Update support for MSI authentication (Azure#13)

* Add TSLint rule to limit classes per file to one

* Add d.ts and js.map files to gitignore

* Ignore dist directory

* Add empty MSI credential classes

* Update MSIOptions and MSIAppServiceOptions

* Update MsiTokenCredentials

* Add implementation of MSI* credentials

* Fix extra whitespace

* Add typings for ADAL library

* Fix TSLint credential issues

* Temporary commit for fixing overloads

* Fix _withMSI declaration

* Fix loginWithMSI overloads

* Fix loginWithVmMSI overloads

* Fix _withMSI declaration

* Fix loginWithAppServiceMSI overloads

* Fix _withAppServiceMSI declaration

* Fix missing TypeScript types in MSI logging methods

* Make MSITokenCredentials abstract

* Fix TSLint problems in token credential classes

* Remove loginWithMSI method

* Remove dist/lib files from tracking

* Bootstrap test directory

* Add unit tests

* Add tokenClientCredentials class

* Update exports

* Fix extra whitespace

* Move options to corresponding classes

* Adjusting types to newer model

* Updating tests

* Fix compiler errors in unit tests

* Enable injecting custom HttpClient to MSI credentials classses

* Update MSI tests

* Fix promise return type

* Fix tests

* Uncomment tests

* Remove unused package

* Update headers to contain MIT license

* Remove commented code

* Update documentation

* Fix slashes in RM endpoint

* Rempve @types/adal-angular package

* Update missing documentation

* Update README.md

Author: kpajdzik

.gitignore

@@ -54,3 +54,10 @@ jspm_packages/
 # dotenv environment variables file
 .env
 
+# Typescript output
+.nyc_output/
+coverage/
+dist/
+typings/
+*.js
+*.js.map

.vscode/launch.json

@@ -1,17 +1,33 @@
 {
-  // Use IntelliSense to learn about possible Node.js debug attributes.
-  // Hover to view descriptions of existing attributes.
-  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
   "version": "0.2.0",
   "configurations": [
     {
-      "type": "node",
-      "request": "launch",
-      "name": "Launch Program",
-      "program": "${workspaceRoot}/samples/sample.ts",
-      "outFiles": [
-        "${workspaceRoot}/dist/**/*.js"
-      ]
+        "type": "node",
+        "request": "launch",
+        "name": "Mocha All",
+        "program": "${workspaceFolder}/node_modules/mocha/bin/_mocha",
+        "args": [
+            "--timeout",
+            "999999",
+            "--colors",
+            "${workspaceFolder}/test"
+        ],
+        "console": "integratedTerminal",
+        "internalConsoleOptions": "neverOpen"
+    },
+    {
+        "type": "node",
+        "request": "launch",
+        "name": "Mocha Current File",
+        "program": "${workspaceFolder}/node_modules/mocha/bin/_mocha",
+        "args": [
+            "--timeout",
+            "999999",
+            "--colors",
+            "${file}"
+        ],
+        "console": "integratedTerminal",
+        "internalConsoleOptions": "neverOpen"
     }
   ]
 }

README.md

@@ -58,11 +58,31 @@ msRestNodeAuth.loginWithAuthFileWithAuthResponse(options).then((authRes) => {
 });
 ```
 
-### MSI(Managed Service Identity) based login from a virtual machine created in Azure.
+### MSI (Managed Service Identity) based login from a virtual machine created in Azure.
 ```typescript
 import * as msRestNodeAuth from "../lib/msRestNodeAuth";
 
-msRestNodeAuth.loginWithMSI("your-tenantId").then((msiTokenRes) => {
+const options: msRestNodeAuth.MSIVmOptions = {
+  port: 50342;
+}
+
+msRestNodeAuth.loginWithVmMSI(options).then((msiTokenRes) => {
+  console.log(msiTokenRes);
+}).catch((err) => {
+  console.log(err);
+});
+```
+
+
+### MSI (Managed Service Identity) based login from an AppService or Azure Function created in Azure.
+```typescript
+import * as msRestNodeAuth from "../lib/msRestNodeAuth";
+
+const options: msRestNodeAuth.MSIAppServiceOptions = {
+  msiEndpoint: "http://127.0.0.1:41741/MSI/token/";
+}
+
+msRestNodeAuth.loginWithAppServiceMSI(options).then((msiTokenRes) => {
   console.log(msiTokenRes);
 }).catch((err) => {
   console.log(err);

dist/lib/credentials/applicationTokenCredentials.js

@@ -1,9 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-import { TokenCredentialsBase, TokenResponse } from "./tokenCredentialsBase";
+import { TokenCredentialsBase } from "./tokenCredentialsBase";
 import { AzureEnvironment } from "ms-rest-azure-env";
 import { AuthConstants, TokenAudience } from "../util/authConstants";
+import { TokenResponse } from "adal-node";
 
 export class ApplicationTokenCredentials extends TokenCredentialsBase {
 

dist/lib/credentials/deviceTokenCredentials.js

@@ -1,9 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-import { TokenCredentialsBase, TokenResponse } from "./tokenCredentialsBase";
+import { TokenCredentialsBase } from "./tokenCredentialsBase";
 import { AzureEnvironment } from "ms-rest-azure-env";
 import { AuthConstants, TokenAudience } from "../util/authConstants";
+import { TokenResponse } from "adal-node";
 
 export class DeviceTokenCredentials extends TokenCredentialsBase {
 

dist/lib/credentials/msiTokenCredentials.js

@@ -0,0 +1,133 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+import { MSITokenCredentials, MSIOptions, MSITokenResponse } from "./msiTokenCredentials";
+import { HttpOperationResponse, RequestPrepareOptions, WebResource } from "ms-rest-js";
+
+/**
+ * @interface MSIAppServiceOptions Defines the optional parameters for authentication with MSI for AppService.
+ */
+export interface MSIAppServiceOptions extends MSIOptions {
+  /**
+   * @property {string} [msiEndpoint] - The local URL from which your app can request tokens.
+   * Either provide this parameter or set the environment varaible `MSI_ENDPOINT`.
+   * For example: `export MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+   */
+  msiEndpoint?: string;
+  /**
+   * @property {string} [msiSecret] - The secret used in communication between your code and the local MSI agent.
+   * Either provide this parameter or set the environment varaible `MSI_SECRET`.
+   * For example: `export MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+   */
+  msiSecret?: string;
+  /**
+   * @property {string} [msiApiVersion] - The api-version of the local MSI agent. Default value is "2017-09-01".
+   */
+  msiApiVersion?: string;
+}
+
+/**
+ * @class MSIAppServiceTokenCredentials
+ */
+export class MSIAppServiceTokenCredentials extends MSITokenCredentials {
+  /**
+   * @property {string} msiEndpoint - The local URL from which your app can request tokens.
+   * Either provide this parameter or set the environment varaible `MSI_ENDPOINT`.
+   * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+   */
+  msiEndpoint: string;
+  /**
+   * @property {string} msiSecret - The secret used in communication between your code and the local MSI agent.
+   * Either provide this parameter or set the environment varaible `MSI_SECRET`.
+   * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+   */
+  msiSecret: string;
+  /**
+   * @property {string} [msiApiVersion] The api-version of the local MSI agent. Default value is "2017-09-01".
+   */
+  msiApiVersion?: string;
+
+  /**
+   * Creates an instance of MSIAppServiceTokenCredentials.
+   * @param {string} [options.msiEndpoint] - The local URL from which your app can request tokens.
+   * Either provide this parameter or set the environment varaible `MSI_ENDPOINT`.
+   * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+   * @param {string} [options.msiSecret] - The secret used in communication between your code and the local MSI agent.
+   * Either provide this parameter or set the environment varaible `MSI_SECRET`.
+   * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+   * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
+   * For e.g. it can be:
+   * - resource management endpoint "https://management.azure.com/" (default)
+   * - management endpoint "https://management.core.windows.net/"
+   * @param {string} [options.msiApiVersion] - The api-version of the local MSI agent. Default value is "2017-09-01".
+   */
+  constructor(options?: MSIAppServiceOptions) {
+    if (!options) options = {};
+    super(options);
+    options.msiEndpoint = options.msiEndpoint || process.env["MSI_ENDPOINT"];
+    options.msiSecret = options.msiSecret || process.env["MSI_SECRET"];
+    if (!options.msiEndpoint || (options.msiEndpoint && typeof options.msiEndpoint.valueOf() !== "string")) {
+      throw new Error('Either provide "msiEndpoint" as a property of the "options" object ' +
+        'or set the environment variable "MSI_ENDPOINT" and it must be of type "string".');
+    }
+
+    if (!options.msiSecret || (options.msiSecret && typeof options.msiSecret.valueOf() !== "string")) {
+      throw new Error('Either provide "msiSecret" as a property of the "options" object ' +
+        'or set the environment variable "MSI_SECRET" and it must be of type "string".');
+    }
+
+    if (!options.msiApiVersion) {
+      options.msiApiVersion = "2017-09-01";
+    } else if (typeof options.msiApiVersion.valueOf() !== "string") {
+      throw new Error("msiApiVersion must be a uri.");
+    }
+
+    this.msiEndpoint = options.msiEndpoint;
+    this.msiSecret = options.msiSecret;
+    this.msiApiVersion = options.msiApiVersion;
+  }
+
+  /**
+   * Prepares and sends a POST request to a service endpoint hosted on the Azure VM, which responds with the access token.
+   * @param  {function} callback  The callback in the form (err, result)
+   * @return {function} callback
+   *                       {Error} [err]  The error if any
+   *                       {object} [tokenResponse] The tokenResponse (tokenType and accessToken are the two important properties).
+   */
+  async getToken(): Promise<MSITokenResponse> {
+    const reqOptions = this.prepareRequestOptions();
+    let opRes: HttpOperationResponse;
+    let result: MSITokenResponse;
+
+    opRes = await this.httpClient.sendRequest(reqOptions);
+    if (opRes.bodyAsText === undefined || opRes.bodyAsText!.indexOf("ExceptionMessage") !== -1) {
+      throw new Error(`MSI: Failed to retrieve a token from "${reqOptions.url}" with an error: ${opRes.bodyAsText}`);
+    }
+
+    result = this.parseTokenResponse(opRes.bodyAsText!) as MSITokenResponse;
+    if (!result.tokenType) {
+      throw new Error(`Invalid token response, did not find tokenType. Response body is: ${opRes.bodyAsText}`);
+    } else if (!result.accessToken) {
+      throw new Error(`Invalid token response, did not find accessToken. Response body is: ${opRes.bodyAsText}`);
+    }
+
+    return result;
+  }
+
+  protected prepareRequestOptions(): WebResource {
+    const endpoint = this.msiEndpoint.endsWith("/") ? this.msiEndpoint : `${this.msiEndpoint}/`;
+    const getUrl = `${endpoint}?resource=${this.resource}&api-version=${this.msiApiVersion}`;
+    const resource = encodeURIComponent(this.resource);
+    const reqOptions: RequestPrepareOptions = {
+      url: getUrl,
+      headers: {
+        "secret": this.msiSecret
+      },
+      body: `resource=${resource}`,
+      method: "POST"
+    };
+
+    const webResource = new WebResource();
+    return webResource.prepare(reqOptions);
+  }
+}

dist/lib/credentials/tokenCredentialsBase.js

@@ -1,24 +1,33 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-import * as msRest from "ms-rest-js";
-import { MSIOptions } from "../login";
-
-const defaultPort = 50342;
-const defaultResource = "https://management.azure.com/";
+import { Constants, WebResource, HttpClient, DefaultHttpClient } from "ms-rest-js";
+import { TokenClientCredentials, TokenResponse } from "./tokenClientCredentials";
+import { AuthConstants } from "../util/authConstants";
 
 /**
- * @interface MSITokenResponse - Describes the MSITokenResponse.
+ * @interface MSIOptions Defines the optional parameters for authentication with MSI.
  */
-export interface MSITokenResponse {
+export interface MSIOptions {
   /**
-   * @property {string} token_type - The token type.
+   * @prop {string} [resource] -  The resource uri or token audience for which the token is needed.
+   * For e.g. it can be:
+   * - resourcemanagement endpoint "https://management.azure.com/" (default)
+   * - management endpoint "https://management.core.windows.net/"
    */
-  readonly token_type: string;
+  resource?: string;
+
   /**
-   * @property {string} access_token - The access token.
+   * @property {HttpClient} [httpClient] - The client responsible for sending HTTP requests.
+   * By default it is Axios-based {@link DefaultHttpClient}.
    */
-  readonly access_token: string;
+  httpClient?: HttpClient;
+}
+
+/**
+ * @interface MSITokenResponse - Describes the MSITokenResponse.
+ */
+export interface MSITokenResponse extends TokenResponse {
   /**
    * @property {any} any - Placeholder for unknown properties.
    */
@@ -29,76 +38,94 @@ export interface MSITokenResponse {
  * @class MSITokenCredentials - Provides information about managed service identity token credentials.
  * This object can only be used to acquire token on a virtual machine provisioned in Azure with managed service identity.
  */
-export class MSITokenCredentials {
-
-
-  port: number;
+export abstract class MSITokenCredentials implements TokenClientCredentials {
   resource: string;
+  protected httpClient: HttpClient;
 
-  public constructor(
-    /**
-     * @property {LoginWithMSIOptions} options Optional parameters
-     */
-    public options: MSIOptions) {
-
+  /**
+   * Creates an instance of MSITokenCredentials.
+   * @param {object} [options] - Optional parameters
+   * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
+   * For e.g. it can be:
+   * - resource management endpoint "https://management.azure.com/"(default)
+   * - management endpoint "https://management.core.windows.net/"
+   */
+  constructor(options: MSIOptions) {
     if (!options) options = {};
 
-    if (options.port === undefined) {
-      options.port = defaultPort;
-    } else if (typeof options.port !== "number") {
-      throw new Error("port must be a number.");
-    }
-
     if (!options.resource) {
-      options.resource = defaultResource;
+      options.resource = AuthConstants.RESOURCE_MANAGER_ENDPOINT;
     } else if (typeof options.resource.valueOf() !== "string") {
       throw new Error("resource must be a uri.");
     }
 
-    this.port = options.port;
     this.resource = options.resource;
+    this.httpClient = options.httpClient || new DefaultHttpClient();
   }
 
   /**
-   * Prepares and sends a POST request to a service endpoint hosted on the Azure VM, which responds with the access token.
-   * @param  {function} callback  The callback in the form (err, result)
-   * @return {function} callback
-   *                       {Error} [err]  The error if any
-   *                       {object} [tokenResponse] The tokenResponse (token_type and access_token are the two important properties).
+   * Parses a tokenResponse json string into a object, and converts properties on the first level to camelCase.
+   * This method tries to standardize the tokenResponse
+   * @param  {string} body  A json string
+   * @return {object} [tokenResponse] The tokenResponse (tokenType and accessToken are the two important properties).
    */
-  async getToken(): Promise<MSITokenResponse> {
-    const reqOptions = this.prepareRequestOptions();
-    const client = new msRest.ServiceClient();
-    let opRes: msRest.HttpOperationResponse;
-    let result: MSITokenResponse;
-    try {
-      opRes = await client.sendRequest(reqOptions);
-      result = opRes.parsedBody as MSITokenResponse;
-      if (!result.token_type) {
-        throw new Error(`Invalid token response, did not find token_type. Response body is: ${opRes.bodyAsText}`);
-      } else if (!result.access_token) {
-        throw new Error(`Invalid token response, did not find access_token. Response body is: ${opRes.bodyAsText}`);
+  parseTokenResponse(body: string): TokenResponse {
+    // Docs show different examples of possible MSI responses for different services. https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
+    // expires_on - is a Date like string in this doc
+    //   - https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity#rest-protocol-examples
+    // In other doc it is stringified number.
+    //   - https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/tutorial-linux-vm-access-arm#get-an-access-token-using-the-vms-identity-and-use-it-to-call-resource-manager
+    const parsedBody = JSON.parse(body);
+    parsedBody.accessToken = parsedBody["access_token"];
+    delete parsedBody["access_token"];
+    parsedBody.tokenType = parsedBody["token_type"];
+    delete parsedBody["token_type"];
+    if (parsedBody["refresh_token"]) {
+      parsedBody.refreshToken = parsedBody["refresh_token"];
+      delete parsedBody["refresh_token"];
+    }
+    if (parsedBody["expires_in"]) {
+      parsedBody.expiresIn = parsedBody["expires_in"];
+      if (typeof parsedBody["expires_in"] === "string") {
+        // normal number as a string '1504130527'
+        parsedBody.expiresIn = parseInt(parsedBody["expires_in"], 10);
+      }
+      delete parsedBody["expires_in"];
+    }
+    if (parsedBody["not_before"]) {
+      parsedBody.notBefore = parsedBody["not_before"];
+      if (typeof parsedBody["not_before"] === "string") {
+        // normal number as a string '1504130527'
+        parsedBody.notBefore = parseInt(parsedBody["not_before"], 10);
+      }
+      delete parsedBody["not_before"];
+    }
+    if (parsedBody["expires_on"]) {
+      parsedBody.expiresOn = parsedBody["expires_on"];
+      if (typeof parsedBody["expires_on"] === "string") {
+        // possibly a Date string '09/14/2017 00:00:00 PM +00:00'
+        if (parsedBody["expires_on"].includes(":") || parsedBody["expires_on"].includes("/")) {
+          parsedBody.expiresOn = new Date(parsedBody["expires_on"], 10);
+        } else {
+          // normal number as a string '1504130527'
+          parsedBody.expiresOn = new Date(parseInt(parsedBody["expires_on"], 10));
+        }
       }
-    } catch (err) {
-      return Promise.reject(err);
+      delete parsedBody["expires_on"];
     }
-    return Promise.resolve(result);
+    return parsedBody;
   }
 
-  private prepareRequestOptions(): msRest.RequestPrepareOptions {
-    const resource = encodeURIComponent(this.resource);
-    const reqOptions: msRest.RequestPrepareOptions = {
-      url: `http://localhost:${this.port}/oauth2/token`,
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
-        "Metadata": "true"
-      },
-      body: `resource=${resource}`,
-      method: "POST"
-    };
+  /**
+   * Prepares and sends a POST request to a service endpoint hosted on the Azure VM, which responds with the access token.
+   * @param  {function} callback  The callback in the form (err, result)
+   * @return {function} callback
+   *                       {Error} [err]  The error if any
+   *                       {object} [tokenResponse] The tokenResponse (tokenType and accessToken are the two important properties).
+   */
+  abstract async getToken(): Promise<MSITokenResponse>;
 
-    return reqOptions;
-  }
+  protected abstract prepareRequestOptions(): WebResource;
 
   /**
    * Signs a request with the Authentication header.
@@ -107,9 +134,9 @@ export class MSITokenCredentials {
    * @param {function(error)}  callback  The callback function.
    * @return {undefined}
    */
-  public async signRequest(webResource: msRest.WebResource): Promise<msRest.WebResource> {
+  public async signRequest(webResource: WebResource): Promise<WebResource> {
     const tokenResponse = await this.getToken();
-    webResource.headers.set(msRest.Constants.HeaderConstants.AUTHORIZATION, `${tokenResponse.tokenType} ${tokenResponse.accessToken}`);
+    webResource.headers.set(Constants.HeaderConstants.AUTHORIZATION, `${tokenResponse.tokenType} ${tokenResponse.accessToken}`);
     return Promise.resolve(webResource);
   }
 }

dist/lib/credentials/userTokenCredentials.js

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+import { MSITokenCredentials, MSIOptions, MSITokenResponse } from "./msiTokenCredentials";
+import { RequestPrepareOptions, HttpOperationResponse, WebResource } from "ms-rest-js";
+
+/**
+ * @interface MSIVmOptions Defines the optional parameters for authentication with MSI for Virtual Machine.
+ */
+export interface MSIVmOptions extends MSIOptions {
+  /**
+   * @prop {number} [port] - port on which the MSI service is running on the host VM. Default port is 50342
+   */
+  port?: number;
+}
+
+/**
+ * @class MSIVmTokenCredentials
+ */
+export class MSIVmTokenCredentials extends MSITokenCredentials {
+  port: number;
+
+  constructor(options?: MSIVmOptions) {
+    if (!options) options = {};
+    super(options);
+    if (!options.port) {
+      options.port = 50342; // default port where token service runs.
+    } else if (typeof options.port !== "number") {
+      throw new Error("port must be a number.");
+    }
+
+    this.port = options.port;
+  }
+
+  /**
+   * Prepares and sends a POST request to a service endpoint hosted on the Azure VM, which responds with the access token.
+   * @param  {function} callback  The callback in the form (err, result)
+   * @return {function} callback
+   *                       {Error} [err]  The error if any
+   *                       {object} [tokenResponse] The tokenResponse (tokenType and accessToken are the two important properties).
+   */
+  async getToken(): Promise<MSITokenResponse> {
+    const reqOptions = this.prepareRequestOptions();
+    let opRes: HttpOperationResponse;
+    let result: MSITokenResponse;
+
+    opRes = await this.httpClient.sendRequest(reqOptions);
+    result = this.parseTokenResponse(opRes.bodyAsText!) as MSITokenResponse;
+    if (!result.tokenType) {
+      throw new Error(`Invalid token response, did not find tokenType. Response body is: ${opRes.bodyAsText}`);
+    } else if (!result.accessToken) {
+      throw new Error(`Invalid token response, did not find accessToken. Response body is: ${opRes.bodyAsText}`);
+    }
+
+
+    return result;
+  }
+
+  protected prepareRequestOptions(): WebResource {
+    const resource = encodeURIComponent(this.resource);
+    const reqOptions: RequestPrepareOptions = {
+      url: `http://localhost:${this.port}/oauth2/token`,
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+        "Metadata": "true"
+      },
+      body: `resource=${resource}`,
+      method: "POST"
+    };
+
+    const webResource = new WebResource();
+    return webResource.prepare(reqOptions);
+  }
+}

dist/lib/login.js

@@ -0,0 +1,14 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+import { ServiceClientCredentials } from "ms-rest-js";
+
+export interface TokenResponse {
+  readonly tokenType: string;
+  readonly accessToken: string;
+  readonly [x: string]: any;
+}
+
+export interface TokenClientCredentials extends ServiceClientCredentials {
+  getToken<TTokenResponse extends TokenResponse>(): Promise<TokenResponse | TTokenResponse>;
+}

dist/lib/msRestNodeAuth.js

@@ -4,15 +4,11 @@
 import { Constants as MSRestConstants, WebResource } from "ms-rest-js";
 import { AzureEnvironment } from "ms-rest-azure-env";
 import { TokenAudience } from "../util/authConstants";
+import { TokenClientCredentials } from "./tokenClientCredentials";
+import { TokenResponse } from "adal-node";
 const adal = require("adal-node");
 
-export interface TokenResponse {
-  readonly tokenType: string;
-  readonly accessToken: string;
-  readonly [x: string]: any;
-}
-
-export abstract class TokenCredentialsBase {
+export abstract class TokenCredentialsBase implements TokenClientCredentials {
   protected readonly authContext: any;
 
   public constructor(

dist/lib/subscriptionManagement/subscriptionUtils.js

@@ -1,9 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-import { TokenCredentialsBase, TokenResponse } from "./tokenCredentialsBase";
+import { TokenCredentialsBase } from "./tokenCredentialsBase";
 import { AzureEnvironment } from "ms-rest-azure-env";
 import { TokenAudience } from "../util/authConstants";
+import { TokenResponse } from "adal-node";
 
 export class UserTokenCredentials extends TokenCredentialsBase {
 
@@ -81,7 +82,7 @@ export class UserTokenCredentials extends TokenCredentialsBase {
             if (error) {
               reject(error);
             }
-            if (self.crossCheckUserNameWithToken(self.username, tokenResponse.userId)) {
+            if (self.crossCheckUserNameWithToken(self.username, tokenResponse.userId!)) {
               resolve((tokenResponse as TokenResponse));
             } else {
               reject(`The userId "${tokenResponse.userId}" in access token doesn"t match the username "${self.username}" provided during authentication.`);

dist/lib/util/authConstants.js

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-const adal = require("adal-node");
+import * as adal from "adal-node";
 import * as fs from "fs";
 import * as msRest from "ms-rest-js";
 import { AzureEnvironment } from "ms-rest-azure-env";
@@ -11,13 +11,15 @@ import { DeviceTokenCredentials } from "./credentials/deviceTokenCredentials";
 import { UserTokenCredentials } from "./credentials/userTokenCredentials";
 import { AuthConstants, TokenAudience } from "./util/authConstants";
 import { buildTenantList, getSubscriptionsFromTenants, LinkedSubscription } from "./subscriptionManagement/subscriptionUtils";
-import { MSITokenCredentials, MSITokenResponse } from "./credentials/msiTokenCredentials";
+import { MSIVmTokenCredentials, MSIVmOptions } from "./credentials/msiVmTokenCredentials";
+import { MSIAppServiceTokenCredentials, MSIAppServiceOptions } from "./credentials/msiAppServiceTokenCredentials";
+import { MSITokenResponse } from "./credentials/msiTokenCredentials";
 
 function turnOnLogging() {
   const log = adal.Logging;
   log.setLoggingOptions(
     {
-      level: log.LOGGING_LEVEL.VERBOSE,
+      level: 3, // Please use log.LOGGING_LEVEL.VERBOSE once AD TypeScript mappings are updated,
       log: function (level: any, message: any, error: any) {
         level;
         console.info(message);
@@ -113,26 +115,12 @@ export interface LoginWithAuthFileOptions {
 }
 
 /**
- * @interface MSIOptions - Describes optional parameters for MSI authentication.
+ * Generic callback type definition.
+ *
+ * @property {Error} error - The error occurred if any, while executing the request; otherwise undefined
+ * @property {TResult} result - Result when call was successful.
  */
-export interface MSIOptions {
-  /**
-   * @property {number} port - Port on which the MSI service is running on the host VM. Default port is 50342
-   */
-  port?: number;
-  /**
-   * @property {string} resource - The resource uri or token audience for which the token is needed.
-   * For e.g. it can be:
-   * - resourcemanagement endpoint "https://management.azure.com"(default)
-   * - management endpoint "https://management.core.windows.net/"
-   */
-  resource?: string;
-  /**
-   * @property {string} aadEndpoint - The add endpoint for authentication. default - "https://login.microsoftonline.com"
-   */
-  aadEndpoint?: string;
-}
-
+export type Callback<TResult> = (error?: Error, result?: TResult) => void;
 /**
  * Provides a UserTokenCredentials object and the list of subscriptions associated with that userId across all the applicable tenants.
  * This method is applicable only for organizational ids that are not 2FA enabled otherwise please use interactive login.
@@ -710,16 +698,24 @@ export function withUsernamePassword(username: string, password: string, options
  * @param {string} domain - required. The tenant id.
  * @param {object} options - Optional parameters
  * @param {string} [options.port] - port on which the MSI service is running on the host VM. Default port is 50342
- * @param {string} [options.resource] - The resource uri or token audience for which the token is needed. Default - "https://management.azure.com"
+ * @param {string} [options.resource] - The resource uri or token audience for which the token is needed. Default - "https://management.azure.com/"
  * @param {string} [options.aadEndpoint] - The add endpoint for authentication. default - "https://login.microsoftonline.com"
  * @param {any} callback - the callback function.
  */
-function _withMSI(domain: string, options?: MSIOptions): Promise<MSITokenResponse> {
+function _withMSI(options?: MSIVmOptions): Promise<MSIVmTokenCredentials> {
   if (!options) {
     options = {};
   }
-  const creds = new MSITokenCredentials(domain, options.port, options.resource, options.aadEndpoint);
-  return creds.getToken();
+
+  return new Promise((resolve, reject) => {
+    const creds = new MSIVmTokenCredentials(options);
+    creds.getToken().then((_tokenResponse) => {
+      // We ignore the token response, it's put in the cache.
+      return resolve(creds);
+    }).catch(error => {
+      reject(error);
+    });
+  });
 }
 
 /**
@@ -741,43 +737,106 @@ function _withMSI(domain: string, options?: MSIOptions): Promise<MSITokenRespons
  * This method makes a request to the authentication service hosted on the VM
  * and gets back an access token.
  *
- * @param {string} [domain] - The domain or tenant id. This is a required parameter.
  * @param {object} [options] - Optional parameters
  * @param {string} [options.port] - port on which the MSI service is running on the host VM. Default port is 50342
  * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
  * For e.g. it can be:
- * - resourcemanagement endpoint "https://management.azure.com"(default)
+ * - resourcemanagement endpoint "https://management.azure.com/"(default)
  * - management endpoint "https://management.core.windows.net/"
- * @param {string} [options.aadEndpoint] - The add endpoint for authentication. default - "https://login.microsoftonline.com"
  * @param {function} [optionalCallback] The optional callback.
  *
  * @returns {function | Promise} If a callback was passed as the last parameter then it returns the callback else returns a Promise.
  *
  *    {function} optionalCallback(err, credentials)
- *                 {Error}  [err]            - The Error object if an error occurred, null otherwise.
- *                 {object} [tokenResponse]  - The tokenResponse (token_type and access_token are the two important properties)
+ *                 {Error}  [err]                               - The Error object if an error occurred, null otherwise.
+ *                 {object} [tokenResponse]                     - The tokenResponse (tokenType and accessToken are the two important properties)
  *    {Promise} A promise is returned.
- *             @resolve {MSITokenResponse} - The tokenResponse.
- *             @reject {Error} - The error object.
+ *             @resolve {object} - tokenResponse.
+ *             @reject {Error} - error object.
  */
-export function withMSI(domain: string): Promise<MSITokenResponse>;
-export function withMSI(domain: string, options: MSIOptions): Promise<MSITokenResponse>;
-export function withMSI(domain: string, options: MSIOptions, callback: { (err: Error, credentials: MSITokenResponse): void }): void;
-export function withMSI(domain: string, callback: any): any;
-export function withMSI(domain: string, options?: MSIOptions, callback?: { (err: Error, credentials: MSITokenResponse): void }): any {
+export function loginWithVmMSI(): Promise<MSIVmTokenCredentials>;
+export function loginWithVmMSI(options: MSIVmOptions): Promise<MSIVmTokenCredentials>;
+export function loginWithVmMSI(options: MSIVmOptions, callback: Callback<MSIVmTokenCredentials>): void;
+export function loginWithVmMSI(callback: Callback<MSIVmTokenCredentials>): void;
+export function loginWithVmMSI(options?: MSIVmOptions | Callback<MSIVmTokenCredentials>, callback?: Callback<MSIVmTokenCredentials>): void | Promise<MSIVmTokenCredentials> {
   if (!callback && typeof options === "function") {
     callback = options;
     options = {};
   }
   const cb = callback as Function;
   if (!callback) {
-    return _withMSI(domain, options);
+    return _withMSI(options as MSIVmOptions);
   } else {
-    msRest.promiseToCallback(_withMSI(domain, options))((err: Error, tokenRes: MSITokenResponse) => {
+    msRest.promiseToCallback(_withMSI(options as MSIVmOptions))((err: Error, tokenRes: MSITokenResponse) => {
       if (err) {
         return cb(err);
       }
       return cb(undefined, tokenRes);
     });
   }
-}
+}
+
+/**
+ * Private method
+ */
+function _withAppServiceMSI(options: MSIAppServiceOptions): Promise<MSIAppServiceTokenCredentials> {
+  if (!options) {
+    options = {};
+  }
+
+  return new Promise((resolve, reject) => {
+    const creds = new MSIAppServiceTokenCredentials(options);
+    creds.getToken().then((_tokenResponse) => {
+      // We ignore the token response, it's put in the cache.
+      return resolve(creds);
+    }).catch(error => {
+      reject(error);
+    });
+  });
+}
+
+/**
+ * Authenticate using the App Service MSI.
+ * @param {object} [options] - Optional parameters
+ * @param {string} [options.msiEndpoint] - The local URL from which your app can request tokens.
+ * Either provide this parameter or set the environment varaible `MSI_ENDPOINT`.
+ * For example: `MSI_ENDPOINT="http://127.0.0.1:41741/MSI/token/"`
+ * @param {string} [options.msiSecret] - The secret used in communication between your code and the local MSI agent.
+ * Either provide this parameter or set the environment varaible `MSI_SECRET`.
+ * For example: `MSI_SECRET="69418689F1E342DD946CB82994CDA3CB"`
+ * @param {string} [options.resource] - The resource uri or token audience for which the token is needed.
+ * For example, it can be:
+ * - resourcemanagement endpoint "https://management.azure.com/"(default)
+ * - management endpoint "https://management.core.windows.net/"
+ * @param {string} [options.msiApiVersion] - The api-version of the local MSI agent. Default value is "2017-09-01".
+ * @param {function} [optionalCallback] -  The optional callback.
+ * @returns {function | Promise} If a callback was passed as the last parameter then it returns the callback else returns a Promise.
+ *
+ *    {function} optionalCallback(err, credentials)
+ *                 {Error}  [err]                               - The Error object if an error occurred, null otherwise.
+ *                 {object} [tokenResponse]                     - The tokenResponse (tokenType and accessToken are the two important properties)
+ *    {Promise} A promise is returned.
+ *             @resolve {object} - tokenResponse.
+ *             @reject {Error} - error object.
+ */
+export function loginWithAppServiceMSI(): Promise<MSIAppServiceTokenCredentials>;
+export function loginWithAppServiceMSI(options: MSIAppServiceOptions): Promise<MSIAppServiceTokenCredentials>;
+export function loginWithAppServiceMSI(options: MSIAppServiceOptions, callback: Callback<MSIAppServiceTokenCredentials>): void;
+export function loginWithAppServiceMSI(callback: Callback<MSIAppServiceTokenCredentials>): void;
+export function loginWithAppServiceMSI(options?: MSIAppServiceOptions | Callback<MSIAppServiceTokenCredentials>, callback?: Callback<MSIAppServiceTokenCredentials>): void | Promise<MSIAppServiceTokenCredentials> {
+  if (!callback && typeof options === "function") {
+    callback = options;
+    options = {};
+  }
+  const cb = callback as Function;
+  if (!callback) {
+    return _withAppServiceMSI(options as MSIAppServiceOptions);
+  } else {
+    msRest.promiseToCallback(_withAppServiceMSI(options as MSIAppServiceOptions))((err: Error, tokenRes: MSITokenResponse) => {
+      if (err) {
+        return cb(err);
+      }
+      return cb(undefined, tokenRes);
+    });
+  }
+}

lib/credentials/applicationTokenCredentials.ts

@@ -1,16 +1,18 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-export { TokenCredentialsBase, TokenResponse } from "./credentials/tokenCredentialsBase";
+export { TokenCredentialsBase } from "./credentials/tokenCredentialsBase";
 export { ApplicationTokenCredentials } from "./credentials/applicationTokenCredentials";
 export { DeviceTokenCredentials } from "./credentials/deviceTokenCredentials";
 export { UserTokenCredentials } from "./credentials/userTokenCredentials";
-export { MSITokenCredentials, MSITokenResponse } from "./credentials/msiTokenCredentials";
+export { MSIOptions, MSITokenCredentials, MSITokenResponse } from "./credentials/msiTokenCredentials";
+export { MSIAppServiceOptions, MSIAppServiceTokenCredentials } from "./credentials/msiAppServiceTokenCredentials";
+export { MSIVmOptions, MSIVmTokenCredentials } from "./credentials/msiVmTokenCredentials";
 export { AuthConstants, TokenAudience } from "./util/authConstants";
 export { LinkedSubscription, LinkedUser, UserType } from "./subscriptionManagement/subscriptionUtils";
 export {
   AuthResponse, LoginWithAuthFileOptions, InteractiveLoginOptions,
-  MSIOptions, AzureTokenCredentialsOptions, LoginWithUsernamePasswordOptions,
+  AzureTokenCredentialsOptions, LoginWithUsernamePasswordOptions,
   interactive as interactiveLogin,
   withInteractiveWithAuthResponse as interactiveLoginWithAuthResponse,
   withUsernamePassword as loginWithUsernamePassword,
@@ -19,5 +21,4 @@ export {
   withServicePrincipalSecretWithAuthResponse as loginWithServicePrincipalSecretWithAuthResponse,
   withAuthFile as loginWithAuthFile,
   withAuthFileWithAuthResponse as loginWithAuthFileWithAuthResponse,
-  withMSI as loginWithMSI,
 } from "./login";

lib/credentials/deviceTokenCredentials.ts

@@ -6,7 +6,8 @@ export const AuthConstants = {
   "DEFAULT_ADAL_CLIENT_ID": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
   "SDK_INTERNAL_ERROR": "SDK_INTERNAL_ERROR",
   "DEFAULT_LANGUAGE": "en-us",
-  "AZURE_AUTH_LOCATION": "AZURE_AUTH_LOCATION"
+  "AZURE_AUTH_LOCATION": "AZURE_AUTH_LOCATION",
+  "RESOURCE_MANAGER_ENDPOINT": "https://management.azure.com/"
 };
 
 export type TokenAudience = "graph" | "batch" | string | undefined;

lib/credentials/msiAppServiceTokenCredentials.ts

@@ -34,10 +34,14 @@
   },
   "license": "MIT",
   "devDependencies": {
-    "@types/mocha": "^2.2.40",
-    "@types/should": "^8.1.30",
+    "@types/chai": "^4.1.4",
+    "@types/mocha": "^2.2.48",
+    "chai": "^4.1.2",
     "mocha": "^5.2.0",
-    "should": "5.2.0",
+    "nock": "^9.6.1",
+    "npm-run-all": "^4.1.3",
+    "nyc": "^13.0.1",
+    "ts-node": "^7.0.1",
     "tslint": "^5.2.0",
     "typescript": "^2.5.2"
   },
@@ -51,7 +55,8 @@
   },
   "scripts": {
     "tsc": "tsc -p tsconfig.json",
-    "test": "npm -s run-script tslint",
+    "test": "run-p tslint test:unit",
+    "test:unit": "nyc mocha",
     "unit": "mocha -t 50000 dist/test",
     "build": "npm -s run-script tsc",
     "tslint": "tslint -p . -c tslint.json --exclude test/**/*.ts"

lib/credentials/msiTokenCredentials.ts

@@ -0,0 +1,158 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+import * as msRestAzure from "../../lib/login";
+import { MSIAppServiceTokenCredentials } from "../../lib/credentials/msiAppServiceTokenCredentials";
+import { expect, assert } from "chai";
+import { WebResource, HttpHeaders, HttpClient, HttpOperationResponse } from "ms-rest-js";
+
+describe("MSI App Service Authentication", function () {
+
+  function getMockHttpClient(response?: any, error?: any): HttpClient {
+    const httpClient = {
+      sendRequest: async (request: WebResource): Promise<HttpOperationResponse> => {
+        if (error === undefined) {
+          const httpResponse: HttpOperationResponse = {
+            request: request,
+            status: 200,
+            headers: new HttpHeaders(),
+            bodyAsText: JSON.stringify(response)
+          };
+          return Promise.resolve(httpResponse);
+        } else {
+          return Promise.reject(error);
+        }
+      }
+    };
+
+    return httpClient;
+  }
+
+  describe("Credential getToken()", async () => {
+    it("should get token from the App service MSI by providing optional properties", async () => {
+      const mockResponse = {
+        access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d",
+        expires_in: "3599",
+        expires_on: "1502930996",
+        resource: "https://management.azure.com/",
+        token_type: "Bearer"
+      };
+
+      const httpClient = getMockHttpClient(mockResponse);
+      const msiCredsObj = new MSIAppServiceTokenCredentials({
+        msiEndpoint: "http://127.0.0.1:41741/MSI/token/",
+        msiSecret: "69418689F1E342DD946CB82994CDA3CB",
+        httpClient: httpClient
+      });
+
+      const response = await msiCredsObj.getToken();
+      expect(response).to.exist;
+      expect(response!.accessToken).to.exist;
+      expect(response!.tokenType).to.exist;
+    });
+
+    it("should get token from the App service MSI by reading the environment variables", async () => {
+      const mockResponse = {
+        access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d",
+        expires_in: "3599",
+        expires_on: "1502930996",
+        resource: "https://management.azure.com/",
+        token_type: "Bearer"
+      };
+
+
+      const httpClient = getMockHttpClient(mockResponse);
+      process.env["MSI_ENDPOINT"] = "http://127.0.0.1:41741/MSI/token/";
+      process.env["MSI_SECRET"] = "69418689F1E342DD946CB82994CDA3CB";
+      const msiCredsObj = new MSIAppServiceTokenCredentials({ httpClient: httpClient });
+      const response = await msiCredsObj.getToken();
+      expect(response).to.exist;
+      expect(response!.accessToken).to.exist;
+      expect(response!.tokenType).to.exist;
+    });
+
+    it('should throw if the response contains "ExceptionMessage"', async function () {
+      const errorResponse = {
+        "error": "unknown",
+        "error_description": "ExceptionMessage: Failed to retrieve token from the Active directory. For details see logs in C:\\User1\\Logs\\Plugins\\Microsoft.Identity.MSI\\1.0\\service_identity_0.log"
+      };
+
+      const httpClient = getMockHttpClient(undefined, errorResponse);
+      process.env["MSI_ENDPOINT"] = "http://127.0.0.1:41741/MSI/token/";
+      process.env["MSI_SECRET"] = "69418689F1E342DD946CB82994CDA3CB";
+      const msiCredsObj = new MSIAppServiceTokenCredentials({ httpClient: httpClient });
+      try {
+        await msiCredsObj.getToken();
+        assert.fail(undefined, undefined, "getToken should throw an exception");
+      }
+      catch (err) {
+        expect(err);
+      }
+    });
+  });
+
+  describe("loginWithAppServiceMSI (callback)", () => {
+
+    it("should successfully provide MSIAppServiceTokenCredentials object by providing optional properties", (done) => {
+      const mockResponse = {
+        access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d",
+        expires_in: "3599",
+        expires_on: "1502930996",
+        resource: "https://management.azure.com/",
+        token_type: "Bearer"
+      };
+
+      const httpClient = getMockHttpClient(mockResponse);
+
+      const options = {
+        msiEndpoint: "http://127.0.0.1:41741/MSI/token/",
+        msiSecret: "69418689F1E342DD946CB82994CDA3CB",
+        httpClient: httpClient
+      };
+
+      msRestAzure.loginWithAppServiceMSI(options, (error, response) => {
+        expect(error).to.not.exist;
+        expect(response).to.exist;
+        expect(response instanceof MSIAppServiceTokenCredentials).to.be.true;
+        done();
+      });
+    });
+
+    it("should successfully provide MSIAppServiceTokenCredentials object by reading the environment variables", async () => {
+      const mockResponse = {
+        access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d",
+        expires_in: "3599",
+        expires_on: "1502930996",
+        resource: "https://management.azure.com/",
+        token_type: "Bearer"
+      };
+
+      const httpClient = getMockHttpClient(mockResponse);
+      process.env["MSI_ENDPOINT"] = "http://127.0.0.1:41741/MSI/token/";
+      process.env["MSI_SECRET"] = "69418689F1E342DD946CB82994CDA3CB";
+
+      const response = await msRestAzure.loginWithAppServiceMSI({ httpClient: httpClient });
+
+      expect(response).to.exist;
+      expect(response instanceof MSIAppServiceTokenCredentials).to.be.true;
+    });
+
+    it('should throw if the response contains "ExceptionMessage"', async () => {
+      const errorResponse = {
+        "error": "unknown",
+        "error_description": "ExceptionMessage: Failed to retrieve token from the Active directory. For details see logs in C:\\User1\\Logs\\Plugins\\Microsoft.Identity.MSI\\1.0\\service_identity_0.log"
+      };
+
+      const httpClient = getMockHttpClient(undefined, errorResponse);
+      process.env["MSI_ENDPOINT"] = "http://127.0.0.1:41741/MSI/token/";
+      process.env["MSI_SECRET"] = "69418689F1E342DD946CB82994CDA3CB";
+
+      try {
+        await msRestAzure.loginWithAppServiceMSI({ httpClient: httpClient });
+        assert.fail(undefined, undefined, "loginWithAppServiceMSI should throw an exception");
+      } catch (err) {
+        expect(err).to.exist;
+      }
+    });
+  });
+});

lib/credentials/msiVmTokenCredentials.ts

@@ -0,0 +1,136 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+import { MSIVmTokenCredentials } from "../../lib/credentials/msiVmTokenCredentials";
+import { expect, assert } from "chai";
+import { HttpClient, HttpOperationResponse, WebResource, HttpHeaders } from "ms-rest-js";
+
+describe("MSI Vm Authentication", () => {
+
+  function setupNockResponse(port?: number, request?: any, response?: any, error?: any): HttpClient {
+    if (!port) {
+      port = 50342;
+    }
+
+    const isMatch = (actualRequest: WebResource, expectedResource: any) => {
+      return actualRequest.url === `http://localhost:${port}/oauth2/token` && actualRequest.body === `"resource=${encodeURIComponent(expectedResource.resource)}"`;
+    };
+
+    const httpClient = {
+      sendRequest: async (req: WebResource): Promise<HttpOperationResponse> => {
+        if (error === undefined && isMatch(req, request)) {
+          const httpResponse: HttpOperationResponse = {
+            request: req,
+            status: 200,
+            headers: new HttpHeaders(),
+            bodyAsText: JSON.stringify(response)
+          };
+          return Promise.resolve(httpResponse);
+        } else {
+          return Promise.reject(error);
+        }
+      }
+    };
+
+    return httpClient;
+  }
+
+  it("should get token from the virtual machine with MSI service running at default port", async () => {
+    const mockResponse = {
+      access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d",
+      refresh_token: "",
+      expires_in: "3599",
+      expires_on: "1502930996",
+      not_before: "1502927096",
+      resource: "https://management.azure.com/",
+      token_type: "Bearer"
+    };
+
+    const requestBodyToMatch = {
+      "resource": "https://management.azure.com/"
+    };
+
+    const httpClient = setupNockResponse(undefined, requestBodyToMatch, mockResponse);
+
+    const msiCredsObj = new MSIVmTokenCredentials({ httpClient: httpClient });
+    const response = await msiCredsObj.getToken();
+    expect(response).to.exist;
+    expect(response!.accessToken).to.exist;
+    expect(response!.tokenType).to.exist;
+  });
+
+  it("should get token from the virtual machine with MSI service running at custom port", async () => {
+    const mockResponse = {
+      access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d",
+      refresh_token: "",
+      expires_in: "3599",
+      expires_on: "1502930996",
+      not_before: "1502927096",
+      resource: "https://management.azure.com/",
+      token_type: "Bearer"
+    };
+
+    const requestBodyToMatch = {
+      "resource": "https://management.azure.com/"
+    };
+
+    const customPort = 50341;
+    const httpClient = setupNockResponse(customPort, requestBodyToMatch, mockResponse);
+
+    const msiCredsObj = new MSIVmTokenCredentials({ port: customPort, httpClient: httpClient });
+    const response = await msiCredsObj.getToken();
+    expect(response).to.exist;
+    expect(response!.accessToken).to.exist;
+    expect(response!.tokenType).to.exist;
+  });
+
+  it("should throw on requests with bad resource", async () => {
+    const errorMessage = "unknown";
+    const errorDescription = "Failed to retrieve token from the Active directory. For details see logs in C:\\User1\\Logs\\Plugins\\Microsoft.Identity.MSI\\1.0\\service_identity_0.log";
+    const errorResponse = {
+      "error": errorMessage,
+      "error_description": errorDescription
+    };
+
+    const requestBodyToMatch = {
+      "resource": "badvalue"
+    };
+
+    const httpClient = setupNockResponse(undefined, requestBodyToMatch, undefined, errorResponse);
+    const msiCredsObj = new MSIVmTokenCredentials({ "resource": "badvalue", httpClient: httpClient });
+
+    try {
+      await msiCredsObj.getToken();
+      assert.fail(undefined, undefined, "getToken should throw an exception");
+    } catch (err) {
+      expect(err).to.exist;
+      expect((err as any).error).to.equal(errorMessage);
+      expect((err as any).error_description).to.equal(errorDescription);
+    }
+  });
+
+  it("should throw on request with empty resource", async () => {
+    const errorMessage = "bad_resource_200";
+    const errorDescription = "Invalid Resource";
+    const errorResponse = {
+      "error": errorMessage,
+      "error_description": errorDescription
+    };
+
+    const requestBodyToMatch = {
+      "resource": "  "
+    };
+
+    const httpClient = setupNockResponse(undefined, requestBodyToMatch, undefined, errorResponse);
+    const msiCredsObj = new MSIVmTokenCredentials({ "resource": "  ", httpClient: httpClient });
+
+    try {
+      await msiCredsObj.getToken();
+      assert.fail(undefined, undefined, "getToken should throw an exception");
+    } catch (err) {
+      expect(err).to.exist;
+      expect((err as any).error).to.equal(errorMessage);
+      expect((err as any).error_description).to.equal(errorDescription);
+    }
+  });
+});

lib/credentials/tokenClientCredentials.ts

@@ -0,0 +1,5 @@
+--require ts-node/register
+--timeout 50000
+--reporter list
+--colors
+test/**/*.ts

lib/credentials/tokenCredentialsBase.ts

@@ -50,6 +50,7 @@
         "prefer-const": true,
         "no-switch-case-fall-through": true,
         "triple-equals": true,
-        "jsdoc-format": true
+        "jsdoc-format": true,
+        "max-classes-per-file": [true, 1]
     }
 }