@equinor/fusion-framework-module-msal-node 4.0.2 → 4.1.0

package/dist/types/AuthConfigurator.d.ts

@@ -1,3 +1,4 @@
+import type { DeviceCodeRequest } from '@azure/msal-node';
 import { BaseConfigBuilder, type ConfigBuilderCallbackArgs } from '@equinor/fusion-framework-module';
 import type { AuthConfig } from './AuthConfigurator.interface.js';
 /**
@@ -59,6 +60,14 @@ export declare class AuthConfigurator extends BaseConfigBuilder<AuthConfig> {
      * @param token - The static access token string.
      */
     setAccessToken(token: string): void;
+    /**
+     * Sets the callback invoked with the device code response during `device_code` authentication.
+     *
+     * If not set, the default behaviour is `console.log(response.message)`.
+     *
+     * @param callback - The callback, or `undefined` to restore the default handler.
+     */
+    setDeviceCodeCallback(callback: DeviceCodeRequest['deviceCodeCallback'] | undefined): void;
     /**
      * Prepares and finalizes the authentication configuration before validation and use.
      *

package/dist/types/AuthConfigurator.interface.d.ts

@@ -1,4 +1,4 @@
-import type { PublicClientApplication } from '@azure/msal-node';
+import type { DeviceCodeRequest, PublicClientApplication } from '@azure/msal-node';
 import type { IAuthProvider } from './AuthProvider.interface.js';
 /**
  * Represents the configuration for authentication in "token only" mode.
@@ -48,15 +48,39 @@ type AuthConfigInteractiveMode = {
     accessToken?: never;
     parent?: IAuthProvider;
 };
+/**
+ * Configuration type for the device code authentication mode.
+ *
+ * In this mode the user is shown a short code and a URL (`https://microsoft.com/devicelogin`).
+ * They open the URL on any device, enter the code, and authenticate there.
+ * No local HTTP server is required, making this the recommended mode for CLI tools.
+ *
+ * @property mode - Specifies the authentication mode as `'device_code'`.
+ * @property client - An instance of `PublicClientApplication` used for authentication.
+ * @property deviceCodeCallback - Optional callback invoked with the device code response.
+ *   Receives the full {@link DeviceCodeRequest.deviceCodeCallback} response containing
+ *   `userCode`, `verificationUri`, `message`, and expiry details.
+ *   Defaults to printing `response.message` to `console.log`.
+ * @property parent - An optional parent `IAuthProvider` instance for delegation.
+ */
+type AuthConfigDeviceCodeMode = {
+    mode: 'device_code';
+    client: PublicClientApplication;
+    deviceCodeCallback?: DeviceCodeRequest['deviceCodeCallback'];
+    server?: never;
+    accessToken?: never;
+    parent?: IAuthProvider;
+};
 /**
  * Represents the configuration options for authentication.
  *
- * This type is a union of three different authentication modes:
- * - `AuthConfigInteractiveMode`: Configuration for interactive authentication.
- * - `AuthConfigSilentMode`: Configuration for silent authentication.
- * - `AuthConfigTokenMode`: Configuration for token-based authentication.
+ * This type is a union of four different authentication modes:
+ * - `AuthConfigInteractiveMode`: Browser-based login with a local callback server.
+ * - `AuthConfigSilentMode`: Silent authentication using cached/refreshed tokens.
+ * - `AuthConfigTokenMode`: Static pre-obtained token passthrough (CI/CD, automation).
+ * - `AuthConfigDeviceCodeMode`: Device code flow — prints a code for the user to enter at a URL. Recommended for CLI tools.
  */
-export type AuthConfig = AuthConfigInteractiveMode | AuthConfigSilentMode | AuthConfigTokenMode;
+export type AuthConfig = AuthConfigInteractiveMode | AuthConfigSilentMode | AuthConfigTokenMode | AuthConfigDeviceCodeMode;
 /**
  * Interface for configuring authentication settings for the MSAL Node module.
  *
@@ -67,11 +91,20 @@ export type AuthConfig = AuthConfigInteractiveMode | AuthConfigSilentMode | Auth
  * - `token_only`: Use a pre-obtained access token (e.g., for CI/CD or automation).
  * - `silent`: Use MSAL's silent authentication with a configured client (for background services or cached tokens).
  * - `interactive`: Use MSAL's interactive authentication, typically for CLI tools or development, with a local server for browser-based login.
+ * - `device_code`: Use MSAL's device code flow — prints a code for the user to enter at `https://microsoft.com/devicelogin`. No local server required. **Recommended for CLI tools.**
  *
  * Consumers should use the provided methods to configure the module according to their use case.
  * Maintainers should ensure that new authentication flows or configuration options are exposed via this interface for consistency.
  *
  * @example
+ * // --- Device code mode (recommended for CLI tools) ---
+ * ```ts
+ * builder.setMode('device_code');
+ * builder.setClientConfig('your-tenant-id', 'your-client-id');
+ * // Optional: customise the output shown to the user
+ * builder.setDeviceCodeCallback((response) => console.log(response.message));
+ * ```
+ *
  * // --- Interactive mode (browser login, local server) ---
  * ```ts
  * builder.setMode('interactive');
@@ -97,7 +130,7 @@ export interface IAuthConfigurator {
     /**
      * Sets the authentication mode for the module.
      *
-     * @param mode - The authentication mode to use: 'token_only', 'silent', or 'interactive'.
+     * @param mode - The authentication mode to use: `'token_only'`, `'silent'`, `'interactive'`, or `'device_code'`.
      *
      * Consumers: Call this first to define the overall authentication strategy.
      * Maintainers: Add new modes here if supporting additional auth flows.
@@ -149,5 +182,26 @@ export interface IAuthConfigurator {
      * Maintainers: Ensure this is securely handled and not mixed with other modes.
      */
     setAccessToken(token: string): void;
+    /**
+     * Sets a callback invoked with the device code response during `device_code` authentication.
+     *
+     * The callback receives a `DeviceCodeResponse` containing `userCode`, `verificationUri`,
+     * `message`, and expiry information. Typically used to display the code and URL to the user.
+     *
+     * If not set, the default behaviour is to print `response.message` to `console.log`.
+     *
+     * @param callback - The callback function, or `undefined` to restore the default.
+     *
+     * @example
+     * ```ts
+     * builder.setMode('device_code');
+     * builder.setClientConfig('your-tenant-id', 'your-client-id');
+     * builder.setDeviceCodeCallback((response) => {
+     *   console.log(`\nAuthenticate at: ${response.verificationUri}`);
+     *   console.log(`Enter code: ${response.userCode}\n`);
+     * });
+     * ```
+     */
+    setDeviceCodeCallback(callback: DeviceCodeRequest['deviceCodeCallback'] | undefined): void;
 }
 export {};

package/dist/types/AuthProviderDeviceCode.d.ts

@@ -0,0 +1,68 @@
+import type { DeviceCodeRequest } from '@azure/msal-node';
+import type { AuthenticationResult, PublicClientApplication } from '@azure/msal-node';
+import { AuthProvider } from './AuthProvider.js';
+/**
+ * Authentication provider that uses the OAuth 2.0 device code flow.
+ *
+ * When an access token cannot be acquired silently, the provider calls
+ * `acquireTokenByDeviceCode` and invokes `deviceCodeCallback` with the
+ * response containing `userCode`, `verificationUri`, and `message`.
+ * The user opens the URL on any device, enters the code, and authenticates.
+ * No local HTTP server is required, making this the recommended mode for CLI tools.
+ *
+ * @example
+ * ```ts
+ * const provider = new AuthProviderDeviceCode(msalClient, {
+ *   deviceCodeCallback: (response) => console.log(response.message),
+ * });
+ * ```
+ *
+ * @see AuthProviderInteractive - Browser-based login with a local callback server.
+ * @see AuthProvider - Silent-only provider (base class).
+ */
+export declare class AuthProviderDeviceCode extends AuthProvider {
+    #private;
+    /**
+     * Creates an instance of `AuthProviderDeviceCode`.
+     *
+     * @param client - The MSAL `PublicClientApplication` to use for token acquisition.
+     * @param options - Configuration options.
+     * @param options.deviceCodeCallback - Callback invoked with the device code response.
+     *   Defaults to printing `response.message` to `console.log`.
+     */
+    constructor(client: PublicClientApplication, options?: {
+        deviceCodeCallback?: DeviceCodeRequest['deviceCodeCallback'];
+    });
+    /**
+     * Acquires an access token for the specified scopes.
+     *
+     * First attempts silent acquisition using the cached account.
+     * If that fails (e.g. no account or new resource requiring consent),
+     * falls back to the device code flow — invoking `deviceCodeCallback` so
+     * the user can authenticate on any device.
+     *
+     * @param options - Token request options.
+     * @param options.request.scopes - OAuth 2.0 scopes to request.
+     * @returns A promise resolving to an `AuthenticationResult`.
+     * @throws {@link SilentTokenAcquisitionError} If device code acquisition also fails.
+     */
+    acquireToken(options: {
+        request: {
+            scopes: string[];
+        };
+    }): Promise<AuthenticationResult>;
+    /**
+     * Initiates the device code login flow explicitly.
+     *
+     * This is equivalent to calling `acquireToken` and is provided to satisfy
+     * the `IAuthProvider` contract.
+     *
+     * @param options - Login options containing the requested scopes.
+     * @returns A promise resolving to an `AuthenticationResult`.
+     */
+    login(options: {
+        request: {
+            scopes: string[];
+        };
+    }): Promise<AuthenticationResult>;
+}

package/dist/types/index.d.ts

@@ -2,8 +2,9 @@
  * `@equinor/fusion-framework-module-msal-node` provides Azure AD authentication
  * for Node.js applications using Microsoft's MSAL library.
  *
- * Supports three authentication modes:
+ * Supports four authentication modes:
  * - **interactive** — browser-based login with a local callback server (CLI tools, development)
+ * - **device_code** — prints a short code for the user to enter at a URL; no server needed (**recommended for CLI tools**)
  * - **silent** — cached credential reuse without user interaction (background services)
  * - **token_only** — static pre-obtained token passthrough (CI/CD, automation)
  *
@@ -20,6 +21,7 @@
  * @packageDocumentation
  */
 export { AuthProvider } from './AuthProvider.js';
+export { AuthProviderDeviceCode } from './AuthProviderDeviceCode.js';
 export type { IAuthProvider } from './AuthProvider.interface.js';
 export type { IAuthConfigurator, AuthConfig } from './AuthConfigurator.interface.js';
 export { module as authModule, type MsalNodeModule } from './module.js';

package/dist/types/module.d.ts

@@ -11,6 +11,7 @@ import type { IAuthProvider } from './AuthProvider.interface.js';
  *
  * - In `token_only` mode, a static access token is used (see {@link AuthTokenProvider}).
  * - In `interactive` mode, the user is prompted via a local server and browser (see {@link AuthProviderInteractive}).
+ * - In `device_code` mode, the user authenticates by entering a code at a URL on any device (see {@link AuthProviderDeviceCode}). Recommended for CLI tools.
  * - In all other cases, silent authentication is attempted using cached credentials (see {@link AuthProvider}).
  *
  * @see AuthProvider

package/dist/types/version.d.ts

@@ -1 +1 @@
-export declare const version = "4.0.2";
+export declare const version = "4.1.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@equinor/fusion-framework-module-msal-node",
-  "version": "4.0.2",
+  "version": "4.1.0",
   "description": "Fusion Framework module for secure Azure AD authentication in Node.js using MSAL. Supports interactive, silent, and token-only authentication modes with encrypted token storage.",
   "type": "module",
   "main": "dist/esm/index.js",

package/src/AuthConfigurator.interface.ts

@@ -1,4 +1,4 @@
-import type { PublicClientApplication } from '@azure/msal-node';
+import type { DeviceCodeRequest, PublicClientApplication } from '@azure/msal-node';
 
 import type { IAuthProvider } from './AuthProvider.interface.js';
 
@@ -53,15 +53,44 @@ type AuthConfigInteractiveMode = {
   parent?: IAuthProvider;
 };
 
+/**
+ * Configuration type for the device code authentication mode.
+ *
+ * In this mode the user is shown a short code and a URL (`https://microsoft.com/devicelogin`).
+ * They open the URL on any device, enter the code, and authenticate there.
+ * No local HTTP server is required, making this the recommended mode for CLI tools.
+ *
+ * @property mode - Specifies the authentication mode as `'device_code'`.
+ * @property client - An instance of `PublicClientApplication` used for authentication.
+ * @property deviceCodeCallback - Optional callback invoked with the device code response.
+ *   Receives the full {@link DeviceCodeRequest.deviceCodeCallback} response containing
+ *   `userCode`, `verificationUri`, `message`, and expiry details.
+ *   Defaults to printing `response.message` to `console.log`.
+ * @property parent - An optional parent `IAuthProvider` instance for delegation.
+ */
+type AuthConfigDeviceCodeMode = {
+  mode: 'device_code';
+  client: PublicClientApplication;
+  deviceCodeCallback?: DeviceCodeRequest['deviceCodeCallback'];
+  server?: never;
+  accessToken?: never;
+  parent?: IAuthProvider;
+};
+
 /**
  * Represents the configuration options for authentication.
  *
- * This type is a union of three different authentication modes:
- * - `AuthConfigInteractiveMode`: Configuration for interactive authentication.
- * - `AuthConfigSilentMode`: Configuration for silent authentication.
- * - `AuthConfigTokenMode`: Configuration for token-based authentication.
+ * This type is a union of four different authentication modes:
+ * - `AuthConfigInteractiveMode`: Browser-based login with a local callback server.
+ * - `AuthConfigSilentMode`: Silent authentication using cached/refreshed tokens.
+ * - `AuthConfigTokenMode`: Static pre-obtained token passthrough (CI/CD, automation).
+ * - `AuthConfigDeviceCodeMode`: Device code flow — prints a code for the user to enter at a URL. Recommended for CLI tools.
  */
-export type AuthConfig = AuthConfigInteractiveMode | AuthConfigSilentMode | AuthConfigTokenMode;
+export type AuthConfig =
+  | AuthConfigInteractiveMode
+  | AuthConfigSilentMode
+  | AuthConfigTokenMode
+  | AuthConfigDeviceCodeMode;
 
 /**
  * Interface for configuring authentication settings for the MSAL Node module.
@@ -73,11 +102,20 @@ export type AuthConfig = AuthConfigInteractiveMode | AuthConfigSilentMode | Auth
  * - `token_only`: Use a pre-obtained access token (e.g., for CI/CD or automation).
  * - `silent`: Use MSAL's silent authentication with a configured client (for background services or cached tokens).
  * - `interactive`: Use MSAL's interactive authentication, typically for CLI tools or development, with a local server for browser-based login.
+ * - `device_code`: Use MSAL's device code flow — prints a code for the user to enter at `https://microsoft.com/devicelogin`. No local server required. **Recommended for CLI tools.**
  *
  * Consumers should use the provided methods to configure the module according to their use case.
  * Maintainers should ensure that new authentication flows or configuration options are exposed via this interface for consistency.
  *
  * @example
+ * // --- Device code mode (recommended for CLI tools) ---
+ * ```ts
+ * builder.setMode('device_code');
+ * builder.setClientConfig('your-tenant-id', 'your-client-id');
+ * // Optional: customise the output shown to the user
+ * builder.setDeviceCodeCallback((response) => console.log(response.message));
+ * ```
+ *
  * // --- Interactive mode (browser login, local server) ---
  * ```ts
  * builder.setMode('interactive');
@@ -103,7 +141,7 @@ export interface IAuthConfigurator {
   /**
    * Sets the authentication mode for the module.
    *
-   * @param mode - The authentication mode to use: 'token_only', 'silent', or 'interactive'.
+   * @param mode - The authentication mode to use: `'token_only'`, `'silent'`, `'interactive'`, or `'device_code'`.
    *
    * Consumers: Call this first to define the overall authentication strategy.
    * Maintainers: Add new modes here if supporting additional auth flows.
@@ -160,4 +198,26 @@ export interface IAuthConfigurator {
    * Maintainers: Ensure this is securely handled and not mixed with other modes.
    */
   setAccessToken(token: string): void;
+
+  /**
+   * Sets a callback invoked with the device code response during `device_code` authentication.
+   *
+   * The callback receives a `DeviceCodeResponse` containing `userCode`, `verificationUri`,
+   * `message`, and expiry information. Typically used to display the code and URL to the user.
+   *
+   * If not set, the default behaviour is to print `response.message` to `console.log`.
+   *
+   * @param callback - The callback function, or `undefined` to restore the default.
+   *
+   * @example
+   * ```ts
+   * builder.setMode('device_code');
+   * builder.setClientConfig('your-tenant-id', 'your-client-id');
+   * builder.setDeviceCodeCallback((response) => {
+   *   console.log(`\nAuthenticate at: ${response.verificationUri}`);
+   *   console.log(`Enter code: ${response.userCode}\n`);
+   * });
+   * ```
+   */
+  setDeviceCodeCallback(callback: DeviceCodeRequest['deviceCodeCallback'] | undefined): void;
 }

package/src/AuthConfigurator.ts

@@ -1,4 +1,5 @@
 import { PublicClientApplication } from '@azure/msal-node';
+import type { DeviceCodeRequest } from '@azure/msal-node';
 import {
   BaseConfigBuilder,
   type ConfigBuilderCallbackArgs,
@@ -95,6 +96,17 @@ export class AuthConfigurator extends BaseConfigBuilder<AuthConfig> {
     this._set('accessToken', token);
   }
 
+  /**
+   * Sets the callback invoked with the device code response during `device_code` authentication.
+   *
+   * If not set, the default behaviour is `console.log(response.message)`.
+   *
+   * @param callback - The callback, or `undefined` to restore the default handler.
+   */
+  setDeviceCodeCallback(callback: DeviceCodeRequest['deviceCodeCallback'] | undefined) {
+    this._set('deviceCodeCallback', callback ?? undefined);
+  }
+
   /**
    * Prepares and finalizes the authentication configuration before validation and use.
    *
@@ -159,6 +171,13 @@ export class AuthConfigurator extends BaseConfigBuilder<AuthConfig> {
         }
         break;
       }
+      case 'device_code': {
+        // Device code mode requires a valid MSAL client instance
+        if (config.client instanceof PublicClientApplication === false) {
+          throw new Error('Client is required when mode is device_code');
+        }
+        break;
+      }
       case 'token_only': {
         // Token only mode requires a string access token
         if (typeof config.accessToken !== 'string') {

package/src/AuthProviderDeviceCode.ts

@@ -0,0 +1,109 @@
+import type { DeviceCodeRequest } from '@azure/msal-node';
+
+import type { AuthenticationResult, PublicClientApplication } from '@azure/msal-node';
+
+import { AuthProvider } from './AuthProvider.js';
+import { SilentTokenAcquisitionError } from './error.js';
+
+/**
+ * Authentication provider that uses the OAuth 2.0 device code flow.
+ *
+ * When an access token cannot be acquired silently, the provider calls
+ * `acquireTokenByDeviceCode` and invokes `deviceCodeCallback` with the
+ * response containing `userCode`, `verificationUri`, and `message`.
+ * The user opens the URL on any device, enters the code, and authenticates.
+ * No local HTTP server is required, making this the recommended mode for CLI tools.
+ *
+ * @example
+ * ```ts
+ * const provider = new AuthProviderDeviceCode(msalClient, {
+ *   deviceCodeCallback: (response) => console.log(response.message),
+ * });
+ * ```
+ *
+ * @see AuthProviderInteractive - Browser-based login with a local callback server.
+ * @see AuthProvider - Silent-only provider (base class).
+ */
+export class AuthProviderDeviceCode extends AuthProvider {
+  readonly #deviceCodeCallback: DeviceCodeRequest['deviceCodeCallback'];
+
+  /**
+   * Creates an instance of `AuthProviderDeviceCode`.
+   *
+   * @param client - The MSAL `PublicClientApplication` to use for token acquisition.
+   * @param options - Configuration options.
+   * @param options.deviceCodeCallback - Callback invoked with the device code response.
+   *   Defaults to printing `response.message` to `console.log`.
+   */
+  constructor(
+    client: PublicClientApplication,
+    options?: {
+      deviceCodeCallback?: DeviceCodeRequest['deviceCodeCallback'];
+    },
+  ) {
+    super(client);
+    this.#deviceCodeCallback =
+      options?.deviceCodeCallback ?? ((response) => console.log(response.message));
+  }
+
+  /**
+   * Acquires an access token for the specified scopes.
+   *
+   * First attempts silent acquisition using the cached account.
+   * If that fails (e.g. no account or new resource requiring consent),
+   * falls back to the device code flow — invoking `deviceCodeCallback` so
+   * the user can authenticate on any device.
+   *
+   * @param options - Token request options.
+   * @param options.request.scopes - OAuth 2.0 scopes to request.
+   * @returns A promise resolving to an `AuthenticationResult`.
+   * @throws {@link SilentTokenAcquisitionError} If device code acquisition also fails.
+   */
+  public override async acquireToken(options: {
+    request: { scopes: string[] };
+  }): Promise<AuthenticationResult> {
+    // Attempt silent acquisition first (uses cached account / refresh token)
+    const account = await this.getAccount();
+    if (account) {
+      try {
+        return await this._client.acquireTokenSilent({
+          scopes: options.request.scopes,
+          account,
+        });
+      } catch {
+        // Silent failed — fall through to device code flow below
+      }
+    }
+
+    // Fall back to device code flow
+    try {
+      const result = await this._client.acquireTokenByDeviceCode({
+        scopes: options.request.scopes,
+        deviceCodeCallback: this.#deviceCodeCallback,
+      });
+      if (!result) {
+        throw new SilentTokenAcquisitionError('Device code flow returned no result');
+      }
+      return result;
+    } catch (error) {
+      throw new SilentTokenAcquisitionError('Device code token acquisition failed', {
+        cause: error,
+      });
+    }
+  }
+
+  /**
+   * Initiates the device code login flow explicitly.
+   *
+   * This is equivalent to calling `acquireToken` and is provided to satisfy
+   * the `IAuthProvider` contract.
+   *
+   * @param options - Login options containing the requested scopes.
+   * @returns A promise resolving to an `AuthenticationResult`.
+   */
+  public override async login(options: {
+    request: { scopes: string[] };
+  }): Promise<AuthenticationResult> {
+    return this.acquireToken(options);
+  }
+}

package/src/AuthProviderInteractive.ts

@@ -134,6 +134,13 @@ export class AuthProviderInteractive extends AuthProvider {
     if ((await this.getAccount()) === null) {
       return this.login({ request: { scopes } });
     }
-    return super.acquireToken(options);
+    try {
+      return await super.acquireToken(options);
+    } catch {
+      // Silent acquisition failed (e.g. no cached token for this resource/audience).
+      // Fall back to interactive login so the user only needs one browser session
+      // rather than seeing an unhandled error or a separate prompted login elsewhere.
+      return this.login({ request: { scopes } });
+    }
   }
 }

package/src/index.ts

@@ -2,8 +2,9 @@
  * `@equinor/fusion-framework-module-msal-node` provides Azure AD authentication
  * for Node.js applications using Microsoft's MSAL library.
  *
- * Supports three authentication modes:
+ * Supports four authentication modes:
  * - **interactive** — browser-based login with a local callback server (CLI tools, development)
+ * - **device_code** — prints a short code for the user to enter at a URL; no server needed (**recommended for CLI tools**)
  * - **silent** — cached credential reuse without user interaction (background services)
  * - **token_only** — static pre-obtained token passthrough (CI/CD, automation)
  *
@@ -22,6 +23,8 @@
 
 export { AuthProvider } from './AuthProvider.js';
 
+export { AuthProviderDeviceCode } from './AuthProviderDeviceCode.js';
+
 export type { IAuthProvider } from './AuthProvider.interface.js';
 
 export type { IAuthConfigurator, AuthConfig } from './AuthConfigurator.interface.js';

package/src/module.ts

@@ -3,6 +3,7 @@ import { AuthConfigurator } from './AuthConfigurator.js';
 import { AuthProvider } from './AuthProvider.js';
 import { AuthTokenProvider } from './AuthTokenProvider.js';
 import { AuthProviderInteractive } from './AuthProviderInteractive.js';
+import { AuthProviderDeviceCode } from './AuthProviderDeviceCode.js';
 import type { IAuthProvider } from './AuthProvider.interface.js';
 
 /**
@@ -15,6 +16,7 @@ import type { IAuthProvider } from './AuthProvider.interface.js';
  *
  * - In `token_only` mode, a static access token is used (see {@link AuthTokenProvider}).
  * - In `interactive` mode, the user is prompted via a local server and browser (see {@link AuthProviderInteractive}).
+ * - In `device_code` mode, the user authenticates by entering a code at a URL on any device (see {@link AuthProviderDeviceCode}). Recommended for CLI tools.
  * - In all other cases, silent authentication is attempted using cached credentials (see {@link AuthProvider}).
  *
  * @see AuthProvider
@@ -43,6 +45,11 @@ export const module: MsalNodeModule = {
         return new AuthProviderInteractive(client, { server });
       }
 
+      case 'device_code': {
+        const { client, deviceCodeCallback } = config;
+        return new AuthProviderDeviceCode(client, { deviceCodeCallback });
+      }
+
       default:
         return new AuthProvider(config.client);
     }

package/src/version.ts

@@ -1,2 +1,2 @@
 // Generated by genversion.
-export const version = '4.0.2';
+export const version = '4.1.0';