[Identity] Adding regional STS support

sdk/identity/identity/CHANGELOG.md

@@ -11,6 +11,14 @@
 
 - Removed the protected method `getAzureCliAccessToken` from the public API of the `AzureCliCredential`. While it will continue to be available as part of v1, we won't be supporting this method as part of v2's public API.
 
+### New Features
+
+- Added regional STS support to client credential types.
+  - Added the `RegionalAuthority` type, that allows specifying Azure regions.
+  - Added `regionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`.
+  - If instead of a region, `autoDiscoverRegion` is specified as the value for `regionalAuthority`, MSAL will be used to attempt to discover the region.
+  - A region can also be specified through the `AZURE_REGIONAL_AUTHORITY_NAME` environment variable.
+
 ## 2.0.0-beta.3 (2021-05-12)
 
 ### New features

sdk/identity/identity/package.json

@@ -43,7 +43,8 @@
     "test:node": "npm run clean && npm run build:test && npm run unit-test:node && npm run integration-test:node",
     "test": "npm run clean && npm run build:test && npm run unit-test && npm run integration-test",
     "unit-test:browser": "karma start --single-run",
-    "unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 180000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
+    "unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 300000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
+    "unit-test:node:no-timeouts": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js  --no-timeouts --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
     "unit-test": "npm run unit-test:node && npm run unit-test:browser",
     "docs": "typedoc --excludePrivate --excludeNotExported --excludeExternals --stripInternal --mode file --out ./dist/docs ./src"
   },
@@ -81,8 +82,8 @@
     "@azure/core-tracing": "1.0.0-preview.11",
     "@azure/logger": "^1.0.0",
     "@azure/abort-controller": "^1.0.0",
-    "@azure/msal-common": "^4.0.0",
-    "@azure/msal-node": "^1.0.2",
+    "@azure/msal-common": "^4.3.0",
+    "@azure/msal-node": "^1.1.0",
     "@azure/msal-browser": "^2.0.0",
     "@types/stoppable": "^1.1.0",
     "events": "^3.0.0",

sdk/identity/identity/review/identity.api.md

@@ -92,6 +92,7 @@ export class ClientCertificateCredential implements TokenCredential {
 
 // @public
 export interface ClientCertificateCredentialOptions extends TokenCredentialOptions {
+    regionalAuthority?: string;
     sendCertificateChain?: boolean;
 }
 
@@ -103,6 +104,7 @@ export class ClientSecretCredential implements TokenCredential {
 
 // @public
 export interface ClientSecretCredentialOptions extends TokenCredentialOptions {
+    regionalAuthority?: string;
 }
 
 // @public
@@ -210,6 +212,63 @@ export class ManagedIdentityCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     }
 
+// @public
+export enum RegionalAuthority {
+    AsiaEastValue = "eastasia",
+    AsiaSouthEastValue = "southeastasia",
+    AustraliaCentral2Value = "australiacentral2",
+    AustraliaCentralValue = "australiacentral",
+    AustraliaEastValue = "australiaeast",
+    AustraliaSouthEastValue = "australiasoutheast",
+    AutoDiscoverRegion = "AUTO_DISCOVER",
+    BrazilSouthValue = "brazilsouth",
+    CanadaCentralValue = "canadacentral",
+    CanadaEastValue = "canadaeast",
+    ChinaEast2Value = "chinaeast2",
+    ChinaEastValue = "chinaeast",
+    ChinaNorth2Value = "chinanorth2",
+    ChinaNorthValue = "chinanorth",
+    EuropeNorthValue = "northeurope",
+    EuropeWestValue = "westeurope",
+    FranceCentralValue = "francecentral",
+    FranceSouthValue = "francesouth",
+    GermanyCentralValue = "germanycentral",
+    GermanyNorthEastValue = "germanynortheast",
+    GermanyNorthValue = "germanynorth",
+    GermanyWestCentralValue = "germanywestcentral",
+    GovernmentUSArizonaValue = "usgovarizona",
+    GovernmentUSDodCentralValue = "usdodcentral",
+    GovernmentUSDodEastValue = "usdodeast",
+    GovernmentUSIowaValue = "usgoviowa",
+    GovernmentUSTexasValue = "usgovtexas",
+    GovernmentUSVirginiaValue = "usgovvirginia",
+    IndiaCentralValue = "centralindia",
+    IndiaSouthValue = "southindia",
+    IndiaWestValue = "westindia",
+    JapanEastValue = "japaneast",
+    JapanWestValue = "japanwest",
+    KoreaCentralValue = "koreacentral",
+    KoreaSouthValue = "koreasouth",
+    NorwayEastValue = "norwayeast",
+    NorwayWestValue = "norwaywest",
+    SouthAfricaNorthValue = "southafricanorth",
+    SouthAfricaWestValue = "southafricawest",
+    SwitzerlandNorthValue = "switzerlandnorth",
+    SwitzerlandWestValue = "switzerlandwest",
+    UAECentralValue = "uaecentral",
+    UAENorthValue = "uaenorth",
+    UKSouthValue = "uksouth",
+    UKWestValue = "ukwest",
+    USCentralValue = "centralus",
+    USEast2Value = "eastus2",
+    USEastValue = "eastus",
+    USNorthCentralValue = "northcentralus",
+    USSouthCentralValue = "southcentralus",
+    USWest2Value = "westus2",
+    USWestCentralValue = "westcentralus",
+    USWestValue = "westus"
+}
+
 // @public
 export function serializeAuthenticationRecord(record: AuthenticationRecord): string;
 

sdk/identity/identity/src/credentials/clientCertificateCredentialOptions.ts

@@ -12,4 +12,10 @@ export interface ClientCertificateCredentialOptions extends TokenCredentialOptio
    * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
    */
   sendCertificateChain?: boolean;
+  /**
+   * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+   * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+   * If the property is not specified, the credential uses the global authority endpoint.
+   */
+  regionalAuthority?: string;
 }

sdk/identity/identity/src/credentials/clientSecretCredentialOptions.ts

@@ -6,4 +6,11 @@ import { TokenCredentialOptions } from "../client/identityClient";
 /**
  * Optional parameters for the {@link ClientSecretCredential} class.
  */
-export interface ClientSecretCredentialOptions extends TokenCredentialOptions {}
+export interface ClientSecretCredentialOptions extends TokenCredentialOptions {
+  /**
+   * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+   * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+   * If the property is not specified, the credential uses the global authority endpoint.
+   */
+  regionalAuthority?: string;
+}

sdk/identity/identity/src/index.ts

@@ -8,6 +8,7 @@ export { AuthenticationRecord } from "./msal/types";
 export { AuthenticationRequiredError } from "./msal/errors";
 export { serializeAuthenticationRecord, deserializeAuthenticationRecord } from "./msal/utils";
 export { TokenCredentialOptions } from "./client/identityClient";
+export { RegionalAuthority } from "./regionalAuthority";
 export { InteractiveCredentialOptions } from "./credentials/interactiveCredentialOptions";
 
 export { ChainedTokenCredential } from "./credentials/chainedTokenCredential";

sdk/identity/identity/src/msal/nodeFlows/msalClientCertificate.ts

@@ -106,7 +106,8 @@ export class MsalClientCertificate extends MsalNode {
     try {
       const result = await this.confidentialApp!.acquireTokenByClientCredential({
         scopes,
-        correlationId: options.correlationId
+        correlationId: options.correlationId,
+        azureRegion: this.azureRegion
       });
       // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
       // The Client Credential flow does not return the account information from the authentication service,

sdk/identity/identity/src/msal/nodeFlows/msalClientSecret.ts

@@ -31,7 +31,8 @@ export class MsalClientSecret extends MsalNode {
     try {
       const result = await this.confidentialApp!.acquireTokenByClientCredential({
         scopes,
-        correlationId: options.correlationId
+        correlationId: options.correlationId,
+        azureRegion: this.azureRegion
       });
       // The Client Credential flow does not return an account,
       // so each time getToken gets called, we will have to acquire a new token through the service.

sdk/identity/identity/src/msal/nodeFlows/nodeCommon.ts

@@ -27,6 +27,12 @@ import {
  */
 export interface MsalNodeOptions extends MsalFlowOptions {
   tokenCredentialOptions: TokenCredentialOptions;
+  /**
+   * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+   * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+   * If the property is not specified, uses a non-regional authority endpoint.
+   */
+  regionalAuthority?: string;
 }
 
 /**
@@ -45,11 +51,13 @@ export abstract class MsalNode extends MsalBaseUtilities implements MsalFlow {
   protected clientId: string;
   protected identityClient?: IdentityClient;
   protected requiresConfidential: boolean = false;
+  protected azureRegion?: string;
 
   constructor(options: MsalNodeOptions) {
     super(options);
     this.msalConfig = this.defaultNodeMsalConfig(options);
     this.clientId = this.msalConfig.auth.clientId;
+    this.azureRegion = options.regionalAuthority || process.env.AZURE_REGIONAL_AUTHORITY_NAME;
   }
 
   /**