DeviceCodeCredentialBuilder Class
- java.lang.Object
  - com.azure.identity.CredentialBuilderBase<T>
    - com.azure.identity.AadCredentialBuilderBase<T>
      - com.azure.identity.DeviceCodeCredentialBuilder
public class DeviceCodeCredentialBuilder
extends AadCredentialBuilderBase<DeviceCodeCredentialBuilder>
Fluent credential builder for instantiating a DeviceCodeCredential.
Device code authentication is a type of authentication flow offered by Microsoft Entra ID that allows users to sign in to applications on devices that don't have a web browser or a keyboard. This authentication method is particularly useful for devices such as smart TVs, gaming consoles, and Internet of Things (IoT) devices that may not have the capability to enter a username and password.
With device code authentication, the user is presented with a device code on the device that needs to be authenticated. The user then navigates to a web browser on a separate device and enters the code on the Microsoft sign-in page. After the user enters the code, Microsoft Entra ID verifies it and prompts the user to sign in with their credentials, such as a username and password or a multi-factor authentication (MFA) method. Device code authentication can be initiated using various Microsoft Entra-supported protocols, such as OAuth 2.0 and OpenID Connect, and it can be used with a wide range of Microsoft Entra-integrated applications.
The DeviceCodeCredential interactively authenticates a user and acquires a token on devices with limited UI. It works by prompting the user to visit a login URL on a browser-enabled machine when the application attempts to authenticate. The user then enters the device code mentioned in the instructions along with their login credentials. Upon successful authentication, the application that requested authentication gets authenticated successfully on the device it's running on. For more information, refer to the conceptual knowledge and configuration details.
These steps will let the application authenticate, but it still won't have permission to log you into Active Directory, or access resources on your behalf. To address this issue, navigate to API Permissions, and enable Microsoft Graph and the resources you want to access, such as Azure Service Management, Key Vault, and so on. You also need to be the admin of your tenant to grant consent to your application when you log in for the first time. If you can't configure the device code flow option on your Active Directory, then it may require your app to be multi-tenant. To make your app multi-tenant, navigate to the Authentication panel, then select Accounts in any organizational directory. Then, select yes for Treat application as Public Client.
Sample: Construct DeviceCodeCredential
The following code sample demonstrates the creation of a DeviceCodeCredential, using the DeviceCodeCredentialBuilder to configure it. By default, the credential prints the device code challenge on the command line. To override that behavior, a challengeConsumer can optionally be specified on the DeviceCodeCredentialBuilder. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.
TokenCredential deviceCodeCredential = new DeviceCodeCredentialBuilder().build();
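An added example, not part of the SDK documentation, of a more explicit configuration than the default sample: it sets the application's own client ID, pins the tenant, allows one named additional tenant instead of the "*" wildcard, and supplies a challengeConsumer that shows the verification URL, user code and remaining lifetime. The IDs are placeholders, `tenantId` is the setter inherited from AadCredentialBuilderBase, and using `System.out` as the device's display is an assumption.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DeviceCodeCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;
import com.azure.identity.DeviceCodeInfo;

import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.List;

public final class DeviceCodeSignIn {
    // Placeholders: substitute your own app registration and tenant IDs.
    private static final String CLIENT_ID = "<your-client-id>";
    private static final String HOME_TENANT = "<your-tenant-id>";
    private static final String PARTNER_TENANT = "<partner-tenant-id>";

    // Shows the verification URL, user code and remaining lifetime.
    // Assumption: System.out is the user-facing display of this device;
    // replace with the real UI call on a TV, console or IoT panel.
    static void showChallenge(DeviceCodeInfo info) {
        Duration left = Duration.between(OffsetDateTime.now(), info.getExpiresOn());
        System.out.printf("Open %s and enter code %s (expires in %d min)%n",
            info.getVerificationUrl(), info.getUserCode(), left.toMinutes());
    }

    public static void main(String[] args) {
        DeviceCodeCredential credential = new DeviceCodeCredentialBuilder()
            .clientId(CLIENT_ID)      // own registration, not the development app
            .tenantId(HOME_TENANT)    // without a tenant ID the allow-list has no effect
            .additionallyAllowedTenants(List.of(PARTNER_TENANT)) // named tenant, not "*"
            .challengeConsumer(DeviceCodeSignIn::showChallenge)
            .build();

        // Requesting a token triggers the device code challenge.
        TokenRequestContext request = new TokenRequestContext()
            .addScopes("https://management.azure.com/.default");
        AccessToken token = credential.getToken(request).block();
        System.out.println("Token acquired, expires " + token.getExpiresAt());
    }
}
```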
Constructor Summary
Constructor | Description |
---|---|
DeviceCodeCredentialBuilder() | Constructs an instance of DeviceCodeCredentialBuilder. |
Method Summary
Modifier and Type | Method and Description |
---|---|
DeviceCodeCredentialBuilder | additionallyAllowedTenants(String[] additionallyAllowedTenants) For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. |
DeviceCodeCredentialBuilder | additionallyAllowedTenants(List<String> additionallyAllowedTenants) For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. |
DeviceCodeCredentialBuilder | authenticationRecord(AuthenticationRecord authenticationRecord) Sets the AuthenticationRecord captured from a previous authentication. |
DeviceCodeCredential | build() Creates a new DeviceCodeCredential with the current configurations. |
DeviceCodeCredentialBuilder | challengeConsumer(Consumer<DeviceCodeInfo> challengeConsumer) Sets the consumer to meet the device code challenge. |
DeviceCodeCredentialBuilder | clientId(String clientId) Sets the client ID of the Microsoft Entra application that users will sign in to. |
DeviceCodeCredentialBuilder | disableAutomaticAuthentication() Disables the automatic authentication and prevents the DeviceCodeCredential from automatically prompting the user. |
DeviceCodeCredentialBuilder | tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions) Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default. |
Methods inherited from AadCredentialBuilderBase
Methods inherited from CredentialBuilderBase
Methods inherited from java.lang.Object
Constructor Details
DeviceCodeCredentialBuilder
public DeviceCodeCredentialBuilder()
Constructs an instance of DeviceCodeCredentialBuilder.
Method Details
additionallyAllowedTenants
public DeviceCodeCredentialBuilder additionallyAllowedTenants(String[] additionallyAllowedTenants)
For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant on which the application is installed. If no value is specified for TenantId this option will have no effect, and the credential will acquire tokens for any requested tenant.
Overrides:
DeviceCodeCredentialBuilder.additionallyAllowedTenants(String[] additionallyAllowedTenants)
Parameters:
Returns:
additionallyAllowedTenants
public DeviceCodeCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants)
For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant on which the application is installed. If no value is specified for TenantId this option will have no effect, and the credential will acquire tokens for any requested tenant.
Overrides:
DeviceCodeCredentialBuilder.additionallyAllowedTenants(List<String> additionallyAllowedTenants)
Parameters:
Returns:
authenticationRecord
public DeviceCodeCredentialBuilder authenticationRecord(AuthenticationRecord authenticationRecord)
Sets the AuthenticationRecord captured from a previous authentication.
Parameters:
Returns:
build
public DeviceCodeCredential build()
Creates a new DeviceCodeCredential with the current configurations.
Returns:
challengeConsumer
public DeviceCodeCredentialBuilder challengeConsumer(Consumer<DeviceCodeInfo> challengeConsumer)
Sets the consumer to meet the device code challenge. If not specified, a default consumer is used which prints the device code info message to stdout.
Parameters:
Returns:
clientId
public DeviceCodeCredentialBuilder clientId(String clientId)
Sets the client ID of the Microsoft Entra application that users will sign in to. It is recommended that developers register their applications and assign appropriate roles. For more information, visit this doc for app registration. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios.
Overrides:
DeviceCodeCredentialBuilder.clientId(String clientId)
Parameters:
Returns:
disableAutomaticAuthentication
public DeviceCodeCredentialBuilder disableAutomaticAuthentication()
Disables the automatic authentication and prevents the DeviceCodeCredential from automatically prompting the user. If automatic authentication is disabled, an AuthenticationRequiredException will be thrown from getToken(TokenRequestContext request) in the case that user interaction is necessary. The application is responsible for handling this exception, and calling authenticate() or authenticate(TokenRequestContext request) to authenticate the user interactively.
Returns:
tokenCachePersistenceOptions
public DeviceCodeCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions)
Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default. If configured, the credential will store tokens in a cache persisted to the machine, protected to the current user, which can be shared by other credentials and processes.
Parameters:
Returns:
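An added example, not from the SDK documentation, showing how authenticationRecord, disableAutomaticAuthentication and tokenCachePersistenceOptions work together: the credential first tries the persisted cache silently and prompts only at the one place the application handles AuthenticationRequiredException. The record file path, client ID and tenant ID are hypothetical placeholders. The AuthenticationRecord holds account metadata only; the tokens themselves stay in the persisted cache.

```java
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.AuthenticationRecord;
import com.azure.identity.AuthenticationRequiredException;
import com.azure.identity.DeviceCodeCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;
import com.azure.identity.TokenCachePersistenceOptions;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SilentFirstSignIn {
    public static void main(String[] args) throws IOException {
        // Hypothetical location for the account record (no tokens inside).
        Path recordFile = Paths.get(System.getProperty("user.home"), ".myapp", "auth-record.json");

        DeviceCodeCredentialBuilder builder = new DeviceCodeCredentialBuilder()
            .clientId("<your-client-id>")    // placeholder
            .tenantId("<your-tenant-id>")    // placeholder
            .tokenCachePersistenceOptions(new TokenCachePersistenceOptions())
            .disableAutomaticAuthentication();   // never prompt implicitly

        // Reuse the record from a previous run so the cache lookup can succeed.
        if (Files.exists(recordFile)) {
            try (InputStream in = Files.newInputStream(recordFile)) {
                builder.authenticationRecord(AuthenticationRecord.deserialize(in));
            }
        }
        DeviceCodeCredential credential = builder.build();
        TokenRequestContext request = new TokenRequestContext()
            .addScopes("https://vault.azure.net/.default");
        try {
            credential.getToken(request).block();   // silent: cache only
        } catch (AuthenticationRequiredException e) {
            // Interaction is required: run the device code flow at this explicit point.
            AuthenticationRecord record = credential.authenticate(e.getTokenRequestContext()).block();
            Files.createDirectories(recordFile.getParent());
            try (OutputStream out = Files.newOutputStream(recordFile)) {
                record.serialize(out);
            }
            credential.getToken(request).block();   // now served after sign-in
        }
    }
}
```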