AuthorizationCodeCredential Class

Authenticates by redeeming an authorization code previously obtained from Microsoft Entra ID.

See Microsoft Entra ID documentation for more information about the authentication flow.

Inheritance

azure.identity._internal.get_token_mixin.GetTokenMixin

AuthorizationCodeCredential

Constructor

AuthorizationCodeCredential(tenant_id: str, client_id: str, authorization_code: str, redirect_uri: str, **kwargs: Any)

Parameters

Name	Description
tenant_id Required	str ID of the application's Microsoft Entra tenant. Also called its "directory" ID.
client_id Required	str The application's client ID
authorization_code Required	str The authorization code from the user's log-in
redirect_uri Required	str The application's redirect URI. Must match the URI used to request the authorization code.

Keyword-Only Parameters

Name	Description
authority	str Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
client_secret	str One of the application's client secrets. Required only for web apps and web APIs.
additionally_allowed_tenants	List[str] Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.

Examples

Create an AuthorizationCodeCredential.

   from azure.identity import AuthorizationCodeCredential

   credential = AuthorizationCodeCredential(
       tenant_id="<tenant_id>",
       client_id="<client_id>",
       authorization_code="<auth_code>",
       redirect_uri="<redirect_uri>",
   )

Methods

close	Close the credential's transport session.
get_token	Request an access token for scopes. This method is called automatically by Azure SDK clients. The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.
get_token_info	Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.

close

Close the credential's transport session.

close() -> None

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.

get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken

Parameters

Name	Description
scopes Required	str desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name	Description
claims	str additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id	str optional tenant to include in the token request.

Returns

Type	Description
AccessToken	An access token with the desired scopes.

Exceptions

Type	Description
ClientAuthenticationError	authentication failed. The error's message attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's response attribute.

get_token_info

Request an access token for scopes.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.

get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo

Parameters

Name	Description
scopes Required	str desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name	Description
options	TokenRequestOptions A dictionary of options for the token request. Unknown options will be ignored. Optional.

Returns

Type	Description
<xref:AccessTokenInfo>	An AccessTokenInfo instance containing information about the token.

Exceptions

Type	Description
ClientAuthenticationError	authentication failed. The error's message attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's response attribute.