OnBehalfOfCredential Class
Authenticates a service principal via the on-behalf-of flow.
This flow is typically used by middle-tier services that authorize requests to other services with a delegated user identity. Because this is not an interactive authentication flow, an application using it must have admin consent for any delegated permissions before requesting tokens for them. See Microsoft Entra ID documentation for a more detailed description of the on-behalf-of flow.
- Inheritance
-
azure.identity._internal.msal_credentials.MsalCredentialOnBehalfOfCredentialazure.identity._internal.get_token_mixin.GetTokenMixinOnBehalfOfCredential
Constructor
OnBehalfOfCredential(tenant_id: str, client_id: str, *, client_certificate: bytes | None = None, client_secret: str | None = None, client_assertion_func: Callable[[], str] | None = None, user_assertion: str, password: bytes | str | None = None, send_certificate_chain: bool = False, **kwargs: Any)
Parameters
Name | Description |
---|---|
tenant_id
Required
|
ID of the service principal's tenant. Also called its "directory" ID. |
client_id
Required
|
The service principal's client ID. |
Keyword-Only Parameters
Name | Description |
---|---|
client_secret
|
Optional. A client secret to authenticate the service principal. One of client_secret, client_certificate, or client_assertion_func must be provided. |
client_certificate
|
Optional. The bytes of a certificate in PEM or PKCS12 format including the private key to authenticate the service principal. One of client_secret, client_certificate, or client_assertion_func must be provided. |
client_assertion_func
|
Optional. Function that returns client assertions that authenticate the application to Microsoft Entra ID. This function is called each time the credential requests a token. It must return a valid assertion for the target resource. |
user_assertion
|
Required. The access token the credential will use as the user assertion when requesting on-behalf-of tokens. |
authority
|
Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. |
password
|
A certificate password. Used only when client_certificate is provided. If this value is a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead. |
send_certificate_chain
|
If True when client_certificate is provided, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False. |
disable_instance_discovery
|
Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. |
additionally_allowed_tenants
|
Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access. |
Examples
Create an OnBehalfOfCredential.
from azure.identity import OnBehalfOfCredential
credential = OnBehalfOfCredential(
tenant_id="<tenant_id>",
client_id="<client_id>",
client_secret="<client_secret>",
user_assertion="<access_token>",
)
Methods
close | |
get_token |
Request an access token for scopes. This method is called automatically by Azure SDK clients. |
get_token_info |
Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. |
close
close() -> None
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
tenant_id
|
optional tenant to include in the token request. |
enable_cae
|
indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. |
Returns
Type | Description |
---|---|
An access token with the desired scopes. |
Exceptions
Type | Description |
---|---|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
authentication failed. The error's |
get_token_info
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
options
|
A dictionary of options for the token request. Unknown options will be ignored. Optional. |
Returns
Type | Description |
---|---|
<xref:AccessTokenInfo>
|
An AccessTokenInfo instance containing information about the token. |
Exceptions
Type | Description |
---|---|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
authentication failed. The error's |