdentity` didn't throw, and the result was not null,\n        // We will assume that this endpoint is reachable from this point forward,\n        // and avoid pinging again to it.\n        this.isEndpointUnavailable = false;\n      } else {\n        // We've previously determined that the endpoint was unavailable,\n        // either because it was unreachable or permanently unable to authenticate.\n        const error = new CredentialUnavailableError(\n          \"The managed identity endpoint is not currently available\",\n        );\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n\n      logger.getToken.info(formatSuccess(scopes));\n      return result;\n    } catch (err: any) {\n      // CredentialUnavailable errors are expected to reach here.\n      // We intend them to bubble up, so that DefaultAzureCredential can catch them.\n      if (err.name === \"AuthenticationRequiredError\") {\n        throw err;\n      }\n\n      // Expected errors to reach this point:\n      // - Errors coming from a method unexpectedly breaking.\n      // - When identityClient.sendTokenRequest throws, in which case\n      //   if the status code was 400, it means that the endpoint is working,\n      //   but no identity is available.\n\n      span.setStatus({\n        status: \"error\",\n        error: err,\n      });\n\n      // If either the network is unreachable,\n      // we can safely assume the credential is unavailable.\n      if (err.code === \"ENETUNREACH\") {\n        const error = new CredentialUnavailableError(\n          `ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`,\n        );\n\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n\n      // If either the host was unreachable,\n      // we can safely assume the credential is unavailable.\n      if (err.code === \"EHOSTUNREACH\") {\n        const error = new CredentialUnavailableError(\n          `ManagedIdentityCredential: Unavailable. No managed identity endpoint found. Message: ${err.message}`,\n        );\n\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n      // If err.statusCode has a value of 400, it comes from sendTokenRequest,\n      // and it means that the endpoint is working, but that no identity is available.\n      if (err.statusCode === 400) {\n        throw new CredentialUnavailableError(\n          `ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`,\n        );\n      }\n\n      // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n      // rather than just timing out, as expected.\n      if (err.statusCode === 403 || err.code === 403) {\n        if (err.message.includes(\"unreachable\")) {\n          const error = new CredentialUnavailableError(\n            `ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`,\n          );\n\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n      }\n\n      // If the error has no status code, we can assume there was no available identity.\n      // This will throw silently during any ChainedTokenCredential.\n      if (err.statusCode === undefined) {\n        throw new CredentialUnavailableError(\n          `ManagedIdentityCredential: Authentication failed. Message ${err.message}`,\n        );\n      }\n\n      // Any other error should break the chain.\n      throw new AuthenticationError(err.statusCode, {\n        error: `ManagedIdentityCredential authentication failed.`,\n        error_description: err.message,\n      });\n    } finally {\n      // Finally is always called, both if we return and if we throw in the above try/catch.\n      span.end();\n    }\n  }\n\n  /**\n   * Handles the MSAL authentication result.\n   * If the result has an account, we update the local account reference.\n   * If the token received is invalid, an error will be thrown depending on what's missing.\n   */\n  private handleResult(\n    scopes: string | string[],\n    result?: MsalResult,\n    getTokenOptions?: GetTokenOptions,\n  ): AccessToken {\n    this.ensureValidMsalToken(scopes, result, getTokenOptions);\n    logger.getToken.info(formatSuccess(scopes));\n    return {\n      token: result.accessToken,\n      expiresOnTimestamp: result.expiresOn.getTime(),\n      refreshAfterTimestamp: result.refreshOn?.getTime(),\n      tokenType: \"Bearer\",\n    } as AccessToken;\n  }\n\n  /**\n   * Ensures the validity of the MSAL token\n   */\n  private ensureValidMsalToken(\n    scopes: string | string[],\n    msalToken?: MsalToken,\n    getTokenOptions?: GetTokenOptions,\n  ): asserts msalToken is ValidMsalToken {\n    const error = (message: string): Error => {\n      logger.getToken.info(message);\n      return new AuthenticationRequiredError({\n        scopes: Array.isArray(scopes) ? scopes : [scopes],\n        getTokenOptions,\n        message,\n      });\n    };\n    if (!msalToken) {\n      throw error(\"No response\");\n    }\n    if (!msalToken.expiresOn) {\n      throw error(`Response had no \"expiresOn\" property.`);\n    }\n    if (!msalToken.accessToken) {\n      throw error(`Response had no \"accessToken\" property.`);\n    }\n  }\n\n  private initializeSetAppTokenProvider(): void {\n    if (!this.isAppTokenProviderInitialized) {\n      this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {\n        logger.info(\n          `SetAppTokenProvider invoked with parameters- ${JSON.stringify(\n            appTokenProviderParameters,\n          )}`,\n        );\n        const getTokenOptions: GetTokenOptions = {\n          ...appTokenProviderParameters,\n        };\n        logger.info(\n          `authenticateManagedIdentity invoked with scopes- ${JSON.stringify(\n            appTokenProviderParameters.scopes,\n          )} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`,\n        );\n        const resultToken = await this.authenticateManagedIdentity(\n          appTokenProviderParameters.scopes,\n          getTokenOptions,\n        );\n\n        if (resultToken) {\n          logger.info(`SetAppTokenProvider will save the token in cache`);\n\n          const expiresInSeconds = resultToken?.expiresOnTimestamp\n            ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)\n            : 0;\n          const refreshInSeconds = resultToken?.refreshAfterTimestamp\n            ? Math.floor((resultToken.refreshAfterTimestamp - Date.now()) / 1000)\n            : 0;\n          return {\n            accessToken: resultToken?.token,\n            expiresInSeconds,\n            refreshInSeconds,\n          };\n        } else {\n          logger.info(\n            `SetAppTokenProvider token has \"no_access_token_returned\" as the saved token`,\n          );\n          return {\n            accessToken: \"no_access_token_returned\",\n            expiresInSeconds: 0,\n          };\n        }\n      });\n      this.isAppTokenProviderInitialized = true;\n    }\n  }\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/models.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/models.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\n\nimport { IdentityClient } from \"../../client/identityClient\";\n\n/**\n * @internal\n */\nexport interface MSIConfiguration {\n  retryConfig: {\n    maxRetries: number;\n    startDelayInMs: number;\n    intervalIncrement: number;\n  };\n  identityClient: IdentityClient;\n  scopes: string | string[];\n  clientId?: string;\n  resourceId?: string;\n}\n\n/**\n * @internal\n * Represents an access token for {@link ManagedIdentity} for internal usage,\n * with an expiration time and the time in which token should refresh.\n */\nexport declare interface MSIToken extends AccessToken {}\n\n/**\n * @internal\n */\nexport interface MSI {\n  name: string;\n  isAvailable(options: {\n    scopes: string | string[];\n    identityClient?: IdentityClient;\n    clientId?: string;\n    resourceId?: string;\n    getTokenOptions?: GetTokenOptions;\n  }): Promise<boolean>;\n  getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions?: GetTokenOptions,\n  ): Promise<MSIToken | null>;\n}\n"]}

package/{dist/esm/credentials/managedIdentityCredential/index.js → dist-esm/src/credentials/managedIdentityCredential/msalMsiProvider.js}

@@ -1,41 +1,29 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-import { getLogLevel } from "@azure/logger";
+import { AuthenticationRequiredError, CredentialUnavailableError } from "../../errors";
+import { credentialLogger, formatError, formatSuccess } from "../../util/logging";
+import { defaultLoggerCallback, getMSALLogLevel } from "../../msal/utils";
+import { IdentityClient } from "../../client/identityClient";
 import { ManagedIdentityApplication } from "@azure/msal-node";
-import { IdentityClient } from "../../client/identityClient.js";
-import { AuthenticationRequiredError, CredentialUnavailableError } from "../../errors.js";
-import { getMSALLogLevel, defaultLoggerCallback } from "../../msal/utils.js";
-import { imdsRetryPolicy } from "./imdsRetryPolicy.js";
-import { formatSuccess, formatError, credentialLogger } from "../../util/logging.js";
-import { tracingClient } from "../../util/tracing.js";
-import { imdsMsi } from "./imdsMsi.js";
-import { tokenExchangeMsi } from "./tokenExchangeMsi.js";
-import { mapScopesToResource } from "./utils.js";
-const logger = credentialLogger("ManagedIdentityCredential");
-/**
- * Attempts authentication using a managed identity available at the deployment environment.
- * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
- * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-export class ManagedIdentityCredential {
-    /**
-     * @internal
-     * @hidden
-     */
-    constructor(clientIdOrOptions, options) {
+import { getLogLevel } from "@azure/logger";
+import { imdsMsi } from "./imdsMsi";
+import { imdsRetryPolicy } from "./imdsRetryPolicy";
+import { mapScopesToResource } from "./utils";
+import { tokenExchangeMsi } from "./tokenExchangeMsi";
+import { tracingClient } from "../../util/tracing";
+const logger = credentialLogger("ManagedIdentityCredential(MSAL)");
+export class MsalMsiProvider {
+    constructor(clientIdOrOptions, options = {}) {
         var _a, _b;
         this.msiRetryConfig = {
             maxRetries: 5,
             startDelayInMs: 800,
             intervalIncrement: 2,
         };
-        let _options;
+        let _options = {};
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
-            _options = options !== null && options !== void 0 ? options : {};
+            _options = options;
         }
         else {
             this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
@@ -50,7 +38,7 @@ export class ManagedIdentityCredential {
         }
         // ManagedIdentity uses http for local requests
         _options.allowInsecureConnection = true;
-        if (((_a = _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
+        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
             this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
         }
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
@@ -61,11 +49,12 @@ export class ManagedIdentityCredential {
                 userAssignedObjectId: this.objectId,
             },
             system: {
+                // todo: proxyUrl?
                 disableInternalRetries: true,
                 networkClient: this.identityClient,
                 loggerOptions: {
                     logLevel: getMSALLogLevel(getLogLevel()),
-                    piiLoggingEnabled: (_b = _options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
+                    piiLoggingEnabled: (_b = options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
                     loggerCallback: defaultLoggerCallback(logger),
                 },
             },
@@ -103,7 +92,13 @@ export class ManagedIdentityCredential {
         return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
             var _a;
             try {
-                const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable(this.clientId);
+                const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
+                    scopes,
+                    clientId: this.clientId,
+                    getTokenOptions: options,
+                    identityClient: this.identityClient,
+                    resourceId: this.resourceId,
+                });
                 // Most scenarios are handled by MSAL except for two:
                 // AKS pod identity - MSAL does not implement the token exchange flow.
                 // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.
@@ -214,4 +209,4 @@ function isNetworkError(err) {
     }
     return false;
 }
-//# sourceMappingURL=index.js.map
+//# sourceMappingURL=msalMsiProvider.js.map

package/dist-esm/src/credentials/managedIdentityCredential/msalMsiProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"msalMsiProvider.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/msalMsiProvider.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,2BAA2B,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAEvF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE1E,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,iCAAiC,CAAC,CAAC;AA4BnE,MAAM,OAAO,eAAe;IAa1B,YACE,iBAA6D,EAC7D,UAA4C,EAAE;;QATxC,mBAAc,GAAoC;YACxD,UAAU,EAAE,CAAC;YACb,cAAc,EAAE,GAAG;YACnB,iBAAiB,EAAE,CAAC;SACrB,CAAC;QAOA,IAAI,QAAQ,GAAqC,EAAE,CAAC;QACpD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,QAAQ,GAAG,OAAO,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,GAAG,iBAAiB,aAAjB,iBAAiB,uBAAjB,iBAAiB,CAAE,QAAQ,CAAC;YAC5C,QAAQ,GAAG,iBAAiB,aAAjB,iBAAiB,cAAjB,iBAAiB,GAAI,EAAE,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,UAAU,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,CAAC;QAEnC,wBAAwB;QACxB,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,oHAAoH,IAAI,CAAC,SAAS,CAChI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAClF,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC;QAExC,IAAI,CAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,YAAY,0CAAE,UAAU,MAAK,SAAS,EAAE,CAAC;YACrD,IAAI,CAAC,cAAc,CAAC,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,iCACnC,QAAQ,KACX,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,IAC3F,CAAC;QAEH,IAAI,CAAC,kBAAkB,GAAG,IAAI,0BAA0B,CAAC;YACvD,uBAAuB,EAAE;gBACvB,oBAAoB,EAAE,IAAI,CAAC,QAAQ;gBACnC,sBAAsB,EAAE,IAAI,CAAC,UAAU;gBACvC,oBAAoB,EAAE,IAAI,CAAC,QAAQ;aACpC;YACD,MAAM,EAAE;gBACN,kBAAkB;gBAClB,sBAAsB,EAAE,IAAI;gBAC5B,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,aAAa,EAAE;oBACb,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;oBACxC,iBAAiB,EAAE,MAAA,OAAO,CAAC,cAAc,0CAAE,0BAA0B;oBACrE,cAAc,EAAE,qBAAqB,CAAC,MAAM,CAAC;iBAC9C;aACF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,yBAAyB,GAAG,IAAI,cAAc,iCAC9C,QAAQ,KACX,YAAY,EAAE;gBACZ,UAAU,EAAE,CAAC;aACd,IACD,CAAC;QAEH,uJAAuJ;QACvJ,IAAI,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,KAAK,YAAY,EAAE,CAAC;YACxE,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtD,MAAM,CAAC,OAAO,CACZ,+EAA+E,IAAI,CAAC,SAAS,CAC3F;oBACE,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CACF,GAAG,CACL,CAAC;gBACF,MAAM,IAAI,0BAA0B,CAClC,uNAAuN,CACxN,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QACtE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,yEAAyE,IAAI,CAAC,SAAS,CACrF,MAAM,CACP,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,OAAO,aAAa,CAAC,QAAQ,CAAC,oCAAoC,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;;YACtF,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC;oBAC5D,MAAM;oBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,eAAe,EAAE,OAAO;oBACxB,cAAc,EAAE,IAAI,CAAC,cAAc;oBACnC,UAAU,EAAE,IAAI,CAAC,UAAU;iBAC5B,CAAC,CAAC;gBAEH,qDAAqD;gBACrD,sEAAsE;gBACtE,qFAAqF;gBACrF,gJAAgJ;gBAChJ,wEAAwE;gBAExE,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,CAAC;gBAC1E,MAAM,SAAS,GAAG,cAAc,KAAK,eAAe,IAAI,cAAc,KAAK,MAAM,CAAC,CAAC,kHAAkH;gBAErM,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAC;gBAEhE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,8EAA8E;oBAC9E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;oBACnE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC;wBAC7C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,cAAc,EAAE,IAAI,CAAC,cAAc;wBACnC,WAAW,EAAE,IAAI,CAAC,cAAc;wBAChC,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;wBACpB,MAAM,IAAI,0BAA0B,CAClC,qFAAqF,CACtF,CAAC;oBACJ,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;qBAAM,IAAI,SAAS,EAAE,CAAC;oBACrB,8GAA8G;oBAC9G,kKAAkK;oBAClK,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;oBAC3E,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC;wBAC5C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,eAAe,EAAE,OAAO;wBACxB,cAAc,EAAE,IAAI,CAAC,yBAAyB;wBAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,CAAC,WAAW,EAAE,CAAC;wBACjB,MAAM,IAAI,0BAA0B,CAClC,8DAA8D,CAC/D,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,gCAAgC;gBAChC,oCAAoC;gBACpC,0FAA0F;gBAC1F,uDAAuD;gBACvD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;gBACtE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC;oBACvD,QAAQ;iBACT,CAAC,CAAC;gBAEH,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;gBAE5C,OAAO;oBACL,kBAAkB,EAAE,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE;oBAC7C,KAAK,EAAE,KAAK,CAAC,WAAW;oBACxB,qBAAqB,EAAE,MAAA,KAAK,CAAC,SAAS,0CAAE,OAAO,EAAE;oBACjD,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;gBAEhD,sHAAsH;gBACtH,mGAAmG;gBACnG,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;oBAC/C,MAAM,GAAG,CAAC;gBACZ,CAAC;gBAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,IAAI,0BAA0B,CAClC,4DAA4D,GAAG,CAAC,OAAO,EAAE,EACzE,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,0BAA0B,CAClC,6DAA6D,GAAG,CAAC,OAAO,EAAE,EAC1E,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,oBAAoB,CAC1B,MAAyB,EACzB,SAAqB,EACrB,eAAiC;QAEjC,MAAM,WAAW,GAAG,CAAC,OAAe,EAAS,EAAE;YAC7C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,IAAI,2BAA2B,CAAC;gBACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACjD,eAAe;gBACf,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,WAAW,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,WAAW,CAAC,uCAAuC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,MAAM,WAAW,CAAC,yCAAyC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;CACF;AAED,SAAS,cAAc,CAAC,GAAQ;IAC9B,aAAa;IACb,IAAI,GAAG,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,eAAe;IACf,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6NAA6N;IAC7N,4CAA4C;IAC5C,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;QAC/C,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { AuthenticationRequiredError, CredentialUnavailableError } from \"../../errors\";\nimport { MsalToken, ValidMsalToken } from \"../../msal/types\";\nimport { credentialLogger, formatError, formatSuccess } from \"../../util/logging\";\nimport { defaultLoggerCallback, getMSALLogLevel } from \"../../msal/utils\";\n\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { MSIConfiguration } from \"./models\";\nimport { ManagedIdentityApplication } from \"@azure/msal-node\";\nimport { TokenCredentialOptions } from \"../../tokenCredentialOptions\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { imdsMsi } from \"./imdsMsi\";\nimport { imdsRetryPolicy } from \"./imdsRetryPolicy\";\nimport { mapScopesToResource } from \"./utils\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi\";\nimport { tracingClient } from \"../../util/tracing\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential(MSAL)\");\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * Since this is an internal implementation, uses a looser interface than the public one.\n */\ninterface ManagedIdentityCredentialOptions extends TokenCredentialOptions {\n  /**\n   * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n   */\n  clientId?: string;\n\n  /**\n   * Allows specifying a custom resource Id.\n   * In scenarios such as when user assigned identities are created using an ARM template,\n   * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n   * this parameter allows programs to use these user assigned identities\n   * without having to first determine the client Id of the created identity.\n   */\n  resourceId?: string;\n\n  /**\n   * Allows specifying the object ID of the underlying service principal used to authenticate a user-assigned managed identity.\n   * This is an alternative to providing a client ID and is not required for system-assigned managed identities.\n   */\n  objectId?: string;\n}\n\nexport class MsalMsiProvider {\n  private managedIdentityApp: ManagedIdentityApplication;\n  private identityClient: IdentityClient;\n  private clientId?: string;\n  private resourceId?: string;\n  private objectId?: string;\n  private msiRetryConfig: MSIConfiguration[\"retryConfig\"] = {\n    maxRetries: 5,\n    startDelayInMs: 800,\n    intervalIncrement: 2,\n  };\n  private isAvailableIdentityClient: IdentityClient;\n\n  constructor(\n    clientIdOrOptions?: string | ManagedIdentityCredentialOptions,\n    options: ManagedIdentityCredentialOptions = {},\n  ) {\n    let _options: ManagedIdentityCredentialOptions = {};\n    if (typeof clientIdOrOptions === \"string\") {\n      this.clientId = clientIdOrOptions;\n      _options = options;\n    } else {\n      this.clientId = clientIdOrOptions?.clientId;\n      _options = clientIdOrOptions ?? {};\n    }\n    this.resourceId = _options?.resourceId;\n    this.objectId = _options?.objectId;\n\n    // For JavaScript users.\n    const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);\n    if (providedIds.length > 1) {\n      throw new Error(\n        `ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify(\n          { clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId },\n        )}`,\n      );\n    }\n\n    // ManagedIdentity uses http for local requests\n    _options.allowInsecureConnection = true;\n\n    if (_options?.retryOptions?.maxRetries !== undefined) {\n      this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;\n    }\n\n    this.identityClient = new IdentityClient({\n      ..._options,\n      additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: \"perCall\" }],\n    });\n\n    this.managedIdentityApp = new ManagedIdentityApplication({\n      managedIdentityIdParams: {\n        userAssignedClientId: this.clientId,\n        userAssignedResourceId: this.resourceId,\n        userAssignedObjectId: this.objectId,\n      },\n      system: {\n        // todo: proxyUrl?\n        disableInternalRetries: true,\n        networkClient: this.identityClient,\n        loggerOptions: {\n          logLevel: getMSALLogLevel(getLogLevel()),\n          piiLoggingEnabled: options.loggingOptions?.enableUnsafeSupportLogging,\n          loggerCallback: defaultLoggerCallback(logger),\n        },\n      },\n    });\n\n    this.isAvailableIdentityClient = new IdentityClient({\n      ..._options,\n      retryOptions: {\n        maxRetries: 0,\n      },\n    });\n\n    // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.\n    if (this.managedIdentityApp.getManagedIdentitySource() === \"CloudShell\") {\n      if (this.clientId || this.resourceId || this.objectId) {\n        logger.warning(\n          `CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify(\n            {\n              clientId: this.clientId,\n              resourceId: this.resourceId,\n              objectId: this.objectId,\n            },\n          )}.`,\n        );\n        throw new CredentialUnavailableError(\n          \"ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.\",\n        );\n      }\n    }\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    logger.getToken.info(\"Using the MSAL provider for Managed Identity.\");\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      throw new CredentialUnavailableError(\n        `ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(\n          scopes,\n        )}`,\n      );\n    }\n\n    return tracingClient.withSpan(\"ManagedIdentityCredential.getToken\", options, async () => {\n      try {\n        const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({\n          scopes,\n          clientId: this.clientId,\n          getTokenOptions: options,\n          identityClient: this.identityClient,\n          resourceId: this.resourceId,\n        });\n\n        // Most scenarios are handled by MSAL except for two:\n        // AKS pod identity - MSAL does not implement the token exchange flow.\n        // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.\n        // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token\n        // We will continue to implement these features in the Identity library.\n\n        const identitySource = this.managedIdentityApp.getManagedIdentitySource();\n        const isImdsMsi = identitySource === \"DefaultToImds\" || identitySource === \"Imds\"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.\n\n        logger.getToken.info(`MSAL Identity source: ${identitySource}`);\n\n        if (isTokenExchangeMsi) {\n          // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.\n          logger.getToken.info(\"Using the token exchange managed identity.\");\n          const result = await tokenExchangeMsi.getToken({\n            scopes,\n            clientId: this.clientId,\n            identityClient: this.identityClient,\n            retryConfig: this.msiRetryConfig,\n            resourceId: this.resourceId,\n          });\n\n          if (result === null) {\n            throw new CredentialUnavailableError(\n              \"Attempted to use the token exchange managed identity, but received a null response.\",\n            );\n          }\n\n          return result;\n        } else if (isImdsMsi) {\n          // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.\n          // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.\n          logger.getToken.info(\"Using the IMDS endpoint to probe for availability.\");\n          const isAvailable = await imdsMsi.isAvailable({\n            scopes,\n            clientId: this.clientId,\n            getTokenOptions: options,\n            identityClient: this.isAvailableIdentityClient,\n            resourceId: this.resourceId,\n          });\n\n          if (!isAvailable) {\n            throw new CredentialUnavailableError(\n              `Attempted to use the IMDS endpoint, but it is not available.`,\n            );\n          }\n        }\n\n        // If we got this far, it means:\n        // - This is not a tokenExchangeMsi,\n        // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.\n        // We can proceed normally by calling MSAL for a token.\n        logger.getToken.info(\"Calling into MSAL for managed identity token.\");\n        const token = await this.managedIdentityApp.acquireToken({\n          resource,\n        });\n\n        this.ensureValidMsalToken(scopes, token, options);\n        logger.getToken.info(formatSuccess(scopes));\n\n        return {\n          expiresOnTimestamp: token.expiresOn.getTime(),\n          token: token.accessToken,\n          refreshAfterTimestamp: token.refreshOn?.getTime(),\n          tokenType: \"Bearer\",\n        } as AccessToken;\n      } catch (err: any) {\n        logger.getToken.error(formatError(scopes, err));\n\n        // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.\n        // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?\n        if (err.name === \"AuthenticationRequiredError\") {\n          throw err;\n        }\n\n        if (isNetworkError(err)) {\n          throw new CredentialUnavailableError(\n            `ManagedIdentityCredential: Network unreachable. Message: ${err.message}`,\n            { cause: err },\n          );\n        }\n\n        throw new CredentialUnavailableError(\n          `ManagedIdentityCredential: Authentication failed. Message ${err.message}`,\n          { cause: err },\n        );\n      }\n    });\n  }\n\n  /**\n   * Ensures the validity of the MSAL token\n   */\n  private ensureValidMsalToken(\n    scopes: string | string[],\n    msalToken?: MsalToken,\n    getTokenOptions?: GetTokenOptions,\n  ): asserts msalToken is ValidMsalToken {\n    const createError = (message: string): Error => {\n      logger.getToken.info(message);\n      return new AuthenticationRequiredError({\n        scopes: Array.isArray(scopes) ? scopes : [scopes],\n        getTokenOptions,\n        message,\n      });\n    };\n    if (!msalToken) {\n      throw createError(\"No response.\");\n    }\n    if (!msalToken.expiresOn) {\n      throw createError(`Response had no \"expiresOn\" property.`);\n    }\n    if (!msalToken.accessToken) {\n      throw createError(`Response had no \"accessToken\" property.`);\n    }\n  }\n}\n\nfunction isNetworkError(err: any): boolean {\n  // MSAL error\n  if (err.errorCode === \"network_error\") {\n    return true;\n  }\n\n  // Probe errors\n  if (err.code === \"ENETUNREACH\" || err.code === \"EHOSTUNREACH\") {\n    return true;\n  }\n\n  // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n  // rather than just timing out, as expected.\n  if (err.statusCode === 403 || err.code === 403) {\n    if (err.message.includes(\"unreachable\")) {\n      return true;\n    }\n  }\n\n  return false;\n}\n"]}

package/{dist/browser → dist-esm/src}/credentials/managedIdentityCredential/tokenExchangeMsi.js

@@ -1,18 +1,15 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-import { WorkloadIdentityCredential } from "../workloadIdentityCredential.js";
-import { credentialLogger } from "../../util/logging.js";
+import { WorkloadIdentityCredential } from "../workloadIdentityCredential";
+import { credentialLogger } from "../../util/logging";
 const msiName = "ManagedIdentityCredential - Token Exchange";
 const logger = credentialLogger(msiName);
 /**
  * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
- *
- * Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.
- * The rest have been migrated to MSAL.
  */
 export const tokenExchangeMsi = {
     name: "tokenExchangeMsi",
-    async isAvailable(clientId) {
+    async isAvailable({ clientId }) {
         const env = process.env;
         const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
             env.AZURE_TENANT_ID &&

package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExchangeMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/tokenExchangeMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAIlC,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,MAAM,OAAO,GAAG,4CAA4C,CAAC;AAC7D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAQ;IACnC,IAAI,EAAE,kBAAkB;IACxB,KAAK,CAAC,WAAW,CAAC,EAAE,QAAQ,EAAE;QAC5B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CACpB,CAAC,QAAQ,IAAI,GAAG,CAAC,eAAe,CAAC;YAC/B,GAAG,CAAC,eAAe;YACnB,OAAO,CAAC,GAAG,CAAC,0BAA0B,CACzC,CAAC;QACF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,qKAAqK,CAChL,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAC3C,MAAM,oCAAoC,GAAG,EAAE,CAAC;QAChD,MAAM,0BAA0B,GAAG,IAAI,0BAA0B,CAAC,8BAChE,QAAQ,EACR,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EACrC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAClD,oCAAoC,KACvC,wBAAwB,EAAE,IAAI,GACM,CAAC,CAAC;QACxC,OAAO,0BAA0B,CAAC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IACtE,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { WorkloadIdentityCredential } from \"../workloadIdentityCredential\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { WorkloadIdentityCredentialOptions } from \"../workloadIdentityCredentialOptions\";\n\nconst msiName = \"ManagedIdentityCredential - Token Exchange\";\nconst logger = credentialLogger(msiName);\n\n/**\n * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.\n */\nexport const tokenExchangeMsi: MSI = {\n  name: \"tokenExchangeMsi\",\n  async isAvailable({ clientId }): Promise<boolean> {\n    const env = process.env;\n    const result = Boolean(\n      (clientId || env.AZURE_CLIENT_ID) &&\n        env.AZURE_TENANT_ID &&\n        process.env.AZURE_FEDERATED_TOKEN_FILE,\n    );\n    if (!result) {\n      logger.info(\n        `${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`,\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {},\n  ): Promise<AccessToken | null> {\n    const { scopes, clientId } = configuration;\n    const identityClientTokenCredentialOptions = {};\n    const workloadIdentityCredential = new WorkloadIdentityCredential({\n      clientId,\n      tenantId: process.env.AZURE_TENANT_ID,\n      tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE,\n      ...identityClientTokenCredentialOptions,\n      disableInstanceDiscovery: true,\n    } as WorkloadIdentityCredentialOptions);\n    return workloadIdentityCredential.getToken(scopes, getTokenOptions);\n  },\n};\n"]}

package/{dist/browser → dist-esm/src}/credentials/managedIdentityCredential/utils.js

@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-const DefaultScopeSuffix = "/.default";
+import { DefaultScopeSuffix } from "./constants";
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.

package/dist-esm/src/credentials/managedIdentityCredential/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/utils.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;QAED,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QACtC,KAAK,GAAG,MAAM,CAAC;IACjB,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC;AAChE,CAAC;AAeD;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAA6B;IACpE,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IAChC,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrB,OAAO,QAAQ,GAAG,IAAI,CAAC;QACzB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YACnB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IAC7C,CAAC;IAED,MAAM,IAAI,KAAK,CACb,2DAA2D,IAAI,CAAC,UAAU,kBAAkB,IAAI,CAAC,UAAU,GAAG,CAC/G,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAA6B;IACjE,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QAChC,CAAC;QAED,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrB,OAAO,QAAQ,GAAG,IAAI,CAAC;YACzB,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnB,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,qDAAqD,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;IAC3F,CAAC;SAAM,CAAC;QACN,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { DefaultScopeSuffix } from \"./constants\";\n\n/**\n * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.\n * These are GET requests that require sending a `resource` parameter on the query.\n * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.\n * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.\n *\n * For that reason, when we encounter multiple scopes, we return undefined.\n * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).\n */\nexport function mapScopesToResource(scopes: string | string[]): string | undefined {\n  let scope = \"\";\n  if (Array.isArray(scopes)) {\n    if (scopes.length !== 1) {\n      return;\n    }\n\n    scope = scopes[0];\n  } else if (typeof scopes === \"string\") {\n    scope = scopes;\n  }\n\n  if (!scope.endsWith(DefaultScopeSuffix)) {\n    return scope;\n  }\n\n  return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));\n}\n\n/**\n * Internal type roughly matching the raw responses of the authentication endpoints.\n *\n * @internal\n */\nexport interface TokenResponseParsedBody {\n  access_token?: string;\n  refresh_token?: string;\n  expires_in: number;\n  expires_on?: number | string;\n  refresh_on?: number | string;\n}\n\n/**\n * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.\n * @param body - A parsed response body from the authentication endpoint.\n */\nexport function parseExpirationTimestamp(body: TokenResponseParsedBody): number {\n  if (typeof body.expires_on === \"number\") {\n    return body.expires_on * 1000;\n  }\n\n  if (typeof body.expires_on === \"string\") {\n    const asNumber = +body.expires_on;\n    if (!isNaN(asNumber)) {\n      return asNumber * 1000;\n    }\n\n    const asDate = Date.parse(body.expires_on);\n    if (!isNaN(asDate)) {\n      return asDate;\n    }\n  }\n\n  if (typeof body.expires_in === \"number\") {\n    return Date.now() + body.expires_in * 1000;\n  }\n\n  throw new Error(\n    `Failed to parse token expiration from body. expires_in=\"${body.expires_in}\", expires_on=\"${body.expires_on}\"`,\n  );\n}\n\n/**\n * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.\n * @param body - A parsed response body from the authentication endpoint.\n */\nexport function parseRefreshTimestamp(body: TokenResponseParsedBody): number | undefined {\n  if (body.refresh_on) {\n    if (typeof body.refresh_on === \"number\") {\n      return body.refresh_on * 1000;\n    }\n\n    if (typeof body.refresh_on === \"string\") {\n      const asNumber = +body.refresh_on;\n      if (!isNaN(asNumber)) {\n        return asNumber * 1000;\n      }\n\n      const asDate = Date.parse(body.refresh_on);\n      if (!isNaN(asDate)) {\n        return asDate;\n      }\n    }\n    throw new Error(`Failed to parse refresh_on from body. refresh_on=\"${body.refresh_on}\"`);\n  } else {\n    return undefined;\n  }\n}\n"]}

package/dist-esm/src/credentials/multiTenantTokenCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"multiTenantTokenCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/multiTenantTokenCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { TokenCredentialOptions } from \"../tokenCredentialOptions\";\n\n/**\n * Options for multi-tenant applications which allows for additionally allowed tenants.\n */\nexport interface MultiTenantTokenCredentialOptions extends TokenCredentialOptions {\n  /**\n   * For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.\n   * Add the wildcard value \"*\" to allow the credential to acquire tokens for any tenant the application is installed.\n   */\n  additionallyAllowedTenants?: string[];\n}\n"]}

package/{dist/browser/credentials/onBehalfOfCredential.js → dist-esm/src/credentials/onBehalfOfCredential.browser.js}

@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-import { credentialLogger, formatError } from "../util/logging.js";
+import { credentialLogger, formatError } from "../util/logging";
 const credentialName = "OnBehalfOfCredential";
 const BrowserNotSupportedError = new Error(`${credentialName}: Not supported in the browser.`);
 const logger = credentialLogger(credentialName);
@@ -20,4 +20,4 @@ export class OnBehalfOfCredential {
         throw BrowserNotSupportedError;
     }
 }
-//# sourceMappingURL=onBehalfOfCredential-browser.mjs.map
+//# sourceMappingURL=onBehalfOfCredential.browser.js.map

package/dist-esm/src/credentials/onBehalfOfCredential.browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"onBehalfOfCredential.browser.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEhE,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAC9C,MAAM,wBAAwB,GAAG,IAAI,KAAK,CAAC,GAAG,cAAc,iCAAiC,CAAC,CAAC;AAC/F,MAAM,MAAM,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAM,OAAO,oBAAoB;IAC/B;;OAEG;IACH;QACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QACvD,MAAM,wBAAwB,CAAC;IACjC,CAAC;IAEM,QAAQ;QACb,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QAChE,MAAM,wBAAwB,CAAC;IACjC,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { AccessToken, TokenCredential } from \"@azure/core-auth\";\nimport { credentialLogger, formatError } from \"../util/logging\";\n\nconst credentialName = \"OnBehalfOfCredential\";\nconst BrowserNotSupportedError = new Error(`${credentialName}: Not supported in the browser.`);\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).\n */\nexport class OnBehalfOfCredential implements TokenCredential {\n  /**\n   * Only available in Node.js\n   */\n  constructor() {\n    logger.info(formatError(\"\", BrowserNotSupportedError));\n    throw BrowserNotSupportedError;\n  }\n\n  public getToken(): Promise<AccessToken | null> {\n    logger.getToken.info(formatError(\"\", BrowserNotSupportedError));\n    throw BrowserNotSupportedError;\n  }\n}\n"]}