@depup/azure__identity 4.13.0-depup.0

package/dist/esm/credentials/interactiveBrowserCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredential.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAOlC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,8BAA8B,CAAC,CAAC;AAEhE;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IAC/B,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,UAAU,CAAa;IACvB,8BAA8B,CAAW;IACzC,2BAA2B,CAAyE;IACpG,SAAS,CAAU;IAE3B;;;;;;;;;;;OAWG;IACH,YACE,OAA+F;QAE/F,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5E,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QAEF,MAAM,iBAAiB,GAAsB;YAC3C,GAAG,OAAO;YACV,sBAAsB,EAAE,OAAO;YAC/B,MAAM;SACP,CAAC;QACF,MAAM,cAAc,GAAG,OAAkD,CAAC;QAC1E,IAAI,CAAC,2BAA2B,GAAG,cAAc,CAAC,2BAA2B,CAAC;QAC9E,IAAI,CAAC,SAAS,GAAG,cAAc,CAAC,SAAS,CAAC;QAC1C,IAAI,cAAc,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC;YAC3C,IAAI,CAAC,cAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,CAAC;gBACvD,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,iBAAiB,CAAC,aAAa,GAAG;oBAChC,OAAO,EAAE,IAAI;oBACb,kBAAkB,EAAE,cAAc,CAAC,aAAa,CAAC,kBAAkB;oBACnE,0BAA0B,EAAE,cAAc,CAAC,aAAa,EAAE,0BAA0B;oBACpF,uBAAuB,EAAE,cAAc,CAAC,aAAa,EAAE,uBAAuB;iBAC/E,CAAC;YACJ,CAAC;QACH,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAChC,OAAO,CAAC,QAAQ,IAAI,uBAAuB,EAC3C,IAAI,CAAC,QAAQ,EACb,iBAAiB,CAClB,CAAC;QACF,IAAI,CAAC,8BAA8B,GAAG,OAAO,EAAE,8BAA8B,CAAC;IAChF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,UAAU,CAAC,QAAQ,GAAG,yBAAyB,CAC7C,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,EACjC,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC,WAAW,EAAE;gBAC/D,GAAG,UAAU;gBACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B;gBACnE,2BAA2B,EAAE,IAAI,CAAC,2BAA2B;gBAC7D,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,YAAY,CAChB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,aAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,EACvC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,MAAM,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC,WAAW,EAAE;gBAC9D,GAAG,UAAU;gBACb,8BAA8B,EAAE,KAAK,EAAE,mDAAmD;gBAC1F,2BAA2B,EAAE,IAAI,CAAC,2BAA2B;gBAC7D,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;QAC5C,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport type {\n  InteractiveBrowserCredentialInBrowserOptions,\n  InteractiveBrowserCredentialNodeOptions,\n} from \"./interactiveBrowserCredentialOptions.js\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n  resolveTenantId,\n} from \"../util/tenantIdUtils.js\";\n\nimport type { AuthenticationRecord } from \"../msal/types.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient, MsalClientOptions } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { DeveloperSignOnClientId } from \"../constants.js\";\n\nconst logger = credentialLogger(\"InteractiveBrowserCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID inside of the web browser\n * using the interactive login flow.\n */\nexport class InteractiveBrowserCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private msalClient: MsalClient;\n  private disableAutomaticAuthentication?: boolean;\n  private browserCustomizationOptions: InteractiveBrowserCredentialNodeOptions[\"browserCustomizationOptions\"];\n  private loginHint?: string;\n\n  /**\n   * Creates an instance of InteractiveBrowserCredential with the details needed.\n   *\n   * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).\n   * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.\n   * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.\n   *\n   * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a \"Mobile and desktop applications\" redirect endpoint.\n   * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).\n   *\n   * @param options - Options for configuring the client which makes the authentication requests.\n   */\n  constructor(\n    options: InteractiveBrowserCredentialNodeOptions | InteractiveBrowserCredentialInBrowserOptions,\n  ) {\n    this.tenantId = resolveTenantId(logger, options.tenantId, options.clientId);\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    const msalClientOptions: MsalClientOptions = {\n      ...options,\n      tokenCredentialOptions: options,\n      logger,\n    };\n    const ibcNodeOptions = options as InteractiveBrowserCredentialNodeOptions;\n    this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;\n    this.loginHint = ibcNodeOptions.loginHint;\n    if (ibcNodeOptions?.brokerOptions?.enabled) {\n      if (!ibcNodeOptions?.brokerOptions?.parentWindowHandle) {\n        throw new Error(\n          \"In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter\",\n        );\n      } else {\n        msalClientOptions.brokerOptions = {\n          enabled: true,\n          parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,\n          legacyEnableMsaPassthrough: ibcNodeOptions.brokerOptions?.legacyEnableMsaPassthrough,\n          useDefaultBrokerAccount: ibcNodeOptions.brokerOptions?.useDefaultBrokerAccount,\n        };\n      }\n    }\n    this.msalClient = createMsalClient(\n      options.clientId ?? DeveloperSignOnClientId,\n      this.tenantId,\n      msalClientOptions,\n    );\n    this.disableAutomaticAuthentication = options?.disableAutomaticAuthentication;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the user provided the option `disableAutomaticAuthentication`,\n   * once the token can't be retrieved silently,\n   * this method won't attempt to request user interaction to retrieve the token.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        newOptions.tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n          logger,\n        );\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByInteractiveRequest(arrayScopes, {\n          ...newOptions,\n          disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n          browserCustomizationOptions: this.browserCustomizationOptions,\n          loginHint: this.loginHint,\n        });\n      },\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * If the token can't be retrieved silently, this method will always generate a challenge for the user.\n   *\n   * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.\n   * PKCE is a security feature that mitigates authentication code interception attacks.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                  TokenCredential implementation might make.\n   */\n  async authenticate(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AuthenticationRecord | undefined> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.authenticate`,\n      options,\n      async (newOptions) => {\n        const arrayScopes = ensureScopes(scopes);\n        await this.msalClient.getTokenByInteractiveRequest(arrayScopes, {\n          ...newOptions,\n          disableAutomaticAuthentication: false, // this method should always allow user interaction\n          browserCustomizationOptions: this.browserCustomizationOptions,\n          loginHint: this.loginHint,\n        });\n        return this.msalClient.getActiveAccount();\n      },\n    );\n  }\n}\n"]}

package/dist/esm/credentials/interactiveBrowserCredentialOptions.d.ts

@@ -0,0 +1,77 @@
+import type { BrowserCustomizationOptions } from "./browserCustomizationOptions.js";
+import type { BrokerAuthOptions } from "./brokerAuthOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { InteractiveCredentialOptions } from "./interactiveCredentialOptions.js";
+/**
+ * (Browser-only feature)
+ * The "login style" to use in the authentication flow:
+ * - "redirect" redirects the user to the authentication page and then
+ *   redirects them back to the page once authentication is completed.
+ * - "popup" opens a new browser window through with the redirect flow
+ *   is initiated.  The user's existing browser window does not leave
+ *   the current page
+ */
+export type BrowserLoginStyle = "redirect" | "popup";
+/**
+ * Defines the common options for the InteractiveBrowserCredential class.
+ */
+export interface InteractiveBrowserCredentialNodeOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions, BrowserCustomizationOptions, BrokerAuthOptions {
+    /**
+     * Gets the redirect URI of the application. This should be same as the value
+     * in the application registration portal.  Defaults to `window.location.href`.
+     * This field is no longer required for Node.js.
+     */
+    redirectUri?: string | (() => string);
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId?: string;
+    /**
+     * The Client ID of the Microsoft Entra application that users will sign into.
+     * It is recommended that developers register their applications and assign appropriate roles.
+     * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
+     * If not specified, users will authenticate to an Azure development application,
+     * which is not recommended for production scenarios.
+     */
+    clientId?: string;
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
+/**
+ * Defines the common options for the InteractiveBrowserCredential class.
+ */
+export interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {
+    /**
+     * Gets the redirect URI of the application. This should be same as the value
+     * in the application registration portal.  Defaults to `window.location.href`.
+     * This field is no longer required for Node.js.
+     */
+    redirectUri?: string | (() => string);
+    /**
+     * The Microsoft Entra tenant (directory) ID.
+     */
+    tenantId?: string;
+    /**
+     * The Client ID of the Microsoft Entra application that users will sign into.
+     * This parameter is required on the browser.
+     * Developers need to register their applications and assign appropriate roles.
+     * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
+     */
+    clientId: string;
+    /**
+     * Specifies whether a redirect or a popup window should be used to
+     * initiate the user authentication flow. Possible values are "redirect"
+     * or "popup" (default) for browser and "popup" (default) for node.
+     *
+     */
+    loginStyle?: BrowserLoginStyle;
+    /**
+     * loginHint allows a user name to be pre-selected for interactive logins.
+     * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
+     */
+    loginHint?: string;
+}
+//# sourceMappingURL=interactiveBrowserCredentialOptions.d.ts.map

package/dist/esm/credentials/interactiveBrowserCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AACpF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAEtF;;;;;;;;GAQG;AACH,MAAM,MAAM,iBAAiB,GAAG,UAAU,GAAG,OAAO,CAAC;AAErD;;GAEG;AACH,MAAM,WAAW,uCACf,SAAQ,4BAA4B,EAClC,4BAA4B,EAC5B,2BAA2B,EAC3B,iBAAiB;IACnB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;IAEtC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,4CAA6C,SAAQ,4BAA4B;IAChG;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;IAEtC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAE/B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}

package/dist/esm/credentials/interactiveBrowserCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=interactiveBrowserCredentialOptions.js.map

package/dist/esm/credentials/interactiveBrowserCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveBrowserCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { BrowserCustomizationOptions } from \"./browserCustomizationOptions.js\";\nimport type { BrokerAuthOptions } from \"./brokerAuthOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { InteractiveCredentialOptions } from \"./interactiveCredentialOptions.js\";\n\n/**\n * (Browser-only feature)\n * The \"login style\" to use in the authentication flow:\n * - \"redirect\" redirects the user to the authentication page and then\n *   redirects them back to the page once authentication is completed.\n * - \"popup\" opens a new browser window through with the redirect flow\n *   is initiated.  The user's existing browser window does not leave\n *   the current page\n */\nexport type BrowserLoginStyle = \"redirect\" | \"popup\";\n\n/**\n * Defines the common options for the InteractiveBrowserCredential class.\n */\nexport interface InteractiveBrowserCredentialNodeOptions\n  extends InteractiveCredentialOptions,\n    CredentialPersistenceOptions,\n    BrowserCustomizationOptions,\n    BrokerAuthOptions {\n  /**\n   * Gets the redirect URI of the application. This should be same as the value\n   * in the application registration portal.  Defaults to `window.location.href`.\n   * This field is no longer required for Node.js.\n   */\n  redirectUri?: string | (() => string);\n\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId?: string;\n\n  /**\n   * The Client ID of the Microsoft Entra application that users will sign into.\n   * It is recommended that developers register their applications and assign appropriate roles.\n   * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.\n   * If not specified, users will authenticate to an Azure development application,\n   * which is not recommended for production scenarios.\n   */\n  clientId?: string;\n\n  /**\n   * loginHint allows a user name to be pre-selected for interactive logins.\n   * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n   */\n  loginHint?: string;\n}\n\n/**\n * Defines the common options for the InteractiveBrowserCredential class.\n */\nexport interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {\n  /**\n   * Gets the redirect URI of the application. This should be same as the value\n   * in the application registration portal.  Defaults to `window.location.href`.\n   * This field is no longer required for Node.js.\n   */\n  redirectUri?: string | (() => string);\n\n  /**\n   * The Microsoft Entra tenant (directory) ID.\n   */\n  tenantId?: string;\n\n  /**\n   * The Client ID of the Microsoft Entra application that users will sign into.\n   * This parameter is required on the browser.\n   * Developers need to register their applications and assign appropriate roles.\n   * For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.\n   */\n  clientId: string;\n\n  /**\n   * Specifies whether a redirect or a popup window should be used to\n   * initiate the user authentication flow. Possible values are \"redirect\"\n   * or \"popup\" (default) for browser and \"popup\" (default) for node.\n   *\n   */\n  loginStyle?: BrowserLoginStyle;\n\n  /**\n   * loginHint allows a user name to be pre-selected for interactive logins.\n   * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n   */\n  loginHint?: string;\n}\n"]}

package/dist/esm/credentials/interactiveCredentialOptions.d.ts

@@ -0,0 +1,25 @@
+import type { AuthenticationRecord } from "../msal/types.js";
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Common constructor options for the Identity credentials that requires user interaction.
+ */
+export interface InteractiveCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {
+    /**
+     * Result of a previous authentication that can be used to retrieve the cached credentials of each individual account.
+     * This is necessary to provide in case the application wants to work with more than one account per
+     * Client ID and Tenant ID pair.
+     *
+     * This record can be retrieved by calling to the credential's `authenticate()` method, as follows:
+     *
+     *     const authenticationRecord = await credential.authenticate();
+     *
+     */
+    authenticationRecord?: AuthenticationRecord;
+    /**
+     * Makes getToken throw if a manual authentication is necessary.
+     * Developers will need to call to `authenticate()` to control when to manually authenticate.
+     */
+    disableAutomaticAuthentication?: boolean;
+}
+//# sourceMappingURL=interactiveCredentialOptions.d.ts.map

package/dist/esm/credentials/interactiveCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/interactiveCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,4BACf,SAAQ,iCAAiC,EACvC,0BAA0B;IAC5B;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAE5C;;;OAGG;IACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;CAC1C"}

package/dist/esm/credentials/interactiveCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=interactiveCredentialOptions.js.map

package/dist/esm/credentials/interactiveCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactiveCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthenticationRecord } from \"../msal/types.js\";\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Common constructor options for the Identity credentials that requires user interaction.\n */\nexport interface InteractiveCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    AuthorityValidationOptions {\n  /**\n   * Result of a previous authentication that can be used to retrieve the cached credentials of each individual account.\n   * This is necessary to provide in case the application wants to work with more than one account per\n   * Client ID and Tenant ID pair.\n   *\n   * This record can be retrieved by calling to the credential's `authenticate()` method, as follows:\n   *\n   *     const authenticationRecord = await credential.authenticate();\n   *\n   */\n  authenticationRecord?: AuthenticationRecord;\n\n  /**\n   * Makes getToken throw if a manual authentication is necessary.\n   * Developers will need to call to `authenticate()` to control when to manually authenticate.\n   */\n  disableAutomaticAuthentication?: boolean;\n}\n"]}

package/dist/esm/credentials/managedIdentityCredential/imdsMsi.d.ts

@@ -0,0 +1,18 @@
+import type { GetTokenOptions } from "@azure/core-auth";
+import type { IdentityClient } from "../../client/identityClient.js";
+/**
+ * Defines how to determine whether the Azure IMDS MSI is available.
+ *
+ * Actually getting the token once we determine IMDS is available is handled by MSAL.
+ */
+export declare const imdsMsi: {
+    name: string;
+    isAvailable(options: {
+        scopes: string | string[];
+        identityClient?: IdentityClient;
+        clientId?: string;
+        resourceId?: string;
+        getTokenOptions?: GetTokenOptions;
+    }): Promise<boolean>;
+};
+//# sourceMappingURL=imdsMsi.d.ts.map

package/dist/esm/credentials/managedIdentityCredential/imdsMsi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"imdsMsi.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAIxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAmCrE;;;;GAIG;AACH,eAAO,MAAM,OAAO;;yBAES;QACzB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAC1B,cAAc,CAAC,EAAE,cAAc,CAAC;QAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,eAAe,CAAC,EAAE,eAAe,CAAC;KACnC,GAAG,OAAO,CAAC,OAAO,CAAC;CAgErB,CAAC"}

package/dist/esm/credentials/managedIdentityCredential/imdsMsi.js

@@ -0,0 +1,97 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline";
+import { isError } from "@azure/core-util";
+import { credentialLogger } from "../../util/logging.js";
+import { mapScopesToResource } from "./utils.js";
+import { tracingClient } from "../../util/tracing.js";
+const msiName = "ManagedIdentityCredential - IMDS";
+const logger = credentialLogger(msiName);
+const imdsHost = "http://169.254.169.254";
+const imdsEndpointPath = "/metadata/identity/oauth2/token";
+/**
+ * Generates an invalid request options to get a response quickly from IMDS endpoint.
+ * The response indicates the availability of IMSD service; otherwise the request would time out.
+ */
+function prepareInvalidRequestOptions(scopes) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    const url = new URL(imdsEndpointPath, process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST ?? imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        // intentionally leave out the Metadata header to invoke an error from IMDS endpoint.
+    };
+    return {
+        // intentionally not including any query
+        url: `${url}`,
+        method: "GET",
+        headers: createHttpHeaders(rawHeaders),
+    };
+}
+/**
+ * Defines how to determine whether the Azure IMDS MSI is available.
+ *
+ * Actually getting the token once we determine IMDS is available is handled by MSAL.
+ */
+export const imdsMsi = {
+    name: "imdsMsi",
+    async isAvailable(options) {
+        const { scopes, identityClient, getTokenOptions } = options;
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            return true;
+        }
+        if (!identityClient) {
+            throw new Error("Missing IdentityClient");
+        }
+        const requestOptions = prepareInvalidRequestOptions(resource);
+        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions ?? {}, async (updatedOptions) => {
+            requestOptions.tracingOptions = updatedOptions.tracingOptions;
+            // Create a request with a timeout since we expect that
+            // not having a "Metadata" header should cause an error to be
+            // returned quickly from the endpoint, proving its availability.
+            const request = createPipelineRequest(requestOptions);
+            // Default to 1000 if the default of 0 is used.
+            // Negative values can still be used to disable the timeout.
+            request.timeout = updatedOptions.requestOptions?.timeout || 1000;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
+            let response;
+            try {
+                logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);
+                response = await identityClient.sendRequest(request);
+            }
+            catch (err) {
+                // If the request failed, or Node.js was unable to establish a connection,
+                // or the host was down, we'll assume the IMDS endpoint isn't available.
+                if (isError(err)) {
+                    logger.verbose(`${msiName}: Caught error ${err.name}: ${err.message}`);
+                }
+                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
+                // rather than just timing out, as expected.
+                logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);
+                return false;
+            }
+            if (response.status === 403) {
+                if (response.bodyAsText?.includes("unreachable")) {
+                    logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);
+                    logger.info(`${msiName}: ${response.bodyAsText}`);
+                    return false;
+                }
+            }
+            // If we received any response, the endpoint is available
+            logger.info(`${msiName}: The Azure IMDS endpoint is available`);
+            return true;
+        });
+    },
+};
+//# sourceMappingURL=imdsMsi.js.map

package/dist/esm/credentials/managedIdentityCredential/imdsMsi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"imdsMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,MAAM,OAAO,GAAG,kCAAkC,CAAC;AACnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,MAAM,QAAQ,GAAG,wBAAwB,CAAC;AAC1C,MAAM,gBAAgB,GAAG,iCAAiC,CAAC;AAE3D;;;GAGG;AACH,SAAS,4BAA4B,CAAC,MAAyB;IAC7D,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;IACpE,CAAC;IAED,wFAAwF;IACxF,iGAAiG;IACjG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,iCAAiC,IAAI,QAAQ,CAAC,CAAC;IAEjG,MAAM,UAAU,GAA2B;QACzC,MAAM,EAAE,kBAAkB;QAC1B,qFAAqF;KACtF,CAAC;IAEF,OAAO;QACL,wCAAwC;QACxC,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC,UAAU,CAAC;KACvC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG;IACrB,IAAI,EAAE,SAAS;IACf,KAAK,CAAC,WAAW,CAAC,OAMjB;QACC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;QAC5D,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,oHAAoH;QACpH,IAAI,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,cAAc,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;QAE9D,OAAO,aAAa,CAAC,QAAQ,CAC3B,4CAA4C,EAC5C,eAAe,IAAI,EAAE,EACrB,KAAK,EAAE,cAAc,EAAE,EAAE;YACvB,cAAc,CAAC,cAAc,GAAG,cAAc,CAAC,cAAc,CAAC;YAE9D,uDAAuD;YACvD,6DAA6D;YAC7D,gEAAgE;YAChE,MAAM,OAAO,GAAG,qBAAqB,CAAC,cAAc,CAAC,CAAC;YAEtD,+CAA+C;YAC/C,4DAA4D;YAC5D,OAAO,CAAC,OAAO,GAAG,cAAc,CAAC,cAAc,EAAE,OAAO,IAAI,IAAI,CAAC;YAEjE,2EAA2E;YAC3E,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;YACvC,IAAI,QAA0B,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mCAAmC,CAAC,CAAC;gBAC3D,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,0EAA0E;gBAC1E,wEAAwE;gBACxE,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjB,MAAM,CAAC,OAAO,CAAC,GAAG,OAAO,kBAAkB,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACzE,CAAC;gBACD,6NAA6N;gBAC7N,4CAA4C;gBAC5C,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,0CAA0C,CAAC,CAAC;gBAClE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,IAAI,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBACjD,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,0CAA0C,CAAC,CAAC;oBAClE,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;oBAClD,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YACD,yDAAyD;YACzD,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,wCAAwC,CAAC,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC,CACF,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { PipelineRequestOptions, PipelineResponse } from \"@azure/core-rest-pipeline\";\nimport { createHttpHeaders, createPipelineRequest } from \"@azure/core-rest-pipeline\";\nimport { isError } from \"@azure/core-util\";\n\nimport type { GetTokenOptions } from \"@azure/core-auth\";\nimport { credentialLogger } from \"../../util/logging.js\";\nimport { mapScopesToResource } from \"./utils.js\";\nimport { tracingClient } from \"../../util/tracing.js\";\nimport type { IdentityClient } from \"../../client/identityClient.js\";\n\nconst msiName = \"ManagedIdentityCredential - IMDS\";\nconst logger = credentialLogger(msiName);\n\nconst imdsHost = \"http://169.254.169.254\";\nconst imdsEndpointPath = \"/metadata/identity/oauth2/token\";\n\n/**\n * Generates an invalid request options to get a response quickly from IMDS endpoint.\n * The response indicates the availability of IMSD service; otherwise the request would time out.\n */\nfunction prepareInvalidRequestOptions(scopes: string | string[]): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  // Pod Identity will try to process this request even if the Metadata header is missing.\n  // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.\n  const url = new URL(imdsEndpointPath, process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST ?? imdsHost);\n\n  const rawHeaders: Record<string, string> = {\n    Accept: \"application/json\",\n    // intentionally leave out the Metadata header to invoke an error from IMDS endpoint.\n  };\n\n  return {\n    // intentionally not including any query\n    url: `${url}`,\n    method: \"GET\",\n    headers: createHttpHeaders(rawHeaders),\n  };\n}\n\n/**\n * Defines how to determine whether the Azure IMDS MSI is available.\n *\n * Actually getting the token once we determine IMDS is available is handled by MSAL.\n */\nexport const imdsMsi = {\n  name: \"imdsMsi\",\n  async isAvailable(options: {\n    scopes: string | string[];\n    identityClient?: IdentityClient;\n    clientId?: string;\n    resourceId?: string;\n    getTokenOptions?: GetTokenOptions;\n  }): Promise<boolean> {\n    const { scopes, identityClient, getTokenOptions } = options;\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n\n    // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist\n    if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {\n      return true;\n    }\n\n    if (!identityClient) {\n      throw new Error(\"Missing IdentityClient\");\n    }\n\n    const requestOptions = prepareInvalidRequestOptions(resource);\n\n    return tracingClient.withSpan(\n      \"ManagedIdentityCredential-pingImdsEndpoint\",\n      getTokenOptions ?? {},\n      async (updatedOptions) => {\n        requestOptions.tracingOptions = updatedOptions.tracingOptions;\n\n        // Create a request with a timeout since we expect that\n        // not having a \"Metadata\" header should cause an error to be\n        // returned quickly from the endpoint, proving its availability.\n        const request = createPipelineRequest(requestOptions);\n\n        // Default to 1000 if the default of 0 is used.\n        // Negative values can still be used to disable the timeout.\n        request.timeout = updatedOptions.requestOptions?.timeout || 1000;\n\n        // This MSI uses the imdsEndpoint to get the token, which only uses http://\n        request.allowInsecureConnection = true;\n        let response: PipelineResponse;\n        try {\n          logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);\n          response = await identityClient.sendRequest(request);\n        } catch (err: unknown) {\n          // If the request failed, or Node.js was unable to establish a connection,\n          // or the host was down, we'll assume the IMDS endpoint isn't available.\n          if (isError(err)) {\n            logger.verbose(`${msiName}: Caught error ${err.name}: ${err.message}`);\n          }\n          // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n          // rather than just timing out, as expected.\n          logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n          return false;\n        }\n        if (response.status === 403) {\n          if (response.bodyAsText?.includes(\"unreachable\")) {\n            logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n            logger.info(`${msiName}: ${response.bodyAsText}`);\n            return false;\n          }\n        }\n        // If we received any response, the endpoint is available\n        logger.info(`${msiName}: The Azure IMDS endpoint is available`);\n        return true;\n      },\n    );\n  },\n};\n"]}

package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts

@@ -0,0 +1,13 @@
+import type { PipelinePolicy } from "@azure/core-rest-pipeline";
+import type { MSIConfiguration } from "./models.js";
+/**
+ * An additional policy that retries on 404 and 410 errors. The default retry policy does not retry on
+ * 404s or 410s, but the IMDS endpoint can return these when the token is not yet available or when
+ * the identity is still being set up. This policy will retry on 404s and 410s with an exponential backoff.
+ * For 410 responses, it uses a minimum 3-second initial delay to ensure at least 70 seconds total duration.
+ *
+ * @param msiRetryConfig - The retry configuration for the MSI credential.
+ * @returns - The policy that will retry on 404s and 410s.
+ */
+export declare function imdsRetryPolicy(msiRetryConfig: MSIConfiguration["retryConfig"]): PipelinePolicy;
+//# sourceMappingURL=imdsRetryPolicy.d.ts.map

package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"imdsRetryPolicy.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsRetryPolicy.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAGhE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAYpD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,cAAc,EAAE,gBAAgB,CAAC,aAAa,CAAC,GAAG,cAAc,CA2B/F"}

package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.js

@@ -0,0 +1,43 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { retryPolicy } from "@azure/core-rest-pipeline";
+import { calculateRetryDelay } from "@azure/core-util";
+// Matches the default retry configuration in expontentialRetryStrategy.ts
+const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
+// For 410 responses, we need at least 70 seconds total retry duration
+// With 5 retries using exponential backoff: delays of d, 2d, 4d, 8d, 16d sum to 31d
+// Accounting for jitter (which can reduce delays by 20%), we need 31d * 0.8 >= 70
+// So we need d >= 70/24.8 = 2.82 seconds. Using 3 seconds to be safe.
+const MIN_DELAY_FOR_410_MS = 3000;
+/**
+ * An additional policy that retries on 404 and 410 errors. The default retry policy does not retry on
+ * 404s or 410s, but the IMDS endpoint can return these when the token is not yet available or when
+ * the identity is still being set up. This policy will retry on 404s and 410s with an exponential backoff.
+ * For 410 responses, it uses a minimum 3-second initial delay to ensure at least 70 seconds total duration.
+ *
+ * @param msiRetryConfig - The retry configuration for the MSI credential.
+ * @returns - The policy that will retry on 404s and 410s.
+ */
+export function imdsRetryPolicy(msiRetryConfig) {
+    return retryPolicy([
+        {
+            name: "imdsRetryPolicy",
+            retry: ({ retryCount, response }) => {
+                if (response?.status !== 404 && response?.status !== 410) {
+                    return { skipStrategy: true };
+                }
+                // For 410 responses, use a minimum 3-second delay to ensure at least 70 seconds total retry duration
+                const initialDelayMs = response?.status === 410
+                    ? Math.max(MIN_DELAY_FOR_410_MS, msiRetryConfig.startDelayInMs)
+                    : msiRetryConfig.startDelayInMs;
+                return calculateRetryDelay(retryCount, {
+                    retryDelayInMs: initialDelayMs,
+                    maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
+                });
+            },
+        },
+    ], {
+        maxRetries: msiRetryConfig.maxRetries,
+    });
+}
+//# sourceMappingURL=imdsRetryPolicy.js.map

package/dist/esm/credentials/managedIdentityCredential/imdsRetryPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"imdsRetryPolicy.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsRetryPolicy.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAGxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvD,0EAA0E;AAC1E,MAAM,iCAAiC,GAAG,IAAI,GAAG,EAAE,CAAC;AAEpD,sEAAsE;AACtE,oFAAoF;AACpF,kFAAkF;AAClF,sEAAsE;AACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAElC;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,cAA+C;IAC7E,OAAO,WAAW,CAChB;QACE;YACE,IAAI,EAAE,iBAAiB;YACvB,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAClC,IAAI,QAAQ,EAAE,MAAM,KAAK,GAAG,IAAI,QAAQ,EAAE,MAAM,KAAK,GAAG,EAAE,CAAC;oBACzD,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;gBAChC,CAAC;gBAED,qGAAqG;gBACrG,MAAM,cAAc,GAClB,QAAQ,EAAE,MAAM,KAAK,GAAG;oBACtB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,cAAc,CAAC,cAAc,CAAC;oBAC/D,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC;gBAEpC,OAAO,mBAAmB,CAAC,UAAU,EAAE;oBACrC,cAAc,EAAE,cAAc;oBAC9B,iBAAiB,EAAE,iCAAiC;iBACrD,CAAC,CAAC;YACL,CAAC;SACF;KACF,EACD;QACE,UAAU,EAAE,cAAc,CAAC,UAAU;KACtC,CACF,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { PipelinePolicy } from \"@azure/core-rest-pipeline\";\nimport { retryPolicy } from \"@azure/core-rest-pipeline\";\n\nimport type { MSIConfiguration } from \"./models.js\";\nimport { calculateRetryDelay } from \"@azure/core-util\";\n\n// Matches the default retry configuration in expontentialRetryStrategy.ts\nconst DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;\n\n// For 410 responses, we need at least 70 seconds total retry duration\n// With 5 retries using exponential backoff: delays of d, 2d, 4d, 8d, 16d sum to 31d\n// Accounting for jitter (which can reduce delays by 20%), we need 31d * 0.8 >= 70\n// So we need d >= 70/24.8 = 2.82 seconds. Using 3 seconds to be safe.\nconst MIN_DELAY_FOR_410_MS = 3000;\n\n/**\n * An additional policy that retries on 404 and 410 errors. The default retry policy does not retry on\n * 404s or 410s, but the IMDS endpoint can return these when the token is not yet available or when\n * the identity is still being set up. This policy will retry on 404s and 410s with an exponential backoff.\n * For 410 responses, it uses a minimum 3-second initial delay to ensure at least 70 seconds total duration.\n *\n * @param msiRetryConfig - The retry configuration for the MSI credential.\n * @returns - The policy that will retry on 404s and 410s.\n */\nexport function imdsRetryPolicy(msiRetryConfig: MSIConfiguration[\"retryConfig\"]): PipelinePolicy {\n  return retryPolicy(\n    [\n      {\n        name: \"imdsRetryPolicy\",\n        retry: ({ retryCount, response }) => {\n          if (response?.status !== 404 && response?.status !== 410) {\n            return { skipStrategy: true };\n          }\n\n          // For 410 responses, use a minimum 3-second delay to ensure at least 70 seconds total retry duration\n          const initialDelayMs =\n            response?.status === 410\n              ? Math.max(MIN_DELAY_FOR_410_MS, msiRetryConfig.startDelayInMs)\n              : msiRetryConfig.startDelayInMs;\n\n          return calculateRetryDelay(retryCount, {\n            retryDelayInMs: initialDelayMs,\n            maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,\n          });\n        },\n      },\n    ],\n    {\n      maxRetries: msiRetryConfig.maxRetries,\n    },\n  );\n}\n"]}

package/dist/esm/credentials/managedIdentityCredential/index.d.ts

@@ -0,0 +1,62 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { TokenCredentialOptions } from "../../tokenCredentialOptions.js";
+import type { ManagedIdentityCredentialClientIdOptions, ManagedIdentityCredentialObjectIdOptions, ManagedIdentityCredentialResourceIdOptions } from "./options.js";
+/**
+ * Attempts authentication using a managed identity available at the deployment environment.
+ * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
+ * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ * https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
+ */
+export declare class ManagedIdentityCredential implements TokenCredential {
+    private managedIdentityApp;
+    private identityClient;
+    private clientId?;
+    private resourceId?;
+    private objectId?;
+    private msiRetryConfig;
+    private isAvailableIdentityClient;
+    private sendProbeRequest;
+    /**
+     * Creates an instance of ManagedIdentityCredential with the client ID of a
+     * user-assigned identity, or app registration (when working with AKS pod-identity).
+     *
+     * @param clientId - The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).
+     * @param options - Options for configuring the client which makes the access token request.
+     */
+    constructor(clientId: string, options?: TokenCredentialOptions);
+    /**
+     * Creates an instance of ManagedIdentityCredential with a client ID
+     *
+     * @param options - Options for configuring the client which makes the access token request.
+     */
+    constructor(options?: ManagedIdentityCredentialClientIdOptions);
+    /**
+     * Creates an instance of ManagedIdentityCredential with a resource ID
+     *
+     * @param options - Options for configuring the resource which makes the access token request.
+     */
+    constructor(options?: ManagedIdentityCredentialResourceIdOptions);
+    /**
+     * Creates an instance of ManagedIdentityCredential with an object ID
+     *
+     * @param options - Options for configuring the resource which makes the access token request.
+     */
+    constructor(options?: ManagedIdentityCredentialObjectIdOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Ensures the validity of the MSAL token
+     */
+    private ensureValidMsalToken;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/credentials/managedIdentityCredential/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAc9E,OAAO,KAAK,EAEV,wCAAwC,EACxC,wCAAwC,EACxC,0CAA0C,EAC3C,MAAM,cAAc,CAAC;AAItB;;;;;;;GAOG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,kBAAkB,CAA6B;IACvD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,cAAc,CAIpB;IACF,OAAO,CAAC,yBAAyB,CAAiB;IAClD,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;OAMG;gBACS,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,sBAAsB;IAC9D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,wCAAwC;IAC9D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,0CAA0C;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,wCAAwC;IAyH9D;;;;;;;;OAQG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;IA0GvB;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAuB7B"}