UNPKG

@azure/identity

Version:

Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID

github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity/README.md

Azure/azure-sdk-for-js

182 lines • 8.72 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
"use strict"; // Copyright (c) Microsoft Corporation. // Licensed under the MIT License. Object.defineProperty(exports, "__esModule", { value: true }); exports.AzureDeveloperCliCredential = exports.developerCliCredentialInternals = void 0; const tslib_1 = require("tslib"); const logging_js_1 = require("../util/logging.js"); const errors_js_1 = require("../errors.js"); const child_process_1 = tslib_1.__importDefault(require("child_process")); const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js"); const tracing_js_1 = require("../util/tracing.js"); const scopeUtils_js_1 = require("../util/scopeUtils.js"); const logger = (0, logging_js_1.credentialLogger)("AzureDeveloperCliCredential"); /** * Mockable reference to the Developer CLI credential cliCredentialFunctions * @internal */ exports.developerCliCredentialInternals = { /** * @internal */ getSafeWorkingDir() { if (process.platform === "win32") { let systemRoot = process.env.SystemRoot || process.env["SYSTEMROOT"]; if (!systemRoot) { logger.getToken.warning("The SystemRoot environment variable is not set. This may cause issues when using the Azure Developer CLI credential."); systemRoot = "C:\\Windows"; } return systemRoot; } else { return "/bin"; } }, /** * Gets the access token from Azure Developer CLI * @param scopes - The scopes to use when getting the token * @internal */ async getAzdAccessToken(scopes, tenantId, timeout) { let tenantSection = []; if (tenantId) { tenantSection = ["--tenant-id", tenantId]; } return new Promise((resolve, reject) => { try { const args = [ "auth", "token", "--output", "json", ...scopes.reduce((previous, current) => previous.concat("--scope", current), []), ...tenantSection, ]; const command = ["azd", ...args].join(" "); child_process_1.default.exec(command, { cwd: exports.developerCliCredentialInternals.getSafeWorkingDir(), timeout, }, (error, stdout, stderr) => { resolve({ stdout, stderr, error }); }); } catch (err) { reject(err); } }); }, }; /** * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific * to Azure developers. It allows users to authenticate as a user and/or a service principal against * <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>. The * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or * service principal and executes an Azure CLI command underneath to authenticate the application against * Microsoft Entra ID. * * <h2> Configure AzureDeveloperCliCredential </h2> * * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the * commands below: * * <ol> * <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li> * <li>Run "azd auth login --client-id clientID --client-secret clientSecret * --tenant-id tenantID" to authenticate as a service principal.</li> * </ol> * * You may need to repeat this process after a certain time period, depending on the refresh token validity in your * organization. Generally, the refresh token validity period is a few weeks to a few months. * AzureDeveloperCliCredential will prompt you to sign in again. */ class AzureDeveloperCliCredential { tenantId; additionallyAllowedTenantIds; timeout; /** * Creates an instance of the {@link AzureDeveloperCliCredential}. * * To use this credential, ensure that you have already logged * in via the 'azd' tool using the command "azd auth login" from the commandline. * * @param options - Options, to optionally allow multi-tenant requests. */ constructor(options) { if (options?.tenantId) { (0, tenantIdUtils_js_1.checkTenantId)(logger, options?.tenantId); this.tenantId = options?.tenantId; } this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options?.additionallyAllowedTenants); this.timeout = options?.processTimeoutInMs; } /** * Authenticates with Microsoft Entra ID and returns an access token if successful. * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure. * * @param scopes - The list of scopes for which the token will have access. * @param options - The options used to configure any requests this * TokenCredential implementation might make. */ async getToken(scopes, options = {}) { const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds); if (tenantId) { (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId); } let scopeList; if (typeof scopes === "string") { scopeList = [scopes]; } else { scopeList = scopes; } logger.getToken.info(`Using the scopes ${scopes}`); return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => { try { scopeList.forEach((scope) => { (0, scopeUtils_js_1.ensureValidScopeForDevTimeCreds)(scope, logger); }); const obj = await exports.developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout); const isNotLoggedInError = obj.stderr?.match("not logged in, run `azd login` to login") || obj.stderr?.match("not logged in, run `azd auth login` to login"); const isNotInstallError = obj.stderr?.match("azd:(.*)not found") || obj.stderr?.startsWith("'azd' is not recognized"); if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) { const error = new errors_js_1.CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot."); logger.getToken.info((0, logging_js_1.formatError)(scopes, error)); throw error; } if (isNotLoggedInError) { const error = new errors_js_1.CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot."); logger.getToken.info((0, logging_js_1.formatError)(scopes, error)); throw error; } try { const resp = JSON.parse(obj.stdout); logger.getToken.info((0, logging_js_1.formatSuccess)(scopes)); return { token: resp.token, expiresOnTimestamp: new Date(resp.expiresOn).getTime(), tokenType: "Bearer", }; } catch (e) { if (obj.stderr) { throw new errors_js_1.CredentialUnavailableError(obj.stderr); } throw e; } } catch (err) { const error = err.name === "CredentialUnavailableError" ? err : new errors_js_1.CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token"); logger.getToken.info((0, logging_js_1.formatError)(scopes, error)); throw error; } }); } } exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential; //# sourceMappingURL=azureDeveloperCliCredential.js.map