Skip to content
This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

Acquire tokens

Navya Canumalla edited this page Jun 1, 2018 · 4 revisions

Acquiring a token depending on the type of application

There are many ways of acquiring a token. Some require user interaction while others don't. In general the way to acquire a token is different based on if the application is a public client application (Desktop / Mobile) or a confidential client application (Web App, Web API, daemon application).

Public client applications:

  • Will often acquire token interactively, having the user sign-in. Acquire tokens by authorization code after letting the user sign-in through the authorization request URL.
  • It's also possible (but not recommended) to get a token with a username and password
  • Finally, for applications running on devices which don't have a web browser, it's possible to acquire a token through the device code mechanism, which provides the user with a URL and a code. The user goes to a web browser on another device, enters the code and signs-in, and then Azure AD returns back a token to the browser-less device.

Confidential client applications:

  • To acquire token as the application itself and not for a user, use client credentials flow. For example, in apps which process users in batches and not a particular user such as in synching tools.
  • In the case of Web Apps or Web APIs calling another downstream Web API in the name of the user, use the On Behalf Of flow to acquire a token based on some user assertion (SAML for instance, or a JWT token). This is currently not supported in ADAL Python.
  • For Web apps in the name of a user, acquire tokens by authorization code after letting the user sign-in through the authorization request URL. This is typically the mechanism used by an application which lets the user sign-in with Open ID Connect, and then wants to access Web APIs for this particular user.

ADAL Python APIs for corresponding flows

These methods return a dict which includes the access token and refresh token.

Public Client flows:

Device Code flow

The library provides the acquire_user_code method to obtain the device code and the acquire_token_with_device_code method to get the token using the device code.

You can find the code snippet of the usage in this sample.

User-Name Password flow

The library provides the acquire_token_with_username_password method to get the token using the username and password of a user.

Authorization Code Flow

The library provides the acquire_token_with_authorization_code method for public clients to get the token using the authorization code.

Confidential Client flows:

Authorization Code Flow

The library provides the acquire_token_with_authorization_code method for confidential clients to get the token using the authorization code.

You can find the code snippet of the usage in this sample.

Client Credential flow

With client ID and secret

The library provides the acquire_token_with_client_credentials method to get the token using the client secrets.

You can find the code snippet of the usage in this sample.

With client certificate

The library provides the acquire_token_with_client_certificate method to get the token using the client secrets.

You can find the code snippet of the usage in this sample.

Service to service on-behalf-of user

This flow is not yet supported in the ADAL Python library.

Token renewal

Acquire Token using Refresh Tokens

The library provides the acquire_token_with_refresh_token method for public and confidential clients to get the token using a refresh token.

You can find the code snippet of the usage in this sample.

ADAL Python acquireToken parameters

The acquire token methods for the different flows might require any of the following parameters:

  • The resource for which you want an access token. Here you can pass either the Resource URI of a Web API, or the client Id of the target Web API. Both work, but it's important to realize that the token will contain the resource as requested (audience), and therefore the form to use is the one accepted by the Web API.

  • The client_id parameter is the client Id/application Id of the application requesting tokens.

  • The client_secret parameter is the application secret of the application requesting tokens.

  • The redirect_uri is the redirect URI of the client application. This is the address to return to upon receiving a response with the token from Azure AD.

  • The code returned after user sign-in from the authorization code endpoint of Azure AD. This is part of the first step in any of the authorization code flows.

  • ​The user_code is the code returned for the device code request which the user has to enter when visiting the URL in another device to verify

  • The certificate is the pem encoded certificate private key. See here for more details.

  • The thumbprint is a hex encoded thumbprint of the certificate. See here for more details.

  • The refresh_token is the token used to refresh the AAD session and exchange for a renewed access token.

Using the token in API calls

The tokens acquired through above methods can then be set as a bearer token in the headers of the request to protected APIs. For example:

SESSION = requests.Session()
token_response = auth_context.acquire_token_with_authorization_code(...)
SESSION.headers.update({'Authorization': "Bearer" + token_response['accessToken']})
SESSION.get(api_endpoint).json()

You can also refer this full sample of a web app using ADAL Python to authenticate users and get tokens for the MS Graph API.