### Packages impacted by this PR
- @azure/identity
### Issues associated with this PR
### Describe the problem that is addressed by this PR
Bumps the `hookTimeout` and `testTimeout` for @azure/identity tests.
A few fixes as a result of the identity ESM migration:
1. Missing `ctx` parameter that's now fixed
2. Default vitest config excludes managed identity tests. Adding a
separate vitest config for managed identity test runs fixes this
### Packages impacted by this PR
@azure/identity-broker
@azure/identity
### Issues associated with this PR
#31338
### Describe the problem that is addressed by this PR
Migrates identity and identity-broker to ESM, tshy, and Vitest
#31185
This PR adds `enableCAE: true` by default. The updated logic for
`BearerAuthenticationPolicy` is as follows:
- Check if initial response returns a challenge
- If CAE challenge, handle it and return whatever response is received next
- If not CAE challenge and a custom challenge handler is provided
through `authorizeRequestOnChallenge`, use custom handler to handle the
challenge. If there is another CAE challenge after, handle it and return
whatever response comes next. At most, the policy will resolve 2 challenges (1
non-CAE and 1 CAE challenge)
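The challenge flow described in the commit message above, as an added example that is not the PR's code or the `BearerAuthenticationPolicy` implementation. It is a simplified synchronous model: `getCaeClaims`, `sendWithChallenges`, `send`, `getToken`, `customHandler` and the sample headers are hypothetical, and the CAE challenge is assumed to take the form `error="insufficient_claims"` with base64-encoded `claims`.

```javascript
// Added illustration: simplified synchronous model; every name is hypothetical
// and none of this is the @azure/core-rest-pipeline implementation.
const CLAIMS_JSON = '{"access_token":{"nbf":{"essential":true,"value":"1700000000"}}}'; // constructed

// Decoded claims if the header is a CAE challenge (assumed form:
// Bearer error="insufficient_claims", claims="<base64 JSON>"), else undefined.
function getCaeClaims(wwwAuthenticate) {
  if (!wwwAuthenticate || !/^Bearer\s/i.test(wwwAuthenticate)) return undefined;
  const params = {};
  for (const m of wwwAuthenticate.matchAll(/(\w+)="([^"]*)"/g)) params[m[1]] = m[2];
  if (params.error !== "insufficient_claims" || !params.claims) return undefined;
  return Buffer.from(params.claims, "base64").toString("utf8");
}

const isChallenge = (res) => res.status === 401 && Boolean(res.headers["www-authenticate"]);

// send(request) -> { status, headers }; getToken(options) -> token string;
// customHandler({ request, response }) -> true once it has re-authorized the request.
function sendWithChallenges(request, send, getToken, customHandler) {
  const handleCae = (claims) => {
    request.headers.authorization = `Bearer ${getToken({ claims, enableCae: true })}`;
    return send(request); // returned as-is, even if it is yet another 401
  };
  request.headers.authorization = `Bearer ${getToken({ enableCae: true })}`;
  let response = send(request);
  if (!isChallenge(response)) return response;
  let claims = getCaeClaims(response.headers["www-authenticate"]);
  if (claims) return handleCae(claims); // first challenge was CAE: one challenge total
  if (!customHandler || !customHandler({ request, response })) return response;
  response = send(request); // non-CAE challenge resolved by the custom handler
  if (!isChallenge(response)) return response;
  claims = getCaeClaims(response.headers["www-authenticate"]);
  return claims ? handleCae(claims) : response; // at most one CAE follow-up
}

// Constructed scenario: non-CAE challenge, then CAE challenge, then success.
function demo() {
  const cae = `Bearer error="insufficient_claims", claims="${Buffer.from(CLAIMS_JSON).toString("base64")}"`;
  const script = [
    { status: 401, headers: { "www-authenticate": 'Bearer authorization_uri="https://login.example/tenant"' } },
    { status: 401, headers: { "www-authenticate": cae } },
    { status: 200, headers: {} },
  ];
  const tokenRequests = [];
  const getToken = (options) => `token-${tokenRequests.push(options)}`;
  const customHandler = ({ request }) => { request.headers.authorization = "Bearer custom"; return true; };
  const response = sendWithChallenges({ headers: {} }, () => script.shift(), getToken, customHandler);
  return { status: response.status, tokenRequests, unsent: script.length };
}
```

The second token request carries the decoded claims, which is what forces a fresh token instead of a cached one; a 401 that arrives after the CAE step is handed back to the caller rather than retried.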
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
Resolves #31208
### Describe the problem that is addressed by this PR
Now that Managed Identity migration to MSAL has been stabilized, we can
finish the migration with my favorite part: deleting code!
This PR deletes all the legacy code, and simplifies where possible.
Obsolete tests have been deleted or updated.
- apply lint:fix results
- revert fixes that are not related to consistent-type-imports and cases error
- regenerate .api.md files
- format
- update core-comparison diff
Also remove dependency on `@microsoft/api-extractor` as we already moved to
`dev-tool run extract-api`, which calls the api-extractor API instead.
***NO_CI***
Drive traffic to the new credential chains doc on Learn. Also, eliminate
duplication in the `DefaultAzureCredential` API docs.
---------
Co-authored-by: Karishma Ghiya <kaghiya@microsoft.com>
Fixes https://github.com/Azure/azure-sdk-for-js/issues/23329
- Added SHR PoP token support to @azure/core-auth
- Added SHR PoP token support to `InteractiveBrowserCredential` Native
Broker Scenarios via @azure/identity and @azure/identity-broker
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
Resolves #31307
### Describe the problem that is addressed by this PR
It is not clear from our documentation that @azure/identity is optimized
for the "pass a credential to another client library" use-case and that
refreshing / caching / etc. are implementation details without proper API support and
documentation.
This PR attempts to provide additional information regarding when to use
something like MSAL directly.
---------
Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com>
### Packages impacted by this PR
- @azure/dev-tool
### Issues associated with this PR
### Describe the problem that is addressed by this PR
This PR implements a new dev-tool command: `dev-tool run
update-snippets`.
This command looks for code fences in markdown files and JSDoc comments,
and updates them with the contents of test methods in a file named
`snippets.spec.ts`.
For example, the following fence indicates that the contents of a test
named "new_configurationclient" should be used:
````
```js snippet:new_configurationclient
```
````
After running `dev-tool run update-snippets`, the contents of the
snippet will be populated:
````
```js snippet:new_configurationclient
import { ConfigurationClient } from "@azure/template";
import { DefaultAzureCredential } from "@azure/identity";

const client = new ConfigurationClient(
  "<app configuration endpoint>",
  new DefaultAzureCredential()
);
```
````
To accomplish this, the command uses the TypeScript compiler API to
extract and transpile snippets from `snippets.spec.ts`. Snippets are the
contents of calls to the `it` function. If syntax with the shape
`it(<literal string>, <function with block>)` appears in
`snippets.spec.ts`, it will be considered a snippet that is valid for
injection.
("Function with block" means either a `function () { ... }` expression
or an arrow function with a block on the arrow side (`() => { ... }`).
An arrow function that has an expression on the right hand side (`() =>
(...)`) will not be recognized.)
For example:
```ts
it("new_configurationclient", function () {
  // @ts-ignore
  const client = new ConfigurationClient(
    process.env.ENDPOINT ?? "<app configuration endpoint>",
    new DefaultAzureCredential()
  );
});
```
The transpiler automatically "cleans" and validates the snippet using
similar techniques as the sample transpiler. As a result, it enforces
the same syntactic rules that the sample transpiler does. In addition to
those, it removes references to `process.env` (if an alternative is
specified), removes compiler pragmas like `// @ts-ignore`, and
automatically inserts imports for symbols that the snippet uses. So in
the above snippet, imports for `ConfigurationClient` and
`DefaultAzureCredential` are required, automatically detected, and
injected into the resulting snippet.
Snippets without `snippet:${name}` tags are _errors_ when using this
command, so a package must be fully migrated to use it.
### Provide a list of related PRs _(if any)_
- #24536
***NO_CI***
- replace version to "~5.6.2"
- rush update
- add `"skipLibCheck": true` for several packages that are affected by https://github.com/vitest-dev/vitest/issues/4688
- [formrecognizer] help TypeScript to understand with more explicit type
- [schema-registry-{avro,json}] skip lib check due to lru-cache issue with the Iterator TReturn change
https://github.com/isaacs/node-lru-cache/issues/348
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
#30557
### Describe the problem that is addressed by this PR
Looks like we missed one place where we need to read the
AZURE_AUTHORITY_HOST env var when porting logic over to msalClient.
This PR addresses the issue and allows the environment variable to be read
when needed.
To have ClientAssertionCredentialOptions implement
ISupportsTokenCachePersistenceOptions. As a consumer of Identity, Azure
PowerShell is dependent on the Azure Identity library for .NET. Now the
client assertion workflow has increasing usage, so the ask should have
higher priority.
Business Impact:
In the client assertion auth flow, Azure PowerShell customers acquire
the access token with the federated token. The access token must be used
by the subsequent Azure PowerShell cmdlets. We depend on Azure.Identity
to save the tokens to the MSAL cache. As the federated token has a short
lifetime, it's impossible to cache the federated token and
reauthenticate every time a cmdlet is run.
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
#30187
### Describe the problem that is addressed by this PR
Now that core-util is published with a `calculateRetryDelay` helper, we
can use that instead of duplicating the logic from core-rest-pipeline
### Are there test cases added in this PR? _(If not, why?)_
There's an existing test suite for this policy, and this should be
considered a pure refactor now
**Summary of changes**
- Create new section for credential chains. Listing them in
"Authenticate Azure-hosted applications" is misleading.
- Incorporate Acrolinx feedback
- Remove unused links
- Document the `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` env var
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
Resolves #30380
### Describe the problem that is addressed by this PR
If the Cloud Shell ManagedIdentitySource is detected via MSAL and a
user-assigned managed identity clientID or resourceID is supplied, the
ManagedIdentityCredential should throw.
The rationale for taking this minor breaking change is that CloudShell
does not support specifying a clientID or ResourceID and the current
behavior of silently falling back to attempting to use a system-assigned
identity could be unexpected.
### Provide a list of related PRs _(if any)_
https://github.com/Azure/azure-sdk-for-cpp/pull/5837
- [eslint-plugin] github-source-headers rule should use "MIT License".
This change updates our linter rule and the whole repository to have consistent
license header.
***NO_CI***
- remove "All rights reserved." from header
- "MIT license" => "MIT License"
***NO_CI***
- bump typescript-eslint dependencies version to ~8.2.0
- [eslint-plugin] suppress new linting errors appearing with v8
- [eslint-plugin] react to removed typescript-eslint property
related PR https://github.com/typescript-eslint/typescript-eslint/pull/9025
- [eslint-plugin] turn off @typescript-eslint/no-unused-expressions
as no-unused-expressions is already reported by eslint
- [dev-tool] fix new linting errors
- Remove @typescript-eslint/ban-types that no longer exists
and replace with more specific rules wherever applicable.
- [cosmosdb] combine the test eslint config with the main one
- delete catch expression when caught error is not used
- fix or suppress linting errors in code files
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
Resolves https://github.com/Azure/azure-sdk-for-js-pr/issues/262
### Describe the problem that is addressed by this PR
Adds support for providing an objectID to be used in managed Identity.
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
N/A - test fixes
### Describe the problem that is addressed by this PR
Identity client libraries need some extensive setup to test various
credentials in different workloads. Some of the commands
require the az cli, and this enables us to log in using az cli.
Eventually, my hope is to use this to provide federated credentials for
keyvault managed HSMs resource creation where our credential expires by
the time the HSM is deployed
***NO_CI***
- add one flat config file for perf tests
- update NPM scripts of these packages to use that flat config for perf tests
As eslint v8 has still not switched to flat config by default, this change
temporarily uses `cross-env` to set `ESLINT_USE_FLAT_CONFIG=true`.
Once we have moved to eslint v9, the env var can be removed.
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
Improve client error messages
### Describe the problem that is addressed by this PR
Noticed in passing in the AzurePipelinesCredential - the error message
lists all required parameters but does not specify _which_ parameter was not
provided.
Now that I am paying attention to errors, I did a sweep of our
credentials updating each credential with better / more specific error messages
### What are the possible designs available to address the problem? If
there are more than one possible design, why was the one in this PR
chosen?
Alternatively we can add some method to collect all required parameters
and which were not provided to avoid getting errors one at a time for each
parameter, but I decided not to go that route here - keeping things
simple and straightforward
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
Resolves #30356
### Describe the problem that is addressed by this PR
Adds support for the `-AsSecureString` flag for
`AzurePowerShellCredential` in order to support upcoming breaking
changes from Az Pwsh modules in a backwards compat way
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
N/A
### Describe the problem that is addressed by this PR
A minor cosmetic fix where we only set `cause` if it exists in the
options.
Before this change, node would print `[cause]: undefined` which can be
misleading.
Now, we'll omit `cause` entirely if it's not set.
### Packages impacted by this PR
@azure/identity
### Issues associated with this PR
### Describe the problem that is addressed by this PR
### What are the possible designs available to address the problem? If
there are more than one possible design, why was the one in this PR
chosen?
In order to improve the error experience for Managed Identity we want to
do a few things:
1. Remove misleading error messages like authority_not_found for any 400
2. Display the error's cause / InnerException / etc.
3. Provide helpful debugging information in the exception message
(1) and (2) are done here, (3) is still in flux as I need to think about
what information will be helpful without being overwhelming.
### Are there test cases added in this PR? _(If not, why?)_
Printing out the error's cause is an implementation detail of the
runtime and _not_ something that gets stringified
Co-authored-by: Christopher Scott <chriscott@hotmail.com>