Feedback Edit

PublicClientApplication Class

  • Reference
Inheritance
ClientApplication
PublicClientApplication

Constructor

PublicClientApplication(client_id, client_credential=None, **kwargs)

Parameters

client_id
client_credential
default value: None

Methods

acquire_token_by_device_flow

Obtain token by a device flow object, with customizable polling effect.
acquire_token_interactive

Acquire token interactively i.e. via a local browser.

Prerequisite: In Azure Portal, configure the Redirect URI of your "Mobile and Desktop application" as http://localhost.
initiate_device_flow

Initiate a Device Flow instance, which will be used in acquire_token_by_device_flow.

acquire_token_by_device_flow

Obtain token by a device flow object, with customizable polling effect.

acquire_token_by_device_flow(flow, claims_challenge=None, **kwargs)

Parameters

flow
dict
Required

A dict previously generated by initiate_device_flow. By default, this method's polling effect will block current thread. You can abort the polling loop at any time, by changing the value of the flow's "expires_at" key to 0.

claims_challenge
default value: None

The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations.

Returns

A dict representing the json response from AAD:

  • A successful response would contain "access_token" key,

  • an error response would contain "error" and usually "error_description".

acquire_token_interactive

Acquire token interactively i.e. via a local browser.

Prerequisite: In Azure Portal, configure the Redirect URI of your "Mobile and Desktop application" as http://localhost.

acquire_token_interactive(scopes, prompt=None, login_hint=None, domain_hint=None, claims_challenge=None, timeout=None, port=None, extra_scopes_to_consent=None, max_age=None, **kwargs)

Parameters

scopes
list
Required

It is a list of case-sensitive strings.

prompt
str
default value: None

By default, no prompt value will be sent, not even "none". You will have to specify a value explicitly. Its valid values are defined in Open ID Connect specs https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

login_hint
str
default value: None

Optional. Identifier of the user. Generally a User Principal Name (UPN).

domain_hint
default value: None

Can be one of "consumers" or "organizations" or your tenant domain "contoso.com". If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. More information on possible values here and here.

claims_challenge
default value: None

The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations.

timeout
int
default value: None

This method will block the current thread. This parameter specifies the timeout value in seconds. Default value None means wait indefinitely.

port
int
default value: None

The port to be used to listen to an incoming auth response. By default we will use a system-allocated port. (The rest of the redirect_uri is hard coded as http://localhost.)

extra_scopes_to_consent
list
default value: None

"Extra scopes to consent" is a concept only available in AAD. It refers to other resources you might want to prompt to consent for, in the same interaction, but for which you won't get back a token for in this particular operation.

max_age
int
default value: None

OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, Microsoft identity platform will actively re-authenticate the End-User.

MSAL Python will also automatically validate the auth_time in ID token.

New in version 1.15.

Returns

  • A dict containing no "error" key, and typically contains an "access_token" key.

  • A dict containing an "error" key, when token refresh failed.

initiate_device_flow

Initiate a Device Flow instance, which will be used in acquire_token_by_device_flow.

initiate_device_flow(scopes=None, **kwargs)

Parameters

scopes
list[str]
default value: None

Scopes requested to access a protected API (a resource).

Returns

A dict representing a newly created Device Flow object.

  • A successful response would contain "user_code" key, among others

  • an error response would contain some other readable key/value pairs.

Attributes

DEVICE_FLOW_CORRELATION_ID 

DEVICE_FLOW_CORRELATION_ID = '_correlation_id'