@microsoft/vscode-azext-azureauth 4.2.2 → 5.1.0

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Change Log
 
+## 5.1.0 - 2025-10-27
+
+* [#2102](https://github.com/microsoft/vscode-azuretools/pull/2102) Fixes an issue causing infinite event loops especially in https://vscode.dev/azure
+* [#2110](https://github.com/microsoft/vscode-azuretools/pull/2110) `vscode.authentication.onDidChangeSessions()` is no longer subscribed to unless the caller calls `AzureSubscriptionProvider.onDidSignIn()` or `AzureSubscriptionProvider.onDidSignOut()`.
+
+## 5.0.0 - 2025-10-07
+
+* [#2092](https://github.com/microsoft/vscode-azuretools/pull/2092) Converts from CJS only to CJS+ESM
+* Adopts finalized auth challenges API
+
 ## 4.2.2 - 2025-09-10
 
 * [#2073](https://github.com/microsoft/vscode-azuretools/pull/2073) Changes to adjust to proposed API changes

package/dist/cjs/src/AzureDevOpsSubscriptionProvider.js

@@ -0,0 +1,215 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureDevOpsSubscriptionProvider = void 0;
+exports.createAzureDevOpsSubscriptionProviderFactory = createAzureDevOpsSubscriptionProviderFactory;
+const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
+let azureDevOpsSubscriptionProvider;
+function createAzureDevOpsSubscriptionProviderFactory(initializer) {
+    return async () => {
+        azureDevOpsSubscriptionProvider ??= new AzureDevOpsSubscriptionProvider(initializer);
+        return azureDevOpsSubscriptionProvider;
+    };
+}
+/**
+ * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
+ * To learn how to configure your DevOps environment to use this provider, refer to the README.md
+ * NOTE: This provider is only available when running in an Azure DevOps pipeline
+ * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
+ */
+class AzureDevOpsSubscriptionProvider {
+    _tokenCredential;
+    /**
+    * The resource ID of the Azure DevOps federated service connection,
+    *   which can be found on the `resourceId` field of the URL at the address bar
+    *   when viewing the service connection in the Azure DevOps portal
+    */
+    _SERVICE_CONNECTION_ID;
+    /**
+    * The `Tenant ID` field of the service connection properties
+    */
+    _DOMAIN;
+    /**
+    * The `Service Principal Id` field of the service connection properties
+    */
+    _CLIENT_ID;
+    constructor({ serviceConnectionId, domain, clientId }) {
+        if (!serviceConnectionId || !domain || !clientId) {
+            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
+                Values provided:\n
+                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
+                domain: ${domain ? "✅" : "❌"}\n
+                clientId: ${clientId ? "✅" : "❌"}\n
+            `);
+        }
+        this._SERVICE_CONNECTION_ID = serviceConnectionId;
+        this._DOMAIN = domain;
+        this._CLIENT_ID = clientId;
+    }
+    async getSubscriptions(_filter) {
+        // ignore the filter setting because not every consumer of this provider will use the Resources extension
+        const results = [];
+        for (const tenant of await this.getTenants()) {
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            const tenantId = tenant.tenantId;
+            results.push(...await this.getSubscriptionsForTenant(tenantId));
+        }
+        const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
+        return sortSubscriptions(results);
+    }
+    async isSignedIn() {
+        return !!this._tokenCredential;
+    }
+    async signIn() {
+        this._tokenCredential = await getTokenCredential(this._SERVICE_CONNECTION_ID, this._DOMAIN, this._CLIENT_ID);
+        return !!this._tokenCredential;
+    }
+    async signOut() {
+        this._tokenCredential = undefined;
+    }
+    async getTenants() {
+        return [{
+                tenantId: this._tokenCredential?.tenantId,
+                account: {
+                    id: "test-account-id",
+                    label: "test-account",
+                }
+            }];
+    }
+    /**
+     * Gets the subscriptions for a given tenant.
+     *
+     * @param tenantId The tenant ID to get subscriptions for.
+     *
+     * @returns The list of subscriptions for the tenant.
+     */
+    async getSubscriptionsForTenant(tenantId) {
+        const { client, credential, authentication } = await this.getSubscriptionClient(tenantId);
+        const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
+        const subscriptions = [];
+        for await (const subscription of client.subscriptions.list()) {
+            subscriptions.push({
+                authentication,
+                environment: environment,
+                credential: credential,
+                isCustomCloud: environment.isCustomCloud,
+                /* eslint-disable @typescript-eslint/no-non-null-assertion */
+                name: subscription.displayName,
+                subscriptionId: subscription.subscriptionId,
+                /* eslint-enable @typescript-eslint/no-non-null-assertion */
+                tenantId,
+                account: {
+                    id: "test-account-id",
+                    label: "test-account",
+                },
+            });
+        }
+        return subscriptions;
+    }
+    /**
+     * Gets a fully-configured subscription client for a given tenant ID
+     *
+     * @param tenantId (Optional) The tenant ID to get a client for
+     *
+     * @returns A client, the credential used by the client, and the authentication function
+     */
+    async getSubscriptionClient(_tenantId, scopes) {
+        const armSubs = await import('@azure/arm-resources-subscriptions');
+        if (!this._tokenCredential) {
+            throw new Error('Not signed in');
+        }
+        const accessToken = (await this._tokenCredential?.getToken("https://management.azure.com/.default"))?.token || '';
+        const getSession = () => {
+            return {
+                accessToken,
+                id: this._tokenCredential?.tenantId || '',
+                account: {
+                    id: this._tokenCredential?.tenantId || '',
+                    label: this._tokenCredential?.tenantId || '',
+                },
+                tenantId: this._tokenCredential?.tenantId || '',
+                scopes: scopes || [],
+            };
+        };
+        return {
+            client: new armSubs.SubscriptionClient(this._tokenCredential),
+            credential: this._tokenCredential,
+            authentication: {
+                getSession,
+                getSessionWithScopes: getSession,
+            }
+        };
+    }
+    onDidSignIn = () => { return { dispose() { } }; };
+    onDidSignOut = () => { return { dispose() { } }; };
+}
+exports.AzureDevOpsSubscriptionProvider = AzureDevOpsSubscriptionProvider;
+/*
+* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
+*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
+* @param domain The `Tenant ID` field of the service connection properties
+* @param clientId The `Service Principal Id` field of the service connection properties
+*/
+async function getTokenCredential(serviceConnectionId, domain, clientId) {
+    if (!process.env.AGENT_BUILDDIRECTORY) {
+        // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
+        // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
+        throw new Error(`Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.`);
+    }
+    else {
+        console.log(`Creating DevOps federated service connection credential for service connection..`);
+        // Pre-defined DevOps variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops
+        const systemAccessToken = process.env.SYSTEM_ACCESSTOKEN;
+        const teamFoundationCollectionUri = process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI;
+        const teamProjectId = process.env.SYSTEM_TEAMPROJECTID;
+        const planId = process.env.SYSTEM_PLANID;
+        const jobId = process.env.SYSTEM_JOBID;
+        if (!systemAccessToken || !teamFoundationCollectionUri || !teamProjectId || !planId || !jobId) {
+            throw new Error(`Azure DevOps environment variables are not set.\n
+            process.env.SYSTEM_ACCESSTOKEN: ${process.env.SYSTEM_ACCESSTOKEN ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: ${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMPROJECTID: ${process.env.SYSTEM_TEAMPROJECTID ? "✅" : "❌"}\n
+            process.env.SYSTEM_PLANID: ${process.env.SYSTEM_PLANID ? "✅" : "❌"}\n
+            process.env.SYSTEM_JOBID: ${process.env.SYSTEM_JOBID ? "✅" : "❌"}\n
+            REMEMBER: process.env.SYSTEM_ACCESSTOKEN must be explicitly mapped!\n
+            https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
+        `);
+        }
+        const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`;
+        const { ClientAssertionCredential } = await import("@azure/identity");
+        return new ClientAssertionCredential(domain, clientId, async () => await requestOidcToken(oidcRequestUrl, systemAccessToken));
+    }
+}
+/**
+ * API reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
+ */
+async function requestOidcToken(oidcRequestUrl, systemAccessToken) {
+    const { ServiceClient } = await import('@azure/core-client');
+    const { createHttpHeaders, createPipelineRequest } = await import('@azure/core-rest-pipeline');
+    const genericClient = new ServiceClient();
+    const request = createPipelineRequest({
+        url: oidcRequestUrl,
+        method: "POST",
+        headers: createHttpHeaders({
+            "Content-Type": "application/json",
+            "Authorization": `Bearer ${systemAccessToken}`
+        })
+    });
+    const response = await genericClient.sendRequest(request);
+    const body = response.bodyAsText?.toString() || "";
+    if (response.status !== 200) {
+        throw new Error(`Failed to get OIDC token:\n
+            Response status: ${response.status}\n
+            Response body: ${body}\n
+            Response headers: ${JSON.stringify(response.headers.toJSON())}
+        `);
+    }
+    else {
+        console.log(`Successfully got OIDC token with status ${response.status}`);
+    }
+    return JSON.parse(body).oidcToken;
+}
+//# sourceMappingURL=AzureDevOpsSubscriptionProvider.js.map

package/dist/cjs/src/NotSignedInError.js

@@ -0,0 +1,63 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NotSignedInError = void 0;
+exports.isNotSignedInError = isNotSignedInError;
+const vscode = __importStar(require("vscode"));
+/**
+ * An error indicating the user is not signed in.
+ */
+class NotSignedInError extends Error {
+    isNotSignedInError = true;
+    constructor() {
+        super(vscode.l10n.t('You are not signed in to an Azure account. Please sign in.'));
+    }
+}
+exports.NotSignedInError = NotSignedInError;
+/**
+ * Tests if an object is a `NotSignedInError`. This should be used instead of `instanceof`.
+ *
+ * @param error The object to test
+ *
+ * @returns True if the object is a NotSignedInError, false otherwise
+ */
+function isNotSignedInError(error) {
+    return !!error && typeof error === 'object' && error.isNotSignedInError === true;
+}
+//# sourceMappingURL=NotSignedInError.js.map

package/dist/cjs/src/VSCodeAzureSubscriptionProvider.js

@@ -0,0 +1,385 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VSCodeAzureSubscriptionProvider = void 0;
+const vscode = __importStar(require("vscode"));
+const getSessionFromVSCode_1 = require("./getSessionFromVSCode");
+const NotSignedInError_1 = require("./NotSignedInError");
+const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
+const isAuthenticationWwwAuthenticateRequest_1 = require("./utils/isAuthenticationWwwAuthenticateRequest");
+const isGetSubscriptionsFilter_1 = require("./utils/isGetSubscriptionsFilter");
+const EventDebounce = 5 * 1000; // 5 seconds
+let armSubs;
+/**
+ * A class for obtaining Azure subscription information using VSCode's built-in authentication
+ * provider.
+ */
+class VSCodeAzureSubscriptionProvider {
+    logger;
+    lastSignInEventFired = 0;
+    suppressSignInEvents = false;
+    lastSignOutEventFired = 0;
+    priorAccounts;
+    // So that customers can easily share logs, try to only log PII using trace level
+    constructor(logger) {
+        this.logger = logger;
+        // Load accounts initially, then onDidChangeSessions can compare against them
+        void vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)()).then(accounts => {
+            this.priorAccounts = Array.from(accounts); // The Array.from is to get rid of the readonly marker on the array returned by the API
+        });
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    onDidSignIn(callback, thisArg, disposables) {
+        return this.onDidChangeSessions(true, callback, thisArg, disposables);
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    onDidSignOut(callback, thisArg, disposables) {
+        return this.onDidChangeSessions(false, callback, thisArg, disposables);
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    onDidChangeSessions(signIn, callback, thisArg, disposables) {
+        const isASignInEvent = async () => {
+            const currentAccounts = Array.from(await vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)())); // The Array.from is to get rid of the readonly marker on the array returned by the API
+            const priorAccountCount = this.priorAccounts?.length ?? 0;
+            this.priorAccounts = currentAccounts;
+            // The only way a sign out happens is if an account is removed entirely from the list of accounts
+            if (currentAccounts.length === 0 || currentAccounts.length < priorAccountCount) {
+                return false;
+            }
+            return true;
+        };
+        const wrappedCallback = () => {
+            const immediate = setImmediate(() => {
+                clearImmediate(immediate);
+                void callback.call(thisArg);
+            });
+        };
+        const disposable = vscode.authentication.onDidChangeSessions(async (e) => {
+            // Ignore any sign in that isn't for the configured auth provider
+            if (e.provider.id !== (0, configuredAzureEnv_1.getConfiguredAuthProviderId)()) {
+                return;
+            }
+            if (signIn) {
+                if (this.suppressSignInEvents || Date.now() < this.lastSignInEventFired + EventDebounce) {
+                    return;
+                }
+                else if (await isASignInEvent()) {
+                    this.lastSignInEventFired = Date.now();
+                    wrappedCallback();
+                }
+            }
+            else {
+                if (Date.now() < this.lastSignOutEventFired + EventDebounce) {
+                    return;
+                }
+                else if (!await isASignInEvent()) {
+                    this.lastSignOutEventFired = Date.now();
+                    wrappedCallback();
+                }
+            }
+        });
+        disposables?.push(disposable);
+        return disposable;
+    }
+    dispose() {
+        // No-op, this class no longer has disposables
+    }
+    /**
+     * Gets a list of tenants available to the user.
+     * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
+     *
+     * @param account (Optional) A specific account to get tenants for. If not provided, all accounts will be used.
+     *
+     * @returns A list of tenants.
+     */
+    async getTenants(account) {
+        const startTimeMs = Date.now();
+        const results = [];
+        for await (account of account ? [account] : await vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)())) {
+            // Added check. Without this the getSubscriptionClient function throws the NotSignedInError
+            if (await this.isSignedIn(undefined, account)) {
+                const { client } = await this.getSubscriptionClient(account, undefined, undefined);
+                for await (const tenant of client.tenants.list()) {
+                    results.push({ ...tenant, account });
+                }
+            }
+        }
+        const endTimeMs = Date.now();
+        this.logger?.debug(`auth: Got ${results.length} tenants for account "${account?.label}" in ${endTimeMs - startTimeMs}ms`);
+        return results;
+    }
+    /**
+     * Gets a list of Azure subscriptions available to the user.
+     *
+     * @param filter - Whether to filter the list returned. When:
+     * - `true`: according to the list returned by `getTenantFilters()` and `getSubscriptionFilters()`.
+     * - `false`: return all subscriptions.
+     * - `GetSubscriptionsFilter`: according to the values in the filter.
+     *
+     * Optional, default true.
+     *
+     * @returns A list of Azure subscriptions. The list is sorted by subscription name.
+     * The list can contain duplicate subscriptions if they come from different accounts.
+     *
+     * @throws A {@link NotSignedInError} If the user is not signed in to Azure.
+     * Use {@link isSignedIn} and/or {@link signIn} before this method to ensure
+     * the user is signed in.
+     */
+    async getSubscriptions(filter = true) {
+        this.logger?.debug('auth: Loading subscriptions...');
+        const startTime = Date.now();
+        let tenantIdsToFilterBy;
+        if ((0, isGetSubscriptionsFilter_1.isGetSubscriptionsTenantFilter)(filter)) {
+            // Only filter by the tenant ID option if it is provided
+            tenantIdsToFilterBy = [filter.tenantId];
+        }
+        else if (filter === true) {
+            // Only filter by the configured filter if `filter` is true AND there are tenants in the configured filter
+            const configuredTenantFilter = await this.getTenantFilters();
+            if (configuredTenantFilter.length > 0) {
+                tenantIdsToFilterBy = configuredTenantFilter;
+            }
+        }
+        const allSubscriptions = [];
+        let accountCount; // only used for logging
+        try {
+            this.suppressSignInEvents = true;
+            // Get the list of tenants from each account (filtered or all)
+            const accounts = (0, isGetSubscriptionsFilter_1.isGetSubscriptionsAccountFilter)(filter) ? [filter.account] : await vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)());
+            accountCount = accounts.length;
+            for (const account of accounts) {
+                const tenantIds = (0, isGetSubscriptionsFilter_1.isGetSubscriptionsTenantFilter)(filter) ? [filter.tenantId] : (await this.getTenants(account)).map(t => t.tenantId);
+                for (const tenantId of tenantIds) {
+                    if (tenantIdsToFilterBy?.includes(tenantId) === false) {
+                        continue;
+                    }
+                    // For each tenant, get the list of subscriptions
+                    allSubscriptions.push(...await this.getSubscriptionsForTenant(account, tenantId));
+                }
+                // list subscriptions for the home tenant
+                allSubscriptions.push(...await this.getSubscriptionsForTenant(account));
+            }
+        }
+        finally {
+            this.suppressSignInEvents = false;
+        }
+        // It's possible that by listing subscriptions in all tenants and the "home" tenant there could be duplicate subscriptions
+        // Thus, we remove duplicate subscriptions. However, if multiple accounts have the same subscription, we keep them.
+        // There are also cases where the same subscription could appear in different tenants under the same account so we also need to keep those
+        const subscriptionMap = new Map();
+        allSubscriptions.forEach(sub => subscriptionMap.set(`${sub.account.id}/${sub.tenantId}/${sub.subscriptionId}`, sub));
+        const uniqueSubscriptions = Array.from(subscriptionMap.values());
+        const endTime = Date.now();
+        this.logger?.debug(`auth: Got ${uniqueSubscriptions.length} subscriptions from ${accountCount} accounts in ${endTime - startTime}ms`);
+        const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
+        const subscriptionIds = await this.getSubscriptionFilters();
+        if (filter === true && !!subscriptionIds.length) { // If the list is empty it is treated as "no filter"
+            return sortSubscriptions(uniqueSubscriptions.filter(sub => subscriptionIds.includes(sub.subscriptionId)));
+        }
+        return sortSubscriptions(uniqueSubscriptions);
+    }
+    /**
+     * Checks to see if a user is signed in.
+     *
+     * @param tenantId (Optional) Provide to check if a user is signed in to a specific tenant.
+     * @param account (Optional) Provide to check if a user is signed in to a specific account.
+     *
+     * @returns True if the user is signed in, false otherwise.
+     *
+     * If no tenant or account is provided, then
+     * checks all accounts for a session.
+     */
+    async isSignedIn(tenantId, account) {
+        async function silentlyCheckForSession(tenantId, account) {
+            return !!await (0, getSessionFromVSCode_1.getSessionFromVSCode)([], tenantId, { createIfNone: false, silent: true, account });
+        }
+        const innerIsSignedIn = async () => {
+            // If no tenant or account is provided, then check all accounts for a session
+            if (!account && !tenantId) {
+                const accounts = await vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)());
+                if (accounts.length === 0) {
+                    return false;
+                }
+                for (const account of accounts) {
+                    if (await silentlyCheckForSession(tenantId, account)) {
+                        // If any account has a session, then return true because the user is signed in
+                        return true;
+                    }
+                }
+            }
+            return silentlyCheckForSession(tenantId, account);
+        };
+        const result = await innerIsSignedIn();
+        this.logger?.trace(`auth: isSignedIn returned ${result} (account="${account?.label ?? 'none'}") (tenantId="${tenantId ?? 'none'}")`);
+        return result;
+    }
+    /**
+     * Asks the user to sign in or pick an account to use.
+     *
+     * @param tenantId (Optional) Provide to sign in to a specific tenant.
+     * @param account (Optional) Provide to sign in to a specific account.
+     *
+     * @returns True if the user is signed in, false otherwise.
+     */
+    async signIn(tenantId, account) {
+        this.logger?.debug(`auth: Signing in (account="${account?.label ?? 'none'}") (tenantId="${tenantId ?? 'none'}")`);
+        try {
+            this.suppressSignInEvents = true;
+            const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)([], tenantId, {
+                createIfNone: true,
+                // If no account is provided, then clear the session preference which tells VS Code to show the account picker
+                clearSessionPreference: !account,
+                account,
+            });
+            return !!session;
+        }
+        finally {
+            this.suppressSignInEvents = false;
+        }
+    }
+    /**
+     * Signs the user out
+     *
+     * @deprecated Not currently supported by VS Code auth providers
+     */
+    signOut() {
+        throw new Error(vscode.l10n.t('Signing out programmatically is not supported. You must sign out by selecting the account in the Accounts menu and choosing Sign Out.'));
+    }
+    /**
+     * Gets the tenant filters that are configured in `azureResourceGroups.selectedSubscriptions`. To
+     * override the settings with a custom filter, implement a child class with `getSubscriptionFilters()`
+     * and/or `getTenantFilters()` overridden.
+     *
+     * If no values are returned by `getTenantFilters()`, then all tenants will be scanned for subscriptions.
+     *
+     * @returns A list of tenant IDs that are configured in `azureResourceGroups.selectedSubscriptions`.
+     */
+    async getTenantFilters() {
+        const config = vscode.workspace.getConfiguration('azureResourceGroups');
+        const fullSubscriptionIds = config.get('selectedSubscriptions', []);
+        return fullSubscriptionIds.map(id => id.split('/')[0]);
+    }
+    /**
+     * Gets the subscription filters that are configured in `azureResourceGroups.selectedSubscriptions`. To
+     * override the settings with a custom filter, implement a child class with `getSubscriptionFilters()`
+     * and/or `getTenantFilters()` overridden.
+     *
+     * If no values are returned by `getSubscriptionFilters()`, then all subscriptions will be returned.
+     *
+     * @returns A list of subscription IDs that are configured in `azureResourceGroups.selectedSubscriptions`.
+     */
+    async getSubscriptionFilters() {
+        const config = vscode.workspace.getConfiguration('azureResourceGroups');
+        const fullSubscriptionIds = config.get('selectedSubscriptions', []);
+        return fullSubscriptionIds.map(id => id.split('/')[1]);
+    }
+    /**
+     * Gets the subscriptions for a given tenant.
+     *
+     * @param tenantId The tenant ID to get subscriptions for.
+     * @param account The account to get the subscriptions for.
+     *
+     * @returns The list of subscriptions for the tenant.
+     */
+    async getSubscriptionsForTenant(account, tenantId) {
+        // If the user is not signed in to this tenant or account, then return an empty list
+        // This is to prevent the NotSignedInError from being thrown in getSubscriptionClient
+        if (!await this.isSignedIn(tenantId, account)) {
+            return [];
+        }
+        const { client, credential, authentication } = await this.getSubscriptionClient(account, tenantId, undefined);
+        const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
+        const subscriptions = [];
+        for await (const subscription of client.subscriptions.list()) {
+            subscriptions.push({
+                authentication: authentication,
+                environment: environment,
+                credential: credential,
+                isCustomCloud: environment.isCustomCloud,
+                /* eslint-disable @typescript-eslint/no-non-null-assertion */
+                name: subscription.displayName,
+                subscriptionId: subscription.subscriptionId,
+                tenantId: tenantId ?? subscription.tenantId,
+                /* eslint-enable @typescript-eslint/no-non-null-assertion */
+                account: account
+            });
+        }
+        return subscriptions;
+    }
+    /**
+     * Gets a fully-configured subscription client for a given tenant ID
+     *
+     * @param tenantId (Optional) The tenant ID to get a client for
+     * @param account The account that you would like to get the session for
+     *
+     * @returns A client, the credential used by the client, and the authentication function
+     */
+    async getSubscriptionClient(account, tenantId, scopes) {
+        armSubs ||= await import('@azure/arm-resources-subscriptions');
+        const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopes, tenantId, { createIfNone: false, silent: true, account });
+        if (!session) {
+            throw new NotSignedInError_1.NotSignedInError();
+        }
+        const credential = {
+            getToken: async () => {
+                return {
+                    token: session.accessToken,
+                    expiresOnTimestamp: 0
+                };
+            }
+        };
+        const configuredAzureEnv = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
+        const endpoint = configuredAzureEnv.resourceManagerEndpointUrl;
+        return {
+            client: new armSubs.SubscriptionClient(credential, { endpoint }),
+            credential: credential,
+            authentication: {
+                getSession: () => session,
+                getSessionWithScopes: (scopeListOrRequest) => {
+                    // in order to handle a challenge, we must enable createIfNone so
+                    // that we can prompt the user to step-up their session with MFA
+                    // otherwise, never prompt the user
+                    return (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopeListOrRequest, tenantId, { ...((0, isAuthenticationWwwAuthenticateRequest_1.isAuthenticationWwwAuthenticateRequest)(scopeListOrRequest) ? { createIfNone: true } : { silent: true }), account });
+                },
+            }
+        };
+    }
+}
+exports.VSCodeAzureSubscriptionProvider = VSCodeAzureSubscriptionProvider;
+//# sourceMappingURL=VSCodeAzureSubscriptionProvider.js.map