OnBehalfOfCredential Class

Authenticates a service principal via the on-behalf-of flow.

This flow is typically used by middle-tier services that authorize requests to other services with a delegated user identity. Because this is not an interactive authentication flow, an application using it must have admin consent for any delegated permissions before requesting tokens for them. See Azure Active Directory documentation for a more detailed description of the on-behalf-of flow.

Inheritance
azure.identity._internal.msal_credentials.MsalCredential -> OnBehalfOfCredential
azure.identity._internal.get_token_mixin.GetTokenMixin -> OnBehalfOfCredential

Constructor

OnBehalfOfCredential(tenant_id: str, client_id: str, **kwargs: Any)

Parameters

tenant_id
str
Required

ID of the service principal's tenant. Also called its "directory" ID.

client_id
str
Required

The service principal's client ID.

client_secret
str

Optional. A client secret to authenticate the service principal. Either client_secret or client_certificate must be provided.

client_certificate
bytes

Optional. The bytes of a certificate in PEM or PKCS12 format including the private key to authenticate the service principal. Either client_secret or client_certificate must be provided.

user_assertion
str

Required. The access token the credential will use as the user assertion when requesting on-behalf-of tokens.

authority
str

Authority of an Azure Active Directory endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.

password
str or bytes

A certificate password. Used only when client_certificate is provided. If this value is a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
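The following is an added example, not part of the azure-identity documentation or code base: a middle-tier helper that checks the keyword arguments documented above before building the credential, then exchanges one request's user token for a downstream token. The helper names (build_obo_kwargs, bearer_token, downstream_token) are hypothetical, the "exactly one of client_secret or client_certificate" check is this example's own policy, and the incoming token is assumed to have been validated by the service already.

```python
from typing import Any, Dict, Optional


def build_obo_kwargs(user_assertion: str, client_secret: Optional[str] = None,
                     client_certificate: Optional[bytes] = None,
                     password: Any = None,
                     authority: Optional[str] = None) -> Dict[str, Any]:
    """Check the documented keyword arguments before constructing the credential."""
    if not user_assertion:
        raise ValueError("user_assertion (the caller's access token) is required")
    # This example insists on exactly one way to authenticate the service principal.
    if bool(client_secret) == bool(client_certificate):
        raise ValueError("provide exactly one of client_secret or client_certificate")
    if password is not None and not client_certificate:
        raise ValueError("password is used only with client_certificate")
    kwargs: Dict[str, Any] = {"user_assertion": user_assertion}
    if client_secret:
        kwargs["client_secret"] = client_secret
    else:
        kwargs["client_certificate"] = client_certificate
        if password is not None:
            kwargs["password"] = password
    if authority:
        kwargs["authority"] = authority
    return kwargs


def bearer_token(authorization_header: str) -> str:
    """Extract the access token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected a Bearer token")
    return token.strip()


def downstream_token(tenant_id: str, client_id: str, authorization_header: str,
                     scope: str, **auth: Any) -> str:
    """Exchange one request's (already validated) user token for a downstream token."""
    # Imported here so the helpers above can be used without azure-identity installed.
    from azure.identity import OnBehalfOfCredential
    kwargs = build_obo_kwargs(bearer_token(authorization_header), **auth)
    # user_assertion is fixed at construction, so build one credential per user
    # request and never share an instance between different users.
    credential = OnBehalfOfCredential(tenant_id, client_id, **kwargs)
    return credential.get_token(scope).token
```

Because the user assertion is a constructor argument, a credential cached at module level would keep requesting tokens for whichever user it was first built for.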