azure.identity.broker package

class azure.identity.broker.InteractiveBrowserBrokerCredential(**kwargs: Any)

Uses an authentication broker to interactively sign in a user.

Currently, only the Windows authentication broker, Web Account Manager (WAM), is supported. Users on macOS and Linux will be authenticated through a browser.

get_token() opens a browser to a login URL provided by Microsoft Entra ID and authenticates a user there with the authorization code flow, using PKCE (Proof Key for Code Exchange) internally to protect the code.

Keyword Arguments:
  • authority (str) – Authority of a Microsoft Entra endpoint, for example “login.microsoftonline.com”, the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.

  • tenant_id (str) – a Microsoft Entra tenant ID. Defaults to the “organizations” tenant, which can authenticate work or school accounts.

  • client_id (str) – Client ID of the Microsoft Entra application users will sign in to. If unspecified, users will authenticate to an Azure development application.

  • login_hint (str) – a username suggestion to pre-fill the login page’s username/email address field. A user may still log in with a different username.

  • timeout (int) – seconds to wait for the user to complete authentication. Defaults to 300 (5 minutes).

  • parent_window_handle (int) – If your app is a GUI app running on a modern Windows system, you are required to also provide its window handle so that the sign-in UI window will properly pop up on top of your window.

  • use_default_broker_account (bool) – Enables automatically using the default broker account for authentication instead of prompting the user with an account picker. Defaults to False.

  • enable_msa_passthrough (bool) – Determines whether Microsoft Account (MSA) passthrough is enabled. Note, this is only needed for select legacy first-party applications. Defaults to False.

  • disable_instance_discovery (bool) – Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to True will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

  • enable_support_logging (bool) – Enables additional support logging in the underlying MSAL library. This logging potentially contains personally identifiable information and is intended to be used only for troubleshooting purposes.

Raises:

ValueError – invalid redirect_uri

authenticate(*, scopes: Iterable[str] | None = None, claims: str | None = None, **kwargs: Any) → AuthenticationRecord

Interactively authenticate a user. This method will always generate a challenge to the user.

Keyword Arguments:
  • scopes (Iterable[str]) – scopes to request during authentication, such as those provided by AuthenticationRequiredError.scopes(). If provided, successful authentication will cache an access token for these scopes.

  • claims (str) – additional claims required in the token, such as those provided by AuthenticationRequiredError.claims()

Return type:

AuthenticationRecord

Raises:

ClientAuthenticationError – authentication failed. The error’s message attribute gives a reason.

close() → None

get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) → AccessToken

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

Parameters:

scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword Arguments:
  • claims (str) – additional claims required in the token, such as those returned in a resource provider’s claims challenge following an authorization failure

  • tenant_id (str) – optional tenant to include in the token request.

  • enable_cae (bool) – indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.

Returns:

An access token with the desired scopes.

Return type:

AccessToken

Raises:
  • CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support

  • ClientAuthenticationError – authentication failed. The error’s message attribute gives a reason.

  • AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.

get_token_info(*scopes: str, options: TokenRequestOptions | None = None) → AccessTokenInfo

Request an access token for scopes.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

Parameters:

scopes (str) – desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword Arguments:

options (TokenRequestOptions) – A dictionary of options for the token request. Unknown options will be ignored. Optional.

Return type:

AccessTokenInfo

Returns:

An AccessTokenInfo instance containing information about the token.

Raises:
  • CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support

  • ClientAuthenticationError – authentication failed. The error’s message attribute gives a reason.

  • AuthenticationRequiredError – user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call authenticate() to begin interactive authentication.

class azure.identity.broker.PopTokenRequestOptions

Options to use for Proof-of-Possession (PoP) token requests.

clear() → None. Remove all items from D.

copy() → a shallow copy of D

fromkeys(value=None, /)

Create a new dictionary with keys from iterable and values set to value.

get(key, default=None, /)

Return the value for key if key is in the dictionary, else default.

items() → a set-like object providing a view on D's items

keys() → a set-like object providing a view on D's keys

pop(k[, d]) → v, remove specified key and return the corresponding value.

pop: bool | dict

PoP token request options.

  • If not specified or False, a non-PoP token request is made.

  • If True, an mTLS PoP token request is made.

  • If a dict, a Signed HTTP Request (SHR) PoP token request is made. The dict must contain the “resource_request_method”, “resource_request_url”, and “nonce” keys.

popitem()

Remove and return a (key, value) pair as a 2-tuple.

Pairs are returned in LIFO (last-in, first-out) order. Raises KeyError if the dict is empty.

setdefault(key, default=None, /)

Insert key with a value of default if key is not in the dictionary.

Return the value for key if key is in the dictionary, else default.

update([E, ]**F) → None. Update D from dict/iterable E and F.

If E is present and has a .keys() method, then does: for k in E: D[k] = E[k]. If E is present and lacks a .keys() method, then does: for k, v in E: D[k] = v. In either case, this is followed by: for k in F: D[k] = F[k].

values() → an object providing a view on D's values

claims: str
enable_cae: bool
tenant_id: str
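The following is an added example, not code from the azure-identity-broker package or its documentation. It shows how the three `pop` cases described above are validated, how an SHR PoP options dict is assembled for get_token_info(), and how a GUI app on Windows passes parent_window_handle to InteractiveBrowserBrokerCredential. The client ID, scope and nonce values are constructed placeholders; `pop_request_mode` and `build_shr_options` are hypothetical helpers, and the broker import is deferred so the helpers run without the package installed.

```python
import sys
from typing import Any, Dict, Optional, Union

# Keys the reference says an SHR (Signed HTTP Request) PoP dict must contain.
SHR_REQUIRED_KEYS = ("resource_request_method", "resource_request_url", "nonce")


def pop_request_mode(pop: Union[bool, Dict[str, str], None]) -> str:
    """Classify a `pop` option value using the three cases the reference lists."""
    if pop is None or pop is False:
        return "bearer"  # not specified or False: ordinary (non-PoP) token request
    if pop is True:
        return "mtls-pop"  # True: mTLS PoP token request
    if isinstance(pop, dict):
        # A required key that is absent or empty makes the SHR request invalid.
        missing = [k for k in SHR_REQUIRED_KEYS if not pop.get(k)]
        if missing:
            raise ValueError(f"SHR PoP request is missing keys: {missing}")
        return "shr-pop"  # dict with all required keys: SHR PoP token request
    raise TypeError("pop must be a bool or a dict")


def build_shr_options(method: str, url: str, nonce: str, *, enable_cae: bool = False) -> Dict[str, Any]:
    """Build a PopTokenRequestOptions-compatible dict for an SHR PoP request.

    `nonce` comes from the resource's challenge; the token is bound to this exact
    method and URL, so a leaked token cannot be replayed against another request.
    """
    options: Dict[str, Any] = {
        "pop": {"resource_request_method": method, "resource_request_url": url, "nonce": nonce},
        "enable_cae": enable_cae,
    }
    pop_request_mode(options["pop"])  # fail early instead of at the token request
    return options


def get_pop_token(scope: str, options: Dict[str, Any], client_id: str,
                  parent_window_handle: Optional[int] = None):
    """Acquire a PoP token via the broker (needs the package and an interactive user)."""
    # Deferred import so the validation helpers above work without the package.
    from azure.identity.broker import InteractiveBrowserBrokerCredential, PopTokenRequestOptions

    kwargs: Dict[str, Any] = {"client_id": client_id}
    if sys.platform == "win32":
        # Assumed to be a GUI app: on Windows it must hand the broker its window
        # handle so the sign-in UI appears on top of the app's own window.
        if parent_window_handle is None:
            raise ValueError("parent_window_handle is required for a GUI app on Windows")
        kwargs["parent_window_handle"] = parent_window_handle
    credential = InteractiveBrowserBrokerCredential(**kwargs)
    return credential.get_token_info(scope, options=PopTokenRequestOptions(**options))
```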