InteractiveBrowserCredential Class
Opens a browser to interactively authenticate a user.
get_token opens a browser to a login URL provided by Microsoft Entra ID and authenticates a user there with the authorization code flow, using PKCE (Proof Key for Code Exchange) internally to protect the code.
- Inheritance
-
azure.identity._internal.interactive.InteractiveCredentialInteractiveBrowserCredential
Constructor
InteractiveBrowserCredential(**kwargs: Any)
Keyword-Only Parameters
Name | Description |
---|---|
authority
|
Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. |
tenant_id
|
a Microsoft Entra tenant ID. Defaults to the "organizations" tenant, which can authenticate work or school accounts. |
client_id
|
Client ID of the Microsoft Entra application that users will sign into. It is recommended that developers register their applications and assign appropriate roles. For more information, visit https://aka.ms/azsdk/identity/AppRegistrationAndRoleAssignment. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios. |
login_hint
|
a username suggestion to pre-fill the login page's username/email address field. A user may still log in with a different username. |
redirect_uri
|
a redirect URI for the application identified by client_id as configured in Azure Active Directory, for example "http://localhost:8400". This is only required when passing a value for client_id, and must match a redirect URI in the application's registration. The credential must be able to bind a socket to this URI. |
authentication_record
|
AuthenticationRecord returned by authenticate |
disable_automatic_authentication
|
if True, get_token will raise AuthenticationRequiredError when user interaction is required to acquire a token. Defaults to False. |
cache_persistence_options
|
configuration for persistent token caching. If unspecified, the credential will cache tokens in memory. |
timeout
|
seconds to wait for the user to complete authentication. Defaults to 300 (5 minutes). |
disable_instance_discovery
|
Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to True, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. |
enable_support_logging
|
Enables additional support logging in the underlying MSAL library. This logging potentially contains personally identifiable information and is intended to be used only for troubleshooting purposes. |
Examples
Create an InteractiveBrowserCredential.
from azure.identity import InteractiveBrowserCredential
credential = InteractiveBrowserCredential(
client_id="<client_id>",
)
Methods
authenticate |
Interactively authenticate a user. This method will always generate a challenge to the user. |
close | |
get_token |
Request an access token for scopes. This method is called automatically by Azure SDK clients. |
get_token_info |
Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. |
authenticate
Interactively authenticate a user. This method will always generate a challenge to the user.
authenticate(*, scopes: Iterable[str] | None = None, claims: str | None = None, **kwargs: Any) -> AuthenticationRecord
Keyword-Only Parameters
Name | Description |
---|---|
scopes
|
scopes to request during authentication, such as those provided by scopes. If provided, successful authentication will cache an access token for these scopes. |
claims
|
additional claims required in the token, such as those provided by claims |
Returns
Type | Description |
---|---|
Exceptions
Type | Description |
---|---|
authentication failed. The error's |
close
close() -> None
Keyword-Only Parameters
Name | Description |
---|---|
scopes
|
scopes to request during authentication, such as those provided by scopes. If provided, successful authentication will cache an access token for these scopes. |
claims
|
additional claims required in the token, such as those provided by claims |
Exceptions
Type | Description |
---|---|
authentication failed. The error's |
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure |
tenant_id
|
optional tenant to include in the token request. |
enable_cae
|
indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. |
Returns
Type | Description |
---|---|
An access token with the desired scopes. |
Exceptions
Type | Description |
---|---|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
authentication failed. The error's |
|
user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call |
|
to begin interactive authentication. |
get_token_info
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
options
|
A dictionary of options for the token request. Unknown options will be ignored. Optional. |
Returns
Type | Description |
---|---|
<xref:AccessTokenInfo>
|
An AccessTokenInfo instance containing information about the token. |
Exceptions
Type | Description |
---|---|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
authentication failed. The error's |
|
user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call |
|
to begin interactive authentication. |
Azure SDK for Python