@microsoft/vscode-azext-azureauth 4.0.3 → 4.1.1

package/out/src/AzureDevOpsSubscriptionProvider.js

@@ -1,257 +1,257 @@
-"use strict";
-/*---------------------------------------------------------------------------------------------
- *  Copyright (c) Microsoft Corporation. All rights reserved.
- *  Licensed under the MIT License. See License.txt in the project root for license information.
- *--------------------------------------------------------------------------------------------*/
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __asyncValues = (this && this.__asyncValues) || function (o) {
-    if (!Symbol.asyncIterator) throw new TypeError("Symbol.asyncIterator is not defined.");
-    var m = o[Symbol.asyncIterator], i;
-    return m ? m.call(o) : (o = typeof __values === "function" ? __values(o) : o[Symbol.iterator](), i = {}, verb("next"), verb("throw"), verb("return"), i[Symbol.asyncIterator] = function () { return this; }, i);
-    function verb(n) { i[n] = o[n] && function (v) { return new Promise(function (resolve, reject) { v = o[n](v), settle(resolve, reject, v.done, v.value); }); }; }
-    function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AzureDevOpsSubscriptionProvider = exports.createAzureDevOpsSubscriptionProviderFactory = void 0;
-const vscode_1 = require("vscode");
-const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
-let azureDevOpsSubscriptionProvider;
-function createAzureDevOpsSubscriptionProviderFactory(initializer) {
-    return () => __awaiter(this, void 0, void 0, function* () {
-        azureDevOpsSubscriptionProvider !== null && azureDevOpsSubscriptionProvider !== void 0 ? azureDevOpsSubscriptionProvider : (azureDevOpsSubscriptionProvider = new AzureDevOpsSubscriptionProvider(initializer));
-        return azureDevOpsSubscriptionProvider;
-    });
-}
-exports.createAzureDevOpsSubscriptionProviderFactory = createAzureDevOpsSubscriptionProviderFactory;
-/**
- * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
- * To learn how to configure your DevOps environment to use this provider, refer to the README.md
- * NOTE: This provider is only available when running in an Azure DevOps pipeline
- * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
- */
-class AzureDevOpsSubscriptionProvider {
-    constructor({ serviceConnectionId, domain, clientId }) {
-        this.onDidSignIn = () => { return new vscode_1.Disposable(() => { }); };
-        this.onDidSignOut = () => { return new vscode_1.Disposable(() => { }); };
-        if (!serviceConnectionId || !domain || !clientId) {
-            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
-                Values provided:\n
-                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
-                domain: ${domain ? "✅" : "❌"}\n
-                clientId: ${clientId ? "✅" : "❌"}\n
-            `);
-        }
-        this._SERVICE_CONNECTION_ID = serviceConnectionId;
-        this._DOMAIN = domain;
-        this._CLIENT_ID = clientId;
-    }
-    getSubscriptions(_filter) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // ignore the filter setting because not every consumer of this provider will use the Resources extension
-            const results = [];
-            for (const tenant of yield this.getTenants()) {
-                // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-                const tenantId = tenant.tenantId;
-                results.push(...yield this.getSubscriptionsForTenant(tenantId));
-            }
-            const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
-            return sortSubscriptions(results);
-        });
-    }
-    isSignedIn() {
-        return __awaiter(this, void 0, void 0, function* () {
-            return !!this._tokenCredential;
-        });
-    }
-    signIn() {
-        return __awaiter(this, void 0, void 0, function* () {
-            this._tokenCredential = yield getTokenCredential(this._SERVICE_CONNECTION_ID, this._DOMAIN, this._CLIENT_ID);
-            return !!this._tokenCredential;
-        });
-    }
-    signOut() {
-        return __awaiter(this, void 0, void 0, function* () {
-            this._tokenCredential = undefined;
-        });
-    }
-    getTenants() {
-        var _a;
-        return __awaiter(this, void 0, void 0, function* () {
-            return [{
-                    tenantId: (_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.tenantId,
-                    account: {
-                        id: "test-account-id",
-                        label: "test-account",
-                    }
-                }];
-        });
-    }
-    /**
-     * Gets the subscriptions for a given tenant.
-     *
-     * @param tenantId The tenant ID to get subscriptions for.
-     *
-     * @returns The list of subscriptions for the tenant.
-     */
-    getSubscriptionsForTenant(tenantId) {
-        var _a, e_1, _b, _c;
-        return __awaiter(this, void 0, void 0, function* () {
-            const { client, credential, authentication } = yield this.getSubscriptionClient(tenantId);
-            const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
-            const subscriptions = [];
-            try {
-                for (var _d = true, _e = __asyncValues(client.subscriptions.list()), _f; _f = yield _e.next(), _a = _f.done, !_a;) {
-                    _c = _f.value;
-                    _d = false;
-                    try {
-                        const subscription = _c;
-                        subscriptions.push({
-                            authentication,
-                            environment: environment,
-                            credential: credential,
-                            isCustomCloud: environment.isCustomCloud,
-                            /* eslint-disable @typescript-eslint/no-non-null-assertion */
-                            name: subscription.displayName,
-                            subscriptionId: subscription.subscriptionId,
-                            /* eslint-enable @typescript-eslint/no-non-null-assertion */
-                            tenantId,
-                            account: {
-                                id: "test-account-id",
-                                label: "test-account",
-                            },
-                        });
-                    }
-                    finally {
-                        _d = true;
-                    }
-                }
-            }
-            catch (e_1_1) { e_1 = { error: e_1_1 }; }
-            finally {
-                try {
-                    if (!_d && !_a && (_b = _e.return)) yield _b.call(_e);
-                }
-                finally { if (e_1) throw e_1.error; }
-            }
-            return subscriptions;
-        });
-    }
-    /**
-     * Gets a fully-configured subscription client for a given tenant ID
-     *
-     * @param tenantId (Optional) The tenant ID to get a client for
-     *
-     * @returns A client, the credential used by the client, and the authentication function
-     */
-    getSubscriptionClient(_tenantId, scopes) {
-        var _a, _b;
-        return __awaiter(this, void 0, void 0, function* () {
-            const armSubs = yield Promise.resolve().then(() => require('@azure/arm-resources-subscriptions'));
-            if (!this._tokenCredential) {
-                throw new Error('Not signed in');
-            }
-            const accessToken = ((_b = (yield ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.getToken("https://management.azure.com/.default")))) === null || _b === void 0 ? void 0 : _b.token) || '';
-            const getSession = () => {
-                var _a, _b, _c, _d;
-                return {
-                    accessToken,
-                    id: ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.tenantId) || '',
-                    account: {
-                        id: ((_b = this._tokenCredential) === null || _b === void 0 ? void 0 : _b.tenantId) || '',
-                        label: ((_c = this._tokenCredential) === null || _c === void 0 ? void 0 : _c.tenantId) || '',
-                    },
-                    tenantId: ((_d = this._tokenCredential) === null || _d === void 0 ? void 0 : _d.tenantId) || '',
-                    scopes: scopes || [],
-                };
-            };
-            return {
-                client: new armSubs.SubscriptionClient(this._tokenCredential),
-                credential: this._tokenCredential,
-                authentication: {
-                    getSession,
-                    getSessionWithScopes: getSession,
-                }
-            };
-        });
-    }
-}
-exports.AzureDevOpsSubscriptionProvider = AzureDevOpsSubscriptionProvider;
-/*
-* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
-*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
-* @param domain The `Tenant ID` field of the service connection properties
-* @param clientId The `Service Principal Id` field of the service connection properties
-*/
-function getTokenCredential(serviceConnectionId, domain, clientId) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (!process.env.AGENT_BUILDDIRECTORY) {
-            // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
-            // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
-            throw new Error(`Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.`);
-        }
-        else {
-            console.log(`Creating DevOps federated service connection credential for service connection..`);
-            // Pre-defined DevOps variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops
-            const systemAccessToken = process.env.SYSTEM_ACCESSTOKEN;
-            const teamFoundationCollectionUri = process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI;
-            const teamProjectId = process.env.SYSTEM_TEAMPROJECTID;
-            const planId = process.env.SYSTEM_PLANID;
-            const jobId = process.env.SYSTEM_JOBID;
-            if (!systemAccessToken || !teamFoundationCollectionUri || !teamProjectId || !planId || !jobId) {
-                throw new Error(`Azure DevOps environment variables are not set.\n
-            process.env.SYSTEM_ACCESSTOKEN: ${process.env.SYSTEM_ACCESSTOKEN ? "✅" : "❌"}\n
-            process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: ${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI ? "✅" : "❌"}\n
-            process.env.SYSTEM_TEAMPROJECTID: ${process.env.SYSTEM_TEAMPROJECTID ? "✅" : "❌"}\n
-            process.env.SYSTEM_PLANID: ${process.env.SYSTEM_PLANID ? "✅" : "❌"}\n
-            process.env.SYSTEM_JOBID: ${process.env.SYSTEM_JOBID ? "✅" : "❌"}\n
-            REMEMBER: process.env.SYSTEM_ACCESSTOKEN must be explicitly mapped!\n
-            https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
-        `);
-            }
-            const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`;
-            const { ClientAssertionCredential } = yield Promise.resolve().then(() => require("@azure/identity"));
-            return new ClientAssertionCredential(domain, clientId, () => __awaiter(this, void 0, void 0, function* () { return yield requestOidcToken(oidcRequestUrl, systemAccessToken); }));
-        }
-    });
-}
-/**
- * API reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
- */
-function requestOidcToken(oidcRequestUrl, systemAccessToken) {
-    var _a;
-    return __awaiter(this, void 0, void 0, function* () {
-        const { ServiceClient } = yield Promise.resolve().then(() => require('@azure/core-client'));
-        const { createHttpHeaders, createPipelineRequest } = yield Promise.resolve().then(() => require('@azure/core-rest-pipeline'));
-        const genericClient = new ServiceClient();
-        const request = createPipelineRequest({
-            url: oidcRequestUrl,
-            method: "POST",
-            headers: createHttpHeaders({
-                "Content-Type": "application/json",
-                "Authorization": `Bearer ${systemAccessToken}`
-            })
-        });
-        const response = yield genericClient.sendRequest(request);
-        const body = ((_a = response.bodyAsText) === null || _a === void 0 ? void 0 : _a.toString()) || "";
-        if (response.status !== 200) {
-            throw new Error(`Failed to get OIDC token:\n
-            Response status: ${response.status}\n
-            Response body: ${body}\n
-            Response headers: ${JSON.stringify(response.headers.toJSON())}
-        `);
-        }
-        else {
-            console.log(`Successfully got OIDC token with status ${response.status}`);
-        }
-        return JSON.parse(body).oidcToken;
-    });
-}
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __asyncValues = (this && this.__asyncValues) || function (o) {
+    if (!Symbol.asyncIterator) throw new TypeError("Symbol.asyncIterator is not defined.");
+    var m = o[Symbol.asyncIterator], i;
+    return m ? m.call(o) : (o = typeof __values === "function" ? __values(o) : o[Symbol.iterator](), i = {}, verb("next"), verb("throw"), verb("return"), i[Symbol.asyncIterator] = function () { return this; }, i);
+    function verb(n) { i[n] = o[n] && function (v) { return new Promise(function (resolve, reject) { v = o[n](v), settle(resolve, reject, v.done, v.value); }); }; }
+    function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureDevOpsSubscriptionProvider = exports.createAzureDevOpsSubscriptionProviderFactory = void 0;
+const vscode_1 = require("vscode");
+const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
+let azureDevOpsSubscriptionProvider;
+function createAzureDevOpsSubscriptionProviderFactory(initializer) {
+    return () => __awaiter(this, void 0, void 0, function* () {
+        azureDevOpsSubscriptionProvider !== null && azureDevOpsSubscriptionProvider !== void 0 ? azureDevOpsSubscriptionProvider : (azureDevOpsSubscriptionProvider = new AzureDevOpsSubscriptionProvider(initializer));
+        return azureDevOpsSubscriptionProvider;
+    });
+}
+exports.createAzureDevOpsSubscriptionProviderFactory = createAzureDevOpsSubscriptionProviderFactory;
+/**
+ * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
+ * To learn how to configure your DevOps environment to use this provider, refer to the README.md
+ * NOTE: This provider is only available when running in an Azure DevOps pipeline
+ * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
+ */
+class AzureDevOpsSubscriptionProvider {
+    constructor({ serviceConnectionId, domain, clientId }) {
+        this.onDidSignIn = () => { return new vscode_1.Disposable(() => { }); };
+        this.onDidSignOut = () => { return new vscode_1.Disposable(() => { }); };
+        if (!serviceConnectionId || !domain || !clientId) {
+            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
+                Values provided:\n
+                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
+                domain: ${domain ? "✅" : "❌"}\n
+                clientId: ${clientId ? "✅" : "❌"}\n
+            `);
+        }
+        this._SERVICE_CONNECTION_ID = serviceConnectionId;
+        this._DOMAIN = domain;
+        this._CLIENT_ID = clientId;
+    }
+    getSubscriptions(_filter) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // ignore the filter setting because not every consumer of this provider will use the Resources extension
+            const results = [];
+            for (const tenant of yield this.getTenants()) {
+                // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+                const tenantId = tenant.tenantId;
+                results.push(...yield this.getSubscriptionsForTenant(tenantId));
+            }
+            const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
+            return sortSubscriptions(results);
+        });
+    }
+    isSignedIn() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return !!this._tokenCredential;
+        });
+    }
+    signIn() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this._tokenCredential = yield getTokenCredential(this._SERVICE_CONNECTION_ID, this._DOMAIN, this._CLIENT_ID);
+            return !!this._tokenCredential;
+        });
+    }
+    signOut() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this._tokenCredential = undefined;
+        });
+    }
+    getTenants() {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            return [{
+                    tenantId: (_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.tenantId,
+                    account: {
+                        id: "test-account-id",
+                        label: "test-account",
+                    }
+                }];
+        });
+    }
+    /**
+     * Gets the subscriptions for a given tenant.
+     *
+     * @param tenantId The tenant ID to get subscriptions for.
+     *
+     * @returns The list of subscriptions for the tenant.
+     */
+    getSubscriptionsForTenant(tenantId) {
+        var _a, e_1, _b, _c;
+        return __awaiter(this, void 0, void 0, function* () {
+            const { client, credential, authentication } = yield this.getSubscriptionClient(tenantId);
+            const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
+            const subscriptions = [];
+            try {
+                for (var _d = true, _e = __asyncValues(client.subscriptions.list()), _f; _f = yield _e.next(), _a = _f.done, !_a;) {
+                    _c = _f.value;
+                    _d = false;
+                    try {
+                        const subscription = _c;
+                        subscriptions.push({
+                            authentication,
+                            environment: environment,
+                            credential: credential,
+                            isCustomCloud: environment.isCustomCloud,
+                            /* eslint-disable @typescript-eslint/no-non-null-assertion */
+                            name: subscription.displayName,
+                            subscriptionId: subscription.subscriptionId,
+                            /* eslint-enable @typescript-eslint/no-non-null-assertion */
+                            tenantId,
+                            account: {
+                                id: "test-account-id",
+                                label: "test-account",
+                            },
+                        });
+                    }
+                    finally {
+                        _d = true;
+                    }
+                }
+            }
+            catch (e_1_1) { e_1 = { error: e_1_1 }; }
+            finally {
+                try {
+                    if (!_d && !_a && (_b = _e.return)) yield _b.call(_e);
+                }
+                finally { if (e_1) throw e_1.error; }
+            }
+            return subscriptions;
+        });
+    }
+    /**
+     * Gets a fully-configured subscription client for a given tenant ID
+     *
+     * @param tenantId (Optional) The tenant ID to get a client for
+     *
+     * @returns A client, the credential used by the client, and the authentication function
+     */
+    getSubscriptionClient(_tenantId, scopes) {
+        var _a, _b;
+        return __awaiter(this, void 0, void 0, function* () {
+            const armSubs = yield Promise.resolve().then(() => require('@azure/arm-resources-subscriptions'));
+            if (!this._tokenCredential) {
+                throw new Error('Not signed in');
+            }
+            const accessToken = ((_b = (yield ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.getToken("https://management.azure.com/.default")))) === null || _b === void 0 ? void 0 : _b.token) || '';
+            const getSession = () => {
+                var _a, _b, _c, _d;
+                return {
+                    accessToken,
+                    id: ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.tenantId) || '',
+                    account: {
+                        id: ((_b = this._tokenCredential) === null || _b === void 0 ? void 0 : _b.tenantId) || '',
+                        label: ((_c = this._tokenCredential) === null || _c === void 0 ? void 0 : _c.tenantId) || '',
+                    },
+                    tenantId: ((_d = this._tokenCredential) === null || _d === void 0 ? void 0 : _d.tenantId) || '',
+                    scopes: scopes || [],
+                };
+            };
+            return {
+                client: new armSubs.SubscriptionClient(this._tokenCredential),
+                credential: this._tokenCredential,
+                authentication: {
+                    getSession,
+                    getSessionWithScopes: getSession,
+                }
+            };
+        });
+    }
+}
+exports.AzureDevOpsSubscriptionProvider = AzureDevOpsSubscriptionProvider;
+/*
+* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
+*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
+* @param domain The `Tenant ID` field of the service connection properties
+* @param clientId The `Service Principal Id` field of the service connection properties
+*/
+function getTokenCredential(serviceConnectionId, domain, clientId) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (!process.env.AGENT_BUILDDIRECTORY) {
+            // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
+            // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
+            throw new Error(`Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.`);
+        }
+        else {
+            console.log(`Creating DevOps federated service connection credential for service connection..`);
+            // Pre-defined DevOps variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops
+            const systemAccessToken = process.env.SYSTEM_ACCESSTOKEN;
+            const teamFoundationCollectionUri = process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI;
+            const teamProjectId = process.env.SYSTEM_TEAMPROJECTID;
+            const planId = process.env.SYSTEM_PLANID;
+            const jobId = process.env.SYSTEM_JOBID;
+            if (!systemAccessToken || !teamFoundationCollectionUri || !teamProjectId || !planId || !jobId) {
+                throw new Error(`Azure DevOps environment variables are not set.\n
+            process.env.SYSTEM_ACCESSTOKEN: ${process.env.SYSTEM_ACCESSTOKEN ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: ${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMPROJECTID: ${process.env.SYSTEM_TEAMPROJECTID ? "✅" : "❌"}\n
+            process.env.SYSTEM_PLANID: ${process.env.SYSTEM_PLANID ? "✅" : "❌"}\n
+            process.env.SYSTEM_JOBID: ${process.env.SYSTEM_JOBID ? "✅" : "❌"}\n
+            REMEMBER: process.env.SYSTEM_ACCESSTOKEN must be explicitly mapped!\n
+            https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
+        `);
+            }
+            const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`;
+            const { ClientAssertionCredential } = yield Promise.resolve().then(() => require("@azure/identity"));
+            return new ClientAssertionCredential(domain, clientId, () => __awaiter(this, void 0, void 0, function* () { return yield requestOidcToken(oidcRequestUrl, systemAccessToken); }));
+        }
+    });
+}
+/**
+ * API reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
+ */
+function requestOidcToken(oidcRequestUrl, systemAccessToken) {
+    var _a;
+    return __awaiter(this, void 0, void 0, function* () {
+        const { ServiceClient } = yield Promise.resolve().then(() => require('@azure/core-client'));
+        const { createHttpHeaders, createPipelineRequest } = yield Promise.resolve().then(() => require('@azure/core-rest-pipeline'));
+        const genericClient = new ServiceClient();
+        const request = createPipelineRequest({
+            url: oidcRequestUrl,
+            method: "POST",
+            headers: createHttpHeaders({
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${systemAccessToken}`
+            })
+        });
+        const response = yield genericClient.sendRequest(request);
+        const body = ((_a = response.bodyAsText) === null || _a === void 0 ? void 0 : _a.toString()) || "";
+        if (response.status !== 200) {
+            throw new Error(`Failed to get OIDC token:\n
+            Response status: ${response.status}\n
+            Response body: ${body}\n
+            Response headers: ${JSON.stringify(response.headers.toJSON())}
+        `);
+        }
+        else {
+            console.log(`Successfully got OIDC token with status ${response.status}`);
+        }
+        return JSON.parse(body).oidcToken;
+    });
+}
 //# sourceMappingURL=AzureDevOpsSubscriptionProvider.js.map

package/out/src/AzureSubscription.d.ts

@@ -1,49 +1,49 @@
-import type { TokenCredential } from '@azure/core-auth';
-import type { Environment } from '@azure/ms-rest-azure-env';
-import * as vscode from "vscode";
-import { AzureAuthentication } from './AzureAuthentication';
-/**
- * A type representing an Azure subscription ID, not including the tenant ID.
- */
-export type SubscriptionId = string;
-/**
- * A type representing an Azure tenant ID.
- */
-export type TenantId = string;
-/**
- * Represents an Azure subscription.
- */
-export interface AzureSubscription {
-    /**
-     * Access to the authentication session associated with this subscription.
-     */
-    readonly authentication: AzureAuthentication;
-    /**
-     * The Azure environment to which this subscription belongs.
-     */
-    readonly environment: Environment;
-    /**
-     * Whether this subscription belongs to a custom cloud.
-     */
-    readonly isCustomCloud: boolean;
-    /**
-     * The display name of this subscription.
-     */
-    readonly name: string;
-    /**
-     * The ID of this subscription.
-     */
-    readonly subscriptionId: SubscriptionId;
-    /**
-     * The ID of the tenant to which this subscription belongs.
-     */
-    readonly tenantId: TenantId;
-    /**
-     * The credential for authentication to this subscription. Compatible with Azure track 2 SDKs.
-     */
-    readonly credential: TokenCredential;
-    /**
-     * The account associated with this subscription.
-     */
-    readonly account: vscode.AuthenticationSessionAccountInformation;
-}
+import type { TokenCredential } from '@azure/core-auth';
+import type { Environment } from '@azure/ms-rest-azure-env';
+import * as vscode from "vscode";
+import { AzureAuthentication } from './AzureAuthentication';
+/**
+ * A type representing an Azure subscription ID, not including the tenant ID.
+ */
+export type SubscriptionId = string;
+/**
+ * A type representing an Azure tenant ID.
+ */
+export type TenantId = string;
+/**
+ * Represents an Azure subscription.
+ */
+export interface AzureSubscription {
+    /**
+     * Access to the authentication session associated with this subscription.
+     */
+    readonly authentication: AzureAuthentication;
+    /**
+     * The Azure environment to which this subscription belongs.
+     */
+    readonly environment: Environment;
+    /**
+     * Whether this subscription belongs to a custom cloud.
+     */
+    readonly isCustomCloud: boolean;
+    /**
+     * The display name of this subscription.
+     */
+    readonly name: string;
+    /**
+     * The ID of this subscription.
+     */
+    readonly subscriptionId: SubscriptionId;
+    /**
+     * The ID of the tenant to which this subscription belongs.
+     */
+    readonly tenantId: TenantId;
+    /**
+     * The credential for authentication to this subscription. Compatible with Azure track 2 SDKs.
+     */
+    readonly credential: TokenCredential;
+    /**
+     * The account associated with this subscription.
+     */
+    readonly account: vscode.AuthenticationSessionAccountInformation;
+}

package/out/src/AzureSubscription.js

@@ -1,7 +1,7 @@
-"use strict";
-/*---------------------------------------------------------------------------------------------
- *  Copyright (c) Microsoft Corporation. All rights reserved.
- *  Licensed under the MIT License. See License.txt in the project root for license information.
- *--------------------------------------------------------------------------------------------*/
-Object.defineProperty(exports, "__esModule", { value: true });
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
 //# sourceMappingURL=AzureSubscription.js.map