@microsoft/vscode-azext-azureauth 5.1.1 → 6.0.0-alpha.2

package/dist/cjs/src/utils/Limiter.js

@@ -0,0 +1,41 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Limiter = void 0;
+class Limiter {
+    runningPromises;
+    maxDegreeOfParalellism;
+    outstandingPromises;
+    constructor(maxDegreeOfParalellism) {
+        this.maxDegreeOfParalellism = maxDegreeOfParalellism;
+        this.outstandingPromises = [];
+        this.runningPromises = 0;
+    }
+    queue(factory) {
+        return new Promise((c, e) => {
+            this.outstandingPromises.push({ factory, c, e });
+            this.consume();
+        });
+    }
+    consume() {
+        while (this.outstandingPromises.length && this.runningPromises < this.maxDegreeOfParalellism) {
+            const iLimitedTask = this.outstandingPromises.shift();
+            this.runningPromises++;
+            const promise = iLimitedTask.factory();
+            promise.then(iLimitedTask.c, iLimitedTask.e);
+            promise.then(() => this.consumed(), () => this.consumed());
+        }
+    }
+    consumed() {
+        this.runningPromises--;
+        if (this.outstandingPromises.length > 0) {
+            this.consume();
+        }
+    }
+}
+exports.Limiter = Limiter;
+/* eslint-enable @typescript-eslint/no-explicit-any, @typescript-eslint/no-non-null-assertion */
+//# sourceMappingURL=Limiter.js.map

package/dist/cjs/src/{NotSignedInError.js → utils/NotSignedInError.js}

@@ -51,13 +51,14 @@ class NotSignedInError extends Error {
 }
 exports.NotSignedInError = NotSignedInError;
 /**
- * Tests if an object is a `NotSignedInError`. This should be used instead of `instanceof`.
+ * Tests if an object is a {@link NotSignedInError}. This should be used instead of `instanceof`.
  *
  * @param error The object to test
  *
- * @returns True if the object is a NotSignedInError, false otherwise
+ * @returns True if the object is a {@link NotSignedInError}, false otherwise
  */
 function isNotSignedInError(error) {
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-boolean-literal-compare, @typescript-eslint/no-unnecessary-condition
     return !!error && typeof error === 'object' && error.isNotSignedInError === true;
 }
 //# sourceMappingURL=NotSignedInError.js.map

package/dist/cjs/src/utils/configuredAzureEnv.js

@@ -52,6 +52,16 @@ var CloudEnvironmentSettingValue;
     CloudEnvironmentSettingValue["USGovernment"] = "USGovernment";
     CloudEnvironmentSettingValue["Custom"] = "custom";
 })(CloudEnvironmentSettingValue || (CloudEnvironmentSettingValue = {}));
+class ExtendedEnvironment extends azureEnv.Environment {
+    isCustomCloud;
+    constructor(parameters, isCustomCloud) {
+        super(parameters);
+        this.isCustomCloud = isCustomCloud;
+        // The Environment constructor only copies required properties. Copy all remaining
+        // optional properties (e.g. storageEndpointSuffix, keyVaultDnsSuffix) from the source.
+        Object.assign(this, parameters);
+    }
+}
 /**
  * Gets the configured Azure environment.
  *
@@ -61,31 +71,19 @@ function getConfiguredAzureEnv() {
     const authProviderConfig = vscode.workspace.getConfiguration(CustomCloudConfigurationSection);
     const environmentSettingValue = authProviderConfig.get(CloudEnvironmentSettingName);
     if (environmentSettingValue === CloudEnvironmentSettingValue.ChinaCloud) {
-        return {
-            ...azureEnv.Environment.ChinaCloud,
-            isCustomCloud: false,
-        };
+        return new ExtendedEnvironment(azureEnv.Environment.ChinaCloud, false);
     }
     else if (environmentSettingValue === CloudEnvironmentSettingValue.USGovernment) {
-        return {
-            ...azureEnv.Environment.USGovernment,
-            isCustomCloud: false,
-        };
+        return new ExtendedEnvironment(azureEnv.Environment.USGovernment, false);
     }
     else if (environmentSettingValue === CloudEnvironmentSettingValue.Custom) {
         const customCloud = authProviderConfig.get(CustomEnvironmentSettingName);
         if (customCloud) {
-            return {
-                ...new azureEnv.Environment(customCloud),
-                isCustomCloud: true,
-            };
+            return new ExtendedEnvironment(customCloud, true);
         }
         throw new Error(vscode.l10n.t('The custom cloud choice is not configured. Please configure the setting `{0}.{1}`.', CustomCloudConfigurationSection, CustomEnvironmentSettingName));
     }
-    return {
-        ...azureEnv.Environment.get(azureEnv.Environment.AzureCloud.name),
-        isCustomCloud: false,
-    };
+    return new ExtendedEnvironment(azureEnv.Environment.AzureCloud, false);
 }
 /**
  * Sets the configured Azure cloud.

package/dist/cjs/src/utils/dedupeSubscriptions.js

@@ -0,0 +1,27 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dedupeSubscriptions = dedupeSubscriptions;
+/**
+ * Deduplicates (and sorts) a list of Azure subscriptions.
+ * In short, the behavior is that the combination of account + tenant + subscriptionId will be unique.
+ * The last appearance of any duplicates will be kept. The resulting list is sorted by subscription name.
+ *
+ * Please note:
+ * - The same tenant may appear under different accounts.
+ * - The same subscriptionId may appear under different accounts that share the same tenant.
+ * - Rarely, the same subscriptionId may also appear under different accounts + different tenants.
+ *
+ * @param subscriptions The list of subscriptions to deduplicate
+ */
+function dedupeSubscriptions(subscriptions) {
+    const deduped = new Map();
+    for (const sub of subscriptions) {
+        deduped.set(`${sub.account.id}/${sub.tenantId}/${sub.subscriptionId}`, sub);
+    }
+    return Array.from(deduped.values()).sort((a, b) => a.name.localeCompare(b.name));
+}
+//# sourceMappingURL=dedupeSubscriptions.js.map

package/dist/cjs/src/utils/getMetricsForTelemetry.js

@@ -0,0 +1,47 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getMetricsForTelemetry = getMetricsForTelemetry;
+/**
+ * Gets telemetry metrics about accounts, tenants, and subscriptions.
+ * @param subscriptionProvider The subscription provider to use to get the metrics.
+ * @throws A NotSignedInError if no accounts are signed in.
+ */
+async function getMetricsForTelemetry(subscriptionProvider) {
+    // Get the total number of accounts (requires no web requests)
+    // Errors are deliberately not caught here, so if no accounts are signed in, this will throw
+    const accounts = await subscriptionProvider.getAccounts();
+    const numAccounts = accounts.length;
+    // Get the total number of tenants across all accounts (requires one web request per account, which is reasonable)
+    let numTenants = 0;
+    for (const account of accounts) {
+        try {
+            const tenants = await subscriptionProvider.getTenantsForAccount(account);
+            numTenants += tenants.length;
+        }
+        catch {
+            continue; // If we can't get tenants for an account, skip it instead of throwing
+        }
+    }
+    // Get as many subscriptions as we can (requires one web request per account+tenant)
+    // This is limited to the first 10 account+tenants, thus a max of 10 web requests
+    // Errors are deliberately not caught here; none are expected since at least one account is signed in
+    const subscriptions = await subscriptionProvider.getAvailableSubscriptions();
+    const numSubscriptions = subscriptions.length;
+    // Get subscription IDs (up to 25)
+    const subscriptionSet = new Set();
+    subscriptions.slice(0, 25).forEach(sub => {
+        subscriptionSet.add(sub.subscriptionId);
+    });
+    return {
+        totalAccounts: numAccounts,
+        visibleTenants: numTenants,
+        visibleSubscriptions: numSubscriptions,
+        subscriptionIdList: JSON.stringify(Array.from(subscriptionSet)),
+        subscriptionIdListIsIncomplete: subscriptions.length > 25,
+    };
+}
+//# sourceMappingURL=getMetricsForTelemetry.js.map

package/dist/cjs/src/{getSessionFromVSCode.js → utils/getSessionFromVSCode.js}

@@ -39,13 +39,16 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getSessionFromVSCode = getSessionFromVSCode;
 const vscode = __importStar(require("vscode"));
-const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
-const isAuthenticationWwwAuthenticateRequest_1 = require("./utils/isAuthenticationWwwAuthenticateRequest");
+const configuredAzureEnv_1 = require("./configuredAzureEnv");
+const isAuthenticationWwwAuthenticateRequest_1 = require("./isAuthenticationWwwAuthenticateRequest");
 function ensureEndingSlash(value) {
     return value.endsWith('/') ? value : `${value}/`;
 }
 function getResourceScopes(scopes) {
     if (scopes === undefined || scopes === "" || scopes.length === 0) {
+        // For https://github.com/microsoft/vscode-azurefunctions/issues/3913, the default scope was changed from
+        // ~'https://management.azure.com/.default' (`AzureEnv.resourceManagerEndpointUrl`) to
+        // ~'https://management.core.windows.net/.default' (`AzureEnv.managementEndpointUrl`)
         scopes = ensureEndingSlash((0, configuredAzureEnv_1.getConfiguredAzureEnv)().managementEndpointUrl);
     }
     const arrScopes = (Array.isArray(scopes) ? scopes : [scopes])

package/dist/cjs/src/utils/getSignalForToken.js

@@ -0,0 +1,29 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSignalForToken = getSignalForToken;
+/**
+ * Gets an AbortSignal that is tied to the given {@link vscode.CancellationToken}.
+ * @param token The token to convert
+ * @returns The {@link AbortSignal} or undefined if no token is provided
+ */
+function getSignalForToken(token) {
+    if (!token) {
+        return undefined;
+    }
+    const controller = new AbortController();
+    if (token.isCancellationRequested) {
+        controller.abort();
+    }
+    else {
+        const disposable = token.onCancellationRequested(() => {
+            disposable.dispose();
+            controller.abort();
+        });
+    }
+    return controller.signal;
+}
+//# sourceMappingURL=getSignalForToken.js.map

package/dist/cjs/src/utils/map/CaselessMap.js

@@ -0,0 +1,71 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CaselessMap = void 0;
+class CaselessMap {
+    #map = new Map();
+    clear() {
+        this.#map.clear();
+    }
+    delete(key) {
+        return this.#map.delete(this.normalizeKey(key));
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Must exactly match interface
+    forEach(callbackfn, thisArg) {
+        this.#map.forEach(entry => {
+            callbackfn.call(thisArg, entry.value, entry.originalKey, this);
+        });
+    }
+    get(key) {
+        return this.#map.get(this.normalizeKey(key))?.value;
+    }
+    has(key) {
+        return this.#map.has(this.normalizeKey(key));
+    }
+    set(key, value) {
+        this.#map.set(this.normalizeKey(key), { originalKey: key, value });
+        return this;
+    }
+    get size() {
+        return this.#map.size;
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    *entries() {
+        for (const [, entry] of this.#map) {
+            yield [entry.originalKey, entry.value];
+        }
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    *keys() {
+        for (const [, entry] of this.#map) {
+            yield entry.originalKey;
+        }
+    }
+    *values() {
+        for (const [, entry] of this.#map) {
+            yield entry.value;
+        }
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    [Symbol.iterator]() {
+        return this.entries();
+    }
+    [Symbol.toStringTag] = 'CaselessMap';
+    normalizeKey(key) {
+        return key.toLowerCase();
+    }
+}
+exports.CaselessMap = CaselessMap;
+//# sourceMappingURL=CaselessMap.js.map

package/dist/cjs/src/utils/map/TwoKeyCaselessMap.js

@@ -0,0 +1,194 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TwoKeyCaselessMap = void 0;
+const CaselessMap_1 = require("./CaselessMap");
+class TwoKeyCaselessMap {
+    testMode;
+    #map1 = new CaselessMap_1.CaselessMap(); // First map has key1 as the outer key and key2 as the inner key
+    #map2 = new CaselessMap_1.CaselessMap(); // Second key map has key2 as the outer key and key1 as the inner key
+    #size = 0;
+    constructor(testMode = false) {
+        this.testMode = testMode;
+    }
+    clear() {
+        this.#map1.clear();
+        this.#map2.clear();
+        this.#size = 0;
+    }
+    clearByFirstKey(key1) {
+        const innerMap1 = this.#map1.get(key1);
+        if (!innerMap1) {
+            return;
+        }
+        // Decrement size before any deletions
+        this.#size -= innerMap1.size;
+        // Remove all entries from #map2 that reference this key1
+        innerMap1.forEach((_, key2) => {
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- The existence of innerMap1 ensures this is non-null
+            const innerMap2 = this.#map2.get(key2);
+            innerMap2.delete(key1);
+            if (innerMap2.size === 0) {
+                this.#map2.delete(key2);
+            }
+        });
+        // Remove the entire inner map from #map1
+        this.#map1.delete(key1);
+    }
+    clearBySecondKey(key2) {
+        const innerMap2 = this.#map2.get(key2);
+        if (!innerMap2) {
+            return;
+        }
+        // Decrement size before any deletions
+        this.#size -= innerMap2.size;
+        // Remove all entries from #map1 that reference this key2
+        innerMap2.forEach((_, key1) => {
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- The existence of innerMap2 ensures this is non-null
+            const innerMap1 = this.#map1.get(key1);
+            innerMap1.delete(key2);
+            if (innerMap1.size === 0) {
+                this.#map1.delete(key1);
+            }
+        });
+        // Remove the entire inner map from #map2
+        this.#map2.delete(key2);
+    }
+    delete(key1, key2) {
+        if (!this.has(key1, key2)) {
+            return false;
+        }
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- The has() check above ensures non-null
+        const innerMap1 = this.#map1.get(key1);
+        innerMap1.delete(key2);
+        if (innerMap1.size === 0) {
+            this.#map1.delete(key1);
+        }
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- The has() check above ensures non-null
+        const innerMap2 = this.#map2.get(key2);
+        innerMap2.delete(key1);
+        if (innerMap2.size === 0) {
+            this.#map2.delete(key2);
+        }
+        this.#size--;
+        return true;
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Must exactly match interface
+    forEach(callbackfn, thisArg) {
+        this.#map1.forEach((innerMap1, key1) => {
+            innerMap1.forEach((value, key2) => {
+                callbackfn.call(thisArg, value, key1, key2);
+            });
+        });
+    }
+    get(key1, key2) {
+        return this.#map1.get(key1)?.get(key2);
+    }
+    has(key1, key2) {
+        const result1 = this.#map1.get(key1)?.has(key2);
+        if (this.testMode) {
+            const result2 = this.#map2.get(key2)?.has(key1);
+            if (!!result1 !== !!result2) {
+                throw new Error('Inconsistent state in TwoKeyCaselessMap');
+            }
+        }
+        return result1 ?? false;
+    }
+    set(key1, key2, value) {
+        const alreadyHadEntry = this.has(key1, key2);
+        let innerMap1 = this.#map1.get(key1);
+        if (!innerMap1) {
+            innerMap1 = new CaselessMap_1.CaselessMap();
+            this.#map1.set(key1, innerMap1);
+        }
+        innerMap1.set(key2, value);
+        let innerMap2 = this.#map2.get(key2);
+        if (!innerMap2) {
+            innerMap2 = new CaselessMap_1.CaselessMap();
+            this.#map2.set(key2, innerMap2);
+        }
+        innerMap2.set(key1, value);
+        if (!alreadyHadEntry) {
+            this.#size++;
+        }
+        return this;
+    }
+    get size() {
+        return this.#size;
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    entriesByFirstKey(key1) {
+        return this.#map1.get(key1)?.entries() ?? emptyIterator();
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    entriesBySecondKey(key2) {
+        return this.#map2.get(key2)?.entries() ?? emptyIterator();
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    *entries() {
+        for (const [key1, innerMap1] of this.#map1) {
+            for (const [key2, value] of innerMap1) {
+                yield [key1, key2, value];
+            }
+        }
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    keysByFirstKey(key1) {
+        return this.#map1.get(key1)?.keys() ?? emptyIterator();
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    keysBySecondKey(key2) {
+        return this.#map2.get(key2)?.keys() ?? emptyIterator();
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    *keys() {
+        for (const [key1, innerMap1] of this.#map1) {
+            for (const key2 of innerMap1.keys()) {
+                yield [key1, key2];
+            }
+        }
+    }
+    valuesByFirstKey(key1) {
+        return this.#map1.get(key1)?.values() ?? emptyIterator();
+    }
+    valuesBySecondKey(key2) {
+        return this.#map2.get(key2)?.values() ?? emptyIterator();
+    }
+    *values() {
+        for (const innerMap1 of this.#map1.values()) {
+            for (const value of innerMap1.values()) {
+                yield value;
+            }
+        }
+    }
+    /**
+     * @important Keys returned **match original case**!
+     */
+    [Symbol.iterator]() {
+        return this.entries();
+    }
+    [Symbol.toStringTag] = 'TwoKeyCaselessMap';
+}
+exports.TwoKeyCaselessMap = TwoKeyCaselessMap;
+function emptyIterator() {
+    return [][Symbol.iterator]();
+}
+//# sourceMappingURL=TwoKeyCaselessMap.js.map

package/dist/cjs/src/utils/screen.js

@@ -0,0 +1,62 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.screen = screen;
+// These regexes are not perfect, but should work for common cases
+// If they don't work, we'll just return the account ID, which does not need to be screened
+const accountLabelRegex = /^(?<email>[^@]+)@(?<domain>[\w]+(\.[\w]+)+)$/i;
+const domainRegex = /^(?<domain>[^.]+)(?<safeTld>\.com(\..*)?|\.net|\.org|\.co\..*|\.gov)$/i;
+/**
+ * Screens the label or display name of an Azure account or tenant so that it can be logged without exposing PII.
+ * This should *NOT* be considered fool-proof nor safe for telemetry, but is acceptable for local logging.
+ * @param accountOrTenant The account or tenant to screen the label / display name of
+ * @returns The screened label / display name
+ */
+function screen(accountOrTenant) {
+    if ('label' in accountOrTenant && !!accountOrTenant.label) {
+        const match = accountLabelRegex.exec(accountOrTenant.label);
+        if (match?.groups?.email && match.groups.domain) {
+            let screenedEmail = match.groups.email;
+            if (screenedEmail.length <= 2) {
+                screenedEmail = '***';
+            }
+            else {
+                screenedEmail = `${screenedEmail.at(0)}***${screenedEmail.at(-1)}`;
+            }
+            let screenedDomain = match.groups.domain;
+            const domainMatch = domainRegex.exec(match.groups.domain);
+            if (domainMatch?.groups?.domain && domainMatch.groups.safeTld) {
+                if (domainMatch.groups.domain.length <= 2) {
+                    screenedDomain = `***${domainMatch.groups.safeTld}`;
+                }
+                else {
+                    screenedDomain = `${domainMatch.groups.domain.at(0)}***${domainMatch.groups.safeTld}`;
+                }
+            }
+            else if (screenedDomain.length <= 2) {
+                screenedDomain = '***';
+            }
+            else {
+                screenedDomain = `${screenedDomain.at(0)}***${screenedDomain.at(-1)}`;
+            }
+            return `${screenedEmail}@${screenedDomain}`;
+        }
+        // If we can't match it with our simple regex, just return the account ID instead
+        return accountOrTenant.id;
+    }
+    else if ('displayName' in accountOrTenant && !!accountOrTenant.displayName) {
+        if (accountOrTenant.displayName.length <= 2) {
+            // For too-short names, just return the ID
+            return accountOrTenant.tenantId;
+        }
+        else {
+            // Return the first character, three stars, and the last character
+            return `${accountOrTenant.displayName.at(0)}***${accountOrTenant.displayName.at(-1)}`;
+        }
+    }
+    return 'unknown';
+}
+//# sourceMappingURL=screen.js.map

package/dist/cjs/src/{signInToTenant.js → utils/signInToTenant.js}

@@ -39,27 +39,30 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.signInToTenant = signInToTenant;
 const vscode = __importStar(require("vscode"));
-const getUnauthenticatedTenants_1 = require("./utils/getUnauthenticatedTenants");
 /**
  * Prompts user to select from a list of unauthenticated tenants.
- * Once selected, requests a new session from VS Code specifially for this tenant.
+ * Once selected, requests a new session from VS Code specifically for this tenant.
  */
-async function signInToTenant(subscriptionProvider) {
-    const tenantId = await pickTenant(subscriptionProvider);
-    if (tenantId) {
-        await subscriptionProvider.signIn(tenantId);
+async function signInToTenant(subscriptionProvider, account) {
+    const tenant = await pickTenant(subscriptionProvider, account);
+    if (tenant) {
+        await subscriptionProvider.signIn(tenant);
     }
 }
-async function pickTenant(subscriptionProvider) {
-    const pick = await vscode.window.showQuickPick(getPicks(subscriptionProvider), {
-        placeHolder: 'Select a Tenant (Directory) to Sign In To', // TODO: localize
+async function pickTenant(subscriptionProvider, account) {
+    const pick = await vscode.window.showQuickPick(getPicks(subscriptionProvider, account), {
+        placeHolder: vscode.l10n.t('Select a Tenant (Directory) to Sign In To'),
         matchOnDescription: true, // allow searching by tenantId
         ignoreFocusOut: true,
     });
-    return pick?.tenant.tenantId;
+    return pick?.tenant;
 }
-async function getPicks(subscriptionProvider) {
-    const unauthenticatedTenants = await (0, getUnauthenticatedTenants_1.getUnauthenticatedTenants)(subscriptionProvider);
+async function getPicks(subscriptionProvider, account) {
+    const unauthenticatedTenants = [];
+    const accounts = account ? [account] : await subscriptionProvider.getAccounts();
+    for (const account of accounts) {
+        unauthenticatedTenants.push(...await subscriptionProvider.getUnauthenticatedTenantsForAccount(account));
+    }
     const duplicateTenants = new Set(unauthenticatedTenants
         .filter((tenant, index, self) => index !== self.findIndex(t => t.tenantId === tenant.tenantId))
         .map(tenant => tenant.tenantId));
@@ -69,7 +72,6 @@ async function getPicks(subscriptionProvider) {
         .sort((a, b) => (a.displayName).localeCompare(b.displayName))
         .map(tenant => ({
         label: tenant.displayName ?? '',
-        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
         description: `${tenant.tenantId}${isDuplicate(tenant.tenantId) ? ` (${tenant.account.label})` : ''}`,
         detail: tenant.defaultDomain ?? '',
         tenant,

package/dist/cjs/src/utils/tryGetTokenExpiration.js

@@ -0,0 +1,25 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tryGetTokenExpiration = tryGetTokenExpiration;
+function tryGetTokenExpiration(session) {
+    try {
+        if (!!session?.idToken) {
+            const idTokenParts = session.idToken.split('.');
+            if (idTokenParts.length === 3) {
+                const payload = JSON.parse(Buffer.from(idTokenParts[1], 'base64').toString());
+                if (payload.exp !== undefined && Number.isInteger(payload.exp)) {
+                    return payload.exp * 1000; // Convert to milliseconds
+                }
+            }
+        }
+    }
+    catch {
+        // Best effort only
+    }
+    return 0;
+}
+//# sourceMappingURL=tryGetTokenExpiration.js.map

package/dist/esm/src/contracts/AzureAccount.d.ts

@@ -0,0 +1,5 @@
+import type * as vscode from 'vscode';
+/**
+ * A shortcut type for {@link vscode.AuthenticationSessionAccountInformation}
+ */
+export type AzureAccount = Readonly<vscode.AuthenticationSessionAccountInformation>;

package/dist/esm/src/contracts/AzureAccount.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureAccount.js.map

package/dist/esm/src/{AzureAuthentication.d.ts → contracts/AzureAuthentication.d.ts}

@@ -5,7 +5,7 @@ import type * as vscode from 'vscode';
 export interface AzureAuthentication {
     /**
      * Gets a VS Code authentication session for an Azure subscription.
-     * Always uses the default scope, `https://management.azure.com/.default/` and respects `microsoft-sovereign-cloud.environment` setting.
+     * Always uses the default scope, ~`https://management.core.windows.net/.default` and respects `microsoft-sovereign-cloud.environment` setting.
      *
      * @returns A VS Code authentication session or undefined, if none could be obtained.
      */