OnBehalfOfCredential Class

  • Reference

Authenticates a service principal via the on-behalf-of flow.

This flow is typically used by middle-tier services that authorize requests to other services with a delegated user identity. Because this is not an interactive authentication flow, an application using it must have admin consent for any delegated permissions before requesting tokens for them. See Microsoft Entra ID documentation for a more detailed description of the on-behalf-of flow.

Inheritance
azure.identity.aio._internal.AsyncContextManager
OnBehalfOfCredential
azure.identity.aio._internal.get_token_mixin.GetTokenMixin
OnBehalfOfCredential

Constructor

OnBehalfOfCredential(tenant_id: str, client_id: str, *, client_certificate: bytes | None = None, client_secret: str | None = None, user_assertion: str, **kwargs: Any)

Parameters

Name Description
tenant_id
Required
str

ID of the service principal's tenant. Also called its "directory" ID.
client_id
Required
str

The service principal's client ID

Keyword-Only Parameters

Name Description
client_secret
str

Optional. A client secret to authenticate the service principal. Either client_secret or client_certificate must be provided.
client_certificate
bytes

Optional. The bytes of a certificate in PEM or PKCS12 format including the private key to authenticate the service principal. Either client_secret or client_certificate must be provided.
user_assertion
str

Required. The access token the credential will use as the user assertion when requesting on-behalf-of tokens
authority
str

Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
password
str or bytes

A certificate password. Used only when client_certificate is provided. If this value is a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
additionally_allowed_tenants
List[str]

Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.

Examples

Create an OnBehalfOfCredential.


   from azure.identity.aio import OnBehalfOfCredential

   credential = OnBehalfOfCredential(
       tenant_id="<tenant_id>",
       client_id="<client_id>",
       client_secret="<client_secret>",
       user_assertion="<access_token>",
   )

Methods

close
get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

close 

async close() -> None

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken

Parameters

Name Description
scopes
Required
str

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name Description
claims
str

additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id
str

optional tenant to include in the token request.
enable_cae
bool

indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.

Returns

Type Description
AccessToken

An access token with the desired scopes.

Exceptions

Type Description
CredentialUnavailableError

the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError

authentication failed. The error's message attribute gives a reason.