@azure/ms-rest-nodeauth - npm Package Compare versions

Comparing version 3.0.4 to 3.0.5

Changelog.md

 # Changelog
 
-## 3.0.4 - 2020/05/19
+## 3.0.5 - (unreleased)
 
-- Made `buildTenantList` public, to allow users to retrieve all of their tenants after authenticating.
-- Added a new public method to `TokenCredentialsBase` called `setDomain` that can be used to force Adal to renew the token against a different tenant.
-- Added a sample expressing different ways to work around the [issue #89](https://github.com/Azure/ms-rest-nodeauth/issues/89).
+- The helper method `buildTenantList` is made public. This is helpful if one needs to get the Ids of all the tenants in the account programmatically.
+- A new method `setDomain()` which takes the Id of a tenant is now available on all credentials. Use this to change the domain i.e. the tenant against which tokens are created.
+- Fixed typos in error messages.
+- Added support for passing a `clientId` property in the `options` parameter of the MSI based login method `loginWithAppServiceMSI()`. This is required to allow user-assigned managed identities to be used to authenticate through Azure App Services and Azure Functions.
+- Added support for the `IDENTITY_ENDPOINT` and `IDENTITY_SECRET` when using the `MSIAppServiceTokenCredentials` credentials.
 
+## 3.0.4 - 2020/05/19 (deprecated)
+
+- Through a mistake of release automation, a CI job from PR #91 got shipped by accident.
+
 ## 3.0.2 - 2019/08/22
@@ -28,3 +34,3 @@
 - Updated min version of dependency `@azure/ms-rest-js` to `^2.0.3`.
-- Updated min version of dependenct `@azure/ms-rest-azure-env` to `^2.0.0`.
+- Updated min version of dependency `@azure/ms-rest-azure-env` to `^2.0.0`.
 - Improved documentation of `MSIOptions.resource`
@@ -31,0 +37,0 @@ - Improved samples in README.md

dist/lib/credentials/applicationTokenCertificateCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ApplicationTokenCertificateCredentials = void 0;
 const fs_1 = require("fs");
@@ -18,0 +16,0 @@ const crypto_1 = require("crypto");

dist/lib/credentials/applicationTokenCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ApplicationTokenCredentials = void 0;
 const applicationTokenCredentialsBase_1 = require("./applicationTokenCredentialsBase");
@@ -18,0 +16,0 @@ const authConstants_1 = require("../util/authConstants");

dist/lib/credentials/applicationTokenCredentialsBase.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ApplicationTokenCredentialsBase = void 0;
 const tokenCredentialsBase_1 = require("./tokenCredentialsBase");
@@ -18,0 +16,0 @@ const authConstants_1 = require("../util/authConstants");

dist/lib/credentials/azureCliCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AzureCliCredentials = void 0;
 const ms_rest_js_1 = require("@azure/ms-rest-js");
@@ -18,0 +16,0 @@ const login_1 = require("../login");

dist/lib/credentials/deviceTokenCredentials.js

@@ -5,3 +5,2 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DeviceTokenCredentials = void 0;
 const tokenCredentialsBase_1 = require("./tokenCredentialsBase");
@@ -8,0 +7,0 @@ const authConstants_1 = require("../util/authConstants");

dist/lib/credentials/keyVaultFactory.js

@@ -5,3 +5,2 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAuthenticator = void 0;
 const applicationTokenCredentials_1 = require("./applicationTokenCredentials");
@@ -8,0 +7,0 @@ const applicationTokenCertificateCredentials_1 = require("./applicationTokenCertificateCredentials");

dist/lib/credentials/msiAppServiceTokenCredentials.d.ts

@@ -9,4 +9,3 @@ import { MSITokenCredentials, MSIOptions, MSITokenResponse } from "./msiTokenCredentials";
      * @property {string} [msiEndpoint] - The local URL from which your app can request tokens.
-     * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-     * For example: `export MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
      */
@@ -16,4 +15,3 @@ msiEndpoint?: string;
      * @property {string} [msiSecret] - The secret used in communication between your code and the local MSI agent.
-     * Either provide this parameter or set the environment variable `MSI_SECRET`.
-     * For example: `export MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
      */
@@ -25,2 +23,7 @@ msiSecret?: string;
     msiApiVersion?: string;
+    /**
+     * @property {string} [clientId] - The clientId of the managed identity you would like the token for. Required, if
+     * your app service has user-assigned managed identities.
+     */
+    clientId?: string;
 }
@@ -33,4 +36,3 @@ /**
      * @property {string} msiEndpoint - The local URL from which your app can request tokens.
-     * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-     * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
      */
@@ -40,4 +42,3 @@ msiEndpoint: string;
      * @property {string} msiSecret - The secret used in communication between your code and the local MSI agent.
-     * Either provide this parameter or set the environment variable `MSI_SECRET`.
-     * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
      */
@@ -50,9 +51,12 @@ msiSecret: string;
     /**
+     * @property {string} [clientId] - The clientId of the managed identity you would like the token for. Required, if
+     * your app service has user-assigned managed identities.
+     */
+    clientId?: string;
+    /**
      * Creates an instance of MSIAppServiceTokenCredentials.
      * @param {string} [options.msiEndpoint] - The local URL from which your app can request tokens.
-     * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-     * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
      * @param {string} [options.msiSecret] - The secret used in communication between your code and the local MSI agent.
-     * Either provide this parameter or set the environment variable `MSI_SECRET`.
-     * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
      * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
@@ -63,2 +67,4 @@ * For e.g. it can be:
      * @param {string} [options.msiApiVersion] - The api-version of the local MSI agent. Default value is "2017-09-01".
+     * @param {string} [options.clientId] - The clientId of the managed identity you would like the token for. Required, if
+     * your app service has user-assigned managed identities.
      */
@@ -65,0 +71,0 @@ constructor(options?: MSIAppServiceOptions);

dist/lib/credentials/msiAppServiceTokenCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MSIAppServiceTokenCredentials = void 0;
 const msiTokenCredentials_1 = require("./msiTokenCredentials");
@@ -26,7 +24,5 @@ const ms_rest_js_1 = require("@azure/ms-rest-js");
      * @param {string} [options.msiEndpoint] - The local URL from which your app can request tokens.
-     * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-     * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
      * @param {string} [options.msiSecret] - The secret used in communication between your code and the local MSI agent.
-     * Either provide this parameter or set the environment variable `MSI_SECRET`.
-     * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+     * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
      * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
@@ -37,2 +33,4 @@ * For e.g. it can be:
      * @param {string} [options.msiApiVersion] - The api-version of the local MSI agent. Default value is "2017-09-01".
+     * @param {string} [options.clientId] - The clientId of the managed identity you would like the token for. Required, if
+     * your app service has user-assigned managed identities.
      */
@@ -43,11 +41,11 @@ constructor(options) {
         super(options);
-        options.msiEndpoint = options.msiEndpoint || process.env["MSI_ENDPOINT"];
-        options.msiSecret = options.msiSecret || process.env["MSI_SECRET"];
+        options.msiEndpoint = options.msiEndpoint || process.env["IDENTITY_ENDPOINT"] || process.env["MSI_ENDPOINT"];
+        options.msiSecret = options.msiSecret || process.env["IDENTITY_SECRET"] || process.env["MSI_SECRET"];
         if (!options.msiEndpoint || (options.msiEndpoint && typeof options.msiEndpoint.valueOf() !== "string")) {
             throw new Error('Either provide "msiEndpoint" as a property of the "options" object ' +
-                'or set the environment variable "MSI_ENDPOINT" and it must be of type "string".');
+                'or set the environment variable "IDENTITY_ENDPOINT" or "MSI_ENDPOINT" and it must be of type "string".');
         }
         if (!options.msiSecret || (options.msiSecret && typeof options.msiSecret.valueOf() !== "string")) {
             throw new Error('Either provide "msiSecret" as a property of the "options" object ' +
-                'or set the environment variable "MSI_SECRET" and it must be of type "string".');
+                'or set the environment variable "IDENTITY_SECRET" or "MSI_SECRET" and it must be of type "string".');
         }
@@ -63,2 +61,3 @@ if (!options.msiApiVersion) {
         this.msiApiVersion = options.msiApiVersion;
+        this.clientId = options.clientId;
     }
@@ -88,10 +87,13 @@ /**
         const endpoint = this.msiEndpoint.endsWith("/") ? this.msiEndpoint : `${this.msiEndpoint}/`;
-        const resource = encodeURIComponent(this.resource);
-        const getUrl = `${endpoint}?resource=${resource}&api-version=${this.msiApiVersion}`;
         const reqOptions = {
-            url: getUrl,
+            url: endpoint,
             headers: {
-                "secret": this.msiSecret
+                secret: this.msiSecret,
             },
-            method: "GET"
+            queryParameters: {
+                "resource": this.resource,
+                "api-version": this.msiApiVersion,
+                "clientid": this.clientId,
+            },
+            method: "GET",
         };
@@ -98,0 +100,0 @@ const webResource = new ms_rest_js_1.WebResource();

dist/lib/credentials/msiTokenCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MSITokenCredentials = void 0;
 const ms_rest_js_1 = require("@azure/ms-rest-js");
@@ -86,3 +84,3 @@ const authConstants_1 = require("../util/authConstants");
                 if (parsedBody["expires_on"].includes(":") || parsedBody["expires_on"].includes("/")) {
-                    parsedBody.expiresOn = new Date(Number(parsedBody["expires_on"]), 10);
+                    parsedBody.expiresOn = new Date(parseInt(parsedBody["expires_on"], 10));
                 }
@@ -89,0 +87,0 @@ else {

dist/lib/credentials/msiVmTokenCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MSIVmTokenCredentials = void 0;
 const msiTokenCredentials_1 = require("./msiTokenCredentials");
@@ -18,0 +16,0 @@ const ms_rest_js_1 = require("@azure/ms-rest-js");

dist/lib/credentials/tokenCredentialsBase.d.ts

@@ -11,5 +11,4 @@ import { WebResource } from "@azure/ms-rest-js";
     tokenCache: TokenCache;
-    private _authContext?;
+    authContext: AuthenticationContext;
     constructor(clientId: string, domain: string, tokenAudience?: string | undefined, environment?: Environment, tokenCache?: TokenCache);
-    get authContext(): AuthenticationContext;
     setDomain(domain: string): void;
@@ -16,0 +15,0 @@ protected getActiveDirectoryResourceId(): string;

dist/lib/credentials/tokenCredentialsBase.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenCredentialsBase = void 0;
 const ms_rest_js_1 = require("@azure/ms-rest-js");
@@ -34,14 +32,12 @@ const ms_rest_azure_env_1 = require("@azure/ms-rest-azure-env");
         if (this.tokenAudience === "graph" && this.domain.toLowerCase() === "common") {
-            throw new Error(`${"If the tokenAudience is specified as \"graph\" then \"domain\" cannot be defaulted to \"commmon\" tenant.\
-        It must be the actual tenant (preferrably a string in a guid format)."}`);
+            throw new Error(`${"If the tokenAudience is specified as \"graph\" then \"domain\" cannot be defaulted to \"common\" tenant.\
+        It must be the actual tenant (preferably a string in a guid format)."}`);
         }
-        this.setDomain(domain);
+        const authorityUrl = this.environment.activeDirectoryEndpointUrl + this.domain;
+        this.authContext = new adal_node_1.AuthenticationContext(authorityUrl, this.environment.validateAuthority, this.tokenCache);
     }
-    get authContext() {
-        return this._authContext;
-    }
     setDomain(domain) {
         this.domain = domain;
         const authorityUrl = this.environment.activeDirectoryEndpointUrl + this.domain;
-        this._authContext = new adal_node_1.AuthenticationContext(authorityUrl, this.environment.validateAuthority, this.tokenCache);
+        this.authContext = new adal_node_1.AuthenticationContext(authorityUrl, this.environment.validateAuthority, this.tokenCache);
     }
@@ -48,0 +44,0 @@ getActiveDirectoryResourceId() {

dist/lib/credentials/topicCredentials.js

@@ -5,3 +5,2 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TopicCredentials = void 0;
 const ms_rest_js_1 = require("@azure/ms-rest-js");
@@ -8,0 +7,0 @@ /**

dist/lib/credentials/userTokenCredentials.d.ts

@@ -19,3 +19,3 @@ import { TokenCredentialsBase } from "./tokenCredentialsBase";
      * @param {string} [tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
-     * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+     * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
      * @param {Environment} [environment] The azure environment to authenticate with.
@@ -22,0 +22,0 @@ * @param {object} [tokenCache] The token cache. Default value is the MemoryCache object from adal.

dist/lib/credentials/userTokenCredentials.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UserTokenCredentials = void 0;
 const tokenCredentialsBase_1 = require("./tokenCredentialsBase");
@@ -30,3 +28,3 @@ class UserTokenCredentials extends tokenCredentialsBase_1.TokenCredentialsBase {
      * @param {string} [tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
-     * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+     * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
      * @param {Environment} [environment] The azure environment to authenticate with.
@@ -84,3 +82,3 @@ * @param {object} [tokenCache] The token cache. Default value is the MemoryCache object from adal.
                         else {
-                            return reject(`The userId "${tokenResponse.userId}" in access token doesn"t match the username "${self.username}" provided during authentication.`);
+                            return reject(`The userId "${tokenResponse.userId}" in access token doesn't match the username "${self.username}" provided during authentication.`);
                         }
@@ -87,0 +85,0 @@ });

dist/lib/login.d.ts

@@ -13,3 +13,3 @@ import * as adal from "adal-node";
 /**
- * @interface AzureTokenCredentialsOptions - Describes optional parameters for serviceprincipal/secret authentication.
+ * @interface AzureTokenCredentialsOptions - Describes optional parameters for servicePrincipal/secret authentication.
  */
@@ -19,3 +19,3 @@ export interface AzureTokenCredentialsOptions {
      * @property {TokenAudience} [tokenAudience] - The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
-     * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+     * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
      */
@@ -43,3 +43,3 @@ tokenAudience?: TokenAudience;
     /**
-     * @property {string} [domain] - The domain or tenant id containing this application. Default value is "common".
+     * @property {string} [domain] - The domain or tenant Id containing this application. Default value is "common".
      */
@@ -71,3 +71,3 @@ domain?: string;
     /**
-     * @property {Array<LinkedSubscription>} [subscriptions] List of associated subscriptions.
+     * @property {Array<LinkedSubscription>} [subscriptions] List of associated subscriptions. It will be empty for personal accounts, unless the login method is called with a tenant Id sent as the `domain` optional parameter.
      */
@@ -102,2 +102,4 @@ subscriptions?: LinkedSubscription[];
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {string} username The user name for the Organization Id account.
@@ -110,31 +112,35 @@ * @param {string} password The password for the Organization Id account.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value "common".
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains `credentials` and an optional `subscriptions` array, and rejects with an Error.
  */
 export declare function withUsernamePasswordWithAuthResponse(username: string, password: string, options?: LoginWithUsernamePasswordOptions): Promise<AuthResponse>;
 /**
- * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
  * for an example.
  * @param {string} secret The application secret for the service principal.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
 export declare function withServicePrincipalSecretWithAuthResponse(clientId: string, secret: string, domain: string, options?: AzureTokenCredentialsOptions): Promise<AuthResponse>;
 /**
- * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
@@ -145,10 +151,10 @@ * for an example.
  * - CertificateFilePath: **Absolute** file path of the .pem file.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -179,9 +185,10 @@ export declare function withServicePrincipalCertificateWithAuthResponse(clientId: string, certificateStringOrFilePath: string, domain: string, options?: AzureTokenCredentialsOptions): Promise<AuthResponse>;
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
 export declare function withAuthFileWithAuthResponse(options?: LoginWithAuthFileOptions): Promise<AuthResponse>;
 /**
- * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a
- * DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {object} [options] Object representing optional parameters.
@@ -194,5 +201,5 @@ *
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid value is "graph".If tokenAudience is provided
- * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferrably in a guid format).
+ * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferably in a guid format).
  *
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value is "common".
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value is "common".
  *
@@ -210,3 +217,3 @@ * @param {Environment} [options.environment] The azure environment to authenticate with. Default environment is "Public Azure".
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -254,5 +261,6 @@ export declare function withInteractiveWithAuthResponse(options?: InteractiveLoginOptions): Promise<AuthResponse>;
 /**
- * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a
- * DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {object} [options] Object representing optional parameters.
@@ -263,4 +271,4 @@ * @param {string} [options.clientId] The active directory application client id.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid value is "graph".If tokenAudience is provided
- * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value is "common".
+ * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value is "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with. Default environment is "Public Azure".
@@ -276,5 +284,5 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *    {function} optionalCallback(err, credentials)
- *                 {Error}  [err]                           - The Error object if an error occurred, null otherwise.
- *                 {DeviceTokenCredentials} [credentials]   - The DeviceTokenCredentials object.
- *                 {Array}                [subscriptions]   - List of associated subscriptions across all the applicable tenants.
+ *                 {Error}                          [err]  - The Error object if an error occurred, null otherwise.
+ *                 {DeviceTokenCredentials} [credentials]  - The DeviceTokenCredentials object.
+ *                 {Array}                [subscriptions]  - List of associated subscriptions across all the applicable tenants.
  *    {Promise} A promise is returned.
@@ -291,12 +299,14 @@ *             @resolve {DeviceTokenCredentials} The DeviceTokenCredentials object.
 /**
- * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
  * for an example.
  * @param {string} secret The application secret for the service principal.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
@@ -309,5 +319,5 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *    {function} optionalCallback(err, credentials)
- *                 {Error}  [err]                               - The Error object if an error occurred, null otherwise.
+ *                 {Error}                               [err]  - The Error object if an error occurred, null otherwise.
  *                 {ApplicationTokenCredentials} [credentials]  - The ApplicationTokenCredentials object.
- *                 {Array}                [subscriptions]       - List of associated subscriptions across all the applicable tenants.
+ *                 {Array}                     [subscriptions]  - List of associated subscriptions across all the applicable tenants.
  *    {Promise} A promise is returned.
@@ -324,5 +334,7 @@ *             @resolve {ApplicationTokenCredentials} The ApplicationTokenCredentials object.
 /**
- * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
@@ -333,6 +345,6 @@ * for an example.
  * - CertificateFilePath: **Absolute** file path of the .pem file.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
@@ -360,4 +372,7 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  * Provides a UserTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ *
  * This method is applicable only for organizational ids that are not 2FA enabled otherwise please use interactive login.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {string} username The user name for the Organization Id account.
@@ -370,4 +385,4 @@ * @param {string} password The password for the Organization Id account.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value "common".
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with.
@@ -374,0 +389,0 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.

dist/lib/login.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.execAz = exports.loginWithAppServiceMSI = exports.loginWithVmMSI = exports.withUsernamePassword = exports.withServicePrincipalCertificate = exports.withServicePrincipalSecret = exports.interactive = exports.withAuthFile = exports.withInteractiveWithAuthResponse = exports.withAuthFileWithAuthResponse = exports.withServicePrincipalCertificateWithAuthResponse = exports.withServicePrincipalSecretWithAuthResponse = exports.withUsernamePasswordWithAuthResponse = void 0;
 const adal = require("adal-node");
@@ -66,2 +64,4 @@ const msRest = require("@azure/ms-rest-js");
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {string} username The user name for the Organization Id account.
@@ -74,8 +74,8 @@ * @param {string} password The password for the Organization Id account.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value "common".
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains `credentials` and an optional `subscriptions` array, and rejects with an Error.
  */
@@ -98,3 +98,3 @@ function withUsernamePasswordWithAuthResponse(username, password, options) {
         yield creds.getToken();
-        // The token cache gets propulated for all the tenants as a part of building the tenantList.
+        // The token cache gets populated for all the tenants as a part of building the tenantList.
         const tenantList = yield subscriptionUtils_1.buildTenantList(creds);
@@ -107,16 +107,18 @@ const subscriptionList = yield _getSubscriptions(creds, tenantList, options.tokenAudience);
 /**
- * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
  * for an example.
  * @param {string} secret The application secret for the service principal.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -139,5 +141,7 @@ function withServicePrincipalSecretWithAuthResponse(clientId, secret, domain, options) {
 /**
- * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
@@ -148,10 +152,10 @@ * for an example.
  * - CertificateFilePath: **Absolute** file path of the .pem file.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -239,3 +243,3 @@ function withServicePrincipalCertificateWithAuthResponse(clientId, certificateStringOrFilePath, domain, options) {
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -314,5 +318,6 @@ function withAuthFileWithAuthResponse(options) {
 /**
- * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a
- * DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {object} [options] Object representing optional parameters.
@@ -325,5 +330,5 @@ *
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid value is "graph".If tokenAudience is provided
- * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferrably in a guid format).
+ * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferably in a guid format).
  *
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value is "common".
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value is "common".
  *
@@ -341,3 +346,3 @@ * @param {Environment} [options.environment] The azure environment to authenticate with. Default environment is "Public Azure".
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -631,3 +636,3 @@ function withInteractiveWithAuthResponse(options) {
                     catch (err) {
-                        const msg = `An error occured while parsing the output "${stdout}", of ` +
+                        const msg = `An error occurred while parsing the output "${stdout}", of ` +
                             `the cmd "${cmd}": ${err.stack}.`;
@@ -634,0 +639,0 @@ return reject(new Error(msg));

dist/lib/msRestNodeAuth.js

@@ -6,38 +6,38 @@ "use strict";
 var applicationTokenCredentials_1 = require("./credentials/applicationTokenCredentials");
-Object.defineProperty(exports, "ApplicationTokenCredentials", { enumerable: true, get: function () { return applicationTokenCredentials_1.ApplicationTokenCredentials; } });
+exports.ApplicationTokenCredentials = applicationTokenCredentials_1.ApplicationTokenCredentials;
 var applicationTokenCertificateCredentials_1 = require("./credentials/applicationTokenCertificateCredentials");
-Object.defineProperty(exports, "ApplicationTokenCertificateCredentials", { enumerable: true, get: function () { return applicationTokenCertificateCredentials_1.ApplicationTokenCertificateCredentials; } });
+exports.ApplicationTokenCertificateCredentials = applicationTokenCertificateCredentials_1.ApplicationTokenCertificateCredentials;
 var deviceTokenCredentials_1 = require("./credentials/deviceTokenCredentials");
-Object.defineProperty(exports, "DeviceTokenCredentials", { enumerable: true, get: function () { return deviceTokenCredentials_1.DeviceTokenCredentials; } });
+exports.DeviceTokenCredentials = deviceTokenCredentials_1.DeviceTokenCredentials;
 var keyVaultFactory_1 = require("./credentials/keyVaultFactory");
-Object.defineProperty(exports, "createAuthenticator", { enumerable: true, get: function () { return keyVaultFactory_1.createAuthenticator; } });
+exports.createAuthenticator = keyVaultFactory_1.createAuthenticator;
 var msiAppServiceTokenCredentials_1 = require("./credentials/msiAppServiceTokenCredentials");
-Object.defineProperty(exports, "MSIAppServiceTokenCredentials", { enumerable: true, get: function () { return msiAppServiceTokenCredentials_1.MSIAppServiceTokenCredentials; } });
+exports.MSIAppServiceTokenCredentials = msiAppServiceTokenCredentials_1.MSIAppServiceTokenCredentials;
 var msiTokenCredentials_1 = require("./credentials/msiTokenCredentials");
-Object.defineProperty(exports, "MSITokenCredentials", { enumerable: true, get: function () { return msiTokenCredentials_1.MSITokenCredentials; } });
+exports.MSITokenCredentials = msiTokenCredentials_1.MSITokenCredentials;
 var msiVmTokenCredentials_1 = require("./credentials/msiVmTokenCredentials");
-Object.defineProperty(exports, "MSIVmTokenCredentials", { enumerable: true, get: function () { return msiVmTokenCredentials_1.MSIVmTokenCredentials; } });
+exports.MSIVmTokenCredentials = msiVmTokenCredentials_1.MSIVmTokenCredentials;
 var tokenCredentialsBase_1 = require("./credentials/tokenCredentialsBase");
-Object.defineProperty(exports, "TokenCredentialsBase", { enumerable: true, get: function () { return tokenCredentialsBase_1.TokenCredentialsBase; } });
+exports.TokenCredentialsBase = tokenCredentialsBase_1.TokenCredentialsBase;
 var userTokenCredentials_1 = require("./credentials/userTokenCredentials");
-Object.defineProperty(exports, "UserTokenCredentials", { enumerable: true, get: function () { return userTokenCredentials_1.UserTokenCredentials; } });
+exports.UserTokenCredentials = userTokenCredentials_1.UserTokenCredentials;
 var authConstants_1 = require("./util/authConstants");
-Object.defineProperty(exports, "AuthConstants", { enumerable: true, get: function () { return authConstants_1.AuthConstants; } });
+exports.AuthConstants = authConstants_1.AuthConstants;
 var subscriptionUtils_1 = require("./subscriptionManagement/subscriptionUtils");
-Object.defineProperty(exports, "buildTenantList", { enumerable: true, get: function () { return subscriptionUtils_1.buildTenantList; } });
+exports.buildTenantList = subscriptionUtils_1.buildTenantList;
 var azureCliCredentials_1 = require("./credentials/azureCliCredentials");
-Object.defineProperty(exports, "AzureCliCredentials", { enumerable: true, get: function () { return azureCliCredentials_1.AzureCliCredentials; } });
+exports.AzureCliCredentials = azureCliCredentials_1.AzureCliCredentials;
 var login_1 = require("./login");
-Object.defineProperty(exports, "interactiveLogin", { enumerable: true, get: function () { return login_1.interactive; } });
-Object.defineProperty(exports, "interactiveLoginWithAuthResponse", { enumerable: true, get: function () { return login_1.withInteractiveWithAuthResponse; } });
-Object.defineProperty(exports, "loginWithUsernamePassword", { enumerable: true, get: function () { return login_1.withUsernamePassword; } });
-Object.defineProperty(exports, "loginWithUsernamePasswordWithAuthResponse", { enumerable: true, get: function () { return login_1.withUsernamePasswordWithAuthResponse; } });
-Object.defineProperty(exports, "loginWithServicePrincipalSecret", { enumerable: true, get: function () { return login_1.withServicePrincipalSecret; } });
-Object.defineProperty(exports, "loginWithServicePrincipalSecretWithAuthResponse", { enumerable: true, get: function () { return login_1.withServicePrincipalSecretWithAuthResponse; } });
-Object.defineProperty(exports, "loginWithAuthFile", { enumerable: true, get: function () { return login_1.withAuthFile; } });
-Object.defineProperty(exports, "loginWithAuthFileWithAuthResponse", { enumerable: true, get: function () { return login_1.withAuthFileWithAuthResponse; } });
-Object.defineProperty(exports, "loginWithVmMSI", { enumerable: true, get: function () { return login_1.loginWithVmMSI; } });
-Object.defineProperty(exports, "loginWithAppServiceMSI", { enumerable: true, get: function () { return login_1.loginWithAppServiceMSI; } });
-Object.defineProperty(exports, "loginWithServicePrincipalCertificate", { enumerable: true, get: function () { return login_1.withServicePrincipalCertificate; } });
-Object.defineProperty(exports, "loginWithServicePrincipalCertificateWithAuthResponse", { enumerable: true, get: function () { return login_1.withServicePrincipalCertificateWithAuthResponse; } });
+exports.interactiveLogin = login_1.interactive;
+exports.interactiveLoginWithAuthResponse = login_1.withInteractiveWithAuthResponse;
+exports.loginWithUsernamePassword = login_1.withUsernamePassword;
+exports.loginWithUsernamePasswordWithAuthResponse = login_1.withUsernamePasswordWithAuthResponse;
+exports.loginWithServicePrincipalSecret = login_1.withServicePrincipalSecret;
+exports.loginWithServicePrincipalSecretWithAuthResponse = login_1.withServicePrincipalSecretWithAuthResponse;
+exports.loginWithAuthFile = login_1.withAuthFile;
+exports.loginWithAuthFileWithAuthResponse = login_1.withAuthFileWithAuthResponse;
+exports.loginWithVmMSI = login_1.loginWithVmMSI;
+exports.loginWithAppServiceMSI = login_1.loginWithAppServiceMSI;
+exports.loginWithServicePrincipalCertificate = login_1.withServicePrincipalCertificate;
+exports.loginWithServicePrincipalCertificateWithAuthResponse = login_1.withServicePrincipalCertificateWithAuthResponse;
 //# sourceMappingURL=msRestNodeAuth.js.map

dist/lib/subscriptionManagement/subscriptionUtils.js

@@ -5,7 +5,6 @@ "use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
@@ -15,3 +14,2 @@ });
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getSubscriptionsFromTenants = exports.buildTenantList = void 0;
 const msRest = require("@azure/ms-rest-js");
@@ -18,0 +16,0 @@ const applicationTokenCredentialsBase_1 = require("../credentials/applicationTokenCredentialsBase");

dist/lib/util/authConstants.d.ts

 export declare const AuthConstants: {
-    AAD_COMMON_TENANT: string;
-    DEFAULT_ADAL_CLIENT_ID: string;
-    SDK_INTERNAL_ERROR: string;
-    DEFAULT_LANGUAGE: string;
-    AZURE_AUTH_LOCATION: string;
-    RESOURCE_MANAGER_ENDPOINT: string;
+    "AAD_COMMON_TENANT": string;
+    "DEFAULT_ADAL_CLIENT_ID": string;
+    "SDK_INTERNAL_ERROR": string;
+    "DEFAULT_LANGUAGE": string;
+    "AZURE_AUTH_LOCATION": string;
+    "RESOURCE_MANAGER_ENDPOINT": string;
 };
 export declare type TokenAudience = "graph" | "batch" | string | undefined;
 //# sourceMappingURL=authConstants.d.ts.map

dist/lib/util/authConstants.js

@@ -5,3 +5,2 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthConstants = void 0;
 exports.AuthConstants = {
@@ -8,0 +7,0 @@ "AAD_COMMON_TENANT": "common",

lib/credentials/msiAppServiceTokenCredentials.ts

@@ -13,4 +13,3 @@ // Copyright (c) Microsoft Corporation. All rights reserved.
    * @property {string} [msiEndpoint] - The local URL from which your app can request tokens.
-   * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-   * For example: `export MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+   * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
    */
@@ -20,4 +19,3 @@ msiEndpoint?: string;
    * @property {string} [msiSecret] - The secret used in communication between your code and the local MSI agent.
-   * Either provide this parameter or set the environment variable `MSI_SECRET`.
-   * For example: `export MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+   * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
    */
@@ -29,2 +27,7 @@ msiSecret?: string;
   msiApiVersion?: string;
+  /**
+   * @property {string} [clientId] - The clientId of the managed identity you would like the token for. Required, if
+   * your app service has user-assigned managed identities.
+   */
+  clientId?: string;
 }
@@ -38,4 +41,3 @@
    * @property {string} msiEndpoint - The local URL from which your app can request tokens.
-   * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-   * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+   * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
    */
@@ -45,4 +47,3 @@ msiEndpoint: string;
    * @property {string} msiSecret - The secret used in communication between your code and the local MSI agent.
-   * Either provide this parameter or set the environment variable `MSI_SECRET`.
-   * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+   * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
    */
@@ -54,2 +55,7 @@ msiSecret: string;
   msiApiVersion?: string;
+  /**
+   * @property {string} [clientId] - The clientId of the managed identity you would like the token for. Required, if
+   * your app service has user-assigned managed identities.
+   */
+  clientId?: string;
 
@@ -59,7 +65,5 @@ /**
    * @param {string} [options.msiEndpoint] - The local URL from which your app can request tokens.
-   * Either provide this parameter or set the environment variable `MSI_ENDPOINT`.
-   * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+   * Unless this property is specified, any of the two environment variables `IDENTITY_ENDPOINT` or `MSI_ENDPOINT` will be used as the default value.
    * @param {string} [options.msiSecret] - The secret used in communication between your code and the local MSI agent.
-   * Either provide this parameter or set the environment variable `MSI_SECRET`.
-   * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+   * Unless this property is specified, any of the two environment variables `IDENTITY_SECRET` or `MSI_SECRET` will be used as the default value.
    * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
@@ -70,2 +74,4 @@ * For e.g. it can be:
    * @param {string} [options.msiApiVersion] - The api-version of the local MSI agent. Default value is "2017-09-01".
+   * @param {string} [options.clientId] - The clientId of the managed identity you would like the token for. Required, if
+   * your app service has user-assigned managed identities.
    */
@@ -75,7 +81,7 @@ constructor(options?: MSIAppServiceOptions) {
     super(options);
-    options.msiEndpoint = options.msiEndpoint || process.env["MSI_ENDPOINT"];
-    options.msiSecret = options.msiSecret || process.env["MSI_SECRET"];
+    options.msiEndpoint = options.msiEndpoint || process.env["IDENTITY_ENDPOINT"] || process.env["MSI_ENDPOINT"];
+    options.msiSecret = options.msiSecret || process.env["IDENTITY_SECRET"] || process.env["MSI_SECRET"];
     if (!options.msiEndpoint || (options.msiEndpoint && typeof options.msiEndpoint.valueOf() !== "string")) {
       throw new Error('Either provide "msiEndpoint" as a property of the "options" object ' +
-        'or set the environment variable "MSI_ENDPOINT" and it must be of type "string".');
+        'or set the environment variable "IDENTITY_ENDPOINT" or "MSI_ENDPOINT" and it must be of type "string".');
     }
@@ -85,3 +91,3 @@
       throw new Error('Either provide "msiSecret" as a property of the "options" object ' +
-        'or set the environment variable "MSI_SECRET" and it must be of type "string".');
+        'or set the environment variable "IDENTITY_SECRET" or "MSI_SECRET" and it must be of type "string".');
     }
@@ -98,2 +104,3 @@
     this.msiApiVersion = options.msiApiVersion;
+    this.clientId = options.clientId;
   }
@@ -125,10 +132,13 @@
     const endpoint = this.msiEndpoint.endsWith("/") ? this.msiEndpoint : `${this.msiEndpoint}/`;
-    const resource = encodeURIComponent(this.resource);
-    const getUrl = `${endpoint}?resource=${resource}&api-version=${this.msiApiVersion}`;
     const reqOptions: RequestPrepareOptions = {
-      url: getUrl,
+      url: endpoint,
       headers: {
-        "secret": this.msiSecret
+        secret: this.msiSecret,
       },
-      method: "GET"
+      queryParameters: {
+        "resource": this.resource,
+        "api-version": this.msiApiVersion,
+        "clientid": this.clientId,
+      },
+      method: "GET",
     };
@@ -135,0 +145,0 @@

lib/credentials/msiTokenCredentials.ts

@@ -119,3 +119,3 @@ // Copyright (c) Microsoft Corporation. All rights reserved.
         if (parsedBody["expires_on"].includes(":") || parsedBody["expires_on"].includes("/")) {
-          parsedBody.expiresOn = new Date(Number(parsedBody["expires_on"]), 10);
+          parsedBody.expiresOn = new Date(parseInt(parsedBody["expires_on"], 10));
         } else {
@@ -122,0 +122,0 @@ // normal number as a string '1504130527'

lib/credentials/tokenCredentialsBase.ts

@@ -11,3 +11,3 @@ // Copyright (c) Microsoft Corporation. All rights reserved.
 export abstract class TokenCredentialsBase implements TokenClientCredentials {
-  private _authContext?: AuthenticationContext;
+  public authContext: AuthenticationContext;
 
@@ -19,4 +19,4 @@ public constructor(
     public readonly environment: Environment = Environment.AzureCloud,
-    public tokenCache: TokenCache = new MemoryCache()) {
-
+    public tokenCache: TokenCache = new MemoryCache()
+  ) {
     if (!clientId || typeof clientId.valueOf() !== "string") {
@@ -31,17 +31,14 @@ throw new Error("clientId must be a non empty string.");
     if (this.tokenAudience === "graph" && this.domain.toLowerCase() === "common") {
-      throw new Error(`${"If the tokenAudience is specified as \"graph\" then \"domain\" cannot be defaulted to \"commmon\" tenant.\
-        It must be the actual tenant (preferrably a string in a guid format)."}`);
+      throw new Error(`${"If the tokenAudience is specified as \"graph\" then \"domain\" cannot be defaulted to \"common\" tenant.\
+        It must be the actual tenant (preferably a string in a guid format)."}`);
     }
 
-    this.setDomain(domain);
+    const authorityUrl = this.environment.activeDirectoryEndpointUrl + this.domain;
+    this.authContext = new AuthenticationContext(authorityUrl, this.environment.validateAuthority, this.tokenCache);
   }
 
-  get authContext(): AuthenticationContext {
-    return this._authContext!;
-  }
-
   public setDomain(domain: string): void {
     this.domain = domain;
     const authorityUrl = this.environment.activeDirectoryEndpointUrl + this.domain;
-    this._authContext = new AuthenticationContext(authorityUrl, this.environment.validateAuthority, this.tokenCache);
+    this.authContext = new AuthenticationContext(authorityUrl, this.environment.validateAuthority, this.tokenCache);
   }
@@ -48,0 +45,0 @@

lib/credentials/userTokenCredentials.ts

@@ -25,3 +25,3 @@ // Copyright (c) Microsoft Corporation. All rights reserved.
    * @param {string} [tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
-   * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+   * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
    * @param {Environment} [environment] The azure environment to authenticate with.
@@ -95,3 +95,3 @@ * @param {object} [tokenCache] The token cache. Default value is the MemoryCache object from adal.
             } else {
-              return reject(`The userId "${tokenResponse.userId}" in access token doesn"t match the username "${self.username}" provided during authentication.`);
+              return reject(`The userId "${tokenResponse.userId}" in access token doesn't match the username "${self.username}" provided during authentication.`);
             }
@@ -98,0 +98,0 @@ });

lib/login.ts

@@ -57,3 +57,3 @@ // Copyright (c) Microsoft Corporation. All rights reserved.
 /**
- * @interface AzureTokenCredentialsOptions - Describes optional parameters for serviceprincipal/secret authentication.
+ * @interface AzureTokenCredentialsOptions - Describes optional parameters for servicePrincipal/secret authentication.
  */
@@ -63,3 +63,3 @@ export interface AzureTokenCredentialsOptions {
    * @property {TokenAudience} [tokenAudience] - The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
-   * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+   * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
    */
@@ -88,3 +88,3 @@ tokenAudience?: TokenAudience;
   /**
-   * @property {string} [domain] - The domain or tenant id containing this application. Default value is "common".
+   * @property {string} [domain] - The domain or tenant Id containing this application. Default value is "common".
    */
@@ -118,3 +118,3 @@ domain?: string;
   /**
-   * @property {Array<LinkedSubscription>} [subscriptions] List of associated subscriptions.
+   * @property {Array<LinkedSubscription>} [subscriptions] List of associated subscriptions. It will be empty for personal accounts, unless the login method is called with a tenant Id sent as the `domain` optional parameter.
    */
@@ -151,2 +151,4 @@ subscriptions?: LinkedSubscription[];
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {string} username The user name for the Organization Id account.
@@ -159,8 +161,8 @@ * @param {string} password The password for the Organization Id account.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value "common".
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains `credentials` and an optional `subscriptions` array, and rejects with an Error.
  */
@@ -184,3 +186,3 @@ export async function withUsernamePasswordWithAuthResponse(username: string, password: string, options?: LoginWithUsernamePasswordOptions): Promise<AuthResponse> {
 
-  // The token cache gets propulated for all the tenants as a part of building the tenantList.
+  // The token cache gets populated for all the tenants as a part of building the tenantList.
   const tenantList = await buildTenantList(creds);
@@ -193,16 +195,18 @@ const subscriptionList: LinkedSubscription[] = await _getSubscriptions(creds, tenantList, options.tokenAudience);
 /**
- * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
  * for an example.
  * @param {string} secret The application secret for the service principal.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -226,5 +230,7 @@ export async function withServicePrincipalSecretWithAuthResponse(clientId: string, secret: string, domain: string, options?: AzureTokenCredentialsOptions): Promise<AuthResponse> {
 /**
- * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
@@ -235,10 +241,10 @@ * for an example.
  * - CertificateFilePath: **Absolute** file path of the .pem file.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
  * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -331,3 +337,3 @@ export async function withServicePrincipalCertificateWithAuthResponse(clientId: string, certificateStringOrFilePath: string, domain: string, options?: AzureTokenCredentialsOptions): Promise<AuthResponse> {
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -405,5 +411,6 @@ export async function withAuthFileWithAuthResponse(options?: LoginWithAuthFileOptions): Promise<AuthResponse> {
 /**
- * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a
- * DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {object} [options] Object representing optional parameters.
@@ -416,5 +423,5 @@ *
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid value is "graph".If tokenAudience is provided
- * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferrably in a guid format).
+ * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferably in a guid format).
  *
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value is "common".
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value is "common".
  *
@@ -432,3 +439,3 @@ * @param {Environment} [options.environment] The azure environment to authenticate with. Default environment is "Public Azure".
  *
- * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse that contains "credentials" and optional "subscriptions" array and rejects with an Error.
+ * @returns {Promise<AuthResponse>} A Promise that resolves to AuthResponse, which contains "credentials" and optional "subscriptions" array and rejects with an Error.
  */
@@ -589,5 +596,6 @@ export async function withInteractiveWithAuthResponse(options?: InteractiveLoginOptions): Promise<AuthResponse> {
 /**
- * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a
- * DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ * Provides a url and code that needs to be copy and pasted in a browser and authenticated over there. If successful, the user will get a DeviceTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {object} [options] Object representing optional parameters.
@@ -598,4 +606,4 @@ * @param {string} [options.clientId] The active directory application client id.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid value is "graph".If tokenAudience is provided
- * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value is "common".
+ * then domain should also be provided its value should not be the default "common" tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value is "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with. Default environment is "Public Azure".
@@ -611,5 +619,5 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *    {function} optionalCallback(err, credentials)
- *                 {Error}  [err]                           - The Error object if an error occurred, null otherwise.
- *                 {DeviceTokenCredentials} [credentials]   - The DeviceTokenCredentials object.
- *                 {Array}                [subscriptions]   - List of associated subscriptions across all the applicable tenants.
+ *                 {Error}                          [err]  - The Error object if an error occurred, null otherwise.
+ *                 {DeviceTokenCredentials} [credentials]  - The DeviceTokenCredentials object.
+ *                 {Array}                [subscriptions]  - List of associated subscriptions across all the applicable tenants.
  *    {Promise} A promise is returned.
@@ -644,12 +652,14 @@ *             @resolve {DeviceTokenCredentials} The DeviceTokenCredentials object.
 /**
- * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
  * for an example.
  * @param {string} secret The application secret for the service principal.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
@@ -662,5 +672,5 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  *    {function} optionalCallback(err, credentials)
- *                 {Error}  [err]                               - The Error object if an error occurred, null otherwise.
+ *                 {Error}                               [err]  - The Error object if an error occurred, null otherwise.
  *                 {ApplicationTokenCredentials} [credentials]  - The ApplicationTokenCredentials object.
- *                 {Array}                [subscriptions]       - List of associated subscriptions across all the applicable tenants.
+ *                 {Array}                     [subscriptions]  - List of associated subscriptions across all the applicable tenants.
  *    {Promise} A promise is returned.
@@ -695,5 +705,7 @@ *             @resolve {ApplicationTokenCredentials} The ApplicationTokenCredentials object.
 /**
- * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrinicpalId/clientId across all the applicable tenants.
+ * Provides an ApplicationTokenCertificateCredentials object and the list of subscriptions associated with that servicePrincipalId/clientId across all the applicable tenants.
  *
- * @param {string} clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
+ * When using personal accounts, the `domain` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
+ * @param {string} clientId The active directory application client Id also known as the SPN (ServicePrincipal Name).
  * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
@@ -704,6 +716,6 @@ * for an example.
  * - CertificateFilePath: **Absolute** file path of the .pem file.
- * @param {string} domain The domain or tenant id containing this application.
+ * @param {string} domain The domain or tenant Id containing this application.
  * @param {object} [options] Object representing optional parameters.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
  * @param {Environment} [options.environment] The azure environment to authenticate with.
@@ -749,4 +761,7 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
  * Provides a UserTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
+ *
  * This method is applicable only for organizational ids that are not 2FA enabled otherwise please use interactive login.
  *
+ * When using personal accounts, the `domain` property in the `options` parameter is required to be set to the Id of a tenant for that account. Otherwise, the resulting credential will not be able to access the account's resources.
+ *
  * @param {string} username The user name for the Organization Id account.
@@ -759,4 +774,4 @@ * @param {string} password The password for the Organization Id account.
  * @param {string} [options.tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
- * @param {string} [options.domain] The domain or tenant id containing this application. Default value "common".
+ * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferably in a guid format).
+ * @param {string} [options.domain] The domain or tenant Id containing this application. Default value "common".
  * @param {Environment} [options.environment] The azure environment to authenticate with.
@@ -966,3 +981,3 @@ * @param {object} [options.tokenCache] The token cache. Default value is the MemoryCache object from adal.
         } catch (err) {
-          const msg = `An error occured while parsing the output "${stdout}", of ` +
+          const msg = `An error occurred while parsing the output "${stdout}", of ` +
             `the cmd "${cmd}": ${err.stack}.`;
@@ -969,0 +984,0 @@ return reject(new Error(msg));

package.json

@@ -8,3 +8,3 @@ {
   },
-  "version": "3.0.4",
+  "version": "3.0.5",
   "description": "Azure Authentication library in node.js with type definitions.",
@@ -54,3 +54,3 @@ "keywords": [
     "tslint": "^5.18.0",
-    "typescript": "^3.5.3"
+    "typescript": "~3.5.3"
   },
@@ -57,0 +57,0 @@ "homepage": "https://github.com/Azure/ms-rest-nodeauth",

README.md

 # ms-rest-nodeauth [![Build Status](https://dev.azure.com/azure-public/adx/_apis/build/status/public.Azure.ms-rest-nodeauth)](https://dev.azure.com/azure-public/adx/_build/latest?definitionId=9)
 
 This library provides different node.js based authentication mechanisms for services in Azure. It also contains rich type definitions thereby providing a good TypeScript experience.
+
 All the authentication methods support callbacks as well as promises. If they are called within an async method in your application then you can use the async/await pattern as well.
 
+**Things to consider when using personal accounts:**
+
+When using personal accounts, the `domain` property in the options passed to the authentication methods is mandatory and should be set to the tenant Id. If this property is not set, the credentials created by the authentication methods will not be able to access any of the resources of the personal account. For that same reason, the list of subscriptions expected in the return value of these methods will be empty.
+
+You can get the tenant Id from Azure portal or the Azure CLI. If you need to fetch the tenant Id programmatically, follow the below steps:
+
+- Use any of the authentication methods without setting the domain to get a credential.
+- Call the `buildTenantLists(credential)` method by sending that same credential as the first parameter to get the list of all tenants in your account.
+
+You can now use any of the authentication methods and pass in the tenant Id or use the `setDomain()` method on the existing credential to change the tenant it uses to create the tokens.
+
 ### Example
@@ -118,2 +130,5 @@
 ### MSI (Managed Service Identity) based login from a virtual machine created in Azure.
+
+The code below works for both system managed and user-assigned managed identities. You can leave the `options` empty if you want to use system managed identity. If you want to use the user-assigned managed identity, you must at least provide the `clientId` in the options. If your VM has multiple user-assigned managed identities, you must include `objectId` and `identityId` in the options as well.
+
 ```typescript
@@ -123,3 +138,19 @@ import * as msRestNodeAuth from "@azure/ms-rest-nodeauth";
 const options: msRestNodeAuth.MSIVmOptions = {
-  port: 50342;
+  // The objectId of the managed identity you would like the token for.
+  // Required, if your VM has multiple user-assigned managed identities.
+  //
+  //     objectId: "your-managed-identity-object-id",
+  //
+
+  // The clientId of the managed identity you would like the token for.
+  // Required, if your VM has any user-assigned managed identity.
+  //
+  //     clientId: "your-managed-identity-client-id",
+  //
+
+  // The `Azure Resource ID` of the managed identity you would like the token for.
+  // Required, if your VM has multiple user-assigned managed identities.
+  //
+  //     identityId: "your-managed-identity-identity-id",
+  //
 }
@@ -135,2 +166,5 @@
 ### MSI (Managed Service Identity) based login from an AppService or Azure Function created in Azure.
+
+The code below works for both system managed and user-assigned managed identities. You can leave the `options` empty if you want to use system managed identity. If you want to use the user-assigned managed identity, you must at least provide the `clientId` in the options.
+
 ```typescript
@@ -140,3 +174,7 @@ import * as msRestNodeAuth from "@azure/ms-rest-nodeauth";
 const options: msRestNodeAuth.MSIAppServiceOptions = {
-  msiEndpoint: "http://127.0.0.1:41741/MSI/token/";
+  // The clientId of the managed identity you would like the token for.
+  // Required, if your app service has user-assigned managed identities.
+  //
+  //     clientId: "your-managed-identity-client-id"
+  //
 }
@@ -184,3 +222,3 @@
 
-    console.log(">>> The new subscription id associated with the credential object is: '%s'.",
+    console.log(">>> The new subscription Id associated with the credential object is: '%s'.",
       creds.subscriptionInfo.id);
@@ -187,0 +225,0 @@ request.url = getUrl(creds.subscriptionInfo.id);

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 2 instances in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Deprecated

Maintenance

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

371942

increased by1.65%

Lines of code

5429

increased by0.48%

Number of medium maintenance alerts

0

decreased by-100%

Number of lines in readme file

254

increased by17.59%

Worsened metrics

Number of low supply chain risk alerts

9

increased by28.57%

No dependency changes