npm - @microsoft/vscode-azext-azureauth - Versions diffs - 5.1.0 → 6.0.0-alpha.1 - Mend

@microsoft/vscode-azext-azureauth 5.1.0 → 6.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/dist/esm/src/utils/screen.js ADDED Viewed

@@ -0,0 +1,59 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+// These regexes are not perfect, but should work for common cases
+// If they don't work, we'll just return the account ID, which does not need to be screened
+const accountLabelRegex = /^(?<email>[^@]+)@(?<domain>[\w]+(\.[\w]+)+)$/i;
+const domainRegex = /^(?<domain>[^.]+)(?<safeTld>\.com(\..*)?|\.net|\.org|\.co\..*|\.gov)$/i;
+/**
+ * Screens the label or display name of an Azure account or tenant so that it can be logged without exposing PII.
+ * This should *NOT* be considered fool-proof nor safe for telemetry, but is acceptable for local logging.
+ * @param accountOrTenant The account or tenant to screen the label / display name of
+ * @returns The screened label / display name
+ */
+export function screen(accountOrTenant) {
+    if ('label' in accountOrTenant && !!accountOrTenant.label) {
+        const match = accountLabelRegex.exec(accountOrTenant.label);
+        if (match?.groups?.email && match.groups.domain) {
+            let screenedEmail = match.groups.email;
+            if (screenedEmail.length <= 2) {
+                screenedEmail = '***';
+            }
+            else {
+                screenedEmail = `${screenedEmail.at(0)}***${screenedEmail.at(-1)}`;
+            }
+            let screenedDomain = match.groups.domain;
+            const domainMatch = domainRegex.exec(match.groups.domain);
+            if (domainMatch?.groups?.domain && domainMatch.groups.safeTld) {
+                if (domainMatch.groups.domain.length <= 2) {
+                    screenedDomain = `***${domainMatch.groups.safeTld}`;
+                }
+                else {
+                    screenedDomain = `${domainMatch.groups.domain.at(0)}***${domainMatch.groups.safeTld}`;
+                }
+            }
+            else if (screenedDomain.length <= 2) {
+                screenedDomain = '***';
+            }
+            else {
+                screenedDomain = `${screenedDomain.at(0)}***${screenedDomain.at(-1)}`;
+            }
+            return `${screenedEmail}@${screenedDomain}`;
+        }
+        // If we can't match it with our simple regex, just return the account ID instead
+        return accountOrTenant.id;
+    }
+    else if ('displayName' in accountOrTenant && !!accountOrTenant.displayName) {
+        if (accountOrTenant.displayName.length <= 2) {
+            // For too-short names, just return the ID
+            return accountOrTenant.tenantId;
+        }
+        else {
+            // Return the first character, three stars, and the last character
+            return `${accountOrTenant.displayName.at(0)}***${accountOrTenant.displayName.at(-1)}`;
+        }
+    }
+    return 'unknown';
+}
+//# sourceMappingURL=screen.js.map

package/dist/esm/src/utils/signInToTenant.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { AzureAccount } from '../contracts/AzureAccount';
+import type { AzureSubscriptionProvider } from '../contracts/AzureSubscriptionProvider';
+/**
+ * Prompts user to select from a list of unauthenticated tenants.
+ * Once selected, requests a new session from VS Code specifically for this tenant.
+ */
+export declare function signInToTenant(subscriptionProvider: AzureSubscriptionProvider, account?: AzureAccount): Promise<void>;

package/dist/esm/src/{signInToTenant.js → utils/signInToTenant.js} RENAMED Viewed

@@ -2,28 +2,31 @@
 *  Copyright (c) Microsoft Corporation. All rights reserved.
 *  Licensed under the MIT License. See License.txt in the project root for license information.
 *--------------------------------------------------------------------------------------------*/
-import * as vscode from "vscode";
-import { getUnauthenticatedTenants } from "./utils/getUnauthenticatedTenants";
+import * as vscode from 'vscode';
 /**
  * Prompts user to select from a list of unauthenticated tenants.
- * Once selected, requests a new session from VS Code specifially for this tenant.
+ * Once selected, requests a new session from VS Code specifically for this tenant.
  */
-export async function signInToTenant(subscriptionProvider) {
-    const tenantId = await pickTenant(subscriptionProvider);
-    if (tenantId) {
-        await subscriptionProvider.signIn(tenantId);
+export async function signInToTenant(subscriptionProvider, account) {
+    const tenant = await pickTenant(subscriptionProvider, account);
+    if (tenant) {
+        await subscriptionProvider.signIn(tenant);
     }
 }
-async function pickTenant(subscriptionProvider) {
-    const pick = await vscode.window.showQuickPick(getPicks(subscriptionProvider), {
-        placeHolder: 'Select a Tenant (Directory) to Sign In To', // TODO: localize
+async function pickTenant(subscriptionProvider, account) {
+    const pick = await vscode.window.showQuickPick(getPicks(subscriptionProvider, account), {
+        placeHolder: vscode.l10n.t('Select a Tenant (Directory) to Sign In To'),
         matchOnDescription: true, // allow searching by tenantId
         ignoreFocusOut: true,
     });
-    return pick?.tenant.tenantId;
+    return pick?.tenant;
 }
-async function getPicks(subscriptionProvider) {
-    const unauthenticatedTenants = await getUnauthenticatedTenants(subscriptionProvider);
+async function getPicks(subscriptionProvider, account) {
+    const unauthenticatedTenants = [];
+    const accounts = account ? [account] : await subscriptionProvider.getAccounts();
+    for (const account of accounts) {
+        unauthenticatedTenants.push(...await subscriptionProvider.getUnauthenticatedTenantsForAccount(account));
+    }
     const duplicateTenants = new Set(unauthenticatedTenants
         .filter((tenant, index, self) => index !== self.findIndex(t => t.tenantId === tenant.tenantId))
         .map(tenant => tenant.tenantId));
@@ -33,7 +36,6 @@ async function getPicks(subscriptionProvider) {
         .sort((a, b) => (a.displayName).localeCompare(b.displayName))
         .map(tenant => ({
         label: tenant.displayName ?? '',
-        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
         description: `${tenant.tenantId}${isDuplicate(tenant.tenantId) ? ` (${tenant.account.label})` : ''}`,
         detail: tenant.defaultDomain ?? '',
         tenant,

package/dist/esm/src/utils/tryGetTokenExpiration.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type * as vscode from 'vscode';
2	+ export declare function tryGetTokenExpiration(session: vscode.AuthenticationSession \| undefined): number;

package/dist/esm/src/utils/tryGetTokenExpiration.js ADDED Viewed

@@ -0,0 +1,22 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export function tryGetTokenExpiration(session) {
+    try {
+        if (!!session?.idToken) {
+            const idTokenParts = session.idToken.split('.');
+            if (idTokenParts.length === 3) {
+                const payload = JSON.parse(Buffer.from(idTokenParts[1], 'base64').toString());
+                if (payload.exp !== undefined && Number.isInteger(payload.exp)) {
+                    return payload.exp * 1000; // Convert to milliseconds
+                }
+            }
+        }
+    }
+    catch {
+        // Best effort only
+    }
+    return 0;
+}
+//# sourceMappingURL=tryGetTokenExpiration.js.map

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureauth",
     "author": "Microsoft Corporation",
-    "version": "5.1.0",
+    "version": "6.0.0-alpha.1",
     "description": "Azure authentication helpers for Visual Studio Code",
     "tags": [
         "azure",
@@ -11,6 +11,18 @@
         "azure",
         "vscode"
     ],
+    "exports": {
+        ".": {
+            "import": "./dist/esm/src/index.js",
+            "require": "./dist/cjs/src/index.js",
+            "types": "./dist/esm/src/index.d.ts"
+        },
+        "./azdo": {
+            "import": "./dist/esm/src/providers/AzureDevOpsSubscriptionProvider.js",
+            "require": "./dist/cjs/src/providers/AzureDevOpsSubscriptionProvider.js",
+            "types": "./dist/esm/src/providers/AzureDevOpsSubscriptionProvider.d.ts"
+        }
+    },
     "module": "dist/esm/src/index.js",
     "main": "dist/cjs/src/index.js",
     "types": "dist/esm/src/index.d.ts",
@@ -27,37 +39,35 @@
         "build": "npm run build:esm && npm run build:cjs",
         "build:esm": "tsc -p ./",
         "build:cjs": "tsc -p ./ --outDir ./dist/cjs --module nodenext --moduleResolution nodenext --declaration false",
-        "lint": "eslint --ext .ts .",
-        "lint-fix": "eslint --ext .ts . --fix",
-        "test": "node ./dist/cjs/test/runTest.js",
+        "lint": "eslint --max-warnings 0",
+        "test": "mocha",
         "package": "npm pack",
         "l10n": "npx @vscode/l10n-dev export --outDir ./l10n ./src"
     },
     "engines": {
-        "vscode": "^1.105.0"
+        "vscode": "^1.106.0"
     },
     "devDependencies": {
-        "@azure/core-auth": "^1.4.0",
-        "@microsoft/eslint-config-azuretools": "^0.2.1",
-        "@types/glob": "^8.1.0",
-        "@types/mocha": "^7.0.2",
-        "@types/node": "^18.18.7",
-        "@types/vscode": "1.105.0",
-        "@typescript-eslint/eslint-plugin": "^5.53.0",
-        "@vscode/test-electron": "^2.3.8",
-        "eslint": "^8.34.0",
-        "eslint-plugin-import": "^2.22.1",
-        "glob": "^7.1.6",
-        "mocha": "^11.1.0",
-        "mocha-junit-reporter": "^2.0.2",
-        "mocha-multi-reporters": "^1.1.7",
-        "typescript": "^5.8.2"
+        "@azure/core-auth": "^1.10.1",
+        "@microsoft/vscode-azext-eng": "1.0.0-alpha.4",
+        "@types/node": "22.x",
+        "@types/vscode": "1.106.0"
     },
     "dependencies": {
         "@azure/arm-resources-subscriptions": "^2.1.0",
-        "@azure/core-client": "^1.9.2",
-        "@azure/core-rest-pipeline": "^1.16.0",
-        "@azure/identity": "^4.2.0",
+        "@azure/identity": "^4.13.0",
         "@azure/ms-rest-azure-env": "^2.0.0"
+    },
+    "publishConfig": {
+        "tag": "alpha"
+    },
+    "mocha": {
+        "ui": "tdd",
+        "node-option": [
+            "import=tsx"
+        ],
+        "spec": [
+            "test/**/*.test.ts"
+        ]
     }
 }

package/AzureFederatedCredentialsGuide.md DELETED Viewed

@@ -1,174 +0,0 @@
-# Setting up workflow identity federation with Azure DevOps
-This guide describes how to set up your Azure DevOps (ADO) and Azure environment to leverage [workflow identity federation](https://learn.microsoft.com/entra/workload-id/workload-identity-federation), enabling you to use
-`AzureDevOpsSubscriptionProvider` provided in this section. See the [README](README.md#azure-devops-subscription-provider) for more details.
-## 1. Create a new service principal
-Create a new service principal on which you will assign the necessary permissions. In this example, we use an app registration:
-1. Navigate to the [App Registrations](https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) page on the Azure portal
-2. Click on `New Registration`
-    ![New Registration](guide-imgs/app_registration.jpg)
-3. Assign any name
-4. Make sure to select the first option for the account type (`Accounts in this organization directory only (Microsoft only - Single tenant)`)
-5. Leave the Redirect URI and Service Tree ID fields empty
-6. Click on `Register`
-    ![Register an application](guide-imgs/app_registration_2.jpg)
-## 2. Create a new Azure DevOps (ADO) Service Connection:
-Create a new ADO service connection under your organization's project. In this example, we create it under the DevDiv project:
- 1. Navigate to the [organization's (DevDiv) ADO page](https://devdiv.visualstudio.com/DevDiv)
- 2. Navigate to the settings page by clicking on the gear icon on the bottom left
- 3. Select the ["service connections"](https://devdiv.visualstudio.com/DevDiv/_settings/adminservices) blade from the panel on the left
-    ![Select service connection](guide-imgs/service_connection_1.jpg)
- 4. Create a new service connection by clicking on the `New service connection` button
-   ![Click on new service connection](guide-imgs/service_connection_2.jpg)
- 5. Select `Azure Resource Manager` as the type
- 6. Select `Workload Identity federation (manual)` for the authentication type
- 7. Provide a new name for your new service connection
- 8. Click on `Next`
- 9.  This will create a new draft service connection, with the `issuer` and `subject identifier` fields already filled in.
- 10. Leave this window open while you finish the next step, which will require those `issuer` and `subject identifier` fields, then you will return to this window to finish creating the service principal
-   ![Draft service connectoin screen](guide-imgs/service_connection_3.jpg)
-## 3. Create a federated credential:
-Create a new "federated credential" on your service principal to connect it to your new service connection:
- 1. Navigate back to the Azure Portal page for your service connection (app registration) from step 1
- 2. Navigate to the `Certificates & secrets` blade
- 3. Navigate to the `Federated credentials` tab
- 4. Click on the `Add credential` button
-   ![Add federated credential](guide-imgs/credential_1.jpg)
- 5. For the scenario, select `Other issuer`
- 6. For the `issuer` and `subject identifier` fields, fill in with the details of your draft service connection from the previous step
- 7. Select a new name for your new federated credential
-    ![Fill in issuer, subject identifier, and name fields](guide-imgs/credential_2.jpg)
- 8. Click on `Add`
-## 4. (Temporary but required) Grant your service principal reader role on the desired subscription:
-This step is not required for running your tests, but _is_ required to finish creating the service connection. This should be revoked after successful creation of the service connection and only necessary roles applied to the service principal.
- 1. On the Azure Portal, navigate to the page for the subscription you want the service principal to have access to.
- 2. Navigate to the `Access control (IAM)` blade
-    ![access control tab](guide-imgs/subscription_1.jpg)
- 3. Navigate to the `Roles` tab
- 4. Click on the `+ Add` button, and choose `Add role assignment`
-   ![add role](guide-imgs/subscription_2.jpg)
- 5. Choose `Reader` and click `Next`
- 6. Choose `User, group, or service principal`, then click on `+ Select members`
-   ![select members](guide-imgs/subscription_3.jpg)
- 7. Select your service principal from step 1
- 8. Click on `Review and assign`
-## 5. Finish creating your service connection:
-Finish creating the draft service connection you created in step 2.
- 1. Navigate back to your draft service connection from step 2
- 2. For Environment, select `Azure Cloud`
- 3. For Scope Level, choose `Subscription`
- 4. Under `Subscription Id`, and `Subscription Name`, write the subscription ID and name (must provide both) for the desired subscription
- 5. For `Service Principal Id`, provide the `Application (client) ID` of your app registration from step 1 (can be found in the `Overview` blade)
- 6. For the `Tenant ID`, provide the `Directory (tenant) ID` of your app registration from step 1 (can be found in `Overview` blade)
- 7. Click on `Verify and save`
-## 6. Revoke unnecessary read access and assign only necessary roles
-Revoke the `Reader` role on the subscription for the service connection after it is created. This is no longer necessary.
- 1. Navigate to `Access control (IAM)` blade.
- 2. Under the `Role assignments` tab, find the role assignment corresponding to the App registered on step 1
- 3. Click on `Remove` then `Yes`
- 4. You can then assign the required roles to specific resources only if required, instead of assigning `Reader` role to the entire subscription.
-## 7. Create a dummy Key Vault
-A dummy Key vault step is required to propagate the necessary environment variables in the context of the pipeline.
- 1. Create a new Key Vault resource in the subscription you want to test on
- 2. Give it a new name as appropriate. You can keep the default settings
-    ![Create key vault](guide-imgs/dummy_kv.jpg)
-## 8. Assign your service principal "key vault reader" role on the dummy Key Vault:
- 1. Navigate to `Access control (IAM)` blade on your newly created dummy key vault
-   ![access control tab](guide-imgs/subscription_1.jpg)
- 2. Navigate to the `Roles` tab
- 3. Click on the `+ Add` button, and choose `Add role assignment`
-   ![add role](guide-imgs/subscription_2.jpg)
- 4. Choose `Key Vault Reader` (**NOT** `Reader`) and click `Next`
- 5. Choose `User, group, or service principal`, then click on `+ Select members`
-   ![select members](guide-imgs/subscription_3.jpg)
- 6. Select your app registration from step 1
- 7. Click on `Review and assign`
-## 9. Add the dummy Key Vault step in the pipeline
-To ensure that the appropriate env variables are propagated in the context of running the pipeline, a dummy Key Vault step is required in that pipeline:
- 1. In the desired pipeline's `.yml` file, add a step as below. The `azureSubscription` field should correspond to the name of your service connection from step 2, while the `keyVaultName` field should correspond to the dummy key vault created in step 7:
-     ```yml
-      # This gives the TestServiceConnection service connection access to this pipeline.
-     - task: AzureKeyVault@1
-       displayName: 'Authorize TestServiceConnection service connection'
-       inputs:
-         azureSubscription: 'TestServiceConnection'
-         KeyVaultName: 'TestDummyKeyVault'
-     ```
- 2. In the step which runs your code (e.g., the npm test step), make sure that the `$(System.AccessToken)` variable is manually propagated as a `SYSTEM_ACCESSTOKEN` environment variable. All other required environment variables should be propagated automatically:
-     ```yml
-     - task: Npm@1
-       displayName: "Test"
-       inputs:
-         command: custom
-         customCommand: test
-      env:
-         SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-        ```
-## 10. Pass the appropriate values to identify your service connection:
-The constructor for `AzureDevOpsSubscriptionProvider` expects three arguments in an initializer object in order to identify your service connection you setup in step 5.
-These are:
-- `serviceConnectionId`: The resource ID of the service connection created in step 2, which can be found on the `resourceId` field of the URL at the address bar, when viewing the service connection in the Azure DevOps portal
-- `domain`: The `Tenant ID` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
-- `clientId`: The `Service Principal Id` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
-  ![identifier values for service connection](guide-imgs/identifier_values.jpg)
-Make sure you pass an object containing these variables for the `new AzureDevOpsServiceProvider()` constructor. These values are _not_ secrets, so they can be set as environment variables, assigned as pipeline variables in ADO, accessed and assigned using an Azure Key Vault step, or even manually hardcoded in code (not recommended).

package/dist/cjs/src/AzureDevOpsSubscriptionProvider.js DELETED Viewed

@@ -1,215 +0,0 @@
-"use strict";
-/*---------------------------------------------------------------------------------------------
- *  Copyright (c) Microsoft Corporation. All rights reserved.
- *  Licensed under the MIT License. See License.txt in the project root for license information.
- *--------------------------------------------------------------------------------------------*/
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AzureDevOpsSubscriptionProvider = void 0;
-exports.createAzureDevOpsSubscriptionProviderFactory = createAzureDevOpsSubscriptionProviderFactory;
-const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
-let azureDevOpsSubscriptionProvider;
-function createAzureDevOpsSubscriptionProviderFactory(initializer) {
-    return async () => {
-        azureDevOpsSubscriptionProvider ??= new AzureDevOpsSubscriptionProvider(initializer);
-        return azureDevOpsSubscriptionProvider;
-    };
-}
-/**
- * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
- * To learn how to configure your DevOps environment to use this provider, refer to the README.md
- * NOTE: This provider is only available when running in an Azure DevOps pipeline
- * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
- */
-class AzureDevOpsSubscriptionProvider {
-    _tokenCredential;
-    /**
-    * The resource ID of the Azure DevOps federated service connection,
-    *   which can be found on the `resourceId` field of the URL at the address bar
-    *   when viewing the service connection in the Azure DevOps portal
-    */
-    _SERVICE_CONNECTION_ID;
-    /**
-    * The `Tenant ID` field of the service connection properties
-    */
-    _DOMAIN;
-    /**
-    * The `Service Principal Id` field of the service connection properties
-    */
-    _CLIENT_ID;
-    constructor({ serviceConnectionId, domain, clientId }) {
-        if (!serviceConnectionId || !domain || !clientId) {
-            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
-                Values provided:\n
-                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
-                domain: ${domain ? "✅" : "❌"}\n
-                clientId: ${clientId ? "✅" : "❌"}\n
-            `);
-        }
-        this._SERVICE_CONNECTION_ID = serviceConnectionId;
-        this._DOMAIN = domain;
-        this._CLIENT_ID = clientId;
-    }
-    async getSubscriptions(_filter) {
-        // ignore the filter setting because not every consumer of this provider will use the Resources extension
-        const results = [];
-        for (const tenant of await this.getTenants()) {
-            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-            const tenantId = tenant.tenantId;
-            results.push(...await this.getSubscriptionsForTenant(tenantId));
-        }
-        const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
-        return sortSubscriptions(results);
-    }
-    async isSignedIn() {
-        return !!this._tokenCredential;
-    }
-    async signIn() {
-        this._tokenCredential = await getTokenCredential(this._SERVICE_CONNECTION_ID, this._DOMAIN, this._CLIENT_ID);
-        return !!this._tokenCredential;
-    }
-    async signOut() {
-        this._tokenCredential = undefined;
-    }
-    async getTenants() {
-        return [{
-                tenantId: this._tokenCredential?.tenantId,
-                account: {
-                    id: "test-account-id",
-                    label: "test-account",
-                }
-            }];
-    }
-    /**
-     * Gets the subscriptions for a given tenant.
-     *
-     * @param tenantId The tenant ID to get subscriptions for.
-     *
-     * @returns The list of subscriptions for the tenant.
-     */
-    async getSubscriptionsForTenant(tenantId) {
-        const { client, credential, authentication } = await this.getSubscriptionClient(tenantId);
-        const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
-        const subscriptions = [];
-        for await (const subscription of client.subscriptions.list()) {
-            subscriptions.push({
-                authentication,
-                environment: environment,
-                credential: credential,
-                isCustomCloud: environment.isCustomCloud,
-                /* eslint-disable @typescript-eslint/no-non-null-assertion */
-                name: subscription.displayName,
-                subscriptionId: subscription.subscriptionId,
-                /* eslint-enable @typescript-eslint/no-non-null-assertion */
-                tenantId,
-                account: {
-                    id: "test-account-id",
-                    label: "test-account",
-                },
-            });
-        }
-        return subscriptions;
-    }
-    /**
-     * Gets a fully-configured subscription client for a given tenant ID
-     *
-     * @param tenantId (Optional) The tenant ID to get a client for
-     *
-     * @returns A client, the credential used by the client, and the authentication function
-     */
-    async getSubscriptionClient(_tenantId, scopes) {
-        const armSubs = await import('@azure/arm-resources-subscriptions');
-        if (!this._tokenCredential) {
-            throw new Error('Not signed in');
-        }
-        const accessToken = (await this._tokenCredential?.getToken("https://management.azure.com/.default"))?.token || '';
-        const getSession = () => {
-            return {
-                accessToken,
-                id: this._tokenCredential?.tenantId || '',
-                account: {
-                    id: this._tokenCredential?.tenantId || '',
-                    label: this._tokenCredential?.tenantId || '',
-                },
-                tenantId: this._tokenCredential?.tenantId || '',
-                scopes: scopes || [],
-            };
-        };
-        return {
-            client: new armSubs.SubscriptionClient(this._tokenCredential),
-            credential: this._tokenCredential,
-            authentication: {
-                getSession,
-                getSessionWithScopes: getSession,
-            }
-        };
-    }
-    onDidSignIn = () => { return { dispose() { } }; };
-    onDidSignOut = () => { return { dispose() { } }; };
-}
-exports.AzureDevOpsSubscriptionProvider = AzureDevOpsSubscriptionProvider;
-/*
-* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
-*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
-* @param domain The `Tenant ID` field of the service connection properties
-* @param clientId The `Service Principal Id` field of the service connection properties
-*/
-async function getTokenCredential(serviceConnectionId, domain, clientId) {
-    if (!process.env.AGENT_BUILDDIRECTORY) {
-        // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
-        // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
-        throw new Error(`Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.`);
-    }
-    else {
-        console.log(`Creating DevOps federated service connection credential for service connection..`);
-        // Pre-defined DevOps variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops
-        const systemAccessToken = process.env.SYSTEM_ACCESSTOKEN;
-        const teamFoundationCollectionUri = process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI;
-        const teamProjectId = process.env.SYSTEM_TEAMPROJECTID;
-        const planId = process.env.SYSTEM_PLANID;
-        const jobId = process.env.SYSTEM_JOBID;
-        if (!systemAccessToken || !teamFoundationCollectionUri || !teamProjectId || !planId || !jobId) {
-            throw new Error(`Azure DevOps environment variables are not set.\n
-            process.env.SYSTEM_ACCESSTOKEN: ${process.env.SYSTEM_ACCESSTOKEN ? "✅" : "❌"}\n
-            process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: ${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI ? "✅" : "❌"}\n
-            process.env.SYSTEM_TEAMPROJECTID: ${process.env.SYSTEM_TEAMPROJECTID ? "✅" : "❌"}\n
-            process.env.SYSTEM_PLANID: ${process.env.SYSTEM_PLANID ? "✅" : "❌"}\n
-            process.env.SYSTEM_JOBID: ${process.env.SYSTEM_JOBID ? "✅" : "❌"}\n
-            REMEMBER: process.env.SYSTEM_ACCESSTOKEN must be explicitly mapped!\n
-            https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
-        `);
-        }
-        const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`;
-        const { ClientAssertionCredential } = await import("@azure/identity");
-        return new ClientAssertionCredential(domain, clientId, async () => await requestOidcToken(oidcRequestUrl, systemAccessToken));
-    }
-}
-/**
- * API reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
- */
-async function requestOidcToken(oidcRequestUrl, systemAccessToken) {
-    const { ServiceClient } = await import('@azure/core-client');
-    const { createHttpHeaders, createPipelineRequest } = await import('@azure/core-rest-pipeline');
-    const genericClient = new ServiceClient();
-    const request = createPipelineRequest({
-        url: oidcRequestUrl,
-        method: "POST",
-        headers: createHttpHeaders({
-            "Content-Type": "application/json",
-            "Authorization": `Bearer ${systemAccessToken}`
-        })
-    });
-    const response = await genericClient.sendRequest(request);
-    const body = response.bodyAsText?.toString() || "";
-    if (response.status !== 200) {
-        throw new Error(`Failed to get OIDC token:\n
-            Response status: ${response.status}\n
-            Response body: ${body}\n
-            Response headers: ${JSON.stringify(response.headers.toJSON())}
-        `);
-    }
-    else {
-        console.log(`Successfully got OIDC token with status ${response.status}`);
-    }
-    return JSON.parse(body).oidcToken;
-}
-//# sourceMappingURL=AzureDevOpsSubscriptionProvider.js.map