Azure Identity client library for JavaScript

NOTE: This is a patched version to support node v20

The Azure Identity library provides Azure Active Directory (Azure AD) token authentication through a set of convenient TokenCredential implementations.

For examples of various credentials, see the Azure Identity examples page.

Key links:

• Source code
• Package (npm)
• API Reference Documentation
• Azure AD documentation
• Samples

Getting started

Migrate from v1 to v2 of @azure/identity

If you're using v1 of @azure/identity, see the migration guide to update to v2.

Currently supported environments

• LTS versions of Node.js
  • Note: If your application runs on Node.js v8 or lower and you cannot upgrade your Node.js version to latest stable version, then pin your @azure/identity dependency to version 1.1.0.
• Latest versions of Safari, Chrome, Edge, and Firefox.
  • Note: Among the different credentials exported in this library, InteractiveBrowserCredential is the only one that is supported in the browser.

See our support policy for more details.

Install the package

Install Azure Identity with npm:

npm install --save @azure/identity

Prerequisites

• An Azure subscription.
• Optional: The Azure CLI and/or Azure PowerShell can also be useful for authenticating in a development environment and managing account roles.

When to use @azure/identity

The credential classes exposed by @azure/identity are focused on providing the most straightforward way to authenticate the Azure SDK clients locally, in your development environments, and in production. We aim for simplicity and reasonable support of the authentication protocols to cover most of the authentication scenarios possible on Azure. We're actively expanding to cover more scenarios. For a full list of the credentials offered, see the Credential Classes section.

All credential types provided by @azure/identity are supported in Node.js. For browsers, InteractiveBrowserCredential is the credential type to be used for basic authentication scenarios.

Most of the credential types offered by @azure/identity use the Microsoft Authentication Library for JavaScript (MSAL.js). Specifically, we use the v2 MSAL.js libraries, which use OAuth 2.0 Authorization Code Flow with PKCE and are OpenID-compliant. While @azure/identity focuses on simplicity, the MSAL.js libraries, such as @azure/msal-common, @azure/msal-node, and @azure/msal-browser, are designed to provide robust support for the authentication protocols that Azure supports.

When to use something else

The @azure/identity credential types are implementations of @azure/core-auth's TokenCredential class. In principle, any object with a getToken method that satisfies getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null> will work as a TokenCredential. This means developers can write their own credential types to support authentication cases not covered by @azure/identity. To learn more, see Custom Credentials.

Though our credential types support many advanced cases, developers may want full control of the authentication protocol. For that use case, we recommend using Microsoft Authentication Library for JavaScript (MSAL.js) directly. You can read more through the following links:

• We portray some advanced use cases of @azure/identity on the Azure Identity Examples page.
  • There, we specifically have an Advanced Examples section.
  • We also have a section that shows how to Authenticate with MSAL directly.

For advanced authentication workflows in the browser, we have a section where we showcase how to use the @azure/msal-browser library directly to authenticate Azure SDK clients.

Authenticate the client in development environment

While we recommend using managed identity or service principal authentication in your production application, it is typical for a developer to use their own account for authenticating calls to Azure services when debugging and executing code locally. There are several developer tools which can be used to perform this authentication in your development environment.

Authenticate via the Azure Developer CLI

Developers coding outside of an IDE can also use the [Azure Developer CLI][azure_developer_cli] to authenticate. Applications using the DefaultAzureCredential or the AzureDeveloperCliCredential can then use this account to authenticate calls in their application when running locally.

To authenticate with the [Azure Developer CLI][azure_developer_cli], users can run the command azd auth login. For users running on a system with a default web browser, the Azure Developer CLI will launch the browser to authenticate the user.

For systems without a default web browser, the azd auth login --use-device-code command will use the device code authentication flow.

Authenticate via the Azure CLI

Applications using the AzureCliCredential, whether directly or via the DefaultAzureCredential, can use the Azure CLI account to authenticate calls in the application when running locally.

To authenticate with the Azure CLI users can run the command az login. For users running on a system with a default web browser the Azure cli will launch the browser to authenticate the user.

For systems without a default web browser, the az login command will use the device code authentication flow. The user can also force the Azure CLI to use the device code flow rather than launching a browser by specifying the --use-device-code argument.

Authenticate via Azure PowerShell

Applications using the AzurePowerShellCredential, whether directly or via the DefaultAzureCredential, can use the account connected to Azure PowerShell to authenticate calls in the application when running locally.

To authenticate with Azure PowerShell users can run the Connect-AzAccount cmdlet. By default, ike the Azure CLI, Connect-AzAccount will launch the default web browser to authenticate a user account.

If interactive authentication cannot be supported in the session, then the -UseDeviceAuthentication argument will force the cmdlet to use a device code authentication flow instead, similar to the corresponding option in the Azure CLI credential.

Authenticate via Visual Studio Code

Developers using Visual Studio Code can use the Azure Account extension to authenticate via the editor. Apps using VisualStudioCodeCredential can then use this account to authenticate calls in their app when running locally.

To authenticate in Visual Studio Code, ensure the Azure Account extension is installed. Once installed, open the Command Palette and run the Azure: Sign In command.

Additionally, use the @azure/identity-vscode plugin package. This package provides the dependencies of VisualStudioCodeCredential and enables it. See Plugins.

It's a known issue that VisualStudioCodeCredential doesn't work with Azure Account extension versions newer than 0.9.11. A long-term fix to this problem is in progress. In the meantime, consider authenticating via the Azure CLI.

Authenticate the client in browsers

To authenticate Azure SDK clients within web browsers, we offer the InteractiveBrowserCredential, which can be set to use redirection or popups to complete the authentication flow. It's necessary to create an Azure App Registration in the Azure portal for your web application first.

Key concepts

If this is your first time using @azure/identity or the Microsoft Identity platform (Azure AD), read Using @azure/identity with Microsoft Identity Platform first. This document provides a deeper understanding of the platform and how to configure your Azure account correctly.

Credentials

A credential is a class which contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they're constructed. Service clients use those credentials to authenticate requests to the service.

The Azure Identity library focuses on OAuth authentication with Azure AD, and it offers a variety of credential classes capable of acquiring an Azure AD token to authenticate service requests. All of the credential classes in this library are implementations of the TokenCredential abstract class, and any of them can be used by to construct service clients capable of authenticating with a TokenCredential.

See Credential Classes.

DefaultAzureCredential

The DefaultAzureCredential is appropriate for most scenarios where the application is intended to ultimately be run in Azure. This is because the DefaultAzureCredential combines credentials commonly used to authenticate when deployed with credentials used to authenticate in a development environment.

Note: DefaultAzureCredential is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.

If used from Node.js, the DefaultAzureCredential will attempt to authenticate via the following mechanisms in order:

1. Environment - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.
2. Workload Identity - If the application is deployed to Azure Kubernetes Service with Managed Identity enabled, DefaultAzureCredential will authenticate with it.
3. Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account.
4. Azure Developer CLI - If the developer has authenticated an account via the Azure Developer CLI azd auth login command, the DefaultAzureCredential will authenticate with that account.
5. Azure CLI - If the developer has authenticated an account via the Azure CLI az login command, the DefaultAzureCredential will authenticate with that account.
6. Azure PowerShell - If the developer has authenticated using the Azure PowerShell module Connect-AzAccount command, the DefaultAzureCredential will authenticate with that account.

Continuation policy

As of version 3.3.0, DefaultAzureCredential will attempt to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so DefaultAzureCredential will continue to the next credential in the flow. Deployed service credentials will stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one.

This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.

Note about VisualStudioCodeCredential

Due to a known issue, VisualStudioCodeCredential has been removed from the DefaultAzureCredential token chain. When the issue is resolved in a future release, this change will be reverted.

Plugins

Azure Identity for JavaScript provides a plugin API that allows us to provide certain functionality through separate plugin packages. The @azure/identity package exports a top-level function (useIdentityPlugin) that can be used to enable a plugin. We provide two plugin packages:

• @azure/identity-cache-persistence, which provides persistent token caching in Node.js using a native secure storage system provided by your operating system. This plugin allows cached access_token values to persist across sessions, meaning that an interactive login flow does not need to be repeated as long as a cached token is available.
• @azure/identity-vscode, which provides the dependencies of VisualStudioCodeCredential and enables it. Without this plugin, the VisualStudioCodeCredential in this package will throw a CredentialUnavailableError. The plugin provides the underlying implementation of this credential, enabling it for use both on its own and as part of the DefaultAzureCredential described above.

Examples

You can find more examples of using various credentials in Azure Identity Examples Page

Authenticate with the DefaultAzureCredential

This example demonstrates authenticating the KeyClient from the @azure/keyvault-keys client library using the DefaultAzureCredential.

// The default credential first checks environment variables for configuration as described above.
// If environment configuration is incomplete, it will try managed identity.

// Azure Key Vault service to use
import { KeyClient } from "@azure/keyvault-keys";

// Azure authentication library to access Azure Key Vault
import { DefaultAzureCredential } from "@azure/identity";

// Azure SDK clients accept the credential as a parameter
const credential = new DefaultAzureCredential();

// Create authenticated client
const client = new KeyClient(vaultUrl, credential);

Specify a user-assigned managed identity with the DefaultAzureCredential

A relatively common scenario involves authenticating using a user-assigned managed identity for an Azure resource. Explore the example on Authenticating a user-assigned managed identity with DefaultAzureCredential to see how this is made a relatively straightforward task that can be configured using environment variables or in code.

Define a custom authentication flow with the ChainedTokenCredential

While the DefaultAzureCredential is generally the quickest way to get started developing applications for Azure, more advanced users may want to customize the credentials considered when authenticating. The ChainedTokenCredential enables users to combine multiple credential instances to define a customized chain of credentials. This example demonstrates creating a ChainedTokenCredential which will attempt to authenticate using two differently configured instances of ClientSecretCredential, to then authenticate the KeyClient from the @azure/keyvault-keys:

import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";

// When an access token is requested, the chain will try each
// credential in order, stopping when one provides a token
const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);

// The chain can be used anywhere a credential is required
import { KeyClient } from "@azure/keyvault-keys";
const client = new KeyClient(vaultUrl, credentialChain);

Managed identity support

The Managed identity authentication is supported via either the DefaultAzureCredential or the ManagedIdentityCredential credential classes directly for the following Azure services:

• Azure App Service and Azure Functions
• Azure Arc
• Azure Cloud Shell
• Azure Kubernetes Service
• Azure Service Fabric
• Azure Virtual Machines
• Azure Virtual Machines Scale Sets

For examples of how to use managed identity for authentication, see the examples.

Cloud configuration

Credentials default to authenticating to the Azure AD endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the authorityHost argument in the constructor. The AzureAuthorityHosts interface defines authorities for well-known clouds. For the US Government cloud, you could instantiate a credential this way:

import { AzureAuthorityHosts, ClientSecretCredential } from "@azure/identity";
const credential = new ClientSecretCredential(
  "<YOUR_TENANT_ID>",
  "<YOUR_CLIENT_ID>",
  "<YOUR_CLIENT_SECRET>",
  {
    authorityHost: AzureAuthorityHosts.AzureGovernment,
  }
);

Not all credentials require this configuration. Credentials that authenticate through a development tool, such as AzureCliCredential, use that tool's configuration. Similarly, VisualStudioCodeCredential accepts an authorityHost argument but defaults to the authorityHost matching Visual Studio Code's Azure: Cloud setting.

Credential classes

Authenticate Azure-hosted applications

Authenticate service principals

Authenticate users

Authenticate via development tools

Environment variables

DefaultAzureCredential and EnvironmentCredential can be configured with environment variables. Each type of authentication requires values for specific variables.

Service principal with secret

Service principal with certificate

Username and password

Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.

Continuous Access Evaluation

As of version 3.3.0, accessing resources protected by Continuous Access Evaluation (CAE) is possible on a per-request basis. This can be enabled using the GetTokenOptions.enableCae(boolean) API. CAE isn't supported for developer credentials.

Token caching

Token caching is a feature provided by the Azure Identity library that allows apps to:

• Cache tokens in memory (default) and on disk (opt-in).
• Improve resilience and performance.
• Reduce the number of requests made to Azure AD to obtain access tokens.

The Azure Identity library offers both in-memory and persistent disk caching. For more details, see the token caching documentation.

Troubleshooting

For assistance with troubleshooting, see the troubleshooting guide.

Next steps

Read the documentation

API documentation for this library can be found on our documentation site.

Client library support

Client and management libraries listed on the Azure SDK releases page that support Azure AD authentication accept credentials from this library. Learn more about using these libraries in their documentation, which is linked from the releases page.

Known issues

Azure AD B2C support

This library doesn't support the Azure AD B2C service.

For other open issues, see the library's GitHub repository.

Provide feedback

If you encounter bugs or have suggestions, please open an issue.

Contributing

If you'd like to contribute to this library, please read the contributing guide to learn more about how to build and test the code.

msal-identity

Release History

3.3.1 (Unreleased)

Features Added

Breaking Changes

Bugs Fixed

• Ensure AzurePowershellCredential calls PowerShell with the -NoProfile and "-NonInteractive" flag to avoid loading user profiles for more consistent behavior. (#27023)

  Other Changes

3.3.0 (2023-08-14)

Features Added

• Enabled support for logging personally identifiable information, required for customer support through the enableUnsafeSupportLogging option on loggingOptions under TokenCredentialOptions.
• Continuous Access Evaluation (CAE) is now configurable per-request by setting the enable_cae keyword argument to True in get_token. This applies to user credentials and service principal credentials. (#26614)

Breaking Changes

• CP1 client capabilities for CAE is no longer always-on by default for user credentials. This capability will now be configured as-needed in each getToken request by each SDK. (#26614)
  • Suffixes are now appended to persistent cache names to indicate whether CAE or non-CAE tokens are stored in the cache. This is to prevent CAE and non-CAE tokens from being mixed/overwritten in the same cache. This could potentially cause issues if you are trying to share the same cache between applications that are using different versions of the Azure Identity library as each application would be reading from a different cache file.
  • Since CAE is no longer always enabled for user-credentials, the AZURE_IDENTITY_DISABLE_CP1 environment variable is no longer supported.

3.2.4 (2023-07-21)

Bug Fixes

• Fixed a bug related to Managed Identity Credential intermixing wrong scopes for successive getToken() calls.

3.2.3 (2023-06-20)

Bug Fixes

• Dependency Upgrades of MSAL libraries to the latest versions for incorporating underlying bug fix to resolve this issue.

  Other Changes

  Behavioral breaking change

  • Moved AzureDeveloperCliCredential to the end of the DefaultAzureCredential chain.

3.2.2 (2023-05-15)

Bug Fixes

• Remove console logging in processMultitenantRequest for tenant id and resolved tenant.

3.2.1 (2023-05-10)

Bug Fixes

• Fixed a bug in WorkloadIdentity Credential, to incorporate the case where the options can be undefined in a conditional check. Related issue #25827 with the fix #25829.

3.2.0 (2023-05-09)

Breaking Changes

• Renamed developerCredentialTimeOutInMs to processTimeoutInMs in DefaultAzureCredentialOptions.
• Renamed federatedTokenFilePath to tokenFilePath under WorkloadIdentityOptions.

3.2.0-beta.2 (2023-04-13)

Features Added

• Added configurable process timeout for dev-time credentials - AzureCLI Credential, AzurePowershell Credential and AzureDeveloperCLI Credential.

Bugs Fixed

• Fixed a bug in WorkloadIdentity Credential, to incorporate the case where the options can be undefined in a conditional check. Related issue #25089 with the fix #25119.
• Exported WorkloadIdentityDefaultCredentialOptions which was previously not publicly exported in index.ts.

3.1.4 (2023-04-11)

Bugs Fixed

• Added a workaround of fetching all accounts from token cache to fix the issue of silent authentication not taking place when authenticationRecord is passed. For reference, see issue.

3.2.0-beta.1 (2023-02-28)

Features Added

• Added support to disable instance discovery on AAD credentials.
• Added AzureDeveloperCliCredential #24180 and added it to the DefaultAzureCredential #24826 auth flow
• Added support for WokloadIdentityCredential#24830, added it to DefaultAzureCredential auth flow and replaced the in-house implementation of Token Exchange MSI in ManagedIdentity with WorkloadIdentityCredential.

3.1.3 (2023-01-12)

Other Changes

• Upgraded versions of @azure/msal-node, @azure/msal-common and @azure/msal-browser to remove any dependency versions that were depending on old version of jsonwebtoken which had a security issue

3.1.2 (2022-12-05)

Bugs Fixed

• Fixed bug in ManagedIdentity Credential where "expiresInSeconds" was taking the absolute timestamp instead of relative expiration time period in seconds.

  Other Changes

• Enable msal logging based on log level specified by user for Azure SDK.

• Upgraded version dependencies on msal libraries, since they have additional logging added.

3.1.1 (2022-11-18)

Bugs Fixed

• Fixed bug to update "expiresOnTimestamp" field in Managed Identity to be in seconds and not milliseconds.

3.1.0 (2022-11-08)

Other Changes

• Docs improvements for cross-language alignment

3.0.1 (2022-11-07)

Bugs Fixed

• Fixed bug to enable additionallyAllowedTenants to pass through to MSAL Flow.

3.1.0-beta.1 (2022-10-13)

Features Added

• Added Token Caching support to Managed Identity Credential

3.0.0 (2022-09-19)

Features Added

• Added additionallyAllowedTenants to the following credential options to force explicit opt-in behavior for multi-tenant authentication via the options property bag to the following:
  • AuthorizationCodeCredentialOptions
  • AzureApplicationCredentialOptions
  • AzureCliCredentialOptions
  • AzurePowerShellCredentialOptions
  • ClientAssertionCredentialOptions
  • ClientCertificateCredentialOptions
  • ClientSecretCredentialOptions
  • DefaultAzureCredentialOptions
  • DeviceCodeCredentialOptions
  • EnvironmentCredentialOptions
  • InteractiveCredentialOptions
  • OnBehalfOfCredentialOptions
  • UsernamePasswordCredentialOptions
  • VisualStudioCodeCredentialOptions

Breaking Changes

• Credential types supporting multi-tenant authentication will now throw an error if the requested tenant ID doesn't match the credential's tenant ID, and is not included in the additionallyAllowedTenants option. Applications must now explicitly add additional tenants to the additionallyAllowedTenants list, or add "*" to list, to enable acquiring tokens from tenants other than the originally specified tenant ID. See BREAKING_CHANGES.md.

Bugs Fixed

• Changed the way token expiration for managed identity tokens is calculated to handle different server formats. See PR #23232

  3.0.0-beta.1 (2022-08-24)

Features Added

• Added support in EnvironmentCredential to read a certificate password from an environment variable AZURE_CLIENT_CERTIFICATE_PASSWORD
• Added samples for supporting AAD authentication in Azure Redis Cache

Breaking Changes

• Removed VisualStudioCodeCredential from DefaultAzureCredential token chain. Issue 20500 tracks this.

2.1.0 (2022-07-08)

Features Added

• Added support for new credential ClientAssertionCredential, which accepts a callback function for the signed JWT assertion for a client certificate. See MSAL Client Assertion for more information.

Bugs Fixed

• Fixed a bug that would break the AzureCliCredential if the Azure CLI reported a warning. See: 21075.
• Fixed a bug in AuthorizationCodeCredential where the tenant id was not being used. The common tenant was the only tenant being used by this credential.
• Fixed a bug in AuthorizationCodeCredential where the public client was not being used. Due to this bug, without passing in the client secret, this credential would fail.
• Fixed a bug in DefaultAzureCredential and AzureCLICredential where the errors thrown by the latter credential were not of type CredentialUnavailableError. This caused only the error of AzureCLICredential being thrown and the other chained errors of DefaultAzureCredential were not thrown. See: 22066

Other Changes

• Upgraded to @azure/core-tracing version ^1.0.0.
• Improved the errors displayed on the AzureCliCredential.

2.0.5 (2022-06-22)

Bugs Fixed

• Fixed a bug in InteractiveBrowserCredential for Mac OS where the app was not getting closed after the authorization succeeded.

2.1.0-beta.2 (2022-03-22)

Features Added

• Added stronger types to the DefaultAzureCredential and ManagedIdentityCredential constructors so that TypeScript users will trigger a type error by providing both a Managed Identity client ID and resource ID to the same credential instance.
• Added stronger types to the ClientCertificateCredential and OnBehalfOfCredential constructors so that TypeScript users will trigger a type error by providing both a Client certificate and certificate path to the same credential instance.
• Added support for App Service 2019 resource in Managed Identity Credential.
• All of our credentials now support a new option on their constructor: loggingOptions, which allows configuring the logging options of the HTTP pipelines.
• Within the new loggingOptions we have also added allowLoggingAccountIdentifiers, a property that if set to true logs information specific to the authenticated account after each successful authentication, including: the Client ID, the Tenant ID, the Object ID of the authenticated user, and if possible the User Principal Name.

Bugs Fixed

• Fixed a bug that caused Continuous Access Enforcement (CAE) and Conditional Access authentication context authentication to fail with newer versions of MSAL.

2.1.0-beta.1 (2022-03-02)

Features Added

• Added support for specifying a custom resourceId when creating a ManagedIdentityCredential or DefaultAzureCredential.
  • In some scenarios where a user-assigned managed identity is required, the identity may be known by an ARM resource ID, but not a client ID (such as when user-assigned identities are created using an ARM template). The resourceId option allows an app to select its managed identity by its ARM resource ID to support such scenarios.
  • If resourceId is provided, the managed identity providers for Azure App Service (2017), Azure Arc, Azure Cloud Shell, Azure Service Fabric and Token Exchange authentication will log a warning since this parameter is not supported by the identity endpoints in those services. The authentication attempts will be sent, but the parameter will be ignored by the service.
• Added clientId to the optional parameters of the ManagedIdentityCredential.
• Updated the Troubleshoot guide to have error codes and error messages for the Identity Customer Service Support.

2.0.4 (2022-02-18)

Bugs Fixed

• Fixed a regression in version 2.0.3 in which providing an options bag, but not a client ID, to the ManagedIdentityCredential constructor would discard the options parameter.

2.0.3 (2022-02-16)

Features Added

• Added log warning for non-support of user assigned identity in Managed Identity credentials in Cloud Shell environments.

Bugs Fixed

• Fixed bug that duplicated the tenant Id on the URI of outgoing requests when passing an authorityHost ending with a tenant Id.
• ManagedIdentityCredential now won't retry when it tries to ping the IMDS endpoint.
• Now we are specifying the maximum number of retries to 3 to ensure that maximum retries won't change without notice.

2.0.2 (2022-02-03)

Features Added

• Improved the error message when InteractiveBrowserCredential is used with an unavailable port (such as when no redirectUri is provided, and the port 80 is busy) and when no browser is available.

Bugs Fixed

• Challenge claims now are properly being passed through to the outgoing token requests.
• The ManagedIdentityCredential now properly parses expiration dates from token exchange requests.

Other Changes

• Moved the @types/stoppable dependency to the devDependencies.

2.0.1 (2021-10-28)

Features Added

• The ManagedIdentityCredential now supports the Service Fabric environment.

Bugs Fixed

• Fixed a bug that caused the AzureCliCredential to fail on Windows. Issue 18268.

2.0.0 (2021-10-15)

After multiple beta releases over the past year, we're proud to announce the general availability of version 2 of the @azure/identity package. This version includes the best parts of v1, plus several improvements.

This changelog entry showcases the changes that have been made from version 1 of this package. See the v1-to-v2 migration guide for details on how to upgrade your application to use the version 2 of @azure/identity. For information on troubleshooting the Identity package, see the troubleshooting guide.

Features Added

Plugin API

Identity v2 provides a top-level useIdentityPlugin function, which allows using two new plugin packages:

• @azure/identity-vscode, which provides the dependencies of VisualStudioCodeCredential and enables it.
  • If the @azure/identity-vscode plugin isn't used through the useIdentityPlugin function, the VisualStudioCodeCredential exposed by Identity v2 will throw a CredentialUnavailableError.
• @azure/identity-cache-persistence, which provides persistent token caching.

Most credentials on Identity v2 now support the persistent token caching feature. Such credentials include the property tokenCachePersistenceOptions in the constructor options which can be used to enable this feature.

The following example showcases how to enable persistence caching by first enabling the @azure/identity-cache-persistence plugin with useIdentityPlugin(cachePersistencePlugin), and then passing the tokenCachePersistenceOptions through the constructor of the DeviceCodeCredential:

import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";

useIdentityPlugin(cachePersistencePlugin);

async function main() {
  const credential = new DeviceCodeCredential({
    tokenCachePersistenceOptions: {
      enabled: true,
    },
  });
}

New credentials

Identity v2 includes two new credential types:

• AzurePowerShellCredential, which re-uses any account previously authenticated with the Az.Account PowerShell module.
• OnBehalfOfCredential, which enables the On-Behalf-Of authentication flow.

New features in all credentials

Identity v2 enables:

• Support for claims challenges resulting from Continuous Access Enforcement (CAE) and Conditional Access authentication context.
  • By default, credentials of Identity v2 will produce tokens that can be used to trigger the challenge authentication flows. After these tokens expire, the next HTTP requests to Azure will fail, but the response will contain information to re-authenticate.
  • To disable this behavior, set the environment variable AZURE_IDENTITY_DISABLE_CP1 to any value. For more about claims challenges, see Claims challenges, claims requests, and client capabilities.
• Support for multi-tenant authentication on all credentials except ManagedIdentityCredential.
  • At the moment, applications needing multi-tenancy support will need to call to the credentials' getToken directly, sending the new tenantId property.
  • A sample with more context will be provided in a future date.
  • To disable it, set the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH. For more about multitenancy, see Identity management in multitenant apps.

New features in InteractiveBrowserCredential and DeviceCodeCredential

You can now control when the credential requests user input with the new disableAutomaticAuthentication option added to the options you pass to the credential constructors.

• When enabled, this option stops the getToken() method from requesting user input in case the credential is unable to authenticate silently.
• If getToken() fails to authenticate without user interaction, and disableAutomaticAuthentication has been set to true, a new error will be thrown: AuthenticationRequired. You may use this error to identify scenarios when manual authentication needs to be triggered (with authenticate(), as described in the next point).

A new method authenticate() is added to these credentials which is similar to getToken(), but it does not read the disableAutomaticAuthentication option described above.

• Use this to get an AuthenticationRecord which you can then use to create new credentials that will re-use the token information.
• The AuthenticationRecord object has a serialize() method that allows an authenticated account to be stored as a string and re-used in another credential at any time. Use the new helper function deserializeAuthenticationRecord to de-serialize this string.
• authenticate() might succeed and still return undefined if we're unable to pick just one account record from the cache. This might happen if the cache is being used by more than one credential, or if multiple users have authenticated using the same Client ID and Tenant ID. To ensure consistency on a program with many users, please keep track of the AuthenticationRecord and provide them in the constructors of the credentials on initialization.

Learn more via the below samples

• Samples around controlling user interaction.
• Samples around persisting user authentication data.

New features in ManagedIdentityCredential

In Identity v2, the ManagedIdentityCredential retries with exponential back-off when a request for a token fails with a 404 status code. This change only applies to environments with available IMDS endpoints.

Azure Service Fabric support hasn't been added on the initial version 2 of Identity. Subscribe to issue #12420 for updates on this feature.

Other features

• ClientCertificateCredential now optionally accepts a configuration object as its third constructor parameter, instead of the PEM certificate path. This new object, called ClientCertificateCredentialPEMConfiguration, can contain either the PEM certificate path with the certificatePath property, or the contents of the PEM certificate with the certificate property..
• The Node.js version of InteractiveBrowserCredential has Proof Key for Code Exchange (PKCE) enabled by default.
• InteractiveBrowserCredential has a new loginHint constructor option, which allows a username to be pre-selected for interactive logins.
• In AzureCliCredential, we allow specifying a tenantId in the parameters through the AzureCliCredentialOptions.
• A new error, named AuthenticationRequiredError, has been added. This error shows up when a credential fails to authenticate silently.
• Errors and logged exceptions may point to the new troubleshooting guidelines.
• On all of the credentials we're providing, the initial authentication attempt in the lifetime of your app will include an additional request to first discover relevant endpoint metadata information from Azure.

Breaking changes

Breaking changes from v1

• For ClientCertificateCredential specifically, the validity of the PEM certificate is evaluated on getToken and not on the constructor.
• We have also renamed the error CredentialUnavailable to CredentialUnavailableError, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
• In v1 of Identity some getToken calls could resolve with null in the case the authentication request succeeded with a malformed output. In v2, issues with the getToken method will always throw errors.

• Breaking changes to InteractiveBrowserCredential

  • The InteractiveBrowserCredential will use the Auth Code Flow with PKCE rather than Implicit Grant Flow to better support browsers with enhanced security restrictions. Learn how to migrate in the migration guide. Read more about the latest InteractiveBrowserCredential here.
  • The default client ID used for InteractiveBrowserCredential was viable only in Node.js and not for the browser. Therefore, on v2 client ID is a required parameter when using this credential in browser apps.
  • Identity v2 also removes the postLogoutRedirectUri from the options to the constructor for InteractiveBrowserCredential. This option wasn't being used. Instead of using this option, use MSAL directly. For more information, see Authenticating with the @azure/msal-browser Public Client.
  • In Identity v2, VisualStudioCodeCredential throws a CredentialUnavailableError unless the new @azure/identity-vscode plugin is used.

• Standardizing the tracing span names to be <className>.<operationName> over <className>-<operationName>

Breaking Changes from 2.0.0-beta.4

• Removed the allowMultiTenantAuthentication option from all of the credentials. Multi-tenant authentication is now enabled by default. On Node.js, it can be disabled with the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH environment variable.
• Removed support for specific Azure regions on ClientSecretCredential and `ClientCertificateCredential. This feature will be added back on the next beta.

Breaking Changes from 2.0.0-beta.6

• Stopped exporting the ApplicationCredential from the package. This will be re-introduced in the future.
• Removed the CredentialPersistenceOptions from DefaultAzureCredential and EnvironmentCredential.
• Merged the configuration and the options bag on the OnBehalfOfCredential into a single options bag.
• AuthenticationRequiredError (introduced in 2.0.0-beta.1) now has its parameters into a single options bag.
• AuthenticationRequiredError (introduced in 2.0.0-beta.1) now has its parameters in a single options bag, AuthenticationRequiredErrorOptions.
• InteractiveBrowserCredentialOptions has been renamed to InteractiveBrowserCredentialNodeOptions, and InteractiveBrowserCredentialBrowserOptions has been named InteractiveBrowserCredentialInBrowserOptions.

Bugs Fixed

• ClientSecretCredential, ClientCertificateCredential, and UsernamePasswordCredential throw if the required parameters aren't provided (even in JavaScript).
• Fixed a bug that caused AzureCliCredential to fail when a custom tenant ID was provided.
• Caught up with the bug fixes for Azure POD Identity that were implemented on version 1.5.1.

Other Changes

Identity v2 no longer includes native dependencies (neither ordinary, peer, nor optional dependencies). Previous distributions of @azure/identity included an optional dependency on keytar, which caused issues for some users in restrictive environments.

Identity v2 for JavaScript now also depends on the latest available versions of @azure/msal-common, @azure/msal-node, and @azure/msal-browser. Our goal is to always be up-to-date with the MSAL versions.

2.0.0-beta.6 (2021-09-09)

Features Added

• Added the OnBehalfOfCredential, which allows users to authenticate through the On-Behalf-Of authentication flow.
• ManagedIdentityCredential now supports token exchange authentication.

Breaking Changes

• ClientCertificateCredential now evaluates the validity of the PEM certificate path on getToken and not on the constructor.

Breaking Changes from 2.0.0-beta.5

• The property named selectedCredential that was added to ChainedTokenCredential and DefaultAzureCredential has been removed, since customers reported that logging was enough.
• Changed the name of the "extension" API to the "plugin" API to reduce confusion between this package and VS Code extensions. The function useIdentityExtension was renamed to useIdentityPlugin, and "extension packages" are now known as "plugin packages".
• Renamed the allowUnencryptedStorage property of TokenCachePersistenceOptions to unsafeAllowUnencryptedStorage to make it clear that enabling the unencrypted storage feature is not generally safe for production use.

Bugs Fixed

• ClientSecretCredential, ClientCertificateCredential and UsernamePasswordCredential now throw if the required parameters are not provided (even in JavaScript).
• Fixed a bug introduced on 2.0.0-beta.5 that caused the ManagedIdentityCredential to fail authenticating in Arc environments. Since our new core disables unsafe requests by default, we had to change the security settings for the first request of the Arc MSI, which retrieves the file path where the authentication value is stored since this request generally happens through an HTTP endpoint.
• Fixed bug on the AggregateAuthenticationError, which caused an inconsistent error message on the ChainedTokenCredential, DefaultAzureCredential and ApplicationCredential.

Other Changes

• The errors thrown by the ManagedIdentityCredential have been improved.

1.5.2 (2021-09-01)

• Fixed a bug introduced on 1.5.0 that caused the ManagedIdentityCredential to fail authenticating in Arc environments. Since our new core disables unsafe requests by default, we had to change the security settings for the first request of the Arc MSI, which retrieves the file path where the authentication value is stored since this request generally happens through an HTTP endpoint.

1.5.1 (2021-08-12)

• Fixed how we verify the IMDS endpoint is available. Now, besides skipping the Metadata header, we skip the URL query. Both will ensure that all the known IMDS endpoints return as early as possible.
• Added support for the AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable. If present, the IMDS endpoint initial verification will be skipped.

2.0.0-beta.5 (2021-08-10)

Features Added

• This release adds support by default for CP1 client capabilities, enabling all credentials to respond to claims challenges that occur due to insufficient claims. Claims challenges, for example, can occur due to requirements of Continuous Access Enforcement (CAE) and Conditional Access authentication context. You may optionally disable this behavior by setting the environment variable AZURE_IDENTITY_DISABLE_CP1 (to any value). You can read more about client capabilities, CAE, and Conditional Access on the Microsoft Documentation.
• ChainedTokenCredential and DefaultAzureCredential now expose a property named selectedCredential, which will store the selected credential once any of the available credentials succeeds.
• Implementation of ApplicationCredential for use by applications which call into Microsoft Graph APIs and which have issues using DefaultAzureCredential. This credential is based on EnvironmentCredential and ManagedIdentityCredential.

Breaking Changes

These changes do not impact the API of stable versions such as 1.6.0. Only code written against a beta version such as 1.7.0b1 may be affected.

• Renamed AZURE_POD_IDENTITY_TOKEN_URL to AZURE_POD_IDENTITY_AUTHORITY_HOST.

Bugs Fixed

• With this release, we've migrated from using @azure/core-http to @azure/core-rest-pipeline for the handling of HTTP requests. See Azure Core v1 vs v2 for more on the difference and benefits of the move. This removes our dependency on node-fetch and along with it issues we have seen in using this dependency in specific environments like Kubernetes pods.

1.5.0 (2021-07-19)

• With this release, we've migrated from using @azure/core-http to @azure/core-rest-pipeline for the handling of HTTP requests. See Azure Core v1 vs v2 for more on the difference and benefits of the move. This removes our dependency on node-fetch and along with it issues we have seen in using this dependency in specific environments like Kubernetes pods.

1.4.0 (2021-07-09)

• With this release, we drop support for Node.js versions that have reached the end of life, like Node.js 8. Read our support policy for more details.
• Updated the default timeout of the first request of the IMDS MSI from half a second to three seconds to compensate for the slowness caused by node-fetch for initial requests in specific environments, like Kubernetes pods.

• Upgraded @azure/core-http to version ^2.0.0, and @azure/core-tracing to version 1.0.0-preview.12.

• Upgraded the AuthorizationCodeCredential to use the latest @azure/msal-node.

2.0.0-beta.4 (2021-07-07)

Features Added

• With the dropping of support for Node.js versions that are no longer in LTS, the dependency on @types/node has been updated to version 12. Read our support policy for more details.
• Introduced an extension API through a top-level method useIdentityExtension. The function accepts an "extension" as an argument, which is a function accepting a context. The extension context is an internal part of the Azure Identity API, so it has an unknown type. Two new packages are designed to be used with this API:
  • @azure/identity-vscode, which provides the dependencies of VisualStudioCodeCredential and enables it (see more below).
  • @azure/identity-cache-persistence, which provides persistent token caching (same as was available in version 2.0.0-beta.2, but now provided through a secondary extension package).
• Reintroduced a stub implementation of VisualStudioCodeCredential. If the @azure/identity-vscode extension is not used, then it will throw a CredentialUnavailableError (similar to how it previously behaved if the keytar package was not installed). The extension now provides the underlying implementation of VisualStudioCodeCredential through dependency injection.
• Reintroduced the TokenCachePersistenceOptions property on most credential constructor options. This property must be present with an enabled property set to true to enable persistent token caching for a credential instance. Credentials that do not support persistent token caching do not have this property.
• Added support to ManagedIdentityCredential for Bridge to Kubernetes local development authentication.
• Enabled PKCE on InteractiveBrowserCredential for Node.js. Proof Key for Code Exchange (PKCE) is a security feature that mitigates authentication code interception attacks.
• Added LoginHint property to InteractiveBrowserCredentialOptions which allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
• Added regional STS support to client credential types.
  • Added the RegionalAuthority type, that allows specifying Azure regions.
  • Added regionalAuthority property to ClientSecretCredentialOptions and ClientCertificateCredentialOptions.
  • If instead of a region, AutoDiscoverRegion is specified as the value for regionalAuthority, MSAL will be used to attempt to discover the region.
  • A region can also be specified through the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
• AzureCliCredential and AzurePowerShellCredential now allow specifying a tenantId.
• All credentials except ManagedIdentityCredential support enabling multi tenant authentication via the allowMultiTenantAuthentication option.

Breaking Changes

• Removed the protected method getAzureCliAccessToken from the public API of the AzureCliCredential. While it will continue to be available as part of v1, we won't be supporting this method as part of v2's public API.

Key Bugs Fixed

• Fixed an issue in which InteractiveBrowserCredential on Node would sometimes cause the process to not respond if there was no browser available.
• Fixed an issue in which the AZURE_AUTHORITY_HOST environment variable was not properly picked up in Node.js.

2.0.0-beta.3 (2021-05-12)

New features

• Azure Identity for JavaScript no longer carries any native dependencies (neither ordinary, peer, nor optional dependencies). Previous distributions of @azure/identity carried an optional dependency on keytar, which caused issues for some users in restrictive environments.
• Updated the @azure/msal-node dependency to version ^1.0.2, which allows cancelling of an ongoing getToken() operation on DeviceCodeCredential.
• Fixed issue with the logging of success messages on the DefaultAzureCredential and the ChainedTokenCredential. These messages will now mention the internal credential that succeeded.
• AuthenticationRequiredError (introduced in 2.0.0-beta.1) now has the same impact on ChainedTokenCredential as the CredentialUnavailableError which is to allow the next credential in the chain to be tried.
• ManagedIdentityCredential now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
• Added an AzurePowerShellCredential which will use the authenticated user session from the Az.Account PowerShell module. This credential will attempt to use PowerShell Core by calling pwsh, and on Windows it will fall back to Windows PowerShell (powershell) if PowerShell Core is not available.

Breaking changes from 2.0.0-beta.1

• Removed VisualStudioCodeCredential, since it requires us to list keytar as an optional dependency. keytar contains machine-code components that are difficult to build in certain environments, so this credential will be offered through a separate extension package in the future.
• Removed token persistence through @azure/msal-node-extensions, as its machine-code components have the same problems as keytar. This functionality will similarly be reintroduced through a separate extension package in the future.
• Removed authenticationRecord, disableAutomaticAuthentication and authenticate() from the credential UsernamePasswordCredential. While MSAL does support this, allowing authenticationRecord arguably could result in users authenticating through an account other than the one they're specifying with the username and the password.

2.0.0-beta.2 (2021-04-06)

• Breaking change: Renamed errors CredentialUnavailable to CredentialUnavailableError, and AuthenticationRequired to AuthenticationRequiredError, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
• Added clientId to the AuthenticationRecord type, alongsides the tenantId that this interface already had. Together they can be used to re-authenticate after recovering a previously serialized AuthenticationRecord.
• The serialize() method on the AuthenticationRecord object that allows an authenticated account to be stored as a string and re-used in another credential at any time, is removed in favor of a standalone function serializeAuthenticationRecord similar to how we have the deserializeAuthenticationRecord function.
• serializeAuthenticationRecord now serializes into a JSON string with camel case properties. This makes it re-usable across languages.
• Removed the interface PersistentCredentialOptions (introduced in 2.0.0-beta.1) and instead inlined the options for the persistent cache feature in the options of individual credentials.
• Added properties scopes and getTokenOptions to the AuthenticationRequired error. These properties hold the values used by the getToken() method on your credential to fetch the access token. You should pass these to the authenticate() method on your credential if you wanted to do manual authentication after catching the AuthenticationRequired error.
• InteractiveBrowserCredential no longer supports Implicit Grant Flow and will only support Auth Code Flow instead. Therefore the flow option introduced in 1.2.4-beta.1 has been removed. More information from the documentation on Implicit Grant Flow:

With the plans for third party cookies to be removed from browsers, the implicit grant flow is no longer a suitable authentication method. The silent SSO features of the implicit flow do not work without third party cookies, causing applications to break when they attempt to get a new token. We strongly recommend that all new applications use the authorization code flow that now supports single page apps in place of the implicit flow, and that existing single page apps begin migrating to the authorization code flow as well.

1.3.0 (2021-04-05)

Tracing Changes

• Updated @azure/core-tracing to version 1.0.0-preview.11. See @azure/core-tracing CHANGELOG for details about breaking changes with tracing.

2.0.0-beta.1 (2021-03-24)

This update marks the preview for the first major version update of the @azure/identity package since the first stable version was released in October, 2019. This is mainly driven by the improvements we are making for the InteractiveBrowserCredential when used in browser applications by updating it to use the new @azure/msal-browser which is replacing the older msal package.

Breaking changes

• Changes to InteractiveBrowserCredential
  • When used in browser applications, the InteractiveBrowserCredential has been updated to use the Auth Code Flow with PKCE rather than Implicit Grant Flow by default to better support browsers with enhanced security restrictions. Please note that this credential always used the Auth Code Flow when used in Node.js applications. Read more on this in our docs on Interactive Browser Credential.
  • The default client ID used for InteractiveBrowserCredential was viable only in Node.js and not for the browser. Therefore, client Id is now a required parameter when constructing this credential in browser applications.
  • The loginStyle and flow options to the constructor for InteractiveBrowserCredential will now show up only when used in browser applications as these were never applicable to Node.js
  • Removed the postLogoutRedirectUri from the options to the constructor for InteractiveBrowserCredential. This option was not being used since we don't have a way for users to log out yet.
• When a token is not available, some credentials had the promise returned by the getToken method resolve with null, others had the getToken method throw the CredentialUnavailable error. This behavior is now made consistent across all credentials to throw the CredentialUnavailable error.
  • This change has no bearing on the user if all they ever did was create the credentials and pass it to the Azure SDKs.
  • This change affects only those users who called the getToken() method directly and did not handle resulting errors.
• The constructor for DeviceCodeCredential always had multiple optional parameters and no required ones. As per our guidelines, this has now been simplified to take a single optional bag of parameters.

New features

• Changes to InteractiveBrowserCredential, DeviceCodeCredential, ClientSecretCredential, ClientCertificateCredential and UsernamePasswordCredential:
  • Migrated to use the latest MSAL. This update improves caching of tokens, significantly reducing the number of network requests.
  • Added the feature of persistence caching of credentials. This is driven by the new tokenCachePersistenceOptions option available in the options you pass to the credential constructors.
    • For now, to use this feature, users will need to install @azure/msal-node-extensions 1.0.0-alpha.6 on their own. This experience will be improved in the next update.
    • This feature uses DPAPI on Windows, it tries to use the Keychain on OSX and the Keyring on Linux.
    • To learn more on the usage, please refer to our docs on the TokenCachePersistenceOptions interface.
    • IMPORTANT: As part of this beta, this feature is only supported in Node 10, 12 and 14.
• Changes to InteractiveBrowserCredential and DeviceCodeCredential:
  • You can now control when the credential requests user input with the new disableAutomaticAuthentication option added to the options you pass to the credential constructors.
    • When enabled, this option stops the getToken() method from requesting user input in case the credential is unable to authenticate silently.
    • If getToken() fails to authenticate without user interaction, and disableAutomaticAuthentication has been set to true, a new error will be thrown: AuthenticationRequired. You may use this error to identify scenarios when manual authentication needs to be triggered (with authenticate(), as described in the next point).
  • A new method authenticate() is added to these credentials which is similar to getToken(), but it does not read the disableAutomaticAuthentication option described above.
    • Use this to get an AuthenticationRecord which you can then use to create new credentials that will re-use the token information.
    • The AuthenticationRecord object has a serialize() method that allows an authenticated account to be stored as a string and re-used in another credential at any time. Use the new helper function deserializeAuthenticationRecord to de-serialize this string.
    • authenticate() might succeed and still return undefined if we're unable to pick just one account record from the cache. This might happen if the cache is being used by more than one credential, or if multiple users have authenticated using the same Client ID and Tenant ID. To ensure consistency on a program with many users, please keep track of the AuthenticationRecord and provide them in the constructors of the credentials on initialization.

Other changes

• Updated the @azure/msal-node dependency to ^1.0.0.
• DefaultAzureCredential's implementation for browsers is simplified to throw the BrowserNotSupportedError in its constructor. Previously, we relied on getting the same error from trying to instantiate the different credentials that DefaultAzureCredential supports in Node.js.
  • As before, please use only the InteractiveBrowserCredential in your browser applications.
• For the InteractiveBrowserCredential for node, replaced the use of the express module with a native http server for Node, shrinking the resulting identity module considerably.

1.2.4 (2021-03-08)

This release doesn't have the changes from 1.2.4-beta.1.

• Bug fix: Now if the managedIdentityClientId optional parameter is provided to DefaultAzureCredential, it will be properly passed through to the underlying ManagedIdentityCredential. Related to customer issue: 13872.
• Bug fix: ManagedIdentityCredential now also properly handles EHOSTUNREACH errors. Fixes issue 13894.

1.2.4-beta.1 (2021-02-12)

• Breaking Change: Updated InteractiveBrowserCredential to use the Auth Code Flow with PKCE rather than Implicit Grant Flow by default in the browser, to better support browsers with enhanced security restrictions. A new file was added to provide more information about this credential here.

1.2.3 (2021-02-09)

• Fixed Azure Stack support for the Node.js version of the InteractiveBrowserCredential. Fixes issue 11220.
• The 'keytar' dependency has been updated to the latest version.
• No longer overrides global Axios defaults. This includes an update in @azure/identity's source, and an update of the @azure/msal-node dependency. Fixes issue 13343.

1.2.2 (2021-01-12)

• Upgrading to the msal-node dependency due to a severe vulnerability in Axios. Link to the documented vulnerability: link. Fixes issue 13088.

1.2.1 (2021-01-07)

• Upgrading to Axios 0.21.1 due to a severe vulnerability in Axios. Link to the documented vulnerability: link. Fixes issue 13088.

1.2.0 (2020-11-11)

Changes since 1.1.*

• With 1.2, we've added support for Azure Arc to our Managed Identity credential.
• We've also added an Interactive Browser credential for Node, which spawns the user's browser and connects via a browser-based auth code flow. This is powered by the Microsoft Authentication Library (MSAL)
• We've moved DeviceCodeCredential to also use the Microsoft Authentication Library (MSAL)
• Identity now supports Subject Name/Issuer (SNI) as part of authentication for ClientCertificateCredential.
• Added Active Directory Federation Services authority host support to the node credentials.
• ManagedIdentityCredential has been aligned with other languages, and now treats expected errors properly.
• Added support for multiple clouds on VisualStudioCodeCredential.

Changes since the latest 1.2-beta

• ManagedIdentityCredential now only checks for available MSIs once per class instance.
• ManagedIdentityCredential now supports Azure Arc environments.
• ManagedIdentityCredential now supports Azure Service Fabric environments.
• Added authority host for multiple clouds on VisualStudioCodeCredential, and specified AzureCloud as the default cloud name.
• DeviceCodeCredential now has both of its constructor parameters, tenantId and clientId, as optional parameters. The default value of tenantId is "organizations", and the Azure CLI's client ID is the default value of clientId.
• We've removed the persistent cache support from the previous beta.

1.2.0-beta.2 (2020-10-06)

• DeviceCodeCredential now by default shows the Device Code message on the console. This can still be overwritten with a custom behavior by specifying a function as the third parameter, userPromptCallback.
• Added support for multiple clouds on VisualStudioCodeCredential. Fixes customer issue 11452.
• ManagedIdentityCredential has been aligned with other languages, now treating expected errors properly. This fixes customer issue 11451.
• InteractiveBrowserCredential authentication now uses the silent flow if the user provides a cache and authentication record for lookup.
• Added Active Directory Federation Services authority host support to the node credentials.
• Reverted a change in 1.2.0-beta.1 which moved @rollup/plugin-json from devDependencies to dependencies. @rollup/plugin-json was placed as a dependency due to an oversight, and it is not a necessary dependency for @azure/identity.

1.2.0-beta.1 (2020-09-08)

• A new InteractiveBrowserCredential for node which will spawn a web server, start a web browser, and allow the user to interactively authenticate with the browser.
• With 1.2.0-beta.1, Identity will now use MSAL to perform authentication. With this beta, DeviceCodeCredential and a new InteractiveBrowserCredential for node are powered by MSAL.
• Identity now supports Subject Name/Issuer (SNI) as part of authentication for ClientCertificateCredential
• Upgraded App Services MSI API version

1.1.0 (2020-08-11)

Changes since 1.0.*

• With 1.1.0, new developer credentials are now available: VisualStudioCodeCredential and AzureCliCredential.
  • VisualStudioCodeCredential allows developers to log into Azure using the credentials available after logging in through the Azure Account extension in Visual Studio Code.
  • AzureCliCredential allows developers to log into Azure using the login credentials after an "az login" call.
• Both VisualStudioCodeCredential and AzureCliCredential may be used directly or indirectly as part of DefaultAzureCredential.
• Added the ability to configure the Managed Identity with a user-assigned client ID via a new option available in the DefaultAzureCredential constructor options: managedIdentityClientId.
• Made a list of known authorities is now available via a new top-level constant: AzureAuthorityHosts.
• Introduced the CredentialUnavailable error, which allows developers to differentiate between a credential not being available and an error happening during authentication.

Changes since the latest 1.1-preview

• Renamed the VSCodeCredential to VisualStudioCodeCredential, and its options parameter from VSCodeCredentialOptions to VisualStudioCodeCredentialOptions.
• Tenant information is now loaded from the Visual Studio Code settings file when the VisualStudioCodeCredential is used.
• Added managedIdentityClientId to optionally pass in a user-assigned client ID for the ManagedIdentityCredential.

1.1.0-preview.5 (2020-07-22)

• Make the keytar dependency optional, allowing for building and running on platforms not supported by keytar PR #10142
• DefaultAzureCredential and VSCodeCredential can now take a tenant id as part of the options object
• KnownAuthorityHosts has been renamed to AzureAuthorityHosts

1.1.0-preview.4 (2020-06-09)

• Switch to using CredentialUnavailable to differentiate from expected and unexpected errors during DefaultAzureCredential startup. PR #8172
• Make all developer credentials public as well as the list used by DefaultAzureCredential PR #9274

1.1.0-preview.3 (2020-05-05)

• Add ability to read AZURE_AUTHORITY_HOST from environment (PR #8226 PR #8343)
• Update to OpenTelemetry 0.6 (PR #7998)
• Set expires_on at a higher precedence for IMDS (PR #8591)

1.1.0-preview.2 (2020-04-07)

• Make KnownAuthorityHosts constants available
• Extended DefaultAzureCredential with an experimental credential that uses the login credential from VSCode's Azure Account extension

1.1.0-preview1 (2020-03-10)

• Extended DefaultAzureCredential with an experimental credential that uses the login credential from Azure CLI
• Fix tracing to set correct span attributes (PR #6565).

1.0.2 (2019-12-03)

• Fixed an issue where an authorization error occurs due to wrong access token being returned by the MSI endpoint when using a user-assigned managed identity with ManagedIdentityCredential (PR #6134)
• Fixed an issue in EnvironmentCredential where authentication silently fails when one or more of the expected environment variables is not present (PR #6313)
• Updated to use OpenTelemetry 0.2 via @azure/core-tracing

1.0.0 (2019-10-29)

• This release marks the general availability of the @azure/identity package.
• EnvironmentCredential now looks for additional environment variables: (PR #5743)
  • AZURE_CLIENT_CERTIFICATE_PATH to configure ClientCertificateCredential
  • AZURE_USERNAME and AZURE_PASSWORD to configure UsernamePasswordCredential
• GetTokenOptions now extends the interface OperationOptions (PR #5899)
• TokenCredentialOptions now extends the interface PipelineOptions (PR #5711)
• Renamed IdentityClientOptions to TokenCredentialOptions (PR #5797)
• Removed the browser bundle. A browser-compatible library can still be created through the use of a bundler such as Rollup, Webpack, or Parcel (PR #5863)

1.0.0-preview.6 (2019-10-22)

• Renamed DeviceCodeDetails to DeviceCodeInfo and improved casing of the fields in the ErrorResponse type (PR #5662)
• Improved the constructor signatures for AuthorizationCodeCredential, DeviceCodeCredential, InteractiveBrowserCredential and managedIdentityCredential so that it's clearer which parameters are optional and what additional values they accept (PR #5668)
• Added logging for authentication flows via the new @azure/logger package (PR #5611)
• Fixed an issue in DeviceCodeCredential where an unexpected authentication error could cause an infinite polling loop (PR #5430)
• Improved the details that appear in the AggregateAuthenticationError (PR #5409)

1.0.0-preview.5 (2019-10-08)

• Update @azure/core-tracing dependency to resolve an issue when running in Internet Explorer 11 (PR #5472)

1.0.0-preview.4 (2019-10-07)

• Introduced the AuthorizationCodeCredential for performing the authorization code flow with AAD (PR #5356)
• Fixed an issue preventing the ManagedIdentityCredential from working inside of Azure Function Apps (PR #5144)
• Added tracing to IdentityClient and credential implementations (PR #5283)
• Improved the exception message for AggregateAuthenticationError so that errors thrown from DefaultAzureCredential are now more actionable (PR #5409)

1.0.0-preview.3 (2019-09-09)

• Fixed a ping timeout issue. The timeout is now configurable. (PR #4941)
• Fixed IMDS endpoint detection false positive (PR #4909)

1.0.0-preview.2 (2019-08-05)

• Introduced the following credential types:
  • DeviceCodeCredential.
  • InteractiveBrowserCredential.
  • UsernamePasswordCredential.
• This library can now be used in the browser! The following credential types supported in browser builds:
  • ClientSecretCredential.
  • UsernamePasswordCredential.
  • InteractiveBrowserCredential.

1.0.0-preview.1 (2019-06-27)

For release notes and more information please visit https://aka.ms/azsdk/releases/july2019preview

• Introduced the following credential types:
  • DefaultAzureCredential.
  • EnvironmentCredential.
  • ManagedIdentityCredential.
  • ClientSecretCredential.
  • ClientCertificateCredential.
  • ChainedTokenCredential.