py2docfx 0.1.19rc2173760__py3-none-any.whl → 0.1.20__py3-none-any.whl

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/vscode.py

@@ -2,149 +2,190 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-import abc
 import os
-import sys
-from typing import cast, Any, Dict, Optional
-import warnings
+import json
+from typing import Any, Optional
 
+import msal
 from azure.core.credentials import AccessToken, TokenRequestOptions, AccessTokenInfo
 from azure.core.exceptions import ClientAuthenticationError
+
+from .._auth_record import AuthenticationRecord
 from .._exceptions import CredentialUnavailableError
-from .._constants import AzureAuthorityHosts, AZURE_VSCODE_CLIENT_ID, EnvironmentVariables
-from .._internal import normalize_authority, validate_tenant_id, within_dac
-from .._internal.aad_client import AadClient, AadClientBase
-from .._internal.get_token_mixin import GetTokenMixin
+from .._constants import AZURE_VSCODE_CLIENT_ID
+from .._internal import within_dac
+
 from .._internal.decorators import log_get_token
+from .._internal.utils import get_broker_credential, validate_tenant_id
 
-if sys.platform.startswith("win"):
-    from .._internal.win_vscode_adapter import get_refresh_token, get_user_settings
-elif sys.platform.startswith("darwin"):
-    from .._internal.macos_vscode_adapter import get_refresh_token, get_user_settings
-else:
-    from .._internal.linux_vscode_adapter import get_refresh_token, get_user_settings
+MAX_AUTH_RECORD_SIZE = 10 * 1024  # 10KB - more than enough for a small auth record
+VSCODE_AUTH_RECORD_PATHS = [
+    "~/.azure/ms-azuretools.vscode-azureresourcegroups/authRecord.json",
+    "~/.Azure/ms-azuretools.vscode-azureresourcegroups/authRecord.json",
+]
 
 
-class _VSCodeCredentialBase(abc.ABC):
-    def __init__(self, **kwargs: Any) -> None:
-        warnings.warn(
-            "This credential is deprecated because the Azure Account extension for Visual Studio Code, which this "
-            "credential relies on, has been deprecated. See the Azure Account extension deprecation notice here: "
-            "https://github.com/microsoft/vscode-azure-account/issues/964. Consider using other developer credentials "
-            "such as AzureCliCredential, AzureDeveloperCliCredential, or AzurePowerShellCredential.",
-            DeprecationWarning,
-            stacklevel=2,
-        )
-        super(_VSCodeCredentialBase, self).__init__()
-
-        user_settings = get_user_settings()
-        self._cloud = user_settings.get("azure.cloud", "AzureCloud")
-        self._refresh_token = None
-        self._unavailable_reason = ""
-
-        self._client = kwargs.get("_client")
-        if not self._client:
-            self._initialize(user_settings, **kwargs)
-        if not (self._client or self._unavailable_reason):
-            self._unavailable_reason = "Initialization failed"
-
-    @abc.abstractmethod
-    def _get_client(self, **kwargs: Any) -> AadClientBase:
-        pass
-
-    def _get_refresh_token(self) -> str:
-        if not self._refresh_token:
-            self._refresh_token = get_refresh_token(self._cloud)
-            if not self._refresh_token:
-                message = (
-                    "Failed to get Azure user details from Visual Studio Code. "
-                    "Currently, the VisualStudioCodeCredential only works with the Azure "
-                    "Account extension version 0.9.11 and earlier. A long-term fix is in "
-                    "progress, see https://github.com/Azure/azure-sdk-for-python/issues/25713"
-                )
-                raise CredentialUnavailableError(message=message)
-        return self._refresh_token
-
-    def _initialize(self, vscode_user_settings: Dict, **kwargs: Any) -> None:
-        """Build a client from kwargs merged with VS Code user settings.
+def load_vscode_auth_record() -> Optional[AuthenticationRecord]:
+    """Load the authentication record corresponding to a known location.
 
-        The first stable version of this credential defaulted to Public Cloud and the "organizations"
-        tenant when it failed to read VS Code user settings. That behavior is preserved here.
+    This will load from ~/.azure/ms-azuretools.vscode-azureresourcegroups/authRecord.json
+    or ~/.Azure/ms-azuretools.vscode-azureresourcegroups/authRecord.json
 
-        :param dict vscode_user_settings: VS Code user settings
-        """
+    :return: The authentication record if it exists, otherwise None.
+    :rtype: Optional[AuthenticationRecord]
+    :raises: ValueError if the authentication record is not in the expected format
+    """
 
-        # Precedence for authority:
-        #  1) VisualStudioCodeCredential(authority=...)
-        #  2) $AZURE_AUTHORITY_HOST
-        #  3) authority matching VS Code's "azure.cloud" setting
-        #  4) default: Public Cloud
-        authority = kwargs.pop("authority", None) or os.environ.get(EnvironmentVariables.AZURE_AUTHORITY_HOST)
-        if not authority:
-            # the application didn't specify an authority, so we figure it out from VS Code settings
-            if self._cloud == "AzureCloud":
-                authority = AzureAuthorityHosts.AZURE_PUBLIC_CLOUD
-            elif self._cloud == "AzureChinaCloud":
-                authority = AzureAuthorityHosts.AZURE_CHINA
-            elif self._cloud == "AzureUSGovernment":
-                authority = AzureAuthorityHosts.AZURE_GOVERNMENT
-            else:
-                # If the value is anything else ("AzureCustomCloud" is the only other known value),
-                # we need the user to provide the authority because VS Code has no setting for it and
-                # we can't guess confidently.
-                self._unavailable_reason = (
-                    'VS Code is configured to use a custom cloud. Set keyword argument "authority"'
-                    + ' with the Microsoft Entra endpoint for cloud "{}"'.format(self._cloud)
+    # Try each possible auth record path
+    for auth_record_path in VSCODE_AUTH_RECORD_PATHS:
+        expanded_path = os.path.expanduser(auth_record_path)
+        if os.path.exists(expanded_path):
+            file_size = os.path.getsize(expanded_path)
+            if file_size > MAX_AUTH_RECORD_SIZE:
+                error_message = (
+                    "VS Code auth record file is unexpectedly large. "
+                    "Please check the file for corruption or unexpected content."
                 )
-                return
-
-        # Precedence for tenant ID:
-        #  1) VisualStudioCodeCredential(tenant_id=...)
-        #  2) "azure.tenant" in VS Code user settings
-        #  3) default: organizations
-        tenant_id = kwargs.pop("tenant_id", None) or vscode_user_settings.get("azure.tenant", "organizations")
-        validate_tenant_id(tenant_id)
-        if tenant_id.lower() == "adfs":
-            self._unavailable_reason = "VisualStudioCodeCredential authentication unavailable. ADFS is not supported."
-            return
-
-        self._client = self._get_client(
-            authority=normalize_authority(authority), client_id=AZURE_VSCODE_CLIENT_ID, tenant_id=tenant_id, **kwargs
-        )
+                raise ValueError(error_message)
+            with open(expanded_path, "r", encoding="utf-8") as f:
+                deserialized = json.load(f)
+
+            # Validate the authentication record for security and structural integrity
+            _validate_auth_record_json(deserialized)
+
+            # Deserialize the authentication record
+            auth_record = AuthenticationRecord(
+                authority=deserialized["authority"],
+                client_id=deserialized["clientId"],
+                home_account_id=deserialized["homeAccountId"],
+                tenant_id=deserialized["tenantId"],
+                username=deserialized["username"],
+            )
+
+            return auth_record
 
+    # No auth record found in any of the expected locations
+    return None
 
-class VisualStudioCodeCredential(_VSCodeCredentialBase, GetTokenMixin):
-    """Authenticates as the Azure user signed in to Visual Studio Code via the 'Azure Account' extension.
 
-    **Deprecated**: This credential is deprecated because the Azure Account extension for Visual Studio Code, which
-    this credential relies on, has been deprecated. See the Azure Account extension deprecation notice here:
-    https://github.com/microsoft/vscode-azure-account/issues/964. Consider using other developer credentials such as
-    AzureCliCredential, AzureDeveloperCliCredential, or AzurePowerShellCredential.
+def _validate_auth_record_json(data: dict) -> None:
+    """Validate the authentication record.
 
-    :keyword str authority: Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com".
-        This argument is required for a custom cloud and usually unnecessary otherwise. Defaults to the authority
-        matching the "Azure: Cloud" setting in VS Code's user settings or, when that setting has no value, the
-        authority for Azure Public Cloud.
-    :keyword str tenant_id: ID of the tenant the credential should authenticate in. Defaults to the "Azure: Tenant"
-        setting in VS Code's user settings or, when that setting has no value, the "organizations" tenant, which
-        supports only Microsoft Entra work or school accounts.
+    :param dict data: The authentication record data to validate.
+    :raises ValueError: If the authentication record fails validation checks.
+    """
+    errors = []
+
+    # Schema Validation - Required Fields
+    try:
+        tenant_id = data["tenantId"]
+        if not tenant_id or not isinstance(tenant_id, str):
+            errors.append("tenantId must be a non-empty string")
+        else:
+            try:
+                validate_tenant_id(tenant_id)
+            except ValueError as e:
+                errors.append(f"tenantId validation failed: {e}")
+    except KeyError:
+        errors.append("tenantId field is missing")
+
+    try:
+        client_id = data["clientId"]
+        if not client_id or not isinstance(client_id, str):
+            errors.append("clientId must be a non-empty string")
+        elif client_id != AZURE_VSCODE_CLIENT_ID:
+            errors.append(
+                f"clientId must match expected VS Code Azure Resources extension client ID: {AZURE_VSCODE_CLIENT_ID}"
+            )
+    except KeyError:
+        errors.append("clientId field is missing")
+
+    try:
+        username = data["username"]
+        if not username or not isinstance(username, str):
+            errors.append("username must be a non-empty string")
+    except KeyError:
+        errors.append("username field is missing")
+
+    try:
+        home_account_id = data["homeAccountId"]
+        if not home_account_id or not isinstance(home_account_id, str):
+            errors.append("homeAccountId must be a non-empty string")
+    except KeyError:
+        errors.append("homeAccountId field is missing")
+
+    try:
+        authority = data["authority"]
+        if not authority or not isinstance(authority, str):
+            errors.append("authority must be a non-empty string")
+    except KeyError:
+        errors.append("authority field is missing")
+
+    if errors:
+        error_message = "Authentication record validation failed: " + "; ".join(errors)
+        raise ValueError(error_message)
+
+
+class VisualStudioCodeCredential:
+    """Authenticates as the Azure user signed in to Visual Studio Code via the 'Azure Resources' extension.
+
+    This currently only works in Windows/WSL environments and requires the 'azure-identity-broker'
+    package to be installed.
+
+    :keyword str tenant_id: A Microsoft Entra tenant ID. Defaults to the tenant specified in the authentication
+        record file used by the Azure Resources extension.
     :keyword List[str] additionally_allowed_tenants: Specifies tenants in addition to the specified "tenant_id"
         for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to
         acquire tokens for any tenant the application can access.
     """
 
+    def __init__(self, **kwargs: Any) -> None:
+
+        self._broker_credential = None
+        self._unavailable_message = (
+            "VisualStudioCodeCredential requires the 'azure-identity-broker' package to be installed. "
+            "You must also ensure you have the Azure Resources extension installed and have "
+            "signed in to Azure via Visual Studio Code."
+        )
+
+        broker_credential_class = get_broker_credential()
+        if broker_credential_class:
+            try:
+                # Load the authentication record from the VS Code extension
+                authentication_record = load_vscode_auth_record()
+                if not authentication_record:
+                    self._unavailable_message = (
+                        "VisualStudioCodeCredential requires the user to be signed in to Azure via Visual Studio Code. "
+                        "Please ensure you have the Azure Resources extension installed and have signed in."
+                    )
+                    return
+                self._broker_credential = broker_credential_class(
+                    client_id=AZURE_VSCODE_CLIENT_ID,
+                    authentication_record=authentication_record,
+                    parent_window_handle=msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE,
+                    use_default_broker_account=True,
+                    disable_interactive_fallback=True,
+                    **kwargs,
+                )
+            except ValueError as ex:
+                self._unavailable_message = (
+                    "Failed to load authentication record from Visual Studio Code: "
+                    f"{ex}. Please ensure you have the Azure Resources extension installed and signed in."
+                )
+
     def __enter__(self) -> "VisualStudioCodeCredential":
-        if self._client:
-            self._client.__enter__()
+        if self._broker_credential:
+            self._broker_credential.__enter__()
         return self
 
     def __exit__(self, *args: Any) -> None:
-        if self._client:
-            self._client.__exit__(*args)
+        if self._broker_credential:
+            self._broker_credential.__exit__(*args)
 
     def close(self) -> None:
         """Close the credential's transport session."""
-        self.__exit__()
+        if self._broker_credential:
+            self._broker_credential.close()
 
     @log_get_token
     def get_token(
@@ -166,20 +207,15 @@ class VisualStudioCodeCredential(_VSCodeCredentialBase, GetTokenMixin):
         :raises ~azure.identity.CredentialUnavailableError: the credential cannot retrieve user details from Visual
           Studio Code
         """
-        if self._unavailable_reason:
-            error_message = (
-                self._unavailable_reason + "\n"
-                "Visit https://aka.ms/azsdk/python/identity/vscodecredential/troubleshoot"
-                " to troubleshoot this issue."
-            )
-            raise CredentialUnavailableError(message=error_message)
+        if not self._broker_credential:
+            raise CredentialUnavailableError(message=self._unavailable_message)
         if within_dac.get():
             try:
-                token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
+                token = self._broker_credential.get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
                 return token
             except ClientAuthenticationError as ex:
                 raise CredentialUnavailableError(message=ex.message) from ex
-        return super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
+        return self._broker_credential.get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
 
     def get_token_info(self, *scopes: str, options: Optional[TokenRequestOptions] = None) -> AccessTokenInfo:
         """Request an access token for `scopes` as the user currently signed in to Visual Studio Code.
@@ -197,29 +233,12 @@ class VisualStudioCodeCredential(_VSCodeCredentialBase, GetTokenMixin):
         :raises ~azure.identity.CredentialUnavailableError: the credential cannot retrieve user details from Visual
           Studio Code.
         """
-        if self._unavailable_reason:
-            error_message = (
-                self._unavailable_reason + "\n"
-                "Visit https://aka.ms/azsdk/python/identity/vscodecredential/troubleshoot"
-                " to troubleshoot this issue."
-            )
-            raise CredentialUnavailableError(message=error_message)
+        if not self._broker_credential:
+            raise CredentialUnavailableError(message=self._unavailable_message)
         if within_dac.get():
             try:
-                token = super().get_token_info(*scopes, options=options)
+                token = self._broker_credential.get_token_info(*scopes, options=options)
                 return token
             except ClientAuthenticationError as ex:
                 raise CredentialUnavailableError(message=ex.message) from ex
-        return super().get_token_info(*scopes, options=options)
-
-    def _acquire_token_silently(self, *scopes: str, **kwargs: Any) -> Optional[AccessTokenInfo]:
-        self._client = cast(AadClient, self._client)
-        return self._client.get_cached_access_token(scopes, **kwargs)
-
-    def _request_token(self, *scopes: str, **kwargs: Any) -> AccessTokenInfo:
-        refresh_token = self._get_refresh_token()
-        self._client = cast(AadClient, self._client)
-        return self._client.obtain_token_by_refresh_token(scopes, refresh_token, **kwargs)
-
-    def _get_client(self, **kwargs: Any) -> AadClient:
-        return AadClient(**kwargs)
+        return self._broker_credential.get_token_info(*scopes, options=options)

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/workload_identity.py

@@ -11,6 +11,13 @@ from .client_assertion import ClientAssertionCredential
 from .._constants import EnvironmentVariables
 
 
+WORKLOAD_CONFIG_ERROR = (
+    "WorkloadIdentityCredential authentication unavailable. The workload options are not fully "
+    "configured. See the troubleshooting guide for more information: "
+    "https://aka.ms/azsdk/python/identity/workloadidentitycredential/troubleshoot"
+)
+
+
 class TokenFileMixin:
 
     _token_file_path: str
@@ -72,21 +79,25 @@ class WorkloadIdentityCredential(ClientAssertionCredential, TokenFileMixin):
         tenant_id = tenant_id or os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)
         client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)
         token_file_path = token_file_path or os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE)
+
+        missing_args = []
         if not tenant_id:
-            raise ValueError(
-                "'tenant_id' is required. Please pass it in or set the "
-                f"{EnvironmentVariables.AZURE_TENANT_ID} environment variable"
-            )
+            missing_args.append("'tenant_id'")
         if not client_id:
-            raise ValueError(
-                "'client_id' is required. Please pass it in or set the "
-                f"{EnvironmentVariables.AZURE_CLIENT_ID} environment variable"
-            )
+            missing_args.append("'client_id'")
         if not token_file_path:
-            raise ValueError(
-                "'token_file_path' is required. Please pass it in or set the "
-                f"{EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE} environment variable"
-            )
+            missing_args.append("'token_file_path'")
+
+        if missing_args:
+            missing_args_str = ", ".join(missing_args)
+            error_message = f"{WORKLOAD_CONFIG_ERROR}. Missing required arguments: {missing_args_str}."
+            raise ValueError(error_message)
+
+        # Type assertions since we've validated these are not None
+        assert tenant_id is not None
+        assert client_id is not None
+        assert token_file_path is not None
+
         self._token_file_path = token_file_path
         super(WorkloadIdentityCredential, self).__init__(
             tenant_id=tenant_id,

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_internal/__init__.py

@@ -11,6 +11,7 @@ from .interactive import InteractiveCredential
 from .utils import (
     get_default_authority,
     normalize_authority,
+    process_credential_exclusions,
     resolve_tenant,
     validate_scope,
     validate_subscription,
@@ -48,6 +49,7 @@ __all__ = [
     "get_default_authority",
     "InteractiveCredential",
     "normalize_authority",
+    "process_credential_exclusions",
     "resolve_tenant",
     "validate_scope",
     "validate_subscription",

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_internal/pipeline.py

@@ -63,7 +63,8 @@ def _get_policies(config, _per_retry_policies=None, **kwargs):
 def build_pipeline(transport=None, policies=None, **kwargs):
     if not policies:
         config = _get_config(**kwargs)
-        config.retry_policy = RetryPolicy(**kwargs)
+        retry_policy_class = kwargs.pop("retry_policy_class", None)
+        config.retry_policy = retry_policy_class(**kwargs) if retry_policy_class else RetryPolicy(**kwargs)
         policies = _get_policies(config, **kwargs)
     if not transport:
         from azure.core.pipeline.transport import (  # pylint: disable=non-abstract-transport-import, no-name-in-module
@@ -82,7 +83,8 @@ def build_async_pipeline(transport=None, policies=None, **kwargs):
         from azure.core.pipeline.policies import AsyncRetryPolicy
 
         config = _get_config(**kwargs)
-        config.retry_policy = AsyncRetryPolicy(**kwargs)
+        retry_policy_class = kwargs.pop("retry_policy_class", None)
+        config.retry_policy = retry_policy_class(**kwargs) if retry_policy_class else AsyncRetryPolicy(**kwargs)
         policies = _get_policies(config, **kwargs)
     if not transport:
         from azure.core.pipeline.transport import (  # pylint: disable=non-abstract-transport-import, no-name-in-module

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_internal/utils.py

@@ -3,6 +3,7 @@
 # Licensed under the MIT License.
 # ------------------------------------
 import os
+import platform
 import logging
 from contextvars import ContextVar
 from string import ascii_letters, digits
@@ -133,3 +134,87 @@ def resolve_tenant(
         'when creating the credential, or add "*" to additionally_allowed_tenants to allow '
         "acquiring tokens for any tenant.".format(tenant_id)
     )
+
+
+def process_credential_exclusions(credential_config: dict, exclude_flags: dict, user_excludes: dict) -> dict:
+    """Process credential exclusions based on environment variable and user overrides.
+
+    This method handles the AZURE_TOKEN_CREDENTIALS environment variable to determine
+    which credentials should be excluded from the credential chain, and then applies
+    any user-provided exclude overrides which take precedence over environment settings.
+
+    :param credential_config: Configuration mapping for all available credentials, containing
+        exclude parameter names, environment names, and default exclude settings
+    :type credential_config: dict
+    :param exclude_flags: Dictionary of exclude flags for each credential (will be modified)
+    :type exclude_flags: dict
+    :param user_excludes: User-provided exclude overrides from constructor kwargs
+    :type user_excludes: dict
+
+    :return: Dictionary of final exclude flags for each credential
+    :rtype: dict
+
+    :raises ValueError: If token_credentials_env contains an invalid credential name
+    """
+    # Handle AZURE_TOKEN_CREDENTIALS environment variable
+    token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()
+
+    if token_credentials_env == "dev":
+        # In dev mode, use only developer credentials
+        dev_credentials = {"visual_studio_code", "cli", "developer_cli", "powershell", "shared_token_cache"}
+        for cred_key in credential_config:
+            exclude_flags[cred_key] = cred_key not in dev_credentials
+    elif token_credentials_env == "prod":
+        # In prod mode, use only production credentials
+        prod_credentials = {"environment", "workload_identity", "managed_identity"}
+        for cred_key in credential_config:
+            exclude_flags[cred_key] = cred_key not in prod_credentials
+    elif token_credentials_env:
+        # If a specific credential is specified, exclude all others except the specified one
+        valid_credentials = {config["env_name"] for config in credential_config.values() if "env_name" in config}
+
+        if token_credentials_env not in valid_credentials:
+            valid_values = ["dev", "prod"] + sorted(valid_credentials)
+            raise ValueError(
+                f"Invalid value for {EnvironmentVariables.AZURE_TOKEN_CREDENTIALS}: {token_credentials_env}. "
+                f"Valid values are: {', '.join(valid_values)}."
+            )
+
+        # Find which credential was selected and exclude all others
+        selected_cred_key = None
+        for cred_key, config in credential_config.items():
+            if config.get("env_name") == token_credentials_env:
+                selected_cred_key = cred_key
+                break
+
+        for cred_key in credential_config:
+            exclude_flags[cred_key] = cred_key != selected_cred_key
+
+    # Apply user-provided exclude flags (these override environment variable settings)
+    for cred_key, user_value in user_excludes.items():
+        if user_value is not None:
+            exclude_flags[cred_key] = user_value
+
+    return exclude_flags
+
+
+def get_broker_credential() -> Optional[type]:
+    """Return the InteractiveBrowserBrokerCredential class if available, otherwise None.
+
+    :return: InteractiveBrowserBrokerCredential class or None
+    :rtype: Optional[type]
+    """
+    try:
+        from azure.identity.broker import InteractiveBrowserBrokerCredential
+
+        return InteractiveBrowserBrokerCredential
+    except ImportError:
+        return None
+
+
+def is_wsl() -> bool:
+    # This is how MSAL checks for WSL.
+    uname = platform.uname()
+    platform_name = getattr(uname, "system", uname[0]).lower()
+    release = getattr(uname, "release", uname[2]).lower()
+    return platform_name == "linux" and "microsoft" in release

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_version.py

@@ -2,4 +2,4 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-VERSION = "1.23.1"
+VERSION = "1.24.0"

py2docfx/venv/venv1/Lib/site-packages/azure/identity/aio/_credentials/authorization_code.py

@@ -133,7 +133,7 @@ class AuthorizationCodeCredential(AsyncContextManager, GetTokenMixin):
             return token
 
         token = cast(AccessTokenInfo, None)
-        for refresh_token in self._client.get_cached_refresh_tokens(scopes):
+        for refresh_token in self._client.get_cached_refresh_tokens(scopes, **kwargs):
             if "secret" in refresh_token:
                 token = await self._client.obtain_token_by_refresh_token(scopes, refresh_token["secret"], **kwargs)
                 if token: