AuthorizationCodeCredential Class

Authenticates by redeeming an authorization code previously obtained from Microsoft Entra ID.

See Microsoft Entra ID documentation for more information about the authentication flow.

Inheritance
azure.identity.aio._internal.AsyncContextManager
AuthorizationCodeCredential
azure.identity.aio._internal.get_token_mixin.GetTokenMixin
AuthorizationCodeCredential

Constructor

AuthorizationCodeCredential(tenant_id: str, client_id: str, authorization_code: str, redirect_uri: str, *, client_secret: str | None = None, **kwargs)

Parameters

tenant_id
str
Required

ID of the application's Microsoft Entra tenant. Also called its "directory" ID.

client_id
str
Required

The application's client ID

authorization_code
str
Required

The authorization code from the user's log-in

redirect_uri
str
Required

The application's redirect URI. Must match the URI used to request the authorization code.

authority
str

Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.

client_secret
str

One of the application's client secrets. Required only for web apps and web APIs.

additionally_allowed_tenants
List[str]

Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.

Examples

Create an AuthorizationCodeCredential.


   from azure.identity.aio import AuthorizationCodeCredential

   credential = AuthorizationCodeCredential(
       tenant_id="<tenant_id>",
       client_id="<client_id>",
       authorization_code="<auth_code>",
       redirect_uri="<redirect_uri>",
   )

Methods

close

Close the credential's transport session.

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.

close

Close the credential's transport session.

async close()

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.

async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken

Parameters

scopes
str
Required

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/azure/active-directory/develop/scopes-oidc.

claims
str

additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.

tenant_id
str

optional tenant to include in the token request.

Returns

An access token with the desired scopes.

Return type

Exceptions

authentication failed. The error's message attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's response attribute.