Class DeviceCodeCredential

java.lang.Object
com.azure.identity.DeviceCodeCredential
All Implemented Interfaces:
com.azure.core.credential.TokenCredential

public class DeviceCodeCredential extends Object implements com.azure.core.credential.TokenCredential

Device code authentication is a type of authentication flow offered by Microsoft Entra ID that allows users to sign in to applications on devices that don't have a web browser or a keyboard. This authentication method is particularly useful for devices such as smart TVs, gaming consoles, and Internet of Things (IoT) devices that may not have the capability to enter a username and password. With device code authentication, the user is presented with a device code on the device that needs to be authenticated. The user then navigates to a web browser on a separate device and enters the code on the Microsoft sign-in page. After the user enters the code, Microsoft Entra ID verifies it and prompts the user to sign in with their credentials, such as a username and password or a multi-factor authentication (MFA) method. Device code authentication can be initiated using various Microsoft Entra-supported protocols, such as OAuth 2.0 and OpenID Connect, and it can be used with a wide range of Microsoft Entra-integrated applications. The DeviceCodeCredential interactively authenticates a user and acquires a token on devices with limited UI. It works by prompting the user to visit a login URL on a browser-enabled machine when the application attempts to authenticate. The user then enters the device code mentioned in the instructions along with their login credentials. Upon successful authentication, the application that requested authentication gets authenticated successfully on the device it's running on. For more information refer to the device code authentication documentation.

Required configuration:

To authenticate a user through device code flow, use the following steps:

  1. Go to Microsoft Entra ID in Azure portal and find your app registration.
  2. Navigate to the Authentication section.
  3. Under Suggested Redirected URIs, check the URI that ends with /common/oauth2/nativeclient.
  4. Under Default Client Type, select yes for Treat application as a public client.

These steps will let the application authenticate, but it still won't have permission to log you into Active Directory, or access resources on your behalf. To address this issue, navigate to API Permissions, and enable Microsoft Graph and the resources you want to access, such as Azure Service Management, Key Vault, and so on. You also need to be the admin of your tenant to grant consent to your application when you log in for the first time. If you can't configure the device code flow option on your Active Directory, then it may require your app to be multi- tenant. To make your app multi-tenant, navigate to the Authentication panel, then select Accounts in any organizational directory. Then, select yes for Treat application as Public Client.

Sample: Construct DeviceCodeCredential

The following code sample demonstrates the creation of a DeviceCodeCredential, using the DeviceCodeCredentialBuilder to configure it. By default, the credential prints the device code challenge on the command line, to override that behaviours a challengeConsumer can be optionally specified on the DeviceCodeCredentialBuilder. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential deviceCodeCredential = new DeviceCodeCredentialBuilder()
     .build();
 
See Also:
  • Method Details

    • getToken

      public Mono<com.azure.core.credential.AccessToken> getToken(com.azure.core.credential.TokenRequestContext request)
      Specified by:
      getToken in interface com.azure.core.credential.TokenCredential
    • getTokenSync

      public com.azure.core.credential.AccessToken getTokenSync(com.azure.core.credential.TokenRequestContext request)
      Specified by:
      getTokenSync in interface com.azure.core.credential.TokenCredential
    • authenticate

      public Mono<AuthenticationRecord> authenticate(com.azure.core.credential.TokenRequestContext request)
      Authenticates a user via the device code flow.

      The credential acquires a verification URL and code from the Microsoft Entra ID. The user must browse to the URL, enter the code, and authenticate with Microsoft Entra ID. If the user authenticates successfully, the credential receives an access token.

      Parameters:
      request - The details of the authentication request.
      Returns:
      The AuthenticationRecord which can be used to silently authenticate the account on future execution if persistent caching was configured via DeviceCodeCredentialBuilder.tokenCachePersistenceOptions(TokenCachePersistenceOptions) when credential was instantiated.
    • authenticate

      public Mono<AuthenticationRecord> authenticate()
      Authenticates a user via the device code flow.

      The credential acquires a verification URL and code from the Microsoft Entra ID. The user must browse to the URL, enter the code, and authenticate with Microsoft Entra ID. If the user authenticates successfully, the credential receives an access token.

      Returns:
      The AuthenticationRecord which can be used to silently authenticate the account on future execution if persistent caching was configured via DeviceCodeCredentialBuilder.tokenCachePersistenceOptions(TokenCachePersistenceOptions) when credential was instantiated.