@ms-cloudpack/remote-cache 0.8.12 → 0.8.14

package/dist/{getCredential-FLIB2Y4Q.js → getCredential-TGHZRNZU.js}

@@ -8,13 +8,12 @@ import {
   require_package as require_package2
 } from "./chunk-F35F2EJX.js";
 import {
-  require_commonjs as require_commonjs2,
-  require_commonjs2 as require_commonjs3,
-  require_commonjs3 as require_commonjs4,
-  require_commonjs4 as require_commonjs5,
-  require_dist,
+  require_commonjs2,
+  require_commonjs3,
+  require_commonjs4,
+  require_commonjs5,
   require_package
-} from "./chunk-4MIMLTI6.js";
+} from "./chunk-S3ZJNZYB.js";
 import {
   __commonJS,
   __esm,
@@ -26,6 +25,157 @@ import {
   require_commonjs
 } from "./chunk-PAESICSC.js";
 
+// ../../node_modules/.store/@azure-abort-controller-npm-1.1.0-5b4e309629/package/dist/index.js
+var require_dist = __commonJS({
+  "../../node_modules/.store/@azure-abort-controller-npm-1.1.0-5b4e309629/package/dist/index.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    var listenersMap = /* @__PURE__ */ new WeakMap();
+    var abortedMap = /* @__PURE__ */ new WeakMap();
+    var _AbortSignal = class _AbortSignal {
+      constructor() {
+        this.onabort = null;
+        listenersMap.set(this, []);
+        abortedMap.set(this, false);
+      }
+      /**
+       * Status of whether aborted or not.
+       *
+       * @readonly
+       */
+      get aborted() {
+        if (!abortedMap.has(this)) {
+          throw new TypeError("Expected `this` to be an instance of AbortSignal.");
+        }
+        return abortedMap.get(this);
+      }
+      /**
+       * Creates a new AbortSignal instance that will never be aborted.
+       *
+       * @readonly
+       */
+      static get none() {
+        return new _AbortSignal();
+      }
+      /**
+       * Added new "abort" event listener, only support "abort" event.
+       *
+       * @param _type - Only support "abort" event
+       * @param listener - The listener to be added
+       */
+      addEventListener(_type, listener) {
+        if (!listenersMap.has(this)) {
+          throw new TypeError("Expected `this` to be an instance of AbortSignal.");
+        }
+        const listeners = listenersMap.get(this);
+        listeners.push(listener);
+      }
+      /**
+       * Remove "abort" event listener, only support "abort" event.
+       *
+       * @param _type - Only support "abort" event
+       * @param listener - The listener to be removed
+       */
+      removeEventListener(_type, listener) {
+        if (!listenersMap.has(this)) {
+          throw new TypeError("Expected `this` to be an instance of AbortSignal.");
+        }
+        const listeners = listenersMap.get(this);
+        const index = listeners.indexOf(listener);
+        if (index > -1) {
+          listeners.splice(index, 1);
+        }
+      }
+      /**
+       * Dispatches a synthetic event to the AbortSignal.
+       */
+      dispatchEvent(_event) {
+        throw new Error("This is a stub dispatchEvent implementation that should not be used.  It only exists for type-checking purposes.");
+      }
+    };
+    __name(_AbortSignal, "AbortSignal");
+    var AbortSignal = _AbortSignal;
+    function abortSignal(signal) {
+      if (signal.aborted) {
+        return;
+      }
+      if (signal.onabort) {
+        signal.onabort.call(signal);
+      }
+      const listeners = listenersMap.get(signal);
+      if (listeners) {
+        listeners.slice().forEach((listener) => {
+          listener.call(signal, { type: "abort" });
+        });
+      }
+      abortedMap.set(signal, true);
+    }
+    __name(abortSignal, "abortSignal");
+    var _AbortError = class _AbortError extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "AbortError";
+      }
+    };
+    __name(_AbortError, "AbortError");
+    var AbortError = _AbortError;
+    var _AbortController = class _AbortController {
+      // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
+      constructor(parentSignals) {
+        this._signal = new AbortSignal();
+        if (!parentSignals) {
+          return;
+        }
+        if (!Array.isArray(parentSignals)) {
+          parentSignals = arguments;
+        }
+        for (const parentSignal of parentSignals) {
+          if (parentSignal.aborted) {
+            this.abort();
+          } else {
+            parentSignal.addEventListener("abort", () => {
+              this.abort();
+            });
+          }
+        }
+      }
+      /**
+       * The AbortSignal associated with this controller that will signal aborted
+       * when the abort method is called on this controller.
+       *
+       * @readonly
+       */
+      get signal() {
+        return this._signal;
+      }
+      /**
+       * Signal that any operations passed this controller's associated abort signal
+       * to cancel any remaining work and throw an `AbortError`.
+       */
+      abort() {
+        abortSignal(this._signal);
+      }
+      /**
+       * Creates a new AbortSignal instance that will abort after the provided ms.
+       * @param ms - Elapsed time in milliseconds to trigger an abort.
+       */
+      static timeout(ms) {
+        const signal = new AbortSignal();
+        const timer = setTimeout(abortSignal, ms, signal);
+        if (typeof timer.unref === "function") {
+          timer.unref();
+        }
+        return signal;
+      }
+    };
+    __name(_AbortController, "AbortController");
+    var AbortController = _AbortController;
+    exports.AbortController = AbortController;
+    exports.AbortError = AbortError;
+    exports.AbortSignal = AbortSignal;
+  }
+});
+
 // ../../node_modules/.store/uuid-npm-8.3.2-eca0baba53/package/dist/esm-node/rng.js
 import crypto from "crypto";
 function rng() {
@@ -4063,9 +4213,9 @@ var require_package14 = __commonJS({
   }
 });
 
-// ../../node_modules/.store/@azure-msal-node-npm-2.14.0-f4e7538145/package/lib/msal-node.cjs
+// ../../node_modules/.store/@azure-msal-node-npm-2.15.0-02a613cb10/package/lib/msal-node.cjs
 var require_msal_node = __commonJS({
-  "../../node_modules/.store/@azure-msal-node-npm-2.14.0-f4e7538145/package/lib/msal-node.cjs"(exports) {
+  "../../node_modules/.store/@azure-msal-node-npm-2.15.0-02a613cb10/package/lib/msal-node.cjs"(exports) {
     "use strict";
     var http = __require("http");
     var https = __require("https");
@@ -12439,7 +12589,7 @@ Headers: ${JSON.stringify(headers)}`
     __name(_ClientAssertion, "ClientAssertion");
     var ClientAssertion = _ClientAssertion;
     var name = "@azure/msal-node";
-    var version2 = "2.14.0";
+    var version2 = "2.15.0";
     var _UsernamePasswordClient = class _UsernamePasswordClient extends BaseClient {
       constructor(configuration) {
         super(configuration);
@@ -14254,7 +14404,7 @@ Headers: ${JSON.stringify(headers)}`
           authority: this.fakeAuthority.canonicalAuthority,
           correlationId: this.cryptoProvider.createNewGuid()
         };
-        if (managedIdentityRequest.forceRefresh) {
+        if (managedIdentityRequestParams.claims || managedIdentityRequest.forceRefresh) {
           return this.managedIdentityClient.sendManagedIdentityTokenRequest(managedIdentityRequest, this.config.managedIdentityId, this.fakeAuthority);
         }
         const [cachedAuthenticationResult, lastCacheOutcome] = await this.fakeClientCredentialClient.getCachedAuthenticationResult(managedIdentityRequest, this.config, this.cryptoProvider, this.fakeAuthority, _ManagedIdentityApplication.nodeStorage);
@@ -14686,12 +14836,12 @@ var require_package18 = __commonJS({
   }
 });
 
-// ../../node_modules/.store/@azure-identity-npm-4.4.1-fea297e975/package/dist/index.js
+// ../../node_modules/.store/@azure-identity-npm-4.3.0-e85334d38f/package/dist/index.js
 var require_dist2 = __commonJS({
-  "../../node_modules/.store/@azure-identity-npm-4.4.1-fea297e975/package/dist/index.js"(exports) {
+  "../../node_modules/.store/@azure-identity-npm-4.3.0-e85334d38f/package/dist/index.js"(exports) {
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
-    var logger$m = require_commonjs();
+    var logger$r = require_commonjs();
     var coreClient = require_commonjs5();
     var coreUtil = require_commonjs2();
     var coreRestPipeline = require_commonjs4();
@@ -14701,12 +14851,13 @@ var require_dist2 = __commonJS({
     var os = __require("os");
     var path4 = __require("path");
     var msalCommon = require_msal_node();
-    var open = require_package18();
+    var fs$1 = __require("node:fs");
+    var https = __require("https");
     var promises = __require("fs/promises");
     var child_process = __require("child_process");
     var crypto4 = __require("crypto");
-    var promises$1 = __require("node:fs/promises");
-    var node_crypto = __require("node:crypto");
+    var open = require_package18();
+    var util = __require("util");
     function _interopNamespaceDefault(e) {
       var n = /* @__PURE__ */ Object.create(null);
       if (e) {
@@ -14728,7 +14879,7 @@ var require_dist2 = __commonJS({
     __name(_interopNamespaceDefault, "_interopNamespaceDefault");
     var msalCommon__namespace = /* @__PURE__ */ _interopNamespaceDefault(msalCommon);
     var child_process__namespace = /* @__PURE__ */ _interopNamespaceDefault(child_process);
-    var SDK_VERSION = `4.4.1`;
+    var SDK_VERSION = `4.3.0-beta.3`;
     var DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
     var DefaultTenantId = "common";
     exports.AzureAuthorityHosts = void 0;
@@ -14750,6 +14901,10 @@ var require_dist2 = __commonJS({
       }
     };
     var nativeBrokerInfo = void 0;
+    function hasNativeBroker() {
+      return nativeBrokerInfo !== void 0;
+    }
+    __name(hasNativeBroker, "hasNativeBroker");
     var msalNodeFlowNativeBrokerControl = {
       setNativeBroker(broker) {
         nativeBrokerInfo = {
@@ -14797,7 +14952,7 @@ var require_dist2 = __commonJS({
     var msalPlugins = {
       generatePluginConfiguration
     };
-    var logger$l = logger$m.createClientLogger("identity");
+    var logger$q = logger$r.createClientLogger("identity");
     function processEnvVars(supportedEnvVars) {
       return supportedEnvVars.reduce((acc, envVariable) => {
         if (process.env[envVariable]) {
@@ -14821,7 +14976,7 @@ var require_dist2 = __commonJS({
       return `${message} Error message: ${typeof error === "string" ? error : error.message}.`;
     }
     __name(formatError, "formatError");
-    function credentialLoggerInstance(title, parent, log = logger$l) {
+    function credentialLoggerInstance(title, parent, log = logger$q) {
       const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
       function info(message) {
         log.info(`${fullTitle} =>`, message);
@@ -14849,7 +15004,7 @@ var require_dist2 = __commonJS({
       };
     }
     __name(credentialLoggerInstance, "credentialLoggerInstance");
-    function credentialLogger(title, log = logger$l) {
+    function credentialLogger(title, log = logger$q) {
       const credLogger = credentialLoggerInstance(title, void 0, log);
       return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
     }
@@ -15016,6 +15171,8 @@ ${errorDetail}`);
     var imdsHost = "http://169.254.169.254";
     var imdsEndpointPath = "/metadata/identity/oauth2/token";
     var imdsApiVersion = "2018-02-01";
+    var azureArcAPIVersion = "2019-11-01";
+    var azureFabricVersion = "2019-07-01-preview";
     function mapScopesToResource(scopes) {
       let scope = "";
       if (Array.isArray(scopes)) {
@@ -15075,17 +15232,13 @@ ${errorDetail}`);
         } }, options), { userAgentOptions: {
           userAgentPrefix
         }, baseUri }));
-        this.allowInsecureConnection = false;
         this.authorityHost = baseUri;
         this.abortControllers = /* @__PURE__ */ new Map();
         this.allowLoggingAccountIdentifiers = (_b2 = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b2 === void 0 ? void 0 : _b2.allowLoggingAccountIdentifiers;
         this.tokenCredentialOptions = Object.assign({}, options);
-        if (options === null || options === void 0 ? void 0 : options.allowInsecureConnection) {
-          this.allowInsecureConnection = options.allowInsecureConnection;
-        }
       }
       async sendTokenRequest(request) {
-        logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
+        logger$q.info(`IdentityClient: sending token request to [${request.url}]`);
         const response = await this.sendRequest(request);
         if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
           const parsedBody = JSON.parse(response.bodyAsText);
@@ -15100,11 +15253,11 @@ ${errorDetail}`);
             },
             refreshToken: parsedBody.refresh_token
           };
-          logger$l.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+          logger$q.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
           return token;
         } else {
           const error = new AuthenticationError(response.status, response.bodyAsText);
-          logger$l.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+          logger$q.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
           throw error;
         }
       }
@@ -15112,7 +15265,7 @@ ${errorDetail}`);
         if (refreshToken === void 0) {
           return null;
         }
-        logger$l.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
+        logger$q.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
         const refreshParams = {
           grant_type: "refresh_token",
           client_id: clientId,
@@ -15138,14 +15291,14 @@ ${errorDetail}`);
               tracingOptions: updatedOptions.tracingOptions
             });
             const response = await this.sendTokenRequest(request);
-            logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+            logger$q.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
             return response;
           } catch (err) {
             if (err.name === AuthenticationErrorName && err.errorResponse.error === "interaction_required") {
-              logger$l.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+              logger$q.info(`IdentityClient: interaction required for client ID: ${clientId}`);
               return null;
             } else {
-              logger$l.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+              logger$q.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
               throw err;
             }
           }
@@ -15193,7 +15346,6 @@ ${errorDetail}`);
           url,
           method: "GET",
           body: options === null || options === void 0 ? void 0 : options.body,
-          allowInsecureConnection: this.allowInsecureConnection,
           headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
           abortSignal: this.generateAbortSignal(noCorrelationId)
         });
@@ -15211,7 +15363,6 @@ ${errorDetail}`);
           method: "POST",
           body: options === null || options === void 0 ? void 0 : options.body,
           headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
-          allowInsecureConnection: this.allowInsecureConnection,
           // MSAL doesn't send the correlation ID on the get requests.
           abortSignal: this.generateAbortSignal(this.getCorrelationId(options))
         });
@@ -15255,9 +15406,9 @@ ${errorDetail}`);
           }
           const base64Metadata = accessToken.split(".")[1];
           const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
-          logger$l.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+          logger$q.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
         } catch (e) {
-          logger$l.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+          logger$q.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
         }
       }
     };
@@ -15265,7 +15416,7 @@ ${errorDetail}`);
     var IdentityClient = _IdentityClient;
     var CommonTenantId = "common";
     var AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56";
-    var logger$k = credentialLogger("VisualStudioCodeCredential");
+    var logger$p = credentialLogger("VisualStudioCodeCredential");
     var findCredentials = void 0;
     var vsCodeCredentialControl = {
       setVsCodeCredentialFinder(finder) {
@@ -15312,7 +15463,7 @@ ${errorDetail}`);
             return;
         }
       } catch (e) {
-        logger$k.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        logger$p.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
         return;
       }
     }
@@ -15333,7 +15484,7 @@ ${errorDetail}`);
         const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
         this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
         if (options && options.tenantId) {
-          checkTenantId(logger$k, options.tenantId);
+          checkTenantId(logger$p, options.tenantId);
           this.tenantId = options.tenantId;
         } else {
           this.tenantId = CommonTenantId;
@@ -15371,7 +15522,7 @@ ${errorDetail}`);
       async getToken(scopes, options) {
         var _a2, _b2;
         await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$k) || this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$p) || this.tenantId;
         if (findCredentials === void 0) {
           throw new CredentialUnavailableError([
             "No implementation of `VisualStudioCodeCredential` is available.",
@@ -15384,7 +15535,7 @@ ${errorDetail}`);
         let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
         if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
           const error = new Error("Invalid scope was specified by the user or calling client");
-          logger$k.getToken.info(formatError(scopes, error));
+          logger$p.getToken.info(formatError(scopes, error));
           throw error;
         }
         if (scopeString.indexOf("offline_access") < 0) {
@@ -15395,16 +15546,16 @@ ${errorDetail}`);
         if (refreshToken) {
           const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, void 0);
           if (tokenResponse) {
-            logger$k.getToken.info(formatSuccess(scopes));
+            logger$p.getToken.info(formatSuccess(scopes));
             return tokenResponse.accessToken;
           } else {
             const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-            logger$k.getToken.info(formatError(scopes, error));
+            logger$p.getToken.info(formatError(scopes, error));
             throw error;
           }
         } else {
           const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-          logger$k.getToken.info(formatError(scopes, error));
+          logger$p.getToken.info(formatError(scopes, error));
           throw error;
         }
       }
@@ -15420,6 +15571,377 @@ ${errorDetail}`);
       plugin(pluginContext);
     }
     __name(useIdentityPlugin2, "useIdentityPlugin");
+    var msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
+    var logger$o = credentialLogger(msiName$6);
+    function prepareRequestOptions$5(scopes, clientId) {
+      const resource = mapScopesToResource(scopes);
+      if (!resource) {
+        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
+      }
+      const queryParameters = {
+        resource,
+        "api-version": "2017-09-01"
+      };
+      if (clientId) {
+        queryParameters.clientid = clientId;
+      }
+      const query = new URLSearchParams(queryParameters);
+      if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
+      }
+      if (!process.env.MSI_SECRET) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
+      }
+      return {
+        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+          Accept: "application/json",
+          secret: process.env.MSI_SECRET
+        })
+      };
+    }
+    __name(prepareRequestOptions$5, "prepareRequestOptions$5");
+    var appServiceMsi2017 = {
+      name: "appServiceMsi2017",
+      async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+          logger$o.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+          return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        if (!result) {
+          logger$o.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+        }
+        return result;
+      },
+      async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (resourceId) {
+          logger$o.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
+        logger$o.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), {
+          // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+          allowInsecureConnection: true
+        }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return tokenResponse && tokenResponse.accessToken || null;
+      }
+    };
+    var msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2019";
+    var logger$n = credentialLogger(msiName$5);
+    function prepareRequestOptions$4(scopes, clientId, resourceId) {
+      const resource = mapScopesToResource(scopes);
+      if (!resource) {
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+      }
+      const queryParameters = {
+        resource,
+        "api-version": "2019-08-01"
+      };
+      if (clientId) {
+        queryParameters.client_id = clientId;
+      }
+      if (resourceId) {
+        queryParameters.mi_res_id = resourceId;
+      }
+      const query = new URLSearchParams(queryParameters);
+      if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_ENDPOINT`);
+      }
+      if (!process.env.IDENTITY_HEADER) {
+        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_HEADER`);
+      }
+      return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+          Accept: "application/json",
+          "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER
+        })
+      };
+    }
+    __name(prepareRequestOptions$4, "prepareRequestOptions$4");
+    var appServiceMsi2019 = {
+      name: "appServiceMsi2019",
+      async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+          logger$n.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+          return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
+        if (!result) {
+          logger$n.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+        }
+        return result;
+      },
+      async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        logger$n.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), {
+          // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+          allowInsecureConnection: true
+        }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return tokenResponse && tokenResponse.accessToken || null;
+      }
+    };
+    var msiName$4 = "ManagedIdentityCredential - Azure Arc MSI";
+    var logger$m = credentialLogger(msiName$4);
+    function prepareRequestOptions$3(scopes, clientId, resourceId) {
+      const resource = mapScopesToResource(scopes);
+      if (!resource) {
+        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
+      }
+      const queryParameters = {
+        resource,
+        "api-version": azureArcAPIVersion
+      };
+      if (clientId) {
+        queryParameters.client_id = clientId;
+      }
+      if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+      }
+      if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_ENDPOINT`);
+      }
+      const query = new URLSearchParams(queryParameters);
+      return coreRestPipeline.createPipelineRequest({
+        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+          Accept: "application/json",
+          Metadata: "true"
+        })
+      });
+    }
+    __name(prepareRequestOptions$3, "prepareRequestOptions$3");
+    async function filePathRequest(identityClient, requestPrepareOptions) {
+      const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
+      if (response.status !== 401) {
+        let message = "";
+        if (response.bodyAsText) {
+          message = ` Response: ${response.bodyAsText}`;
+        }
+        throw new AuthenticationError(response.status, `${msiName$4}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+      }
+      const authHeader = response.headers.get("www-authenticate") || "";
+      try {
+        return authHeader.split("=").slice(1)[0];
+      } catch (e) {
+        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
+      }
+    }
+    __name(filePathRequest, "filePathRequest");
+    function platformToFilePath() {
+      switch (process.platform) {
+        case "win32":
+          if (!process.env.PROGRAMDATA) {
+            throw new Error(`${msiName$4}: PROGRAMDATA environment variable has no value.`);
+          }
+          return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+        case "linux":
+          return "/var/opt/azcmagent/tokens";
+        default:
+          throw new Error(`${msiName$4}: Unsupported platform ${process.platform}.`);
+      }
+    }
+    __name(platformToFilePath, "platformToFilePath");
+    function validateKeyFile(filePath) {
+      if (!filePath) {
+        throw new Error(`${msiName$4}: Failed to find the token file.`);
+      }
+      if (!filePath.endsWith(".key")) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+      }
+      const expectedPath = platformToFilePath();
+      if (!filePath.startsWith(expectedPath)) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+      }
+      const stats = fs$1.statSync(filePath);
+      if (stats.size > 4096) {
+        throw new Error(`${msiName$4}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+      }
+    }
+    __name(validateKeyFile, "validateKeyFile");
+    var arcMsi = {
+      name: "arc",
+      async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+          logger$m.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+          return false;
+        }
+        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        if (!result) {
+          logger$m.info(`${msiName$4}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+        }
+        return result;
+      },
+      async getToken(configuration, getTokenOptions = {}) {
+        var _a2;
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+          logger$m.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+          logger$m.warning(`${msiName$4}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+        }
+        logger$m.info(`${msiName$4}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: void 0, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        const filePath = await filePathRequest(identityClient, requestOptions);
+        validateKeyFile(filePath);
+        const key = await fs$1.promises.readFile(filePath, { encoding: "utf-8" });
+        (_a2 = requestOptions.headers) === null || _a2 === void 0 ? void 0 : _a2.set("Authorization", `Basic ${key}`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), {
+          // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+          allowInsecureConnection: true
+        }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return tokenResponse && tokenResponse.accessToken || null;
+      }
+    };
+    var msiName$3 = "ManagedIdentityCredential - CloudShellMSI";
+    var logger$l = credentialLogger(msiName$3);
+    function prepareRequestOptions$2(scopes, clientId, resourceId) {
+      const resource = mapScopesToResource(scopes);
+      if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+      }
+      const body = {
+        resource
+      };
+      if (clientId) {
+        body.client_id = clientId;
+      }
+      if (resourceId) {
+        body.msi_res_id = resourceId;
+      }
+      if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$3}: Missing environment variable: MSI_ENDPOINT`);
+      }
+      const params = new URLSearchParams(body);
+      return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: params.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+          Accept: "application/json",
+          Metadata: "true",
+          "Content-Type": "application/x-www-form-urlencoded"
+        })
+      };
+    }
+    __name(prepareRequestOptions$2, "prepareRequestOptions$2");
+    var cloudShellMsi = {
+      name: "cloudShellMsi",
+      async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+          logger$l.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+          return false;
+        }
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+          logger$l.info(`${msiName$3}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
+      },
+      async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+          logger$l.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+          logger$l.warning(`${msiName$3}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+        }
+        logger$l.info(`${msiName$3}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), {
+          // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+          allowInsecureConnection: true
+        }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return tokenResponse && tokenResponse.accessToken || null;
+      }
+    };
+    var msiName$2 = "ManagedIdentityCredential - Fabric MSI";
+    var logger$k = credentialLogger(msiName$2);
+    function prepareRequestOptions$1(scopes, clientId, resourceId) {
+      const resource = mapScopesToResource(scopes);
+      if (!resource) {
+        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
+      }
+      const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion
+      };
+      if (clientId) {
+        queryParameters.client_id = clientId;
+      }
+      if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+      }
+      const query = new URLSearchParams(queryParameters);
+      if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+      }
+      if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
+      }
+      return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+          Accept: "application/json",
+          secret: process.env.IDENTITY_HEADER
+        })
+      };
+    }
+    __name(prepareRequestOptions$1, "prepareRequestOptions$1");
+    var fabricMsi = {
+      name: "fabricMsi",
+      async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+          logger$k.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+          return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        if (!result) {
+          logger$k.info(`${msiName$2}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        }
+        return result;
+      },
+      async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId, resourceId } = configuration;
+        if (resourceId) {
+          logger$k.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
+        logger$k.info([
+          `${msiName$2}:`,
+          "Using the endpoint and the secret coming from the environment variables:",
+          `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+          "IDENTITY_HEADER=[REDACTED] and",
+          "IDENTITY_SERVER_THUMBPRINT=[REDACTED]."
+        ].join(" "));
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
+        request.agent = new https.Agent({
+          // This is necessary because Service Fabric provides a self-signed certificate.
+          // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+          rejectUnauthorized: false
+        });
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return tokenResponse && tokenResponse.accessToken || null;
+      }
+    };
     var logger$j = credentialLogger("IdentityUtils");
     var LatestAuthenticationRecordVersion = "1.0";
     function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
@@ -15497,6 +16019,10 @@ ${errorDetail}`);
       }
     }
     __name(getMSALLogLevel, "getMSALLogLevel");
+    function randomUUID() {
+      return coreUtil.randomUUID();
+    }
+    __name(randomUUID, "randomUUID");
     function handleMsalError(scopes, error, getTokenOptions) {
       if (error.name === "AuthError" || error.name === "ClientAuthError" || error.name === "BrowserAuthError") {
         const msalError = error;
@@ -15666,26 +16192,6 @@ ${errorDetail}`);
         throw new AuthenticationError(404, `${msiName$1}: Failed to retrieve IMDS token after ${configuration.retryConfig.maxRetries} retries.`);
       }
     };
-    var DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1e3 * 64;
-    function imdsRetryPolicy(msiRetryConfig) {
-      return coreRestPipeline.retryPolicy([
-        {
-          name: "imdsRetryPolicy",
-          retry: /* @__PURE__ */ __name(({ retryCount, response }) => {
-            if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
-              return { skipStrategy: true };
-            }
-            const exponentialDelay = msiRetryConfig.startDelayInMs * Math.pow(2, retryCount);
-            const clampedExponentialDelay = Math.min(DEFAULT_CLIENT_MAX_RETRY_INTERVAL, exponentialDelay);
-            const retryAfterInMs = clampedExponentialDelay / 2 + coreUtil.getRandomIntegerInclusive(0, clampedExponentialDelay / 2);
-            return { retryAfterInMs };
-          }, "retry")
-        }
-      ], {
-        maxRetries: msiRetryConfig.maxRetries
-      });
-    }
-    __name(imdsRetryPolicy, "imdsRetryPolicy");
     var RegionalAuthority;
     (function(RegionalAuthority2) {
       RegionalAuthority2["AutoDiscoverRegion"] = "AutoDiscoverRegion";
@@ -15754,9 +16260,6 @@ ${errorDetail}`);
       return azureRegion;
     }
     __name(calculateRegionalAuthority, "calculateRegionalAuthority");
-    var interactiveBrowserMockable = {
-      open
-    };
     var msalLogger = credentialLogger("MsalClient");
     function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
       var _a2, _b2, _c, _d;
@@ -15773,7 +16276,7 @@ ${errorDetail}`);
           networkClient: httpClient,
           loggerOptions: {
             loggerCallback: defaultLoggerCallback((_c = msalClientOptions.logger) !== null && _c !== void 0 ? _c : msalLogger),
-            logLevel: getMSALLogLevel(logger$m.getLogLevel()),
+            logLevel: getMSALLogLevel(logger$r.getLogLevel()),
             piiLoggingEnabled: (_d = msalClientOptions.loggingOptions) === null || _d === void 0 ? void 0 : _d.enableUnsafeSupportLogging
           }
         }
@@ -15857,13 +16360,6 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return app.acquireTokenSilent(silentRequest);
       }
       __name(getTokenSilent, "getTokenSilent");
-      function calculateRequestAuthority(options) {
-        if (options === null || options === void 0 ? void 0 : options.tenantId) {
-          return getAuthority(options.tenantId, createMsalClientOptions.authorityHost);
-        }
-        return state.msalConfig.auth.authority;
-      }
-      __name(calculateRequestAuthority, "calculateRequestAuthority");
       async function withSilentAuthentication(msalApp, scopes, options, onAuthenticationRequired) {
         var _a3;
         let response = null;
@@ -15904,7 +16400,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         try {
           const response = await msalApp.acquireTokenByClientCredential({
             scopes,
-            authority: calculateRequestAuthority(options),
+            authority: state.msalConfig.auth.authority,
             azureRegion: calculateRegionalAuthority(),
             claims: options === null || options === void 0 ? void 0 : options.claims
           });
@@ -15926,7 +16422,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         try {
           const response = await msalApp.acquireTokenByClientCredential({
             scopes,
-            authority: calculateRequestAuthority(options),
+            authority: state.msalConfig.auth.authority,
             azureRegion: calculateRegionalAuthority(),
             claims: options === null || options === void 0 ? void 0 : options.claims,
             clientAssertion
@@ -15949,7 +16445,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         try {
           const response = await msalApp.acquireTokenByClientCredential({
             scopes,
-            authority: calculateRequestAuthority(options),
+            authority: state.msalConfig.auth.authority,
             azureRegion: calculateRegionalAuthority(),
             claims: options === null || options === void 0 ? void 0 : options.claims
           });
@@ -15973,7 +16469,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             scopes,
             cancel: (_b2 = (_a3 = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a3 === void 0 ? void 0 : _a3.aborted) !== null && _b2 !== void 0 ? _b2 : false,
             deviceCodeCallback,
-            authority: calculateRequestAuthority(options),
+            authority: state.msalConfig.auth.authority,
             claims: options === null || options === void 0 ? void 0 : options.claims
           };
           const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);
@@ -15994,7 +16490,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             scopes,
             username,
             password,
-            authority: calculateRequestAuthority(options),
+            authority: state.msalConfig.auth.authority,
             claims: options === null || options === void 0 ? void 0 : options.claims
           };
           return msalApp.acquireTokenByUsernamePassword(requestOptions);
@@ -16022,133 +16518,38 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             scopes,
             redirectUri,
             code: authorizationCode,
-            authority: calculateRequestAuthority(options),
+            authority: state.msalConfig.auth.authority,
             claims: options === null || options === void 0 ? void 0 : options.claims
           });
         });
       }
       __name(getTokenByAuthorizationCode, "getTokenByAuthorizationCode");
-      async function getTokenOnBehalfOf(scopes, userAssertionToken, clientCredentials, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);
-        if (typeof clientCredentials === "string") {
-          msalLogger.getToken.info(`Using client secret for on behalf of flow`);
-          state.msalConfig.auth.clientSecret = clientCredentials;
-        } else if (typeof clientCredentials === "function") {
-          msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);
-          state.msalConfig.auth.clientAssertion = clientCredentials;
-        } else {
-          msalLogger.getToken.info(`Using client certificate for on behalf of flow`);
-          state.msalConfig.auth.clientCertificate = clientCredentials;
-        }
-        const msalApp = await getConfidentialApp(options);
-        try {
-          const response = await msalApp.acquireTokenOnBehalfOf({
-            scopes,
-            authority: calculateRequestAuthority(options),
-            claims: options.claims,
-            oboAssertion: userAssertionToken
-          });
-          ensureValidMsalToken(scopes, response, options);
-          msalLogger.getToken.info(formatSuccess(scopes));
-          return {
-            token: response.accessToken,
-            expiresOnTimestamp: response.expiresOn.getTime()
-          };
-        } catch (err) {
-          throw handleMsalError(scopes, err, options);
-        }
-      }
-      __name(getTokenOnBehalfOf, "getTokenOnBehalfOf");
-      async function getTokenByInteractiveRequest(scopes, options = {}) {
-        msalLogger.getToken.info(`Attempting to acquire token interactively`);
-        const app = await getPublicApp(options);
-        async function getBrokeredToken(useDefaultBrokerAccount) {
-          var _a3;
-          msalLogger.verbose("Authentication will resume through the broker");
-          const interactiveRequest = createBaseInteractiveRequest();
-          if (state.pluginConfiguration.broker.parentWindowHandle) {
-            interactiveRequest.windowHandle = Buffer.from(state.pluginConfiguration.broker.parentWindowHandle);
-          } else {
-            msalLogger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-          }
-          if (state.pluginConfiguration.broker.enableMsaPassthrough) {
-            ((_a3 = interactiveRequest.tokenQueryParameters) !== null && _a3 !== void 0 ? _a3 : interactiveRequest.tokenQueryParameters = {})["msal_request_type"] = "consumer_passthrough";
-          }
-          if (useDefaultBrokerAccount) {
-            interactiveRequest.prompt = "none";
-            msalLogger.verbose("Attempting broker authentication using the default broker account");
-          } else {
-            msalLogger.verbose("Attempting broker authentication without the default broker account");
-          }
-          try {
-            return await app.acquireTokenInteractive(interactiveRequest);
-          } catch (e) {
-            msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);
-            if (useDefaultBrokerAccount) {
-              return getBrokeredToken(
-                /* useDefaultBrokerAccount: */
-                false
-              );
-            } else {
-              throw e;
-            }
-          }
-        }
-        __name(getBrokeredToken, "getBrokeredToken");
-        function createBaseInteractiveRequest() {
-          var _a3, _b2;
-          return {
-            openBrowser: /* @__PURE__ */ __name(async (url) => {
-              this.logger.verbose(`Opening browser to ${url}`);
-              await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
-            }, "openBrowser"),
-            scopes,
-            authority: calculateRequestAuthority(options),
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-            loginHint: options === null || options === void 0 ? void 0 : options.loginHint,
-            errorTemplate: (_a3 = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _a3 === void 0 ? void 0 : _a3.errorMessage,
-            successTemplate: (_b2 = options === null || options === void 0 ? void 0 : options.browserCustomizationOptions) === null || _b2 === void 0 ? void 0 : _b2.successMessage
-          };
-        }
-        __name(createBaseInteractiveRequest, "createBaseInteractiveRequest");
-        return withSilentAuthentication(app, scopes, options, async () => {
-          var _a3;
-          const interactiveRequest = createBaseInteractiveRequest();
-          if (state.pluginConfiguration.broker.isEnabled) {
-            return getBrokeredToken((_a3 = state.pluginConfiguration.broker.useDefaultBrokerAccount) !== null && _a3 !== void 0 ? _a3 : false);
-          }
-          return app.acquireTokenInteractive(interactiveRequest);
-        });
-      }
-      __name(getTokenByInteractiveRequest, "getTokenByInteractiveRequest");
-      return {
-        getActiveAccount,
-        getTokenByClientSecret,
-        getTokenByClientAssertion,
-        getTokenByClientCertificate,
-        getTokenByDeviceCode,
-        getTokenByUsernamePassword,
-        getTokenByAuthorizationCode,
-        getTokenOnBehalfOf,
-        getTokenByInteractiveRequest
-      };
-    }
-    __name(createMsalClient, "createMsalClient");
-    var logger$h = credentialLogger("ClientAssertionCredential");
-    var _ClientAssertionCredential = class _ClientAssertionCredential {
-      /**
-       * Creates an instance of the ClientAssertionCredential with the details
-       * needed to authenticate against Microsoft Entra ID with a client
-       * assertion provided by the developer through the `getAssertion` function parameter.
-       *
-       * @param tenantId - The Microsoft Entra tenant (directory) ID.
-       * @param clientId - The client (application) ID of an App Registration in the tenant.
-       * @param getAssertion - A function that retrieves the assertion for the credential to use.
-       * @param options - Options for configuring the client which makes the authentication request.
-       */
-      constructor(tenantId, clientId, getAssertion, options = {}) {
-        if (!tenantId || !clientId || !getAssertion) {
-          throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
+      return {
+        getActiveAccount,
+        getTokenByClientSecret,
+        getTokenByClientAssertion,
+        getTokenByClientCertificate,
+        getTokenByDeviceCode,
+        getTokenByUsernamePassword,
+        getTokenByAuthorizationCode
+      };
+    }
+    __name(createMsalClient, "createMsalClient");
+    var logger$h = credentialLogger("ClientAssertionCredential");
+    var _ClientAssertionCredential = class _ClientAssertionCredential {
+      /**
+       * Creates an instance of the ClientAssertionCredential with the details
+       * needed to authenticate against Microsoft Entra ID with a client
+       * assertion provided by the developer through the `getAssertion` function parameter.
+       *
+       * @param tenantId - The Microsoft Entra tenant (directory) ID.
+       * @param clientId - The client (application) ID of an App Registration in the tenant.
+       * @param getAssertion - A function that retrieves the assertion for the credential to use.
+       * @param options - Options for configuring the client which makes the authentication request.
+       */
+      constructor(tenantId, clientId, getAssertion, options = {}) {
+        if (!tenantId || !clientId || !getAssertion) {
+          throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
         }
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
@@ -16167,8 +16568,9 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
       async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
           newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
+          const clientAssertion = await this.getAssertion();
           const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-          return this.msalClient.getTokenByClientAssertion(arrayScopes, this.getAssertion, newOptions);
+          return this.msalClient.getTokenByClientAssertion(arrayScopes, clientAssertion, newOptions);
         });
       }
     };
@@ -16249,68 +16651,124 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
     var WorkloadIdentityCredential = _WorkloadIdentityCredential;
     var msiName = "ManagedIdentityCredential - Token Exchange";
     var logger$f = credentialLogger(msiName);
-    var tokenExchangeMsi = {
-      name: "tokenExchangeMsi",
-      async isAvailable({ clientId }) {
-        const env = process.env;
-        const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && process.env.AZURE_FEDERATED_TOKEN_FILE);
-        if (!result) {
-          logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+    function tokenExchangeMsi() {
+      return {
+        name: "tokenExchangeMsi",
+        async isAvailable({ clientId }) {
+          const env = process.env;
+          const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && process.env.AZURE_FEDERATED_TOKEN_FILE);
+          if (!result) {
+            logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+          }
+          return result;
+        },
+        async getToken(configuration, getTokenOptions = {}) {
+          const { scopes, clientId } = configuration;
+          const identityClientTokenCredentialOptions = {};
+          const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
+          const token = await workloadIdentityCredential.getToken(scopes, getTokenOptions);
+          return token;
         }
-        return result;
-      },
-      async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, clientId } = configuration;
-        const identityClientTokenCredentialOptions = {};
-        const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
-        return workloadIdentityCredential.getToken(scopes, getTokenOptions);
-      }
-    };
-    var logger$e = credentialLogger("ManagedIdentityCredential(MSAL)");
-    var _MsalMsiProvider = class _MsalMsiProvider {
-      constructor(clientIdOrOptions, options = {}) {
+      };
+    }
+    __name(tokenExchangeMsi, "tokenExchangeMsi");
+    var logger$e = credentialLogger("ManagedIdentityCredential");
+    var _ManagedIdentityCredential = class _ManagedIdentityCredential {
+      /**
+       * @internal
+       * @hidden
+       */
+      constructor(clientIdOrOptions, options) {
         var _a2, _b2;
+        this.isEndpointUnavailable = null;
+        this.isAppTokenProviderInitialized = false;
         this.msiRetryConfig = {
           maxRetries: 5,
           startDelayInMs: 800,
           intervalIncrement: 2
         };
-        let _options = {};
+        let _options;
         if (typeof clientIdOrOptions === "string") {
           this.clientId = clientIdOrOptions;
           _options = options;
         } else {
           this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
-          _options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
+          _options = clientIdOrOptions;
         }
         this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
         if (this.clientId && this.resourceId) {
-          throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
+          throw new Error(`${_ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
         }
-        _options.allowInsecureConnection = true;
         if (((_a2 = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a2 === void 0 ? void 0 : _a2.maxRetries) !== void 0) {
           this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
         }
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
-        this.managedIdentityApp = new msalCommon.ManagedIdentityApplication({
-          managedIdentityIdParams: {
-            userAssignedClientId: this.clientId,
-            userAssignedResourceId: this.resourceId
+        this.identityClient = new IdentityClient(_options);
+        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
+          maxRetries: 0
+        } }));
+        this.confidentialApp = new msalCommon.ConfidentialClientApplication({
+          auth: {
+            authority: "https://login.microsoftonline.com/managed_identity",
+            clientId: (_b2 = this.clientId) !== null && _b2 !== void 0 ? _b2 : DeveloperSignOnClientId,
+            clientSecret: "dummy-secret",
+            cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
+            authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+            clientCapabilities: []
           },
           system: {
-            // todo: proxyUrl?
-            disableInternalRetries: true,
-            networkClient: this.identityClient,
             loggerOptions: {
-              logLevel: getMSALLogLevel(logger$m.getLogLevel()),
-              piiLoggingEnabled: (_b2 = options.loggingOptions) === null || _b2 === void 0 ? void 0 : _b2.enableUnsafeSupportLogging,
-              loggerCallback: defaultLoggerCallback(logger$e)
+              logLevel: getMSALLogLevel(logger$r.getLogLevel())
             }
           }
         });
-        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
-          maxRetries: 0
-        } }));
+      }
+      async cachedAvailableMSI(scopes, getTokenOptions) {
+        if (this.cachedMSI) {
+          return this.cachedMSI;
+        }
+        const MSIs = [
+          arcMsi,
+          fabricMsi,
+          appServiceMsi2019,
+          appServiceMsi2017,
+          cloudShellMsi,
+          tokenExchangeMsi(),
+          imdsMsi
+        ];
+        for (const msi of MSIs) {
+          if (await msi.isAvailable({
+            scopes,
+            identityClient: this.isAvailableIdentityClient,
+            clientId: this.clientId,
+            resourceId: this.resourceId,
+            getTokenOptions
+          })) {
+            this.cachedMSI = msi;
+            return msi;
+          }
+        }
+        throw new CredentialUnavailableError(`${_ManagedIdentityCredential.name} - No MSI credential available`);
+      }
+      async authenticateManagedIdentity(scopes, getTokenOptions) {
+        const { span, updatedOptions } = tracingClient.startSpan(`${_ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
+        try {
+          const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+          return availableMSI.getToken({
+            identityClient: this.identityClient,
+            scopes,
+            clientId: this.clientId,
+            resourceId: this.resourceId,
+            retryConfig: this.msiRetryConfig
+          }, updatedOptions);
+        } catch (err) {
+          span.setStatus({
+            status: "error",
+            error: err
+          });
+          throw err;
+        } finally {
+          span.end();
+        }
       }
       /**
        * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -16321,131 +16779,138 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
        * @param options - The options used to configure any requests this
        *                TokenCredential implementation might make.
        */
-      async getToken(scopes, options = {}) {
-        logger$e.getToken.info("Using the MSAL provider for Managed Identity.");
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-          throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
-        }
-        return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
-          try {
-            const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
-              scopes,
-              clientId: this.clientId,
-              getTokenOptions: options,
-              identityClient: this.identityClient,
-              resourceId: this.resourceId
-            });
-            const identitySource = this.managedIdentityApp.getManagedIdentitySource();
-            const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds";
-            if (isTokenExchangeMsi) {
-              logger$e.getToken.info("Using the token exchange managed identity.");
-              const result = await tokenExchangeMsi.getToken({
-                scopes,
-                clientId: this.clientId,
-                identityClient: this.identityClient,
-                retryConfig: this.msiRetryConfig,
-                resourceId: this.resourceId
-              });
-              if (result === null) {
-                throw new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-              }
-              return result;
-            } else if (isImdsMsi) {
-              logger$e.getToken.info("Using the IMDS endpoint to probe for availability.");
-              const isAvailable = await imdsMsi.isAvailable({
-                scopes,
-                clientId: this.clientId,
-                getTokenOptions: options,
-                identityClient: this.isAvailableIdentityClient,
-                resourceId: this.resourceId
-              });
-              if (!isAvailable) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is not available.`);
-              }
+      async getToken(scopes, options) {
+        let result = null;
+        const { span, updatedOptions } = tracingClient.startSpan(`${_ManagedIdentityCredential.name}.getToken`, options);
+        try {
+          if (this.isEndpointUnavailable !== true) {
+            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+            if (availableMSI.name === "tokenExchangeMsi") {
+              result = await this.authenticateManagedIdentity(scopes, updatedOptions);
+            } else {
+              const appTokenParameters = {
+                correlationId: this.identityClient.getCorrelationId(),
+                tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
+                scopes: Array.isArray(scopes) ? scopes : [scopes],
+                claims: options === null || options === void 0 ? void 0 : options.claims
+              };
+              this.initializeSetAppTokenProvider();
+              const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
+              result = this.handleResult(scopes, authenticationResult || void 0);
             }
-            logger$e.getToken.info("Calling into MSAL for managed identity token.");
-            const token = await this.managedIdentityApp.acquireToken({
-              resource
-            });
-            this.ensureValidMsalToken(scopes, token, options);
-            logger$e.getToken.info(formatSuccess(scopes));
-            return {
-              expiresOnTimestamp: token.expiresOn.getTime(),
-              token: token.accessToken
-            };
-          } catch (err) {
-            logger$e.getToken.error(formatError(scopes, err));
-            if (err.name === "AuthenticationRequiredError") {
-              throw err;
+            if (result === null) {
+              this.isEndpointUnavailable = true;
+              const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
+              logger$e.getToken.info(formatError(scopes, error));
+              throw error;
             }
-            if (isNetworkError(err)) {
-              throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`);
+            this.isEndpointUnavailable = false;
+          } else {
+            const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
+            logger$e.getToken.info(formatError(scopes, error));
+            throw error;
+          }
+          logger$e.getToken.info(formatSuccess(scopes));
+          return result;
+        } catch (err) {
+          if (err.name === "AuthenticationRequiredError") {
+            throw err;
+          }
+          span.setStatus({
+            status: "error",
+            error: err
+          });
+          if (err.code === "ENETUNREACH") {
+            const error = new CredentialUnavailableError(`${_ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+            logger$e.getToken.info(formatError(scopes, error));
+            throw error;
+          }
+          if (err.code === "EHOSTUNREACH") {
+            const error = new CredentialUnavailableError(`${_ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
+            logger$e.getToken.info(formatError(scopes, error));
+            throw error;
+          }
+          if (err.statusCode === 400) {
+            throw new CredentialUnavailableError(`${_ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+          }
+          if (err.statusCode === 403 || err.code === 403) {
+            if (err.message.includes("unreachable")) {
+              const error = new CredentialUnavailableError(`${_ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+              logger$e.getToken.info(formatError(scopes, error));
+              throw error;
             }
-            throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
           }
-        });
+          if (err.statusCode === void 0) {
+            throw new CredentialUnavailableError(`${_ManagedIdentityCredential.name}: Authentication failed. Message ${err.message}`);
+          }
+          throw new AuthenticationError(err.statusCode, {
+            error: `${_ManagedIdentityCredential.name} authentication failed.`,
+            error_description: err.message
+          });
+        } finally {
+          span.end();
+        }
+      }
+      /**
+       * Handles the MSAL authentication result.
+       * If the result has an account, we update the local account reference.
+       * If the token received is invalid, an error will be thrown depending on what's missing.
+       */
+      handleResult(scopes, result, getTokenOptions) {
+        this.ensureValidMsalToken(scopes, result, getTokenOptions);
+        logger$e.getToken.info(formatSuccess(scopes));
+        return {
+          token: result.accessToken,
+          expiresOnTimestamp: result.expiresOn.getTime()
+        };
       }
       /**
        * Ensures the validity of the MSAL token
        */
       ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
-        const createError = /* @__PURE__ */ __name((message) => {
+        const error = /* @__PURE__ */ __name((message) => {
           logger$e.getToken.info(message);
           return new AuthenticationRequiredError({
             scopes: Array.isArray(scopes) ? scopes : [scopes],
             getTokenOptions,
             message
           });
-        }, "createError");
+        }, "error");
         if (!msalToken) {
-          throw createError("No response");
+          throw error("No response");
         }
         if (!msalToken.expiresOn) {
-          throw createError(`Response had no "expiresOn" property.`);
+          throw error(`Response had no "expiresOn" property.`);
         }
         if (!msalToken.accessToken) {
-          throw createError(`Response had no "accessToken" property.`);
-        }
-      }
-    };
-    __name(_MsalMsiProvider, "MsalMsiProvider");
-    var MsalMsiProvider = _MsalMsiProvider;
-    function isNetworkError(err) {
-      if (err.errorCode === "network_error") {
-        return true;
-      }
-      if (err.code === "ENETUNREACH" || err.code === "EHOSTUNREACH") {
-        return true;
-      }
-      if (err.statusCode === 403 || err.code === 403) {
-        if (err.message.includes("unreachable")) {
-          return true;
+          throw error(`Response had no "accessToken" property.`);
+        }
+      }
+      initializeSetAppTokenProvider() {
+        if (!this.isAppTokenProviderInitialized) {
+          this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
+            logger$e.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
+            const getTokenOptions = Object.assign({}, appTokenProviderParameters);
+            logger$e.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
+            const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
+            if (resultToken) {
+              logger$e.info(`SetAppTokenProvider will save the token in cache`);
+              const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp) ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1e3) : 0;
+              return {
+                accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
+                expiresInSeconds
+              };
+            } else {
+              logger$e.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
+              return {
+                accessToken: "no_access_token_returned",
+                expiresInSeconds: 0
+              };
+            }
+          });
+          this.isAppTokenProviderInitialized = true;
         }
       }
-      return false;
-    }
-    __name(isNetworkError, "isNetworkError");
-    var _ManagedIdentityCredential = class _ManagedIdentityCredential {
-      /**
-       * @internal
-       * @hidden
-       */
-      constructor(clientIdOrOptions, options) {
-        this.implProvider = new MsalMsiProvider(clientIdOrOptions, options);
-      }
-      /**
-       * Authenticates with Microsoft Entra ID and returns an access token if successful.
-       * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-       * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
-       *
-       * @param scopes - The list of scopes for which the token will have access.
-       * @param options - The options used to configure any requests this
-       *                TokenCredential implementation might make.
-       */
-      async getToken(scopes, options) {
-        return this.implProvider.getToken(scopes, options);
-      }
     };
     __name(_ManagedIdentityCredential, "ManagedIdentityCredential");
     var ManagedIdentityCredential = _ManagedIdentityCredential;
@@ -16850,7 +17315,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             ]
           ]);
           const result = results[1];
-          return parseJsonToken(result);
+          try {
+            return JSON.parse(result);
+          } catch (e) {
+            throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
+          }
         }
         throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
       }
@@ -16897,33 +17366,6 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
     };
     __name(_AzurePowerShellCredential, "AzurePowerShellCredential");
     var AzurePowerShellCredential = _AzurePowerShellCredential;
-    async function parseJsonToken(result) {
-      const jsonRegex = /{[^{}]*}/g;
-      const matches = result.match(jsonRegex);
-      let resultWithoutToken = result;
-      if (matches) {
-        try {
-          for (const item of matches) {
-            try {
-              const jsonContent = JSON.parse(item);
-              if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
-                resultWithoutToken = resultWithoutToken.replace(item, "");
-                if (resultWithoutToken) {
-                  logger$b.getToken.warning(resultWithoutToken);
-                }
-                return jsonContent;
-              }
-            } catch (e) {
-              continue;
-            }
-          }
-        } catch (e) {
-          throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
-        }
-      }
-      throw new Error(`No access token found in the output. Received output: ${result}`);
-    }
-    __name(parseJsonToken, "parseJsonToken");
     var logger$a = credentialLogger("ChainedTokenCredential");
     var _ChainedTokenCredential = class _ChainedTokenCredential {
       /**
@@ -17361,6 +17803,362 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
     };
     __name(_DefaultAzureCredential, "DefaultAzureCredential");
     var DefaultAzureCredential = _DefaultAzureCredential;
+    var _MsalNode = class _MsalNode {
+      constructor(options) {
+        var _a2, _b2, _c, _d, _e, _f;
+        this.app = {};
+        this.caeApp = {};
+        this.requiresConfidential = false;
+        this.logger = options.logger;
+        this.msalConfig = this.defaultNodeMsalConfig(options);
+        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a2 = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a2 === void 0 ? void 0 : _a2.additionallyAllowedTenants);
+        this.clientId = this.msalConfig.auth.clientId;
+        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
+          this.getAssertion = options.getAssertion;
+        }
+        this.enableBroker = (_b2 = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b2 === void 0 ? void 0 : _b2.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
+        if (persistenceProvider !== void 0 && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
+          const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
+          const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+          const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+          this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+          this.createCachePluginCae = () => persistenceProvider(caeOptions);
+        } else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
+          throw new Error([
+            "Persistent token caching was requested, but no persistence provider was configured.",
+            "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+            "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+            "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`."
+          ].join(" "));
+        }
+        if (!hasNativeBroker() && this.enableBroker) {
+          throw new Error([
+            "Broker for WAM was requested to be enabled, but no native broker was configured.",
+            "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+            "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+            "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`."
+          ].join(" "));
+        }
+        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
+      }
+      /**
+       * Generates a MSAL configuration that generally works for Node.js
+       */
+      defaultNodeMsalConfig(options) {
+        var _a2;
+        const clientId = options.clientId || DeveloperSignOnClientId;
+        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
+        const authority = getAuthority(tenantId, this.authorityHost);
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
+        const clientCapabilities = [];
+        return {
+          auth: {
+            clientId,
+            authority,
+            knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
+            clientCapabilities
+          },
+          // Cache is defined in this.prepare();
+          system: {
+            networkClient: this.identityClient,
+            loggerOptions: {
+              loggerCallback: defaultLoggerCallback(options.logger),
+              logLevel: getMSALLogLevel(logger$r.getLogLevel()),
+              piiLoggingEnabled: (_a2 = options.loggingOptions) === null || _a2 === void 0 ? void 0 : _a2.enableUnsafeSupportLogging
+            }
+          }
+        };
+      }
+      getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+          return app.public || app.confidential;
+        } else if (appType === "confidentialFirst") {
+          return app.confidential || app.public;
+        } else if (appType === "confidential") {
+          return app.confidential;
+        } else {
+          return app.public;
+        }
+      }
+      /**
+       * Prepares the MSAL applications.
+       */
+      async init(options) {
+        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
+          options.abortSignal.addEventListener("abort", () => {
+            this.identityClient.abortRequests(options.correlationId);
+          });
+        }
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+          this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
+          return;
+        }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== void 0) {
+          this.msalConfig.cache = {
+            cachePlugin: await this.createCachePluginCae()
+          };
+        }
+        if (this.createCachePlugin !== void 0) {
+          this.msalConfig.cache = {
+            cachePlugin: await this.createCachePlugin()
+          };
+        }
+        if (hasNativeBroker() && this.enableBroker) {
+          this.msalConfig.broker = {
+            nativeBrokerPlugin: nativeBrokerInfo.broker
+          };
+          if (!this.parentWindowHandle) {
+            this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+          }
+        }
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+          this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        } else {
+          this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
+        if (this.getAssertion) {
+          this.msalConfig.auth.clientAssertion = await this.getAssertion();
+        }
+        if (this.msalConfig.auth.clientSecret || this.msalConfig.auth.clientAssertion || this.msalConfig.auth.clientCertificate) {
+          if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+          } else {
+            this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+          }
+        } else {
+          if (this.requiresConfidential) {
+            throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
+          }
+        }
+      }
+      /**
+       * Allows the cancellation of a MSAL request.
+       */
+      withCancellation(promise, abortSignal, onCancel) {
+        return new Promise((resolve, reject) => {
+          promise.then((msalToken) => {
+            return resolve(msalToken);
+          }).catch(reject);
+          if (abortSignal) {
+            abortSignal.addEventListener("abort", () => {
+              onCancel === null || onCancel === void 0 ? void 0 : onCancel();
+            });
+          }
+        });
+      }
+      /**
+       * Returns the existing account, attempts to load the account from MSAL.
+       */
+      async getActiveAccount(enableCae = false) {
+        if (this.account) {
+          return this.account;
+        }
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
+        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
+        if (!accountsByTenant) {
+          return;
+        }
+        if (accountsByTenant.length === 1) {
+          this.account = msalToPublic(this.clientId, accountsByTenant[0]);
+        } else {
+          this.logger.info(`More than one account was found authenticated for this Client ID and Tenant ID.
+However, no "authenticationRecord" has been provided for this credential,
+therefore we're unable to pick between these accounts.
+A new login attempt will be requested, to ensure the correct account is picked.
+To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
+          return;
+        }
+        return this.account;
+      }
+      /**
+       * Attempts to retrieve a token from cache.
+       */
+      async getTokenSilent(scopes, options) {
+        var _a2, _b2, _c;
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
+        if (!this.account) {
+          throw new AuthenticationRequiredError({
+            scopes,
+            getTokenOptions: options,
+            message: "Silent authentication failed. We couldn't retrieve an active account from the cache."
+          });
+        }
+        const silentRequest = {
+          // To be able to re-use the account, the Token Cache must also have been provided.
+          account: publicToMsal(this.account),
+          correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+          scopes,
+          authority: options === null || options === void 0 ? void 0 : options.authority,
+          claims: options === null || options === void 0 ? void 0 : options.claims
+        };
+        if (hasNativeBroker() && this.enableBroker) {
+          if (!silentRequest.tokenQueryParameters) {
+            silentRequest.tokenQueryParameters = {};
+          }
+          if (!this.parentWindowHandle) {
+            this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+          }
+          if (this.enableMsaPassthrough) {
+            silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+          }
+        }
+        try {
+          this.logger.info("Attempting to acquire token silently");
+          await ((_a2 = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a2 === void 0 ? void 0 : _a2.getTokenCache().getAllAccounts());
+          const response = (_c = await ((_b2 = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b2 === void 0 ? void 0 : _b2.acquireTokenSilent(silentRequest))) !== null && _c !== void 0 ? _c : await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest);
+          return this.handleResult(scopes, response || void 0);
+        } catch (err) {
+          throw handleMsalError(scopes, err, options);
+        }
+      }
+      /**
+       * Wrapper around each MSAL flow get token operation: doGetToken.
+       * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
+       */
+      async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) || this.tenantId;
+        options.authority = getAuthority(tenantId, this.authorityHost);
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
+        await this.init(options);
+        try {
+          const optionsClaims = options.claims;
+          if (optionsClaims) {
+            this.cachedClaims = optionsClaims;
+          }
+          if (this.cachedClaims && !optionsClaims) {
+            options.claims = this.cachedClaims;
+          }
+          return await this.getTokenSilent(scopes, options);
+        } catch (err) {
+          if (err.name !== "AuthenticationRequiredError") {
+            throw err;
+          }
+          if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+            throw new AuthenticationRequiredError({
+              scopes,
+              getTokenOptions: options,
+              message: "Automatic authentication has been disabled. You may call the authentication() method."
+            });
+          }
+          this.logger.info(`Silent authentication failed, falling back to interactive method.`);
+          return this.doGetToken(scopes, options);
+        }
+      }
+      /**
+       * Handles the MSAL authentication result.
+       * If the result has an account, we update the local account reference.
+       * If the token received is invalid, an error will be thrown depending on what's missing.
+       */
+      handleResult(scopes, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+          this.account = msalToPublic(this.clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+          token: result.accessToken,
+          expiresOnTimestamp: result.expiresOn.getTime()
+        };
+      }
+    };
+    __name(_MsalNode, "MsalNode");
+    var MsalNode = _MsalNode;
+    var interactiveBrowserMockable = {
+      open
+    };
+    var _MsalOpenBrowser = class _MsalOpenBrowser extends MsalNode {
+      constructor(options) {
+        var _a2, _b2, _c, _d;
+        super(options);
+        this.loginHint = options.loginHint;
+        this.errorTemplate = (_a2 = options.browserCustomizationOptions) === null || _a2 === void 0 ? void 0 : _a2.errorMessage;
+        this.successTemplate = (_b2 = options.browserCustomizationOptions) === null || _b2 === void 0 ? void 0 : _b2.successMessage;
+        this.logger = credentialLogger("Node.js MSAL Open Browser");
+        this.useDefaultBrokerAccount = ((_c = options.brokerOptions) === null || _c === void 0 ? void 0 : _c.enabled) && ((_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount);
+      }
+      async doGetToken(scopes, options = {}) {
+        try {
+          const interactiveRequest = {
+            openBrowser: /* @__PURE__ */ __name(async (url) => {
+              this.logger.verbose(`Opening browser to ${url}`);
+              await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
+            }, "openBrowser"),
+            scopes,
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+            loginHint: this.loginHint,
+            errorTemplate: this.errorTemplate,
+            successTemplate: this.successTemplate
+          };
+          if (hasNativeBroker() && this.enableBroker) {
+            return this.doGetBrokeredToken(scopes, interactiveRequest, {
+              enableCae: options.enableCae,
+              useDefaultBrokerAccount: this.useDefaultBrokerAccount
+            });
+          }
+          if (hasNativeBroker() && !this.enableBroker) {
+            this.logger.verbose("Authentication will resume normally without the broker, since it's not enabled");
+          }
+          const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
+          return this.handleResult(scopes, result || void 0);
+        } catch (err) {
+          throw handleMsalError(scopes, err, options);
+        }
+      }
+      /**
+       * A helper function that supports brokered authentication through the MSAL's public application.
+       *
+       * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
+       * If the default broker account is not available, the method will fall back to interactive authentication.
+       */
+      async doGetBrokeredToken(scopes, interactiveRequest, options) {
+        var _a2;
+        this.logger.verbose("Authentication will resume through the broker");
+        if (this.parentWindowHandle) {
+          interactiveRequest.windowHandle = Buffer.from(this.parentWindowHandle);
+        } else {
+          this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+        }
+        if (this.enableMsaPassthrough) {
+          ((_a2 = interactiveRequest.tokenQueryParameters) !== null && _a2 !== void 0 ? _a2 : interactiveRequest.tokenQueryParameters = {})["msal_request_type"] = "consumer_passthrough";
+        }
+        if (options.useDefaultBrokerAccount) {
+          interactiveRequest.prompt = "none";
+          this.logger.verbose("Attempting broker authentication using the default broker account");
+        } else {
+          interactiveRequest.prompt = void 0;
+          this.logger.verbose("Attempting broker authentication without the default broker account");
+        }
+        try {
+          const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
+          if (result.fromNativeBroker) {
+            this.logger.verbose(`This result is returned from native broker`);
+          }
+          return this.handleResult(scopes, result || void 0);
+        } catch (e) {
+          this.logger.verbose(`Failed to authenticate through the broker: ${e.message}`);
+          if (options.useDefaultBrokerAccount) {
+            return this.doGetBrokeredToken(scopes, interactiveRequest, {
+              enableCae: options.enableCae,
+              useDefaultBrokerAccount: false
+            });
+          } else {
+            throw handleMsalError(scopes, e);
+          }
+        }
+      }
+    };
+    __name(_MsalOpenBrowser, "MsalOpenBrowser");
+    var MsalOpenBrowser = _MsalOpenBrowser;
     var logger$4 = credentialLogger("InteractiveBrowserCredential");
     var _InteractiveBrowserCredential = class _InteractiveBrowserCredential {
       /**
@@ -17376,26 +18174,36 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
        * @param options - Options for configuring the client which makes the authentication requests.
        */
       constructor(options) {
-        var _a2, _b2, _c, _d, _e;
-        this.tenantId = resolveTenantId(logger$4, options.tenantId, options.clientId);
+        var _a2, _b2, _c, _d;
+        const redirectUri = typeof options.redirectUri === "function" ? options.redirectUri() : options.redirectUri || "http://localhost";
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        const msalClientOptions = Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4 });
         const ibcNodeOptions = options;
-        this.browserCustomizationOptions = ibcNodeOptions.browserCustomizationOptions;
-        this.loginHint = ibcNodeOptions.loginHint;
         if ((_a2 = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a2 === void 0 ? void 0 : _a2.enabled) {
           if (!((_b2 = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b2 === void 0 ? void 0 : _b2.parentWindowHandle)) {
             throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
           } else {
-            msalClientOptions.brokerOptions = {
-              enabled: true,
-              parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
-              legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
-              useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount
-            };
+            this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), {
+              tokenCredentialOptions: options,
+              logger: logger$4,
+              redirectUri,
+              browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions,
+              brokerOptions: {
+                enabled: true,
+                parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
+                legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
+                useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount
+              }
+            }));
           }
+        } else {
+          this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), {
+            tokenCredentialOptions: options,
+            logger: logger$4,
+            redirectUri,
+            browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions
+          }));
         }
-        this.msalClient = createMsalClient((_e = options.clientId) !== null && _e !== void 0 ? _e : DeveloperSignOnClientId, this.tenantId, msalClientOptions);
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
       }
       /**
@@ -17414,7 +18222,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
           newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$4);
           const arrayScopes = ensureScopes(scopes);
-          return this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
+          return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
       }
       /**
@@ -17433,8 +18241,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
       async authenticate(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
           const arrayScopes = ensureScopes(scopes);
-          await this.msalClient.getTokenByInteractiveRequest(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: false, browserCustomizationOptions: this.browserCustomizationOptions, loginHint: this.loginHint }));
-          return this.msalClient.getActiveAccount();
+          await this.msalFlow.getToken(arrayScopes, newOptions);
+          return this.msalFlow.getActiveAccount();
         });
       }
     };
@@ -17582,48 +18390,32 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
           })
         });
         const response = await this.identityClient.sendRequest(request);
-        return handleOidcResponse(response);
+        const text = response.bodyAsText;
+        if (!text) {
+          logger$2.error(`${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+          throw new AuthenticationError(response.status, `${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        }
+        try {
+          const result = JSON.parse(text);
+          if (result === null || result === void 0 ? void 0 : result.oidcToken) {
+            return result.oidcToken;
+          } else {
+            let errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
+            if (response.status !== 200) {
+              errorMessage += `Response = ${JSON.stringify(result)}`;
+            }
+            logger$2.error(errorMessage);
+            throw new AuthenticationError(response.status, errorMessage);
+          }
+        } catch (e) {
+          logger$2.error(e.message);
+          logger$2.error(`${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
+          throw new AuthenticationError(response.status, `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
+        }
       }
     };
     __name(_AzurePipelinesCredential, "AzurePipelinesCredential");
     var AzurePipelinesCredential = _AzurePipelinesCredential;
-    function handleOidcResponse(response) {
-      const text = response.bodyAsText;
-      if (!text) {
-        logger$2.error(`${credentialName$1}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
-        throw new AuthenticationError(response.status, {
-          error: `${credentialName$1}: Authentication Failed. Received null token from OIDC request.`,
-          error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`
-        });
-      }
-      try {
-        const result = JSON.parse(text);
-        if (result === null || result === void 0 ? void 0 : result.oidcToken) {
-          return result.oidcToken;
-        } else {
-          const errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
-          let errorDescription = ``;
-          if (response.status !== 200) {
-            errorDescription = `Complete response - ${JSON.stringify(result)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
-          }
-          logger$2.error(errorMessage);
-          logger$2.error(errorDescription);
-          throw new AuthenticationError(response.status, {
-            error: errorMessage,
-            error_description: errorDescription
-          });
-        }
-      } catch (e) {
-        const errorDetails = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
-        logger$2.error(`Response from service = ${text} and error message = ${e.message}`);
-        logger$2.error(errorDetails);
-        throw new AuthenticationError(response.status, {
-          error: errorDetails,
-          error_description: `Response = ${text}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`
-        });
-      }
-    }
-    __name(handleOidcResponse, "handleOidcResponse");
     var logger$1 = credentialLogger("AuthorizationCodeCredential");
     var _AuthorizationCodeCredential = class _AuthorizationCodeCredential {
       /**
@@ -17665,25 +18457,91 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
     };
     __name(_AuthorizationCodeCredential, "AuthorizationCodeCredential");
     var AuthorizationCodeCredential = _AuthorizationCodeCredential;
+    var readFileAsync = util.promisify(fs3.readFile);
+    async function parseCertificate(configuration, sendCertificateChain) {
+      const certificateParts = {};
+      const certificate = configuration.certificate;
+      const certificatePath = configuration.certificatePath;
+      certificateParts.certificateContents = certificate || await readFileAsync(certificatePath, "utf8");
+      if (sendCertificateChain) {
+        certificateParts.x5c = certificateParts.certificateContents;
+      }
+      const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+      const publicKeys = [];
+      let match;
+      do {
+        match = certificatePattern.exec(certificateParts.certificateContents);
+        if (match) {
+          publicKeys.push(match[3]);
+        }
+      } while (match);
+      if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+      }
+      certificateParts.thumbprint = crypto4.createHash("sha1").update(Buffer.from(publicKeys[0], "base64")).digest("hex").toUpperCase();
+      return certificateParts;
+    }
+    __name(parseCertificate, "parseCertificate");
+    var _MsalOnBehalfOf = class _MsalOnBehalfOf extends MsalNode {
+      constructor(options) {
+        super(options);
+        this.logger.info("Initialized MSAL's On-Behalf-Of flow");
+        this.requiresConfidential = true;
+        this.userAssertionToken = options.userAssertionToken;
+        this.certificatePath = options.certificatePath;
+        this.sendCertificateChain = options.sendCertificateChain;
+        this.clientSecret = options.clientSecret;
+      }
+      // Changing the MSAL configuration asynchronously
+      async init(options) {
+        if (this.certificatePath) {
+          try {
+            const parts = await parseCertificate({ certificatePath: this.certificatePath }, this.sendCertificateChain);
+            this.msalConfig.auth.clientCertificate = {
+              thumbprint: parts.thumbprint,
+              privateKey: parts.certificateContents,
+              x5c: parts.x5c
+            };
+          } catch (error) {
+            this.logger.info(formatError("", error));
+            throw error;
+          }
+        } else {
+          this.msalConfig.auth.clientSecret = this.clientSecret;
+        }
+        return super.init(options);
+      }
+      async doGetToken(scopes, options = {}) {
+        try {
+          const result = await this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
+            scopes,
+            correlationId: options.correlationId,
+            authority: options.authority,
+            claims: options.claims,
+            oboAssertion: this.userAssertionToken
+          });
+          return this.handleResult(scopes, result || void 0);
+        } catch (err) {
+          throw handleMsalError(scopes, err, options);
+        }
+      }
+    };
+    __name(_MsalOnBehalfOf, "MsalOnBehalfOf");
+    var MsalOnBehalfOf = _MsalOnBehalfOf;
     var credentialName = "OnBehalfOfCredential";
     var logger = credentialLogger(credentialName);
     var _OnBehalfOfCredential = class _OnBehalfOfCredential {
       constructor(options) {
+        this.options = options;
         const { clientSecret } = options;
-        const { certificatePath, sendCertificateChain } = options;
-        const { getAssertion } = options;
+        const { certificatePath } = options;
         const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds } = options;
-        if (!tenantId || !clientId || !(clientSecret || certificatePath || getAssertion) || !userAssertionToken) {
-          throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath or getAssertion) and userAssertionToken are required parameters.`);
+        if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
+          throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
-        this.certificatePath = certificatePath;
-        this.clientSecret = clientSecret;
-        this.userAssertionToken = userAssertionToken;
-        this.sendCertificateChain = sendCertificateChain;
-        this.clientAssertion = getAssertion;
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
-        this.msalClient = createMsalClient(clientId, this.tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options }));
+        this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
       }
       /**
        * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -17696,54 +18554,9 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
           newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
           const arrayScopes = ensureScopes(scopes);
-          if (this.certificatePath) {
-            const clientCertificate = await this.buildClientCertificate(this.certificatePath);
-            return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, clientCertificate, newOptions);
-          } else if (this.clientSecret) {
-            return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientSecret, options);
-          } else if (this.clientAssertion) {
-            return this.msalClient.getTokenOnBehalfOf(arrayScopes, this.userAssertionToken, this.clientAssertion, options);
-          } else {
-            throw new Error("Expected either clientSecret or certificatePath or clientAssertion to be defined.");
-          }
+          return this.msalFlow.getToken(arrayScopes, newOptions);
         });
       }
-      async buildClientCertificate(certificatePath) {
-        try {
-          const parts = await this.parseCertificate({ certificatePath }, this.sendCertificateChain);
-          return {
-            thumbprint: parts.thumbprint,
-            privateKey: parts.certificateContents,
-            x5c: parts.x5c
-          };
-        } catch (error) {
-          logger.info(formatError("", error));
-          throw error;
-        }
-      }
-      async parseCertificate(configuration, sendCertificateChain) {
-        const certificatePath = configuration.certificatePath;
-        const certificateContents = await promises$1.readFile(certificatePath, "utf8");
-        const x5c = sendCertificateChain ? certificateContents : void 0;
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        let match;
-        do {
-          match = certificatePattern.exec(certificateContents);
-          if (match) {
-            publicKeys.push(match[3]);
-          }
-        } while (match);
-        if (publicKeys.length === 0) {
-          throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-        }
-        const thumbprint = node_crypto.createHash("sha1").update(Buffer.from(publicKeys[0], "base64")).digest("hex").toUpperCase();
-        return {
-          certificateContents,
-          thumbprint,
-          x5c
-        };
-      }
     };
     __name(_OnBehalfOfCredential, "OnBehalfOfCredential");
     var OnBehalfOfCredential = _OnBehalfOfCredential;
@@ -17806,7 +18619,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
     exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord2;
     exports.getBearerTokenProvider = getBearerTokenProvider;
     exports.getDefaultAzureCredential = getDefaultAzureCredential;
-    exports.logger = logger$l;
+    exports.logger = logger$q;
     exports.serializeAuthenticationRecord = serializeAuthenticationRecord2;
     exports.useIdentityPlugin = useIdentityPlugin2;
   }
@@ -17939,7 +18752,7 @@ var BasePersistence = _BasePersistence;
 import { promises as fs } from "fs";
 import { dirname } from "path";
 
-// ../../node_modules/.store/@azure-msal-common-npm-14.15.0-a04146a430/package/dist/utils/Constants.mjs
+// ../../node_modules/.store/@azure-msal-common-npm-14.13.0-f77242c157/package/dist/utils/Constants.mjs
 var Constants2 = {
   LIBRARY_NAME: "MSAL.JS",
   SKU: "msal.js.common",
@@ -18019,7 +18832,7 @@ var AUTHORITY_METADATA_CONSTANTS = {
   // 24 Hours
 };
 
-// ../../node_modules/.store/@azure-msal-common-npm-14.15.0-a04146a430/package/dist/logger/Logger.mjs
+// ../../node_modules/.store/@azure-msal-common-npm-14.13.0-f77242c157/package/dist/logger/Logger.mjs
 var LogLevel;
 (function(LogLevel2) {
   LogLevel2[LogLevel2["Error"] = 0] = "Error";
@@ -18881,16 +19694,16 @@ export {
 };
 /*! Bundled license information:
 
-.store/@azure-msal-node-npm-2.14.0-f4e7538145/package/lib/msal-node.cjs:
-  (*! @azure/msal-node v2.14.0 2024-09-20 *)
-  (*! @azure/msal-common v14.15.0 2024-09-20 *)
+.store/@azure-msal-node-npm-2.15.0-02a613cb10/package/lib/msal-node.cjs:
+  (*! @azure/msal-node v2.15.0 2024-10-03 *)
+  (*! @azure/msal-common v14.15.0 2024-10-03 *)
 
-.store/@azure-msal-common-npm-14.15.0-a04146a430/package/dist/utils/Constants.mjs:
-  (*! @azure/msal-common v14.15.0 2024-09-20 *)
+.store/@azure-msal-common-npm-14.13.0-f77242c157/package/dist/utils/Constants.mjs:
+  (*! @azure/msal-common v14.13.0 2024-07-01 *)
 
-.store/@azure-msal-common-npm-14.15.0-a04146a430/package/dist/logger/Logger.mjs:
-  (*! @azure/msal-common v14.15.0 2024-09-20 *)
+.store/@azure-msal-common-npm-14.13.0-f77242c157/package/dist/logger/Logger.mjs:
+  (*! @azure/msal-common v14.13.0 2024-07-01 *)
 
-.store/@azure-msal-common-npm-14.15.0-a04146a430/package/dist/index.mjs:
-  (*! @azure/msal-common v14.15.0 2024-09-20 *)
+.store/@azure-msal-common-npm-14.13.0-f77242c157/package/dist/index.mjs:
+  (*! @azure/msal-common v14.13.0 2024-07-01 *)
 */