Add documentation on difference between MSAL and azure.identity #664
-
Great question! MSAL is one of the building blocks of Azure Identity. When Y is built on top of X, it is better to have Y talk about the difference. :-) CC @chlowell

My general suggestion on choosing libraries/frameworks would be to look into their API surface and samples, to see which one matches your particular use case more closely.

MSAL is an authentication (and authorization) library. MSAL's API surface helps you to obtain the tokens, which can then be used to make a REST API call using any generic HTTP library. MSAL's samples demonstrate some common scenarios and patterns.

Azure-Identity provides closer integration with other Azure SDK components, with a different API surface.
-
azure-identity is the Azure SDK's authentication library, so if you're using the Azure SDK, start there. MSAL and azure-identity support the same authentication flows but azure-identity has a higher-level, simpler API because it's designed to integrate with Azure SDK clients and hide the complexity of authentication from applications. If you find yourself wanting to use MSAL directly with an Azure SDK client, please open an issue on our repo because you may have an interesting feature request 😄

If your application is not using the Azure SDK, I think the choice depends on how it authenticates and whether it needs a lower-level API. For example, azure-identity can send a user through the authorization code flow but doesn't have an API for acquiring a code without completing the flow.
-
Good point on the API "level". By the way, the latest version of MSAL (1.8.0) did provide the higher level
-
As the developer of Azure CLI core and authentication which use Azure Identity Python and MSAL heavily, the most distinguished difference I noticed is that Azure Identity's various credentials (e.g.

```python
class TokenCredential(Protocol):
    def get_token(self, *scopes, **kwargs):
        pass
```

When any SDK client is trying to invoke a REST API,

```python
class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, SansIOHTTPPolicy):
    def on_request(self, request):
        if self._token is None or self._need_new_token:
            self._token = self._credential.get_token(*self._scopes)  # Get access token
        self._update_headers(request.http_request.headers, self._token.token)  # Add the access token to header
```

Within the implementation of

So the invocation hierarchy is

```
My app/script             # Azure CLI `az group list`
    🠗                     # client.resource_groups.list()
Azure Python SDK client   # ResourceManagementClient
    🠗                     # credential.get_token()
Azure Identity            # InteractiveBrowserCredential
    🠗                     # app.acquire_token_silent_with_error()
MSAL                      # PublicClientApplication
```

Hope it helps.
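The layering described in the comment above, as an added offline example that is not part of the original thread and is not Azure SDK, Azure Identity or MSAL code. `StubMsalApp`, `MsalBackedCredential` and `BearerPolicy` are hypothetical stand-ins, the token values are constructed, and the HTTPS check and refresh margin are choices made for this example.

```python
import time
from typing import NamedTuple, Protocol

class AccessToken(NamedTuple):
    token: str
    expires_on: float  # Unix time at which the token expires

class TokenCredential(Protocol):
    def get_token(self, *scopes: str) -> AccessToken: ...

class StubMsalApp:
    """Offline stand-in for an MSAL application; returns an MSAL-shaped result dict."""
    def __init__(self, lifetime=3600):
        self.calls, self.lifetime = 0, lifetime
    def acquire_token_silent_with_error(self, scopes, account=None):
        self.calls += 1
        return {"access_token": f"constructed-token-{self.calls}", "expires_in": self.lifetime}

class MsalBackedCredential:
    """Identity layer: turns the MSAL-shaped result dict into an AccessToken."""
    def __init__(self, app):
        self._app = app
    def get_token(self, *scopes):
        result = self._app.acquire_token_silent_with_error(list(scopes), account=None)
        if not result or "access_token" not in result:
            # Surface the failure instead of sending a request with no token.
            raise RuntimeError((result or {}).get("error", "no cached token"))
        return AccessToken(result["access_token"], time.time() + result["expires_in"])

class BearerPolicy:
    """SDK layer: caches the token and attaches it to each outgoing request."""
    def __init__(self, credential: TokenCredential, *scopes, refresh_margin=300):
        self._credential, self._scopes = credential, scopes
        self._margin, self._token = refresh_margin, None
    def on_request(self, url, headers):
        if not url.lower().startswith("https://"):
            raise ValueError("refusing to send a bearer token over a non-TLS URL")
        if self._token is None or self._token.expires_on - time.time() < self._margin:
            self._token = self._credential.get_token(*self._scopes)
        headers["Authorization"] = "Bearer " + self._token.token
        return headers

def demo():
    app = StubMsalApp()
    policy = BearerPolicy(MsalBackedCredential(app), "https://management.azure.com/.default")
    first = policy.on_request("https://management.azure.com/subscriptions", {})
    second = policy.on_request("https://management.azure.com/subscriptions", {})
    return first["Authorization"], second["Authorization"], app.calls
```

The second request reuses the cached token, so the MSAL layer is reached only once.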
-
LOVE LOVE LOVE this community. So many valuable insights! :-)
-
Thanks for explaining the difference very clearly! This helped me to know the best approach. So it is indeed valuable :)
-
While developing an application, which uploads data to a blob storage and requires authentication, I was wondering what the best Azure authentication module is in Python since there are two:
For me it's difficult to understand the difference between the two, and to decide when to use which one since there is quite some overlap. On the internet I couldn't find any discussions or documentation on the difference. It would be nice to know what the best practice is when using Python to authenticate to Azure. Can you explain the difference or add documentation? Thanks.