-
Notifications
You must be signed in to change notification settings - Fork 94
Acquire tokens
There are many ways of acquiring a token. Some require user interaction while others don't. In general the way to acquire a token is different based on if the application is a public client application (Desktop / Mobile) or a confidential client application (Web App, Web API, daemon application).
- Will often acquire token interactively, having the user sign-in. Acquire tokens by authorization code after letting the user sign-in through the authorization request URL.
- It's also possible (but not recommended) to get a token with a username and password
- Finally, for applications running on devices which don't have a web browser, it's possible to acquire a token through the device code mechanism, which provides the user with a URL and a code. The user goes to a web browser on another device, enters the code and signs-in, and then Azure AD returns back a token to the browser-less device.
- To acquire token as the application itself and not for a user, use client credentials flow. For example, in apps which process users in batches and not a particular user such as in synching tools.
- In the case of Web Apps or Web APIs calling another downstream Web API in the name of the user, use the On Behalf Of flow to acquire a token based on some user assertion (SAML for instance, or a JWT token). This is currently not supported in ADAL Python.
- For Web apps in the name of a user, acquire tokens by authorization code after letting the user sign-in through the authorization request URL. This is typically the mechanism used by an application which lets the user sign-in with Open ID Connect, and then wants to access Web APIs for this particular user.
These methods return a dict which includes the access token and refresh token.
The library provides the acquire_user_code
method to obtain the device code and the acquire_token_with_device_code
method to get the token using the device code.
You can find the code snippet of the usage in this sample.
The library provides the acquire_token_with_username_password method to get the token using the username and password of a user.
The library provides the acquire_token_with_authorization_code method for public clients to get the token using the authorization code.
The library provides the acquire_token_with_authorization_code
method for confidential clients to get the token using the authorization code.
You can find the code snippet of the usage in this sample.
With client ID and secret
The library provides the acquire_token_with_client_credentials
method to get the token using the client secrets.
You can find the code snippet of the usage in this sample.
With client certificate
The library provides the acquire_token_with_client_certificate
method to get the token using the client secrets.
You can find the code snippet of the usage in this sample.
This flow is not yet supported in the ADAL Python library.
The library provides the acquire_token_with_refresh_token
method for public and confidential clients to get the token using a refresh token.
You can find the code snippet of the usage in this sample.
The acquire token methods for the different flows might require any of the following parameters:
-
The
resource
for which you want an access token. Here you can pass either the Resource URI of a Web API, or the client Id of the target Web API. Both work, but it's important to realize that the token will contain the resource as requested (audience), and therefore the form to use is the one accepted by the Web API. -
The
client_id
parameter is the client Id/application Id of the application requesting tokens. -
The
client_secret
parameter is the application secret of the application requesting tokens. -
The
redirect_uri
is the redirect URI of the client application. This is the address to return to upon receiving a response with the token from Azure AD. -
The
code
returned after user sign-in from the authorization code endpoint of Azure AD. This is part of the first step in any of the authorization code flows. -
The
user_code
is the code returned for the device code request which the user has to enter when visiting the URL in another device to verify -
The
certificate
is the pem encoded certificate private key. See here for more details. -
The
thumbprint
is a hex encoded thumbprint of the certificate. See here for more details. -
The
refresh_token
is the token used to refresh the AAD session and exchange for a renewed access token.
The tokens acquired through above methods can then be set as a bearer token in the headers of the request to protected APIs. For example:
SESSION = requests.Session()
token_response = auth_context.acquire_token_with_authorization_code(...)
SESSION.headers.update({'Authorization': "Bearer" + token_response['accessToken']})
SESSION.get(api_endpoint).json()
You can also refer this full sample of a web app using ADAL Python to authenticate users and get tokens for the MS Graph API.