Skip to content
This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

Acquire tokens

Jump to bottom
Navya Canumalla edited this page May 18, 2018 · 4 revisions

Acquiring a token depending on the type of application

There are many ways of acquiring a token. Some require user interaction while others don't. In general the way to acquire a token is different based on if the application is a public client application (Desktop / Mobile) or a confidential client application (Web App, Web API, daemon application).

Public client applications:

  • Will often acquire token interactively, having the user sign-in. Acquire tokens by authorization code after letting the user sign-in through the authorization request URL.
  • It's also possible (but not recommended) to get a token with a username and password
  • Finally, for applications running on devices which don't have a web browser, it's possible to acquire a token through the device code mechanism, which provides the user with a URL and a code. The user goes to a web browser on another device, enters the code and signs-in, and then Azure AD returns back a token to the browser-less device.

Confidential client applications:

  • To acquire token as the application itself and not for a user, use client credentials flow. For example, in apps which process users in batches and not a particular user such as in synching tools.
  • In the case of Web Apps or Web APIs calling another downstream Web API in the name of the user, use the On Behalf Of flow to acquire a token based on some user assertion (SAML for instance, or a JWT token). This is currently not supported in ADAL Python.
  • For Web apps in the name of a user, acquire tokens by authorization code after letting the user sign-in through the authorization request URL. This is typically the mechanism used by an application which lets the user sign-in with Open ID Connect, and then wants to access Web APIs for this particular user.

ADAL Python APIs for corresponding flows

These methods return a dict which includes the access token and refresh token.

Public Client flows:

Device Code flow

user_code = context.acquire_user_code(resource, client_id)
token = context.acquire_token_with_device_code(resource, user_code, client_id)

Here is a full sample.

User-Name Password flow

token = context.acquire_token_with_username_password(resource, username, password, client_id)

Authorization Code Flow

token = context.acquire_token_with_authorization_code(code, redirect_uri, resource, client_id)

Confidential Client flows:

Authorization Code Flow

token = context.acquire_token_with_authorization_code(code, redirect_uri, resource, client_id, client_secret)

Here is a full sample.

Client Credential flow

With client ID and secret

token = context.acquire_token_with_client_credentials(resource, client_id, client_secret)

Here is a full sample.

With client certificate

token = context.acquire_token_with_client_certificate(resource, client_id, certificate, thumbprint)

Here is a full sample.

Service to service on-behalf-of user

This flow is not yet supported in the ADAL Python library.

Token renewal

Acquire Token using Refresh Tokens

For public client:

token = context.acquire_token_with_refresh_token(refresh_token, client_id, resource)

For confidential client: Without the client_secret, you will get an invalid_client error.

token = context.acquire_token_with_refresh_token(refresh_token, client_id, resource, client_secret)

Here is a full sample.

ADAL Python acquireToken parameters

The acquire token methods for the different flows might require any of the following parameters:

  • The resource for which you want an access token. Here you can pass either the Resource URI of a Web API, or the client Id of the target Web API. Both work, but it's important to realize that the token will contain the resource as requested (audience), and therefore the form to use is the one accepted by the Web API.

  • The client_id parameter is the client Id/application Id of the application requesting tokens.

  • The client_secret parameter is the application secret of the application requesting tokens.

  • The redirect_uri is the redirect URI of the client application. This is the address to return to upon receiving a response with the token from Azure AD.

  • The code returned after user sign-in from the authorization code endpoint of Azure AD. This is part of the first step in any of the authorization code flows.

  • ​The user_code is the code returned for the device code request which the user has to enter when visiting the URL in another device to verify

  • The certificate is the pem encoded certificate private key. See here for more details.

  • The thumbprint is a hex encoded thumbprint of the certificate. See here for more details.

  • The refresh_token is the token used to refresh the AAD session and exchange for a renewed access token.

Using the token in API calls

The tokens acquired through above methods can then be set as a bearer token in the headers of the request to protected APIs as follows:

SESSION = requests.Session()
token_response = auth_context.acquire_token_with_authorization_code(...)
SESSION.headers.update({'Authorization': "Bearer" + token_response['accessToken']})
SESSION.get(api_endpoint).json()

You can also refer this full sample of a web app using ADAL Python to authenticate users and get tokens for the MS Graph API.

Getting started with ADAL Python

Advanced topics

FAQ & Common Issues

Other (external) resources

Clone this wiki locally