Client applications
Microsoft Authentication Library (MSAL) Python supports two types of client applications: public client applications and confidential client applications. The client types are distinguished by their ability to authenticate securely with the authorization server and to hold sensitive, identity proving information so that it can't be accessed or known to a user within the scope of its access. This article focuses on how to initialize these applications using MSAL Python.
Prerequisites
This article doesn't go deep into defining what a public and confidential client applications are. Visit the identity platform docs to learn more about public and confidential client applications.
Instantiate an application
You require an app registration to initiate an app. Register an app in the Microsoft Entra admin center. From the registration page, you need:
- The application client identifieR. This is a string in the form of a GUID.
- The identity provider URL (the instance) and the sign-in audience for your application. These two parameters are collectively known as the authority.
- If necessary, the tenant identifier (also a GUID) in case you're writing a line of business application scoped to just your organization (also known as a single-tenant application).
- If you're building a confidential client app, create an application secret in the form of a string or certificate.
- For web applications, set the redirect URL that Microsoft Entra ID uses to return the code. For desktop applications, add
http://localhostif you're not relying on authentication brokers.
Instantiate a public client application
Public client applications use the PublicClientApplication class.
import msal
app = msal.PublicClientApplication(
"client_id",
authority="authority",
)
Instantiate a confidential client application
Confidential client applications use the ConfidentialClientApplication class.
import msal
app = msal.ConfidentialClientApplication(
"client_id",
authority="authority",
client_credential="client_secret",
)
Caching
When you instantiate a client application, there are two parameters you can use to define your caching preferences. These parameters are: token_cache and http_cache.
token_cachesets the token cache used by the client application instance. By default, an in-memory cache is created and used. For more information, see token caching in MSAL Python.http_cacheis available in MSAL Python version 1.16+. This automatically caches some finite number of nontoken http responses, so that long-livedPublicClientApplicationandConfidentialClientApplicationinstances would be more performant and responsive in some situations. If thehttp_cacheparameter isn't provided, MSAL uses an in-memory dict. If your app is a command-line app (CLI), you would want to persist yourhttp_cacheacross different CLI runs. For more information, see the reference guide.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for