
@azure/identity - npm Package Compare versions

Comparing version 4.5.0-beta.1 to 4.5.0-beta.2

dist-esm/src/msal/browserFlows/flows.js

3

dist-esm/src/client/identityClient.js

@@ -6,3 +6,2 @@ // Copyright (c) Microsoft Corporation.

import { createHttpHeaders, createPipelineRequest, } from "@azure/core-rest-pipeline";
import { AbortController } from "@azure/abort-controller";
import { AuthenticationError, AuthenticationErrorName } from "../errors";

@@ -147,3 +146,3 @@ import { getIdentityTokenEndpointSuffix } from "../util/identityTokenEndpoint";

if (existingOnAbort) {
existingOnAbort(...params);
existingOnAbort.apply(controller.signal, params);
}

@@ -150,0 +149,0 @@ };

@@ -6,3 +6,3 @@ // Copyright (c) Microsoft Corporation.

*/
export const SDK_VERSION = `4.5.0-beta.1`;
export const SDK_VERSION = `4.5.0-beta.2`;
/**

@@ -9,0 +9,0 @@ * The default client ID for authentication

// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
import { ClientAssertionCredential } from "./clientAssertionCredential";
import { AuthenticationError, CredentialUnavailableError } from "../errors";
import { credentialLogger } from "../util/logging";
import { checkTenantId } from "../util/tenantIdUtils";
import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline";
import { ClientAssertionCredential } from "./clientAssertionCredential";
import { IdentityClient } from "../client/identityClient";
import { checkTenantId } from "../util/tenantIdUtils";
import { credentialLogger } from "../util/logging";
const credentialName = "AzurePipelinesCredential";

@@ -26,5 +26,14 @@ const logger = credentialLogger(credentialName);

constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options) {
if (!clientId || !tenantId || !serviceConnectionId || !systemAccessToken) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId, clientId, serviceConnectionId, and systemAccessToken are required parameters.`);
if (!clientId) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter.`);
}
if (!tenantId) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter.`);
}
if (!serviceConnectionId) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. serviceConnectionId is a required parameter.`);
}
if (!systemAccessToken) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. systemAccessToken is a required parameter.`);
}
this.identityClient = new IdentityClient(options);

@@ -81,28 +90,43 @@ checkTenantId(logger, tenantId);

const response = await this.identityClient.sendRequest(request);
const text = response.bodyAsText;
if (!text) {
logger.error(`${credentialName}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
throw new AuthenticationError(response.status, `${credentialName}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
return handleOidcResponse(response);
}
}
export function handleOidcResponse(response) {
const text = response.bodyAsText;
if (!text) {
logger.error(`${credentialName}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
throw new AuthenticationError(response.status, {
error: `${credentialName}: Authentication Failed. Received null token from OIDC request.`,
error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
});
}
try {
const result = JSON.parse(text);
if (result === null || result === void 0 ? void 0 : result.oidcToken) {
return result.oidcToken;
}
try {
const result = JSON.parse(text);
if (result === null || result === void 0 ? void 0 : result.oidcToken) {
return result.oidcToken;
else {
const errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
let errorDescription = ``;
if (response.status !== 200) {
errorDescription = `Complete response - ${JSON.stringify(result)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
}
else {
let errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
if (response.status !== 200) {
errorMessage += `Response = ${JSON.stringify(result)}`;
}
logger.error(errorMessage);
throw new AuthenticationError(response.status, errorMessage);
}
logger.error(errorMessage);
logger.error(errorDescription);
throw new AuthenticationError(response.status, {
error: errorMessage,
error_description: errorDescription,
});
}
catch (e) {
logger.error(e.message);
logger.error(`${credentialName}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
throw new AuthenticationError(response.status, `${credentialName}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
}
}
catch (e) {
const errorDetails = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
logger.error(`Response from service = ${text} and error message = ${e.message}`);
logger.error(errorDetails);
throw new AuthenticationError(response.status, {
error: errorDetails,
error_description: `Response = ${text}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
});
}
}
//# sourceMappingURL=azurePipelinesCredential.js.map
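Review bot: `handleOidcResponse` writes `JSON.stringify(response)` into both `logger.error` and the `error_description` of the thrown `AuthenticationError`, and the other failure branches do the same with `result` and the raw `text`. If the response object carries the originating request, that string can include the `Authorization` header built from `systemAccessToken`; this is an inference, because the request construction is outside the visible lines. I would log `response.status` plus a fixed set of non-sensitive fields and keep the serialized response and raw body out of the exception message, since exception text usually travels further than logs. As far as the interleaved old and new lines show, the `catch (e)` also surrounds the `else` branch, so the more specific `AuthenticationError` thrown there is caught and replaced by the generic one.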

@@ -111,6 +111,2 @@ // Copyright (c) Microsoft Corporation.

}
let tenantSection = "";
if (tenantId) {
tenantSection = `-TenantId "${tenantId}"`;
}
const results = await runCommands([

@@ -122,19 +118,35 @@ [

"-Command",
"Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
`
$tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
$m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
$useSecureString = $m.Version -ge [version]'2.17.0'
$params = @{
ResourceUrl = "${resource}"
}
if ($tenantId.Length -gt 0) {
$params["TenantId"] = $tenantId
}
if ($useSecureString) {
$params["AsSecureString"] = $true
}
$token = Get-AzAccessToken @params
$result = New-Object -TypeName PSObject
$result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
if ($useSecureString) {
$result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
} else {
$result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
}
Write-Output (ConvertTo-Json $result)
`,
],
[
powerShellCommand,
"-NoProfile",
"-NonInteractive",
"-Command",
`Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
],
]);
const result = results[1];
try {
return JSON.parse(result);
}
catch (e) {
throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
}
const result = results[0];
return parseJsonToken(result);
}

@@ -186,2 +198,34 @@ throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);

}
/**
*
* @internal
*/
export async function parseJsonToken(result) {
const jsonRegex = /{[^{}]*}/g;
const matches = result.match(jsonRegex);
let resultWithoutToken = result;
if (matches) {
try {
for (const item of matches) {
try {
const jsonContent = JSON.parse(item);
if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
resultWithoutToken = resultWithoutToken.replace(item, "");
if (resultWithoutToken) {
logger.getToken.warning(resultWithoutToken);
}
return jsonContent;
}
}
catch (e) {
continue;
}
}
}
catch (e) {
throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
}
}
throw new Error(`No access token found in the output. Received output: ${result}`);
}
//# sourceMappingURL=azurePowerShellCredential.js.map
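Review bot: The new `-Command` script interpolates `tenantId` and `resource` straight into double-quoted PowerShell strings (`$tenantId = "${tenantId ...}"`, `ResourceUrl = "${resource}"`), where quotes, backticks and `$(...)` are interpreted by PowerShell rather than treated as data. Validation of both values is not visible in this section, so confirm each is checked against a strict pattern before it reaches `runCommands`, or hand them over as data instead of script text, for example through environment variables read with `$env:`. Separately, `parseJsonToken` copies the complete PowerShell output into both thrown `Error` messages; if the token object is not matched by `/{[^{}]*}/g` (for instance when a property serializes as a nested object), the plaintext token ends up in the exception text. `ConvertFrom-SecureString -AsPlainText` also exists only in PowerShell 7 and later, which matters if `powerShellCommand` can resolve to Windows PowerShell.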

@@ -5,2 +5,3 @@ // Copyright (c) Microsoft Corporation.

import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils";
import { CredentialUnavailableError } from "../errors";
import { credentialLogger } from "../util/logging";

@@ -24,5 +25,11 @@ import { tracingClient } from "../util/tracing";

constructor(tenantId, clientId, getAssertion, options = {}) {
if (!tenantId || !clientId || !getAssertion) {
throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
if (!tenantId) {
throw new CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter.");
}
if (!clientId) {
throw new CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter.");
}
if (!getAssertion) {
throw new CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter.");
}
this.tenantId = tenantId;

@@ -29,0 +36,0 @@ this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
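Review bot: The third guard reports `clientAssertion is a required parameter` although the constructor argument it checks is `getAssertion`; naming the real parameter, `"ClientAssertionCredential: getAssertion is a required parameter."`, makes the error actionable. The same wording was present in the removed combined message, so this is a carry-over rather than a regression. The constructor body continues outside the visible lines.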

@@ -59,3 +59,4 @@ // Copyright (c) Microsoft Corporation.

async buildClientCertificate() {
const parts = await this.parseCertificate();
var _a;
const parts = await parseCertificate(this.certificateConfiguration, (_a = this.sendCertificateChain) !== null && _a !== void 0 ? _a : false);
let privateKey;

@@ -83,31 +84,38 @@ if (this.certificateConfiguration.certificatePassword !== undefined) {

}
async parseCertificate() {
const certificate = this.certificateConfiguration.certificate;
const certificatePath = this.certificateConfiguration.certificatePath;
const certificateContents = certificate || (await readFile(certificatePath, "utf8"));
const x5c = this.sendCertificateChain ? certificateContents : undefined;
const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
const publicKeys = [];
// Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
let match;
do {
match = certificatePattern.exec(certificateContents);
if (match) {
publicKeys.push(match[3]);
}
} while (match);
if (publicKeys.length === 0) {
throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
}
/**
* Parses a certificate into its relevant parts
*
* @param certificateConfiguration - The certificate contents or path to the certificate
* @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise
* @returns The parsed certificate parts and the certificate contents
*/
export async function parseCertificate(certificateConfiguration, sendCertificateChain) {
const certificate = certificateConfiguration.certificate;
const certificatePath = certificateConfiguration.certificatePath;
const certificateContents = certificate || (await readFile(certificatePath, "utf8"));
const x5c = sendCertificateChain ? certificateContents : undefined;
const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
const publicKeys = [];
// Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
let match;
do {
match = certificatePattern.exec(certificateContents);
if (match) {
publicKeys.push(match[3]);
}
const thumbprint = createHash("sha1")
.update(Buffer.from(publicKeys[0], "base64"))
.digest("hex")
.toUpperCase();
return {
certificateContents,
thumbprint,
x5c,
};
} while (match);
if (publicKeys.length === 0) {
throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
}
const thumbprint = createHash("sha1")
.update(Buffer.from(publicKeys[0], "base64"))
.digest("hex")
.toUpperCase();
return {
certificateContents,
thumbprint,
x5c,
};
}
//# sourceMappingURL=clientCertificateCredential.js.map
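Review bot: The exported `parseCertificate` still throws "The file at the specified path does not contain a PEM-encoded certificate." when the PEM was supplied inline through `certificateConfiguration.certificate`, and it calls `readFile(certificatePath, "utf8")` with an undefined path when neither field is set. Now that the function is callable outside the class, its JSDoc should state that one of `certificate` or `certificatePath` is expected, and the message could read `"The provided certificate does not contain a PEM-encoded certificate."`. The thumbprint remains a SHA-1 digest of the first certificate in the file; if that is kept only because the token service identifies certificates that way, a comment such as `// SHA-1 is the certificate identifier expected by the service, not an integrity check` would record the reason.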

@@ -5,2 +5,3 @@ // Copyright (c) Microsoft Corporation.

import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils";
import { CredentialUnavailableError } from "../errors";
import { credentialLogger } from "../util/logging";

@@ -30,5 +31,11 @@ import { ensureScopes } from "../util/scopeUtils";

constructor(tenantId, clientId, clientSecret, options = {}) {
if (!tenantId || !clientId || !clientSecret) {
throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
if (!tenantId) {
throw new CredentialUnavailableError("ClientSecretCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
}
if (!clientId) {
throw new CredentialUnavailableError("ClientSecretCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
}
if (!clientSecret) {
throw new CredentialUnavailableError("ClientSecretCredential: clientSecret is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
}
this.clientSecret = clientSecret;

@@ -35,0 +42,0 @@ this.tenantId = tenantId;

@@ -75,3 +75,3 @@ // Copyright (c) Microsoft Corporation.

*
* If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
* If the token can't be retrieved silently, this method will always generate a challenge for the user.
*

@@ -78,0 +78,0 @@ * @param scopes - The list of scopes for which the token will have access.

@@ -26,2 +26,3 @@ // Copyright (c) Microsoft Corporation.

"AZURE_ADDITIONALLY_ALLOWED_TENANTS",
"AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
];

@@ -35,2 +36,9 @@ function getAdditionallyAllowedTenants() {

const logger = credentialLogger(credentialName);
export function getSendCertificateChain() {
var _a;
const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase();
const result = sendCertificateChain === "true" || sendCertificateChain === "1";
logger.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`);
return result;
}
/**

@@ -55,2 +63,3 @@ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user

* - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
* - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
*

@@ -73,3 +82,4 @@ * Alternatively, users can provide environment variables for username and password authentication:

const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
const sendCertificateChain = getSendCertificateChain();
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain });
if (tenantId) {

@@ -76,0 +86,0 @@ checkTenantId(logger, tenantId);

@@ -74,3 +74,3 @@ // Copyright (c) Microsoft Corporation.

*
* If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
* If the token can't be retrieved silently, this method will always generate a challenge for the user.
*

@@ -77,0 +77,0 @@ * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.

@@ -94,2 +94,3 @@ // Copyright (c) Microsoft Corporation.

const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.
logger.getToken.info(`MSAL Identity source: ${identitySource}`);
if (isTokenExchangeMsi) {

@@ -106,3 +107,3 @@ // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.

if (result === null) {
throw new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response.");
}

@@ -123,3 +124,3 @@ return result;

if (!isAvailable) {
throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is not available.`);
throw new CredentialUnavailableError(`ManagedIdentityCredential: Attempted to use the IMDS endpoint, but it is not available.`);
}

@@ -150,5 +151,5 @@ }

if (isNetworkError(err)) {
throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`);
throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err });
}
throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err });
}

@@ -170,3 +171,3 @@ });

if (!msalToken) {
throw createError("No response");
throw createError("No response.");
}

@@ -173,0 +174,0 @@ if (!msalToken.expiresOn) {

// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
import { createMsalClient } from "../msal/nodeFlows/msalClient";
import { credentialLogger, formatError } from "../util/logging";
import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils";
import { credentialLogger, formatError } from "../util/logging";
import { CredentialUnavailableError } from "../errors";
import { createHash } from "node:crypto";
import { ensureScopes } from "../util/scopeUtils";
import { readFile } from "node:fs/promises";
import { tracingClient } from "../util/tracing";
import { createMsalClient } from "../msal/nodeFlows/msalClient";
import { readFile } from "node:fs/promises";
import { createHash } from "node:crypto";
const credentialName = "OnBehalfOfCredential";

@@ -21,8 +22,14 @@ const logger = credentialLogger(credentialName);

const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
if (!tenantId ||
!clientId ||
!(clientSecret || certificatePath || getAssertion) ||
!userAssertionToken) {
throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath or getAssertion) and userAssertionToken are required parameters.`);
if (!tenantId) {
throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
}
if (!clientId) {
throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
}
if (!clientSecret && !certificatePath && !getAssertion) {
throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
}
if (!userAssertionToken) {
throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
}
this.certificatePath = certificatePath;

@@ -29,0 +36,0 @@ this.clientSecret = clientSecret;

// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
import { createMsalClient } from "../msal/nodeFlows/msalClient";
import { processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils";
import { CredentialUnavailableError } from "../errors";
import { credentialLogger } from "../util/logging";
import { ensureScopes } from "../util/scopeUtils";
import { tracingClient } from "../util/tracing";
import { createMsalClient } from "../msal/nodeFlows/msalClient";
const logger = credentialLogger("UsernamePasswordCredential");

@@ -28,5 +29,14 @@ /**

constructor(tenantId, clientId, username, password, options = {}) {
if (!tenantId || !clientId || !username || !password) {
throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
if (!tenantId) {
throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
}
if (!clientId) {
throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
}
if (!username) {
throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
}
if (!password) {
throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
}
this.tenantId = tenantId;

@@ -33,0 +43,0 @@ this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);

// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
import { credentialLogger, processEnvVars } from "../util/logging";
import { ClientAssertionCredential } from "./clientAssertionCredential";
import { readFile } from "fs/promises";
import { CredentialUnavailableError } from "../errors";
import { credentialLogger, processEnvVars } from "../util/logging";
import { checkTenantId } from "../util/tenantIdUtils";
import { readFile } from "fs/promises";
const credentialName = "WorkloadIdentityCredential";

@@ -56,6 +56,16 @@ /**

}
if (clientId && tenantId && this.federatedTokenFilePath) {
logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
if (!clientId) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_CLIENT_ID".
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
}
if (!tenantId) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_TENANT_ID".
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
}
if (!this.federatedTokenFilePath) {
throw new CredentialUnavailableError(`${credentialName}: is unavailable. federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_FEDERATED_TOKEN_FILE".
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
}
logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
}

@@ -76,3 +86,3 @@ /**

"AZURE_CLIENT_ID",
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot `;
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`;
logger.info(errorMessage);

@@ -79,0 +89,0 @@ throw new CredentialUnavailableError(errorMessage);
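Review bot: The `logger.info` call after the new guards prints `workloadIdentityCredentialOptions.clientId`, while the guards and the `ClientAssertionCredential` constructor use the resolved `clientId`. If `clientId` can come from another source (the new messages mention `AZURE_CLIENT_ID`), the log line will show `undefined` or a value different from the one actually used, which hampers incident review; log `clientId` instead. The constructor now also throws on missing values where the earlier code only skipped creating `this.client`, so callers that build this credential eagerly should be checked. The surrounding constructor body is outside the visible lines.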

@@ -18,4 +18,5 @@ // Copyright (c) Microsoft Corporation.

export class CredentialUnavailableError extends Error {
constructor(message) {
super(message);
constructor(message, options) {
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
super(message, options);
this.name = CredentialUnavailableErrorName;

@@ -35,3 +36,3 @@ }

// eslint-disable-next-line @typescript-eslint/ban-types
constructor(statusCode, errorBody) {
constructor(statusCode, errorBody, options) {
let errorResponse = {

@@ -54,4 +55,4 @@ error: "unknown",

errorResponse = {
error: "authority_not_found",
errorDescription: "The specified authority URL was not found.",
error: "invalid_request",
errorDescription: `The service indicated that the request was invalid.\n\n${errorBody}`,
};

@@ -73,3 +74,5 @@ }

}
super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription}`);
super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription},`,
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
options);
this.statusCode = statusCode;

@@ -117,3 +120,5 @@ this.errorResponse = errorResponse;

options) {
super(options.message);
super(options.message,
// @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
options.cause ? { cause: options.cause } : undefined);
this.scopes = options.scopes;

@@ -120,0 +125,0 @@ this.getTokenOptions = options.getTokenOptions;
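Review bot: The new `super(...)` call in `AuthenticationError` ends its template literal with `${errorResponse.errorDescription},` so every message now carries a trailing comma; the comma that separates the two arguments appears to have been duplicated inside the string, and the one inside the backticks should be dropped. In the same section the `invalid_request` description interpolates `errorBody` directly, which yields `[object Object]` for non-string bodies and copies the raw service response into the exception message; a bounded, explicitly stringified form would be safer. The constructor bodies continue outside the visible lines.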

@@ -11,4 +11,4 @@ // Copyright (c) Microsoft Corporation.

import { getLogLevel } from "@azure/logger";
import open from "open";
import { resolveTenantId } from "../../util/tenantIdUtils";
import { interactiveBrowserMockable } from "./msalOpenBrowser";
/**

@@ -19,2 +19,9 @@ * The default logger used if no logger was passed in by the credential.

/**
* A call to open(), but mockable
* @internal
*/
export const interactiveBrowserMockable = {
open,
};
/**
* Generates the configuration for MSAL (Microsoft Authentication Library).

@@ -21,0 +28,0 @@ *

{
"name": "@azure/identity",
"sdk-type": "client",
"version": "4.5.0-beta.1",
"version": "4.5.0-beta.2",
"description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",

@@ -111,3 +111,3 @@ "main": "dist/index.js",

"dependencies": {
"@azure/abort-controller": "^1.0.0",
"@azure/abort-controller": "^2.0.0",
"@azure/core-auth": "^1.5.0",

@@ -160,3 +160,3 @@ "@azure/core-client": "^1.9.2",

"nyc": "^17.0.0",
"puppeteer": "^22.2.0",
"puppeteer": "^23.0.2",
"rimraf": "^5.0.5",

@@ -163,0 +163,0 @@ "sinon": "^17.0.0",

@@ -216,3 +216,3 @@ # Azure Identity client library for JavaScript

Credentials default to authenticating to the Microsoft Entra endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `authorityHost` argument in the constructor. The `AzureAuthorityHosts` interface defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way:
Credentials default to authenticating to the Microsoft Entra endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `authorityHost` argument in the constructor. The [`AzureAuthorityHosts`][authority_hosts] enum defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way:

@@ -231,2 +231,22 @@ ```typescript

As an alternative to specifying the `authorityHost` argument, you can also set the `AZURE_AUTHORITY_HOST` environment variable to the URL of your cloud's authority. This approach is useful when configuring multiple credentials to authenticate to the same cloud or when the deployed environment needs to define the target cloud:
```sh
AZURE_AUTHORITY_HOST=https://login.partner.microsoftonline.cn
```
The `AzureAuthorityHosts` enum defines authorities for well-known clouds for your convenience; however, if the authority for your cloud isn't listed in `AzureAuthorityHosts`, you may pass any valid authority URL as a string argument. For example:
```typescript
import { AzureAuthorityHosts, ClientSecretCredential } from "@azure/identity";
const credential = new ClientSecretCredential(
"<YOUR_TENANT_ID>",
"<YOUR_CLIENT_ID>",
"<YOUR_CLIENT_SECRET>",
{
authorityHost: "https://login.partner.microsoftonline.cn",
}
);
```
Not all credentials require this configuration. Credentials that authenticate through a development tool, such as `AzureCliCredential`, use that tool's configuration. Similarly, `VisualStudioCodeCredential` accepts an `authorityHost` argument but defaults to the `authorityHost` matching Visual Studio Code's **Azure: Cloud** setting.

@@ -374,3 +394,4 @@

[azure_identity_broker_readme]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-broker
[authority_hosts]: https://learn.microsoft.com/javascript/api/@azure/identity/azureauthorityhosts
![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-js%2Fsdk%2Fidentity%2Fidentity%2FREADME.png)

