@azure/identity 4.8.1-alpha.20250410.1 → 4.9.1-alpha.20250416.4

package/dist/workerd/credentials/environmentCredential.d.ts

@@ -0,0 +1,52 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { EnvironmentCredentialOptions } from "./environmentCredentialOptions.js";
+/**
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
+ *
+ * @internal
+ */
+export declare const AllSupportedEnvironmentVariables: string[];
+export declare function getSendCertificateChain(): boolean;
+/**
+ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
+ * with a username and password.
+ */
+export declare class EnvironmentCredential implements TokenCredential {
+    private _credential?;
+    /**
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
+     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(options?: EnvironmentCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - Optional parameters. See {@link GetTokenOptions}.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+//# sourceMappingURL=environmentCredential.d.ts.map

package/dist/workerd/credentials/environmentCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"environmentCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/environmentCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAMtF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAKtF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAU5C,CAAC;AAUF,wBAAgB,uBAAuB,IAAI,OAAO,CASjD;AAED;;;GAGG;AACH,qBAAa,qBAAsB,YAAW,eAAe;IAC3D,OAAO,CAAC,WAAW,CAAC,CAGuB;IAC3C;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;gBACS,OAAO,CAAC,EAAE,4BAA4B;IAyDlD;;;;;OAKG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;CAqB/F"}

package/dist/workerd/credentials/environmentCredential.js

@@ -0,0 +1,130 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { AuthenticationError, CredentialUnavailableError } from "../errors.js";
+import { credentialLogger, formatError, formatSuccess, processEnvVars } from "../util/logging.js";
+import { ClientCertificateCredential } from "./clientCertificateCredential.js";
+import { ClientSecretCredential } from "./clientSecretCredential.js";
+import { UsernamePasswordCredential } from "./usernamePasswordCredential.js";
+import { checkTenantId } from "../util/tenantIdUtils.js";
+import { tracingClient } from "../util/tracing.js";
+/**
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
+ *
+ * @internal
+ */
+export const AllSupportedEnvironmentVariables = [
+    "AZURE_TENANT_ID",
+    "AZURE_CLIENT_ID",
+    "AZURE_CLIENT_SECRET",
+    "AZURE_CLIENT_CERTIFICATE_PATH",
+    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
+    "AZURE_USERNAME",
+    "AZURE_PASSWORD",
+    "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
+    "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
+];
+function getAdditionallyAllowedTenants() {
+    var _a;
+    const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
+    return additionallyAllowedValues.split(";");
+}
+const credentialName = "EnvironmentCredential";
+const logger = credentialLogger(credentialName);
+export function getSendCertificateChain() {
+    var _a;
+    const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase();
+    const result = sendCertificateChain === "true" || sendCertificateChain === "1";
+    logger.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`);
+    return result;
+}
+/**
+ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
+ * with a username and password.
+ */
+export class EnvironmentCredential {
+    /**
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
+     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(options) {
+        // Keep track of any missing environment variables for error details
+        this._credential = undefined;
+        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
+        logger.info(`Found the following environment variables: ${assigned}`);
+        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
+        const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
+        const sendCertificateChain = getSendCertificateChain();
+        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain });
+        if (tenantId) {
+            checkTenantId(logger, tenantId);
+        }
+        if (tenantId && clientId && clientSecret) {
+            logger.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
+            return;
+        }
+        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
+        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
+        if (tenantId && clientId && certificatePath) {
+            logger.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
+            return;
+        }
+        const username = process.env.AZURE_USERNAME;
+        const password = process.env.AZURE_PASSWORD;
+        if (tenantId && clientId && username && password) {
+            logger.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
+        }
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - Optional parameters. See {@link GetTokenOptions}.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
+            if (this._credential) {
+                try {
+                    const result = await this._credential.getToken(scopes, newOptions);
+                    logger.getToken.info(formatSuccess(scopes));
+                    return result;
+                }
+                catch (err) {
+                    const authenticationError = new AuthenticationError(400, {
+                        error: `${credentialName} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
+                        error_description: err.message.toString().split("More details:").join(""),
+                    });
+                    logger.getToken.info(formatError(scopes, authenticationError));
+                    throw authenticationError;
+                }
+            }
+            throw new CredentialUnavailableError(`${credentialName} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
+        });
+    }
+}
+//# sourceMappingURL=environmentCredential.js.map

package/dist/workerd/credentials/environmentCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"environmentCredential.js","sourceRoot":"","sources":["../../../src/credentials/environmentCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAElG,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB;IACrB,+BAA+B;IAC/B,mCAAmC;IACnC,gBAAgB;IAChB,gBAAgB;IAChB,oCAAoC;IACpC,qCAAqC;CACtC,CAAC;AAEF,SAAS,6BAA6B;;IACpC,MAAM,yBAAyB,GAAG,MAAA,OAAO,CAAC,GAAG,CAAC,kCAAkC,mCAAI,EAAE,CAAC;IACvF,OAAO,yBAAyB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAC/C,MAAM,MAAM,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAEhD,MAAM,UAAU,uBAAuB;;IACrC,MAAM,oBAAoB,GAAG,CAC3B,MAAA,OAAO,CAAC,GAAG,CAAC,mCAAmC,mCAAI,EAAE,CACtD,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,MAAM,GAAG,oBAAoB,KAAK,MAAM,IAAI,oBAAoB,KAAK,GAAG,CAAC;IAC/E,MAAM,CAAC,OAAO,CACZ,wCAAwC,OAAO,CAAC,GAAG,CAAC,mCAAmC,2BAA2B,MAAM,EAAE,CAC3H,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IAKhC;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,YAAY,OAAsC;QAChD,oEAAoE;QA9B9D,gBAAW,GAGc,SAAS,CAAC;QA6BzC,MAAM,QAAQ,GAAG,cAAc,CAAC,gCAAgC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtF,MAAM,CAAC,IAAI,CAAC,8CAA8C,QAAQ,EAAE,CAAC,CAAC;QAEtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EAC1C,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EACtC,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QAEjD,MAAM,4BAA4B,GAAG,6BAA6B,EAAE,CAAC;QACrE,MAAM,oBAAoB,GAAG,uBAAuB,EAAE,CAAC;QACvD,MAAM,UAAU,mCAAQ,OAAO,KAAE,4BAA4B,EAAE,oBAAoB,GAAE,CAAC;QAEtF,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QAED,IAAI,QAAQ,IAAI,QAAQ,IAAI,YAAY,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CACT,mDAAmD,QAAQ,eAAe,QAAQ,+BAA+B,CAClH,CAAC;YACF,IAAI,CAAC,WAAW,GAAG,IAAI,sBAAsB,CAAC,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;QAClE,MAAM,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC;QAC1E,IAAI,QAAQ,IAAI,QAAQ,IAAI,eAAe,EAAE,CAAC;YAC5C,MAAM,CAAC,IAAI,CACT,wDAAwD,QAAQ,eAAe,QAAQ,yBAAyB,eAAe,EAAE,CAClI,CAAC;YACF,IAAI,CAAC,WAAW,GAAG,IAAI,2BAA2B,CAChD,QAAQ,EACR,QAAQ,EACR,EAAE,eAAe,EAAE,mBAAmB,EAAE,EACxC,UAAU,CACX,CAAC;YACF,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAC5C,IAAI,QAAQ,IAAI,QAAQ,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;YACjD,MAAM,CAAC,IAAI,CACT,uDAAuD,QAAQ,eAAe,QAAQ,kBAAkB,QAAQ,EAAE,CACnH,CAAC;YACF,IAAI,CAAC,WAAW,GAAG,IAAI,0BAA0B,CAC/C,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,UAAU,CACX,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAAC,GAAG,cAAc,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;YACxF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;oBACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,MAAM,mBAAmB,GAAG,IAAI,mBAAmB,CAAC,GAAG,EAAE;wBACvD,KAAK,EAAE,GAAG,cAAc,qHAAqH;wBAC7I,iBAAiB,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;qBAC1E,CAAC,CAAC;oBACH,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;oBAC/D,MAAM,mBAAmB,CAAC;gBAC5B,CAAC;YACH,CAAC;YACD,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,sJAAsJ,CACxK,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { AuthenticationError, CredentialUnavailableError } from \"../errors.js\";\nimport { credentialLogger, formatError, formatSuccess, processEnvVars } from \"../util/logging.js\";\n\nimport { ClientCertificateCredential } from \"./clientCertificateCredential.js\";\nimport { ClientSecretCredential } from \"./clientSecretCredential.js\";\nimport type { EnvironmentCredentialOptions } from \"./environmentCredentialOptions.js\";\nimport { UsernamePasswordCredential } from \"./usernamePasswordCredential.js\";\nimport { checkTenantId } from \"../util/tenantIdUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\n/**\n * Contains the list of all supported environment variable names so that an\n * appropriate error message can be generated when no credentials can be\n * configured.\n *\n * @internal\n */\nexport const AllSupportedEnvironmentVariables = [\n  \"AZURE_TENANT_ID\",\n  \"AZURE_CLIENT_ID\",\n  \"AZURE_CLIENT_SECRET\",\n  \"AZURE_CLIENT_CERTIFICATE_PATH\",\n  \"AZURE_CLIENT_CERTIFICATE_PASSWORD\",\n  \"AZURE_USERNAME\",\n  \"AZURE_PASSWORD\",\n  \"AZURE_ADDITIONALLY_ALLOWED_TENANTS\",\n  \"AZURE_CLIENT_SEND_CERTIFICATE_CHAIN\",\n];\n\nfunction getAdditionallyAllowedTenants(): string[] {\n  const additionallyAllowedValues = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS ?? \"\";\n  return additionallyAllowedValues.split(\";\");\n}\n\nconst credentialName = \"EnvironmentCredential\";\nconst logger = credentialLogger(credentialName);\n\nexport function getSendCertificateChain(): boolean {\n  const sendCertificateChain = (\n    process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN ?? \"\"\n  ).toLowerCase();\n  const result = sendCertificateChain === \"true\" || sendCertificateChain === \"1\";\n  logger.verbose(\n    `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`,\n  );\n  return result;\n}\n\n/**\n * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user\n * with a username and password.\n */\nexport class EnvironmentCredential implements TokenCredential {\n  private _credential?:\n    | ClientSecretCredential\n    | ClientCertificateCredential\n    | UsernamePasswordCredential = undefined;\n  /**\n   * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.\n   *\n   * Required environment variables:\n   * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.\n   * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.\n   *\n   * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants\n   * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.\n   *\n   * Environment variables used for client credential authentication:\n   * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.\n   * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.\n   * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.\n   * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.\n   *\n   * Alternatively, users can provide environment variables for username and password authentication:\n   * - `AZURE_USERNAME`: Username to authenticate with.\n   * - `AZURE_PASSWORD`: Password to authenticate with.\n   *\n   * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.\n   * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.\n   *\n   * @param options - Options for configuring the client which makes the authentication request.\n   */\n  constructor(options?: EnvironmentCredentialOptions) {\n    // Keep track of any missing environment variables for error details\n\n    const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(\", \");\n    logger.info(`Found the following environment variables: ${assigned}`);\n\n    const tenantId = process.env.AZURE_TENANT_ID,\n      clientId = process.env.AZURE_CLIENT_ID,\n      clientSecret = process.env.AZURE_CLIENT_SECRET;\n\n    const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();\n    const sendCertificateChain = getSendCertificateChain();\n    const newOptions = { ...options, additionallyAllowedTenantIds, sendCertificateChain };\n\n    if (tenantId) {\n      checkTenantId(logger, tenantId);\n    }\n\n    if (tenantId && clientId && clientSecret) {\n      logger.info(\n        `Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`,\n      );\n      this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);\n      return;\n    }\n\n    const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;\n    const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;\n    if (tenantId && clientId && certificatePath) {\n      logger.info(\n        `Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`,\n      );\n      this._credential = new ClientCertificateCredential(\n        tenantId,\n        clientId,\n        { certificatePath, certificatePassword },\n        newOptions,\n      );\n      return;\n    }\n\n    const username = process.env.AZURE_USERNAME;\n    const password = process.env.AZURE_PASSWORD;\n    if (tenantId && clientId && username && password) {\n      logger.info(\n        `Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`,\n      );\n      this._credential = new UsernamePasswordCredential(\n        tenantId,\n        clientId,\n        username,\n        password,\n        newOptions,\n      );\n    }\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - Optional parameters. See {@link GetTokenOptions}.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {\n      if (this._credential) {\n        try {\n          const result = await this._credential.getToken(scopes, newOptions);\n          logger.getToken.info(formatSuccess(scopes));\n          return result;\n        } catch (err: any) {\n          const authenticationError = new AuthenticationError(400, {\n            error: `${credentialName} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,\n            error_description: err.message.toString().split(\"More details:\").join(\"\"),\n          });\n          logger.getToken.info(formatError(scopes, authenticationError));\n          throw authenticationError;\n        }\n      }\n      throw new CredentialUnavailableError(\n        `${credentialName} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,\n      );\n    });\n  }\n}\n"]}

package/dist/workerd/credentials/environmentCredentialOptions.d.ts

@@ -0,0 +1,9 @@
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Enables authentication to Microsoft Entra ID depending on the available environment variables.
+ * Defines options for the EnvironmentCredential class.
+ */
+export interface EnvironmentCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {
+}
+//# sourceMappingURL=environmentCredentialOptions.d.ts.map

package/dist/workerd/credentials/environmentCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"environmentCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/environmentCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;;GAGG;AACH,MAAM,WAAW,4BACf,SAAQ,iCAAiC,EACvC,0BAA0B;CAAG"}

package/dist/workerd/credentials/environmentCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=environmentCredentialOptions.js.map

package/dist/workerd/credentials/environmentCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"environmentCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/environmentCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Enables authentication to Microsoft Entra ID depending on the available environment variables.\n * Defines options for the EnvironmentCredential class.\n */\nexport interface EnvironmentCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    AuthorityValidationOptions {}\n"]}

package/dist/workerd/credentials/interactiveBrowserCredential.d.ts

@@ -0,0 +1,56 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { InteractiveBrowserCredentialInBrowserOptions, InteractiveBrowserCredentialNodeOptions } from "./interactiveBrowserCredentialOptions.js";
+import type { AuthenticationRecord } from "../msal/types.js";
+/**
+ * Enables authentication to Microsoft Entra ID inside of the web browser
+ * using the interactive login flow.
+ */
+export declare class InteractiveBrowserCredential implements TokenCredential {
+    private tenantId?;
+    private additionallyAllowedTenantIds;
+    private msalClient;
+    private disableAutomaticAuthentication?;
+    private browserCustomizationOptions;
+    private loginHint?;
+    /**
+     * Creates an instance of InteractiveBrowserCredential with the details needed.
+     *
+     * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).
+     *
+     * @param options - Options for configuring the client which makes the authentication requests.
+     */
+    constructor(options: InteractiveBrowserCredentialNodeOptions | InteractiveBrowserCredentialInBrowserOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the token can't be retrieved silently, this method will always generate a challenge for the user.
+     *
+     * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+     * PKCE is a security feature that mitigates authentication code interception attacks.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                  TokenCredential implementation might make.
+     */
+    authenticate(scopes: string | string[], options?: GetTokenOptions): Promise<AuthenticationRecord | undefined>;
+}
+//# sourceMappingURL=interactiveBrowserCredential.d.ts.map

package/dist/workerd/credentials/interactiveBrowserCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACtF,OAAO,KAAK,EACV,4CAA4C,EAC5C,uCAAuC,EACxC,MAAM,0CAA0C,CAAC;AAOlD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAU7D;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,8BAA8B,CAAC,CAAU;IACjD,OAAO,CAAC,2BAA2B,CAAyE;IAC5G,OAAO,CAAC,SAAS,CAAC,CAAS;IAE3B;;;;;;;;;;;OAWG;gBAED,OAAO,EAAE,uCAAuC,GAAG,4CAA4C;IAqCjG;;;;;;;;;;;OAWG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;IAuB9F;;;;;;;;;;;;OAYG;IACG,YAAY,CAChB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC;CAgB7C"}

package/dist/workerd/credentials/interactiveBrowserCredential.js

@@ -0,0 +1,91 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, resolveTenantId, } from "../util/tenantIdUtils.js";
+import { credentialLogger } from "../util/logging.js";
+import { ensureScopes } from "../util/scopeUtils.js";
+import { tracingClient } from "../util/tracing.js";
+import { createMsalClient } from "../msal/nodeFlows/msalClient.js";
+import { DeveloperSignOnClientId } from "../constants.js";
+const logger = credentialLogger("InteractiveBrowserCredential");
+/**
+ * Enables authentication to Microsoft Entra ID inside of the web browser
+ * using the interactive login flow.
+ */
+export class InteractiveBrowserCredential {
+    /**
+     * Creates an instance of InteractiveBrowserCredential with the details needed.
+     *
+     * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).
+     * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
+     * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
+     *
+     * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).
+     *
+     * @param options - Options for configuring the client which makes the authentication requests.
+     */
+    constructor(options) {
+        var _a, _b, _c, _d, _e;
+        this.tenantId = resolveTenantId(logger, options.tenantId, options.clientId);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        const msalClientOptions = Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger });
+        const ibcNodeOptions = options;
+        this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;
+        this.loginHint = ibcNodeOptions.loginHint;
+        if ((_a = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) {
+            if (!((_b = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b === void 0 ? void 0 : _b.parentWindowHandle)) {
+                throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
+            }
+            else {
+                msalClientOptions.brokerOptions = {
+                    enabled: true,
+                    parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
+                    legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
+                    useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount,
+                };
+            }
+        }
+        this.msalClient = createMsalClient((_e = options.clientId) !== null && _e !== void 0 ? _e : DeveloperSignOnClientId, this.tenantId, msalClientOptions);
+        this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
+        });
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the token can't be retrieved silently, this method will always generate a challenge for the user.
+     *
+     * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+     * PKCE is a security feature that mitigates authentication code interception attacks.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                  TokenCredential implementation might make.
+     */
+    async authenticate(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
+            const arrayScopes = ensureScopes(scopes);
+            await this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
+            return this.msalClient.getActiveAccount();
+        });
+    }
+}
+//# sourceMappingURL=interactiveBrowserCredential.js.map

package/dist/workerd/credentials/interactiveBrowserCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredential.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAOlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,8BAA8B,CAAC,CAAC;AAEhE;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IAQvC;;;;;;;;;;;OAWG;IACH,YACE,OAA+F;;QAE/F,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5E,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QAEF,MAAM,iBAAiB,mCAClB,OAAO,KACV,sBAAsB,EAAE,OAAO,EAC/B,MAAM,GACP,CAAC;QACF,MAAM,cAAc,GAAG,OAAkD,CAAC;QAC1E,IAAI,CAAC,2BAA2B,GAAG,cAAc,CAAC,2BAA2B,CAAC;QAC9E,IAAI,CAAC,SAAS,GAAG,cAAc,CAAC,SAAS,CAAC;QAC1C,IAAI,MAAA,cAAc,aAAd,cAAc,uBAAd,cAAc,CAAE,aAAa,0CAAE,OAAO,EAAE,CAAC;YAC3C,IAAI,CAAC,CAAA,MAAA,cAAc,aAAd,cAAc,uBAAd,cAAc,CAAE,aAAa,0CAAE,kBAAkB,CAAA,EAAE,CAAC;gBACvD,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,iBAAiB,CAAC,aAAa,GAAG;oBAChC,OAAO,EAAE,IAAI;oBACb,kBAAkB,EAAE,cAAc,CAAC,aAAa,CAAC,kBAAkB;oBACnE,0BAA0B,EAAE,MAAA,cAAc,CAAC,aAAa,0CAAE,0BAA0B;oBACpF,uBAAuB,EAAE,MAAA,cAAc,CAAC,aAAa,0CAAE,uBAAuB;iBAC/E,CAAC;YACJ,CAAC;QACH,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAChC,MAAA,OAAO,CAAC,QAAQ,mCAAI,uBAAuB,EAC3C,IAAI,CAAC,QAAQ,EACb,iBAAiB,CAClB,CAAC;QACF,IAAI,CAAC,8BAA8B,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,8BAA8B,CAAC;IAChF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC,WAAW,kCAC1D,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,EACnE,2BAA2B,EAAE,IAAI,CAAC,2BAA2B,EAC7D,SAAS,EAAE,IAAI,CAAC,SAAS,IACzB,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,YAAY,CAChB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,EACvC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,MAAM,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC,WAAW,kCACzD,UAAU,KACb,8BAA8B,EAAE,KAAK,EACrC,2BAA2B,EAAE,IAAI,CAAC,2BAA2B,EAC7D,SAAS,EAAE,IAAI,CAAC,SAAS,IACzB,CAAC;YACH,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;QAC5C,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type {\n  InteractiveBrowserCredentialInBrowserOptions,\n  InteractiveBrowserCredentialNodeOptions,\n} from \"./interactiveBrowserCredentialOptions.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { AuthenticationRecord } from \"../msal/types.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\n\nconst logger = credentialLogger(\"InteractiveBrowserCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID inside of the web browser\n * using the interactive login flow.\n */\nexport class InteractiveBrowserCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private msalClient: MsalClient;\n  private disableAutomaticAuthentication?: boolean;\n  private browserCustomizationOptions: InteractiveBrowserCredentialNodeOptions[\"browserCustomizationOptions\"];\n  private loginHint?: string;\n\n  /**\n   * Creates an instance of InteractiveBrowserCredential with the details needed.\n   *\n   * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).\n   * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.\n   * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.\n   *\n   * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a \"Mobile and desktop applications\" redirect endpoint.\n   * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).\n   *\n   * @param options - Options for configuring the client which makes the authentication requests.\n   */\n  constructor(\n    options: InteractiveBrowserCredentialNodeOptions | InteractiveBrowserCredentialInBrowserOptions,\n  ) {\n    this.tenantId = resolveTenantId(logger, options.tenantId, options.clientId);\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n    };\n    const ibcNodeOptions = options as InteractiveBrowserCredentialNodeOptions;\n    this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;\n    this.loginHint = ibcNodeOptions.loginHint;\n    if (ibcNodeOptions?.brokerOptions?.enabled) {\n      if (!ibcNodeOptions?.brokerOptions?.parentWindowHandle) {\n        throw new Error(\n          \"In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter\",\n        );\n      } else {\n        msalClientOptions.brokerOptions = {\n          enabled: true,\n          parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,\n          legacyEnableMsaPassthrough: ibcNodeOptions.brokerOptions?.legacyEnableMsaPassthrough,\n          useDefaultBrokerAccount: ibcNodeOptions.brokerOptions?.useDefaultBrokerAccount,\n        };\n      }\n    }\n    this.msalClient = createMsalClient(\n      options.clientId ?? DeveloperSignOnClientId,\n      this.tenantId,\n      msalClientOptions,\n    );\n    this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the user provided the option `disableAutomaticAuthentication`,\n   * once the token can't be retrieved silently,\n   * this method won't attempt to request user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByInteractiveRequest(arrayScopes, {\n          ...newOptions,\n          disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n          browserCustomizationOptions: this.browserCustomizationOptions,\n          loginHint: this.loginHint,\n        });\n      },\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the token can't be retrieved silently, this method will always generate a challenge for the user.\n   *\n   * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.\n   * PKCE is a security feature that mitigates authentication code interception attacks.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                  TokenCredential implementation might make.\n   */\n  async authenticate(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AuthenticationRecord | undefined> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.authenticate`,\n      options,\n      async (newOptions) => {\n        const arrayScopes = ensureScopes(scopes);\n        await this.msalClient.getTokenByInteractiveRequest(arrayScopes, {\n          ...newOptions,\n          disableAutomaticAuthentication: false, // this method should always allow user interaction\n          browserCustomizationOptions: this.browserCustomizationOptions,\n          loginHint: this.loginHint,\n        });\n        return this.msalClient.getActiveAccount();\n      },\n    );\n  }\n}\n"]}

package/dist/workerd/credentials/interactiveBrowserCredentialOptions.d.ts

@@ -0,0 +1,77 @@
+import type { BrowserCustomizationOptions } from "./browserCustomizationOptions.js";
+import type { BrokerAuthOptions } from "./brokerAuthOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { InteractiveCredentialOptions } from "./interactiveCredentialOptions.js";
+/**
+ * (Browser-only feature)
+ * The "login style" to use in the authentication flow:
+ * - "redirect" redirects the user to the authentication page and then
+ *   redirects them back to the page once authentication is completed.
+ * - "popup" opens a new browser window through with the redirect flow
+ *   is initiated.  The user's existing browser window does not leave
+ *   the current page
+ */
+export type BrowserLoginStyle = "redirect" | "popup";
+/**
+ * Defines the common options for the InteractiveBrowserCredential class.
+ */
+export interface InteractiveBrowserCredentialNodeOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions, BrowserCustomizationOptions, BrokerAuthOptions {
+    /**
+     * Gets the redirect URI of the application. This should be same as the value
+     * in the application registration portal.  Defaults to `window.location.href`.
+     * This field is no longer required for Node.js.
+     */
+    redirectUri?: string | (() => string);
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId?: string;
+    /**
+     * The Client ID of the Microsoft Entra application that users will sign into.
+     * It is recommended that developers register their applications and assign appropriate roles.
+     * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
+     * If not specified, users will authenticate to an Azure development application,
+     * which is not recommended for production scenarios.
+     */
+    clientId?: string;
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
+/**
+ * Defines the common options for the InteractiveBrowserCredential class.
+ */
+export interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {
+    /**
+     * Gets the redirect URI of the application. This should be same as the value
+     * in the application registration portal.  Defaults to `window.location.href`.
+     * This field is no longer required for Node.js.
+     */
+    redirectUri?: string | (() => string);
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId?: string;
+    /**
+     * The Client ID of the Microsoft Entra application that users will sign into.
+     * This parameter is required on the browser.
+     * Developers need to register their applications and assign appropriate roles.
+     * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
+     */
+    clientId: string;
+    /**
+     * Specifies whether a redirect or a popup window should be used to
+     * initiate the user authentication flow. Possible values are "redirect"
+     * or "popup" (default) for browser and "popup" (default) for node.
+     *
+     */
+    loginStyle?: BrowserLoginStyle;
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
+//# sourceMappingURL=interactiveBrowserCredentialOptions.d.ts.map

package/dist/workerd/credentials/interactiveBrowserCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AACpF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAEtF;;;;;;;;GAQG;AACH,MAAM,MAAM,iBAAiB,GAAG,UAAU,GAAG,OAAO,CAAC;AAErD;;GAEG;AACH,MAAM,WAAW,uCACf,SAAQ,4BAA4B,EAClC,4BAA4B,EAC5B,2BAA2B,EAC3B,iBAAiB;IACnB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;IAEtC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,4CAA6C,SAAQ,4BAA4B;IAChG;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;IAEtC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAE/B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}

package/dist/workerd/credentials/interactiveBrowserCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=interactiveBrowserCredentialOptions.js.map

package/dist/workerd/credentials/interactiveBrowserCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { BrowserCustomizationOptions } from \"./browserCustomizationOptions.js\";\nimport type { BrokerAuthOptions } from \"./brokerAuthOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { InteractiveCredentialOptions } from \"./interactiveCredentialOptions.js\";\n\n/**\n * (Browser-only feature)\n * The \"login style\" to use in the authentication flow:\n * - \"redirect\" redirects the user to the authentication page and then\n *   redirects them back to the page once authentication is completed.\n * - \"popup\" opens a new browser window through with the redirect flow\n *   is initiated.  The user's existing browser window does not leave\n *   the current page\n */\nexport type BrowserLoginStyle = \"redirect\" | \"popup\";\n\n/**\n * Defines the common options for the InteractiveBrowserCredential class.\n */\nexport interface InteractiveBrowserCredentialNodeOptions\n  extends InteractiveCredentialOptions,\n    CredentialPersistenceOptions,\n    BrowserCustomizationOptions,\n    BrokerAuthOptions {\n  /**\n   * Gets the redirect URI of the application. This should be same as the value\n   * in the application registration portal.  Defaults to `window.location.href`.\n   * This field is no longer required for Node.js.\n   */\n  redirectUri?: string | (() => string);\n\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId?: string;\n\n  /**\n   * The Client ID of the Microsoft Entra application that users will sign into.\n   * It is recommended that developers register their applications and assign appropriate roles.\n   * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.\n   * If not specified, users will authenticate to an Azure development application,\n   * which is not recommended for production scenarios.\n   */\n  clientId?: string;\n\n  /**\n   * loginHint allows a user name to be pre-selected for interactive logins.\n   * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n   */\n  loginHint?: string;\n}\n\n/**\n * Defines the common options for the InteractiveBrowserCredential class.\n */\nexport interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {\n  /**\n   * Gets the redirect URI of the application. This should be same as the value\n   * in the application registration portal.  Defaults to `window.location.href`.\n   * This field is no longer required for Node.js.\n   */\n  redirectUri?: string | (() => string);\n\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId?: string;\n\n  /**\n   * The Client ID of the Microsoft Entra application that users will sign into.\n   * This parameter is required on the browser.\n   * Developers need to register their applications and assign appropriate roles.\n   * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.\n   */\n  clientId: string;\n\n  /**\n   * Specifies whether a redirect or a popup window should be used to\n   * initiate the user authentication flow. Possible values are \"redirect\"\n   * or \"popup\" (default) for browser and \"popup\" (default) for node.\n   *\n   */\n  loginStyle?: BrowserLoginStyle;\n\n  /**\n   * loginHint allows a user name to be pre-selected for interactive logins.\n   * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n   */\n  loginHint?: string;\n}\n"]}

package/dist/workerd/credentials/interactiveCredentialOptions.d.ts

@@ -0,0 +1,25 @@
+import type { AuthenticationRecord } from "../msal/types.js";
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Common constructor options for the Identity credentials that requires user interaction.
+ */
+export interface InteractiveCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {
+    /**
+     * Result of a previous authentication that can be used to retrieve the cached credentials of each individual account.
+     * This is necessary to provide in case the application wants to work with more than one account per
+     * Client ID and Tenant ID pair.
+     *
+     * This record can be retrieved by calling to the credential's `authenticate()` method, as follows:
+     *
+     *     const authenticationRecord = await credential.authenticate();
+     *
+     */
+    authenticationRecord?: AuthenticationRecord;
+    /**
+     * Makes getToken throw if a manual authentication is necessary.
+     * Developers will need to call to `authenticate()` to control when to manually authenticate.
+     */
+    disableAutomaticAuthentication?: boolean;
+}
+//# sourceMappingURL=interactiveCredentialOptions.d.ts.map

package/dist/workerd/credentials/interactiveCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/interactiveCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,4BACf,SAAQ,iCAAiC,EACvC,0BAA0B;IAC5B;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAE5C;;;OAGG;IACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;CAC1C"}

package/dist/workerd/credentials/interactiveCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=interactiveCredentialOptions.js.map

package/dist/workerd/credentials/interactiveCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthenticationRecord } from \"../msal/types.js\";\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Common constructor options for the Identity credentials that requires user interaction.\n */\nexport interface InteractiveCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    AuthorityValidationOptions {\n  /**\n   * Result of a previous authentication that can be used to retrieve the cached credentials of each individual account.\n   * This is necessary to provide in case the application wants to work with more than one account per\n   * Client ID and Tenant ID pair.\n   *\n   * This record can be retrieved by calling to the credential's `authenticate()` method, as follows:\n   *\n   *     const authenticationRecord = await credential.authenticate();\n   *\n   */\n  authenticationRecord?: AuthenticationRecord;\n\n  /**\n   * Makes getToken throw if a manual authentication is necessary.\n   * Developers will need to call to `authenticate()` to control when to manually authenticate.\n   */\n  disableAutomaticAuthentication?: boolean;\n}\n"]}

package/dist/workerd/credentials/managedIdentityCredential/imdsMsi.d.ts

@@ -0,0 +1,18 @@
+import type { GetTokenOptions } from "@azure/core-auth";
+import type { IdentityClient } from "../../client/identityClient.js";
+/**
+ * Defines how to determine whether the Azure IMDS MSI is available.
+ *
+ * Actually getting the token once we determine IMDS is available is handled by MSAL.
+ */
+export declare const imdsMsi: {
+    name: string;
+    isAvailable(options: {
+        scopes: string | string[];
+        identityClient?: IdentityClient;
+        clientId?: string;
+        resourceId?: string;
+        getTokenOptions?: GetTokenOptions;
+    }): Promise<boolean>;
+};
+//# sourceMappingURL=imdsMsi.d.ts.map

package/dist/workerd/credentials/managedIdentityCredential/imdsMsi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"imdsMsi.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAIxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAmCrE;;;;GAIG;AACH,eAAO,MAAM,OAAO;;yBAES;QACzB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAC1B,cAAc,CAAC,EAAE,cAAc,CAAC;QAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,eAAe,CAAC,EAAE,eAAe,CAAC;KACnC,GAAG,OAAO,CAAC,OAAO,CAAC;CAgErB,CAAC"}