@redis/entraid 5.0.0-next.6

package/README.md

@@ -0,0 +1,137 @@
+# @redis/entraid
+
+Secure token-based authentication for Redis clients using Microsoft Entra ID (formerly Azure Active Directory).
+
+## Features
+
+- Token-based authentication using Microsoft Entra ID
+- Automatic token refresh before expiration
+- Automatic re-authentication of all connections after token refresh
+- Support for multiple authentication flows:
+  - Managed identities (system-assigned and user-assigned)
+  - Service principals (with or without certificates)
+  - Authorization Code with PKCE flow
+- Built-in retry mechanisms for transient failures
+
+## Installation
+
+```bash
+npm install @redis/client
+npm install @redis/entraid
+```
+
+## Getting Started
+
+The first step to using @redis/entraid is choosing the right credentials provider for your authentication needs. The `EntraIdCredentialsProviderFactory` class provides several factory methods to create the appropriate provider:
+
+- `createForSystemAssignedManagedIdentity`: Use when your application runs in Azure with a system-assigned managed identity
+- `createForUserAssignedManagedIdentity`: Use when your application runs in Azure with a user-assigned managed identity
+- `createForClientCredentials`: Use when authenticating with a service principal using client secret
+- `createForClientCredentialsWithCertificate`: Use when authenticating with a service principal using a certificate
+- `createForAuthorizationCodeWithPKCE`: Use for interactive authentication flows in user applications
+
+## Usage Examples
+
+### Service Principal Authentication
+
+```typescript
+import { createClient } from '@redis/client';
+import { EntraIdCredentialsProviderFactory } from '@redis/entraid';
+
+const provider = EntraIdCredentialsProviderFactory.createForClientCredentials({
+  clientId: 'your-client-id',
+  clientSecret: 'your-client-secret',
+  authorityConfig: {
+    type: 'multi-tenant',
+    tenantId: 'your-tenant-id'
+  },
+  tokenManagerConfig: {
+    expirationRefreshRatio: 0.8 // Refresh token after 80% of its lifetime
+  }
+});
+
+const client = createClient({
+  url: 'redis://your-host',
+  credentialsProvider: provider
+});
+
+await client.connect();
+```
+
+### System-Assigned Managed Identity
+
+```typescript
+const provider = EntraIdCredentialsProviderFactory.createForSystemAssignedManagedIdentity({
+  clientId: 'your-client-id',
+  tokenManagerConfig: {
+    expirationRefreshRatio: 0.8
+  }
+});
+```
+
+### User-Assigned Managed Identity
+
+```typescript
+const provider = EntraIdCredentialsProviderFactory.createForUserAssignedManagedIdentity({
+  clientId: 'your-client-id',
+  userAssignedClientId: 'your-user-assigned-client-id',
+  tokenManagerConfig: {
+    expirationRefreshRatio: 0.8
+  }
+});
+```
+
+## Important Limitations
+
+### RESP2 PUB/SUB Limitations
+
+When using RESP2 (Redis Serialization Protocol 2), there are important limitations with PUB/SUB:
+
+- **No Re-Authentication in PUB/SUB Mode**: In RESP2, once a connection enters PUB/SUB mode, the socket is blocked and cannot process out-of-band commands like AUTH. This means that connections in PUB/SUB mode cannot be re-authenticated when tokens are refreshed.
+- **Connection Eviction**: As a result, PUB/SUB connections will be evicted by the Redis proxy when their tokens expire. The client will need to establish new connections with fresh tokens.
+
+### Transaction Safety
+
+When using token-based authentication, special care must be taken with Redis transactions. The token manager runs in the background and may attempt to re-authenticate connections at any time by sending AUTH commands. This can interfere with manually constructed transactions.
+
+#### ✅ Recommended: Use the Official Transaction API
+
+Always use the official transaction API provided by the client:
+
+```typescript
+// Correct way to handle transactions
+const multi = client.multi();
+multi.set('key1', 'value1');
+multi.set('key2', 'value2');
+await multi.exec();
+```
+
+#### ❌ Avoid: Manual Transaction Construction
+
+Do not manually construct transactions by sending individual MULTI/EXEC commands:
+
+```typescript
+// Incorrect and potentially dangerous
+await client.sendCommand(['MULTI']);
+await client.sendCommand(['SET', 'key1', 'value1']);
+await client.sendCommand(['SET', 'key2', 'value2']);
+await client.sendCommand(['EXEC']); // Risk of AUTH command being injected before EXEC
+```
+
+## Error Handling
+
+The provider includes built-in retry mechanisms for transient errors:
+
+```typescript
+const provider = EntraIdCredentialsProviderFactory.createForClientCredentials({
+  // ... other config ...
+  tokenManagerConfig: {
+    retry: {
+      maxAttempts: 3,
+      initialDelayMs: 100,
+      maxDelayMs: 1000,
+      backoffMultiplier: 2
+    }
+  }
+});
+```

package/dist/lib/entra-id-credentials-provider-factory.d.ts

@@ -0,0 +1,125 @@
+import { AuthenticationResult, PublicClientApplication } from '@azure/msal-node';
+import { RetryPolicy, TokenManagerConfig, ReAuthenticationError } from '@redis/client/dist/lib/authx';
+import { EntraidCredentialsProvider } from './entraid-credentials-provider';
+/**
+ * This class is used to create credentials providers for different types of authentication flows.
+ */
+export declare class EntraIdCredentialsProviderFactory {
+    #private;
+    /**
+     * This method is used to create a ManagedIdentityProvider for both system-assigned and user-assigned managed identities.
+     *
+     * @param params
+     * @param userAssignedClientId For user-assigned managed identities, the developer needs to pass either the client ID,
+     * full resource identifier, or the object ID of the managed identity when creating ManagedIdentityApplication.
+     *
+     */
+    static createManagedIdentityProvider(params: CredentialParams, userAssignedClientId?: string): EntraidCredentialsProvider;
+    /**
+     * This method is used to create a credentials provider for system-assigned managed identities.
+     * @param params
+     */
+    static createForSystemAssignedManagedIdentity(params: CredentialParams): EntraidCredentialsProvider;
+    /**
+     * This method is used to create a credentials provider for user-assigned managed identities.
+     * It will include the client ID as the userAssignedClientId in the ManagedIdentityConfiguration.
+     * @param params
+     */
+    static createForUserAssignedManagedIdentity(params: CredentialParams & {
+        userAssignedClientId: string;
+    }): EntraidCredentialsProvider;
+    /**
+     * This method is used to create a credentials provider for service principals using certificate.
+     * @param params
+     */
+    static createForClientCredentialsWithCertificate(params: ClientCredentialsWithCertificateParams): EntraidCredentialsProvider;
+    /**
+     * This method is used to create a credentials provider for service principals using client secret.
+     * @param params
+     */
+    static createForClientCredentials(params: ClientSecretCredentialsParams): EntraidCredentialsProvider;
+    /**
+     * This method is used to create a credentials provider for the Authorization Code Flow with PKCE.
+     * @param params
+     */
+    static createForAuthorizationCodeWithPKCE(params: AuthCodePKCEParams): {
+        getPKCECodes: () => Promise<{
+            verifier: string;
+            challenge: string;
+            challengeMethod: string;
+        }>;
+        getAuthCodeUrl: (pkceCodes: {
+            challenge: string;
+            challengeMethod: string;
+        }) => Promise<string>;
+        createCredentialsProvider: (params: PKCEParams) => EntraidCredentialsProvider;
+    };
+    static getAuthority(config: AuthorityConfig): string;
+}
+export type AuthorityConfig = {
+    type: 'multi-tenant';
+    tenantId: string;
+} | {
+    type: 'custom';
+    authorityUrl: string;
+} | {
+    type: 'default';
+};
+export type PKCEParams = {
+    code: string;
+    verifier: string;
+    clientInfo?: string;
+};
+export type CredentialParams = {
+    clientId: string;
+    scopes?: string[];
+    authorityConfig?: AuthorityConfig;
+    tokenManagerConfig: TokenManagerConfig;
+    onReAuthenticationError?: (error: ReAuthenticationError) => void;
+};
+export type AuthCodePKCEParams = CredentialParams & {
+    redirectUri: string;
+};
+export type ClientSecretCredentialsParams = CredentialParams & {
+    clientSecret: string;
+};
+export type ClientCredentialsWithCertificateParams = CredentialParams & {
+    certificate: {
+        thumbprint: string;
+        privateKey: string;
+        x5c?: string;
+    };
+};
+/**
+ * The most important part of the RetryPolicy is the `isRetryable` function. This function is used to determine if a request should be retried based
+ * on the error returned from the identity provider. The default for is to retry on network errors only.
+ */
+export declare const DEFAULT_RETRY_POLICY: RetryPolicy;
+export declare const DEFAULT_TOKEN_MANAGER_CONFIG: TokenManagerConfig;
+/**
+ * This class is used to help with the Authorization Code Flow with PKCE.
+ * It provides methods to generate PKCE codes, get the authorization URL, and create the credential provider.
+ */
+export declare class AuthCodeFlowHelper {
+    readonly client: PublicClientApplication;
+    readonly scopes: string[];
+    readonly redirectUri: string;
+    private constructor();
+    getAuthCodeUrl(pkceCodes: {
+        challenge: string;
+        challengeMethod: string;
+    }): Promise<string>;
+    acquireTokenByCode(params: PKCEParams): Promise<AuthenticationResult>;
+    static generatePKCE(): Promise<{
+        verifier: string;
+        challenge: string;
+        challengeMethod: string;
+    }>;
+    static create(params: {
+        clientId: string;
+        redirectUri: string;
+        scopes?: string[];
+        authorityConfig?: AuthorityConfig;
+    }): AuthCodeFlowHelper;
+}
+//# sourceMappingURL=entra-id-credentials-provider-factory.d.ts.map

package/dist/lib/entra-id-credentials-provider-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entra-id-credentials-provider-factory.d.ts","sourceRoot":"","sources":["../../lib/entra-id-credentials-provider-factory.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,oBAAoB,EACpB,uBAAuB,EAExB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAgB,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACpH,OAAO,EAAE,0BAA0B,EAAE,MAAM,gCAAgC,CAAC;AAG5E;;GAEG;AACH,qBAAa,iCAAiC;;IAE5C;;;;;;;OAOG;WACW,6BAA6B,CACzC,MAAM,EAAE,gBAAgB,EAAE,oBAAoB,CAAC,EAAE,MAAM,GACtD,0BAA0B;IA6B7B;;;OAGG;IACH,MAAM,CAAC,sCAAsC,CAC3C,MAAM,EAAE,gBAAgB,GACvB,0BAA0B;IAI7B;;;;OAIG;IACH,MAAM,CAAC,oCAAoC,CACzC,MAAM,EAAE,gBAAgB,GAAG;QAAE,oBAAoB,EAAE,MAAM,CAAA;KAAE,GAC1D,0BAA0B;IAkC7B;;;OAGG;IACH,MAAM,CAAC,yCAAyC,CAC9C,MAAM,EAAE,sCAAsC,GAC7C,0BAA0B;IAU7B;;;OAGG;IACH,MAAM,CAAC,0BAA0B,CAC/B,MAAM,EAAE,6BAA6B,GACpC,0BAA0B;IAU7B;;;OAGG;IACH,MAAM,CAAC,kCAAkC,CACvC,MAAM,EAAE,kBAAkB,GACzB;QACD,YAAY,EAAE,MAAM,OAAO,CAAC;YAC1B,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAC;YAClB,eAAe,EAAE,MAAM,CAAC;SACzB,CAAC,CAAC;QACH,cAAc,EAAE,CACd,SAAS,EAAE;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,eAAe,EAAE,MAAM,CAAA;SAAE,KACtD,OAAO,CAAC,MAAM,CAAC,CAAC;QACrB,yBAAyB,EAAE,CACzB,MAAM,EAAE,UAAU,KACf,0BAA0B,CAAC;KACjC;IA2CD,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM;CAarD;AAKD,MAAM,MAAM,eAAe,GACvB;IAAE,IAAI,EAAE,cAAc,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,GACxC;IAAE,IAAI,EAAE,SAAS,CAAA;CAAE,CAAC;AAExB,MAAM,MAAM,UAAU,GAAG;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,eAAe,CAAC,EAAE,eAAe,CAAC;IAElC,kBAAkB,EAAE,kBAAkB,CAAA;IACtC,uBAAuB,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,IAAI,CAAC;CAClE,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,gBAAgB,GAAG;IAClD,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG,gBAAgB,GAAG;IAC7D,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,sCAAsC,GAAG,gBAAgB,GAAG;IACtE,WAAW,EAAE;QACX,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH,CAAC;AAUF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,WASlC,CAAC;AAEF,eAAO,MAAM,4BAA4B,EAAE,kBAG1C,CAAA;AAED;;;GAGG;AACH,qBAAa,kBAAkB;IAE3B,QAAQ,CAAC,MAAM,EAAE,uBAAuB;IACxC,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE;IACzB,QAAQ,CAAC,WAAW,EAAE,MAAM;IAH9B,OAAO;IAMD,cAAc,CAAC,SAAS,EAAE;QAC9B,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,CAAC;KACzB,GAAG,OAAO,CAAC,MAAM,CAAC;IAWb,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;WAY9D,YAAY,IAAI,OAAO,CAAC;QACnC,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAUF,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,eAAe,CAAC,EAAE,eAAe,CAAC;KACnC,GAAG,kBAAkB;CAiBvB"}

package/dist/lib/entra-id-credentials-provider-factory.js

@@ -0,0 +1,240 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthCodeFlowHelper = exports.DEFAULT_TOKEN_MANAGER_CONFIG = exports.DEFAULT_RETRY_POLICY = exports.EntraIdCredentialsProviderFactory = void 0;
+const msal_common_1 = require("@azure/msal-common");
+const msal_node_1 = require("@azure/msal-node");
+const authx_1 = require("@redis/client/dist/lib/authx");
+const entraid_credentials_provider_1 = require("./entraid-credentials-provider");
+const msal_identity_provider_1 = require("./msal-identity-provider");
+/**
+ * This class is used to create credentials providers for different types of authentication flows.
+ */
+class EntraIdCredentialsProviderFactory {
+    /**
+     * This method is used to create a ManagedIdentityProvider for both system-assigned and user-assigned managed identities.
+     *
+     * @param params
+     * @param userAssignedClientId For user-assigned managed identities, the developer needs to pass either the client ID,
+     * full resource identifier, or the object ID of the managed identity when creating ManagedIdentityApplication.
+     *
+     */
+    static createManagedIdentityProvider(params, userAssignedClientId) {
+        const config = {
+            // For user-assigned identity, include the client ID
+            ...(userAssignedClientId && {
+                managedIdentityIdParams: {
+                    userAssignedClientId
+                }
+            }),
+            system: {
+                loggerOptions
+            }
+        };
+        const client = new msal_node_1.ManagedIdentityApplication(config);
+        const idp = new msal_identity_provider_1.MSALIdentityProvider(() => client.acquireToken({
+            resource: params.scopes?.[0] ?? REDIS_SCOPE,
+            forceRefresh: true
+        }).then(x => x === null ? Promise.reject('Token is null') : x));
+        return new entraid_credentials_provider_1.EntraidCredentialsProvider(new authx_1.TokenManager(idp, params.tokenManagerConfig), idp, { onReAuthenticationError: params.onReAuthenticationError, credentialsMapper: OID_CREDENTIALS_MAPPER });
+    }
+    /**
+     * This method is used to create a credentials provider for system-assigned managed identities.
+     * @param params
+     */
+    static createForSystemAssignedManagedIdentity(params) {
+        return this.createManagedIdentityProvider(params);
+    }
+    /**
+     * This method is used to create a credentials provider for user-assigned managed identities.
+     * It will include the client ID as the userAssignedClientId in the ManagedIdentityConfiguration.
+     * @param params
+     */
+    static createForUserAssignedManagedIdentity(params) {
+        return this.createManagedIdentityProvider(params, params.userAssignedClientId);
+    }
+    static #createForClientCredentials(authConfig, params) {
+        const config = {
+            auth: {
+                ...authConfig,
+                authority: this.getAuthority(params.authorityConfig ?? { type: 'default' })
+            },
+            system: {
+                loggerOptions
+            }
+        };
+        const client = new msal_node_1.ConfidentialClientApplication(config);
+        const idp = new msal_identity_provider_1.MSALIdentityProvider(() => client.acquireTokenByClientCredential({
+            skipCache: true,
+            scopes: params.scopes ?? [REDIS_SCOPE_DEFAULT]
+        }).then(x => x === null ? Promise.reject('Token is null') : x));
+        return new entraid_credentials_provider_1.EntraidCredentialsProvider(new authx_1.TokenManager(idp, params.tokenManagerConfig), idp, {
+            onReAuthenticationError: params.onReAuthenticationError,
+            credentialsMapper: OID_CREDENTIALS_MAPPER
+        });
+    }
+    /**
+     * This method is used to create a credentials provider for service principals using certificate.
+     * @param params
+     */
+    static createForClientCredentialsWithCertificate(params) {
+        return this.#createForClientCredentials({
+            clientId: params.clientId,
+            clientCertificate: params.certificate
+        }, params);
+    }
+    /**
+     * This method is used to create a credentials provider for service principals using client secret.
+     * @param params
+     */
+    static createForClientCredentials(params) {
+        return this.#createForClientCredentials({
+            clientId: params.clientId,
+            clientSecret: params.clientSecret
+        }, params);
+    }
+    /**
+     * This method is used to create a credentials provider for the Authorization Code Flow with PKCE.
+     * @param params
+     */
+    static createForAuthorizationCodeWithPKCE(params) {
+        const requiredScopes = ['user.read', 'offline_access'];
+        const scopes = [...new Set([...(params.scopes || []), ...requiredScopes])];
+        const authFlow = AuthCodeFlowHelper.create({
+            clientId: params.clientId,
+            redirectUri: params.redirectUri,
+            scopes: scopes,
+            authorityConfig: params.authorityConfig
+        });
+        return {
+            getPKCECodes: AuthCodeFlowHelper.generatePKCE,
+            getAuthCodeUrl: (pkceCodes) => authFlow.getAuthCodeUrl(pkceCodes),
+            createCredentialsProvider: (pkceParams) => {
+                // This is used to store the initial credentials account to be used
+                // for silent token acquisition after the initial token acquisition.
+                let initialCredentialsAccount = null;
+                const idp = new msal_identity_provider_1.MSALIdentityProvider(async () => {
+                    if (!initialCredentialsAccount) {
+                        let authResult = await authFlow.acquireTokenByCode(pkceParams);
+                        initialCredentialsAccount = authResult.account;
+                        return authResult;
+                    }
+                    else {
+                        return authFlow.client.acquireTokenSilent({
+                            forceRefresh: true,
+                            account: initialCredentialsAccount,
+                            scopes
+                        });
+                    }
+                });
+                const tm = new authx_1.TokenManager(idp, params.tokenManagerConfig);
+                return new entraid_credentials_provider_1.EntraidCredentialsProvider(tm, idp, { onReAuthenticationError: params.onReAuthenticationError });
+            }
+        };
+    }
+    static getAuthority(config) {
+        switch (config.type) {
+            case 'multi-tenant':
+                return `https://login.microsoftonline.com/${config.tenantId}`;
+            case 'custom':
+                return config.authorityUrl;
+            case 'default':
+                return 'https://login.microsoftonline.com/common';
+            default:
+                throw new Error('Invalid authority configuration');
+        }
+    }
+}
+exports.EntraIdCredentialsProviderFactory = EntraIdCredentialsProviderFactory;
+const REDIS_SCOPE_DEFAULT = 'https://redis.azure.com/.default';
+const REDIS_SCOPE = 'https://redis.azure.com';
+const loggerOptions = {
+    loggerCallback(loglevel, message, containsPii) {
+        if (!containsPii)
+            console.log(message);
+    },
+    piiLoggingEnabled: false,
+    logLevel: msal_node_1.LogLevel.Error
+};
+/**
+ * The most important part of the RetryPolicy is the `isRetryable` function. This function is used to determine if a request should be retried based
+ * on the error returned from the identity provider. The default for is to retry on network errors only.
+ */
+exports.DEFAULT_RETRY_POLICY = {
+    // currently only retry on network errors
+    isRetryable: (error) => error instanceof msal_common_1.NetworkError,
+    maxAttempts: 10,
+    initialDelayMs: 100,
+    maxDelayMs: 100000,
+    backoffMultiplier: 2,
+    jitterPercentage: 0.1
+};
+exports.DEFAULT_TOKEN_MANAGER_CONFIG = {
+    retry: exports.DEFAULT_RETRY_POLICY,
+    expirationRefreshRatio: 0.7 // Refresh token when 70% of the token has expired
+};
+/**
+ * This class is used to help with the Authorization Code Flow with PKCE.
+ * It provides methods to generate PKCE codes, get the authorization URL, and create the credential provider.
+ */
+class AuthCodeFlowHelper {
+    client;
+    scopes;
+    redirectUri;
+    constructor(client, scopes, redirectUri) {
+        this.client = client;
+        this.scopes = scopes;
+        this.redirectUri = redirectUri;
+    }
+    async getAuthCodeUrl(pkceCodes) {
+        const authCodeUrlParameters = {
+            scopes: this.scopes,
+            redirectUri: this.redirectUri,
+            codeChallenge: pkceCodes.challenge,
+            codeChallengeMethod: pkceCodes.challengeMethod
+        };
+        return this.client.getAuthCodeUrl(authCodeUrlParameters);
+    }
+    async acquireTokenByCode(params) {
+        const tokenRequest = {
+            code: params.code,
+            scopes: this.scopes,
+            redirectUri: this.redirectUri,
+            codeVerifier: params.verifier,
+            clientInfo: params.clientInfo
+        };
+        return this.client.acquireTokenByCode(tokenRequest);
+    }
+    static async generatePKCE() {
+        const cryptoProvider = new msal_node_1.CryptoProvider();
+        const { verifier, challenge } = await cryptoProvider.generatePkceCodes();
+        return {
+            verifier,
+            challenge,
+            challengeMethod: 'S256'
+        };
+    }
+    static create(params) {
+        const config = {
+            auth: {
+                clientId: params.clientId,
+                authority: EntraIdCredentialsProviderFactory.getAuthority(params.authorityConfig ?? { type: 'default' })
+            },
+            system: {
+                loggerOptions
+            }
+        };
+        return new AuthCodeFlowHelper(new msal_node_1.PublicClientApplication(config), params.scopes ?? ['user.read'], params.redirectUri);
+    }
+}
+exports.AuthCodeFlowHelper = AuthCodeFlowHelper;
+const OID_CREDENTIALS_MAPPER = (token) => {
+    // Client credentials flow is app-only authentication (no user context),
+    // so only access token is provided without user-specific claims (uniqueId, idToken, ...)
+    // this means that we need to extract the oid from the access token manually
+    const accessToken = JSON.parse(Buffer.from(token.accessToken.split('.')[1], 'base64').toString());
+    return ({
+        username: accessToken.oid,
+        password: token.accessToken
+    });
+};
+//# sourceMappingURL=entra-id-credentials-provider-factory.js.map

package/dist/lib/entra-id-credentials-provider-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entra-id-credentials-provider-factory.js","sourceRoot":"","sources":["../../lib/entra-id-credentials-provider-factory.ts"],"names":[],"mappings":";;;AAAA,oDAAkD;AAClD,gDAO0B;AAC1B,wDAAoH;AACpH,iFAA4E;AAC5E,qEAAgE;AAEhE;;GAEG;AACH,MAAa,iCAAiC;IAE5C;;;;;;;OAOG;IACI,MAAM,CAAC,6BAA6B,CACzC,MAAwB,EAAE,oBAA6B;QAEvD,MAAM,MAAM,GAAiC;YAC3C,oDAAoD;YACpD,GAAG,CAAC,oBAAoB,IAAI;gBAC1B,uBAAuB,EAAE;oBACvB,oBAAoB;iBACrB;aACF,CAAC;YACF,MAAM,EAAE;gBACN,aAAa;aACd;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,sCAA0B,CAAC,MAAM,CAAC,CAAC;QAEtD,MAAM,GAAG,GAAG,IAAI,6CAAoB,CAClC,GAAG,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC;YACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,WAAW;YAC3C,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC/D,CAAC;QAEF,OAAO,IAAI,yDAA0B,CACnC,IAAI,oBAAY,CAAC,GAAG,EAAE,MAAM,CAAC,kBAAkB,CAAC,EAChD,GAAG,EACH,EAAE,uBAAuB,EAAE,MAAM,CAAC,uBAAuB,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,CACvG,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,sCAAsC,CAC3C,MAAwB;QAExB,OAAO,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,oCAAoC,CACzC,MAA2D;QAE3D,OAAO,IAAI,CAAC,6BAA6B,CAAC,MAAM,EAAE,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,CAAC,2BAA2B,CAChC,UAA2B,EAC3B,MAAwB;QAExB,MAAM,MAAM,GAAkB;YAC5B,IAAI,EAAE;gBACJ,GAAG,UAAU;gBACb,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;aAC5E;YACD,MAAM,EAAE;gBACN,aAAa;aACd;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,yCAA6B,CAAC,MAAM,CAAC,CAAC;QAEzD,MAAM,GAAG,GAAG,IAAI,6CAAoB,CAClC,GAAG,EAAE,CAAC,MAAM,CAAC,8BAA8B,CAAC;YAC1C,SAAS,EAAE,IAAI;YACf,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC;SAC/C,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC/D,CAAC;QAEF,OAAO,IAAI,yDAA0B,CAAC,IAAI,oBAAY,CAAC,GAAG,EAAE,MAAM,CAAC,kBAAkB,CAAC,EAAE,GAAG,EACzF;YACE,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;YACvD,iBAAiB,EAAE,sBAAsB;SAC1C,CAAC,CAAC;IACP,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,yCAAyC,CAC9C,MAA8C;QAE9C,OAAO,IAAI,CAAC,2BAA2B,CACrC;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,iBAAiB,EAAE,MAAM,CAAC,WAAW;SACtC,EACD,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,0BAA0B,CAC/B,MAAqC;QAErC,OAAO,IAAI,CAAC,2BAA2B,CACrC;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,EACD,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,kCAAkC,CACvC,MAA0B;QAe1B,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QAE3E,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;YACzC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM;YACd,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CAAC;QAEH,OAAO;YACL,YAAY,EAAE,kBAAkB,CAAC,YAAY;YAC7C,cAAc,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,SAAS,CAAC;YACjE,yBAAyB,EAAE,CAAC,UAAU,EAAE,EAAE;gBAExC,mEAAmE;gBACnE,oEAAoE;gBACpE,IAAI,yBAAyB,GAAuB,IAAI,CAAC;gBAEzD,MAAM,GAAG,GAAG,IAAI,6CAAoB,CAClC,KAAK,IAAI,EAAE;oBACT,IAAI,CAAC,yBAAyB,EAAE,CAAC;wBAC/B,IAAI,UAAU,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;wBAC/D,yBAAyB,GAAG,UAAU,CAAC,OAAO,CAAC;wBAC/C,OAAO,UAAU,CAAC;oBACpB,CAAC;yBAAM,CAAC;wBACN,OAAO,QAAQ,CAAC,MAAM,CAAC,kBAAkB,CAAC;4BACxC,YAAY,EAAE,IAAI;4BAClB,OAAO,EAAE,yBAAyB;4BAClC,MAAM;yBACP,CAAC,CAAC;oBACL,CAAC;gBAEH,CAAC,CACF,CAAC;gBACF,MAAM,EAAE,GAAG,IAAI,oBAAY,CAAC,GAAG,EAAE,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBAC5D,OAAO,IAAI,yDAA0B,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,uBAAuB,EAAE,MAAM,CAAC,uBAAuB,EAAE,CAAC,CAAC;YAC9G,CAAC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,MAAuB;QACzC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;YACpB,KAAK,cAAc;gBACjB,OAAO,qCAAqC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChE,KAAK,QAAQ;gBACX,OAAO,MAAM,CAAC,YAAY,CAAC;YAC7B,KAAK,SAAS;gBACZ,OAAO,0CAA0C,CAAC;YACpD;gBACE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;CAEF;AAtMD,8EAsMC;AAED,MAAM,mBAAmB,GAAG,kCAAkC,CAAC;AAC/D,MAAM,WAAW,GAAG,yBAAyB,CAAA;AAsC7C,MAAM,aAAa,GAAG;IACpB,cAAc,CAAC,QAAkB,EAAE,OAAe,EAAE,WAAoB;QACtE,IAAI,CAAC,WAAW;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IACD,iBAAiB,EAAE,KAAK;IACxB,QAAQ,EAAE,oBAAQ,CAAC,KAAK;CACzB,CAAA;AAED;;;GAGG;AACU,QAAA,oBAAoB,GAAgB;IAC/C,yCAAyC;IACzC,WAAW,EAAE,CAAC,KAAc,EAAE,EAAE,CAAC,KAAK,YAAY,0BAAY;IAC9D,WAAW,EAAE,EAAE;IACf,cAAc,EAAE,GAAG;IACnB,UAAU,EAAE,MAAM;IAClB,iBAAiB,EAAE,CAAC;IACpB,gBAAgB,EAAE,GAAG;CAEtB,CAAC;AAEW,QAAA,4BAA4B,GAAuB;IAC9D,KAAK,EAAE,4BAAoB;IAC3B,sBAAsB,EAAE,GAAG,CAAC,kDAAkD;CAC/E,CAAA;AAED;;;GAGG;AACH,MAAa,kBAAkB;IAElB;IACA;IACA;IAHX,YACW,MAA+B,EAC/B,MAAgB,EAChB,WAAmB;QAFnB,WAAM,GAAN,MAAM,CAAyB;QAC/B,WAAM,GAAN,MAAM,CAAU;QAChB,gBAAW,GAAX,WAAW,CAAQ;IAC3B,CAAC;IAEJ,KAAK,CAAC,cAAc,CAAC,SAGpB;QACC,MAAM,qBAAqB,GAA4B;YACrD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,aAAa,EAAE,SAAS,CAAC,SAAS;YAClC,mBAAmB,EAAE,SAAS,CAAC,eAAe;SAC/C,CAAC;QAEF,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,MAAkB;QACzC,MAAM,YAAY,GAA6B;YAC7C,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,MAAM,CAAC,QAAQ;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;QAEF,OAAO,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,YAAY;QAKvB,MAAM,cAAc,GAAG,IAAI,0BAAc,EAAE,CAAC;QAC5C,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,cAAc,CAAC,iBAAiB,EAAE,CAAC;QACzE,OAAO;YACL,QAAQ;YACR,SAAS;YACT,eAAe,EAAE,MAAM;SACxB,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,MAKb;QACC,MAAM,MAAM,GAAG;YACb,IAAI,EAAE;gBACJ,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,SAAS,EAAE,iCAAiC,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;aACzG;YACD,MAAM,EAAE;gBACN,aAAa;aACd;SACF,CAAC;QAEF,OAAO,IAAI,kBAAkB,CAC3B,IAAI,mCAAuB,CAAC,MAAM,CAAC,EACnC,MAAM,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,EAC9B,MAAM,CAAC,WAAW,CACnB,CAAC;IACJ,CAAC;CACF;AArED,gDAqEC;AAED,MAAM,sBAAsB,GAAG,CAAC,KAA2B,EAAE,EAAE;IAE7D,wEAAwE;IACxE,yFAAyF;IACzF,4EAA4E;IAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IAElG,OAAO,CAAC;QACN,QAAQ,EAAE,WAAW,CAAC,GAAG;QACzB,QAAQ,EAAE,KAAK,CAAC,WAAW;KAC5B,CAAC,CAAA;AAEJ,CAAC,CAAA"}

package/dist/lib/entraid-credentials-provider.d.ts

@@ -0,0 +1,26 @@
+import { AuthenticationResult } from '@azure/msal-common/node';
+import { BasicAuth, StreamingCredentialsProvider, IdentityProvider, TokenManager, ReAuthenticationError, StreamingCredentialsListener, Disposable } from '@redis/client/dist/lib/authx';
+/**
+ * A streaming credentials provider that uses the Entraid identity provider to provide credentials.
+ * Please use one of the factory functions in `entraid-credetfactories.ts` to create an instance of this class for the different
+ * type of authentication flows.
+ */
+export declare class EntraidCredentialsProvider implements StreamingCredentialsProvider {
+    #private;
+    readonly tokenManager: TokenManager<AuthenticationResult>;
+    readonly idp: IdentityProvider<AuthenticationResult>;
+    private readonly options;
+    readonly type = "streaming-credentials-provider";
+    constructor(tokenManager: TokenManager<AuthenticationResult>, idp: IdentityProvider<AuthenticationResult>, options?: {
+        onReAuthenticationError?: (error: ReAuthenticationError) => void;
+        credentialsMapper?: (token: AuthenticationResult) => BasicAuth;
+        onRetryableError?: (error: string) => void;
+    });
+    subscribe(listener: StreamingCredentialsListener<BasicAuth>): Promise<[BasicAuth, Disposable]>;
+    onReAuthenticationError: (error: ReAuthenticationError) => void;
+    hasActiveSubscriptions(): boolean;
+    getSubscriptionsCount(): number;
+    getTokenManager(): TokenManager<AuthenticationResult>;
+    getCurrentCredentials(): BasicAuth | null;
+}
+//# sourceMappingURL=entraid-credentials-provider.d.ts.map

package/dist/lib/entraid-credentials-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entraid-credentials-provider.d.ts","sourceRoot":"","sources":["../../lib/entraid-credentials-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EACL,SAAS,EAAE,4BAA4B,EAAE,gBAAgB,EAAE,YAAY,EACvE,qBAAqB,EAAE,4BAA4B,EAAmB,UAAU,EACjF,MAAM,8BAA8B,CAAC;AAEtC;;;;GAIG;AACH,qBAAa,0BAA2B,YAAW,4BAA4B;;aAe3D,YAAY,EAAE,YAAY,CAAC,oBAAoB,CAAC;aAChD,GAAG,EAAE,gBAAgB,CAAC,oBAAoB,CAAC;IAC3D,OAAO,CAAC,QAAQ,CAAC,OAAO;IAhB1B,QAAQ,CAAC,IAAI,oCAAoC;gBAc/B,YAAY,EAAE,YAAY,CAAC,oBAAoB,CAAC,EAChD,GAAG,EAAE,gBAAgB,CAAC,oBAAoB,CAAC,EAC1C,OAAO,GAAE;QACxB,uBAAuB,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,IAAI,CAAC;QACjE,iBAAiB,CAAC,EAAE,CAAC,KAAK,EAAE,oBAAoB,KAAK,SAAS,CAAC;QAC/D,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;KACvC;IAMF,SAAS,CACb,QAAQ,EAAE,4BAA4B,CAAC,SAAS,CAAC,GAChD,OAAO,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IA6BnC,uBAAuB,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,IAAI,CAAC;IA6CzD,sBAAsB,IAAI,OAAO;IAIjC,qBAAqB,IAAI,MAAM;IAI/B,eAAe;IAIf,qBAAqB,IAAI,SAAS,GAAG,IAAI;CAKjD"}

package/dist/lib/entraid-credentials-provider.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EntraidCredentialsProvider = void 0;
+/**
+ * A streaming credentials provider that uses the Entraid identity provider to provide credentials.
+ * Please use one of the factory functions in `entraid-credetfactories.ts` to create an instance of this class for the different
+ * type of authentication flows.
+ */
+class EntraidCredentialsProvider {
+    tokenManager;
+    idp;
+    options;
+    type = 'streaming-credentials-provider';
+    #listeners = new Set();
+    #tokenManagerDisposable = null;
+    #isStarting = false;
+    #pendingSubscribers = [];
+    constructor(tokenManager, idp, options = {}) {
+        this.tokenManager = tokenManager;
+        this.idp = idp;
+        this.options = options;
+        this.onReAuthenticationError = options.onReAuthenticationError ?? DEFAULT_ERROR_HANDLER;
+        this.#credentialsMapper = options.credentialsMapper ?? DEFAULT_CREDENTIALS_MAPPER;
+    }
+    async subscribe(listener) {
+        const currentToken = this.tokenManager.getCurrentToken();
+        if (currentToken) {
+            return [this.#credentialsMapper(currentToken.value), this.#createDisposable(listener)];
+        }
+        if (this.#isStarting) {
+            return new Promise((resolve, reject) => {
+                this.#pendingSubscribers.push({ resolve, reject, pendingListener: listener });
+            });
+        }
+        this.#isStarting = true;
+        try {
+            const initialToken = await this.#startTokenManagerAndObtainInitialToken();
+            this.#pendingSubscribers.forEach(({ resolve, pendingListener }) => {
+                resolve([this.#credentialsMapper(initialToken.value), this.#createDisposable(pendingListener)]);
+            });
+            this.#pendingSubscribers = [];
+            return [this.#credentialsMapper(initialToken.value), this.#createDisposable(listener)];
+        }
+        finally {
+            this.#isStarting = false;
+        }
+    }
+    onReAuthenticationError;
+    #credentialsMapper;
+    #createTokenManagerListener(subscribers) {
+        return {
+            onError: (error) => {
+                if (!error.isRetryable) {
+                    subscribers.forEach(listener => listener.onError(error));
+                }
+                else {
+                    this.options.onRetryableError?.(error.message);
+                }
+            },
+            onNext: (token) => {
+                const credentials = this.#credentialsMapper(token.value);
+                subscribers.forEach(listener => listener.onNext(credentials));
+            }
+        };
+    }
+    #createDisposable(listener) {
+        this.#listeners.add(listener);
+        return {
+            dispose: () => {
+                this.#listeners.delete(listener);
+                if (this.#listeners.size === 0 && this.#tokenManagerDisposable) {
+                    this.#tokenManagerDisposable.dispose();
+                    this.#tokenManagerDisposable = null;
+                }
+            }
+        };
+    }
+    async #startTokenManagerAndObtainInitialToken() {
+        const initialResponse = await this.idp.requestToken();
+        const token = this.tokenManager.wrapAndSetCurrentToken(initialResponse.token, initialResponse.ttlMs);
+        this.#tokenManagerDisposable = this.tokenManager.start(this.#createTokenManagerListener(this.#listeners), this.tokenManager.calculateRefreshTime(token));
+        return token;
+    }
+    hasActiveSubscriptions() {
+        return this.#tokenManagerDisposable !== null && this.#listeners.size > 0;
+    }
+    getSubscriptionsCount() {
+        return this.#listeners.size;
+    }
+    getTokenManager() {
+        return this.tokenManager;
+    }
+    getCurrentCredentials() {
+        const currentToken = this.tokenManager.getCurrentToken();
+        return currentToken ? this.#credentialsMapper(currentToken.value) : null;
+    }
+}
+exports.EntraidCredentialsProvider = EntraidCredentialsProvider;
+const DEFAULT_CREDENTIALS_MAPPER = (token) => ({
+    username: token.uniqueId,
+    password: token.accessToken
+});
+const DEFAULT_ERROR_HANDLER = (error) => console.error('ReAuthenticationError', error);
+//# sourceMappingURL=entraid-credentials-provider.js.map

package/dist/lib/entraid-credentials-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entraid-credentials-provider.js","sourceRoot":"","sources":["../../lib/entraid-credentials-provider.ts"],"names":[],"mappings":";;;AAMA;;;;GAIG;AACH,MAAa,0BAA0B;IAenB;IACA;IACC;IAhBV,IAAI,GAAG,gCAAgC,CAAC;IAExC,UAAU,GAAiD,IAAI,GAAG,EAAE,CAAC;IAE9E,uBAAuB,GAAsB,IAAI,CAAC;IAClD,WAAW,GAAY,KAAK,CAAC;IAE7B,mBAAmB,GAId,EAAE,CAAC;IAER,YACkB,YAAgD,EAChD,GAA2C,EAC1C,UAIb,EAAE;QANU,iBAAY,GAAZ,YAAY,CAAoC;QAChD,QAAG,GAAH,GAAG,CAAwC;QAC1C,YAAO,GAAP,OAAO,CAIlB;QAEN,IAAI,CAAC,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,IAAI,qBAAqB,CAAC;QACxF,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,iBAAiB,IAAI,0BAA0B,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,SAAS,CACb,QAAiD;QAGjD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAEzD,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QACzF,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC,CAAC;YAChF,CAAC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,uCAAuC,EAAE,CAAC;YAE1E,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE;gBAChE,OAAO,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAClG,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,mBAAmB,GAAG,EAAE,CAAC;YAE9B,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QACzF,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,uBAAuB,CAAyC;IAEhE,kBAAkB,CAA6C;IAE/D,2BAA2B,CAAC,WAAyD;QACnF,OAAO;YACL,OAAO,EAAE,CAAC,KAAe,EAAQ,EAAE;gBACjC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;oBACvB,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3D,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;YACD,MAAM,EAAE,CAAC,KAAsC,EAAQ,EAAE;gBACvD,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACzD,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;YAChE,CAAC;SACF,CAAC;IACJ,CAAC;IAED,iBAAiB,CAAC,QAAiD;QACjE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE9B,OAAO;YACL,OAAO,EAAE,GAAG,EAAE;gBACZ,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,uBAAuB,EAAE,CAAC;oBAC/D,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,CAAC;oBACvC,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC;gBACtC,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uCAAuC;QAC3C,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC,eAAe,CAAC,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC;QAErG,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CACpD,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,UAAU,CAAC,EACjD,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAC9C,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,sBAAsB;QAC3B,OAAO,IAAI,CAAC,uBAAuB,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,CAAC;IAC3E,CAAC;IAEM,qBAAqB;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;IAC9B,CAAC;IAEM,eAAe;QACpB,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAEM,qBAAqB;QAC1B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QACzD,OAAO,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3E,CAAC;CAEF;AAxHD,gEAwHC;AAED,MAAM,0BAA0B,GAAG,CAAC,KAA2B,EAAa,EAAE,CAAC,CAAC;IAC9E,QAAQ,EAAE,KAAK,CAAC,QAAQ;IACxB,QAAQ,EAAE,KAAK,CAAC,WAAW;CAC5B,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,CAAC,KAA4B,EAAE,EAAE,CAC7D,OAAO,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC"}

package/dist/lib/index.d.ts

@@ -0,0 +1,4 @@
+export * from './entra-id-credentials-provider-factory';
+export * from './entraid-credentials-provider';
+export * from './msal-identity-provider';
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,yCAAyC,CAAC;AACxD,cAAc,gCAAgC,CAAC;AAC/C,cAAc,0BAA0B,CAAC"}

package/dist/lib/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./entra-id-credentials-provider-factory"), exports);
+__exportStar(require("./entraid-credentials-provider"), exports);
+__exportStar(require("./msal-identity-provider"), exports);
+//# sourceMappingURL=index.js.map

package/dist/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,0EAAwD;AACxD,iEAA+C;AAC/C,2DAAyC"}

package/dist/lib/msal-identity-provider.d.ts

@@ -0,0 +1,8 @@
+import { AuthenticationResult } from '@azure/msal-node';
+import { IdentityProvider, TokenResponse } from '@redis/client/dist/lib/authx';
+export declare class MSALIdentityProvider implements IdentityProvider<AuthenticationResult> {
+    private readonly getToken;
+    constructor(getToken: () => Promise<AuthenticationResult>);
+    requestToken(): Promise<TokenResponse<AuthenticationResult>>;
+}
+//# sourceMappingURL=msal-identity-provider.d.ts.map

package/dist/lib/msal-identity-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"msal-identity-provider.d.ts","sourceRoot":"","sources":["../../lib/msal-identity-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oBAAoB,EACrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAE/E,qBAAa,oBAAqB,YAAW,gBAAgB,CAAC,oBAAoB,CAAC;IACjF,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAsC;gBAEnD,QAAQ,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC;IAInD,YAAY,IAAI,OAAO,CAAC,aAAa,CAAC,oBAAoB,CAAC,CAAC;CAgBnE"}

package/dist/lib/msal-identity-provider.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MSALIdentityProvider = void 0;
+class MSALIdentityProvider {
+    getToken;
+    constructor(getToken) {
+        this.getToken = getToken;
+    }
+    async requestToken() {
+        try {
+            const result = await this.getToken();
+            if (!result?.accessToken || !result?.expiresOn) {
+                throw new Error('Invalid token response');
+            }
+            return {
+                token: result,
+                ttlMs: result.expiresOn.getTime() - Date.now()
+            };
+        }
+        catch (error) {
+            throw error;
+        }
+    }
+}
+exports.MSALIdentityProvider = MSALIdentityProvider;
+//# sourceMappingURL=msal-identity-provider.js.map

package/dist/lib/msal-identity-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"msal-identity-provider.js","sourceRoot":"","sources":["../../lib/msal-identity-provider.ts"],"names":[],"mappings":";;;AAKA,MAAa,oBAAoB;IACd,QAAQ,CAAsC;IAE/D,YAAY,QAA6C;QACvD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YAErC,IAAI,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC;gBAC/C,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAC5C,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;aAC/C,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CAEF;AAvBD,oDAuBC"}

package/dist/lib/test-utils.d.ts

@@ -0,0 +1,18 @@
+import { StreamingCredentialsProvider } from '@redis/client/dist/lib/authx';
+import TestUtils from '@redis/test-utils';
+export declare const testUtils: TestUtils;
+export declare const GLOBAL: {
+    CLUSTERS: {
+        PASSWORD_WITH_REPLICAS: {
+            serverArguments: string[];
+            numberOfMasters: number;
+            numberOfReplicas: number;
+            clusterConfiguration: {
+                defaults: {
+                    credentialsProvider: StreamingCredentialsProvider;
+                };
+            };
+        };
+    };
+};
+//# sourceMappingURL=test-utils.d.ts.map

package/dist/lib/test-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-utils.d.ts","sourceRoot":"","sources":["../../lib/test-utils.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,4BAA4B,EAA+B,MAAM,8BAA8B,CAAC;AAC3H,OAAO,SAAS,MAAM,mBAAmB,CAAC;AAG1C,eAAO,MAAM,SAAS,WAIpB,CAAC;AAgCH,eAAO,MAAM,MAAM;;;;;;;;;;;;;CAIlB,CAAA"}

package/dist/lib/test-utils.js

@@ -0,0 +1,46 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GLOBAL = exports.testUtils = void 0;
+const authx_1 = require("@redis/client/dist/lib/authx");
+const test_utils_1 = __importDefault(require("@redis/test-utils"));
+const entraid_credentials_provider_1 = require("./entraid-credentials-provider");
+exports.testUtils = new test_utils_1.default({
+    dockerImageName: 'redis/redis-stack',
+    dockerImageVersionArgument: 'redis-version',
+    defaultDockerVersion: '7.4.0-v1'
+});
+const DEBUG_MODE_ARGS = exports.testUtils.isVersionGreaterThan([7]) ?
+    ['--enable-debug-command', 'yes'] :
+    [];
+const idp = {
+    requestToken() {
+        // @ts-ignore
+        return Promise.resolve({
+            ttlMs: 100000,
+            token: {
+                accessToken: 'password'
+            }
+        });
+    }
+};
+const tokenManager = new authx_1.TokenManager(idp, { expirationRefreshRatio: 0.8 });
+const entraIdCredentialsProvider = new entraid_credentials_provider_1.EntraidCredentialsProvider(tokenManager, idp);
+const PASSWORD_WITH_REPLICAS = {
+    serverArguments: ['--requirepass', 'password', ...DEBUG_MODE_ARGS],
+    numberOfMasters: 2,
+    numberOfReplicas: 1,
+    clusterConfiguration: {
+        defaults: {
+            credentialsProvider: entraIdCredentialsProvider
+        }
+    }
+};
+exports.GLOBAL = {
+    CLUSTERS: {
+        PASSWORD_WITH_REPLICAS
+    }
+};
+//# sourceMappingURL=test-utils.js.map

package/dist/lib/test-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-utils.js","sourceRoot":"","sources":["../../lib/test-utils.ts"],"names":[],"mappings":";;;;;;AACA,wDAA2H;AAC3H,mEAA0C;AAC1C,iFAA4E;AAE/D,QAAA,SAAS,GAAG,IAAI,oBAAS,CAAC;IACrC,eAAe,EAAE,mBAAmB;IACpC,0BAA0B,EAAE,eAAe;IAC3C,oBAAoB,EAAE,UAAU;CACjC,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,iBAAS,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC,CAAC;IACnC,EAAE,CAAC;AAEL,MAAM,GAAG,GAA2C;IAClD,YAAY;QACV,aAAa;QACb,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,KAAK,EAAE,MAAM;YACb,KAAK,EAAE;gBACL,WAAW,EAAE,UAAU;aACxB;SACF,CAAC,CAAA;IACJ,CAAC;CACF,CAAA;AAED,MAAM,YAAY,GAAG,IAAI,oBAAY,CAAuB,GAAG,EAAE,EAAE,sBAAsB,EAAE,GAAG,EAAE,CAAC,CAAC;AAClG,MAAM,0BAA0B,GAAiC,IAAI,yDAA0B,CAAC,YAAY,EAAE,GAAG,CAAC,CAAA;AAElH,MAAM,sBAAsB,GAAG;IAC7B,eAAe,EAAE,CAAC,eAAe,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC;IAClE,eAAe,EAAE,CAAC;IAClB,gBAAgB,EAAE,CAAC;IACnB,oBAAoB,EAAE;QACpB,QAAQ,EAAE;YACR,mBAAmB,EAAE,0BAA0B;SAChD;KACF;CACF,CAAA;AAEY,QAAA,MAAM,GAAG;IACpB,QAAQ,EAAE;QACR,sBAAsB;KACvB;CACF,CAAA"}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@redis/entraid",
+  "version": "5.0.0-next.6",
+  "license": "MIT",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist/",
+    "!dist/tsconfig.tsbuildinfo"
+  ],
+  "scripts": {
+    "clean": "rimraf dist",
+    "build": "npm run clean && tsc",
+    "start:auth-pkce": "tsx --tsconfig tsconfig.samples.json ./samples/auth-code-pkce/index.ts",
+    "test-integration": "mocha -r tsx --tsconfig tsconfig.integration-tests.json './integration-tests/**/*.spec.ts'",
+    "test": "nyc -r text-summary -r lcov mocha -r tsx './lib/**/*.spec.ts'"
+  },
+  "dependencies": {
+    "@azure/msal-node": "^2.16.1"
+  },
+  "peerDependencies": {
+    "@redis/client": "^5.0.0-next.6"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.21",
+    "@types/express-session": "^1.18.0",
+    "@types/node": "^22.9.0",
+    "dotenv": "^16.3.1",
+    "express": "^4.21.1",
+    "express-session": "^1.18.1",
+    "@redis/test-utils": "*"
+  },
+  "engines": {
+    "node": ">= 18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/redis/node-redis.git"
+  },
+  "bugs": {
+    "url": "https://github.com/redis/node-redis/issues"
+  },
+  "homepage": "https://github.com/redis/node-redis/tree/master/packages/entraid",
+  "keywords": [
+    "redis"
+  ]
+}