ChainedTokenCredential Class

A sequence of credentials that is itself a credential.

Its get_token method calls get_token on each credential in the sequence, in order, returning the first valid token received. For more information, see https://aka.ms/azsdk/python/identity/credential-chains#chainedtokencredential-overview.

Inheritance
azure.identity.aio._internal.AsyncContextManager
ChainedTokenCredential

Constructor

ChainedTokenCredential(*credentials: AsyncTokenCredential | AsyncSupportsTokenInfo)

Parameters

credentials (AsyncTokenCredential, required): credential instances to form the chain

Examples

Create a ChainedTokenCredential.


   from azure.identity.aio import ChainedTokenCredential, EnvironmentCredential, AzureCliCredential

   credential_chain = (
       # Try EnvironmentCredential first
       EnvironmentCredential(),
       # Fallback to Azure CLI if EnvironmentCredential fails
       AzureCliCredential(),
   )
   credential = ChainedTokenCredential(*credential_chain)

Methods

close

Close the transport sessions of all credentials in the chain.

async close() -> None

get_token

Asynchronously request a token from each credential, in order, returning the first token received.

If no credential provides a token, raises ClientAuthenticationError with an error message from each credential.

This method is called automatically by Azure SDK clients.

async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken

Parameters

scopes (str, required): desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

claims (str): additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.

tenant_id (str): optional tenant to include in the token request.

enable_cae (bool): indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.

Returns

AccessToken: An access token with the desired scopes.

Exceptions

ClientAuthenticationError: no credential in the chain provided a token

get_token_info

Request a token from each chained credential, in order, returning the first token received.

If no credential provides a token, raises ClientAuthenticationError with an error message from each credential.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

async get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo

Parameters

scopes (str, required): desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

options (TokenRequestOptions): A dictionary of options for the token request. Unknown options will be ignored. Optional.

Returns

AccessTokenInfo: An AccessTokenInfo instance containing information about the token.

Exceptions

ClientAuthenticationError: no credential in the chain provided a token.