@azure/identity 4.6.0 → 4.6.1-alpha.20250116.2

package/dist/esm/credentials/onBehalfOfCredential.d.ts

@@ -0,0 +1,105 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { OnBehalfOfCredentialAssertionOptions, OnBehalfOfCredentialCertificateOptions, OnBehalfOfCredentialSecretOptions } from "./onBehalfOfCredentialOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
+ */
+export declare class OnBehalfOfCredential implements TokenCredential {
+    private tenantId;
+    private additionallyAllowedTenantIds;
+    private msalClient;
+    private sendCertificateChain?;
+    private certificatePath?;
+    private clientSecret?;
+    private userAssertionToken;
+    private clientAssertion?;
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Microsoft Entra ID with path to a PEM certificate,
+     * and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts snippet:on_behalf_of_credential_pem_example
+     * import { OnBehalfOfCredential } from "@azure/identity";
+     * import { KeyClient } from "@azure/keyvault-keys";
+     *
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId: "tenant-id",
+     *   clientId: "client-id",
+     *   certificatePath: "/path/to/certificate.pem",
+     *   userAssertionToken: "access-token",
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(options: OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Microsoft Entra ID with a client
+     * secret and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts snippet:on_behalf_of_credential_secret_example
+     * import { OnBehalfOfCredential } from "@azure/identity";
+     * import { KeyClient } from "@azure/keyvault-keys";
+     *
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId: "tenant-id",
+     *   clientId: "client-id",
+     *   clientSecret: "client-secret",
+     *   userAssertionToken: "access-token",
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(options: OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
+    /**
+     * Creates an instance of the {@link OnBehalfOfCredential} with the details
+     * needed to authenticate against Microsoft Entra ID with a client `getAssertion`
+     * and an user assertion.
+     *
+     * Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
+     *
+     * ```ts snippet:on_behalf_of_credential_assertion_example
+     * import { OnBehalfOfCredential } from "@azure/identity";
+     * import { KeyClient } from "@azure/keyvault-keys";
+     *
+     * const tokenCredential = new OnBehalfOfCredential({
+     *   tenantId: "tenant-id",
+     *   clientId: "client-id",
+     *   getAssertion: () => {
+     *     return Promise.resolve("my-jwt");
+     *   },
+     *   userAssertionToken: "access-token",
+     * });
+     * const client = new KeyClient("vault-url", tokenCredential);
+     *
+     * await client.getKey("key-name");
+     * ```
+     *
+     * @param options - Optional parameters, generally common across credentials.
+     */
+    constructor(options: OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+    private buildClientCertificate;
+    private parseCertificate;
+}
+//# sourceMappingURL=onBehalfOfCredential.d.ts.map

package/dist/esm/credentials/onBehalfOfCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"onBehalfOfCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAGtF,OAAO,KAAK,EACV,oCAAoC,EACpC,sCAAsC,EAEtC,iCAAiC,EAClC,MAAM,kCAAkC,CAAC;AAS1C,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAEtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAShG;;GAEG;AACH,qBAAa,oBAAqB,YAAW,eAAe;IAC1D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAU;IACvC,OAAO,CAAC,eAAe,CAAC,CAAS;IACjC,OAAO,CAAC,YAAY,CAAC,CAAS;IAC9B,OAAO,CAAC,kBAAkB,CAAS;IACnC,OAAO,CAAC,eAAe,CAAC,CAAwB;IAEhD;;;;;;;;;;;;;;;;;;;;;;;OAuBG;gBAED,OAAO,EAAE,sCAAsC,GAC7C,iCAAiC,GACjC,4BAA4B;IAEhC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;gBAED,OAAO,EAAE,iCAAiC,GACxC,iCAAiC,GACjC,4BAA4B;IAGhC;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;gBAED,OAAO,EAAE,oCAAoC,GAC3C,iCAAiC,GACjC,4BAA4B;IAuDhC;;;;;;OAMG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;YA0ChF,sBAAsB;YActB,gBAAgB;CAoC/B"}

package/dist/esm/credentials/onBehalfOfCredential.js

@@ -0,0 +1,112 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { createMsalClient } from "../msal/nodeFlows/msalClient.js";
+import { credentialLogger, formatError } from "../util/logging.js";
+import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils.js";
+import { CredentialUnavailableError } from "../errors.js";
+import { createHash } from "node:crypto";
+import { ensureScopes } from "../util/scopeUtils.js";
+import { readFile } from "node:fs/promises";
+import { tracingClient } from "../util/tracing.js";
+const credentialName = "OnBehalfOfCredential";
+const logger = credentialLogger(credentialName);
+/**
+ * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
+ */
+export class OnBehalfOfCredential {
+    constructor(options) {
+        const { clientSecret } = options;
+        const { certificatePath, sendCertificateChain } = options;
+        const { getAssertion } = options;
+        const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!clientSecret && !certificatePath && !getAssertion) {
+            throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!userAssertionToken) {
+            throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        this.certificatePath = certificatePath;
+        this.clientSecret = clientSecret;
+        this.userAssertionToken = userAssertionToken;
+        this.sendCertificateChain = sendCertificateChain;
+        this.clientAssertion = getAssertion;
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
+        this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure the underlying network requests.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
+            const arrayScopes = ensureScopes(scopes);
+            if (this.certificatePath) {
+                const clientCertificate = await this.buildClientCertificate(this.certificatePath);
+                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, clientCertificate, newOptions);
+            }
+            else if (this.clientSecret) {
+                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
+            }
+            else if (this.clientAssertion) {
+                return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientAssertion, options);
+            }
+            else {
+                // this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided
+                throw new Error("Expected either clientSecret or certificatePath or clientAssertion to be defined.");
+            }
+        });
+    }
+    async buildClientCertificate(certificatePath) {
+        try {
+            const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);
+            return {
+                thumbprint: parts.thumbprint,
+                privateKey: parts.certificateContents,
+                x5c: parts.x5c,
+            };
+        }
+        catch (error) {
+            logger.info(formatError("", error));
+            throw error;
+        }
+    }
+    async parseCertificate(configuration, sendCertificateChain) {
+        const certificatePath = configuration.certificatePath;
+        const certificateContents = await readFile(certificatePath, "utf8");
+        const x5c = sendCertificateChain ? certificateContents : undefined;
+        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+        const publicKeys = [];
+        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+        let match;
+        do {
+            match = certificatePattern.exec(certificateContents);
+            if (match) {
+                publicKeys.push(match[3]);
+            }
+        } while (match);
+        if (publicKeys.length === 0) {
+            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+        }
+        const thumbprint = createHash("sha1")
+            .update(Buffer.from(publicKeys[0], "base64"))
+            .digest("hex")
+            .toUpperCase();
+        return {
+            certificateContents,
+            thumbprint,
+            x5c,
+        };
+    }
+}
+//# sourceMappingURL=onBehalfOfCredential.js.map

package/dist/esm/credentials/onBehalfOfCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"onBehalfOfCredential.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAIlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAOnE,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EACL,yBAAyB,EACzB,mCAAmC,GACpC,MAAM,0BAA0B,CAAC;AAKlC,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAC9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAM,OAAO,oBAAoB;IAqG/B,YAAY,OAAoC;QAC9C,MAAM,EAAE,YAAY,EAAE,GAAG,OAA4C,CAAC;QACtE,MAAM,EAAE,eAAe,EAAE,oBAAoB,EAAE,GAC7C,OAAiD,CAAC;QACpD,MAAM,EAAE,YAAY,EAAE,GAAG,OAA+C,CAAC;QACzE,MAAM,EACJ,QAAQ,EACR,QAAQ,EACR,kBAAkB,EAClB,0BAA0B,EAAE,4BAA4B,GACzD,GAAG,OAAO,CAAC;QACZ,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,0IAA0I,CAC5J,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,0IAA0I,CAC5J,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,YAAY,IAAI,CAAC,eAAe,IAAI,CAAC,YAAY,EAAE,CAAC;YACvD,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,kNAAkN,CACpO,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,oJAAoJ,CACtK,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;QAC7C,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAC;QACjD,IAAI,CAAC,eAAe,GAAG,YAAY,CAAC;QAEpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,4BAA4B,CAC7B,CAAC;QAEF,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,kCACrD,OAAO,KACV,MAAM,EACN,sBAAsB,EAAE,OAAO,IAC/B,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAAC,GAAG,cAAc,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YACxF,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAElF,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CACvC,WAAW,EACX,IAAI,CAAC,kBAAkB,EACvB,iBAAiB,EACjB,UAAU,CACX,CAAC;YACJ,CAAC;iBAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CACvC,WAAW,EACX,IAAI,CAAC,kBAAkB,EACvB,IAAI,CAAC,YAAY,EACjB,OAAO,CACR,CAAC;YACJ,CAAC;iBAAM,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CACvC,WAAW,EACX,IAAI,CAAC,kBAAkB,EACvB,IAAI,CAAC,eAAe,EACpB,OAAO,CACR,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,yKAAyK;gBACzK,MAAM,IAAI,KAAK,CACb,mFAAmF,CACpF,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,eAAuB;QAC1D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,eAAe,EAAE,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAC;YAC1F,OAAO;gBACL,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,UAAU,EAAE,KAAK,CAAC,mBAAmB;gBACrC,GAAG,EAAE,KAAK,CAAC,GAAG;aACf,CAAC;QACJ,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;YACpC,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,aAAkD,EAClD,oBAA8B;QAE9B,MAAM,eAAe,GAAG,aAAa,CAAC,eAAe,CAAC;QACtD,MAAM,mBAAmB,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,oBAAoB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,MAAM,kBAAkB,GACtB,+FAA+F,CAAC;QAClG,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,qHAAqH;QACrH,IAAI,KAAK,CAAC;QACV,GAAG,CAAC;YACF,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC,QAAQ,KAAK,EAAE;QAEhB,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAChG,CAAC;QAED,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC;aAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;aAC5C,MAAM,CAAC,KAAK,CAAC;aACb,WAAW,EAAE,CAAC;QAEjB,OAAO;YACL,mBAAmB;YACnB,UAAU;YACV,GAAG;SACJ,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport type {\n  OnBehalfOfCredentialAssertionOptions,\n  OnBehalfOfCredentialCertificateOptions,\n  OnBehalfOfCredentialOptions,\n  OnBehalfOfCredentialSecretOptions,\n} from \"./onBehalfOfCredentialOptions.js\";\nimport { credentialLogger, formatError } from \"../util/logging.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { CertificateParts } from \"../msal/types.js\";\nimport type { ClientCertificatePEMCertificatePath } from \"./clientCertificateCredentialModels.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\nimport { createHash } from \"node:crypto\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { readFile } from \"node:fs/promises\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst credentialName = \"OnBehalfOfCredential\";\nconst logger = credentialLogger(credentialName);\n\n/**\n * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).\n */\nexport class OnBehalfOfCredential implements TokenCredential {\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private msalClient: MsalClient;\n  private sendCertificateChain?: boolean;\n  private certificatePath?: string;\n  private clientSecret?: string;\n  private userAssertionToken: string;\n  private clientAssertion?: () => Promise<string>;\n\n  /**\n   * Creates an instance of the {@link OnBehalfOfCredential} with the details\n   * needed to authenticate against Microsoft Entra ID with path to a PEM certificate,\n   * and an user assertion.\n   *\n   * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n   *\n   * ```ts snippet:on_behalf_of_credential_pem_example\n   * import { OnBehalfOfCredential } from \"@azure/identity\";\n   * import { KeyClient } from \"@azure/keyvault-keys\";\n   *\n   * const tokenCredential = new OnBehalfOfCredential({\n   *   tenantId: \"tenant-id\",\n   *   clientId: \"client-id\",\n   *   certificatePath: \"/path/to/certificate.pem\",\n   *   userAssertionToken: \"access-token\",\n   * });\n   * const client = new KeyClient(\"vault-url\", tokenCredential);\n   *\n   * await client.getKey(\"key-name\");\n   * ```\n   *\n   * @param options - Optional parameters, generally common across credentials.\n   */\n  constructor(\n    options: OnBehalfOfCredentialCertificateOptions &\n      MultiTenantTokenCredentialOptions &\n      CredentialPersistenceOptions,\n  );\n  /**\n   * Creates an instance of the {@link OnBehalfOfCredential} with the details\n   * needed to authenticate against Microsoft Entra ID with a client\n   * secret and an user assertion.\n   *\n   * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n   *\n   * ```ts snippet:on_behalf_of_credential_secret_example\n   * import { OnBehalfOfCredential } from \"@azure/identity\";\n   * import { KeyClient } from \"@azure/keyvault-keys\";\n   *\n   * const tokenCredential = new OnBehalfOfCredential({\n   *   tenantId: \"tenant-id\",\n   *   clientId: \"client-id\",\n   *   clientSecret: \"client-secret\",\n   *   userAssertionToken: \"access-token\",\n   * });\n   * const client = new KeyClient(\"vault-url\", tokenCredential);\n   *\n   * await client.getKey(\"key-name\");\n   * ```\n   *\n   * @param options - Optional parameters, generally common across credentials.\n   */\n  constructor(\n    options: OnBehalfOfCredentialSecretOptions &\n      MultiTenantTokenCredentialOptions &\n      CredentialPersistenceOptions,\n  );\n\n  /**\n   * Creates an instance of the {@link OnBehalfOfCredential} with the details\n   * needed to authenticate against Microsoft Entra ID with a client `getAssertion`\n   * and an user assertion.\n   *\n   * Example using the `KeyClient` from [\\@azure/keyvault-keys](https://www.npmjs.com/package/\\@azure/keyvault-keys):\n   *\n   * ```ts snippet:on_behalf_of_credential_assertion_example\n   * import { OnBehalfOfCredential } from \"@azure/identity\";\n   * import { KeyClient } from \"@azure/keyvault-keys\";\n   *\n   * const tokenCredential = new OnBehalfOfCredential({\n   *   tenantId: \"tenant-id\",\n   *   clientId: \"client-id\",\n   *   getAssertion: () => {\n   *     return Promise.resolve(\"my-jwt\");\n   *   },\n   *   userAssertionToken: \"access-token\",\n   * });\n   * const client = new KeyClient(\"vault-url\", tokenCredential);\n   *\n   * await client.getKey(\"key-name\");\n   * ```\n   *\n   * @param options - Optional parameters, generally common across credentials.\n   */\n  constructor(\n    options: OnBehalfOfCredentialAssertionOptions &\n      MultiTenantTokenCredentialOptions &\n      CredentialPersistenceOptions,\n  );\n\n  constructor(options: OnBehalfOfCredentialOptions) {\n    const { clientSecret } = options as OnBehalfOfCredentialSecretOptions;\n    const { certificatePath, sendCertificateChain } =\n      options as OnBehalfOfCredentialCertificateOptions;\n    const { getAssertion } = options as OnBehalfOfCredentialAssertionOptions;\n    const {\n      tenantId,\n      clientId,\n      userAssertionToken,\n      additionallyAllowedTenants: additionallyAllowedTenantIds,\n    } = options;\n    if (!tenantId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n\n    if (!clientId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n\n    if (!clientSecret && !certificatePath && !getAssertion) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n\n    if (!userAssertionToken) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`,\n      );\n    }\n    this.certificatePath = certificatePath;\n    this.clientSecret = clientSecret;\n    this.userAssertionToken = userAssertionToken;\n    this.sendCertificateChain = sendCertificateChain;\n    this.clientAssertion = getAssertion;\n\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      additionallyAllowedTenantIds,\n    );\n\n    this.msalClient = createMsalClient(clientId, this.tenantId, {\n      ...options,\n      logger,\n      tokenCredentialOptions: options,\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure the underlying network requests.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {\n      newOptions.tenantId = processMultiTenantRequest(\n        this.tenantId,\n        newOptions,\n        this.additionallyAllowedTenantIds,\n        logger,\n      );\n\n      const arrayScopes = ensureScopes(scopes);\n      if (this.certificatePath) {\n        const clientCertificate = await this.buildClientCertificate(this.certificatePath);\n\n        return this.msalClient.getTokenOnBehalfOf(\n          arrayScopes,\n          this.userAssertionToken,\n          clientCertificate,\n          newOptions,\n        );\n      } else if (this.clientSecret) {\n        return this.msalClient.getTokenOnBehalfOf(\n          arrayScopes,\n          this.userAssertionToken,\n          this.clientSecret,\n          options,\n        );\n      } else if (this.clientAssertion) {\n        return this.msalClient.getTokenOnBehalfOf(\n          arrayScopes,\n          this.userAssertionToken,\n          this.clientAssertion,\n          options,\n        );\n      } else {\n        // this is an invalid scenario and is a bug, as the constructor should have thrown an error if neither clientSecret nor certificatePath nor clientAssertion were provided\n        throw new Error(\n          \"Expected either clientSecret or certificatePath or clientAssertion to be defined.\",\n        );\n      }\n    });\n  }\n\n  private async buildClientCertificate(certificatePath: string): Promise<CertificateParts> {\n    try {\n      const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);\n      return {\n        thumbprint: parts.thumbprint,\n        privateKey: parts.certificateContents,\n        x5c: parts.x5c,\n      };\n    } catch (error: any) {\n      logger.info(formatError(\"\", error));\n      throw error;\n    }\n  }\n\n  private async parseCertificate(\n    configuration: ClientCertificatePEMCertificatePath,\n    sendCertificateChain?: boolean,\n  ): Promise<Omit<CertificateParts, \"privateKey\"> & { certificateContents: string }> {\n    const certificatePath = configuration.certificatePath;\n    const certificateContents = await readFile(certificatePath, \"utf8\");\n    const x5c = sendCertificateChain ? certificateContents : undefined;\n\n    const certificatePattern =\n      /(-+BEGIN CERTIFICATE-+)(\\n\\r?|\\r\\n?)([A-Za-z0-9+/\\n\\r]+=*)(\\n\\r?|\\r\\n?)(-+END CERTIFICATE-+)/g;\n    const publicKeys: string[] = [];\n\n    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c\n    let match;\n    do {\n      match = certificatePattern.exec(certificateContents);\n      if (match) {\n        publicKeys.push(match[3]);\n      }\n    } while (match);\n\n    if (publicKeys.length === 0) {\n      throw new Error(\"The file at the specified path does not contain a PEM-encoded certificate.\");\n    }\n\n    const thumbprint = createHash(\"sha1\")\n      .update(Buffer.from(publicKeys[0], \"base64\"))\n      .digest(\"hex\")\n      .toUpperCase();\n\n    return {\n      certificateContents,\n      thumbprint,\n      x5c,\n    };\n  }\n}\n"]}

package/dist/esm/credentials/onBehalfOfCredentialOptions.d.ts

@@ -0,0 +1,76 @@
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.
+ */
+export interface OnBehalfOfCredentialSecretOptions {
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * A client secret that was generated for the App Registration.
+     */
+    clientSecret: string;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+}
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.
+ */
+export interface OnBehalfOfCredentialCertificateOptions {
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * The path to a PEM-encoded public/private key certificate on the filesystem.
+     */
+    certificatePath: string;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+    /**
+     * Option to include x5c header for SubjectName and Issuer name authorization.
+     * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
+     */
+    sendCertificateChain?: boolean;
+}
+/**
+ * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with an assertion.
+ */
+export interface OnBehalfOfCredentialAssertionOptions {
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId: string;
+    /**
+     * The client (application) ID of an App Registration in the tenant.
+     */
+    clientId: string;
+    /**
+     * A function that retrieves the client assertion for the credential to use
+     */
+    getAssertion: () => Promise<string>;
+    /**
+     * The user assertion for the On-Behalf-Of flow.
+     */
+    userAssertionToken: string;
+}
+/**
+ * Optional parameters for the {@link OnBehalfOfCredential} class.
+ */
+export type OnBehalfOfCredentialOptions = (OnBehalfOfCredentialSecretOptions | OnBehalfOfCredentialCertificateOptions | OnBehalfOfCredentialAssertionOptions) & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions & AuthorityValidationOptions;
+//# sourceMappingURL=onBehalfOfCredentialOptions.d.ts.map

package/dist/esm/credentials/onBehalfOfCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"onBehalfOfCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,sCAAsC;IACrD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,oCAAoC;IACnD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IACpC;;OAEG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AACD;;GAEG;AACH,MAAM,MAAM,2BAA2B,GAAG,CACtC,iCAAiC,GACjC,sCAAsC,GACtC,oCAAoC,CACvC,GACC,iCAAiC,GACjC,4BAA4B,GAC5B,0BAA0B,CAAC"}

package/dist/esm/credentials/onBehalfOfCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=onBehalfOfCredentialOptions.js.map

package/dist/esm/credentials/onBehalfOfCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"onBehalfOfCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/onBehalfOfCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a secret.\n */\nexport interface OnBehalfOfCredentialSecretOptions {\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId: string;\n  /**\n   * The client (application) ID of an App Registration in the tenant.\n   */\n  clientId: string;\n  /**\n   * A client secret that was generated for the App Registration.\n   */\n  clientSecret: string;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n}\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with a certificate.\n */\nexport interface OnBehalfOfCredentialCertificateOptions {\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId: string;\n  /**\n   * The client (application) ID of an App Registration in the tenant.\n   */\n  clientId: string;\n  /**\n   * The path to a PEM-encoded public/private key certificate on the filesystem.\n   */\n  certificatePath: string;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n  /**\n   * Option to include x5c header for SubjectName and Issuer name authorization.\n   * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim\n   */\n  sendCertificateChain?: boolean;\n}\n\n/**\n * Defines the parameters to authenticate the {@link OnBehalfOfCredential} with an assertion.\n */\nexport interface OnBehalfOfCredentialAssertionOptions {\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId: string;\n  /**\n   * The client (application) ID of an App Registration in the tenant.\n   */\n  clientId: string;\n  /**\n   * A function that retrieves the client assertion for the credential to use\n   */\n  getAssertion: () => Promise<string>;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n}\n/**\n * Optional parameters for the {@link OnBehalfOfCredential} class.\n */\nexport type OnBehalfOfCredentialOptions = (\n  | OnBehalfOfCredentialSecretOptions\n  | OnBehalfOfCredentialCertificateOptions\n  | OnBehalfOfCredentialAssertionOptions\n) &\n  MultiTenantTokenCredentialOptions &\n  CredentialPersistenceOptions &\n  AuthorityValidationOptions;\n"]}

package/dist/esm/credentials/usernamePasswordCredential.d.ts

@@ -0,0 +1,41 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { UsernamePasswordCredentialOptions } from "./usernamePasswordCredentialOptions.js";
+/**
+ * Enables authentication to Microsoft Entra ID with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
+ */
+export declare class UsernamePasswordCredential implements TokenCredential {
+    private tenantId;
+    private additionallyAllowedTenantIds;
+    private msalClient;
+    private username;
+    private password;
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a username
+     * and password.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory).
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param username - The user account's e-mail address (user name).
+     * @param password - The user account's account password
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId: string, clientId: string, username: string, password: string, options?: UsernamePasswordCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+//# sourceMappingURL=usernamePasswordCredential.d.ts.map

package/dist/esm/credentials/usernamePasswordCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"usernamePasswordCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAOhG;;;;;GAKG;AACH,qBAAa,0BAA2B,YAAW,eAAe;IAChE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,QAAQ,CAAS;IAEzB;;;;;;;;;;OAUG;gBAED,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,iCAAsC;IAwCjD;;;;;;;;;;;OAWG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;CAsB/F"}

package/dist/esm/credentials/usernamePasswordCredential.js

@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { createMsalClient } from "../msal/nodeFlows/msalClient.js";
+import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils.js";
+import { CredentialUnavailableError } from "../errors.js";
+import { credentialLogger } from "../util/logging.js";
+import { ensureScopes } from "../util/scopeUtils.js";
+import { tracingClient } from "../util/tracing.js";
+const logger = credentialLogger("UsernamePasswordCredential");
+/**
+ * Enables authentication to Microsoft Entra ID with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
+ */
+export class UsernamePasswordCredential {
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a username
+     * and password.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory).
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param username - The user account's e-mail address (user name).
+     * @param password - The user account's account password
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!username) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!password) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.username = username;
+        this.password = password;
+        this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalClient.getTokenByUsernamePassword(arrayScopes, this.username, this.password, newOptions);
+        });
+    }
+}
+//# sourceMappingURL=usernamePasswordCredential.js.map

package/dist/esm/credentials/usernamePasswordCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"usernamePasswordCredential.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAIlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EACL,yBAAyB,EACzB,mCAAmC,GACpC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,4BAA4B,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,OAAO,0BAA0B;IAOrC;;;;;;;;;;OAUG;IACH,YACE,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA6C,EAAE;QAE/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,gKAAgK,CACjK,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,gKAAgK,CACjK,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,gKAAgK,CACjK,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,gKAAgK,CACjK,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,kCACrD,OAAO,KACV,sBAAsB,EAAE,OAAO,aAAP,OAAO,cAAP,OAAO,GAAI,EAAE,IACrC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,0BAA0B,CAC/C,WAAW,EACX,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,QAAQ,EACb,UAAU,CACX,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\n\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport type { UsernamePasswordCredentialOptions } from \"./usernamePasswordCredentialOptions.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"UsernamePasswordCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID with a user's\n * username and password. This credential requires a high degree of\n * trust so you should only use it when other, more secure credential\n * types can't be used.\n */\nexport class UsernamePasswordCredential implements TokenCredential {\n  private tenantId: string;\n  private additionallyAllowedTenantIds: string[];\n  private msalClient: MsalClient;\n  private username: string;\n  private password: string;\n\n  /**\n   * Creates an instance of the UsernamePasswordCredential with the details\n   * needed to authenticate against Microsoft Entra ID with a username\n   * and password.\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory).\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param username - The user account's e-mail address (user name).\n   * @param password - The user account's account password\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    username: string,\n    password: string,\n    options: UsernamePasswordCredentialOptions = {},\n  ) {\n    if (!tenantId) {\n      throw new CredentialUnavailableError(\n        \"UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.\",\n      );\n    }\n\n    if (!clientId) {\n      throw new CredentialUnavailableError(\n        \"UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.\",\n      );\n    }\n\n    if (!username) {\n      throw new CredentialUnavailableError(\n        \"UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.\",\n      );\n    }\n\n    if (!password) {\n      throw new CredentialUnavailableError(\n        \"UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.\",\n      );\n    }\n\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.username = username;\n    this.password = password;\n\n    this.msalClient = createMsalClient(clientId, this.tenantId, {\n      ...options,\n      tokenCredentialOptions: options ?? {},\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the user provided the option `disableAutomaticAuthentication`,\n   * once the token can't be retrieved silently,\n   * this method won't attempt to request user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByUsernamePassword(\n          arrayScopes,\n          this.username,\n          this.password,\n          newOptions,\n        );\n      },\n    );\n  }\n}\n"]}

package/dist/esm/credentials/usernamePasswordCredentialOptions.d.ts

@@ -0,0 +1,9 @@
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Defines options for the {@link UsernamePasswordCredential} class.
+ */
+export interface UsernamePasswordCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {
+}
+//# sourceMappingURL=usernamePasswordCredentialOptions.d.ts.map

package/dist/esm/credentials/usernamePasswordCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"usernamePasswordCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,iCACf,SAAQ,iCAAiC,EACvC,4BAA4B,EAC5B,0BAA0B;CAAG"}

package/dist/esm/credentials/usernamePasswordCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=usernamePasswordCredentialOptions.js.map

package/dist/esm/credentials/usernamePasswordCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"usernamePasswordCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/usernamePasswordCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Defines options for the {@link UsernamePasswordCredential} class.\n */\nexport interface UsernamePasswordCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    CredentialPersistenceOptions,\n    AuthorityValidationOptions {}\n"]}

package/dist/esm/credentials/visualStudioCodeCredential.d.ts

@@ -0,0 +1,60 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { VisualStudioCodeCredentialOptions } from "./visualStudioCodeCredentialOptions.js";
+import type { VSCodeCredentialFinder } from "./visualStudioCodeCredentialPlugin.js";
+export declare const vsCodeCredentialControl: {
+    setVsCodeCredentialFinder(finder: VSCodeCredentialFinder): void;
+};
+/**
+ * Attempts to load a specific property from the VSCode configurations of the current OS.
+ * If it fails at any point, returns undefined.
+ */
+export declare function getPropertyFromVSCode(property: string): string | undefined;
+/**
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Once the user has logged in via the extension, this credential can share the same refresh token
+ * that is cached by the extension.
+ *
+ * It's a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500) that this credential doesn't
+ * work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
+ * versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider
+ * authenticating with {@link AzureCliCredential}.
+ */
+export declare class VisualStudioCodeCredential implements TokenCredential {
+    private identityClient;
+    private tenantId;
+    private additionallyAllowedTenantIds;
+    private cloudName;
+    /**
+     * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(options?: VisualStudioCodeCredentialOptions);
+    /**
+     * Runs preparations for any further getToken request.
+     */
+    private prepare;
+    /**
+     * The promise of the single preparation that will be executed at the first getToken request for an instance of this class.
+     */
+    private preparePromise;
+    /**
+     * Runs preparations for any further getToken, but only once.
+     */
+    private prepareOnce;
+    /**
+     * Returns the token found by searching VSCode's authentication cache or
+     * returns null if no token could be found.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                `TokenCredential` implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+//# sourceMappingURL=visualStudioCodeCredential.d.ts.map

package/dist/esm/credentials/visualStudioCodeCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"visualStudioCodeCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/visualStudioCodeCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAChG,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uCAAuC,CAAC;AAYpF,eAAO,MAAM,uBAAuB;sCACA,sBAAsB,GAAG,IAAI;CAGhE,CAAC;AAwBF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CA6B1E;AAED;;;;;;;;;GASG;AACH,qBAAa,0BAA2B,YAAW,eAAe;IAChE,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,SAAS,CAAmB;IAEpC;;;;;;;;;OASG;gBACS,OAAO,CAAC,EAAE,iCAAiC;IA2BvD;;OAEG;YACW,OAAO;IASrB;;OAEG;IACH,OAAO,CAAC,cAAc,CAA4B;IAElD;;OAEG;IACH,OAAO,CAAC,WAAW;IAOnB;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC;CA6ExB"}