DeviceCodeCredentialBuilder Class

public class DeviceCodeCredentialBuilder
extends AadCredentialBuilderBase<DeviceCodeCredentialBuilder>

Fluent credential builder for instantiating a DeviceCodeCredential.

Device code authentication is a type of authentication flow offered by Microsoft Entra ID that allows users to sign in to applications on devices that don't have a web browser or a keyboard. This authentication method is particularly useful for devices such as smart TVs, gaming consoles, and Internet of Things (IoT) devices that may not have the capability to enter a username and password. With device code authentication, the user is presented with a device code on the device that needs to be authenticated. The user then navigates to a web browser on a separate device and enters the code on the Microsoft sign-in page. After the user enters the code, Microsoft Entra ID verifies it and prompts the user to sign in with their credentials, such as a username and password or a multi-factor authentication (MFA) method. Device code authentication can be initiated using various Microsoft Entra-supported protocols, such as OAuth 2.0 and OpenID Connect, and it can be used with a wide range of Microsoft Entra-integrated applications. The DeviceCodeCredential interactively authenticates a user and acquires a token on devices with limited UI. It works by prompting the user to visit a login URL on a browser-enabled machine when the application attempts to authenticate. The user then enters the device code mentioned in the instructions along with their login credentials. Upon successful authentication, the application that requested authentication gets authenticated successfully on the device it's running on. For more information refer to the conceptual knowledge and configuration details.

These steps will let the application authenticate, but it still won't have permission to log you into Active Directory, or access resources on your behalf. To address this issue, navigate to API Permissions, and enable Microsoft Graph and the resources you want to access, such as Azure Service Management, Key Vault, and so on. You also need to be the admin of your tenant to grant consent to your application when you log in for the first time. If you can't configure the device code flow option on your Active Directory, then it may require your app to be multi- tenant. To make your app multi-tenant, navigate to the Authentication panel, then select Accounts in any organizational directory. Then, select yes for Treat application as Public Client.

Sample: Construct DeviceCodeCredential

The following code sample demonstrates the creation of a DeviceCodeCredential, using the DeviceCodeCredentialBuilder to configure it. By default, the credential prints the device code challenge on the command line, to override that behaviours a challengeConsumer can be optionally specified on the DeviceCodeCredentialBuilder. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

TokenCredential deviceCodeCredential = new DeviceCodeCredentialBuilder().build();

Constructor Summary

Constructor Description
DeviceCodeCredentialBuilder()

Constructs an instance of DeviceCodeCredentialBuilder.

Method Summary

Modifier and Type Method and Description
DeviceCodeCredentialBuilder additionallyAllowedTenants(String[] additionallyAllowedTenants)

For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.

DeviceCodeCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants)

For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.

DeviceCodeCredentialBuilder authenticationRecord(AuthenticationRecord authenticationRecord)

Sets the AuthenticationRecord captured from a previous authentication.

DeviceCodeCredential build()

Creates a new DeviceCodeCredential with the current configurations.

DeviceCodeCredentialBuilder challengeConsumer(Consumer<DeviceCodeInfo> challengeConsumer)

Sets the consumer to meet the device code challenge.

DeviceCodeCredentialBuilder clientId(String clientId)

Sets the client ID of the Microsoft Entra application that users will sign in to.

DeviceCodeCredentialBuilder disableAutomaticAuthentication()

Disables the automatic authentication and prevents the DeviceCodeCredential from automatically prompting the user.

DeviceCodeCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions)

Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default.

Methods inherited from AadCredentialBuilderBase

Methods inherited from CredentialBuilderBase

Methods inherited from java.lang.Object

Constructor Details

DeviceCodeCredentialBuilder

public DeviceCodeCredentialBuilder()

Constructs an instance of DeviceCodeCredentialBuilder.

Method Details

additionallyAllowedTenants

public DeviceCodeCredentialBuilder additionallyAllowedTenants(String[] additionallyAllowedTenants)

For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant on which the application is installed. If no value is specified for TenantId this option will have no effect, and the credential will acquire tokens for any requested tenant.

Overrides:

DeviceCodeCredentialBuilder.additionallyAllowedTenants(String[] additionallyAllowedTenants)

Parameters:

additionallyAllowedTenants - the additionally allowed tenants.

Returns:

An updated instance of this builder with the additional tenants configured.

additionallyAllowedTenants

public DeviceCodeCredentialBuilder additionallyAllowedTenants(List additionallyAllowedTenants)

For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant on which the application is installed. If no value is specified for TenantId this option will have no effect, and the credential will acquire tokens for any requested tenant.

Overrides:

DeviceCodeCredentialBuilder.additionallyAllowedTenants(List<String> additionallyAllowedTenants)

Parameters:

additionallyAllowedTenants - the additionally allowed tenants.

Returns:

An updated instance of this builder with the additional tenants configured.

authenticationRecord

public DeviceCodeCredentialBuilder authenticationRecord(AuthenticationRecord authenticationRecord)

Sets the AuthenticationRecord captured from a previous authentication.

Parameters:

authenticationRecord - the authentication record to be configured.

Returns:

An updated instance of this builder with the configured authentication record.

build

public DeviceCodeCredential build()

Creates a new DeviceCodeCredential with the current configurations.

Returns:

a DeviceCodeCredential with the current configurations.

challengeConsumer

public DeviceCodeCredentialBuilder challengeConsumer(Consumer challengeConsumer)

Sets the consumer to meet the device code challenge. If not specified a default consumer is used which prints the device code info message to stdout.

Parameters:

challengeConsumer - A method allowing the user to meet the device code challenge.

Returns:

An updated instance of this builder with the challenge consumer configured.

clientId

public DeviceCodeCredentialBuilder clientId(String clientId)

Sets the client ID of the Microsoft Entra application that users will sign in to. It is recommended that developers register their applications and assign appropriate roles. For more information, visit this doc for app registration. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios.

Overrides:

DeviceCodeCredentialBuilder.clientId(String clientId)

Parameters:

clientId - the client ID of the application.

Returns:

An updated instance of this builder with the client ID configured.

disableAutomaticAuthentication

public DeviceCodeCredentialBuilder disableAutomaticAuthentication()

Disables the automatic authentication and prevents the DeviceCodeCredential from automatically prompting the user. If automatic authentication is disabled a AuthenticationRequiredException will be thrown from getToken(TokenRequestContext request) in the case that user interaction is necessary. The application is responsible for handling this exception, and calling authenticate() or authenticate(TokenRequestContext request) to authenticate the user interactively.

Returns:

An updated instance of this builder with automatic authentication disabled.

tokenCachePersistenceOptions

public DeviceCodeCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions)

Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default. If configured, the credential will store tokens in a cache persisted to the machine, protected to the current user, which can be shared by other credentials and processes.

Parameters:

tokenCachePersistenceOptions - the token cache configuration options

Returns:

An updated instance of this builder with the token cache options configured.

Applies to