@azure/identity
Comparing version 4.4.1 to 4.5.0-alpha.20240813.2
@@ -6,3 +6,2 @@ // Copyright (c) Microsoft Corporation. | ||
import { createHttpHeaders, createPipelineRequest, } from "@azure/core-rest-pipeline"; | ||
import { AbortController } from "@azure/abort-controller"; | ||
import { AuthenticationError, AuthenticationErrorName } from "../errors"; | ||
@@ -147,3 +146,3 @@ import { getIdentityTokenEndpointSuffix } from "../util/identityTokenEndpoint"; | ||
if (existingOnAbort) { | ||
existingOnAbort(...params); | ||
existingOnAbort.apply(controller.signal, params); | ||
} | ||
@@ -150,0 +149,0 @@ }; |
@@ -6,3 +6,3 @@ // Copyright (c) Microsoft Corporation. | ||
*/ | ||
export const SDK_VERSION = `4.4.1`; | ||
export const SDK_VERSION = `4.5.0-beta.2`; | ||
/** | ||
@@ -9,0 +9,0 @@ * The default client ID for authentication |
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT license. | ||
import { ClientAssertionCredential } from "./clientAssertionCredential"; | ||
import { AuthenticationError, CredentialUnavailableError } from "../errors"; | ||
import { credentialLogger } from "../util/logging"; | ||
import { checkTenantId } from "../util/tenantIdUtils"; | ||
import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline"; | ||
import { ClientAssertionCredential } from "./clientAssertionCredential"; | ||
import { IdentityClient } from "../client/identityClient"; | ||
import { checkTenantId } from "../util/tenantIdUtils"; | ||
import { credentialLogger } from "../util/logging"; | ||
const credentialName = "AzurePipelinesCredential"; | ||
@@ -26,5 +26,14 @@ const logger = credentialLogger(credentialName); | ||
constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options) { | ||
if (!clientId || !tenantId || !serviceConnectionId || !systemAccessToken) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId, clientId, serviceConnectionId, and systemAccessToken are required parameters.`); | ||
if (!clientId) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter.`); | ||
} | ||
if (!tenantId) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter.`); | ||
} | ||
if (!serviceConnectionId) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. serviceConnectionId is a required parameter.`); | ||
} | ||
if (!systemAccessToken) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. systemAccessToken is a required parameter.`); | ||
} | ||
this.identityClient = new IdentityClient(options); | ||
@@ -31,0 +40,0 @@ checkTenantId(logger, tenantId); |
@@ -111,6 +111,2 @@ // Copyright (c) Microsoft Corporation. | ||
} | ||
let tenantSection = ""; | ||
if (tenantId) { | ||
tenantSection = `-TenantId "${tenantId}"`; | ||
} | ||
const results = await runCommands([ | ||
@@ -122,13 +118,34 @@ [ | ||
"-Command", | ||
"Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru", | ||
` | ||
$tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}" | ||
$m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru | ||
$useSecureString = $m.Version -ge [version]'2.17.0' | ||
$params = @{ | ||
ResourceUrl = "${resource}" | ||
} | ||
if ($tenantId.Length -gt 0) { | ||
$params["TenantId"] = $tenantId | ||
} | ||
if ($useSecureString) { | ||
$params["AsSecureString"] = $true | ||
} | ||
$token = Get-AzAccessToken @params | ||
$result = New-Object -TypeName PSObject | ||
$result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn | ||
if ($useSecureString) { | ||
$result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token) | ||
} else { | ||
$result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token | ||
} | ||
Write-Output (ConvertTo-Json $result) | ||
`, | ||
], | ||
[ | ||
powerShellCommand, | ||
"-NoProfile", | ||
"-NonInteractive", | ||
"-Command", | ||
`Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`, | ||
], | ||
]); | ||
const result = results[1]; | ||
const result = results[0]; | ||
return parseJsonToken(result); | ||
@@ -135,0 +152,0 @@ } |
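Review bot: `tenantId` and `resource` are spliced into the script as PowerShell double-quoted strings (`$tenantId = "${tenantId ...}"` and `ResourceUrl = "${resource}"`), where subexpressions, backticks and embedded quotes are still interpreted. The safety of this command therefore rests entirely on validation done before this point, which is outside the hunk and should be confirmed; emitting the values as single-quoted literals with `'` doubled would remove that dependency. Separately, `ConvertFrom-SecureString -AsPlainText` only exists in PowerShell 7 and later, so if `powerShellCommand` resolves to Windows PowerShell 5.1 with Az.Accounts 2.17.0 or newer, the `$useSecureString` branch would fail and needs a fallback conversion. The enclosing function starts and ends outside the hunk.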
@@ -5,2 +5,3 @@ // Copyright (c) Microsoft Corporation. | ||
import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils"; | ||
import { CredentialUnavailableError } from "../errors"; | ||
import { credentialLogger } from "../util/logging"; | ||
@@ -24,5 +25,11 @@ import { tracingClient } from "../util/tracing"; | ||
constructor(tenantId, clientId, getAssertion, options = {}) { | ||
if (!tenantId || !clientId || !getAssertion) { | ||
throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters."); | ||
if (!tenantId) { | ||
throw new CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter."); | ||
} | ||
if (!clientId) { | ||
throw new CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter."); | ||
} | ||
if (!getAssertion) { | ||
throw new CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter."); | ||
} | ||
this.tenantId = tenantId; | ||
@@ -29,0 +36,0 @@ this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants); |
@@ -59,3 +59,4 @@ // Copyright (c) Microsoft Corporation. | ||
async buildClientCertificate() { | ||
const parts = await this.parseCertificate(); | ||
var _a; | ||
const parts = await parseCertificate(this.certificateConfiguration, (_a = this.sendCertificateChain) !== null && _a !== void 0 ? _a : false); | ||
let privateKey; | ||
@@ -83,31 +84,38 @@ if (this.certificateConfiguration.certificatePassword !== undefined) { | ||
} | ||
async parseCertificate() { | ||
const certificate = this.certificateConfiguration.certificate; | ||
const certificatePath = this.certificateConfiguration.certificatePath; | ||
const certificateContents = certificate || (await readFile(certificatePath, "utf8")); | ||
const x5c = this.sendCertificateChain ? certificateContents : undefined; | ||
const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g; | ||
const publicKeys = []; | ||
// Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c | ||
let match; | ||
do { | ||
match = certificatePattern.exec(certificateContents); | ||
if (match) { | ||
publicKeys.push(match[3]); | ||
} | ||
} while (match); | ||
if (publicKeys.length === 0) { | ||
throw new Error("The file at the specified path does not contain a PEM-encoded certificate."); | ||
} | ||
/** | ||
* Parses a certificate into its relevant parts | ||
* | ||
* @param certificateConfiguration - The certificate contents or path to the certificate | ||
* @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise | ||
* @returns The parsed certificate parts and the certificate contents | ||
*/ | ||
export async function parseCertificate(certificateConfiguration, sendCertificateChain) { | ||
const certificate = certificateConfiguration.certificate; | ||
const certificatePath = certificateConfiguration.certificatePath; | ||
const certificateContents = certificate || (await readFile(certificatePath, "utf8")); | ||
const x5c = sendCertificateChain ? certificateContents : undefined; | ||
const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g; | ||
const publicKeys = []; | ||
// Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c | ||
let match; | ||
do { | ||
match = certificatePattern.exec(certificateContents); | ||
if (match) { | ||
publicKeys.push(match[3]); | ||
} | ||
const thumbprint = createHash("sha1") | ||
.update(Buffer.from(publicKeys[0], "base64")) | ||
.digest("hex") | ||
.toUpperCase(); | ||
return { | ||
certificateContents, | ||
thumbprint, | ||
x5c, | ||
}; | ||
} while (match); | ||
if (publicKeys.length === 0) { | ||
throw new Error("The file at the specified path does not contain a PEM-encoded certificate."); | ||
} | ||
const thumbprint = createHash("sha1") | ||
.update(Buffer.from(publicKeys[0], "base64")) | ||
.digest("hex") | ||
.toUpperCase(); | ||
return { | ||
certificateContents, | ||
thumbprint, | ||
x5c, | ||
}; | ||
} | ||
//# sourceMappingURL=clientCertificateCredential.js.map |
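Review bot: Now that `parseCertificate` is exported and takes the configuration as an argument, nothing inside it checks that either `certificate` or `certificatePath` is set, so a call with neither reaches `readFile(undefined, "utf8")` and fails with a generic argument error. Callers may validate earlier (not visible here), but a guard such as `if (!certificate && !certificatePath) throw new Error("parseCertificate: certificate or certificatePath is required.");` would make the function safe on its own. The existing message `The file at the specified path does not contain a PEM-encoded certificate.` is also misleading when the PEM was supplied inline through `certificate`.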
@@ -5,2 +5,3 @@ // Copyright (c) Microsoft Corporation. | ||
import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils"; | ||
import { CredentialUnavailableError } from "../errors"; | ||
import { credentialLogger } from "../util/logging"; | ||
@@ -30,5 +31,11 @@ import { ensureScopes } from "../util/scopeUtils"; | ||
constructor(tenantId, clientId, clientSecret, options = {}) { | ||
if (!tenantId || !clientId || !clientSecret) { | ||
throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot."); | ||
if (!tenantId) { | ||
throw new CredentialUnavailableError("ClientSecretCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot."); | ||
} | ||
if (!clientId) { | ||
throw new CredentialUnavailableError("ClientSecretCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot."); | ||
} | ||
if (!clientSecret) { | ||
throw new CredentialUnavailableError("ClientSecretCredential: clientSecret is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot."); | ||
} | ||
this.clientSecret = clientSecret; | ||
@@ -35,0 +42,0 @@ this.tenantId = tenantId; |
@@ -75,3 +75,3 @@ // Copyright (c) Microsoft Corporation. | ||
* | ||
* If the token can't be retrieved silently, this method will require user interaction to retrieve the token. | ||
* If the token can't be retrieved silently, this method will always generate a challenge for the user. | ||
* | ||
@@ -78,0 +78,0 @@ * @param scopes - The list of scopes for which the token will have access. |
@@ -26,2 +26,3 @@ // Copyright (c) Microsoft Corporation. | ||
"AZURE_ADDITIONALLY_ALLOWED_TENANTS", | ||
"AZURE_CLIENT_SEND_CERTIFICATE_CHAIN", | ||
]; | ||
@@ -35,2 +36,9 @@ function getAdditionallyAllowedTenants() { | ||
const logger = credentialLogger(credentialName); | ||
export function getSendCertificateChain() { | ||
var _a; | ||
const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase(); | ||
const result = sendCertificateChain === "true" || sendCertificateChain === "1"; | ||
logger.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`); | ||
return result; | ||
} | ||
/** | ||
@@ -55,2 +63,3 @@ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user | ||
* - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file. | ||
* - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication. | ||
* | ||
@@ -73,3 +82,4 @@ * Alternatively, users can provide environment variables for username and password authentication: | ||
const additionallyAllowedTenantIds = getAdditionallyAllowedTenants(); | ||
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds }); | ||
const sendCertificateChain = getSendCertificateChain(); | ||
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain }); | ||
if (tenantId) { | ||
@@ -76,0 +86,0 @@ checkTenantId(logger, tenantId); |
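Review bot: `getSendCertificateChain` enables the option only for `"true"` or `"1"` (case-insensitive, no trimming) and silently maps every other value, including a typo such as `yes`, to `false`, yet the doc line added for `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` does not list the accepted values. I would reword it to `(optional) set to "true" or "1" to send the certificate chain in the x5c header ...` and give the exported function a one-line doc comment stating the same rule. Since the setting decides whether subject name / issuer based authentication can succeed, an unrecognised non-empty value deserves a warning rather than only the verbose log line.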
@@ -74,3 +74,3 @@ // Copyright (c) Microsoft Corporation. | ||
* | ||
* If the token can't be retrieved silently, this method will require user interaction to retrieve the token. | ||
* If the token can't be retrieved silently, this method will always generate a challenge for the user. | ||
* | ||
@@ -77,0 +77,0 @@ * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default. |
@@ -94,2 +94,3 @@ // Copyright (c) Microsoft Corporation. | ||
const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use. | ||
logger.getToken.info(`MSAL Identity source: ${identitySource}`); | ||
if (isTokenExchangeMsi) { | ||
@@ -106,3 +107,3 @@ // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely. | ||
if (result === null) { | ||
throw new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received."); | ||
throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response."); | ||
} | ||
@@ -123,3 +124,3 @@ return result; | ||
if (!isAvailable) { | ||
throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is not available.`); | ||
throw new CredentialUnavailableError(`ManagedIdentityCredential: Attempted to use the IMDS endpoint, but it is not available.`); | ||
} | ||
@@ -150,5 +151,5 @@ } | ||
if (isNetworkError(err)) { | ||
throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`); | ||
throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err }); | ||
} | ||
throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`); | ||
throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err }); | ||
} | ||
@@ -170,3 +171,3 @@ }); | ||
if (!msalToken) { | ||
throw createError("No response"); | ||
throw createError("No response."); | ||
} | ||
@@ -173,0 +174,0 @@ if (!msalToken.expiresOn) { |
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT license. | ||
import { createMsalClient } from "../msal/nodeFlows/msalClient"; | ||
import { credentialLogger, formatError } from "../util/logging"; | ||
import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils"; | ||
import { credentialLogger, formatError } from "../util/logging"; | ||
import { CredentialUnavailableError } from "../errors"; | ||
import { createHash } from "node:crypto"; | ||
import { ensureScopes } from "../util/scopeUtils"; | ||
import { readFile } from "node:fs/promises"; | ||
import { tracingClient } from "../util/tracing"; | ||
import { createMsalClient } from "../msal/nodeFlows/msalClient"; | ||
import { readFile } from "node:fs/promises"; | ||
import { createHash } from "node:crypto"; | ||
const credentialName = "OnBehalfOfCredential"; | ||
@@ -21,8 +22,14 @@ const logger = credentialLogger(credentialName); | ||
const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options; | ||
if (!tenantId || | ||
!clientId || | ||
!(clientSecret || certificatePath || getAssertion) || | ||
!userAssertionToken) { | ||
throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath or getAssertion) and userAssertionToken are required parameters.`); | ||
if (!tenantId) { | ||
throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`); | ||
} | ||
if (!clientId) { | ||
throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`); | ||
} | ||
if (!clientSecret && !certificatePath && !getAssertion) { | ||
throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`); | ||
} | ||
if (!userAssertionToken) { | ||
throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`); | ||
} | ||
this.certificatePath = certificatePath; | ||
@@ -29,0 +36,0 @@ this.clientSecret = clientSecret; |
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT license. | ||
import { createMsalClient } from "../msal/nodeFlows/msalClient"; | ||
import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils"; | ||
import { CredentialUnavailableError } from "../errors"; | ||
import { credentialLogger } from "../util/logging"; | ||
import { ensureScopes } from "../util/scopeUtils"; | ||
import { tracingClient } from "../util/tracing"; | ||
import { createMsalClient } from "../msal/nodeFlows/msalClient"; | ||
const logger = credentialLogger("UsernamePasswordCredential"); | ||
@@ -28,5 +29,14 @@ /** | ||
constructor(tenantId, clientId, username, password, options = {}) { | ||
if (!tenantId || !clientId || !username || !password) { | ||
throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot."); | ||
if (!tenantId) { | ||
throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot."); | ||
} | ||
if (!clientId) { | ||
throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot."); | ||
} | ||
if (!username) { | ||
throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot."); | ||
} | ||
if (!password) { | ||
throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot."); | ||
} | ||
this.tenantId = tenantId; | ||
@@ -33,0 +43,0 @@ this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants); |
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT license. | ||
import { credentialLogger, processEnvVars } from "../util/logging"; | ||
import { ClientAssertionCredential } from "./clientAssertionCredential"; | ||
import { readFile } from "fs/promises"; | ||
import { CredentialUnavailableError } from "../errors"; | ||
import { credentialLogger, processEnvVars } from "../util/logging"; | ||
import { checkTenantId } from "../util/tenantIdUtils"; | ||
import { readFile } from "fs/promises"; | ||
const credentialName = "WorkloadIdentityCredential"; | ||
@@ -56,6 +56,16 @@ /** | ||
} | ||
if (clientId && tenantId && this.federatedTokenFilePath) { | ||
logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`); | ||
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options); | ||
if (!clientId) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_CLIENT_ID". | ||
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`); | ||
} | ||
if (!tenantId) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_TENANT_ID". | ||
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`); | ||
} | ||
if (!this.federatedTokenFilePath) { | ||
throw new CredentialUnavailableError(`${credentialName}: is unavailable. federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_FEDERATED_TOKEN_FILE". | ||
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`); | ||
} | ||
logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`); | ||
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options); | ||
} | ||
@@ -76,3 +86,3 @@ /** | ||
"AZURE_CLIENT_ID", | ||
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot `; | ||
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`; | ||
logger.info(errorMessage); | ||
@@ -79,0 +89,0 @@ throw new CredentialUnavailableError(errorMessage); |
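Review bot: The new guard tests the resolved `clientId`, but the `logger.info` line after the guards still prints `workloadIdentityCredentialOptions.clientId`, so the log can show `undefined` when the value did not come from the options object (how `clientId` is resolved is outside the hunk). Logging the value that was actually checked, `clientId: ${clientId}`, keeps the record of which identity was used accurate. Because the constructor now throws instead of leaving `this.client` unset, the `CredentialUnavailableError` path shown in the later hunk may no longer be reachable and is worth re-checking.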
@@ -18,4 +18,5 @@ // Copyright (c) Microsoft Corporation. | ||
export class CredentialUnavailableError extends Error { | ||
constructor(message) { | ||
super(message); | ||
constructor(message, options) { | ||
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property | ||
super(message, options); | ||
this.name = CredentialUnavailableErrorName; | ||
@@ -35,3 +36,3 @@ } | ||
// eslint-disable-next-line @typescript-eslint/ban-types | ||
constructor(statusCode, errorBody) { | ||
constructor(statusCode, errorBody, options) { | ||
let errorResponse = { | ||
@@ -54,4 +55,4 @@ error: "unknown", | ||
errorResponse = { | ||
error: "authority_not_found", | ||
errorDescription: "The specified authority URL was not found.", | ||
error: "invalid_request", | ||
errorDescription: `The service indicated that the request was invalid.\n\n${errorBody}`, | ||
}; | ||
@@ -73,3 +74,5 @@ } | ||
} | ||
super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription}`); | ||
super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription},`, | ||
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property | ||
options); | ||
this.statusCode = statusCode; | ||
@@ -117,3 +120,5 @@ this.errorResponse = errorResponse; | ||
options) { | ||
super(options.message); | ||
super(options.message, | ||
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property | ||
options.cause ? { cause: options.cause } : undefined); | ||
this.scopes = options.scopes; | ||
@@ -120,0 +125,0 @@ this.getTokenOptions = options.getTokenOptions; |
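Review bot: In the constructor taking `statusCode, errorBody, options`, the new `super(...)` call has a stray comma inside the template literal: the string now ends with `${errorResponse.errorDescription},` before the closing backtick, so every message gains a trailing `,`. Drop that comma so the literal ends at `${errorResponse.errorDescription}`. The new `invalid_request` branch also interpolates `errorBody` straight into `errorDescription`; whether it is always a string at that point is not visible in the hunk. Since the raw service response now lands in a message that is likely to be logged, it is worth confirming it cannot carry sensitive fields.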
@@ -11,4 +11,4 @@ // Copyright (c) Microsoft Corporation. | ||
import { getLogLevel } from "@azure/logger"; | ||
import open from "open"; | ||
import { resolveTenantId } from "../../util/tenantIdUtils"; | ||
import { interactiveBrowserMockable } from "./msalOpenBrowser"; | ||
/** | ||
@@ -19,2 +19,9 @@ * The default logger used if no logger was passed in by the credential. | ||
/** | ||
* A call to open(), but mockable | ||
* @internal | ||
*/ | ||
export const interactiveBrowserMockable = { | ||
open, | ||
}; | ||
/** | ||
* Generates the configuration for MSAL (Microsoft Authentication Library). | ||
@@ -21,0 +28,0 @@ * |
{ | ||
"name": "@azure/identity", | ||
"sdk-type": "client", | ||
"version": "4.4.1", | ||
"version": "4.5.0-alpha.20240813.2", | ||
"description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID", | ||
@@ -111,3 +111,3 @@ "main": "dist/index.js", | ||
"dependencies": { | ||
"@azure/abort-controller": "^1.0.0", | ||
"@azure/abort-controller": "^2.0.0", | ||
"@azure/core-auth": "^1.5.0", | ||
@@ -129,4 +129,4 @@ "@azure/core-client": "^1.9.2", | ||
"@azure-tools/test-recorder": "^3.0.0", | ||
"@azure/dev-tool": "^1.0.0", | ||
"@azure/eslint-plugin-azure-sdk": "^3.0.0", | ||
"@azure/dev-tool": ">=1.0.0-alpha <1.0.0-alphb", | ||
"@azure/eslint-plugin-azure-sdk": ">=3.0.0-alpha <3.0.0-alphb", | ||
"@azure/keyvault-keys": "^4.2.0", | ||
@@ -133,0 +133,0 @@ "@azure-tools/test-utils": "^1.0.1", |
@@ -216,3 +216,3 @@ # Azure Identity client library for JavaScript | ||
Credentials default to authenticating to the Microsoft Entra endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `authorityHost` argument in the constructor. The `AzureAuthorityHosts` interface defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way: | ||
Credentials default to authenticating to the Microsoft Entra endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `authorityHost` argument in the constructor. The [`AzureAuthorityHosts`][authority_hosts] enum defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way: | ||
@@ -231,2 +231,22 @@ ```typescript | ||
As an alternative to specifying the `authorityHost` argument, you can also set the `AZURE_AUTHORITY_HOST` environment variable to the URL of your cloud's authority. This approach is useful when configuring multiple credentials to authenticate to the same cloud or when the deployed environment needs to define the target cloud: | ||
```sh | ||
AZURE_AUTHORITY_HOST=https://login.partner.microsoftonline.cn | ||
``` | ||
The `AzureAuthorityHosts` enum defines authorities for well-known clouds for your convenience; however, if the authority for your cloud isn't listed in `AzureAuthorityHosts`, you may pass any valid authority URL as a string argument. For example: | ||
```typescript | ||
import { AzureAuthorityHosts, ClientSecretCredential } from "@azure/identity"; | ||
const credential = new ClientSecretCredential( | ||
"<YOUR_TENANT_ID>", | ||
"<YOUR_CLIENT_ID>", | ||
"<YOUR_CLIENT_SECRET>", | ||
{ | ||
authorityHost: "https://login.partner.microsoftonline.cn", | ||
} | ||
); | ||
``` | ||
Not all credentials require this configuration. Credentials that authenticate through a development tool, such as `AzureCliCredential`, use that tool's configuration. Similarly, `VisualStudioCodeCredential` accepts an `authorityHost` argument but defaults to the `authorityHost` matching Visual Studio Code's **Azure: Cloud** setting. | ||
@@ -374,3 +394,4 @@ | ||
[azure_identity_broker_readme]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-broker | ||
[authority_hosts]: https://learn.microsoft.com/javascript/api/@azure/identity/azureauthorityhosts | ||
![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-js%2Fsdk%2Fidentity%2Fidentity%2FREADME.png) |
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
- Removed@azure/abort-controller@1.1.0(transitive)