CHANGELOG.md

Release History

2.0.0-beta.7 (Unreleased)

Features Added

Breaking Changes

Bugs Fixed

Other Changes

2.0.0-beta.6 (2021-09-09)

Features Added

• Added the OnBehalfOfCredential, which allows users to authenticate through the On-Behalf-Of authentication flow.
• ManagedIdentityCredential now supports token exchange authentication.

Breaking Changes

• ClientCertificateCredential now evaluates the validity of the PEM certificate path on getToken and not on the constructor.

Breaking Changes from 2.0.0-beta.5

• The property named selectedCredential that was added to ChainedTokenCredential and DefaultAzureCredential has been removed, since customers reported that logging was enough.
• Changed the name of the "extension" API to the "plugin" API to reduce confusion between this package and VS Code extensions. The function useIdentityExtension was renamed to useIdentityPlugin, and "extension packages" are now known as "plugin packages".
• Renamed the allowUnencryptedStorage property of TokenCachePersistenceOptions to unsafeAllowUnencryptedStorage to make it clear that enabling the unencrypted storage feature is not generally safe for production use.

Bugs Fixed

• ClientSecretCredential, ClientCertificateCredential and UsernamePasswordCredential now throw if the required parameters are not provided (even in JavaScript).
• Fixed a bug introduced on 2.0.0-beta.5 that caused the ManagedIdentityCredential to fail authenticating in Arc environments. Since our new core disables unsafe requests by default, we had to change the security settings for the first request of the Arc MSI, which retrieves the file path where the authentication value is stored since this request generally happens through an HTTP endpoint.
• Fixed bug on the AggregateAuthenticationError, which caused an inconsistent error message on the ChainedTokenCredential, DefaultAzureCredential and ApplicationCredential.

Other Changes

• The errors thrown by the ManagedIdentityCredential have been improved.

2.0.0-beta.5 (2021-08-10)

Features Added

• This release adds support by default for CP1 client capabilities, enabling all credentials to respond to claims challenges that occur due to insufficient claims. Claims challenges, for example, can occur due to requirements of Continuous Access Enforcement (CAE) and Conditional Access authentication context. You may optionally disable this behavior by setting the environment variable AZURE_IDENTITY_DISABLE_CP1 (to any value). You can read more about client capabilities, CAE, and Conditional Access on the Microsoft Documentation.
• ChainedTokenCredential and DefaultAzureCredential now expose a property named selectedCredential, which will store the selected credential once any of the available credentials succeeds.
• Implementation of ApplicationCredential for use by applications which call into Microsoft Graph APIs and which have issues using DefaultAzureCredential. This credential is based on EnvironmentCredential and ManagedIdentityCredential.

Breaking Changes

These changes do not impact the API of stable versions such as 1.6.0. Only code written against a beta version such as 1.7.0b1 may be affected.

• Renamed AZURE_POD_IDENTITY_TOKEN_URL to AZURE_POD_IDENTITY_AUTHORITY_HOST.

Bugs Fixed

• With this release, we've migrated from using @azure/core-http to @azure/core-rest-pipeline for the handling of HTTP requests. See Azure Core v1 vs v2 for more on the difference and benefits of the move. This removes our dependency on node-fetch and along with it issues we have seen in using this dependency in specific environments like Kubernetes pods.

1.5.2 (2021-09-01)

• Fixed a bug introduced on 1.5.0 that caused the ManagedIdentityCredential to fail authenticating in Arc environments. Since our new core disables unsafe requests by default, we had to change the security settings for the first request of the Arc MSI, which retrieves the file path where the authentication value is stored since this request generally happens through an HTTP endpoint.

1.5.1 (2021-08-12)

• Fixed how we verify the IMDS endpoint is available. Now, besides skipping the Metadata header, we skip the URL query. Both will ensure that all the known IMDS endpoints return as early as possible.
• Added support for the AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable. If present, the IMDS endpoint initial verification will be skipped.

1.5.0 (2021-07-19)

• With this release, we've migrated from using @azure/core-http to @azure/core-rest-pipeline for the handling of HTTP requests. See Azure Core v1 vs v2 for more on the difference and benefits of the move. This removes our dependency on node-fetch and along with it issues we have seen in using this dependency in specific environments like Kubernetes pods.

1.4.0 (2021-07-09)

• With this release, we drop support for Node.js versions that have reached the end of life, like Node.js 8. Read our support policy for more details.

• Updated the default timeout of the first request of the IMDS MSI from half a second to three seconds to compensate for the slowness caused by node-fetch for initial requests in specific environments, like Kubernetes pods.

• Upgraded @azure/core-http to version ^2.0.0, and @azure/core-tracing to version 1.0.0-preview.12.

• Upgraded the AuthorizationCodeCredential to use the latest @azure/msal-node.

2.0.0-beta.4 (2021-07-07)

Features Added

• With the dropping of support for Node.js versions that are no longer in LTS, the dependency on @types/node has been updated to version 12. Read our support policy for more details.
• Introduced an extension API through a top-level method useIdentityExtension. The function accepts an "extension" as an argument, which is a function accepting a context. The extension context is an internal part of the Azure Identity API, so it has an unknown type. Two new packages are designed to be used with this API:
  • @azure/identity-vscode, which provides the dependencies of VisualStudioCodeCredential and enables it (see more below).
  • @azure/identity-cache-persistence, which provides persistent token caching (same as was available in version 2.0.0-beta.2, but now provided through a secondary extension package).
• Reintroduced a stub implementation of VisualStudioCodeCredential. If the @azure/identity-vscode extension is not used, then it will throw a CredentialUnavailableError (similar to how it previously behaved if the keytar package was not installed). The extension now provides the underlying implementation of VisualStudioCodeCredential through dependency injection.
• Reintroduced the TokenCachePersistenceOptions property on most credential constructor options. This property must be present with an enabled property set to true to enable persistent token caching for a credential instance. Credentials that do not support persistent token caching do not have this property.
• Added support to ManagedIdentityCredential for Bridge to Kubernetes local development authentication.
• Enabled PKCE on InteractiveBrowserCredential for Node.js. Proof Key for Code Exchange (PKCE) is a security feature that mitigates authentication code interception attacks.
• Added LoginHint property to InteractiveBrowserCredentialOptions which allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
• Added regional STS support to client credential types.
  • Added the RegionalAuthority type, that allows specifying Azure regions.
  • Added regionalAuthority property to ClientSecretCredentialOptions and ClientCertificateCredentialOptions.
  • If instead of a region, AutoDiscoverRegion is specified as the value for regionalAuthority, MSAL will be used to attempt to discover the region.
  • A region can also be specified through the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
• AzureCliCredential and AzurePowerShellCredential now allow specifying a tenantId.
• All credentials except ManagedIdentityCredential support enabling multi tenant authentication via the allowMultiTenantAuthentication option.

Breaking Changes

• Removed the protected method getAzureCliAccessToken from the public API of the AzureCliCredential. While it will continue to be available as part of v1, we won't be supporting this method as part of v2's public API.

Key Bugs Fixed

• Fixed an issue in which InteractiveBrowserCredential on Node would sometimes cause the process to hang if there was no browser available.
• Fixed an issue in which the AZURE_AUTHORITY_HOST environment variable was not properly picked up in Node.js.

2.0.0-beta.3 (2021-05-12)

New features

• Azure Identity for JavaScript no longer carries any native dependencies (neither ordinary, peer, nor optional dependencies). Previous distributions of @azure/identity carried an optional dependency on keytar, which caused issues for some users in restrictive environments.
• Updated the @azure/msal-node dependency to version ^1.0.2, which allows cancelling of an ongoing getToken() operation on DeviceCodeCredential.
• Fixed issue with the logging of success messages on the DefaultAzureCredential and the ChainedTokenCredential. These messages will now mention the internal credential that succeeded.
• AuthenticationRequiredError (introduced in 2.0.0-beta.1) now has the same impact on ChainedTokenCredential as the CredentialUnavailableError which is to allow the next credential in the chain to be tried.
• ManagedIdentityCredential now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
• Added an AzurePowerShellCredential which will use the authenticated user session from the Az.Account PowerShell module. This credential will attempt to use PowerShell Core by calling pwsh, and on Windows it will fall back to Windows PowerShell (powershell) if PowerShell Core is not available.

Breaking changes from 2.0.0-beta.1

• Removed VisualStudioCodeCredential, since it requires us to list keytar as an optional dependency. keytar contains machine-code components that are difficult to build in certain environments, so this credential will be offered through a separate extension package in the future.
• Removed token persistence through @azure/msal-node-extensions, as its machine-code components have the same problems as keytar. This functionality will similarly be reintroduced through a separate extension package in the future.
• Removed authenticationRecord, disableAutomaticAuthentication and authenticate() from the credential UsernamePasswordCredential. While MSAL does support this, allowing authenticationRecord arguably could result in users authenticating through an account other than the one they're specifying with the username and the password.

2.0.0-beta.2 (2021-04-06)

• Breaking change: Renamed errors CredentialUnavailable to CredentialUnavailableError, and AuthenticationRequired to AuthenticationRequiredError, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
• Added clientId to the AuthenticationRecord type, alongsides the tenantId that this interface already had. Together they can be used to re-authenticate after recovering a previously serialized AuthenticationRecord.
• The serialize() method on the AuthenticationRecord object that allows an authenticated account to be stored as a string and re-used in another credential at any time, is removed in favor of a standalone function serializeAuthenticationRecord similar to how we have the deserializeAuthenticationRecord function.
• serializeAuthenticationRecord now serializes into a JSON string with camel case properties. This makes it re-usable across languages.
• Removed the interface PersistentCredentialOptions (introduced in 2.0.0-beta.1) and instead inlined the options for the persistent cache feature in the options of individual credentials.
• Added properties scopes and getTokenOptions to the AuthenticationRequired error. These properties hold the values used by the getToken() method on your credential to fetch the access token. You should pass these to the authenticate() method on your credential if you wanted to do manual authentication after catching the AuthenticationRequired error.
• InteractiveBrowserCredential no longer supports Implicit Grant Flow and will only support Auth Code Flow instead. Therefore the flow option introduced in 1.2.4-beta.1 has been removed. More information from the documentation on Implicit Grant Flow:

With the plans for third party cookies to be removed from browsers, the implicit grant flow is no longer a suitable authentication method. The silent SSO features of the implicit flow do not work without third party cookies, causing applications to break when they attempt to get a new token. We strongly recommend that all new applications use the authorization code flow that now supports single page apps in place of the implicit flow, and that existing single page apps begin migrating to the authorization code flow as well.

1.3.0 (2021-04-05)

Tracing Changes

• Updated @azure/core-tracing to version 1.0.0-preview.11. See @azure/core-tracing CHANGELOG for details about breaking changes with tracing.

2.0.0-beta.1 (2021-03-24)

This update marks the preview for the first major version update of the @azure/identity package since the first stable version was released in October, 2019. This is mainly driven by the improvements we are making for the InteractiveBrowserCredential when used in browser applications by updating it to use the new @azure/msal-browser which is replacing the older msal package.

Breaking changes

• Changes to InteractiveBrowserCredential
  • When used in browser applications, the InteractiveBrowserCredential has been updated to use the Auth Code Flow with PKCE rather than Implicit Grant Flow by default to better support browsers with enhanced security restrictions. Please note that this credential always used the Auth Code Flow when used in Node.js applications. Read more on this in our docs on Interactive Browser Credential.
  • The default client ID used for InteractiveBrowserCredential was viable only in Node.js and not for the browser. Therefore, client Id is now a required parameter when constructing this credential in browser applications.
  • The loginStyle and flow options to the constructor for InteractiveBrowserCredential will now show up only when used in browser applications as these were never applicable to Node.js
  • Removed the postLogoutRedirectUri from the options to the constructor for InteractiveBrowserCredential. This option was not being used since we don't have a way for users to log out yet.
• When a token is not available, some credentials had the promise returned by the getToken method resolve with null, others had the getToken method throw the CredentialUnavailable error. This behavior is now made consistent across all credentials to throw the CredentialUnavailable error.
  • This change has no bearing on the user if all they ever did was create the credentials and pass it to the Azure SDKs.
  • This change affects only those users who called the getToken() method directly and did not handle resulting errors.
• The constructor for DeviceCodeCredential always had multiple optional parameters and no required ones. As per our guidelines, this has now been simplified to take a single optional bag of parameters.

New features

• Changes to InteractiveBrowserCredential, DeviceCodeCredential, ClientSecretCredential, ClientCertificateCredential and UsernamePasswordCredential:
  • Migrated to use the latest MSAL. This update improves caching of tokens, significantly reducing the number of network requests.
  • Added the feature of persistence caching of credentials. This is driven by the new tokenCachePersistenceOptions option available in the options you pass to the credential constructors.
    • For now, to use this feature, users will need to install @azure/msal-node-extensions 1.0.0-alpha.6 on their own. This experience will be improved in the next update.
    • This feature uses DPAPI on Windows, it tries to use the Keychain on OSX and the Keyring on Linux.
    • To learn more on the usage, please refer to our docs on the TokenCachePersistenceOptions interface.
    • IMPORTANT: As part of this beta, this feature is only supported in Node 10, 12 and 14.
• Changes to InteractiveBrowserCredential, DeviceCodeCredential, and UsernamePasswordCredential:
  • You can now control when the credential requests user input with the new disableAutomaticAuthentication option added to the options you pass to the credential constructors.
    • When enabled, this option stops the getToken() method from requesting user input in case the credential is unable to authenticate silently.
    • If getToken() fails to authenticate without user interaction, and disableAutomaticAuthentication has been set to true, a new error will be thrown: AuthenticationRequired. You may use this error to identify scenarios when manual authentication needs to be triggered (with authenticate(), as described in the next point).
  • A new method authenticate() is added to these credentials which is similar to getToken(), but it does not read the disableAutomaticAuthentication option described above.
    • Use this to get an AuthenticationRecord which you can then use to create new credentials that will re-use the token information.
    • The AuthenticationRecord object has a serialize() method that allows an authenticated account to be stored as a string and re-used in another credential at any time. Use the new helper function deserializeAuthenticationRecord to de-serialize this string.
    • authenticate() might succeed and still return undefined if we're unable to pick just one account record from the cache. This might happen if the cache is being used by more than one credential, or if multiple users have authenticated using the same Client ID and Tenant ID. To ensure consistency on a program with many users, please keep track of the AuthenticationRecord and provide them in the constructors of the credentials on initialization.

Other changes

• Updated the @azure/msal-node dependency to ^1.0.0.
• DefaultAzureCredential's implementation for browsers is simplified to throw the BrowserNotSupportedError in its constructor. Previously, we relied on getting the same error from trying to instantiate the different credentials that DefaultAzureCredential supports in Node.js.
  • As before, please use only the InteractiveBrowserCredential in your browser applications.
• For the InteractiveBrowserCredential for node, replaced the use of the express module with a native http server for Node, shrinking the resulting identity module considerably.

1.2.4 (2021-03-08)

This release doesn't have the changes from 1.2.4-beta.1.

• Bug fix: Now if the managedIdentityClientId optional parameter is provided to DefaultAzureCredential, it will be properly passed through to the underlying ManagedIdentityCredential. Related to customer issue: 13872.
• Bug fix: ManagedIdentityCredential now also properly handles EHOSTUNREACH errors. Fixes issue 13894.

1.2.4-beta.1 (2021-02-12)

• Breaking Change: Updated InteractiveBrowserCredential to use the Auth Code Flow with PKCE rather than Implicit Grant Flow by default in the browser, to better support browsers with enhanced security restrictions. A new file was added to provide more information about this credential here.

1.2.3 (2021-02-09)

• Fixed Azure Stack support for the Node.js version of the InteractiveBrowserCredential. Fixes issue 11220.
• The 'keytar' dependency has been updated to the latest version.
• No longer overrides global Axios defaults. This includes an update in @azure/identity's source, and an update of the @azure/msal-node dependency. Fixes issue 13343.

1.2.2 (2021-01-12)

• Upgrading to the msal-node dependency due to a severe vulnerability in Axios. Link to the documented vulnerability: link. Fixes issue 13088.

1.2.1 (2021-01-07)

• Upgrading to Axios 0.21.1 due to a severe vulnerability in Axios. Link to the documented vulnerability: link. Fixes issue 13088.

1.2.0 (2020-11-11)

Changes since 1.1.*

• With 1.2, we've added support for Azure Arc to our Managed Identity credential.
• We've also added an Interactive Browser credential for Node, which spawns the user's browser and connects via a browser-based auth code flow. This is powered by the Microsoft Authentication Library (MSAL)
• We've moved DeviceCodeCredential to also use the Microsoft Authentication Library (MSAL)
• Identity now supports Subject Name/Issuer (SNI) as part of authentication for ClientCertificateCredential.
• Added Active Directory Federation Services authority host support to the node credentials.
• ManagedIdentityCredential has been aligned with other languages, and now treats expected errors properly.
• Added support for multiple clouds on VisualStudioCodeCredential.

Changes since the latest 1.2-beta

• ManagedIdentityCredential now only checks for available MSIs once per class instance.
• ManagedIdentityCredential now supports Azure Arc environments.
• ManagedIdentityCredential now supports Azure Service Fabric environments.
• Added authority host for multiple clouds on VisualStudioCodeCredential, and specified AzureCloud as the default cloud name.
• DeviceCodeCredential now has both of its constructor parameters, tenantId and clientId, as optional parameters. The default value of tenantId is "organizations", and the Azure CLI's client ID is the default value of clientId.
• We've removed the persistent cache support from the previous beta.

1.2.0-beta.2 (2020-10-06)

• DeviceCodeCredential now by default shows the Device Code message on the console. This can still be overwritten with a custom behavior by specifying a function as the third parameter, userPromptCallback.
• Added support for multiple clouds on VisualStudioCodeCredential. Fixes customer issue 11452.
• ManagedIdentityCredential has been aligned with other languages, now treating expected errors properly. This fixes customer issue 11451.
• InteractiveBrowserCredential authentication now uses the silent flow if the user provides a cache and authentication record for lookup.
• Added Active Directory Federation Services authority host support to the node credentials.
• Reverted a change in 1.2.0-beta.1 which moved @rollup/plugin-json from devDependencies to dependencies. @rollup/plugin-json was placed as a dependency due to an oversight, and it is not a necessary dependency for @azure/identity.

1.2.0-beta.1 (2020-09-08)

• A new InteractiveBrowserCredential for node which will spawn a web server, start a web browser, and allow the user to interactively authenticate with the browser.
• With 1.2.0-beta.1, Identity will now use MSAL to perform authentication. With this beta, DeviceCodeCredential and a new InteractiveBrowserCredential for node are powered by MSAL.
• Identity now supports Subject Name/Issuer (SNI) as part of authentication for ClientCertificateCredential
• Upgraded App Services MSI API version

1.1.0 (2020-08-11)

Changes since 1.0.*

• With 1.1.0, new developer credentials are now available: VisualStudioCodeCredential and AzureCliCredential.
  • VisualStudioCodeCredential allows developers to log into Azure using the credentials available after logging in through the Azure Account extension in Visual Studio Code.
  • AzureCliCredential allows developers to log into Azure using the login credentials after an "az login" call.
• Both VisualStudioCodeCredential and AzureCliCredential may be used directly or indirectly as part of DefaultAzureCredential.
• Added the ability to configure the Managed Identity with a user-assigned client ID via a new option available in the DefaultAzureCredential constructor options: managedIdentityClientId.
• Made a list of known authorities is now available via a new top-level constant: AzureAuthorityHosts.
• Introduced the CredentialUnavailable error, which allows developers to differentiate between a credential not being available and an error happening during authentication.

Changes since the latest 1.1-preview

• Renamed the VSCodeCredential to VisualStudioCodeCredential, and its options parameter from VSCodeCredentialOptions to VisualStudioCodeCredentialOptions.
• Tenant information is now loaded from the Visual Studio Code settings file when the VisualStudioCodeCredential is used.
• Added managedIdentityClientId to optionally pass in a user-assigned client ID for the ManagedIdentityCredential.

1.1.0-preview.5 (2020-07-22)

• Make the keytar dependency optional, allowing for building and running on platforms not supported by keytar PR #10142
• DefaultAzureCredential and VSCodeCredential can now take a tenant id as part of the options object
• KnownAuthorityHosts has been renamed to AzureAuthorityHosts

1.1.0-preview.4 (2020-06-09)

• Switch to using CredentialUnavailable to differentiate from expected and unexpected errors during DefaultAzureCredential startup. PR #8172
• Make all developer credentials public as well as the list used by DefaultAzureCredential PR #9274

1.1.0-preview.3 (2020-05-05)

• Add ability to read AZURE_AUTHORITY_HOST from environment (PR #8226 PR #8343)
• Update to OpenTelemetry 0.6 (PR #7998)
• Set expires_on at a higher precedence for IMDS (PR #8591)

1.1.0-preview.2 (2020-04-07)

• Make KnownAuthorityHosts constants available
• Extended DefaultAzureCredential with an experimental credential that uses the login credential from VSCode's Azure Account extension

1.1.0-preview1 (2020-03-10)

• Extended DefaultAzureCredential with an experimental credential that uses the login credential from Azure CLI
• Fix tracing to set correct span attributes (PR #6565).

1.0.2 (2019-12-03)

• Fixed an issue where an authorization error occurs due to wrong access token being returned by the MSI endpoint when using a user-assigned managed identity with ManagedIdentityCredential (PR #6134)
• Fixed an issue in EnvironmentCredential where authentication silently fails when one or more of the expected environment variables is not present (PR #6313)
• Updated to use OpenTelemetry 0.2 via @azure/core-tracing

1.0.0 (2019-10-29)

• This release marks the general availability of the @azure/identity package.
• EnvironmentCredential now looks for additional environment variables: (PR #5743)
  • AZURE_CLIENT_CERTIFICATE_PATH to configure ClientCertificateCredential
  • AZURE_USERNAME and AZURE_PASSWORD to configure UsernamePasswordCredential
• GetTokenOptions now extends the interface OperationOptions (PR #5899)
• TokenCredentialOptions now extends the interface PipelineOptions (PR #5711)
• Renamed IdentityClientOptions to TokenCredentialOptions (PR #5797)
• Removed the browser bundle. A browser-compatible library can still be created through the use of a bundler such as Rollup, Webpack, or Parcel (PR #5863)

1.0.0-preview.6 (2019-10-22)

• Renamed DeviceCodeDetails to DeviceCodeInfo and improved casing of the fields in the ErrorResponse type (PR #5662)
• Improved the constructor signatures for AuthorizationCodeCredential, DeviceCodeCredential, InteractiveBrowserCredential and managedIdentityCredential so that it's clearer which parameters are optional and what additional values they accept (PR #5668)
• Added logging for authentication flows via the new @azure/logger package (PR #5611)
• Fixed an issue in DeviceCodeCredential where an unexpected authentication error could cause an infinite polling loop (PR #5430)
• Improved the details that appear in the AggregateAuthenticationError (PR #5409)

1.0.0-preview.5 (2019-10-08)

• Update @azure/core-tracing dependency to resolve an issue when running in Internet Explorer 11 (PR #5472)

1.0.0-preview.4 (2019-10-07)

• Introduced the AuthorizationCodeCredential for performing the authorization code flow with AAD (PR #5356)
• Fixed an issue preventing the ManagedIdentityCredential from working inside of Azure Function Apps (PR #5144)
• Added tracing to IdentityClient and credential implementations (PR #5283)
• Improved the exception message for AggregateAuthenticationError so that errors thrown from DefaultAzureCredential are now more actionable (PR #5409)

1.0.0-preview.3 (2019-09-09)

• Fixed a ping timeout issue. The timeout is now configurable. (PR #4941)
• Fixed IMDS endpoint detection false positive (PR #4909)

1.0.0-preview.2 (2019-08-05)

• Introduced the following credential types:
  • DeviceCodeCredential.
  • InteractiveBrowserCredential.
  • UsernamePasswordCredential.
• This library can now be used in the browser! The following credential types supported in browser builds:
  • ClientSecretCredential.
  • UsernamePasswordCredential.
  • InteractiveBrowserCredential.

1.0.0-preview.1 (2019-06-27)

For release notes and more information please visit https://aka.ms/azsdk/releases/july2019preview

• Introduced the following credential types:
  • DefaultAzureCredential.
  • EnvironmentCredential.
  • ManagedIdentityCredential.
  • ClientSecretCredential.
  • ClientCertificateCredential.
  • ChainedTokenCredential.