ClientAssertionCredential Class
Authenticates a service principal with a JWT assertion.
This credential is for advanced scenarios. CertificateCredential has a more convenient API for the most common assertion scenario, authenticating a service principal with a certificate.
- Inheritance
-
azure.identity._internal.get_token_mixin.GetTokenMixinClientAssertionCredential
Constructor
ClientAssertionCredential(tenant_id: str, client_id: str, func: Callable[[], str], **kwargs: Any)
Parameters
Name | Description |
---|---|
tenant_id
Required
|
ID of the principal's tenant. Also called its "directory" ID. |
client_id
Required
|
The principal's client ID |
func
Required
|
A callable that returns a string assertion. The credential will call this every time it acquires a new token. |
Keyword-Only Parameters
Name | Description |
---|---|
authority
|
Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. |
additionally_allowed_tenants
|
Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access. |
Examples
Create a ClientAssertionCredential.
from azure.identity import ClientAssertionCredential
def get_assertion():
return "<client-assertion>"
credential = ClientAssertionCredential(
tenant_id="<tenant_id>",
client_id="<client_id>",
func=get_assertion,
)
Methods
close | |
get_token |
Request an access token for scopes. This method is called automatically by Azure SDK clients. |
close
close() -> None
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
tenant_id
|
optional tenant to include in the token request. |
enable_cae
|
indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. |
Returns
Type | Description |
---|---|
An access token with the desired scopes. |
Exceptions
Type | Description |
---|---|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
authentication failed. The error's |
Azure SDK for Python
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for