@microsoft/teamsfx 0.3.2-rc.0 → 0.3.3-alpha.13914d2e.0

package/dist/{index.js → index.esm2017.mjs}

@@ -1,1530 +1,1491 @@
-'use strict';
+import jwt_decode from 'jwt-decode';
+import { ConfidentialClientApplication } from '@azure/msal-node';
+import { createHash } from 'crypto';
+import { Client } from '@microsoft/microsoft-graph-client';
+import { ManagedIdentityCredential } from '@azure/identity';
+import { ActivityTypes, Channels, TeamsInfo, CardFactory, ActionTypes, MessageFactory, StatusCodes, verifyStateOperationName, tokenExchangeOperationName } from 'botbuilder';
+import { Dialog } from 'botbuilder-dialogs';
+import { v4 } from 'uuid';
 
-Object.defineProperty(exports, '__esModule', { value: true });
-
-var tslib = require('tslib');
-var jwt_decode = require('jwt-decode');
-var crypto = require('crypto');
-var coreHttp = require('@azure/core-http');
-var msalNode = require('@azure/msal-node');
-var botbuilder = require('botbuilder');
-var botbuilderDialogs = require('botbuilder-dialogs');
-var uuid = require('uuid');
-var microsoftGraphClient = require('@microsoft/microsoft-graph-client');
-var identity = require('@azure/identity');
-
-function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
-
-var jwt_decode__default = /*#__PURE__*/_interopDefaultLegacy(jwt_decode);
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Error code to trace the error types.
- * @beta
- */
-exports.ErrorCode = void 0;
-(function (ErrorCode) {
-    /**
-     * Invalid parameter error.
-     */
-    ErrorCode["InvalidParameter"] = "InvalidParameter";
-    /**
-     * Invalid configuration error.
-     */
-    ErrorCode["InvalidConfiguration"] = "InvalidConfiguration";
-    /**
-     * Invalid certificate error.
-     */
-    ErrorCode["InvalidCertificate"] = "InvalidCertificate";
-    /**
-     * Internal error.
-     */
-    ErrorCode["InternalError"] = "InternalError";
-    /**
-     * Channel is not supported error.
-     */
-    ErrorCode["ChannelNotSupported"] = "ChannelNotSupported";
-    /**
-     * Runtime is not supported error.
-     */
-    ErrorCode["RuntimeNotSupported"] = "RuntimeNotSupported";
-    /**
-     * User failed to finish the AAD consent flow failed.
-     */
-    ErrorCode["ConsentFailed"] = "ConsentFailed";
-    /**
-     * The user or administrator has not consented to use the application error.
-     */
-    ErrorCode["UiRequiredError"] = "UiRequiredError";
-    /**
-     * Token is not within its valid time range error.
-     */
-    ErrorCode["TokenExpiredError"] = "TokenExpiredError";
-    /**
-     * Call service (AAD or simple authentication server) failed.
-     */
-    ErrorCode["ServiceError"] = "ServiceError";
-    /**
-     * Operation failed.
-     */
-    ErrorCode["FailedOperation"] = "FailedOperation";
-})(exports.ErrorCode || (exports.ErrorCode = {}));
-/**
- * @internal
- */
-class ErrorMessage {
-}
-// InvalidConfiguration Error
-ErrorMessage.InvalidConfiguration = "{0} in configuration is invalid: {1}.";
-ErrorMessage.ConfigurationNotExists = "Configuration does not exist. {0}";
-ErrorMessage.ResourceConfigurationNotExists = "{0} resource configuration does not exist.";
-ErrorMessage.MissingResourceConfiguration = "Missing resource configuration with type: {0}, name: {1}.";
-ErrorMessage.AuthenticationConfigurationNotExists = "Authentication configuration does not exist.";
-// RuntimeNotSupported Error
-ErrorMessage.BrowserRuntimeNotSupported = "{0} is not supported in browser.";
-ErrorMessage.NodejsRuntimeNotSupported = "{0} is not supported in Node.";
-// Internal Error
-ErrorMessage.FailToAcquireTokenOnBehalfOfUser = "Failed to acquire access token on behalf of user: {0}";
-// ChannelNotSupported Error
-ErrorMessage.OnlyMSTeamsChannelSupported = "{0} is only supported in MS Teams Channel";
-/**
- * Error class with code and message thrown by the SDK.
- *
- * @beta
- */
-class ErrorWithCode extends Error {
-    /**
-     * Constructor of ErrorWithCode.
-     *
-     * @param {string} message - error message.
-     * @param {ErrorCode} code - error code.
-     *
-     * @beta
-     */
-    constructor(message, code) {
-        if (!code) {
-            super(message);
-            return;
-        }
-        super(message);
-        Object.setPrototypeOf(this, ErrorWithCode.prototype);
-        this.name = `${new.target.name}.${code}`;
-        this.code = code;
-    }
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Error code to trace the error types.
+ * @beta
+ */
+var ErrorCode;
+(function (ErrorCode) {
+    /**
+     * Invalid parameter error.
+     */
+    ErrorCode["InvalidParameter"] = "InvalidParameter";
+    /**
+     * Invalid configuration error.
+     */
+    ErrorCode["InvalidConfiguration"] = "InvalidConfiguration";
+    /**
+     * Invalid certificate error.
+     */
+    ErrorCode["InvalidCertificate"] = "InvalidCertificate";
+    /**
+     * Internal error.
+     */
+    ErrorCode["InternalError"] = "InternalError";
+    /**
+     * Channel is not supported error.
+     */
+    ErrorCode["ChannelNotSupported"] = "ChannelNotSupported";
+    /**
+     * Runtime is not supported error.
+     */
+    ErrorCode["RuntimeNotSupported"] = "RuntimeNotSupported";
+    /**
+     * User failed to finish the AAD consent flow failed.
+     */
+    ErrorCode["ConsentFailed"] = "ConsentFailed";
+    /**
+     * The user or administrator has not consented to use the application error.
+     */
+    ErrorCode["UiRequiredError"] = "UiRequiredError";
+    /**
+     * Token is not within its valid time range error.
+     */
+    ErrorCode["TokenExpiredError"] = "TokenExpiredError";
+    /**
+     * Call service (AAD or simple authentication server) failed.
+     */
+    ErrorCode["ServiceError"] = "ServiceError";
+    /**
+     * Operation failed.
+     */
+    ErrorCode["FailedOperation"] = "FailedOperation";
+})(ErrorCode || (ErrorCode = {}));
+/**
+ * @internal
+ */
+class ErrorMessage {
+}
+// InvalidConfiguration Error
+ErrorMessage.InvalidConfiguration = "{0} in configuration is invalid: {1}.";
+ErrorMessage.ConfigurationNotExists = "Configuration does not exist. {0}";
+ErrorMessage.ResourceConfigurationNotExists = "{0} resource configuration does not exist.";
+ErrorMessage.MissingResourceConfiguration = "Missing resource configuration with type: {0}, name: {1}.";
+ErrorMessage.AuthenticationConfigurationNotExists = "Authentication configuration does not exist.";
+// RuntimeNotSupported Error
+ErrorMessage.BrowserRuntimeNotSupported = "{0} is not supported in browser.";
+ErrorMessage.NodejsRuntimeNotSupported = "{0} is not supported in Node.";
+// Internal Error
+ErrorMessage.FailToAcquireTokenOnBehalfOfUser = "Failed to acquire access token on behalf of user: {0}";
+// ChannelNotSupported Error
+ErrorMessage.OnlyMSTeamsChannelSupported = "{0} is only supported in MS Teams Channel";
+/**
+ * Error class with code and message thrown by the SDK.
+ *
+ * @beta
+ */
+class ErrorWithCode extends Error {
+    /**
+     * Constructor of ErrorWithCode.
+     *
+     * @param {string} message - error message.
+     * @param {ErrorCode} code - error code.
+     *
+     * @beta
+     */
+    constructor(message, code) {
+        if (!code) {
+            super(message);
+            return this;
+        }
+        super(message);
+        Object.setPrototypeOf(this, ErrorWithCode.prototype);
+        this.name = `${new.target.name}.${code}`;
+        this.code = code;
+    }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Log level.
- *
- * @beta
- */
-exports.LogLevel = void 0;
-(function (LogLevel) {
-    /**
-     * Show verbose, information, warning and error message.
-     */
-    LogLevel[LogLevel["Verbose"] = 0] = "Verbose";
-    /**
-     * Show information, warning and error message.
-     */
-    LogLevel[LogLevel["Info"] = 1] = "Info";
-    /**
-     * Show warning and error message.
-     */
-    LogLevel[LogLevel["Warn"] = 2] = "Warn";
-    /**
-     * Show error message.
-     */
-    LogLevel[LogLevel["Error"] = 3] = "Error";
-})(exports.LogLevel || (exports.LogLevel = {}));
-/**
- * Update log level helper.
- *
- * @param { LogLevel } level - log level in configuration
- *
- * @beta
- */
-function setLogLevel(level) {
-    internalLogger.level = level;
-}
-/**
- * Get log level.
- *
- * @returns Log level
- *
- * @beta
- */
-function getLogLevel() {
-    return internalLogger.level;
-}
-class InternalLogger {
-    constructor() {
-        this.level = undefined;
-        this.defaultLogger = {
-            verbose: console.debug,
-            info: console.info,
-            warn: console.warn,
-            error: console.error,
-        };
-    }
-    error(message) {
-        this.log(exports.LogLevel.Error, (x) => x.error, message);
-    }
-    warn(message) {
-        this.log(exports.LogLevel.Warn, (x) => x.warn, message);
-    }
-    info(message) {
-        this.log(exports.LogLevel.Info, (x) => x.info, message);
-    }
-    verbose(message) {
-        this.log(exports.LogLevel.Verbose, (x) => x.verbose, message);
-    }
-    log(logLevel, logFunction, message) {
-        if (message.trim() === "") {
-            return;
-        }
-        const timestamp = new Date().toUTCString();
-        const logHeader = `[${timestamp}] : @microsoft/teamsfx : ${exports.LogLevel[logLevel]} - `;
-        const logMessage = `${logHeader}${message}`;
-        if (this.level !== undefined && this.level <= logLevel) {
-            if (this.customLogger) {
-                logFunction(this.customLogger)(logMessage);
-            }
-            else if (this.customLogFunction) {
-                this.customLogFunction(logLevel, logMessage);
-            }
-            else {
-                logFunction(this.defaultLogger)(logMessage);
-            }
-        }
-    }
-}
-/**
- * Logger instance used internally
- *
- * @internal
- */
-const internalLogger = new InternalLogger();
-/**
- * Set custom logger. Use the output functions if it's set. Priority is higher than setLogFunction.
- *
- * @param {Logger} logger - custom logger. If it's undefined, custom logger will be cleared.
- *
- * @example
- * ```typescript
- * setLogger({
- *   verbose: console.debug,
- *   info: console.info,
- *   warn: console.warn,
- *   error: console.error,
- * });
- * ```
- *
- * @beta
- */
-function setLogger(logger) {
-    internalLogger.customLogger = logger;
-}
-/**
- * Set custom log function. Use the function if it's set. Priority is lower than setLogger.
- *
- * @param {LogFunction} logFunction - custom log function. If it's undefined, custom log function will be cleared.
- *
- * @example
- * ```typescript
- * setLogFunction((level: LogLevel, message: string) => {
- *   if (level === LogLevel.Error) {
- *     console.log(message);
- *   }
- * });
- * ```
- *
- * @beta
- */
-function setLogFunction(logFunction) {
-    internalLogger.customLogFunction = logFunction;
-}
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Available resource type.
+ * @beta
+ */
+var ResourceType;
+(function (ResourceType) {
+    /**
+     * SQL database.
+     *
+     */
+    ResourceType[ResourceType["SQL"] = 0] = "SQL";
+    /**
+     * Rest API.
+     *
+     */
+    ResourceType[ResourceType["API"] = 1] = "API";
+})(ResourceType || (ResourceType = {}));
 
-// Copyright (c) Microsoft Corporation.
-/**
- * Parse jwt token payload
- *
- * @param token
- *
- * @returns Payload object
- *
- * @internal
- */
-function parseJwt(token) {
-    try {
-        const tokenObj = jwt_decode__default['default'](token);
-        if (!tokenObj || !tokenObj.exp) {
-            throw new ErrorWithCode("Decoded token is null or exp claim does not exists.", exports.ErrorCode.InternalError);
-        }
-        return tokenObj;
-    }
-    catch (err) {
-        const errorMsg = "Parse jwt token failed in node env with error: " + err.message;
-        internalLogger.error(errorMsg);
-        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError);
-    }
-}
-/**
- * @internal
- */
-function getUserInfoFromSsoToken(ssoToken) {
-    if (!ssoToken) {
-        const errorMsg = "SSO token is undefined.";
-        internalLogger.error(errorMsg);
-        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
-    }
-    const tokenObject = parseJwt(ssoToken);
-    const userInfo = {
-        displayName: tokenObject.name,
-        objectId: tokenObject.oid,
-        preferredUserName: "",
-    };
-    if (tokenObject.ver === "2.0") {
-        userInfo.preferredUserName = tokenObject.preferred_username;
-    }
-    else if (tokenObject.ver === "1.0") {
-        userInfo.preferredUserName = tokenObject.upn;
-    }
-    return userInfo;
-}
-/**
- * Format string template with replacements
- *
- * ```typescript
- * const template = "{0} and {1} are fruit. {0} is my favorite one."
- * const formattedStr = formatString(template, "apple", "pear"); // formattedStr: "apple and pear are fruit. apple is my favorite one."
- * ```
- *
- * @param str string template
- * @param replacements replacement string array
- * @returns Formatted string
- *
- * @internal
- */
-function formatString(str, ...replacements) {
-    const args = replacements;
-    return str.replace(/{(\d+)}/g, function (match, number) {
-        return typeof args[number] != "undefined" ? args[number] : match;
-    });
-}
-/**
- * @internal
- */
-function validateScopesType(value) {
-    // string
-    if (typeof value === "string" || value instanceof String) {
-        return;
-    }
-    // empty array
-    if (Array.isArray(value) && value.length === 0) {
-        return;
-    }
-    // string array
-    if (Array.isArray(value) && value.length > 0 && value.every((item) => typeof item === "string")) {
-        return;
-    }
-    const errorMsg = "The type of scopes is not valid, it must be string or string array";
-    internalLogger.error(errorMsg);
-    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
-}
-/**
- * @internal
- */
-function getScopesArray(scopes) {
-    const scopesArray = typeof scopes === "string" ? scopes.split(" ") : scopes;
-    return scopesArray.filter((x) => x !== null && x !== "");
-}
-/**
- * @internal
- */
-function getAuthority(authorityHost, tenantId) {
-    const normalizedAuthorityHost = authorityHost.replace(/\/+$/g, "");
-    return normalizedAuthorityHost + "/" + tenantId;
-}
-/**
- * @internal
- */
-function parseCertificate(certificateContent) {
-    if (!certificateContent) {
-        return undefined;
-    }
-    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
-    const match = certificatePattern.exec(certificateContent);
-    if (!match) {
-        const errorMsg = "The certificate content does not contain a PEM-encoded certificate.";
-        internalLogger.error(errorMsg);
-        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidCertificate);
-    }
-    const thumbprint = crypto.createHash("sha1")
-        .update(Buffer.from(match[3], "base64"))
-        .digest("hex")
-        .toUpperCase();
-    return {
-        thumbprint: thumbprint,
-        privateKey: certificateContent,
-    };
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * Log level.
+ *
+ * @beta
+ */
+var LogLevel;
+(function (LogLevel) {
+    /**
+     * Show verbose, information, warning and error message.
+     */
+    LogLevel[LogLevel["Verbose"] = 0] = "Verbose";
+    /**
+     * Show information, warning and error message.
+     */
+    LogLevel[LogLevel["Info"] = 1] = "Info";
+    /**
+     * Show warning and error message.
+     */
+    LogLevel[LogLevel["Warn"] = 2] = "Warn";
+    /**
+     * Show error message.
+     */
+    LogLevel[LogLevel["Error"] = 3] = "Error";
+})(LogLevel || (LogLevel = {}));
+/**
+ * Update log level helper.
+ *
+ * @param { LogLevel } level - log level in configuration
+ *
+ * @beta
+ */
+function setLogLevel(level) {
+    internalLogger.level = level;
+}
+/**
+ * Get log level.
+ *
+ * @returns Log level
+ *
+ * @beta
+ */
+function getLogLevel() {
+    return internalLogger.level;
+}
+class InternalLogger {
+    constructor() {
+        this.level = undefined;
+        this.defaultLogger = {
+            verbose: console.debug,
+            info: console.info,
+            warn: console.warn,
+            error: console.error,
+        };
+    }
+    error(message) {
+        this.log(LogLevel.Error, (x) => x.error, message);
+    }
+    warn(message) {
+        this.log(LogLevel.Warn, (x) => x.warn, message);
+    }
+    info(message) {
+        this.log(LogLevel.Info, (x) => x.info, message);
+    }
+    verbose(message) {
+        this.log(LogLevel.Verbose, (x) => x.verbose, message);
+    }
+    log(logLevel, logFunction, message) {
+        if (message.trim() === "") {
+            return;
+        }
+        const timestamp = new Date().toUTCString();
+        const logHeader = `[${timestamp}] : @microsoft/teamsfx : ${LogLevel[logLevel]} - `;
+        const logMessage = `${logHeader}${message}`;
+        if (this.level !== undefined && this.level <= logLevel) {
+            if (this.customLogger) {
+                logFunction(this.customLogger)(logMessage);
+            }
+            else if (this.customLogFunction) {
+                this.customLogFunction(logLevel, logMessage);
+            }
+            else {
+                logFunction(this.defaultLogger)(logMessage);
+            }
+        }
+    }
+}
+/**
+ * Logger instance used internally
+ *
+ * @internal
+ */
+const internalLogger = new InternalLogger();
+/**
+ * Set custom logger. Use the output functions if it's set. Priority is higher than setLogFunction.
+ *
+ * @param {Logger} logger - custom logger. If it's undefined, custom logger will be cleared.
+ *
+ * @example
+ * ```typescript
+ * setLogger({
+ *   verbose: console.debug,
+ *   info: console.info,
+ *   warn: console.warn,
+ *   error: console.error,
+ * });
+ * ```
+ *
+ * @beta
+ */
+function setLogger(logger) {
+    internalLogger.customLogger = logger;
+}
+/**
+ * Set custom log function. Use the function if it's set. Priority is lower than setLogger.
+ *
+ * @param {LogFunction} logFunction - custom log function. If it's undefined, custom log function will be cleared.
+ *
+ * @example
+ * ```typescript
+ * setLogFunction((level: LogLevel, message: string) => {
+ *   if (level === LogLevel.Error) {
+ *     console.log(message);
+ *   }
+ * });
+ * ```
+ *
+ * @beta
+ */
+function setLogFunction(logFunction) {
+    internalLogger.customLogFunction = logFunction;
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Available resource type.
- * @beta
- */
-exports.ResourceType = void 0;
-(function (ResourceType) {
-    /**
-     * SQL database.
-     *
-     */
-    ResourceType[ResourceType["SQL"] = 0] = "SQL";
-    /**
-     * Rest API.
-     *
-     */
-    ResourceType[ResourceType["API"] = 1] = "API";
-})(exports.ResourceType || (exports.ResourceType = {}));
+// Copyright (c) Microsoft Corporation.
+/**
+ * Parse jwt token payload
+ *
+ * @param token
+ *
+ * @returns Payload object
+ *
+ * @internal
+ */
+function parseJwt(token) {
+    try {
+        const tokenObj = jwt_decode(token);
+        if (!tokenObj || !tokenObj.exp) {
+            throw new ErrorWithCode("Decoded token is null or exp claim does not exists.", ErrorCode.InternalError);
+        }
+        return tokenObj;
+    }
+    catch (err) {
+        const errorMsg = "Parse jwt token failed in node env with error: " + err.message;
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, ErrorCode.InternalError);
+    }
+}
+/**
+ * @internal
+ */
+function getUserInfoFromSsoToken(ssoToken) {
+    if (!ssoToken) {
+        const errorMsg = "SSO token is undefined.";
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, ErrorCode.InvalidParameter);
+    }
+    const tokenObject = parseJwt(ssoToken);
+    const userInfo = {
+        displayName: tokenObject.name,
+        objectId: tokenObject.oid,
+        preferredUserName: "",
+    };
+    if (tokenObject.ver === "2.0") {
+        userInfo.preferredUserName = tokenObject.preferred_username;
+    }
+    else if (tokenObject.ver === "1.0") {
+        userInfo.preferredUserName = tokenObject.upn;
+    }
+    return userInfo;
+}
+/**
+ * Format string template with replacements
+ *
+ * ```typescript
+ * const template = "{0} and {1} are fruit. {0} is my favorite one."
+ * const formattedStr = formatString(template, "apple", "pear"); // formattedStr: "apple and pear are fruit. apple is my favorite one."
+ * ```
+ *
+ * @param str string template
+ * @param replacements replacement string array
+ * @returns Formatted string
+ *
+ * @internal
+ */
+function formatString(str, ...replacements) {
+    const args = replacements;
+    return str.replace(/{(\d+)}/g, function (match, number) {
+        return typeof args[number] != "undefined" ? args[number] : match;
+    });
+}
+/**
+ * @internal
+ */
+function validateScopesType(value) {
+    // string
+    if (typeof value === "string" || value instanceof String) {
+        return;
+    }
+    // empty array
+    if (Array.isArray(value) && value.length === 0) {
+        return;
+    }
+    // string array
+    if (Array.isArray(value) && value.length > 0 && value.every((item) => typeof item === "string")) {
+        return;
+    }
+    const errorMsg = "The type of scopes is not valid, it must be string or string array";
+    internalLogger.error(errorMsg);
+    throw new ErrorWithCode(errorMsg, ErrorCode.InvalidParameter);
+}
+/**
+ * @internal
+ */
+function getScopesArray(scopes) {
+    const scopesArray = typeof scopes === "string" ? scopes.split(" ") : scopes;
+    return scopesArray.filter((x) => x !== null && x !== "");
+}
+/**
+ * @internal
+ */
+function getAuthority(authorityHost, tenantId) {
+    const normalizedAuthorityHost = authorityHost.replace(/\/+$/g, "");
+    return normalizedAuthorityHost + "/" + tenantId;
+}
+/**
+ * @internal
+ */
+const isNode = typeof process !== "undefined" &&
+    !!process.version &&
+    !!process.versions &&
+    !!process.versions.node;
 
-// Copyright (c) Microsoft Corporation.
-/**
- * Global configuration instance
- *
- */
-let config;
-/**
- * Initialize configuration from environment variables or configuration object and set the global instance
- *
- * @param {Configuration} configuration - Optional configuration that overrides the default configuration values. The override depth is 1.
- *
- * @throws {@link ErrorCode|InvalidParameter} when configuration is not passed in browser environment
- *
- * @beta
- */
-function loadConfiguration(configuration) {
-    internalLogger.info("load configuration");
-    // browser environment
-    if (!coreHttp.isNode) {
-        if (!configuration) {
-            const errorMsg = "You are running the code in browser. Configuration must be passed in.";
-            internalLogger.error(errorMsg);
-            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
-        }
-        config = configuration;
-        return;
-    }
-    // node environment
-    let newAuthentication;
-    let newResources = [];
-    const defaultResourceName = "default";
-    if (configuration === null || configuration === void 0 ? void 0 : configuration.authentication) {
-        newAuthentication = configuration.authentication;
-    }
-    else {
-        newAuthentication = {
-            authorityHost: process.env.M365_AUTHORITY_HOST,
-            tenantId: process.env.M365_TENANT_ID,
-            clientId: process.env.M365_CLIENT_ID,
-            clientSecret: process.env.M365_CLIENT_SECRET,
-            simpleAuthEndpoint: process.env.SIMPLE_AUTH_ENDPOINT,
-            initiateLoginEndpoint: process.env.INITIATE_LOGIN_ENDPOINT,
-            applicationIdUri: process.env.M365_APPLICATION_ID_URI,
-        };
-    }
-    if (configuration === null || configuration === void 0 ? void 0 : configuration.resources) {
-        newResources = configuration.resources;
-    }
-    else {
-        newResources = [
-            {
-                // SQL resource
-                type: exports.ResourceType.SQL,
-                name: defaultResourceName,
-                properties: {
-                    sqlServerEndpoint: process.env.SQL_ENDPOINT,
-                    sqlUsername: process.env.SQL_USER_NAME,
-                    sqlPassword: process.env.SQL_PASSWORD,
-                    sqlDatabaseName: process.env.SQL_DATABASE_NAME,
-                    sqlIdentityId: process.env.IDENTITY_ID,
-                },
-            },
-            {
-                // API resource
-                type: exports.ResourceType.API,
-                name: defaultResourceName,
-                properties: {
-                    endpoint: process.env.API_ENDPOINT,
-                },
-            },
-        ];
-    }
-    config = {
-        authentication: newAuthentication,
-        resources: newResources,
-    };
-}
-/**
- * Get configuration for a specific resource.
- * @param {ResourceType} resourceType - The type of resource
- * @param {string} resourceName - The name of resource, default value is "default".
- *
- * @returns Resource configuration for target resource from global configuration instance.
- *
- * @throws {@link ErrorCode|InvalidConfiguration} when resource configuration with the specific type and name is not found
- *
- * @beta
- */
-function getResourceConfiguration(resourceType, resourceName = "default") {
-    var _a;
-    internalLogger.info(`Get resource configuration of ${exports.ResourceType[resourceType]} from ${resourceName}`);
-    const result = (_a = config.resources) === null || _a === void 0 ? void 0 : _a.find((item) => item.type === resourceType && item.name === resourceName);
-    if (result) {
-        return result.properties;
-    }
-    const errorMsg = formatString(ErrorMessage.MissingResourceConfiguration, exports.ResourceType[resourceType], resourceName);
-    internalLogger.error(errorMsg);
-    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
-}
-/**
- * Get configuration for authentication.
- *
- * @returns Authentication configuration from global configuration instance, the value may be undefined if no authentication config exists in current environment.
- *
- * @throws {@link ErrorCode|InvalidConfiguration} when global configuration does not exist
- *
- * @beta
- */
-function getAuthenticationConfiguration() {
-    internalLogger.info("Get authentication configuration");
-    if (config) {
-        return config.authentication;
-    }
-    const errorMsg = "Please call loadConfiguration() first before calling getAuthenticationConfiguration().";
-    internalLogger.error(errorMsg);
-    throw new ErrorWithCode(formatString(ErrorMessage.ConfigurationNotExists, errorMsg), exports.ErrorCode.InvalidConfiguration);
+// Copyright (c) Microsoft Corporation.
+/**
+ * Global configuration instance
+ *
+ */
+let config;
+/**
+ * Initialize configuration from environment variables or configuration object and set the global instance
+ *
+ * @param {Configuration} configuration - Optional configuration that overrides the default configuration values. The override depth is 1.
+ *
+ * @throws {@link ErrorCode|InvalidParameter} when configuration is not passed in browser environment
+ *
+ * @beta
+ */
+function loadConfiguration(configuration) {
+    internalLogger.info("load configuration");
+    // browser environment
+    if (!isNode) {
+        if (!configuration) {
+            const errorMsg = "You are running the code in browser. Configuration must be passed in.";
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, ErrorCode.InvalidParameter);
+        }
+        config = configuration;
+        return;
+    }
+    // node environment
+    let newAuthentication;
+    let newResources = [];
+    const defaultResourceName = "default";
+    if (configuration === null || configuration === void 0 ? void 0 : configuration.authentication) {
+        newAuthentication = configuration.authentication;
+    }
+    else {
+        newAuthentication = {
+            authorityHost: process.env.M365_AUTHORITY_HOST,
+            tenantId: process.env.M365_TENANT_ID,
+            clientId: process.env.M365_CLIENT_ID,
+            clientSecret: process.env.M365_CLIENT_SECRET,
+            simpleAuthEndpoint: process.env.SIMPLE_AUTH_ENDPOINT,
+            initiateLoginEndpoint: process.env.INITIATE_LOGIN_ENDPOINT,
+            applicationIdUri: process.env.M365_APPLICATION_ID_URI,
+        };
+    }
+    if (configuration === null || configuration === void 0 ? void 0 : configuration.resources) {
+        newResources = configuration.resources;
+    }
+    else {
+        newResources = [
+            {
+                // SQL resource
+                type: ResourceType.SQL,
+                name: defaultResourceName,
+                properties: {
+                    sqlServerEndpoint: process.env.SQL_ENDPOINT,
+                    sqlUsername: process.env.SQL_USER_NAME,
+                    sqlPassword: process.env.SQL_PASSWORD,
+                    sqlDatabaseName: process.env.SQL_DATABASE_NAME,
+                    sqlIdentityId: process.env.IDENTITY_ID,
+                },
+            },
+            {
+                // API resource
+                type: ResourceType.API,
+                name: defaultResourceName,
+                properties: {
+                    endpoint: process.env.API_ENDPOINT,
+                },
+            },
+        ];
+    }
+    config = {
+        authentication: newAuthentication,
+        resources: newResources,
+    };
+}
+/**
+ * Get configuration for a specific resource.
+ * @param {ResourceType} resourceType - The type of resource
+ * @param {string} resourceName - The name of resource, default value is "default".
+ *
+ * @returns Resource configuration for target resource from global configuration instance.
+ *
+ * @throws {@link ErrorCode|InvalidConfiguration} when resource configuration with the specific type and name is not found
+ *
+ * @beta
+ */
+function getResourceConfiguration(resourceType, resourceName = "default") {
+    var _a;
+    internalLogger.info(`Get resource configuration of ${ResourceType[resourceType]} from ${resourceName}`);
+    const result = (_a = config.resources) === null || _a === void 0 ? void 0 : _a.find((item) => item.type === resourceType && item.name === resourceName);
+    if (result) {
+        return result.properties;
+    }
+    const errorMsg = formatString(ErrorMessage.MissingResourceConfiguration, ResourceType[resourceType], resourceName);
+    internalLogger.error(errorMsg);
+    throw new ErrorWithCode(errorMsg, ErrorCode.InvalidConfiguration);
+}
+/**
+ * Get configuration for authentication.
+ *
+ * @returns Authentication configuration from global configuration instance, the value may be undefined if no authentication config exists in current environment.
+ *
+ * @throws {@link ErrorCode|InvalidConfiguration} when global configuration does not exist
+ *
+ * @beta
+ */
+function getAuthenticationConfiguration() {
+    internalLogger.info("Get authentication configuration");
+    if (config) {
+        return config.authentication;
+    }
+    const errorMsg = "Please call loadConfiguration() first before calling getAuthenticationConfiguration().";
+    internalLogger.error(errorMsg);
+    throw new ErrorWithCode(formatString(ErrorMessage.ConfigurationNotExists, errorMsg), ErrorCode.InvalidConfiguration);
 }
 
-/**
- * @internal
- */
-function createConfidentialClientApplication(authentication) {
-    const authority = getAuthority(authentication.authorityHost, authentication.tenantId);
-    const clientCertificate = parseCertificate(authentication.certificateContent);
-    const auth = {
-        clientId: authentication.clientId,
-        authority: authority,
-    };
-    if (clientCertificate) {
-        auth.clientCertificate = clientCertificate;
-    }
-    else {
-        auth.clientSecret = authentication.clientSecret;
-    }
-    return new msalNode.ConfidentialClientApplication({
-        auth,
-    });
+/**
+ * @internal
+ */
+function createConfidentialClientApplication(authentication) {
+    const authority = getAuthority(authentication.authorityHost, authentication.tenantId);
+    const clientCertificate = parseCertificate(authentication.certificateContent);
+    const auth = {
+        clientId: authentication.clientId,
+        authority: authority,
+    };
+    if (clientCertificate) {
+        auth.clientCertificate = clientCertificate;
+    }
+    else {
+        auth.clientSecret = authentication.clientSecret;
+    }
+    return new ConfidentialClientApplication({
+        auth,
+    });
+}
+/**
+ * @internal
+ */
+function parseCertificate(certificateContent) {
+    if (!certificateContent) {
+        return undefined;
+    }
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
+    const match = certificatePattern.exec(certificateContent);
+    if (!match) {
+        const errorMsg = "The certificate content does not contain a PEM-encoded certificate.";
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, ErrorCode.InvalidCertificate);
+    }
+    const thumbprint = createHash("sha1")
+        .update(Buffer.from(match[3], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return {
+        thumbprint: thumbprint,
+        privateKey: certificateContent,
+    };
 }
 
-// Copyright (c) Microsoft Corporation.
-/**
- * Represent Microsoft 365 tenant identity, and it is usually used when user is not involved like time-triggered automation job.
- *
- * @example
- * ```typescript
- * loadConfiguration(); // load configuration from environment variables
- * const credential = new M365TenantCredential();
- * ```
- *
- * @remarks
- * Only works in in server side.
- *
- * @beta
- */
-class M365TenantCredential {
-    /**
-     * Constructor of M365TenantCredential.
-     *
-     * @remarks
-     * Only works in in server side.
-     *
-     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret or tenant id is not found in config.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
-     *
-     * @beta
-     */
-    constructor() {
-        internalLogger.info("Create M365 tenant credential");
-        const config = this.loadAndValidateConfig();
-        this.msalClient = createConfidentialClientApplication(config);
-    }
-    /**
-     * Get access token for credential.
-     *
-     * @example
-     * ```typescript
-     * await credential.getToken(["User.Read.All"]) // Get Graph access token for single scope using string array
-     * await credential.getToken("User.Read.All") // Get Graph access token for single scope using string
-     * await credential.getToken(["User.Read.All", "Calendars.Read"]) // Get Graph access token for multiple scopes using string array
-     * await credential.getToken("User.Read.All Calendars.Read") // Get Graph access token for multiple scopes using space-separated string
-     * await credential.getToken("https://graph.microsoft.com/User.Read.All") // Get Graph access token with full resource URI
-     * await credential.getToken(["https://outlook.office.com/Mail.Read"]) // Get Outlook access token
-     * ```
-     *
-     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
-     * @param {GetTokenOptions} options - The options used to configure any requests this TokenCredential implementation might make.
-     *
-     * @throws {@link ErrorCode|ServiceError} when get access token with authentication error.
-     * @throws {@link ErrorCode|InternalError} when get access token with unknown error.
-     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
-     *
-     * @returns Access token with expected scopes.
-     * Throw error if get access token failed.
-     *
-     * @beta
-     */
-    getToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            let accessToken;
-            validateScopesType(scopes);
-            const scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
-            internalLogger.info("Get access token with scopes: " + scopesStr);
-            try {
-                const scopesArray = getScopesArray(scopes);
-                const authenticationResult = yield this.msalClient.acquireTokenByClientCredential({
-                    scopes: scopesArray,
-                });
-                if (authenticationResult) {
-                    accessToken = {
-                        token: authenticationResult.accessToken,
-                        expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
-                    };
-                }
-            }
-            catch (err) {
-                const errorMsg = "Get M365 tenant credential failed with error: " + err.message;
-                internalLogger.error(errorMsg);
-                throw new ErrorWithCode(errorMsg, exports.ErrorCode.ServiceError);
-            }
-            if (!accessToken) {
-                const errorMsg = "Get M365 tenant credential access token failed with empty access token";
-                internalLogger.error(errorMsg);
-                throw new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError);
-            }
-            return accessToken;
-        });
-    }
-    /**
-     * Load and validate authentication configuration
-     * @returns Authentication configuration
-     */
-    loadAndValidateConfig() {
-        internalLogger.verbose("Validate authentication configuration");
-        const config = getAuthenticationConfiguration();
-        if (!config) {
-            internalLogger.error(ErrorMessage.AuthenticationConfigurationNotExists);
-            throw new ErrorWithCode(ErrorMessage.AuthenticationConfigurationNotExists, exports.ErrorCode.InvalidConfiguration);
-        }
-        if (config.clientId && (config.clientSecret || config.certificateContent) && config.tenantId) {
-            return config;
-        }
-        const missingValues = [];
-        if (!config.clientId) {
-            missingValues.push("clientId");
-        }
-        if (!config.clientSecret && !config.certificateContent) {
-            missingValues.push("clientSecret or certificateContent");
-        }
-        if (!config.tenantId) {
-            missingValues.push("tenantId");
-        }
-        const errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingValues.join(", "), "undefined");
-        internalLogger.error(errorMsg);
-        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
-    }
+// Copyright (c) Microsoft Corporation.
+/**
+ * Represent Microsoft 365 tenant identity, and it is usually used when user is not involved like time-triggered automation job.
+ *
+ * @example
+ * ```typescript
+ * loadConfiguration(); // load configuration from environment variables
+ * const credential = new M365TenantCredential();
+ * ```
+ *
+ * @remarks
+ * Only works in in server side.
+ *
+ * @beta
+ */
+class M365TenantCredential {
+    /**
+     * Constructor of M365TenantCredential.
+     *
+     * @remarks
+     * Only works in in server side.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret or tenant id is not found in config.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
+     *
+     * @beta
+     */
+    constructor() {
+        internalLogger.info("Create M365 tenant credential");
+        const config = this.loadAndValidateConfig();
+        this.msalClient = createConfidentialClientApplication(config);
+    }
+    /**
+     * Get access token for credential.
+     *
+     * @example
+     * ```typescript
+     * await credential.getToken(["User.Read.All"]) // Get Graph access token for single scope using string array
+     * await credential.getToken("User.Read.All") // Get Graph access token for single scope using string
+     * await credential.getToken(["User.Read.All", "Calendars.Read"]) // Get Graph access token for multiple scopes using string array
+     * await credential.getToken("User.Read.All Calendars.Read") // Get Graph access token for multiple scopes using space-separated string
+     * await credential.getToken("https://graph.microsoft.com/User.Read.All") // Get Graph access token with full resource URI
+     * await credential.getToken(["https://outlook.office.com/Mail.Read"]) // Get Outlook access token
+     * ```
+     *
+     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
+     * @param {GetTokenOptions} options - The options used to configure any requests this TokenCredential implementation might make.
+     *
+     * @throws {@link ErrorCode|ServiceError} when get access token with authentication error.
+     * @throws {@link ErrorCode|InternalError} when get access token with unknown error.
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
+     *
+     * @returns Access token with expected scopes.
+     * Throw error if get access token failed.
+     *
+     * @beta
+     */
+    async getToken(scopes, options) {
+        let accessToken;
+        validateScopesType(scopes);
+        const scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
+        internalLogger.info("Get access token with scopes: " + scopesStr);
+        try {
+            const scopesArray = getScopesArray(scopes);
+            const authenticationResult = await this.msalClient.acquireTokenByClientCredential({
+                scopes: scopesArray,
+            });
+            if (authenticationResult) {
+                accessToken = {
+                    token: authenticationResult.accessToken,
+                    expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
+                };
+            }
+        }
+        catch (err) {
+            const errorMsg = "Get M365 tenant credential failed with error: " + err.message;
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, ErrorCode.ServiceError);
+        }
+        if (!accessToken) {
+            const errorMsg = "Get M365 tenant credential access token failed with empty access token";
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, ErrorCode.InternalError);
+        }
+        return accessToken;
+    }
+    /**
+     * Load and validate authentication configuration
+     * @returns Authentication configuration
+     */
+    loadAndValidateConfig() {
+        internalLogger.verbose("Validate authentication configuration");
+        const config = getAuthenticationConfiguration();
+        if (!config) {
+            internalLogger.error(ErrorMessage.AuthenticationConfigurationNotExists);
+            throw new ErrorWithCode(ErrorMessage.AuthenticationConfigurationNotExists, ErrorCode.InvalidConfiguration);
+        }
+        if (config.clientId && (config.clientSecret || config.certificateContent) && config.tenantId) {
+            return config;
+        }
+        const missingValues = [];
+        if (!config.clientId) {
+            missingValues.push("clientId");
+        }
+        if (!config.clientSecret && !config.certificateContent) {
+            missingValues.push("clientSecret or certificateContent");
+        }
+        if (!config.tenantId) {
+            missingValues.push("tenantId");
+        }
+        const errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingValues.join(", "), "undefined");
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, ErrorCode.InvalidConfiguration);
+    }
 }
 
-// Copyright (c) Microsoft Corporation.
-/**
- * Represent on-behalf-of flow to get user identity, and it is designed to be used in server side.
- *
- * @example
- * ```typescript
- * loadConfiguration(); // load configuration from environment variables
- * const credential = new OnBehalfOfUserCredential(ssoToken);
- * ```
- *
- * @remarks
- * Can only be used in server side.
- *
- * @beta
- */
-class OnBehalfOfUserCredential {
-    /**
-     * Constructor of OnBehalfOfUserCredential
-     *
-     * @remarks
-     * Only works in in server side.
-     *
-     * @param {string} ssoToken - User token provided by Teams SSO feature.
-     *
-     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret, certificate content, authority host or tenant id is not found in config.
-     * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @beta
-     */
-    constructor(ssoToken) {
-        var _a, _b, _c, _d, _e;
-        internalLogger.info("Get on behalf of user credential");
-        const missingConfigurations = [];
-        if (!((_a = config === null || config === void 0 ? void 0 : config.authentication) === null || _a === void 0 ? void 0 : _a.clientId)) {
-            missingConfigurations.push("clientId");
-        }
-        if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.authorityHost)) {
-            missingConfigurations.push("authorityHost");
-        }
-        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.clientSecret) && !((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.certificateContent)) {
-            missingConfigurations.push("clientSecret or certificateContent");
-        }
-        if (!((_e = config === null || config === void 0 ? void 0 : config.authentication) === null || _e === void 0 ? void 0 : _e.tenantId)) {
-            missingConfigurations.push("tenantId");
-        }
-        if (missingConfigurations.length != 0) {
-            const errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingConfigurations.join(", "), "undefined");
-            internalLogger.error(errorMsg);
-            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
-        }
-        this.msalClient = createConfidentialClientApplication(config.authentication);
-        const decodedSsoToken = parseJwt(ssoToken);
-        this.ssoToken = {
-            token: ssoToken,
-            expiresOnTimestamp: decodedSsoToken.exp,
-        };
-    }
-    /**
-     * Get access token from credential.
-     *
-     * @example
-     * ```typescript
-     * await credential.getToken([]) // Get SSO token using empty string array
-     * await credential.getToken("") // Get SSO token using empty string
-     * await credential.getToken([".default"]) // Get Graph access token with default scope using string array
-     * await credential.getToken(".default") // Get Graph access token with default scope using string
-     * await credential.getToken(["User.Read"]) // Get Graph access token for single scope using string array
-     * await credential.getToken("User.Read") // Get Graph access token for single scope using string
-     * await credential.getToken(["User.Read", "Application.Read.All"]) // Get Graph access token for multiple scopes using string array
-     * await credential.getToken("User.Read Application.Read.All") // Get Graph access token for multiple scopes using space-separated string
-     * await credential.getToken("https://graph.microsoft.com/User.Read") // Get Graph access token with full resource URI
-     * await credential.getToken(["https://outlook.office.com/Mail.Read"]) // Get Outlook access token
-     * ```
-     *
-     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
-     * @param {GetTokenOptions} options - The options used to configure any requests this TokenCredential implementation might make.
-     *
-     * @throws {@link ErrorCode|InternalError} when failed to acquire access token on behalf of user with unknown error.
-     * @throws {@link ErrorCode|TokenExpiredError} when SSO token has already expired.
-     * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
-     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth server.
-     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @returns Access token with expected scopes.
-     *
-     * @remarks
-     * If scopes is empty string or array, it returns SSO token.
-     * If scopes is non-empty, it returns access token for target scope.
-     *
-     * @beta
-     */
-    getToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            validateScopesType(scopes);
-            const scopesArray = getScopesArray(scopes);
-            let result;
-            if (!scopesArray.length) {
-                internalLogger.info("Get SSO token.");
-                if (Math.floor(Date.now() / 1000) > this.ssoToken.expiresOnTimestamp) {
-                    const errorMsg = "Sso token has already expired.";
-                    internalLogger.error(errorMsg);
-                    throw new ErrorWithCode(errorMsg, exports.ErrorCode.TokenExpiredError);
-                }
-                result = this.ssoToken;
-            }
-            else {
-                internalLogger.info("Get access token with scopes: " + scopesArray.join(" "));
-                let authenticationResult;
-                try {
-                    authenticationResult = yield this.msalClient.acquireTokenOnBehalfOf({
-                        oboAssertion: this.ssoToken.token,
-                        scopes: scopesArray,
-                    });
-                }
-                catch (error) {
-                    throw this.generateAuthServerError(error);
-                }
-                if (!authenticationResult) {
-                    const errorMsg = "Access token is null";
-                    internalLogger.error(errorMsg);
-                    throw new ErrorWithCode(formatString(ErrorMessage.FailToAcquireTokenOnBehalfOfUser, errorMsg), exports.ErrorCode.InternalError);
-                }
-                result = {
-                    token: authenticationResult.accessToken,
-                    expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
-                };
-            }
-            return result;
-        });
-    }
-    /**
-     * Get basic user info from SSO token.
-     *
-     * @example
-     * ```typescript
-     * const currentUser = getUserInfo();
-     * ```
-     *
-     * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @returns Basic user info with user displayName, objectId and preferredUserName.
-     *
-     * @beta
-     */
-    getUserInfo() {
-        internalLogger.info("Get basic user info from SSO token");
-        return getUserInfoFromSsoToken(this.ssoToken.token);
-    }
-    generateAuthServerError(err) {
-        const errorMessage = err.errorMessage;
-        if (err.name === "InteractionRequiredAuthError") {
-            const fullErrorMsg = "Failed to get access token from AAD server, interaction required: " + errorMessage;
-            internalLogger.warn(fullErrorMsg);
-            return new ErrorWithCode(fullErrorMsg, exports.ErrorCode.UiRequiredError);
-        }
-        else if (errorMessage && errorMessage.indexOf("AADSTS500133") >= 0) {
-            const fullErrorMsg = "Failed to get access token from AAD server, sso token expired: " + errorMessage;
-            internalLogger.error(fullErrorMsg);
-            return new ErrorWithCode(fullErrorMsg, exports.ErrorCode.TokenExpiredError);
-        }
-        else {
-            const fullErrorMsg = formatString(ErrorMessage.FailToAcquireTokenOnBehalfOfUser, errorMessage);
-            internalLogger.error(fullErrorMsg);
-            return new ErrorWithCode(fullErrorMsg, exports.ErrorCode.ServiceError);
-        }
-    }
+// Copyright (c) Microsoft Corporation.
+/**
+ * Represent on-behalf-of flow to get user identity, and it is designed to be used in server side.
+ *
+ * @example
+ * ```typescript
+ * loadConfiguration(); // load configuration from environment variables
+ * const credential = new OnBehalfOfUserCredential(ssoToken);
+ * ```
+ *
+ * @remarks
+ * Can only be used in server side.
+ *
+ * @beta
+ */
+class OnBehalfOfUserCredential {
+    /**
+     * Constructor of OnBehalfOfUserCredential
+     *
+     * @remarks
+     * Only works in in server side.
+     *
+     * @param {string} ssoToken - User token provided by Teams SSO feature.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret, certificate content, authority host or tenant id is not found in config.
+     * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    constructor(ssoToken) {
+        var _a, _b, _c, _d, _e;
+        internalLogger.info("Get on behalf of user credential");
+        const missingConfigurations = [];
+        if (!((_a = config === null || config === void 0 ? void 0 : config.authentication) === null || _a === void 0 ? void 0 : _a.clientId)) {
+            missingConfigurations.push("clientId");
+        }
+        if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.authorityHost)) {
+            missingConfigurations.push("authorityHost");
+        }
+        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.clientSecret) && !((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.certificateContent)) {
+            missingConfigurations.push("clientSecret or certificateContent");
+        }
+        if (!((_e = config === null || config === void 0 ? void 0 : config.authentication) === null || _e === void 0 ? void 0 : _e.tenantId)) {
+            missingConfigurations.push("tenantId");
+        }
+        if (missingConfigurations.length != 0) {
+            const errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingConfigurations.join(", "), "undefined");
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, ErrorCode.InvalidConfiguration);
+        }
+        this.msalClient = createConfidentialClientApplication(config.authentication);
+        const decodedSsoToken = parseJwt(ssoToken);
+        this.ssoToken = {
+            token: ssoToken,
+            expiresOnTimestamp: decodedSsoToken.exp,
+        };
+    }
+    /**
+     * Get access token from credential.
+     *
+     * @example
+     * ```typescript
+     * await credential.getToken([]) // Get SSO token using empty string array
+     * await credential.getToken("") // Get SSO token using empty string
+     * await credential.getToken([".default"]) // Get Graph access token with default scope using string array
+     * await credential.getToken(".default") // Get Graph access token with default scope using string
+     * await credential.getToken(["User.Read"]) // Get Graph access token for single scope using string array
+     * await credential.getToken("User.Read") // Get Graph access token for single scope using string
+     * await credential.getToken(["User.Read", "Application.Read.All"]) // Get Graph access token for multiple scopes using string array
+     * await credential.getToken("User.Read Application.Read.All") // Get Graph access token for multiple scopes using space-separated string
+     * await credential.getToken("https://graph.microsoft.com/User.Read") // Get Graph access token with full resource URI
+     * await credential.getToken(["https://outlook.office.com/Mail.Read"]) // Get Outlook access token
+     * ```
+     *
+     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
+     * @param {GetTokenOptions} options - The options used to configure any requests this TokenCredential implementation might make.
+     *
+     * @throws {@link ErrorCode|InternalError} when failed to acquire access token on behalf of user with unknown error.
+     * @throws {@link ErrorCode|TokenExpiredError} when SSO token has already expired.
+     * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
+     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth server.
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @returns Access token with expected scopes.
+     *
+     * @remarks
+     * If scopes is empty string or array, it returns SSO token.
+     * If scopes is non-empty, it returns access token for target scope.
+     *
+     * @beta
+     */
+    async getToken(scopes, options) {
+        validateScopesType(scopes);
+        const scopesArray = getScopesArray(scopes);
+        let result;
+        if (!scopesArray.length) {
+            internalLogger.info("Get SSO token.");
+            if (Math.floor(Date.now() / 1000) > this.ssoToken.expiresOnTimestamp) {
+                const errorMsg = "Sso token has already expired.";
+                internalLogger.error(errorMsg);
+                throw new ErrorWithCode(errorMsg, ErrorCode.TokenExpiredError);
+            }
+            result = this.ssoToken;
+        }
+        else {
+            internalLogger.info("Get access token with scopes: " + scopesArray.join(" "));
+            let authenticationResult;
+            try {
+                authenticationResult = await this.msalClient.acquireTokenOnBehalfOf({
+                    oboAssertion: this.ssoToken.token,
+                    scopes: scopesArray,
+                });
+            }
+            catch (error) {
+                throw this.generateAuthServerError(error);
+            }
+            if (!authenticationResult) {
+                const errorMsg = "Access token is null";
+                internalLogger.error(errorMsg);
+                throw new ErrorWithCode(formatString(ErrorMessage.FailToAcquireTokenOnBehalfOfUser, errorMsg), ErrorCode.InternalError);
+            }
+            result = {
+                token: authenticationResult.accessToken,
+                expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
+            };
+        }
+        return result;
+    }
+    /**
+     * Get basic user info from SSO token.
+     *
+     * @example
+     * ```typescript
+     * const currentUser = getUserInfo();
+     * ```
+     *
+     * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @returns Basic user info with user displayName, objectId and preferredUserName.
+     *
+     * @beta
+     */
+    getUserInfo() {
+        internalLogger.info("Get basic user info from SSO token");
+        return getUserInfoFromSsoToken(this.ssoToken.token);
+    }
+    generateAuthServerError(err) {
+        const errorMessage = err.errorMessage;
+        if (err.name === "InteractionRequiredAuthError") {
+            const fullErrorMsg = "Failed to get access token from AAD server, interaction required: " + errorMessage;
+            internalLogger.warn(fullErrorMsg);
+            return new ErrorWithCode(fullErrorMsg, ErrorCode.UiRequiredError);
+        }
+        else if (errorMessage && errorMessage.indexOf("AADSTS500133") >= 0) {
+            const fullErrorMsg = "Failed to get access token from AAD server, sso token expired: " + errorMessage;
+            internalLogger.error(fullErrorMsg);
+            return new ErrorWithCode(fullErrorMsg, ErrorCode.TokenExpiredError);
+        }
+        else {
+            const fullErrorMsg = formatString(ErrorMessage.FailToAcquireTokenOnBehalfOfUser, errorMessage);
+            internalLogger.error(fullErrorMsg);
+            return new ErrorWithCode(fullErrorMsg, ErrorCode.ServiceError);
+        }
+    }
 }
 
-// Copyright (c) Microsoft Corporation.
-/**
- * Represent Teams current user's identity, and it is used within Teams client applications.
- *
- * @remarks
- * Can only be used within Teams.
- *
- * @beta
- */
-class TeamsUserCredential {
-    /**
-     * Constructor of TeamsUserCredential.
-     * @remarks
-     * Can only be used within Teams.
-     * @beta
-     */
-    constructor() {
-        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
-    }
-    /**
-     * Popup login page to get user's access token with specific scopes.
-     * @remarks
-     * Can only be used within Teams.
-     * @beta
-     */
-    login(scopes) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
-        });
-    }
-    /**
-     * Get access token from credential.
-     * @remarks
-     * Can only be used within Teams.
-     * @beta
-     */
-    getToken(scopes, options) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
-        });
-    }
-    /**
-     * Get basic user info from SSO token
-     * @remarks
-     * Can only be used within Teams.
-     * @beta
-     */
-    getUserInfo() {
-        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), exports.ErrorCode.RuntimeNotSupported);
-    }
+// Copyright (c) Microsoft Corporation.
+/**
+ * Represent Teams current user's identity, and it is used within Teams client applications.
+ *
+ * @remarks
+ * Can only be used within Teams.
+ *
+ * @beta
+ */
+class TeamsUserCredential {
+    /**
+     * Constructor of TeamsUserCredential.
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    constructor() {
+        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), ErrorCode.RuntimeNotSupported);
+    }
+    /**
+     * Popup login page to get user's access token with specific scopes.
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    async login(scopes) {
+        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), ErrorCode.RuntimeNotSupported);
+    }
+    /**
+     * Get access token from credential.
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    async getToken(scopes, options) {
+        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), ErrorCode.RuntimeNotSupported);
+    }
+    /**
+     * Get basic user info from SSO token
+     * @remarks
+     * Can only be used within Teams.
+     * @beta
+     */
+    getUserInfo() {
+        throw new ErrorWithCode(formatString(ErrorMessage.NodejsRuntimeNotSupported, "TeamsUserCredential"), ErrorCode.RuntimeNotSupported);
+    }
 }
 
-// Copyright (c) Microsoft Corporation.
-const defaultScope = "https://graph.microsoft.com/.default";
-/**
- * Microsoft Graph auth provider for Teams Framework
- *
- * @beta
- */
-class MsGraphAuthProvider {
-    /**
-     * Constructor of MsGraphAuthProvider.
-     *
-     * @param {TokenCredential} credential - Credential used to invoke Microsoft Graph APIs.
-     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
-     *
-     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
-     *
-     * @returns An instance of MsGraphAuthProvider.
-     *
-     * @beta
-     */
-    constructor(credential, scopes) {
-        this.credential = credential;
-        let scopesStr = defaultScope;
-        if (scopes) {
-            validateScopesType(scopes);
-            scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
-            if (scopesStr === "") {
-                scopesStr = defaultScope;
-            }
-        }
-        internalLogger.info(`Create Microsoft Graph Authentication Provider with scopes: '${scopesStr}'`);
-        this.scopes = scopesStr;
-    }
-    /**
-     * Get access token for Microsoft Graph API requests.
-     *
-     * @throws {@link ErrorCode|InternalError} when get access token failed due to empty token or unknown other problems.
-     * @throws {@link ErrorCode|TokenExpiredError} when SSO token has already expired.
-     * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
-     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth or AAD server.
-     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
-     *
-     * @returns Access token from the credential.
-     *
-     */
-    getAccessToken() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            internalLogger.info(`Get Graph Access token with scopes: '${this.scopes}'`);
-            const accessToken = yield this.credential.getToken(this.scopes);
-            return new Promise((resolve, reject) => {
-                if (accessToken) {
-                    resolve(accessToken.token);
-                }
-                else {
-                    const errorMsg = "Graph access token is undefined or empty";
-                    internalLogger.error(errorMsg);
-                    reject(new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError));
-                }
-            });
-        });
-    }
+// Copyright (c) Microsoft Corporation.
+const defaultScope = "https://graph.microsoft.com/.default";
+/**
+ * Microsoft Graph auth provider for Teams Framework
+ *
+ * @beta
+ */
+class MsGraphAuthProvider {
+    /**
+     * Constructor of MsGraphAuthProvider.
+     *
+     * @param {TokenCredential} credential - Credential used to invoke Microsoft Graph APIs.
+     * @param {string | string[]} scopes - The list of scopes for which the token will have access.
+     *
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     *
+     * @returns An instance of MsGraphAuthProvider.
+     *
+     * @beta
+     */
+    constructor(credential, scopes) {
+        this.credential = credential;
+        let scopesStr = defaultScope;
+        if (scopes) {
+            validateScopesType(scopes);
+            scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
+            if (scopesStr === "") {
+                scopesStr = defaultScope;
+            }
+        }
+        internalLogger.info(`Create Microsoft Graph Authentication Provider with scopes: '${scopesStr}'`);
+        this.scopes = scopesStr;
+    }
+    /**
+     * Get access token for Microsoft Graph API requests.
+     *
+     * @throws {@link ErrorCode|InternalError} when get access token failed due to empty token or unknown other problems.
+     * @throws {@link ErrorCode|TokenExpiredError} when SSO token has already expired.
+     * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
+     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth or AAD server.
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     *
+     * @returns Access token from the credential.
+     *
+     */
+    async getAccessToken() {
+        internalLogger.info(`Get Graph Access token with scopes: '${this.scopes}'`);
+        const accessToken = await this.credential.getToken(this.scopes);
+        return new Promise((resolve, reject) => {
+            if (accessToken) {
+                resolve(accessToken.token);
+            }
+            else {
+                const errorMsg = "Graph access token is undefined or empty";
+                internalLogger.error(errorMsg);
+                reject(new ErrorWithCode(errorMsg, ErrorCode.InternalError));
+            }
+        });
+    }
 }
 
-// Copyright (c) Microsoft Corporation.
-const invokeResponseType = "invokeResponse";
-/**
- * Response body returned for a token exchange invoke activity.
- *
- * @beta
- */
-class TokenExchangeInvokeResponse {
-    constructor(id, failureDetail) {
-        this.id = id;
-        this.failureDetail = failureDetail;
-    }
-}
-/**
- * Creates a new prompt that leverage Teams Single Sign On (SSO) support for bot to automatically sign in user and
- * help receive oauth token, asks the user to consent if needed.
- *
- * @remarks
- * The prompt will attempt to retrieve the users current token of the desired scopes and store it in
- * the token store.
- *
- * User will be automatically signed in leveraging Teams support of Bot Single Sign On(SSO):
- * https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots
- *
- * @example
- * When used with your bots `DialogSet` you can simply add a new instance of the prompt as a named
- * dialog using `DialogSet.add()`. You can then start the prompt from a waterfall step using either
- * `DialogContext.beginDialog()` or `DialogContext.prompt()`. The user will be prompted to sign in as
- * needed and their access token will be passed as an argument to the callers next waterfall step:
- *
- * ```JavaScript
- * const { ConversationState, MemoryStorage } = require('botbuilder');
- * const { DialogSet, WaterfallDialog } = require('botbuilder-dialogs');
- * const { TeamsBotSsoPrompt } = require('@microsoft/teamsfx');
- *
- * const convoState = new ConversationState(new MemoryStorage());
- * const dialogState = convoState.createProperty('dialogState');
- * const dialogs = new DialogSet(dialogState);
- *
- * loadConfiguration();
- * dialogs.add(new TeamsBotSsoPrompt('TeamsBotSsoPrompt', {
- *    scopes: ["User.Read"],
- * }));
- *
- * dialogs.add(new WaterfallDialog('taskNeedingLogin', [
- *      async (step) => {
- *          return await step.beginDialog('TeamsBotSsoPrompt');
- *      },
- *      async (step) => {
- *          const token = step.result;
- *          if (token) {
- *
- *              // ... continue with task needing access token ...
- *
- *          } else {
- *              await step.context.sendActivity(`Sorry... We couldn't log you in. Try again later.`);
- *              return await step.endDialog();
- *          }
- *      }
- * ]));
- * ```
- *
- * @beta
- */
-class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
-    /**
-     * Constructor of TeamsBotSsoPrompt.
-     *
-     * @param dialogId Unique ID of the dialog within its parent `DialogSet` or `ComponentDialog`.
-     * @param settings Settings used to configure the prompt.
-     *
-     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @beta
-     */
-    constructor(dialogId, settings) {
-        super(dialogId);
-        this.settings = settings;
-        validateScopesType(settings.scopes);
-        internalLogger.info("Create a new Teams Bot SSO Prompt");
-    }
-    /**
-     * Called when a prompt dialog is pushed onto the dialog stack and is being activated.
-     * @remarks
-     * If the task is successful, the result indicates whether the prompt is still
-     * active after the turn has been processed by the prompt.
-     *
-     * @param dc The DialogContext for the current turn of the conversation.
-     *
-     * @throws {@link ErrorCode|InvalidParameter} when timeout property in teams bot sso prompt settings is not number or is not positive.
-     * @throws {@link ErrorCode|ChannelNotSupported} when bot channel is not MS Teams.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @returns A `Promise` representing the asynchronous operation.
-     *
-     * @beta
-     */
-    beginDialog(dc) {
-        var _a;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            internalLogger.info("Begin Teams Bot SSO Prompt");
-            this.ensureMsTeamsChannel(dc);
-            // Initialize prompt state
-            const default_timeout = 900000;
-            let timeout = default_timeout;
-            if (this.settings.timeout) {
-                if (typeof this.settings.timeout != "number") {
-                    const errorMsg = "type of timeout property in teamsBotSsoPromptSettings should be number.";
-                    internalLogger.error(errorMsg);
-                    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
-                }
-                if (this.settings.timeout <= 0) {
-                    const errorMsg = "value of timeout property in teamsBotSsoPromptSettings should be positive.";
-                    internalLogger.error(errorMsg);
-                    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
-                }
-                timeout = this.settings.timeout;
-            }
-            if (this.settings.endOnInvalidMessage === undefined) {
-                this.settings.endOnInvalidMessage = true;
-            }
-            const state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
-            state.state = {};
-            state.options = {};
-            state.expires = new Date().getTime() + timeout;
-            // Send OAuth card to get SSO token
-            yield this.sendOAuthCardAsync(dc.context);
-            return botbuilderDialogs.Dialog.EndOfTurn;
-        });
-    }
-    /**
-     * Called when a prompt dialog is the active dialog and the user replied with a new activity.
-     *
-     * @remarks
-     * If the task is successful, the result indicates whether the dialog is still
-     * active after the turn has been processed by the dialog.
-     * The prompt generally continues to receive the user's replies until it accepts the
-     * user's reply as valid input for the prompt.
-     *
-     * @param dc The DialogContext for the current turn of the conversation.
-     *
-     * @returns A `Promise` representing the asynchronous operation.
-     *
-     * @throws {@link ErrorCode|ChannelNotSupported} when bot channel is not MS Teams.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @beta
-     */
-    continueDialog(dc) {
-        var _a;
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            internalLogger.info("Continue Teams Bot SSO Prompt");
-            this.ensureMsTeamsChannel(dc);
-            // Check for timeout
-            const state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
-            const isMessage = dc.context.activity.type === botbuilder.ActivityTypes.Message;
-            const isTimeoutActivityType = isMessage ||
-                this.isTeamsVerificationInvoke(dc.context) ||
-                this.isTokenExchangeRequestInvoke(dc.context);
-            // If the incoming Activity is a message, or an Activity Type normally handled by TeamsBotSsoPrompt,
-            // check to see if this TeamsBotSsoPrompt Expiration has elapsed, and end the dialog if so.
-            const hasTimedOut = isTimeoutActivityType && new Date().getTime() > state.expires;
-            if (hasTimedOut) {
-                internalLogger.warn("End Teams Bot SSO Prompt due to timeout");
-                return yield dc.endDialog(undefined);
-            }
-            else {
-                if (this.isTeamsVerificationInvoke(dc.context) ||
-                    this.isTokenExchangeRequestInvoke(dc.context)) {
-                    // Recognize token
-                    const recognized = yield this.recognizeToken(dc);
-                    if (recognized.succeeded) {
-                        return yield dc.endDialog(recognized.value);
-                    }
-                }
-                else if (isMessage && this.settings.endOnInvalidMessage) {
-                    internalLogger.warn("End Teams Bot SSO Prompt due to invalid message");
-                    return yield dc.endDialog(undefined);
-                }
-                return botbuilderDialogs.Dialog.EndOfTurn;
-            }
-        });
-    }
-    /**
-     * Ensure bot is running in MS Teams since TeamsBotSsoPrompt is only supported in MS Teams channel.
-     * @param dc dialog context
-     * @throws {@link ErrorCode|ChannelNotSupported} if bot channel is not MS Teams
-     * @internal
-     */
-    ensureMsTeamsChannel(dc) {
-        if (dc.context.activity.channelId != botbuilder.Channels.Msteams) {
-            const errorMsg = formatString(ErrorMessage.OnlyMSTeamsChannelSupported, "Teams Bot SSO Prompt");
-            internalLogger.error(errorMsg);
-            throw new ErrorWithCode(errorMsg, exports.ErrorCode.ChannelNotSupported);
-        }
-    }
-    /**
-     * Send OAuthCard that tells Teams to obtain an authentication token for the bot application.
-     * For details see https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots.
-     *
-     * @internal
-     */
-    sendOAuthCardAsync(context) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            internalLogger.verbose("Send OAuth card to get SSO token");
-            const account = yield botbuilder.TeamsInfo.getMember(context, context.activity.from.id);
-            internalLogger.verbose("Get Teams member account user principal name: " + account.userPrincipalName);
-            const loginHint = account.userPrincipalName ? account.userPrincipalName : "";
-            const signInResource = this.getSignInResource(loginHint);
-            const card = botbuilder.CardFactory.oauthCard("", "Teams SSO Sign In", "Sign In", signInResource.signInLink, signInResource.tokenExchangeResource);
-            card.content.buttons[0].type = botbuilder.ActionTypes.Signin;
-            const msg = botbuilder.MessageFactory.attachment(card);
-            // Send prompt
-            yield context.sendActivity(msg);
-        });
-    }
-    /**
-     * Get sign in resource.
-     *
-     * @throws {@link ErrorCode|InvalidConfiguration} if client id, tenant id or initiate login endpoint is not found in config.
-     *
-     * @internal
-     */
-    getSignInResource(loginHint) {
-        var _a, _b, _c, _d, _e;
-        internalLogger.verbose("Get sign in authentication configuration");
-        const missingConfigurations = [];
-        if (!((_a = config === null || config === void 0 ? void 0 : config.authentication) === null || _a === void 0 ? void 0 : _a.initiateLoginEndpoint)) {
-            missingConfigurations.push("initiateLoginEndpoint");
-        }
-        if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.clientId)) {
-            missingConfigurations.push("clientId");
-        }
-        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.tenantId)) {
-            missingConfigurations.push("tenantId");
-        }
-        if (!((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.applicationIdUri)) {
-            missingConfigurations.push("applicationIdUri");
-        }
-        if (missingConfigurations.length != 0) {
-            const errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingConfigurations.join(", "), "undefined");
-            internalLogger.error(errorMsg);
-            throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
-        }
-        const signInLink = `${config.authentication.initiateLoginEndpoint}?scope=${encodeURI(this.settings.scopes.join(" "))}&clientId=${config.authentication.clientId}&tenantId=${config.authentication.tenantId}&loginHint=${loginHint}`;
-        internalLogger.verbose("Sign in link: " + signInLink);
-        const tokenExchangeResource = {
-            id: uuid.v4(),
-            uri: ((_e = config.authentication) === null || _e === void 0 ? void 0 : _e.applicationIdUri.replace(/\/$/, "")) + "/access_as_user",
-        };
-        internalLogger.verbose("Token exchange resource uri: " + tokenExchangeResource.uri);
-        return {
-            signInLink: signInLink,
-            tokenExchangeResource: tokenExchangeResource,
-        };
-    }
-    /**
-     * @internal
-     */
-    recognizeToken(dc) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            const context = dc.context;
-            let tokenResponse;
-            if (this.isTokenExchangeRequestInvoke(context)) {
-                internalLogger.verbose("Receive token exchange request");
-                // Received activity is not a token exchange request
-                if (!(context.activity.value && this.isTokenExchangeRequest(context.activity.value))) {
-                    const warningMsg = "The bot received an InvokeActivity that is missing a TokenExchangeInvokeRequest value. This is required to be sent with the InvokeActivity.";
-                    internalLogger.warn(warningMsg);
-                    yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.BAD_REQUEST, warningMsg));
-                }
-                else {
-                    const ssoToken = context.activity.value.token;
-                    const credential = new OnBehalfOfUserCredential(ssoToken);
-                    let exchangedToken;
-                    try {
-                        exchangedToken = yield credential.getToken(this.settings.scopes);
-                        if (exchangedToken) {
-                            yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.OK, "", context.activity.value.id));
-                            const ssoTokenExpiration = parseJwt(ssoToken).exp;
-                            tokenResponse = {
-                                ssoToken: ssoToken,
-                                ssoTokenExpiration: new Date(ssoTokenExpiration * 1000).toISOString(),
-                                connectionName: "",
-                                token: exchangedToken.token,
-                                expiration: exchangedToken.expiresOnTimestamp.toString(),
-                            };
-                        }
-                    }
-                    catch (error) {
-                        const warningMsg = "The bot is unable to exchange token. Ask for user consent.";
-                        internalLogger.info(warningMsg);
-                        yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.PRECONDITION_FAILED, warningMsg, context.activity.value.id));
-                    }
-                }
-            }
-            else if (this.isTeamsVerificationInvoke(context)) {
-                internalLogger.verbose("Receive Teams state verification request");
-                yield this.sendOAuthCardAsync(dc.context);
-                yield context.sendActivity({ type: invokeResponseType, value: { status: botbuilder.StatusCodes.OK } });
-            }
-            return tokenResponse !== undefined
-                ? { succeeded: true, value: tokenResponse }
-                : { succeeded: false };
-        });
-    }
-    /**
-     * @internal
-     */
-    getTokenExchangeInvokeResponse(status, failureDetail, id) {
-        const invokeResponse = {
-            type: invokeResponseType,
-            value: { status, body: new TokenExchangeInvokeResponse(id, failureDetail) },
-        };
-        return invokeResponse;
-    }
-    /**
-     * @internal
-     */
-    isTeamsVerificationInvoke(context) {
-        const activity = context.activity;
-        return activity.type === botbuilder.ActivityTypes.Invoke && activity.name === botbuilder.verifyStateOperationName;
-    }
-    /**
-     * @internal
-     */
-    isTokenExchangeRequestInvoke(context) {
-        const activity = context.activity;
-        return activity.type === botbuilder.ActivityTypes.Invoke && activity.name === botbuilder.tokenExchangeOperationName;
-    }
-    /**
-     * @internal
-     */
-    isTokenExchangeRequest(obj) {
-        return obj.hasOwnProperty("token");
-    }
+// Copyright (c) Microsoft Corporation.
+/**
+ * Get Microsoft graph client.
+ *
+ * @example
+ * Get Microsoft graph client by TokenCredential
+ * ```typescript
+ * // Sso token example (Azure Function)
+ * const ssoToken = "YOUR_TOKEN_STRING";
+ * const options = {"AAD_APP_ID", "AAD_APP_SECRET"};
+ * const credential = new OnBehalfOfAADUserCredential(ssoToken, options);
+ * const graphClient = await createMicrosoftGraphClient(credential);
+ * const profile = await graphClient.api("/me").get();
+ *
+ * // TeamsBotSsoPrompt example (Bot Application)
+ * const requiredScopes = ["User.Read"];
+ * const config: Configuration = {
+ *    loginUrl: loginUrl,
+ *    clientId: clientId,
+ *    clientSecret: clientSecret,
+ *    tenantId: tenantId
+ * };
+ * const prompt = new TeamsBotSsoPrompt(dialogId, {
+ *    config: config
+ *    scopes: '["User.Read"],
+ * });
+ * this.addDialog(prompt);
+ *
+ * const oboCredential = new OnBehalfOfAADUserCredential(
+ *  getUserId(dialogContext),
+ *  {
+ *    clientId: "AAD_APP_ID",
+ *    clientSecret: "AAD_APP_SECRET"
+ *  });
+ * try {
+ *    const graphClient = await createMicrosoftGraphClient(credential);
+ *    const profile = await graphClient.api("/me").get();
+ * } catch (e) {
+ *    dialogContext.beginDialog(dialogId);
+ *    return Dialog.endOfTurn();
+ * }
+ * ```
+ *
+ * @param {TokenCredential} credential - token credential instance.
+ * @param scopes - The array of Microsoft Token scope of access. Default value is `[.default]`.
+ *
+ * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+ *
+ * @returns Graph client with specified scopes.
+ *
+ * @beta
+ */
+function createMicrosoftGraphClient(credential, scopes) {
+    internalLogger.info("Create Microsoft Graph Client");
+    const authProvider = new MsGraphAuthProvider(credential, scopes);
+    const graphClient = Client.initWithMiddleware({
+        authProvider,
+    });
+    return graphClient;
 }
 
-// Copyright (c) Microsoft Corporation.
-/**
- * Get Microsoft graph client.
- *
- * @example
- * Get Microsoft graph client by TokenCredential
- * ```typescript
- * // Sso token example (Azure Function)
- * const ssoToken = "YOUR_TOKEN_STRING";
- * const options = {"AAD_APP_ID", "AAD_APP_SECRET"};
- * const credential = new OnBehalfOfAADUserCredential(ssoToken, options);
- * const graphClient = await createMicrosoftGraphClient(credential);
- * const profile = await graphClient.api("/me").get();
- *
- * // TeamsBotSsoPrompt example (Bot Application)
- * const requiredScopes = ["User.Read"];
- * const config: Configuration = {
- *    loginUrl: loginUrl,
- *    clientId: clientId,
- *    clientSecret: clientSecret,
- *    tenantId: tenantId
- * };
- * const prompt = new TeamsBotSsoPrompt(dialogId, {
- *    config: config
- *    scopes: '["User.Read"],
- * });
- * this.addDialog(prompt);
- *
- * const oboCredential = new OnBehalfOfAADUserCredential(
- *  getUserId(dialogContext),
- *  {
- *    clientId: "AAD_APP_ID",
- *    clientSecret: "AAD_APP_SECRET"
- *  });
- * try {
- *    const graphClient = await createMicrosoftGraphClient(credential);
- *    const profile = await graphClient.api("/me").get();
- * } catch (e) {
- *    dialogContext.beginDialog(dialogId);
- *    return Dialog.endOfTurn();
- * }
- * ```
- *
- * @param {TokenCredential} credential - token credential instance.
- * @param scopes - The array of Microsoft Token scope of access. Default value is `[.default]`.
- *
- * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
- *
- * @returns Graph client with specified scopes.
- *
- * @beta
- */
-function createMicrosoftGraphClient(credential, scopes) {
-    internalLogger.info("Create Microsoft Graph Client");
-    const authProvider = new MsGraphAuthProvider(credential, scopes);
-    const graphClient = microsoftGraphClient.Client.initWithMiddleware({
-        authProvider,
-    });
-    return graphClient;
-}
+// Copyright (c) Microsoft Corporation.
+/**
+ * SQL connection configuration instance.
+ * @remarks
+ * Only works in in server side.
+ *
+ * @beta
+ *
+ */
+class DefaultTediousConnectionConfiguration {
+    constructor() {
+        /**
+         * MSSQL default scope
+         * https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
+         */
+        this.defaultSQLScope = "https://database.windows.net/";
+    }
+    /**
+     * Generate connection configuration consumed by tedious.
+     *
+     * @returns Connection configuration of tedious for the SQL.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} when SQL config resource configuration is invalid.
+     * @throws {@link ErrorCode|InternalError} when get user MSI token failed or MSI token is invalid.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    async getConfig() {
+        internalLogger.info("Get SQL configuration");
+        const configuration = getResourceConfiguration(ResourceType.SQL);
+        if (!configuration) {
+            const errMsg = "SQL resource configuration not exist";
+            internalLogger.error(errMsg);
+            throw new ErrorWithCode(errMsg, ErrorCode.InvalidConfiguration);
+        }
+        try {
+            this.isSQLConfigurationValid(configuration);
+        }
+        catch (err) {
+            throw err;
+        }
+        if (!this.isMsiAuthentication()) {
+            const configWithUPS = this.generateDefaultConfig(configuration);
+            internalLogger.verbose("SQL configuration with username and password generated");
+            return configWithUPS;
+        }
+        try {
+            const configWithToken = await this.generateTokenConfig(configuration);
+            internalLogger.verbose("SQL configuration with MSI token generated");
+            return configWithToken;
+        }
+        catch (error) {
+            throw error;
+        }
+    }
+    /**
+     * Check SQL use MSI identity or username and password.
+     *
+     * @returns false - login with SQL MSI identity, true - login with username and password.
+     * @internal
+     */
+    isMsiAuthentication() {
+        internalLogger.verbose("Check connection config using MSI access token or username and password");
+        const configuration = getResourceConfiguration(ResourceType.SQL);
+        if ((configuration === null || configuration === void 0 ? void 0 : configuration.sqlUsername) != null && (configuration === null || configuration === void 0 ? void 0 : configuration.sqlPassword) != null) {
+            internalLogger.verbose("Login with username and password");
+            return false;
+        }
+        internalLogger.verbose("Login with MSI identity");
+        return true;
+    }
+    /**
+     * check configuration is an available configurations.
+     * @param { SqlConfiguration } sqlConfig
+     *
+     * @returns true - SQL configuration has a valid SQL endpoints, SQL username with password or identity ID.
+     *          false - configuration is not valid.
+     * @internal
+     */
+    isSQLConfigurationValid(sqlConfig) {
+        internalLogger.verbose("Check SQL configuration if valid");
+        if (!sqlConfig.sqlServerEndpoint) {
+            internalLogger.error("SQL configuration is not valid without SQL server endpoint exist");
+            throw new ErrorWithCode("SQL configuration error without SQL server endpoint exist", ErrorCode.InvalidConfiguration);
+        }
+        if (!(sqlConfig.sqlUsername && sqlConfig.sqlPassword) && !sqlConfig.sqlIdentityId) {
+            const errMsg = `SQL configuration is not valid without ${sqlConfig.sqlIdentityId ? "" : "identity id "} ${sqlConfig.sqlUsername ? "" : "SQL username "} ${sqlConfig.sqlPassword ? "" : "SQL password"} exist`;
+            internalLogger.error(errMsg);
+            throw new ErrorWithCode(errMsg, ErrorCode.InvalidConfiguration);
+        }
+        internalLogger.verbose("SQL configuration is valid");
+    }
+    /**
+     * Generate tedious connection configuration with default authentication type.
+     *
+     * @param { SqlConfiguration } SQL configuration with username and password.
+     *
+     * @returns Tedious connection configuration with username and password.
+     * @internal
+     */
+    generateDefaultConfig(sqlConfig) {
+        internalLogger.verbose(`SQL server ${sqlConfig.sqlServerEndpoint}, user name ${sqlConfig.sqlUsername}, database name ${sqlConfig.sqlDatabaseName}`);
+        const config = {
+            server: sqlConfig.sqlServerEndpoint,
+            authentication: {
+                type: TediousAuthenticationType.default,
+                options: {
+                    userName: sqlConfig.sqlUsername,
+                    password: sqlConfig.sqlPassword,
+                },
+            },
+            options: {
+                database: sqlConfig.sqlDatabaseName,
+                encrypt: true,
+            },
+        };
+        return config;
+    }
+    /**
+     * Generate tedious connection configuration with azure-active-directory-access-token authentication type.
+     *
+     * @param { SqlConfiguration } SQL configuration with AAD access token.
+     *
+     * @returns Tedious connection configuration with access token.
+     * @internal
+     */
+    async generateTokenConfig(sqlConfig) {
+        internalLogger.verbose("Generate tedious config with MSI token");
+        let token;
+        try {
+            const credential = new ManagedIdentityCredential(sqlConfig.sqlIdentityId);
+            token = await credential.getToken(this.defaultSQLScope);
+        }
+        catch (error) {
+            const errMsg = "Get user MSI token failed";
+            internalLogger.error(errMsg);
+            throw new ErrorWithCode(errMsg, ErrorCode.InternalError);
+        }
+        if (token) {
+            const config = {
+                server: sqlConfig.sqlServerEndpoint,
+                authentication: {
+                    type: TediousAuthenticationType.MSI,
+                    options: {
+                        token: token.token,
+                    },
+                },
+                options: {
+                    database: sqlConfig.sqlDatabaseName,
+                    encrypt: true,
+                },
+            };
+            internalLogger.verbose(`Generate token configuration success, server endpoint is ${sqlConfig.sqlServerEndpoint}, database name is ${sqlConfig.sqlDatabaseName}`);
+            return config;
+        }
+        internalLogger.error(`Generate token configuration, server endpoint is ${sqlConfig.sqlServerEndpoint}, MSI token is not valid`);
+        throw new ErrorWithCode("MSI token is not valid", ErrorCode.InternalError);
+    }
+}
+/**
+ * tedious connection config authentication type.
+ * https://tediousjs.github.io/tedious/api-connection.html
+ * @internal
+ */
+var TediousAuthenticationType;
+(function (TediousAuthenticationType) {
+    TediousAuthenticationType["default"] = "default";
+    TediousAuthenticationType["MSI"] = "azure-active-directory-access-token";
+})(TediousAuthenticationType || (TediousAuthenticationType = {}));
 
-// Copyright (c) Microsoft Corporation.
-/**
- * SQL connection configuration instance.
- * @remarks
- * Only works in in server side.
- *
- * @beta
- *
- */
-class DefaultTediousConnectionConfiguration {
-    constructor() {
-        /**
-         * MSSQL default scope
-         * https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
-         */
-        this.defaultSQLScope = "https://database.windows.net/";
-    }
-    /**
-     * Generate connection configuration consumed by tedious.
-     *
-     * @returns Connection configuration of tedious for the SQL.
-     *
-     * @throws {@link ErrorCode|InvalidConfiguration} when SQL config resource configuration is invalid.
-     * @throws {@link ErrorCode|InternalError} when get user MSI token failed or MSI token is invalid.
-     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
-     *
-     * @beta
-     */
-    getConfig() {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            internalLogger.info("Get SQL configuration");
-            const configuration = getResourceConfiguration(exports.ResourceType.SQL);
-            if (!configuration) {
-                const errMsg = "SQL resource configuration not exist";
-                internalLogger.error(errMsg);
-                throw new ErrorWithCode(errMsg, exports.ErrorCode.InvalidConfiguration);
-            }
-            try {
-                this.isSQLConfigurationValid(configuration);
-            }
-            catch (err) {
-                throw err;
-            }
-            if (!this.isMsiAuthentication()) {
-                const configWithUPS = this.generateDefaultConfig(configuration);
-                internalLogger.verbose("SQL configuration with username and password generated");
-                return configWithUPS;
-            }
-            try {
-                const configWithToken = yield this.generateTokenConfig(configuration);
-                internalLogger.verbose("SQL configuration with MSI token generated");
-                return configWithToken;
-            }
-            catch (error) {
-                throw error;
-            }
-        });
-    }
-    /**
-     * Check SQL use MSI identity or username and password.
-     *
-     * @returns false - login with SQL MSI identity, true - login with username and password.
-     * @internal
-     */
-    isMsiAuthentication() {
-        internalLogger.verbose("Check connection config using MSI access token or username and password");
-        const configuration = getResourceConfiguration(exports.ResourceType.SQL);
-        if ((configuration === null || configuration === void 0 ? void 0 : configuration.sqlUsername) != null && (configuration === null || configuration === void 0 ? void 0 : configuration.sqlPassword) != null) {
-            internalLogger.verbose("Login with username and password");
-            return false;
-        }
-        internalLogger.verbose("Login with MSI identity");
-        return true;
-    }
-    /**
-     * check configuration is an available configurations.
-     * @param { SqlConfiguration } sqlConfig
-     *
-     * @returns true - SQL configuration has a valid SQL endpoints, SQL username with password or identity ID.
-     *          false - configuration is not valid.
-     * @internal
-     */
-    isSQLConfigurationValid(sqlConfig) {
-        internalLogger.verbose("Check SQL configuration if valid");
-        if (!sqlConfig.sqlServerEndpoint) {
-            internalLogger.error("SQL configuration is not valid without SQL server endpoint exist");
-            throw new ErrorWithCode("SQL configuration error without SQL server endpoint exist", exports.ErrorCode.InvalidConfiguration);
-        }
-        if (!(sqlConfig.sqlUsername && sqlConfig.sqlPassword) && !sqlConfig.sqlIdentityId) {
-            const errMsg = `SQL configuration is not valid without ${sqlConfig.sqlIdentityId ? "" : "identity id "} ${sqlConfig.sqlUsername ? "" : "SQL username "} ${sqlConfig.sqlPassword ? "" : "SQL password"} exist`;
-            internalLogger.error(errMsg);
-            throw new ErrorWithCode(errMsg, exports.ErrorCode.InvalidConfiguration);
-        }
-        internalLogger.verbose("SQL configuration is valid");
-    }
-    /**
-     * Generate tedious connection configuration with default authentication type.
-     *
-     * @param { SqlConfiguration } SQL configuration with username and password.
-     *
-     * @returns Tedious connection configuration with username and password.
-     * @internal
-     */
-    generateDefaultConfig(sqlConfig) {
-        internalLogger.verbose(`SQL server ${sqlConfig.sqlServerEndpoint}, user name ${sqlConfig.sqlUsername}, database name ${sqlConfig.sqlDatabaseName}`);
-        const config = {
-            server: sqlConfig.sqlServerEndpoint,
-            authentication: {
-                type: TediousAuthenticationType.default,
-                options: {
-                    userName: sqlConfig.sqlUsername,
-                    password: sqlConfig.sqlPassword,
-                },
-            },
-            options: {
-                database: sqlConfig.sqlDatabaseName,
-                encrypt: true,
-            },
-        };
-        return config;
-    }
-    /**
-     * Generate tedious connection configuration with azure-active-directory-access-token authentication type.
-     *
-     * @param { SqlConfiguration } SQL configuration with AAD access token.
-     *
-     * @returns Tedious connection configuration with access token.
-     * @internal
-     */
-    generateTokenConfig(sqlConfig) {
-        return tslib.__awaiter(this, void 0, void 0, function* () {
-            internalLogger.verbose("Generate tedious config with MSI token");
-            let token;
-            try {
-                const credential = new identity.ManagedIdentityCredential(sqlConfig.sqlIdentityId);
-                token = yield credential.getToken(this.defaultSQLScope);
-            }
-            catch (error) {
-                const errMsg = "Get user MSI token failed";
-                internalLogger.error(errMsg);
-                throw new ErrorWithCode(errMsg, exports.ErrorCode.InternalError);
-            }
-            if (token) {
-                const config = {
-                    server: sqlConfig.sqlServerEndpoint,
-                    authentication: {
-                        type: TediousAuthenticationType.MSI,
-                        options: {
-                            token: token.token,
-                        },
-                    },
-                    options: {
-                        database: sqlConfig.sqlDatabaseName,
-                        encrypt: true,
-                    },
-                };
-                internalLogger.verbose(`Generate token configuration success, server endpoint is ${sqlConfig.sqlServerEndpoint}, database name is ${sqlConfig.sqlDatabaseName}`);
-                return config;
-            }
-            internalLogger.error(`Generate token configuration, server endpoint is ${sqlConfig.sqlServerEndpoint}, MSI token is not valid`);
-            throw new ErrorWithCode("MSI token is not valid", exports.ErrorCode.InternalError);
-        });
-    }
+// Copyright (c) Microsoft Corporation.
+const invokeResponseType = "invokeResponse";
+/**
+ * Response body returned for a token exchange invoke activity.
+ *
+ * @beta
+ */
+class TokenExchangeInvokeResponse {
+    constructor(id, failureDetail) {
+        this.id = id;
+        this.failureDetail = failureDetail;
+    }
+}
+/**
+ * Creates a new prompt that leverage Teams Single Sign On (SSO) support for bot to automatically sign in user and
+ * help receive oauth token, asks the user to consent if needed.
+ *
+ * @remarks
+ * The prompt will attempt to retrieve the users current token of the desired scopes and store it in
+ * the token store.
+ *
+ * User will be automatically signed in leveraging Teams support of Bot Single Sign On(SSO):
+ * https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots
+ *
+ * @example
+ * When used with your bots `DialogSet` you can simply add a new instance of the prompt as a named
+ * dialog using `DialogSet.add()`. You can then start the prompt from a waterfall step using either
+ * `DialogContext.beginDialog()` or `DialogContext.prompt()`. The user will be prompted to sign in as
+ * needed and their access token will be passed as an argument to the callers next waterfall step:
+ *
+ * ```JavaScript
+ * const { ConversationState, MemoryStorage } = require('botbuilder');
+ * const { DialogSet, WaterfallDialog } = require('botbuilder-dialogs');
+ * const { TeamsBotSsoPrompt } = require('@microsoft/teamsfx');
+ *
+ * const convoState = new ConversationState(new MemoryStorage());
+ * const dialogState = convoState.createProperty('dialogState');
+ * const dialogs = new DialogSet(dialogState);
+ *
+ * loadConfiguration();
+ * dialogs.add(new TeamsBotSsoPrompt('TeamsBotSsoPrompt', {
+ *    scopes: ["User.Read"],
+ * }));
+ *
+ * dialogs.add(new WaterfallDialog('taskNeedingLogin', [
+ *      async (step) => {
+ *          return await step.beginDialog('TeamsBotSsoPrompt');
+ *      },
+ *      async (step) => {
+ *          const token = step.result;
+ *          if (token) {
+ *
+ *              // ... continue with task needing access token ...
+ *
+ *          } else {
+ *              await step.context.sendActivity(`Sorry... We couldn't log you in. Try again later.`);
+ *              return await step.endDialog();
+ *          }
+ *      }
+ * ]));
+ * ```
+ *
+ * @beta
+ */
+class TeamsBotSsoPrompt extends Dialog {
+    /**
+     * Constructor of TeamsBotSsoPrompt.
+     *
+     * @param dialogId Unique ID of the dialog within its parent `DialogSet` or `ComponentDialog`.
+     * @param settings Settings used to configure the prompt.
+     *
+     * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    constructor(dialogId, settings) {
+        super(dialogId);
+        this.settings = settings;
+        validateScopesType(settings.scopes);
+        internalLogger.info("Create a new Teams Bot SSO Prompt");
+    }
+    /**
+     * Called when a prompt dialog is pushed onto the dialog stack and is being activated.
+     * @remarks
+     * If the task is successful, the result indicates whether the prompt is still
+     * active after the turn has been processed by the prompt.
+     *
+     * @param dc The DialogContext for the current turn of the conversation.
+     *
+     * @throws {@link ErrorCode|InvalidParameter} when timeout property in teams bot sso prompt settings is not number or is not positive.
+     * @throws {@link ErrorCode|ChannelNotSupported} when bot channel is not MS Teams.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @returns A `Promise` representing the asynchronous operation.
+     *
+     * @beta
+     */
+    async beginDialog(dc) {
+        var _a;
+        internalLogger.info("Begin Teams Bot SSO Prompt");
+        this.ensureMsTeamsChannel(dc);
+        // Initialize prompt state
+        const default_timeout = 900000;
+        let timeout = default_timeout;
+        if (this.settings.timeout) {
+            if (typeof this.settings.timeout != "number") {
+                const errorMsg = "type of timeout property in teamsBotSsoPromptSettings should be number.";
+                internalLogger.error(errorMsg);
+                throw new ErrorWithCode(errorMsg, ErrorCode.InvalidParameter);
+            }
+            if (this.settings.timeout <= 0) {
+                const errorMsg = "value of timeout property in teamsBotSsoPromptSettings should be positive.";
+                internalLogger.error(errorMsg);
+                throw new ErrorWithCode(errorMsg, ErrorCode.InvalidParameter);
+            }
+            timeout = this.settings.timeout;
+        }
+        if (this.settings.endOnInvalidMessage === undefined) {
+            this.settings.endOnInvalidMessage = true;
+        }
+        const state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
+        state.state = {};
+        state.options = {};
+        state.expires = new Date().getTime() + timeout;
+        // Send OAuth card to get SSO token
+        await this.sendOAuthCardAsync(dc.context);
+        return Dialog.EndOfTurn;
+    }
+    /**
+     * Called when a prompt dialog is the active dialog and the user replied with a new activity.
+     *
+     * @remarks
+     * If the task is successful, the result indicates whether the dialog is still
+     * active after the turn has been processed by the dialog.
+     * The prompt generally continues to receive the user's replies until it accepts the
+     * user's reply as valid input for the prompt.
+     *
+     * @param dc The DialogContext for the current turn of the conversation.
+     *
+     * @returns A `Promise` representing the asynchronous operation.
+     *
+     * @throws {@link ErrorCode|ChannelNotSupported} when bot channel is not MS Teams.
+     * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
+     *
+     * @beta
+     */
+    async continueDialog(dc) {
+        var _a;
+        internalLogger.info("Continue Teams Bot SSO Prompt");
+        this.ensureMsTeamsChannel(dc);
+        // Check for timeout
+        const state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
+        const isMessage = dc.context.activity.type === ActivityTypes.Message;
+        const isTimeoutActivityType = isMessage ||
+            this.isTeamsVerificationInvoke(dc.context) ||
+            this.isTokenExchangeRequestInvoke(dc.context);
+        // If the incoming Activity is a message, or an Activity Type normally handled by TeamsBotSsoPrompt,
+        // check to see if this TeamsBotSsoPrompt Expiration has elapsed, and end the dialog if so.
+        const hasTimedOut = isTimeoutActivityType && new Date().getTime() > state.expires;
+        if (hasTimedOut) {
+            internalLogger.warn("End Teams Bot SSO Prompt due to timeout");
+            return await dc.endDialog(undefined);
+        }
+        else {
+            if (this.isTeamsVerificationInvoke(dc.context) ||
+                this.isTokenExchangeRequestInvoke(dc.context)) {
+                // Recognize token
+                const recognized = await this.recognizeToken(dc);
+                if (recognized.succeeded) {
+                    return await dc.endDialog(recognized.value);
+                }
+            }
+            else if (isMessage && this.settings.endOnInvalidMessage) {
+                internalLogger.warn("End Teams Bot SSO Prompt due to invalid message");
+                return await dc.endDialog(undefined);
+            }
+            return Dialog.EndOfTurn;
+        }
+    }
+    /**
+     * Ensure bot is running in MS Teams since TeamsBotSsoPrompt is only supported in MS Teams channel.
+     * @param dc dialog context
+     * @throws {@link ErrorCode|ChannelNotSupported} if bot channel is not MS Teams
+     * @internal
+     */
+    ensureMsTeamsChannel(dc) {
+        if (dc.context.activity.channelId != Channels.Msteams) {
+            const errorMsg = formatString(ErrorMessage.OnlyMSTeamsChannelSupported, "Teams Bot SSO Prompt");
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, ErrorCode.ChannelNotSupported);
+        }
+    }
+    /**
+     * Send OAuthCard that tells Teams to obtain an authentication token for the bot application.
+     * For details see https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots.
+     *
+     * @internal
+     */
+    async sendOAuthCardAsync(context) {
+        internalLogger.verbose("Send OAuth card to get SSO token");
+        const account = await TeamsInfo.getMember(context, context.activity.from.id);
+        internalLogger.verbose("Get Teams member account user principal name: " + account.userPrincipalName);
+        const loginHint = account.userPrincipalName ? account.userPrincipalName : "";
+        const signInResource = this.getSignInResource(loginHint);
+        const card = CardFactory.oauthCard("", "Teams SSO Sign In", "Sign In", signInResource.signInLink, signInResource.tokenExchangeResource);
+        card.content.buttons[0].type = ActionTypes.Signin;
+        const msg = MessageFactory.attachment(card);
+        // Send prompt
+        await context.sendActivity(msg);
+    }
+    /**
+     * Get sign in resource.
+     *
+     * @throws {@link ErrorCode|InvalidConfiguration} if client id, tenant id or initiate login endpoint is not found in config.
+     *
+     * @internal
+     */
+    getSignInResource(loginHint) {
+        var _a, _b, _c, _d, _e;
+        internalLogger.verbose("Get sign in authentication configuration");
+        const missingConfigurations = [];
+        if (!((_a = config === null || config === void 0 ? void 0 : config.authentication) === null || _a === void 0 ? void 0 : _a.initiateLoginEndpoint)) {
+            missingConfigurations.push("initiateLoginEndpoint");
+        }
+        if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.clientId)) {
+            missingConfigurations.push("clientId");
+        }
+        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.tenantId)) {
+            missingConfigurations.push("tenantId");
+        }
+        if (!((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.applicationIdUri)) {
+            missingConfigurations.push("applicationIdUri");
+        }
+        if (missingConfigurations.length != 0) {
+            const errorMsg = formatString(ErrorMessage.InvalidConfiguration, missingConfigurations.join(", "), "undefined");
+            internalLogger.error(errorMsg);
+            throw new ErrorWithCode(errorMsg, ErrorCode.InvalidConfiguration);
+        }
+        const signInLink = `${config.authentication.initiateLoginEndpoint}?scope=${encodeURI(this.settings.scopes.join(" "))}&clientId=${config.authentication.clientId}&tenantId=${config.authentication.tenantId}&loginHint=${loginHint}`;
+        internalLogger.verbose("Sign in link: " + signInLink);
+        const tokenExchangeResource = {
+            id: v4(),
+            uri: ((_e = config.authentication) === null || _e === void 0 ? void 0 : _e.applicationIdUri.replace(/\/$/, "")) + "/access_as_user",
+        };
+        internalLogger.verbose("Token exchange resource uri: " + tokenExchangeResource.uri);
+        return {
+            signInLink: signInLink,
+            tokenExchangeResource: tokenExchangeResource,
+        };
+    }
+    /**
+     * @internal
+     */
+    async recognizeToken(dc) {
+        const context = dc.context;
+        let tokenResponse;
+        if (this.isTokenExchangeRequestInvoke(context)) {
+            internalLogger.verbose("Receive token exchange request");
+            // Received activity is not a token exchange request
+            if (!(context.activity.value && this.isTokenExchangeRequest(context.activity.value))) {
+                const warningMsg = "The bot received an InvokeActivity that is missing a TokenExchangeInvokeRequest value. This is required to be sent with the InvokeActivity.";
+                internalLogger.warn(warningMsg);
+                await context.sendActivity(this.getTokenExchangeInvokeResponse(StatusCodes.BAD_REQUEST, warningMsg));
+            }
+            else {
+                const ssoToken = context.activity.value.token;
+                const credential = new OnBehalfOfUserCredential(ssoToken);
+                let exchangedToken;
+                try {
+                    exchangedToken = await credential.getToken(this.settings.scopes);
+                    if (exchangedToken) {
+                        await context.sendActivity(this.getTokenExchangeInvokeResponse(StatusCodes.OK, "", context.activity.value.id));
+                        const ssoTokenExpiration = parseJwt(ssoToken).exp;
+                        tokenResponse = {
+                            ssoToken: ssoToken,
+                            ssoTokenExpiration: new Date(ssoTokenExpiration * 1000).toISOString(),
+                            connectionName: "",
+                            token: exchangedToken.token,
+                            expiration: exchangedToken.expiresOnTimestamp.toString(),
+                        };
+                    }
+                }
+                catch (error) {
+                    const warningMsg = "The bot is unable to exchange token. Ask for user consent.";
+                    internalLogger.info(warningMsg);
+                    await context.sendActivity(this.getTokenExchangeInvokeResponse(StatusCodes.PRECONDITION_FAILED, warningMsg, context.activity.value.id));
+                }
+            }
+        }
+        else if (this.isTeamsVerificationInvoke(context)) {
+            internalLogger.verbose("Receive Teams state verification request");
+            await this.sendOAuthCardAsync(dc.context);
+            await context.sendActivity({ type: invokeResponseType, value: { status: StatusCodes.OK } });
+        }
+        return tokenResponse !== undefined
+            ? { succeeded: true, value: tokenResponse }
+            : { succeeded: false };
+    }
+    /**
+     * @internal
+     */
+    getTokenExchangeInvokeResponse(status, failureDetail, id) {
+        const invokeResponse = {
+            type: invokeResponseType,
+            value: { status, body: new TokenExchangeInvokeResponse(id, failureDetail) },
+        };
+        return invokeResponse;
+    }
+    /**
+     * @internal
+     */
+    isTeamsVerificationInvoke(context) {
+        const activity = context.activity;
+        return activity.type === ActivityTypes.Invoke && activity.name === verifyStateOperationName;
+    }
+    /**
+     * @internal
+     */
+    isTokenExchangeRequestInvoke(context) {
+        const activity = context.activity;
+        return activity.type === ActivityTypes.Invoke && activity.name === tokenExchangeOperationName;
+    }
+    /**
+     * @internal
+     */
+    isTokenExchangeRequest(obj) {
+        return obj.hasOwnProperty("token");
+    }
 }
-/**
- * tedious connection config authentication type.
- * https://tediousjs.github.io/tedious/api-connection.html
- * @internal
- */
-var TediousAuthenticationType;
-(function (TediousAuthenticationType) {
-    TediousAuthenticationType["default"] = "default";
-    TediousAuthenticationType["MSI"] = "azure-active-directory-access-token";
-})(TediousAuthenticationType || (TediousAuthenticationType = {}));
 
-exports.DefaultTediousConnectionConfiguration = DefaultTediousConnectionConfiguration;
-exports.ErrorWithCode = ErrorWithCode;
-exports.M365TenantCredential = M365TenantCredential;
-exports.MsGraphAuthProvider = MsGraphAuthProvider;
-exports.OnBehalfOfUserCredential = OnBehalfOfUserCredential;
-exports.TeamsBotSsoPrompt = TeamsBotSsoPrompt;
-exports.TeamsUserCredential = TeamsUserCredential;
-exports.createMicrosoftGraphClient = createMicrosoftGraphClient;
-exports.getAuthenticationConfiguration = getAuthenticationConfiguration;
-exports.getLogLevel = getLogLevel;
-exports.getResourceConfiguration = getResourceConfiguration;
-exports.loadConfiguration = loadConfiguration;
-exports.setLogFunction = setLogFunction;
-exports.setLogLevel = setLogLevel;
-exports.setLogger = setLogger;
-//# sourceMappingURL=index.js.map
+export { DefaultTediousConnectionConfiguration, ErrorCode, ErrorWithCode, LogLevel, M365TenantCredential, MsGraphAuthProvider, OnBehalfOfUserCredential, ResourceType, TeamsBotSsoPrompt, TeamsUserCredential, createMicrosoftGraphClient, getAuthenticationConfiguration, getLogLevel, getResourceConfiguration, loadConfiguration, setLogFunction, setLogLevel, setLogger };
+//# sourceMappingURL=index.esm2017.mjs.map