From 1b68061265b7aa95ff30c4e1eef8022776f7b4fd Mon Sep 17 00:00:00 2001
From: "red-hat-konflux[bot]"
<126015336+red-hat-konflux[bot]@users.noreply.github.com>
Date: Sun, 21 Jun 2026 06:24:35 +0000
Subject: [PATCH] chore(deps): update module
github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.14.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
---
go.mod | 2 +-
go.sum | 8 +-
.../sdk/azidentity/CHANGELOG.md | 50 ++++
.../sdk/azidentity/TROUBLESHOOTING.md | 23 +-
.../sdk/azidentity/authentication_record.go | 3 -
.../sdk/azidentity/azidentity.go | 5 +-
.../sdk/azidentity/azure_cli_credential.go | 5 +-
.../azure_developer_cli_credential.go | 5 -
.../azidentity/azure_pipelines_credential.go | 2 +-
.../azidentity/chained_token_credential.go | 3 -
.../azure-sdk-for-go/sdk/azidentity/ci.yml | 4 +-
.../azidentity/client_assertion_credential.go | 3 -
.../client_certificate_credential.go | 3 -
.../azidentity/client_secret_credential.go | 3 -
.../sdk/azidentity/confidential_client.go | 5 +-
.../azidentity/default_azure_credential.go | 3 -
.../azidentity/developer_credential_util.go | 51 +++-
.../sdk/azidentity/device_code_credential.go | 3 -
.../sdk/azidentity/environment_credential.go | 3 -
.../azure-sdk-for-go/sdk/azidentity/errors.go | 55 +++--
.../azure-sdk-for-go/sdk/azidentity/go.work | 6 -
.../interactive_browser_credential.go | 3 -
.../internal/customtokenproxy/transport.go | 233 ++++++++++++++++++
.../sdk/azidentity/logging.go | 3 -
.../sdk/azidentity/managed_identity_client.go | 5 -
.../azidentity/managed_identity_credential.go | 3 -
.../sdk/azidentity/on_behalf_of_credential.go | 3 -
.../sdk/azidentity/public_client.go | 3 -
.../username_password_credential.go | 3 -
.../sdk/azidentity/version.go | 5 +-
.../sdk/azidentity/workload_identity.go | 25 +-
vendor/modules.txt | 5 +-
32 files changed, 408 insertions(+), 128 deletions(-)
delete mode 100644 vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/go.work
create mode 100644 vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy/transport.go
diff --git a/go.mod b/go.mod
index 0eaa73fbb..075418d57 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
dario.cat/mergo v1.0.2 // indirect
github.com/42wim/httpsig v1.2.4 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.22.0 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.7.2 // indirect
diff --git a/go.sum b/go.sum
index fa87829ea..7875a6273 100644
--- a/go.sum
+++ b/go.sum
@@ -12,10 +12,10 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.22.0 h1:aokoqcHvaGjiM3VpjKDfMMnF/8epJ+Q1HLJ7CudztqE=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.22.0/go.mod h1:/WYEx9pcM9Y+Dd/APJaNlSvVSvzl54rrMdZT5+Oi2LM=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0 h1:CU4+EJeJi3TKYWEcYuSdWsjzw0nVsK/H0MSQOiPcymU=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0/go.mod h1:q0+UTSRvShwUCrR/s5HtyInYphN7Wvxb7snFM3u+SLA=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.4.0 h1:xFaZZ+IubdftrDHnGGwZ6QvQ3KHTtWl2MCK+GMt2vxs=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.4.0/go.mod h1:mCBhUhlMjLLJKr5aqw2TNS/VqJOie8MzWq3DAMJeKso=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 h1:fhqpLE3UEXi9lPaBRpQ6XuRW0nU7hgg4zlmZZa+a9q4=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0/go.mod h1:7dCRMLwisfRH3dBupKeNCioWYUZ4SS09Z14H+7i8ZoY=
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index 4a6349e16..ba360a30e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,11 +1,61 @@
# Release History
+## 1.14.0 (2026-06-15)
+
+### Breaking Changes
+
+> These changes affect only code written against a beta version such as v1.14.0-beta.3
+- Removed `WorkloadIdentityCredentialOptions.EnableAzureProxy`.
+ It will return in v1.15.0-beta.1
+
+### Bugs Fixed
+
+- `AzureDeveloperCLICredential` improved reporting of error messages returned from `azd`
+
+### Other Changes
+
+- Returned `azidentity` errors include links to the troubleshooting guide when appropriate
+- This module now requires a minimum Go version of 1.25
+- Upgraded dependencies
+
+## 1.14.0-beta.3 (2026-02-10)
+
+### Breaking Changes
+
+> These changes affect only code written against a beta version such as v1.14.0-beta.2
+- Renamed `WorkloadIdentityCredentialOptions.EnableAzureTokenProxy` to `EnableAzureProxy`
+
+### Other Changes
+
+- Removed extraneous JSON from `AzureDeveloperCLICredential` errors
+
+## 1.14.0-beta.2 (2025-11-10)
+
+### Breaking Changes
+
+> These changes affect only code written against a beta version such as v1.13.0-beta.1
+- `WorkloadIdentityCredential` identity binding mode is disabled by default. To enable it, set
+ `WorkloadIdentityCredentialOptions.EnableAzureTokenProxy` to `true`
+- Removed identity binding mode support from `DefaultAzureCredential`. To use this feature, use
+ `WorkloadIdentityCredential` directly instead and set
+ `WorkloadIdentityCredentialOptions.EnableAzureTokenProxy` to `true`
+
+### Bugs Fixed
+
+- `AzureCLICredential` quoted arguments incorrectly on Windows
+
## 1.13.1 (2025-11-10)
### Bugs Fixed
- `AzureCLICredential` quoted arguments incorrectly on Windows
+## 1.14.0-beta.1 (2025-10-07)
+
+### Features Added
+
+- Restored the `WorkloadIdentityCredential` identity binding mode support removed in v1.13.0
+
## 1.13.0 (2025-10-07)
### Features Added
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 517006a42..c69664a84 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -83,7 +83,7 @@ azlog.SetEvents(azidentity.EventAuthentication)
| Error |Description| Mitigation |
|---|---|---|
-|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|
- [Enable logging](#enable-and-configure-logging) to get further diagnostic information.
- Consult the troubleshooting guide for underlying credential types for more information.
- [EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)
- [ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)
- [AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)
|
+|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|- [Enable logging](#enable-and-configure-logging) to get further diagnostic information.
- Consult the troubleshooting guide for underlying credential types for more information.
- [EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)
- [ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)
- [AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)
|
|Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|- [Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.
- If an unexpected credential is returning a token, check application configuration such as environment variables.
- Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.
|
|"managed identity timed out"|`DefaultAzureCredential` sets a short timeout on its first managed identity authentication attempt to prevent very long timeouts during local development when no managed identity is available. That timeout causes this error in production when an application requests a token before the hosting environment is ready to provide one.|Use [ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential) directly, at least in production. It doesn't set a timeout on its authentication attempts.|
|invalid AZURE_TOKEN_CREDENTIALS value "..."|AZURE_TOKEN_CREDENTIALS has an unexpected value|Specify a valid value as described in [DefaultAzureCredential documentation](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential)
@@ -130,7 +130,7 @@ azlog.SetEvents(azidentity.EventAuthentication)
|The requested identity hasn’t been assigned to this resource.|The IMDS endpoint responded with a status code of 400, indicating the requested identity isn’t assigned to the VM.|If using a user assigned identity, ensure the specified ID is correct.If using a system assigned identity, make sure it has been enabled as described in [managed identity documentation](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm).|
|The request failed due to a gateway error.|The request to the IMDS endpoint failed due to a gateway error, 502 or 504 status code.|IMDS doesn't support requests via proxy or gateway. Disable proxies or gateways running on the VM for requests to the IMDS endpoint `http://169.254.169.254`|
|No response received from the managed identity endpoint.|No response was received for the request to IMDS or the request timed out.|- Ensure the VM is configured for managed identity as described in [managed identity documentation](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm).
- Verify the IMDS endpoint is reachable on the VM. See [below](#verify-imds-is-available-on-the-vm) for instructions.
|
-|Multiple attempts failed to obtain a token from the managed identity endpoint.|The credential has exhausted its retries for a token request.|- Refer to the error message for more details on specific failures.
- Ensure the VM is configured for managed identity as described in [managed identity documentation](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm).
- Verify the IMDS endpoint is reachable on the VM. See [below](#verify-imds-is-available-on-the-vm) for instructions.
|
+|Multiple attempts failed to obtain a token from the managed identity endpoint.|The credential has exhausted its retries for a token request.|- Refer to the error message for more details on specific failures.
- Ensure the VM is configured for managed identity as described in [managed identity documentation](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm).
- Verify the IMDS endpoint is reachable on the VM. See [below](#verify-imds-is-available-on-the-vm) for instructions.
|
#### Verify IMDS is available on the VM
@@ -193,17 +193,26 @@ az account get-access-token --output json --resource https://management.core.win
#### Verify the Azure Developer CLI can obtain tokens
-You can manually verify that the Azure Developer CLI is properly authenticated and can obtain tokens. First, use the `config` command to verify the account that is currently logged in to the Azure Developer CLI.
+You can manually verify that the Azure Developer CLI is properly authenticated and can obtain tokens. Execute the command corresponding to your CLI version to verify the account currently logged in.
-```sh
-azd config list
-```
+- In Azure Developer CLI versions >= 1.23.0:
+
+ ```sh
+ azd auth status
+ ```
+
+- In Azure Developer CLI versions < 1.23.0:
+
+ ```sh
+ azd config list
+ ```
Once you've verified the Azure Developer CLI is using correct account, you can validate that it's able to obtain tokens for this account.
```sh
azd auth token --output json --scope https://management.core.windows.net/.default
```
+
>Note that output of this command will contain a valid access token, and SHOULD NOT BE SHARED to avoid compromising account security.
@@ -239,7 +248,7 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
| Error Message |Description| Mitigation |
|---|---|---|
-|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.- If your application runs on Azure Kubernetes Service (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.
- If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
+|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.
- If your application runs on Azure Kubernetes Service (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.
- If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
## Troubleshoot AzurePipelinesCredential authentication issues
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/authentication_record.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/authentication_record.go
index 840a71469..2b89963e6 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/authentication_record.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/authentication_record.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
index bd196ddd3..e8699c46a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -154,7 +151,7 @@ func validTenantID(tenantID string) bool {
return false
}
for _, r := range tenantID {
- if !(alphanumeric(r) || r == '.' || r == '-') {
+ if !alphanumeric(r) && r != '.' && r != '-' {
return false
}
}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
index 6944152c9..d34a255b3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -57,7 +54,7 @@ func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredent
cp = *options
}
for _, r := range cp.Subscription {
- if !(alphanumeric(r) || r == '-' || r == '_' || r == ' ' || r == '.') {
+ if !alphanumeric(r) && r != '-' && r != '_' && r != ' ' && r != '.' {
return nil, fmt.Errorf(
"%s: Subscription %q contains invalid characters. If this is the name of a subscription, use its ID instead",
credNameAzureCLI,
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_developer_cli_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_developer_cli_credential.go
index f97bf95df..76e2d966c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_developer_cli_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_developer_cli_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -115,8 +112,6 @@ func (c *AzureDeveloperCLICredential) GetToken(ctx context.Context, opts policy.
mfaRequired+". Run this command then retry the operation: "+commandNoClaims,
nil,
)
- case strings.Contains(msg, "azd auth login"):
- err = newCredentialUnavailableError(credNameAzureDeveloperCLI, `please run "azd auth login" from a command prompt to authenticate before using this credential`)
}
err = unavailableIfInDAC(err, c.opts.inDefaultChain)
return at, err
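Review bot: With the `azd auth login` case removed, an azd that is not logged in no longer produces a credentialUnavailable error when AzureDeveloperCLICredential is used on its own; the error returned by shellExec (presumably an AuthenticationFailedError carrying azd's stderr, now filtered through extractAzdError) is passed straight through, and only the DefaultAzureCredential path is converted by `unavailableIfInDAC`. Callers outside the chain that rely on `errors.As` against credentialUnavailable to fall back to another credential will stop matching this case. If that is intended, record it in GetToken's doc comment, e.g. `// A missing azd login is reported as an AuthenticationFailedError carrying azd's own message; it becomes credentialUnavailable only inside DefaultAzureCredential`. GetToken's body begins and ends outside this hunk.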
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
index a4b8ab6f4..3e7f0082e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
@@ -89,7 +89,7 @@ func NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, system
options = &AzurePipelinesCredentialOptions{}
}
// these headers are useful to the DevOps team when debugging OIDC error responses
- options.ClientOptions.Logging.AllowedHeaders = append(options.ClientOptions.Logging.AllowedHeaders, xMsEdgeRef, xVssE2eId)
+ options.Logging.AllowedHeaders = append(options.Logging.AllowedHeaders, xMsEdgeRef, xVssE2eId)
caco := ClientAssertionCredentialOptions{
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
Cache: options.Cache,
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go
index 82342a025..150305a70 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
index 51dd97939..7e05ddcec 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
@@ -29,13 +29,13 @@ extends:
SubscriptionConfigurations:
- $(sub-config-identity-test-resources)
EnableRaceDetector: true
- Location: westus2
- RunLiveTests: true
+ Location: westus3
ServiceDirectory: azidentity
UsePipelineProxy: false
${{ if endsWith(variables['Build.DefinitionName'], 'weekly') }}:
PersistOidcToken: true
+ RunLiveTests: true
MatrixConfigs:
- Name: managed_identity_matrix
GenerateVMJobs: true
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
index 2307da86f..6be7576be 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
index 9e6bca1c9..45476f942 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
index f0890fe1e..cd64d8e28 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
index 58c4b585c..6af3b4147 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -111,7 +108,7 @@ func (c *confidentialClient) GetToken(ctx context.Context, tro policy.TokenReque
authFailedErr *AuthenticationFailedError
unavailableErr credentialUnavailable
)
- if !(errors.As(err, &unavailableErr) || errors.As(err, &authFailedErr)) {
+ if !errors.As(err, &unavailableErr) && !errors.As(err, &authFailedErr) {
err = newAuthenticationFailedErrorFromMSAL(c.name, err)
}
} else {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
index aaaabc5c2..3751ba9c0 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
index cb7dbe2e4..e797baf85 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -9,6 +6,7 @@ package azidentity
import (
"bytes"
"context"
+ "encoding/json"
"errors"
"os"
"os/exec"
@@ -45,12 +43,15 @@ var shellExec = func(ctx context.Context, credName, command string) ([]byte, err
return stdout, nil
}
if err != nil {
- msg := stderr.String()
+ msg := strings.Trim(stderr.String(), "\r\n")
var exErr *exec.ExitError
if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.Contains(msg, "' is not recognized") {
return nil, newCredentialUnavailableError(credName, "executable not found on path")
}
- if credName == credNameAzurePowerShell {
+ switch credName {
+ case credNameAzureDeveloperCLI:
+ msg = extractAzdError(msg)
+ case credNameAzurePowerShell:
if strings.Contains(msg, "Connect-AzAccount") {
msg = `Please run "Connect-AzAccount" to set up an account`
}
@@ -80,9 +81,47 @@ func unavailableIfInDAC(err error, inDefaultChain bool) error {
// validScope is for credentials authenticating via external tools. The authority validates scopes for all other credentials.
func validScope(scope string) bool {
for _, r := range scope {
- if !(alphanumeric(r) || r == '.' || r == '-' || r == '_' || r == '/' || r == ':') {
+ if !alphanumeric(r) && r != '.' && r != '-' && r != '_' && r != '/' && r != ':' {
return false
}
}
return true
}
+
+// extractAzdError extracts a human-readable error message from azd's stderr JSON output.
+// azd writes JSON error messages to stderr. The format depends on the azd version:
+// - v1.23.7+: {"error":"...","message":"...","suggestion":"..."} (may be preceded by an empty consoleMessage line)
+// - pre-v1.23.7: {"type":"consoleMessage","data":{"message":"..."}}
+//
+// Prefer the structured "error" format, fall back to legacy consoleMessage.
+func extractAzdError(msg string) string {
+ lines := strings.Split(msg, "\n")
+ fallback := ""
+ for _, line := range lines {
+ line = strings.TrimSpace(line)
+
+ var errObj struct {
+ Error string `json:"error"`
+ }
+ if json.Unmarshal([]byte(line), &errObj) == nil && errObj.Error != "" {
+ return errObj.Error
+ }
+
+ if fallback == "" {
+ var obj struct {
+ Data struct {
+ Message string `json:"message"`
+ } `json:"data"`
+ }
+ if json.Unmarshal([]byte(line), &obj) == nil {
+ if m := strings.TrimSpace(obj.Data.Message); m != "" {
+ fallback = m
+ }
+ }
+ }
+ }
+ if fallback != "" {
+ return fallback
+ }
+ return msg
+}
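Review bot: extractAzdError discards azd's `suggestion` field even though the header comment lists it as part of the v1.23.7+ format alongside `error`, and this commit also removes the credential's own `azd auth login` hint in azure_developer_cli_credential.go, so the surfaced message can name a failure with no remediation step (presumably the step now lives in `suggestion`). Decoding `suggestion` into the same struct and appending it when non-empty keeps the structured path self-explanatory; the consoleMessage fallback and the final `return msg` are unchanged. The rewritten decode follows.
```go
		var errObj struct {
			Error      string `json:"error"`
			Suggestion string `json:"suggestion"`
		}
		if json.Unmarshal([]byte(line), &errObj) == nil && errObj.Error != "" {
			if s := strings.TrimSpace(errObj.Suggestion); s != "" {
				return errObj.Error + ". " + s
			}
			return errObj.Error
		}
		// … unchanged: consoleMessage fallback …
```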
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
index 53ae9767f..88e9215e6 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
index f04d40ea4..3c59b5e73 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index 33cb63be0..9aa9b5b17 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -12,6 +9,7 @@ import (
"errors"
"fmt"
"net/http"
+ "strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
@@ -19,6 +17,19 @@ import (
msal "github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors"
)
+// tsgAnchors maps credential type names to sections of the troubleshooting
+// guide at https://aka.ms/azsdk/go/identity/troubleshoot
+var tsgAnchors = map[string]string{
+ credNameAzureCLI: "azure-cli",
+ credNameAzureDeveloperCLI: "azd",
+ credNameAzurePipelines: "apc",
+ credNameAzurePowerShell: "azure-pwsh",
+ credNameCert: "client-cert",
+ credNameManagedIdentity: "managed-id",
+ credNameSecret: "client-secret",
+ credNameWorkloadIdentity: "workload",
+}
+
// getResponseFromError retrieves the response carried by
// an AuthenticationFailedError or MSAL CallErr, if any
func getResponseFromError(err error) *http.Response {
@@ -61,8 +72,19 @@ func newAuthenticationFailedErrorFromMSAL(credType string, err error) error {
// Error implements the error interface. Note that the message contents are not contractual and can change over time.
func (e *AuthenticationFailedError) Error() string {
+ link := ""
+ if anchor, ok := tsgAnchors[e.credType]; ok {
+ link = "To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#" + anchor
+ }
if e.RawResponse == nil || e.omitResponse {
- return e.credType + ": " + e.message
+ if link != "" {
+ prefix := " "
+ if !strings.HasSuffix(e.message, ".") {
+ prefix = ". "
+ }
+ link = prefix + link
+ }
+ return e.credType + ": " + e.message + link
}
msg := &bytes.Buffer{}
fmt.Fprintf(msg, "%s authentication failed. %s\n", e.credType, e.message)
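Review bot: The new `strings.HasSuffix(e.message, ".")` check inserts ". " after any message that does not end in a period, so a message ending in "!" or "?" renders as "!. To troubleshoot…", and if e.message can be empty the result is `credType: . To troubleshoot…`. Testing the last byte against the sentence terminators and skipping the separator for an empty message covers both: `if e.message != "" && !strings.ContainsAny(e.message[len(e.message)-1:], ".!?") {`. The response-bearing branch in the next hunk only newline-prefixes the same `link`, so it is unaffected. Error's body continues past this hunk.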
@@ -88,29 +110,10 @@ func (e *AuthenticationFailedError) Error() string {
default:
fmt.Fprint(msg, "Response contained no body")
}
- fmt.Fprintln(msg, "\n--------------------------------------------------------------------------------")
- var anchor string
- switch e.credType {
- case credNameAzureCLI:
- anchor = "azure-cli"
- case credNameAzureDeveloperCLI:
- anchor = "azd"
- case credNameAzurePipelines:
- anchor = "apc"
- case credNameCert:
- anchor = "client-cert"
- case credNameAzurePowerShell:
- anchor = "azure-pwsh"
- case credNameSecret:
- anchor = "client-secret"
- case credNameManagedIdentity:
- anchor = "managed-id"
- case credNameWorkloadIdentity:
- anchor = "workload"
- }
- if anchor != "" {
- fmt.Fprintf(msg, "To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#%s", anchor)
+ if link != "" {
+ link = "\n" + link
}
+ fmt.Fprint(msg, "\n--------------------------------------------------------------------------------"+link)
return msg.String()
}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/go.work b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/go.work
deleted file mode 100644
index 6dd5b3d64..000000000
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/go.work
+++ /dev/null
@@ -1,6 +0,0 @@
-go 1.23.0
-
-use (
- .
- ./cache
-)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
index ec89de9b5..2d3eb8c08 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy/transport.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy/transport.go
new file mode 100644
index 000000000..6c0fc6244
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy/transport.go
@@ -0,0 +1,233 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package customtokenproxy
+
+import (
+ "bytes"
+ "crypto/tls"
+ "crypto/x509"
+ "errors"
+ "fmt"
+ "net/http"
+ "net/url"
+ "os"
+ "time"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+)
+
+const (
+ AzureKubernetesCAData = "AZURE_KUBERNETES_CA_DATA"
+ AzureKubernetesCAFile = "AZURE_KUBERNETES_CA_FILE"
+ AzureKubernetesSNIName = "AZURE_KUBERNETES_SNI_NAME"
+
+ AzureKubernetesTokenProxy = "AZURE_KUBERNETES_TOKEN_PROXY"
+)
+
+func parseAndValidate(endpoint string) (*url.URL, error) {
+ tokenProxy, err := url.Parse(endpoint)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse custom token proxy URL %q: %s", endpoint, err)
+ }
+ if tokenProxy.Scheme != "https" {
+ return nil, fmt.Errorf("custom token endpoint must use https scheme, got %q", tokenProxy.Scheme)
+ }
+ if tokenProxy.User != nil {
+ return nil, fmt.Errorf("custom token endpoint URL %q must not contain user info", tokenProxy)
+ }
+ if tokenProxy.RawQuery != "" {
+ return nil, fmt.Errorf("custom token endpoint URL %q must not contain a query", tokenProxy)
+ }
+ if tokenProxy.EscapedFragment() != "" {
+ return nil, fmt.Errorf("custom token endpoint URL %q must not contain a fragment", tokenProxy)
+ }
+ if tokenProxy.EscapedPath() == "" {
+ // if the path is empty, set it to "/" to avoid stripping the path from req.URL
+ tokenProxy.Path = "/"
+ }
+ return tokenProxy, nil
+}
+
+var (
+ errCustomEndpointEnvSetWithoutTokenProxy = errors.New(
+ "AZURE_KUBERNETES_TOKEN_PROXY is not set but other custom endpoint-related environment variables are present",
+ )
+ errCustomEndpointMultipleCASourcesSet = errors.New(
+ "only one of AZURE_KUBERNETES_CA_FILE and AZURE_KUBERNETES_CA_DATA can be specified",
+ )
+)
+
+func createTransport(sniName string, caPool *x509.CertPool) *http.Transport {
+ var transport *http.Transport
+ if tr, ok := http.DefaultTransport.(*http.Transport); ok {
+ transport = tr.Clone()
+ } else {
+ // this should not happen, but if the user mutates the net/http.DefaultTransport
+ // to something else, we fall back to a sane default
+ transport = &http.Transport{
+ ForceAttemptHTTP2: true,
+ MaxIdleConns: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ }
+ }
+
+ if transport.TLSClientConfig == nil {
+ transport.TLSClientConfig = &tls.Config{}
+ }
+ transport.TLSClientConfig.ServerName = sniName
+ transport.TLSClientConfig.RootCAs = caPool
+
+ return transport
+}
+
+// Configure configures custom token endpoint mode if the required environment variables are present.
+func Configure(clientOptions *policy.ClientOptions) error {
+ kubernetesTokenProxyStr := os.Getenv(AzureKubernetesTokenProxy)
+
+ kubernetesSNIName := os.Getenv(AzureKubernetesSNIName)
+ kubernetesCAFile := os.Getenv(AzureKubernetesCAFile)
+ kubernetesCAData := os.Getenv(AzureKubernetesCAData)
+
+ if kubernetesTokenProxyStr == "" {
+ // custom token proxy is not set, while other Kubernetes-related environment variables are present,
+ // this is likely a configuration issue so erroring out to avoid misconfiguration
+ if kubernetesSNIName != "" || kubernetesCAFile != "" || kubernetesCAData != "" {
+ return errCustomEndpointEnvSetWithoutTokenProxy
+ }
+
+ return nil
+ }
+ tokenProxy, err := parseAndValidate(kubernetesTokenProxyStr)
+ if err != nil {
+ return err
+ }
+
+ // CAFile and CAData are mutually exclusive, at most one can be set.
+ // If none of CAFile or CAData are set, the default system CA pool will be used.
+ if kubernetesCAFile != "" && kubernetesCAData != "" {
+ return errCustomEndpointMultipleCASourcesSet
+ }
+
+ // preload the transport
+ t := &transport{
+ caFile: kubernetesCAFile,
+ caData: []byte(kubernetesCAData),
+ sniName: kubernetesSNIName,
+ tokenProxy: tokenProxy,
+ }
+ if _, err := t.getTokenTransporter(); err != nil {
+ return err
+ }
+
+ clientOptions.Transport = t
+ return nil
+}
+
+// transport redirects requests to the configured proxy.
+//
+// Lock is not needed for internal caData as this transport is called under confidentialClient's lock.
+type transport struct {
+ caFile string
+ caData []byte
+ sniName string
+ tokenProxy *url.URL
+ transport *http.Transport
+}
+
+func (t *transport) Do(req *http.Request) (*http.Response, error) {
+ tr, err := t.getTokenTransporter()
+ if err != nil {
+ return nil, err
+ }
+
+ rewriteProxyRequestURL(req, t.tokenProxy)
+
+ resp, err := tr.RoundTrip(req)
+ if err == nil && resp == nil {
+ // transports must handle this rare case.
+ // Returning an error makes the retry policy try the request again
+ err = errors.New("received nil response")
+ }
+ return resp, err
+}
+
+// getTokenTransporter provides the token transport to use for the request.
+//
+// There are a few scenarios need to be handled:
+// 1. no CA overrides, use default transport. The transport is fixed after set.
+// 2. CA data override provided, use a transport with custom CA pool.
+// This transport is fixed after set.
+// 3. CA file override is provided, use a transport with custom CA pool.
+// This transport needs to be recreated if the CA file content changes.
+func (t *transport) getTokenTransporter() (*http.Transport, error) {
+ if len(t.caData) == 0 && t.caFile == "" {
+ // no custom CA overrides
+ if t.transport == nil {
+ t.transport = createTransport(t.sniName, nil)
+ }
+ return t.transport, nil
+ }
+
+ if t.caFile == "" {
+ // host provided CA bytes in AZURE_KUBERNETES_CA_DATA and can't change
+ // them now, so we need to create a client only if we haven't done so yet
+ if t.transport != nil {
+ return t.transport, nil
+ }
+
+ caPool := x509.NewCertPool()
+ if !caPool.AppendCertsFromPEM([]byte(t.caData)) {
+ return nil, fmt.Errorf("parse CA data: no valid certificates found")
+ }
+
+ t.transport = createTransport(t.sniName, caPool)
+ return t.transport, nil
+ }
+
+ // host provided the CA bytes in a file whose contents it can change,
+ // so we must read that file and maybe create a new client
+ b, err := os.ReadFile(t.caFile)
+ if err != nil {
+ return nil, fmt.Errorf("read CA file %q: %s", t.caFile, err)
+ }
+ if len(b) == 0 {
+ // this can happen during the middle of CA rotation on the host.
+ if t.transport == nil {
+ // if the transport was never created, error out here to force retrying the call later
+ return nil, fmt.Errorf("CA file %q is empty", t.caFile)
+ }
+ // if the transport was already created, just keep using it
+ return t.transport, nil
+ }
+ if !bytes.Equal(b, t.caData) {
+ // CA has changed, rebuild the transport with new CA pool
+ // invariant: t.transport is nil when t.caData is nil (initial call)
+ caPool := x509.NewCertPool()
+ if !caPool.AppendCertsFromPEM([]byte(b)) {
+ return nil, fmt.Errorf("parse CA file %q: no valid certificates found", t.caFile)
+ }
+ if t.transport != nil {
+ t.transport.CloseIdleConnections()
+ }
+ t.transport = createTransport(t.sniName, caPool)
+ t.caData = b
+ }
+
+ return t.transport, nil
+}
+
+// rewriteProxyRequestURL updates the request URL to target the specified URL.
+// Target is the token proxy URL in custom token endpoint mode.
+//
+// proxyURL should be parsed and validated by parseAndValidate before calling.
+func rewriteProxyRequestURL(req *http.Request, proxyURL *url.URL) {
+ reqRawQuery := req.URL.RawQuery
+ // preserve the original path and append it to the proxy URL's path.
+ // proxyURL path is guaranteed to be non-empty.
+ req.URL = proxyURL.JoinPath(req.URL.EscapedPath())
+ // NOTE: proxyURL doesn't include query, req might include query
+ // we just retain the raw query from req.URL
+ req.URL.RawQuery = reqRawQuery
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go
index 1aa1e0fc7..1f67f7b3f 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
index 0735d1fcb..02f02fec4 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -32,9 +29,7 @@ const (
imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token"
miResID = "mi_res_id"
msiEndpoint = "MSI_ENDPOINT"
- msiResID = "msi_res_id"
msiSecret = "MSI_SECRET"
- imdsAPIVersion = "2018-02-01"
azureArcAPIVersion = "2020-06-01"
qpClientID = "client_id"
serviceFabricAPIVersion = "2019-07-01-preview"
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
index 11b686ccd..d0a5ecf97 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
index 9dcc82f01..aa7f9b7d7 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
index 053d1785f..48cc4f39f 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
index 5791e7d22..86054e3f8 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 041f11658..f45f59697 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -14,5 +11,5 @@ const (
module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
// Version is the semantic version (see http://semver.org) of this module.
- version = "v1.13.1"
+ version = "v1.14.0"
)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
index 6fecada2f..87399aed3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
@@ -16,6 +13,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+ "github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy"
)
const credNameWorkloadIdentity = "WorkloadIdentityCredential"
@@ -54,6 +52,15 @@ type WorkloadIdentityCredentialOptions struct {
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
+ // enableAzureProxy determines whether the credential reads proxy configuration from environment variables. When
+ // this value is true and proxy configuration isn't present or this value is false, the credential will request
+ // tokens directly from Entra ID.
+ //
+ // The proxy feature is designed for applications that deploy to many clusters and clusters that host many
+ // applications. See the Azure Kubernetes Service identity bindings documentation for more information on when
+ // to set this option: https://learn.microsoft.com/azure/aks/identity-bindings-concepts
+ enableAzureProxy bool
+
// TenantID of the service principal. Defaults to the value of the environment variable AZURE_TENANT_ID.
TenantID string
@@ -87,14 +94,22 @@ func NewWorkloadIdentityCredential(options *WorkloadIdentityCredentialOptions) (
return nil, errors.New("no tenant ID specified. Check pod configuration or set TenantID in the options")
}
}
+
w := WorkloadIdentityCredential{file: file, mtx: &sync.RWMutex{}}
- caco := ClientAssertionCredentialOptions{
+ caco := &ClientAssertionCredentialOptions{
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
Cache: options.Cache,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
}
- cred, err := NewClientAssertionCredential(tenantID, clientID, w.getAssertion, &caco)
+
+ if options.enableAzureProxy {
+ if err := customtokenproxy.Configure(&caco.ClientOptions); err != nil {
+ return nil, err
+ }
+ }
+
+ cred, err := NewClientAssertionCredential(tenantID, clientID, w.getAssertion, caco)
if err != nil {
return nil, err
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 78d21eef9..969bdda06 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -37,10 +37,11 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/policy
github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
-## explicit; go 1.23.0
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.14.0
+## explicit; go 1.25.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity
github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy
# github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0
## explicit; go 1.24.0
github.com/Azure/azure-sdk-for-go/sdk/internal/diag