@azure/identity

  • Version 2.1.0
  • Published
  • 1.24 MB
  • 16 dependencies
  • MIT license

Install

npm i @azure/identity
yarn add @azure/identity
pnpm add @azure/identity

Overview

Provides credential implementations for Azure SDK libraries that can authenticate with Azure Active Directory

Variables

variable AggregateAuthenticationErrorName

const AggregateAuthenticationErrorName: string;
  • The Error.name value of an AggregateAuthenticationError

variable AuthenticationErrorName

const AuthenticationErrorName: string;
  • The Error.name value of an AuthenticationError

variable CredentialUnavailableErrorName

const CredentialUnavailableErrorName: string;
  • The Error.name value of a CredentialUnavailableError

variable logger

const logger: AzureLogger;
  • The AzureLogger used for all clients within the identity package

Functions

function deserializeAuthenticationRecord

deserializeAuthenticationRecord: (
serializedRecord: string
) => AuthenticationRecord;
  • Deserializes a previously serialized authentication record from a string into an object.

    The input string must contain the following properties:

    - "authority"
    - "homeAccountId"
    - "clientId"
    - "tenantId"
    - "username"
    - "version"

    If the version we receive is unsupported, an error will be thrown.

    At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.

    Parameter serializedRecord

    Authentication record previously serialized into string.

    Returns

    AuthenticationRecord.

function getDefaultAzureCredential

getDefaultAzureCredential: () => TokenCredential;

function serializeAuthenticationRecord

serializeAuthenticationRecord: (record: AuthenticationRecord) => string;
  • Serializes an AuthenticationRecord into a string.

    The output of a serialized authentication record will contain the following properties:

    - "authority"
    - "homeAccountId"
    - "clientId"
    - "tenantId"
    - "username"
    - "version"

    To later convert this string back into an AuthenticationRecord, use the exported function deserializeAuthenticationRecord().
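A pre-check for a serialized record read back from storage, run before it is handed to deserializeAuthenticationRecord(). This is an added example, not code from @azure/identity: checkSerializedRecord and the sample record are hypothetical, and it assumes the serialized form is a JSON object, which this page does not state.

```javascript
// Added example: defensive pre-check for a serialized AuthenticationRecord.
// Assumption: the serialized form is a JSON object (the page only says "string").

// Property names and the supported version are taken from the text above.
const REQUIRED_FIELDS = [
  "authority", "homeAccountId", "clientId", "tenantId", "username", "version",
];
const SUPPORTED_VERSIONS = new Set(["1.0"]);

/**
 * Hypothetical helper. Returns { ok, problems } without throwing, so the
 * caller can log the findings and decide whether to discard the record.
 * `pinned` optionally maps field names to the values this application
 * expects (for example its own tenantId and clientId).
 */
function checkSerializedRecord(serialized, pinned = {}) {
  if (typeof serialized !== "string") {
    return { ok: false, problems: ["input is not a string"] };
  }
  let parsed;
  try {
    parsed = JSON.parse(serialized);
  } catch {
    return { ok: false, problems: ["input is not valid JSON"] };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { ok: false, problems: ["top-level value is not an object"] };
  }

  const problems = [];
  const own = (key) => Object.prototype.hasOwnProperty.call(parsed, key);

  // Every documented property must be present and must be a string.
  for (const field of REQUIRED_FIELDS) {
    if (!own(field)) {
      problems.push(`missing "${field}"`);
    } else if (typeof parsed[field] !== "string") {
      problems.push(`"${field}" is not a string`);
    }
  }

  // Only the documented version is accepted.
  if (own("version") && typeof parsed.version === "string" &&
      !SUPPORTED_VERSIONS.has(parsed.version)) {
    problems.push(`unsupported version "${parsed.version}"`);
  }

  // Local policy, stricter than the documentation: reject extra properties.
  for (const key of Object.keys(parsed)) {
    if (!REQUIRED_FIELDS.includes(key)) {
      problems.push(`unexpected property "${key}"`);
    }
  }

  // A stored record that names another tenant, client or authority than the
  // one this application is configured for is treated as tampered or stale.
  for (const [field, expected] of Object.entries(pinned)) {
    if (own(field) && parsed[field] !== expected) {
      problems.push(`"${field}" does not match the pinned value`);
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample record; every identifier below is a placeholder.
const SAMPLE_RECORD = JSON.stringify({
  authority: "login.microsoftonline.com",
  homeAccountId: "00000000-0000-0000-0000-000000000001.00000000-0000-0000-0000-0000000000aa",
  clientId: "00000000-0000-0000-0000-0000000000c1",
  tenantId: "00000000-0000-0000-0000-0000000000aa",
  username: "user@example.com",
  version: "1.0",
});

// Constructed variant: same record with a version the page does not list.
const SAMPLE_FUTURE_VERSION = JSON.stringify({
  ...JSON.parse(SAMPLE_RECORD),
  version: "2.0",
});
```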

function useIdentityPlugin

useIdentityPlugin: (plugin: IdentityPlugin) => void;
  • Extend Azure Identity with additional functionality. Pass a plugin from a plugin package, such as:

    - @azure/identity-cache-persistence: provides persistent token caching
    - @azure/identity-vscode: provides the dependencies of VisualStudioCodeCredential and enables it

    Example:

    import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
    import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
    useIdentityPlugin(cachePersistencePlugin);
    // The plugin has the capability to extend `DefaultAzureCredential` and to
    // add middleware to the underlying credentials, such as persistence.
    const credential = new DefaultAzureCredential({
      tokenCachePersistenceOptions: {
        enabled: true
      }
    });

    Parameter plugin

    the plugin to register

Classes

class AggregateAuthenticationError

class AggregateAuthenticationError extends Error {}

constructor

constructor(errors: any[], errorMessage?: string);

    property errors

    errors: any[];
    • The array of error objects that were thrown while trying to authenticate with the credentials in a ChainedTokenCredential.

    class AuthenticationError

    class AuthenticationError extends Error {}
    • Provides details about a failure to authenticate with Azure Active Directory. The errorResponse field contains more details about the specific failure.

    constructor

    constructor(statusCode: number, errorBody: string | object);

      property errorResponse

      readonly errorResponse: ErrorResponse;
      • The error response details.

      property statusCode

      readonly statusCode: number;
      • The HTTP status code returned from the authentication request.

      class AuthenticationRequiredError

      class AuthenticationRequiredError extends Error {}
      • Error used to enforce authentication after trying to retrieve a token silently.

      constructor

      constructor(options: AuthenticationRequiredErrorOptions);

        property getTokenOptions

        getTokenOptions?: GetTokenOptions;
        • The options passed to the getToken request.

        property scopes

        scopes: string[];
        • The list of scopes for which the token will have access.

        class AuthorizationCodeCredential

        class AuthorizationCodeCredential implements TokenCredential {}
        • Enables authentication to Azure Active Directory using an authorization code that was obtained through the authorization code flow, described in more detail in the Azure Active Directory documentation:

          https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        clientSecret: string,
        authorizationCode: string,
        redirectUri: string,
        options?: TokenCredentialOptions
        );
        • Creates an instance of AuthorizationCodeCredential with the details needed to request an access token using an authorization code that was obtained from Azure Active Directory.

          It is currently necessary for the user of this credential to initiate the authorization code flow to obtain an authorization code to be used with this credential. A full example of this flow is provided here:

          https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID or name. 'common' may be used when dealing with multi-tenant scenarios.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter clientSecret

          A client secret that was generated for the App Registration

          Parameter authorizationCode

          An authorization code that was received from following the authorization code flow. This authorization code must not have already been used to obtain an access token.

          Parameter redirectUri

          The redirect URI that was used to request the authorization code. Must be the same URI that is configured for the App Registration.

          Parameter options

          Options for configuring the client which makes the access token request.

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        authorizationCode: string,
        redirectUri: string,
        options?: TokenCredentialOptions
        );
        • Creates an instance of AuthorizationCodeCredential with the details needed to request an access token using an authorization code that was obtained from Azure Active Directory.

          It is currently necessary for the user of this credential to initiate the authorization code flow to obtain an authorization code to be used with this credential. A full example of this flow is provided here:

          https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID or name. 'common' may be used when dealing with multi-tenant scenarios.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter authorizationCode

          An authorization code that was received from following the authorization code flow. This authorization code must not have already been used to obtain an access token.

          Parameter redirectUri

          The redirect URI that was used to request the authorization code. Must be the same URI that is configured for the App Registration.

          Parameter options

          Options for configuring the client which makes the access token request.

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class AzureCliCredential

        class AzureCliCredential implements TokenCredential {}
        • This credential will use the currently logged-in user login information via the Azure CLI ('az') commandline tool. To do so, it will read the user access token and expire time with Azure CLI command "az account get-access-token".

        constructor

        constructor(options?: AzureCliCredentialOptions);
        • Creates an instance of the AzureCliCredential.

          To use this credential, ensure that you have already logged in via the 'az' tool using the command "az login" from the commandline.

          Parameter options

          Options, to optionally allow multi-tenant requests.

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class AzurePowerShellCredential

        class AzurePowerShellCredential implements TokenCredential {}
        • This credential will use the currently logged-in user information from the Azure PowerShell module. To do so, it will read the user access token and expire time with Azure PowerShell command Get-AzAccessToken -ResourceUrl {ResourceScope}

        constructor

        constructor(options?: AzurePowerShellCredentialOptions);
        • Creates an instance of the AzurePowerShellCredential.

          To use this credential:

          - Install the Azure Az PowerShell module with: Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force.
          - Log in to Azure PowerShell using the command Connect-AzAccount from the command line.

          Parameter options

          Options, to optionally allow multi-tenant requests.

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Authenticates with Azure Active Directory and returns an access token if successful. If the authentication cannot be performed through PowerShell, a CredentialUnavailableError will be thrown.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class ChainedTokenCredential

        class ChainedTokenCredential implements TokenCredential {}
        • Enables multiple TokenCredential implementations to be tried in order until one of the getToken methods returns an access token.

        constructor

        constructor(...sources: TokenCredential[]);
        • Creates an instance of ChainedTokenCredential using the given credentials.

          Parameter sources

          TokenCredential implementations to be tried in order.

          Example usage:

          const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
          const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
          const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);

        property UnavailableMessage

        protected UnavailableMessage: string;
        • The message to use when the chained token fails to get a token

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Returns the first access token returned by one of the chained TokenCredential implementations. Throws an AggregateAuthenticationError when one or more credentials throws an AuthenticationError and no credentials have returned an access token.

          This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class ClientAssertionCredential

        class ClientAssertionCredential implements TokenCredential {}
        • Authenticates a service principal with a JWT assertion.

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        getAssertion: () => Promise<string>,
        options?: TokenCredentialOptions
        );
        • Creates an instance of the ClientAssertionCredential with the details needed to authenticate against Azure Active Directory with a client assertion provided by the developer through the getAssertion function parameter.

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter getAssertion

          A function that retrieves the assertion for the credential to use.

          Parameter options

          Options for configuring the client which makes the authentication request.

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class ClientCertificateCredential

        class ClientCertificateCredential implements TokenCredential {}
        • Enables authentication to Azure Active Directory using a PEM-encoded certificate that is assigned to an App Registration. More information on how to configure certificate authentication can be found here:

          https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        certificatePath: string,
        options?: ClientCertificateCredentialOptions
        );
        • Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with a certificate.

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter certificatePath

          The path to a PEM-encoded public/private key certificate on the filesystem.

          Parameter options

          Options for configuring the client which makes the authentication request.

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        configuration: ClientCertificatePEMCertificatePath,
        options?: ClientCertificateCredentialOptions
        );
        • Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with a certificate.

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter configuration

          Other parameters required, including the path of the certificate on the filesystem. If the type is ignored, we will throw the value of the path to a PEM certificate.

          Parameter options

          Options for configuring the client which makes the authentication request.

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        configuration: ClientCertificatePEMCertificate,
        options?: ClientCertificateCredentialOptions
        );
        • Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with a certificate.

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter configuration

          Other parameters required, including the PEM-encoded certificate as a string. If the type is ignored, we will throw the value of the PEM-encoded certificate.

          Parameter options

          Options for configuring the client which makes the authentication request.

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class ClientSecretCredential

        class ClientSecretCredential implements TokenCredential {}
        • Enables authentication to Azure Active Directory using a client secret that was generated for an App Registration. More information on how to configure a client secret can be found here:

          https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application

        constructor

        constructor(
        tenantId: string,
        clientId: string,
        clientSecret: string,
        options?: ClientSecretCredentialOptions
        );
        • Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a client secret.

          Parameter tenantId

          The Azure Active Directory tenant (directory) ID.

          Parameter clientId

          The client (application) ID of an App Registration in the tenant.

          Parameter clientSecret

          A client secret that was generated for the App Registration.

          Parameter options

          Options for configuring the client which makes the authentication request.

        method getToken

        getToken: (
        scopes: string | string[],
        options?: GetTokenOptions
        ) => Promise<AccessToken>;
        • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

          Parameter scopes

          The list of scopes for which the token will have access.

          Parameter options

          The options used to configure any requests this TokenCredential implementation might make.

        class CredentialUnavailableError

        class CredentialUnavailableError extends Error {}
        • This signifies that the credential that was tried in a chained credential was not available to be used as the credential. Rather than treating this as an error that should halt the chain, it's caught and the chain continues

        constructor

        constructor(message?: string);
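A caller-side triage of a getToken failure, using the error classes described above (AggregateAuthenticationError.errors, AuthenticationError.statusCode, CredentialUnavailableError) and the ChainedTokenCredential behaviour they report. This is an added example, not code from @azure/identity: summarizeAuthFailure and fakeError are hypothetical, the errors are constructed stand-ins, and the name strings are assumed to equal the exported *ErrorName constants, whose values this page does not show.

```javascript
// Added example: turn whatever getToken() threw into a small, log-safe summary.
// Assumption: these strings equal AggregateAuthenticationErrorName,
// AuthenticationErrorName and CredentialUnavailableErrorName.
const NAMES = {
  aggregate: "AggregateAuthenticationError",
  authentication: "AuthenticationError",
  unavailable: "CredentialUnavailableError",
};

const MAX_DEPTH = 5; // guard against pathological nesting of aggregate errors

/**
 * Hypothetical helper. Matches on Error.name rather than instanceof and
 * copies only counts and HTTP status codes, never message text, so the
 * summary can be written to logs or sent to alerting.
 */
function summarizeAuthFailure(err) {
  // Flatten aggregates: the `errors` array holds what each chained
  // credential threw.
  const leaves = [];
  const walk = (e, depth) => {
    const isAggregate =
      e && e.name === NAMES.aggregate && Array.isArray(e.errors);
    if (isAggregate && depth < MAX_DEPTH) {
      for (const inner of e.errors) walk(inner, depth + 1);
    } else {
      leaves.push(e);
    }
  };
  walk(err, 0);

  const summary = { unavailable: 0, rejectedStatusCodes: [], other: 0 };
  for (const e of leaves) {
    const name = e && e.name;
    if (name === NAMES.unavailable) {
      summary.unavailable += 1; // credential was not usable in this environment
    } else if (name === NAMES.authentication) {
      // The service answered and refused: keep only the HTTP status code.
      summary.rejectedStatusCodes.push(
        typeof e.statusCode === "number" ? e.statusCode : null
      );
    } else {
      summary.other += 1; // not one of the identity error types
    }
  }

  // A rejection is the case worth alerting on (for instance an expired or
  // revoked secret); "nothing available" usually points at deployment
  // configuration instead.
  if (summary.rejectedStatusCodes.length > 0) {
    summary.verdict = "credential-rejected";
  } else if (summary.other > 0) {
    summary.verdict = "unexpected-error";
  } else {
    summary.verdict = "no-credential-available";
  }
  return summary;
}

// Constructed stand-in for the library's error objects (name + extra fields).
function fakeError(name, extra = {}) {
  return Object.assign(new Error("constructed sample"), { name }, extra);
}

// Constructed sample: one credential unavailable, one rejected with HTTP 401.
const SAMPLE_CHAIN_FAILURE = fakeError(NAMES.aggregate, {
  errors: [
    fakeError(NAMES.unavailable),
    fakeError(NAMES.authentication, { statusCode: 401 }),
  ],
});
```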

          class DefaultAzureCredential

          class DefaultAzureCredential extends ChainedTokenCredential {}
          • Provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.

          constructor

          constructor(options?: DefaultAzureCredentialClientIdOptions);

          constructor

          constructor(options?: DefaultAzureCredentialResourceIdOptions);

          constructor

          constructor(options?: DefaultAzureCredentialOptions);

          class DeviceCodeCredential

          class DeviceCodeCredential implements TokenCredential {}
          • Enables authentication to Azure Active Directory using a device code that the user can enter into https://microsoft.com/devicelogin.

          constructor

          constructor(options?: DeviceCodeCredentialOptions);
          • Creates an instance of DeviceCodeCredential with the details needed to initiate the device code authorization flow with Azure Active Directory.

            A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin

            Developers can configure how this message is shown by passing a custom userPromptCallback:

            const credential = new DeviceCodeCredential({
              tenantId: env.AZURE_TENANT_ID,
              clientId: env.AZURE_CLIENT_ID,
              userPromptCallback: (info) => {
                console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
              }
            });

            Parameter options

            Options for configuring the client which makes the authentication requests.

          method authenticate

          authenticate: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AuthenticationRecord | undefined>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

            If the token can't be retrieved silently, this method will require user interaction to retrieve the token.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

            If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          class EnvironmentCredential

          class EnvironmentCredential implements TokenCredential {}
          • Enables authentication to Azure Active Directory using client secret details configured in environment variables

          constructor

          constructor(options?: EnvironmentCredentialOptions);
          • Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.

            Required environment variables:

            - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
            - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.

            Environment variables used for client credential authentication:

            - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
            - AZURE_CLIENT_CERTIFICATE_PATH: The path to a PEM certificate to use during the authentication, instead of the client secret.

            Alternatively, users can provide environment variables for username and password authentication:

            - AZURE_USERNAME: Username to authenticate with.
            - AZURE_PASSWORD: Password to authenticate with.

            If the environment variables required to perform the authentication are missing, a CredentialUnavailableError will be thrown. If the authentication fails, or if there's an unknown error, an AuthenticationError will be thrown.

            Parameter options

            Options for configuring the client which makes the authentication request.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Authenticates with Azure Active Directory and returns an access token if successful.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            Optional parameters. See GetTokenOptions.

          class InteractiveBrowserCredential

          class InteractiveBrowserCredential implements TokenCredential {}
          • Enables authentication to Azure Active Directory inside of the web browser using the interactive login flow.

          constructor

          constructor(
          options?:
          | InteractiveBrowserCredentialNodeOptions
          | InteractiveBrowserCredentialInBrowserOptions
          );
          • Creates an instance of InteractiveBrowserCredential with the details needed.

            This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow). On Node.js, it will open a browser window while it listens for a redirect response from the authentication service. On browsers, it authenticates via popups. The loginStyle optional parameter can be set to redirect to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.

            For Node.js, if a clientId is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint. Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).

            Parameter options

            Options for configuring the client which makes the authentication requests.

          method authenticate

          authenticate: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AuthenticationRecord | undefined>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

            If the token can't be retrieved silently, this method will require user interaction to retrieve the token.

            On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default. PKCE is a security feature that mitigates authentication code interception attacks.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

            If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          class ManagedIdentityCredential

          class ManagedIdentityCredential implements TokenCredential {}
          • Attempts authentication using a managed identity available at the deployment environment. This authentication type works in Azure VMs, App Service instances, Azure Functions applications, Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.

            More information about configuring managed identities can be found here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

          constructor

          constructor(clientId: string, options?: TokenCredentialOptions);
          • Creates an instance of ManagedIdentityCredential with the client ID of a user-assigned identity, or app registration (when working with AKS pod-identity).

            Parameter clientId

            The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).

            Parameter options

            Options for configuring the client which makes the access token request.

          constructor

          constructor(options?: ManagedIdentityCredentialClientIdOptions);
          • Creates an instance of ManagedIdentityCredential with clientId

            Parameter options

            Options for configuring the client which makes the access token request.

          constructor

          constructor(options?: ManagedIdentityCredentialResourceIdOptions);
          • Creates an instance of ManagedIdentityCredential with Resource Id

            Parameter options

            Options for configuring the resource which makes the access token request.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure. If an unexpected error occurs, an AuthenticationError will be thrown with the details of the failure.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          class OnBehalfOfCredential

          class OnBehalfOfCredential implements TokenCredential {}
          • Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).

          constructor

          constructor(
          options: OnBehalfOfCredentialCertificateOptions &
          TokenCredentialOptions &
          CredentialPersistenceOptions
          );
          • Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Azure Active Directory with the path to a PEM certificate and a user assertion.

            Example using the KeyClient from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):

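            import { OnBehalfOfCredential } from "@azure/identity";
            import { KeyClient } from "@azure/keyvault-keys";

            // tenantId and clientId are supplied by the application.
            const tokenCredential = new OnBehalfOfCredential({
              tenantId,
              clientId,
              certificatePath: "/path/to/certificate.pem",
              userAssertionToken: "access-token"
            });
            const client = new KeyClient("vault-url", tokenCredential);
            await client.getKey("key-name");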

            Parameter options

            Optional parameters, generally common across credentials.

          constructor

          constructor(
          options: OnBehalfOfCredentialSecretOptions &
          TokenCredentialOptions &
          CredentialPersistenceOptions
          );
          • Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Azure Active Directory with a client secret and a user assertion.

            Example using the KeyClient from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):

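            import { OnBehalfOfCredential } from "@azure/identity";
            import { KeyClient } from "@azure/keyvault-keys";

            // tenantId, clientId and clientSecret are supplied by the application.
            const tokenCredential = new OnBehalfOfCredential({
              tenantId,
              clientId,
              clientSecret,
              userAssertionToken: "access-token"
            });
            const client = new KeyClient("vault-url", tokenCredential);
            await client.getKey("key-name");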

            Parameter options

            Optional parameters, generally common across credentials.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure the underlying network requests.

          class UsernamePasswordCredential

          class UsernamePasswordCredential implements TokenCredential {}
          • Enables authentication to Azure Active Directory with a user's username and password. This credential requires a high degree of trust so you should only use it when other, more secure credential types can't be used.

          constructor

          constructor(
          tenantId: string,
          clientId: string,
          username: string,
          password: string,
          options?: UsernamePasswordCredentialOptions
          );
          • Creates an instance of the UsernamePasswordCredential with the details needed to authenticate against Azure Active Directory with a username and password.

            Parameter tenantId

            The Azure Active Directory tenant (directory).

            Parameter clientId

            The client (application) ID of an App Registration in the tenant.

            Parameter username

            The user account's e-mail address (user name).

            Parameter password

            The user account's password.

            Parameter options

            Options for configuring the client which makes the authentication request.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Authenticates with Azure Active Directory and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

            If the disableAutomaticAuthentication option was provided and the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          class VisualStudioCodeCredential

          class VisualStudioCodeCredential implements TokenCredential {}
          • Connects to Azure using the credential provided by the VSCode extension 'Azure Account'. Once the user has logged in via the extension, this credential can share the same refresh token that is cached by the extension.

          constructor

          constructor(options?: VisualStudioCodeCredentialOptions);
          • Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.

            **Note**: VisualStudioCodeCredential is provided by a plugin package: @azure/identity-vscode. If this package is not installed and registered using the plugin API (useIdentityPlugin), then authentication using VisualStudioCodeCredential will not be available.

            Parameter options

            Options for configuring the client which makes the authentication request.

          method getToken

          getToken: (
          scopes: string | string[],
          options?: GetTokenOptions
          ) => Promise<AccessToken>;
          • Returns the token found by searching VSCode's authentication cache or returns null if no token could be found.

            Parameter scopes

            The list of scopes for which the token will have access.

            Parameter options

            The options used to configure any requests this TokenCredential implementation might make.

          Interfaces

          interface AuthenticationRecord

          interface AuthenticationRecord {}
          • The record to use to find the cached tokens in the cache.

          property authority

          authority: string;
          • The associated authority, if used.

          property clientId

          clientId: string;
          • The associated client ID.

          property homeAccountId

          homeAccountId: string;
          • The home account Id.

          property tenantId

          tenantId: string;
          • The associated tenant ID.

          property username

          username: string;
          • The username of the logged in account.

          interface AuthenticationRequiredErrorOptions

          interface AuthenticationRequiredErrorOptions {}

          property getTokenOptions

          getTokenOptions?: GetTokenOptions;
          • The options passed to the getToken request.

          property message

          message?: string;
          • The message of the error.

          property scopes

          scopes: string[];
          • The list of scopes for which the token will have access.

          interface AzureCliCredentialOptions

          interface AzureCliCredentialOptions extends TokenCredentialOptions {}

          property tenantId

          tenantId?: string;
          • Allows specifying a tenant ID

          interface AzurePowerShellCredentialOptions

          interface AzurePowerShellCredentialOptions extends TokenCredentialOptions {}

          property tenantId

          tenantId?: string;
          • Allows specifying a tenant ID

          interface ClientCertificateCredentialOptions

          interface ClientCertificateCredentialOptions
          extends TokenCredentialOptions,
          CredentialPersistenceOptions {}

          property sendCertificateChain

          sendCertificateChain?: boolean;
          • Option to include the x5c header for SubjectName and Issuer name authorization. Set this option to send the base64-encoded public certificate in the client assertion header as an x5c claim.

          interface ClientCertificatePEMCertificate

          interface ClientCertificatePEMCertificate {}

          property certificate

          certificate: string;
          • The PEM-encoded public/private key certificate, given as its string contents.

          interface ClientCertificatePEMCertificatePath

          interface ClientCertificatePEMCertificatePath {}

          property certificatePath

          certificatePath: string;
          • The path to the PEM-encoded public/private key certificate on the filesystem.

          interface ClientSecretCredentialOptions

          interface ClientSecretCredentialOptions
          extends TokenCredentialOptions,
          CredentialPersistenceOptions {}

          interface CredentialPersistenceOptions

          interface CredentialPersistenceOptions {}
          • Shared configuration options for credentials that support persistent token caching.

          property tokenCachePersistenceOptions

          tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
          • Options to provide to the persistence layer (if one is available) when storing credentials.

            You must first register a persistence provider plugin. See the @azure/identity-cache-persistence package on NPM.

            Example:

            import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
            import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";

            useIdentityPlugin(cachePersistencePlugin);

            async function main() {
              const credential = new DeviceCodeCredential({
                tokenCachePersistenceOptions: {
                  enabled: true
                }
              });
            }

            main().catch((error) => {
              console.error("An error occurred:", error);
              process.exit(1);
            });

          interface DefaultAzureCredentialClientIdOptions

          interface DefaultAzureCredentialClientIdOptions
          extends DefaultAzureCredentialOptions {}
          • Provides options to configure the DefaultAzureCredential class. This variation supports managedIdentityClientId and not managedIdentityResourceId, since only one of the two is supported.

          property managedIdentityClientId

          managedIdentityClientId?: string;

          interface DefaultAzureCredentialOptions

          interface DefaultAzureCredentialOptions extends TokenCredentialOptions {}

          property tenantId

          tenantId?: string;
          • Optionally pass in a Tenant ID to be used as part of the credential. By default it may use a generic tenant ID depending on the underlying credential.

          interface DefaultAzureCredentialResourceIdOptions

          interface DefaultAzureCredentialResourceIdOptions
          extends DefaultAzureCredentialOptions {}
          • Provides options to configure the DefaultAzureCredential class. This variation supports managedIdentityResourceId and not managedIdentityClientId, since only one of the two is supported.

          property managedIdentityResourceId

          managedIdentityResourceId: string;
          • Optionally pass in a resource ID to be used by the ManagedIdentityCredential. In scenarios such as when user assigned identities are created using an ARM template, where the resource Id of the identity is known but the client Id can't be known ahead of time, this parameter allows programs to use these user assigned identities without having to first determine the client Id of the created identity.

          interface DeviceCodeCredentialOptions

          interface DeviceCodeCredentialOptions
          extends InteractiveCredentialOptions,
          CredentialPersistenceOptions {}
          • Defines options for the DeviceCodeCredential class for Node.js.

          property clientId

          clientId?: string;
          • The client (application) ID of an App Registration in the tenant.

          property tenantId

          tenantId?: string;
          • The Azure Active Directory tenant (directory) ID.

          property userPromptCallback

          userPromptCallback?: DeviceCodePromptCallback;
          • A callback function that will be invoked to show DeviceCodeInfo to the user. If left unassigned, we will automatically log the device code information and the authentication instructions in the console.

          interface DeviceCodeInfo

          interface DeviceCodeInfo {}
          • Provides the user code and verification URI where the code must be entered. Also provides a message to display to the user which contains an instruction with these details.

          property message

          message: string;
          • A message that may be shown to the user to instruct them on how to enter the device code in the page specified by the verification URI.

          property userCode

          userCode: string;
          • The device code that the user must enter into the verification page.

          property verificationUri

          verificationUri: string;
          • The verification URI to which the user must navigate to enter the device code.

          interface EnvironmentCredentialOptions

          interface EnvironmentCredentialOptions extends TokenCredentialOptions {}
          • Enables authentication to Azure Active Directory depending on the available environment variables. Defines options for the EnvironmentCredential class.

          interface ErrorResponse

          interface ErrorResponse {}
          • See the official documentation for more details:

            https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code#error-response-1

            NOTE: This documentation is for v1 OAuth support but the same error response details still apply to v2.

          property correlationId

          correlationId?: string;
          • The correlation ID to be used for tracking the source of the error.

          property error

          error: string;
          • The string identifier for the error.

          property errorCodes

          errorCodes?: number[];
          • An array of codes pertaining to the error(s) that occurred.

          property errorDescription

          errorDescription: string;
          • The error's description.

          property timestamp

          timestamp?: string;
          • The timestamp at which the error occurred.

          property traceId

          traceId?: string;
          • The trace identifier for this error occurrence.

          interface InteractiveBrowserCredentialInBrowserOptions

          interface InteractiveBrowserCredentialInBrowserOptions
          extends InteractiveCredentialOptions {}
          • Defines the common options for the InteractiveBrowserCredential class.

          property clientId

          clientId: string;
          • The client (application) ID of an App Registration in the tenant. This parameter is required on the browser.

          property loginHint

          loginHint?: string;
          • loginHint allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to log in with the specified account.

          property loginStyle

          loginStyle?: BrowserLoginStyle;
          • Specifies whether a redirect or a popup window should be used to initiate the user authentication flow. Possible values are "redirect" or "popup" (default) for browser and "popup" (default) for node.

          property redirectUri

          redirectUri?: string | (() => string);
          • Gets the redirect URI of the application. This should be the same as the value in the application registration portal. Defaults to window.location.href.

          property tenantId

          tenantId?: string;
          • The Azure Active Directory tenant (directory) ID.

          interface InteractiveBrowserCredentialNodeOptions

          interface InteractiveBrowserCredentialNodeOptions
          extends InteractiveCredentialOptions,
          CredentialPersistenceOptions {}
          • Defines the common options for the InteractiveBrowserCredential class.

          property clientId

          clientId?: string;
          • The client (application) ID of an App Registration in the tenant.

          property loginHint

          loginHint?: string;
          • loginHint allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to log in with the specified account.

          property redirectUri

          redirectUri?: string | (() => string);
          • Gets the redirect URI of the application. This should be the same as the value in the application registration portal. Defaults to window.location.href.

          property tenantId

          tenantId?: string;
          • The Azure Active Directory tenant (directory) ID.

          interface InteractiveCredentialOptions

          interface InteractiveCredentialOptions extends TokenCredentialOptions {}
          • Common constructor options for the Identity credentials that require user interaction.

          property authenticationRecord

          authenticationRecord?: AuthenticationRecord;
          • Result of a previous authentication that can be used to retrieve the cached credentials of each individual account. Providing it is necessary when the application wants to work with more than one account per Client ID and Tenant ID pair.

            This record can be retrieved by calling the credential's authenticate() method, as follows:

            const authenticationRecord = await credential.authenticate();

          property disableAutomaticAuthentication

          disableAutomaticAuthentication?: boolean;
          • Makes getToken throw if a manual authentication is necessary. Developers will need to call authenticate() to control when to manually authenticate.

          interface ManagedIdentityCredentialClientIdOptions

          interface ManagedIdentityCredentialClientIdOptions extends TokenCredentialOptions {}
          • Options to send on the ManagedIdentityCredential constructor. This variation supports clientId and not resourceId, since only one of the two is supported.

          property clientId

          clientId?: string;
          • The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).

          interface ManagedIdentityCredentialResourceIdOptions

          interface ManagedIdentityCredentialResourceIdOptions
          extends TokenCredentialOptions {}
          • Options to send on the ManagedIdentityCredential constructor. This variation supports resourceId and not clientId, since only one of the two is supported.

          property resourceId

          resourceId: string;
          • Allows specifying a custom resource Id. In scenarios such as when user assigned identities are created using an ARM template, where the resource Id of the identity is known but the client Id can't be known ahead of time, this parameter allows programs to use these user assigned identities without having to first determine the client Id of the created identity.

          interface OnBehalfOfCredentialCertificateOptions

          interface OnBehalfOfCredentialCertificateOptions {}

          property certificatePath

          certificatePath: string;
          • The path to a PEM-encoded public/private key certificate on the filesystem.

          property clientId

          clientId: string;
          • The client (application) ID of an App Registration in the tenant.

          property sendCertificateChain

          sendCertificateChain?: boolean;
          • Option to include the x5c header for SubjectName and Issuer name authorization. Set this option to send the base64-encoded public certificate in the client assertion header as an x5c claim.

          property tenantId

          tenantId: string;
          • The Azure Active Directory tenant (directory) ID.

          property userAssertionToken

          userAssertionToken: string;
          • The user assertion for the On-Behalf-Of flow.

          interface OnBehalfOfCredentialSecretOptions

          interface OnBehalfOfCredentialSecretOptions {}

          property clientId

          clientId: string;
          • The client (application) ID of an App Registration in the tenant.

          property clientSecret

          clientSecret: string;
          • A client secret that was generated for the App Registration.

          property tenantId

          tenantId: string;
          • The Azure Active Directory tenant (directory) ID.

          property userAssertionToken

          userAssertionToken: string;
          • The user assertion for the On-Behalf-Of flow.

          interface TokenCachePersistenceOptions

          interface TokenCachePersistenceOptions {}
          • Parameters that enable token cache persistence in the Identity credentials.

          property enabled

          enabled: boolean;
          • If set to true, persistent token caching will be enabled for this credential instance.

          property name

          name?: string;
          • Unique identifier for the persistent token cache.

            Based on this identifier, the persistence file will be located in any of the following places:
            - Darwin: '/Users/user/.IdentityService/'
            - Windows 8+: 'C:\Users\user\AppData\Local\.IdentityService\'
            - Linux: '/home/user/.IdentityService/'

          property unsafeAllowUnencryptedStorage

          unsafeAllowUnencryptedStorage?: boolean;
          • If set to true, the cache will be stored without encryption if no OS level user encryption is available. When set to false, the PersistentTokenCache will throw an error if no OS level user encryption is available.

          interface TokenCredentialOptions

          interface TokenCredentialOptions extends CommonClientOptions {}
          • Provides options to configure how the Identity library makes authentication requests to Azure Active Directory.

          property authorityHost

          authorityHost?: string;
          • The authority host to use for authentication requests. Possible values are available through AzureAuthorityHosts. The default is "https://login.microsoftonline.com".

          property loggingOptions

          loggingOptions?: LogPolicyOptions & {
          allowLoggingAccountIdentifiers?: boolean;
          };
          • Allows logging account information once the authentication flow succeeds.

          interface UsernamePasswordCredentialOptions

          interface UsernamePasswordCredentialOptions
          extends TokenCredentialOptions,
          CredentialPersistenceOptions {}

          interface VisualStudioCodeCredentialOptions

          interface VisualStudioCodeCredentialOptions extends TokenCredentialOptions {}
          • Provides options to configure the Visual Studio Code credential.

          property tenantId

          tenantId?: string;
          • Optionally pass in a Tenant ID to be used as part of the credential

          Enums

          enum AzureAuthorityHosts

          enum AzureAuthorityHosts {
          AzureChina = 'https://login.chinacloudapi.cn',
          AzureGermany = 'https://login.microsoftonline.de',
          AzureGovernment = 'https://login.microsoftonline.us',
          AzurePublicCloud = 'https://login.microsoftonline.com',
          }
          • A list of known Azure authority hosts

          member AzureChina

          AzureChina = 'https://login.chinacloudapi.cn'
          • China-based Azure Authority Host

          member AzureGermany

          AzureGermany = 'https://login.microsoftonline.de'
          • Germany-based Azure Authority Host

          member AzureGovernment

          AzureGovernment = 'https://login.microsoftonline.us'
          • US Government Azure Authority Host

          member AzurePublicCloud

          AzurePublicCloud = 'https://login.microsoftonline.com'
          • Public Cloud Azure Authority Host
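
The following added example, which is not code from the @azure/identity package, audits an options object for three settings documented above that affect credential exposure: authorityHost (checked against the AzureAuthorityHosts values), tokenCachePersistenceOptions.unsafeAllowUnencryptedStorage, and loggingOptions.allowLoggingAccountIdentifiers. The function names, the severity labels and the strict host-only allow-list policy are assumptions of this example, and the sample configurations are constructed.

```javascript
// Added example (not part of @azure/identity): audits credential options
// before they reach a credential constructor. Policy choices are assumptions.

// Values copied from the AzureAuthorityHosts enum documented on this page.
const KNOWN_AUTHORITY_HOSTS = Object.freeze({
  AzureChina: "https://login.chinacloudapi.cn",
  AzureGermany: "https://login.microsoftonline.de",
  AzureGovernment: "https://login.microsoftonline.us",
  AzurePublicCloud: "https://login.microsoftonline.com",
});

// Returns the enum member name that `value` corresponds to, or null.
// The comparison is on the parsed hostname, so a value that only contains a
// known host as a prefix, suffix or userinfo part does not match.
function matchAuthorityHost(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not an absolute URL
  }
  // Anything beyond "https://host" (userinfo, port, path, query, fragment)
  // is rejected by this example's policy.
  const hasExtras =
    url.username !== "" || url.password !== "" || url.port !== "" ||
    url.pathname !== "/" || url.search !== "" || url.hash !== "";
  if (url.protocol !== "https:" || hasExtras) return null;
  for (const [name, known] of Object.entries(KNOWN_AUTHORITY_HOSTS)) {
    if (new URL(known).hostname === url.hostname) return name;
  }
  return null;
}

// Returns an array of findings; an empty array means nothing was flagged.
function auditCredentialOptions(options = {}) {
  const findings = [];

  // An undefined authorityHost means the documented default is used.
  if (options.authorityHost !== undefined &&
      matchAuthorityHost(options.authorityHost) === null) {
    findings.push({
      option: "authorityHost",
      severity: "high",
      detail: "authentication requests would go to a host outside AzureAuthorityHosts",
    });
  }

  const cache = options.tokenCachePersistenceOptions;
  if (cache && cache.enabled === true &&
      cache.unsafeAllowUnencryptedStorage === true) {
    findings.push({
      option: "tokenCachePersistenceOptions.unsafeAllowUnencryptedStorage",
      severity: "high",
      detail: "cache is stored unencrypted when no OS level user encryption is available",
    });
  }

  const logging = options.loggingOptions;
  if (logging && logging.allowLoggingAccountIdentifiers === true) {
    findings.push({
      option: "loggingOptions.allowLoggingAccountIdentifiers",
      severity: "medium",
      detail: "account information is logged once the authentication flow succeeds",
    });
  }
  return findings;
}

// Constructed sample configurations (not taken from any real deployment).
const SAMPLE_WEAK = {
  authorityHost: "https://login.microsoftonline.com.example.net",
  tokenCachePersistenceOptions: { enabled: true, unsafeAllowUnencryptedStorage: true },
  loggingOptions: { allowLoggingAccountIdentifiers: true },
};
const SAMPLE_OK = {
  authorityHost: KNOWN_AUTHORITY_HOSTS.AzureGovernment,
  tokenCachePersistenceOptions: { enabled: true, name: "sample-cache" },
};

for (const f of auditCredentialOptions(SAMPLE_WEAK)) {
  console.log(`[${f.severity}] ${f.option}: ${f.detail}`);
}
```

Deployments that use an authority outside the enum would extend KNOWN_AUTHORITY_HOSTS explicitly rather than relax the hostname comparison.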

          Type Aliases

          type BrowserLoginStyle

          type BrowserLoginStyle = 'redirect' | 'popup';
          • (Browser-only feature) The "login style" to use in the authentication flow:
            - "redirect" redirects the user to the authentication page and then redirects them back to the page once authentication is completed.
            - "popup" opens a new browser window through which the redirect flow is initiated. The user's existing browser window does not leave the current page.

          type ClientCertificateCredentialPEMConfiguration

          type ClientCertificateCredentialPEMConfiguration =
          | ClientCertificatePEMCertificate
          | ClientCertificatePEMCertificatePath;
          • Required configuration options for the ClientCertificateCredential, with either the string contents of a PEM certificate, or the path to a PEM certificate.

          type DeviceCodePromptCallback

          type DeviceCodePromptCallback = (deviceCodeInfo: DeviceCodeInfo) => void;
          • Defines the signature of a callback which will be passed to DeviceCodeCredential for the purpose of displaying authentication details to the user.

          type IdentityPlugin

          type IdentityPlugin = (context: unknown) => void;
          • The type of an Azure Identity plugin, a function accepting a plugin context.

          type OnBehalfOfCredentialOptions

          type OnBehalfOfCredentialOptions = (
          | OnBehalfOfCredentialSecretOptions
          | OnBehalfOfCredentialCertificateOptions
          ) &
          TokenCredentialOptions &
          CredentialPersistenceOptions;

          Package Files (1)

          Dependencies (16)

          Dev Dependencies (40)

          Peer Dependencies (0)

          No peer dependencies.
