@microsoft/vscode-azext-azureauth 6.0.0-alpha.8 → 6.1.0-alpha.1

package/CHANGELOG.md

@@ -1,10 +1,39 @@
 # Change Log
 
+## 6.0.0-alpha.8 - 2026-03-27
+
+* [#2248](https://github.com/microsoft/vscode-azuretools/pull/2248) Watch sovereign cloud config and fire `onRefreshSuggested`
+
+## 6.0.0-alpha.7 - 2026-03-27
+
+* [#2246](https://github.com/microsoft/vscode-azuretools/pull/2246) Reduce auth event debounce from 5s to 2s
+* [#2245](https://github.com/microsoft/vscode-azuretools/pull/2245) Ensure `subscriptionFilterChange` events are not suppressed during debounce
+* [#2235](https://github.com/microsoft/vscode-azuretools/pull/2235) npm audit fix in all package subfolders
+
+## 6.0.0-alpha.6 - 2026-03-20
+
+* [#2231](https://github.com/microsoft/vscode-azuretools/pull/2231) Add BearerChallengePolicy for MFA step-up challenges during subscription listing
+
+## 6.0.0-alpha.5 - 2026-03-11
+
+* [#2215](https://github.com/microsoft/vscode-azuretools/pull/2215) Improve error message for `platform_broker_error`
+* [#2214](https://github.com/microsoft/vscode-azuretools/pull/2214) Switch debug logs to info
+
+## 6.0.0-alpha.4 - 2026-03-11
+
+* [#2208](https://github.com/microsoft/vscode-azuretools/pull/2208) Skip failing tenants instead of aborting subscription listing
+
+## 6.0.0-alpha.3 - 2026-03-11
+
+* [#2198](https://github.com/microsoft/vscode-azuretools/pull/2198) Go back to overriding the sdk scopes
+* [#2200](https://github.com/microsoft/vscode-azuretools/pull/2200) Attach environment to account
+* [#2190](https://github.com/microsoft/vscode-azuretools/pull/2190) Updating dependencies
+
 ## 6.0.0-alpha.2 - 2026-02-09
 
-* Fix copy all optional properties in `ExtendedEnvironment` constructor
+* [#2186](https://github.com/microsoft/vscode-azuretools/pull/2186) Fix copy all optional properties in `ExtendedEnvironment` constructor
 
-## 6.0.0 - 2025-12-15
+## 6.0.0-alpha.1 - 2025-12-05
 
 * [#2119](https://github.com/microsoft/vscode-azuretools/pull/2119) Complete rewrite of the auth package. Adds caching, parallelization, and smarter filtering.
 

package/dist/cjs/src/providers/AzureDevOpsSubscriptionProvider.js

@@ -39,6 +39,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AzureDevOpsSubscriptionProvider = void 0;
 exports.createAzureDevOpsSubscriptionProviderFactory = createAzureDevOpsSubscriptionProviderFactory;
+const api_1 = require("@azure/arm-resources-subscriptions/api");
 const azureEnv = __importStar(require("@azure/ms-rest-azure-env")); // This package is so small that it's not worth lazy loading
 const crypto = __importStar(require("crypto"));
 const configuredAzureEnv_1 = require("../utils/configuredAzureEnv");
@@ -52,7 +53,6 @@ function createAzureDevOpsSubscriptionProviderFactory(initializer) {
         return Promise.resolve(azureDevOpsSubscriptionProvider);
     };
 }
-let armSubs;
 let azIdentity;
 /**
  * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
@@ -121,7 +121,7 @@ class AzureDevOpsSubscriptionProvider extends AzureSubscriptionProviderBase_1.Az
     /**
      * @inheritdoc
      */
-    async getSubscriptionClient(tenant) {
+    getSubscriptionContext(tenant) {
         if (!this._tokenCredential) {
             throw new NotSignedInError_1.NotSignedInError();
         }
@@ -140,9 +140,8 @@ class AzureDevOpsSubscriptionProvider extends AzureSubscriptionProviderBase_1.Az
                 scopes: scopes,
             };
         };
-        armSubs ??= await import('@azure/arm-resources-subscriptions');
         return {
-            client: new armSubs.SubscriptionClient(this._tokenCredential),
+            context: (0, api_1.createSubscription)(this._tokenCredential),
             credential: this._tokenCredential,
             authentication: {
                 getSession: () => {

package/dist/cjs/src/providers/AzureSubscriptionProviderBase.js

@@ -38,10 +38,13 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AzureSubscriptionProviderBase = void 0;
-const BearerChallengePolicy_1 = require("../utils/BearerChallengePolicy");
+const api_1 = require("@azure/arm-resources-subscriptions/api");
+const subscriptions_1 = require("@azure/arm-resources-subscriptions/api/subscriptions");
+const tenants_1 = require("@azure/arm-resources-subscriptions/api/tenants");
 const util_1 = require("util");
 const vscode = __importStar(require("vscode"));
 const AzureSubscriptionProviderRequestOptions_1 = require("../contracts/AzureSubscriptionProviderRequestOptions");
+const BearerChallengePolicy_1 = require("../utils/BearerChallengePolicy");
 const configuredAzureEnv_1 = require("../utils/configuredAzureEnv");
 const dedupeSubscriptions_1 = require("../utils/dedupeSubscriptions");
 const getSessionFromVSCode_1 = require("../utils/getSessionFromVSCode");
@@ -55,7 +58,6 @@ const EventDebounce = 2 * 1000; // 2 seconds minimum between `onRefreshSuggested
 const EventSilenceTime = 5 * 1000; // 5 seconds after sign-in to silence `onRefreshSuggested` events
 const TenantListConcurrency = 3; // We will try to list tenants for at most 3 accounts in parallel
 const SubscriptionListConcurrency = 5; // We will try to list subscriptions for at most 5 account+tenants in parallel
-let armSubs;
 /**
  * Base class for Azure subscription providers that use VS Code authentication.
  * Handles actual communication with Azure via the Azure SDK, as well as
@@ -275,9 +277,9 @@ class AzureSubscriptionProviderBase {
         try {
             const startTime = Date.now();
             this.logForAccount(account, 'Fetching tenants for account...');
-            const { client } = await this.getSubscriptionClient({ account: account, tenantId: undefined });
+            const { context } = this.getSubscriptionContext({ account: account, tenantId: undefined });
             const allTenants = [];
-            for await (const tenant of client.tenants.list({ abortSignal: (0, getSignalForToken_1.getSignalForToken)(options.token) })) {
+            for await (const tenant of (0, tenants_1.list)(context, { abortSignal: (0, getSignalForToken_1.getSignalForToken)(options.token) })) {
                 allTenants.push({
                     ...tenant,
                     tenantId: tenant.tenantId, // eslint-disable-line @typescript-eslint/no-non-null-assertion -- This is never null in practice
@@ -301,10 +303,10 @@ class AzureSubscriptionProviderBase {
         try {
             const startTime = Date.now();
             this.logForTenant(tenant, 'Fetching subscriptions for account+tenant...');
-            const { client, credential, authentication } = await this.getSubscriptionClient(tenant);
+            const { context, credential, authentication } = this.getSubscriptionContext(tenant);
             const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
             const allSubs = [];
-            for await (const subscription of client.subscriptions.list({ abortSignal: (0, getSignalForToken_1.getSignalForToken)(options.token) })) {
+            for await (const subscription of (0, subscriptions_1.list)(context, { abortSignal: (0, getSignalForToken_1.getSignalForToken)(options.token) })) {
                 allSubs.push({
                     authentication: authentication,
                     environment: environment,
@@ -329,12 +331,12 @@ class AzureSubscriptionProviderBase {
         }
     }
     /**
-     * Gets a {@link SubscriptionClient} plus extras for the given account+tenant.
-     * @param tenant (Optional) The account+tenant to get a subscription client for. If not specified, the default account and home tenant
+     * Gets a {@link SubscriptionContext} plus extras for the given account+tenant.
+     * @param tenant (Optional) The account+tenant to get a subscription context for. If not specified, the default account and home tenant
      * will be used.
-     * @returns A {@link SubscriptionClient}, {@link TokenCredential}, and {@link AzureAuthentication} for the given account+tenant.
+     * @returns A {@link SubscriptionContext}, {@link TokenCredential}, and {@link AzureAuthentication} for the given account+tenant.
      */
-    async getSubscriptionClient(tenant) {
+    getSubscriptionContext(tenant) {
         // Credential ignores requested scopes and always uses default scopes (managementEndpointUrl),
         // matching the scope used during signIn(). This avoids a refresh token round-trip that can
         // fail when MSAL has stale cache entries for a different scope.
@@ -351,16 +353,16 @@ class AzureSubscriptionProviderBase {
                 };
             }
         };
-        armSubs ??= await import('@azure/arm-resources-subscriptions');
-        const endpoint = (0, configuredAzureEnv_1.getConfiguredAzureEnv)().resourceManagerEndpointUrl;
-        const client = new armSubs.SubscriptionClient(credential, { endpoint });
-        client.pipeline.addPolicy(new BearerChallengePolicy_1.BearerChallengePolicy(async (challenge) => {
+        const rawEndpoint = (0, configuredAzureEnv_1.getConfiguredAzureEnv)().resourceManagerEndpointUrl;
+        const endpoint = rawEndpoint.endsWith('/') ? rawEndpoint : `${rawEndpoint}/`;
+        const context = (0, api_1.createSubscription)(credential, { endpoint });
+        context.pipeline.addPolicy(new BearerChallengePolicy_1.BearerChallengePolicy(async (challenge) => {
             this.silenceRefreshEvents();
             const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(challenge, tenant.tenantId, { createIfNone: true, account: tenant.account });
             return session?.accessToken;
         }, endpoint), { phase: 'Sign', afterPolicies: ['bearerTokenAuthenticationPolicy'] });
         return {
-            client,
+            context: context,
             credential: credential,
             authentication: {
                 getSession: async () => {

package/dist/cjs/src/utils/tryGetTokenExpiration.js

@@ -10,7 +10,7 @@ function tryGetTokenExpiration(session) {
         if (!!session?.idToken) {
             const idTokenParts = session.idToken.split('.');
             if (idTokenParts.length === 3) {
-                const payload = JSON.parse(Buffer.from(idTokenParts[1], 'base64').toString());
+                const payload = JSON.parse(Buffer.from(idTokenParts[1], 'base64url').toString());
                 if (payload.exp !== undefined && Number.isInteger(payload.exp)) {
                     return payload.exp * 1000; // Convert to milliseconds
                 }

package/dist/esm/src/contracts/AzureTenant.d.ts

@@ -1,4 +1,4 @@
-import type { TenantIdDescription } from "@azure/arm-resources-subscriptions";
+import type { TenantIdDescription } from "@azure/arm-resources-subscriptions/models";
 import type { AzureAccount } from "./AzureAccount";
 /**
  * An Azure tenant associated with a specific account

package/dist/esm/src/providers/AzureDevOpsSubscriptionProvider.d.ts

@@ -1,4 +1,4 @@
-import type { SubscriptionClient } from '@azure/arm-resources-subscriptions';
+import { type SubscriptionContext } from '@azure/arm-resources-subscriptions/api';
 import type { TokenCredential } from '@azure/core-auth';
 import type * as vscode from 'vscode';
 import type { AzureAccount } from '../contracts/AzureAccount';
@@ -60,9 +60,9 @@ export declare class AzureDevOpsSubscriptionProvider extends AzureSubscriptionPr
     /**
      * @inheritdoc
      */
-    protected getSubscriptionClient(tenant: TenantIdAndAccount): Promise<{
-        client: SubscriptionClient;
+    protected getSubscriptionContext(tenant: TenantIdAndAccount): {
+        context: SubscriptionContext;
         credential: TokenCredential;
         authentication: AzureAuthentication;
-    }>;
+    };
 }

package/dist/esm/src/providers/AzureDevOpsSubscriptionProvider.js

@@ -2,6 +2,7 @@
  *  Copyright (c) Microsoft Corporation. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
+import { createSubscription } from '@azure/arm-resources-subscriptions/api';
 import * as azureEnv from '@azure/ms-rest-azure-env'; // This package is so small that it's not worth lazy loading
 import * as crypto from 'crypto';
 import { ExtendedEnvironment } from '../utils/configuredAzureEnv';
@@ -15,7 +16,6 @@ export function createAzureDevOpsSubscriptionProviderFactory(initializer) {
         return Promise.resolve(azureDevOpsSubscriptionProvider);
     };
 }
-let armSubs;
 let azIdentity;
 /**
  * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
@@ -84,7 +84,7 @@ export class AzureDevOpsSubscriptionProvider extends AzureSubscriptionProviderBa
     /**
      * @inheritdoc
      */
-    async getSubscriptionClient(tenant) {
+    getSubscriptionContext(tenant) {
         if (!this._tokenCredential) {
             throw new NotSignedInError();
         }
@@ -103,9 +103,8 @@ export class AzureDevOpsSubscriptionProvider extends AzureSubscriptionProviderBa
                 scopes: scopes,
             };
         };
-        armSubs ??= await import('@azure/arm-resources-subscriptions');
         return {
-            client: new armSubs.SubscriptionClient(this._tokenCredential),
+            context: createSubscription(this._tokenCredential),
             credential: this._tokenCredential,
             authentication: {
                 getSession: () => {

package/dist/esm/src/providers/AzureSubscriptionProviderBase.d.ts

@@ -1,4 +1,4 @@
-import type { SubscriptionClient } from '@azure/arm-resources-subscriptions';
+import { type SubscriptionContext } from '@azure/arm-resources-subscriptions/api';
 import type { TokenCredential } from '@azure/core-auth';
 import * as vscode from 'vscode';
 import type { AzureAccount } from '../contracts/AzureAccount';
@@ -54,16 +54,16 @@ export declare abstract class AzureSubscriptionProviderBase implements AzureSubs
      */
     getSubscriptionsForTenant(tenant: TenantIdAndAccount, options?: GetSubscriptionsForTenantOptions): Promise<AzureSubscription[]>;
     /**
-     * Gets a {@link SubscriptionClient} plus extras for the given account+tenant.
-     * @param tenant (Optional) The account+tenant to get a subscription client for. If not specified, the default account and home tenant
+     * Gets a {@link SubscriptionContext} plus extras for the given account+tenant.
+     * @param tenant (Optional) The account+tenant to get a subscription context for. If not specified, the default account and home tenant
      * will be used.
-     * @returns A {@link SubscriptionClient}, {@link TokenCredential}, and {@link AzureAuthentication} for the given account+tenant.
+     * @returns A {@link SubscriptionContext}, {@link TokenCredential}, and {@link AzureAuthentication} for the given account+tenant.
      */
-    protected getSubscriptionClient(tenant: Partial<TenantIdAndAccount>): Promise<{
-        client: SubscriptionClient;
+    protected getSubscriptionContext(tenant: Partial<TenantIdAndAccount>): {
+        context: SubscriptionContext;
         credential: TokenCredential;
         authentication: AzureAuthentication;
-    }>;
+    };
     protected log(message: string): void;
     protected logForAccount(account: AzureAccount, message: string): void;
     protected logForTenant(tenant: TenantIdAndAccount, message: string): void;

package/dist/esm/src/providers/AzureSubscriptionProviderBase.js

@@ -2,10 +2,13 @@
  *  Copyright (c) Microsoft Corporation. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
-import { BearerChallengePolicy } from '../utils/BearerChallengePolicy';
+import { createSubscription } from '@azure/arm-resources-subscriptions/api';
+import { list as listSubscriptions } from '@azure/arm-resources-subscriptions/api/subscriptions';
+import { list as listTenants } from '@azure/arm-resources-subscriptions/api/tenants';
 import { inspect } from 'util';
 import * as vscode from 'vscode';
 import { DefaultOptions, DefaultSignInOptions } from '../contracts/AzureSubscriptionProviderRequestOptions';
+import { BearerChallengePolicy } from '../utils/BearerChallengePolicy';
 import { getConfiguredAuthProviderId, getConfiguredAzureEnv } from '../utils/configuredAzureEnv';
 import { dedupeSubscriptions } from '../utils/dedupeSubscriptions';
 import { getSessionFromVSCode } from '../utils/getSessionFromVSCode';
@@ -19,7 +22,6 @@ const EventDebounce = 2 * 1000; // 2 seconds minimum between `onRefreshSuggested
 const EventSilenceTime = 5 * 1000; // 5 seconds after sign-in to silence `onRefreshSuggested` events
 const TenantListConcurrency = 3; // We will try to list tenants for at most 3 accounts in parallel
 const SubscriptionListConcurrency = 5; // We will try to list subscriptions for at most 5 account+tenants in parallel
-let armSubs;
 /**
  * Base class for Azure subscription providers that use VS Code authentication.
  * Handles actual communication with Azure via the Azure SDK, as well as
@@ -239,9 +241,9 @@ export class AzureSubscriptionProviderBase {
         try {
             const startTime = Date.now();
             this.logForAccount(account, 'Fetching tenants for account...');
-            const { client } = await this.getSubscriptionClient({ account: account, tenantId: undefined });
+            const { context } = this.getSubscriptionContext({ account: account, tenantId: undefined });
             const allTenants = [];
-            for await (const tenant of client.tenants.list({ abortSignal: getSignalForToken(options.token) })) {
+            for await (const tenant of listTenants(context, { abortSignal: getSignalForToken(options.token) })) {
                 allTenants.push({
                     ...tenant,
                     tenantId: tenant.tenantId, // eslint-disable-line @typescript-eslint/no-non-null-assertion -- This is never null in practice
@@ -265,10 +267,10 @@ export class AzureSubscriptionProviderBase {
         try {
             const startTime = Date.now();
             this.logForTenant(tenant, 'Fetching subscriptions for account+tenant...');
-            const { client, credential, authentication } = await this.getSubscriptionClient(tenant);
+            const { context, credential, authentication } = this.getSubscriptionContext(tenant);
             const environment = getConfiguredAzureEnv();
             const allSubs = [];
-            for await (const subscription of client.subscriptions.list({ abortSignal: getSignalForToken(options.token) })) {
+            for await (const subscription of listSubscriptions(context, { abortSignal: getSignalForToken(options.token) })) {
                 allSubs.push({
                     authentication: authentication,
                     environment: environment,
@@ -293,12 +295,12 @@ export class AzureSubscriptionProviderBase {
         }
     }
     /**
-     * Gets a {@link SubscriptionClient} plus extras for the given account+tenant.
-     * @param tenant (Optional) The account+tenant to get a subscription client for. If not specified, the default account and home tenant
+     * Gets a {@link SubscriptionContext} plus extras for the given account+tenant.
+     * @param tenant (Optional) The account+tenant to get a subscription context for. If not specified, the default account and home tenant
      * will be used.
-     * @returns A {@link SubscriptionClient}, {@link TokenCredential}, and {@link AzureAuthentication} for the given account+tenant.
+     * @returns A {@link SubscriptionContext}, {@link TokenCredential}, and {@link AzureAuthentication} for the given account+tenant.
      */
-    async getSubscriptionClient(tenant) {
+    getSubscriptionContext(tenant) {
         // Credential ignores requested scopes and always uses default scopes (managementEndpointUrl),
         // matching the scope used during signIn(). This avoids a refresh token round-trip that can
         // fail when MSAL has stale cache entries for a different scope.
@@ -315,16 +317,16 @@ export class AzureSubscriptionProviderBase {
                 };
             }
         };
-        armSubs ??= await import('@azure/arm-resources-subscriptions');
-        const endpoint = getConfiguredAzureEnv().resourceManagerEndpointUrl;
-        const client = new armSubs.SubscriptionClient(credential, { endpoint });
-        client.pipeline.addPolicy(new BearerChallengePolicy(async (challenge) => {
+        const rawEndpoint = getConfiguredAzureEnv().resourceManagerEndpointUrl;
+        const endpoint = rawEndpoint.endsWith('/') ? rawEndpoint : `${rawEndpoint}/`;
+        const context = createSubscription(credential, { endpoint });
+        context.pipeline.addPolicy(new BearerChallengePolicy(async (challenge) => {
             this.silenceRefreshEvents();
             const session = await getSessionFromVSCode(challenge, tenant.tenantId, { createIfNone: true, account: tenant.account });
             return session?.accessToken;
         }, endpoint), { phase: 'Sign', afterPolicies: ['bearerTokenAuthenticationPolicy'] });
         return {
-            client,
+            context: context,
             credential: credential,
             authentication: {
                 getSession: async () => {

package/dist/esm/src/utils/tryGetTokenExpiration.js

@@ -7,7 +7,7 @@ export function tryGetTokenExpiration(session) {
         if (!!session?.idToken) {
             const idTokenParts = session.idToken.split('.');
             if (idTokenParts.length === 3) {
-                const payload = JSON.parse(Buffer.from(idTokenParts[1], 'base64').toString());
+                const payload = JSON.parse(Buffer.from(idTokenParts[1], 'base64url').toString());
                 if (payload.exp !== undefined && Number.isInteger(payload.exp)) {
                     return payload.exp * 1000; // Convert to milliseconds
                 }

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureauth",
     "author": "Microsoft Corporation",
-    "version": "6.0.0-alpha.8",
+    "version": "6.1.0-alpha.1",
     "description": "Azure authentication helpers for Visual Studio Code",
     "tags": [
         "azure",
@@ -48,15 +48,15 @@
         "vscode": "^1.106.0"
     },
     "devDependencies": {
-        "@azure/core-auth": "^1.10.1",
-        "@microsoft/vscode-azext-eng": "1.0.0-alpha.13",
+        "@microsoft/vscode-azext-eng": "^1.1.0-alpha.1",
         "@types/node": "22.x",
         "@types/vscode": "1.106.0"
     },
     "dependencies": {
-        "@azure/arm-resources-subscriptions": "^2.1.0",
-        "@azure/core-rest-pipeline": "^1.22.2",
-        "@azure/identity": "^4.13.0",
+        "@azure/arm-resources-subscriptions": "^3.0.0-beta.1",
+        "@azure/core-auth": "^1.10.1",
+        "@azure/core-rest-pipeline": "^1.23.0",
+        "@azure/identity": "^4.13.1",
         "@azure/ms-rest-azure-env": "^2.0.0"
     },
     "publishConfig": {
@@ -65,10 +65,15 @@
     "mocha": {
         "ui": "tdd",
         "node-option": [
-            "import=tsx"
+            "experimental-transform-types",
+            "disable-warning=ExperimentalWarning",
+            "import=@microsoft/vscode-azext-eng/mocha"
         ],
         "spec": [
             "test/**/*.test.ts"
         ]
+    },
+    "overrides": {
+        "serialize-javascript": "^7.0.5"
     }
 }