ClientApplication Class
You do not usually directly use this class. Use its subclasses instead: PublicClientApplication and ConfidentialClientApplication.
Create an instance of application.
- Inheritance
-
builtins.objectClientApplication
Constructor
ClientApplication(client_id, client_credential=None, authority=None, validate_authority=True, token_cache=None, http_client=None, verify=True, proxies=None, timeout=None, client_claims=None, app_name=None, app_version=None, client_capabilities=None, azure_region=None, exclude_scopes=None, http_cache=None, instance_discovery=None, allow_broker=None, enable_pii_log=None, oidc_authority=None)
Parameters
Name | Description |
---|---|
client_id
Required
|
Your app has a client_id after you register it on Microsoft Entra admin center. |
client_credential
|
For PublicClientApplication, you use None here. For ConfidentialClientApplication, it supports many different input formats for different scenarios. Support using a client secret.Just feed in a string, such as
|
client_claims
|
Added in version 0.5.0: It is a dictionary of extra claims that would be signed by by this ConfidentialClientApplication 's private key. For example, you can use {"client_ip": "x.x.x.x"}. You may also override any of the following default claims:
Default value: None
|
authority
|
A URL that identifies a token authority. It should be of the format
Changed in version 1.17: you can also use predefined constant and a builder like this:
Default value: None
|
validate_authority
|
(optional) Turns authority validation on or off. This parameter default to true. Default value: True
|
token_cache
|
Sets the token cache used by this ClientApplication instance. By default, an in-memory cache will be created and used. Default value: None
|
http_client
|
(optional) Your implementation of abstract class HttpClient <msal.oauth2cli.http.http_client> Defaults to a requests session instance. Since MSAL 1.11.0, the default session would be configured to attempt one retry on connection error. If you are providing your own http_client, it will be your http_client's duty to decide whether to perform retry. Default value: None
|
verify
|
(optional) It will be passed to the verify parameter in the underlying requests library This does not apply if you have chosen to pass your own Http client Default value: True
|
proxies
|
(optional) It will be passed to the proxies parameter in the underlying requests library This does not apply if you have chosen to pass your own Http client Default value: None
|
timeout
|
(optional) It will be passed to the timeout parameter in the underlying requests library This does not apply if you have chosen to pass your own Http client Default value: None
|
app_name
|
(optional) You can provide your application name for Microsoft telemetry purposes. Default value is None, means it will not be passed to Microsoft. Default value: None
|
app_version
|
(optional) You can provide your application version for Microsoft telemetry purposes. Default value is None, means it will not be passed to Microsoft. Default value: None
|
client_capabilities
|
(optional) Allows configuration of one or more client capabilities, e.g. ["CP1"]. Client capability is meant to inform the Microsoft identity platform (STS) what this client is capable for, so STS can decide to turn on certain features. For example, if client is capable to handle claims challenge, STS may issue Continuous Access Evaluation (CAE) access tokens to resources, knowing that when the resource emits a claims challenge the client will be able to handle those challenges. Implementation details: Client capability is implemented using "claims" parameter on the wire, for now. MSAL will combine them into claims parameter which you will later provide via one of the acquire-token request. Default value: None
|
azure_region
|
(optional)
Instructs MSAL to use the Entra regional token service. This legacy feature is only available to
first-party applications. Only Supports 3 values:
Note Region auto-discovery has been tested on VMs and on Azure Functions. It is unreliable. Applications using this option should configure a short timeout. For more details and for the values of the region string see https://video2.skills-academy.com/entra/msal/dotnet/resources/region-discovery-troubleshooting New in version 1.12.0. Default value: None
|
exclude_scopes
|
(optional)
Historically MSAL hardcodes offline_access scope,
which would allow your app to have prolonged access to user's data.
If that is unnecessary or undesirable for your app,
now you can use this parameter to supply an exclusion list of scopes,
such as Default value: None
|
http_cache
|
MSAL has long been caching tokens in the This If your app is a command-line app (CLI), you would want to persist your http_cache across different CLI runs. The following recipe shows a way to do so:
Content inside Content inside New in version 1.16.0. Default value: None
|
instance_discovery
|
<xref:boolean>
Historically, MSAL would connect to a central endpoint located at
This parameter defaults to None, which enables the Instance Discovery. If you know some authorities which you allow MSAL to operate with as-is, without involving any Instance Discovery, the recommended pattern is:
If you do not know some authorities beforehand,
yet still want MSAL to accept any authority that you will provide,
you can use a New in version 1.19.0. Default value: None
|
allow_broker
|
<xref:boolean>
Deprecated. Please use Default value: None
|
enable_pii_log
|
<xref:boolean>
When enabled, logs may include PII (Personal Identifiable Information). This can be useful in troubleshooting broker behaviors. The default behavior is False. New in version 1.24.0. Default value: None
|
oidc_authority
|
Added in version 1.28.0:
It is a URL that identifies an OpenID Connect (OIDC) authority of
the format Note: Broker will NOT be used for OIDC authority. Default value: None
|
Methods
acquire_token_by_auth_code_flow |
Validate the auth response being redirected back, and obtain tokens. It automatically provides nonce protection. |
acquire_token_by_authorization_code |
The second half of the Authorization Code Grant. |
acquire_token_by_refresh_token |
Acquire token(s) based on a refresh token (RT) obtained from elsewhere. You use this method only when you have old RTs from elsewhere, and now you want to migrate them into MSAL. Calling this method results in new tokens automatically storing into MSAL. You do NOT need to use this method if you are already using MSAL. MSAL maintains RT automatically inside its token cache, and an access token can be retrieved when you call acquire_token_silent. |
acquire_token_by_username_password |
Gets a token for a given resource via user credentials. See this page for constraints of Username Password Flow. https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication |
acquire_token_silent |
Acquire an access token for given account, without user interaction. It has same parameters as the acquire_token_silent_with_error. The difference is the behavior of the return value. This method will combine the cache empty and refresh error into one return value, None. If your app does not care about the exact token refresh error during token cache look-up, then this method is easier and recommended. |
acquire_token_silent_with_error |
Acquire an access token for given account, without user interaction. It is done either by finding a valid access token from cache, or by finding a valid refresh token from cache and then automatically use it to redeem a new access token. This method will differentiate cache empty from token refresh error. If your app cares the exact token refresh error during token cache look-up, then this method is suitable. Otherwise, the other method acquire_token_silent is recommended. |
get_accounts |
Get a list of accounts which previously signed in, i.e. exists in cache. An account can later be used in acquire_token_silent to find its tokens. |
get_authorization_request_url |
Constructs a URL for you to start a Authorization Code Grant. |
initiate_auth_code_flow |
Initiate an auth code flow. Later when the response reaches your redirect_uri, you can use acquire_token_by_auth_code_flow to complete the authentication/authorization. |
is_pop_supported |
Returns True if this client supports Proof-of-Possession Access Token. |
remove_account |
Sign me out and forget me from token cache |
acquire_token_by_auth_code_flow
Validate the auth response being redirected back, and obtain tokens.
It automatically provides nonce protection.
acquire_token_by_auth_code_flow(auth_code_flow, auth_response, scopes=None, **kwargs)
Parameters
Name | Description |
---|---|
auth_code_flow
Required
|
The same dict returned by initiate_auth_code_flow. |
auth_response
Required
|
A dict of the query string received from auth server. |
scopes
|
Scopes requested to access a protected API (a resource). Most of the time, you can leave it empty. If you requested user consent for multiple resources, here you will need to provide a subset of what you required in initiate_auth_code_flow. OAuth2 was designed mostly for singleton services, where tokens are always meant for the same resource and the only changes are in the scopes. In Microsoft Entra, tokens can be issued for multiple 3rd party resources. You can ask authorization code for multiple resources, but when you redeem it, the token is for only one intended recipient, called audience. So the developer need to specify a scope so that we can restrict the token to be issued for the corresponding audience. Default value: None
|
Returns
Type | Description |
---|---|
|
acquire_token_by_authorization_code
The second half of the Authorization Code Grant.
acquire_token_by_authorization_code(code, scopes, redirect_uri=None, nonce=None, claims_challenge=None, **kwargs)
Parameters
Name | Description |
---|---|
code
Required
|
The authorization code returned from Authorization Server. |
scopes
Required
|
(Required) Scopes requested to access a protected API (a resource). If you requested user consent for multiple resources, here you will typically want to provide a subset of what you required in AuthCode. OAuth2 was designed mostly for singleton services, where tokens are always meant for the same resource and the only changes are in the scopes. In Microsoft Entra, tokens can be issued for multiple 3rd party resources. You can ask authorization code for multiple resources, but when you redeem it, the token is for only one intended recipient, called audience. So the developer need to specify a scope so that we can restrict the token to be issued for the corresponding audience. |
nonce
|
If you provided a nonce when calling get_authorization_request_url, same nonce should also be provided here, so that we'll validate it. An exception will be raised if the nonce in id token mismatches. Default value: None
|
claims_challenge
|
The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. Default value: None
|
redirect_uri
|
Default value: None
|
Returns
Type | Description |
---|---|
A dict representing the json response from Microsoft Entra:
|
acquire_token_by_refresh_token
Acquire token(s) based on a refresh token (RT) obtained from elsewhere.
You use this method only when you have old RTs from elsewhere, and now you want to migrate them into MSAL. Calling this method results in new tokens automatically storing into MSAL.
You do NOT need to use this method if you are already using MSAL. MSAL maintains RT automatically inside its token cache, and an access token can be retrieved when you call acquire_token_silent.
acquire_token_by_refresh_token(refresh_token, scopes, **kwargs)
Parameters
Name | Description |
---|---|
refresh_token
Required
|
The old refresh token, as a string. |
scopes
Required
|
The scopes associate with this old RT. Each scope needs to be in the Microsoft identity platform (v2) format. See Scopes not resources. |
Returns
Type | Description |
---|---|
|
acquire_token_by_username_password
Gets a token for a given resource via user credentials.
See this page for constraints of Username Password Flow. https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
acquire_token_by_username_password(username, password, scopes, claims_challenge=None, auth_scheme=None, **kwargs)
Parameters
Name | Description |
---|---|
username
Required
|
Typically a UPN in the form of an email address. |
password
Required
|
The password. |
scopes
Required
|
Scopes requested to access a protected API (a resource). |
claims_challenge
|
The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. Default value: None
|
auth_scheme
|
You can provide an New in version 1.26.0. Default value: None
|
Returns
Type | Description |
---|---|
A dict representing the json response from Microsoft Entra:
|
acquire_token_silent
Acquire an access token for given account, without user interaction.
It has same parameters as the acquire_token_silent_with_error. The difference is the behavior of the return value. This method will combine the cache empty and refresh error into one return value, None. If your app does not care about the exact token refresh error during token cache look-up, then this method is easier and recommended.
acquire_token_silent(scopes, account, authority=None, force_refresh=False, claims_challenge=None, auth_scheme=None, **kwargs)
Parameters
Name | Description |
---|---|
scopes
Required
|
|
account
Required
|
|
authority
|
Default value: None
|
force_refresh
|
Default value: False
|
claims_challenge
|
Default value: None
|
auth_scheme
|
Default value: None
|
Returns
Type | Description |
---|---|
|
acquire_token_silent_with_error
Acquire an access token for given account, without user interaction.
It is done either by finding a valid access token from cache, or by finding a valid refresh token from cache and then automatically use it to redeem a new access token.
This method will differentiate cache empty from token refresh error. If your app cares the exact token refresh error during token cache look-up, then this method is suitable. Otherwise, the other method acquire_token_silent is recommended.
acquire_token_silent_with_error(scopes, account, authority=None, force_refresh=False, claims_challenge=None, auth_scheme=None, **kwargs)
Parameters
Name | Description |
---|---|
scopes
Required
|
(Required) Scopes requested to access a protected API (a resource). |
account
Required
|
(Required)
One of the account object returned by get_accounts.
Starting from MSAL Python 1.23,
a |
force_refresh
|
If True, it will skip Access Token look-up, and try to find a Refresh Token to obtain a new Access Token. Default value: False
|
claims_challenge
|
The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. Default value: None
|
auth_scheme
|
You can provide an New in version 1.26.0. Default value: None
|
authority
|
Default value: None
|
Returns
Type | Description |
---|---|
|
get_accounts
Get a list of accounts which previously signed in, i.e. exists in cache.
An account can later be used in acquire_token_silent to find its tokens.
get_accounts(username=None)
Parameters
Name | Description |
---|---|
username
|
Filter accounts with this username only. Case insensitive. Default value: None
|
Returns
Type | Description |
---|---|
A list of account objects. Each account is a dict. For now, we only document its "username" field. Your app can choose to display those information to end user, and allow user to choose one of his/her accounts to proceed. |
get_authorization_request_url
Constructs a URL for you to start a Authorization Code Grant.
get_authorization_request_url(scopes, login_hint=None, state=None, redirect_uri=None, response_type='code', prompt=None, nonce=None, domain_hint=None, claims_challenge=None, **kwargs)
Parameters
Name | Description |
---|---|
scopes
Required
|
(Required) Scopes requested to access a protected API (a resource). |
state
|
Recommended by OAuth2 for CSRF protection. Default value: None
|
login_hint
|
Identifier of the user. Generally a User Principal Name (UPN). Default value: None
|
redirect_uri
|
Address to return to upon receiving a response from the authority. Default value: None
|
response_type
|
Default value is "code" for an OAuth2 Authorization Code grant. You could use other content such as "id_token" or "token", which would trigger an Implicit Grant, but that is not recommended. Default value: code
|
prompt
|
By default, no prompt value will be sent, not even string Default value: None
|
nonce
|
A cryptographically random value used to mitigate replay attacks. See also OIDC specs. Default value: None
|
domain_hint
|
Can be one of "consumers" or "organizations" or your tenant domain "contoso.com". If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. More information on possible values available in Auth Code Flow doc and domain_hint doc. Default value: None
|
claims_challenge
|
The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. Default value: None
|
Returns
Type | Description |
---|---|
The authorization url as a string. |
initiate_auth_code_flow
Initiate an auth code flow.
Later when the response reaches your redirect_uri, you can use acquire_token_by_auth_code_flow to complete the authentication/authorization.
initiate_auth_code_flow(scopes, redirect_uri=None, state=None, prompt=None, login_hint=None, domain_hint=None, claims_challenge=None, max_age=None, response_mode=None)
Parameters
Name | Description |
---|---|
scopes
Required
|
It is a list of case-sensitive strings. |
redirect_uri
|
Optional. If not specified, server will use the pre-registered one. Default value: None
|
state
|
An opaque value used by the client to maintain state between the request and callback. If absent, this library will automatically generate one internally. Default value: None
|
prompt
|
By default, no prompt value will be sent, not even string Default value: None
|
login_hint
|
Optional. Identifier of the user. Generally a User Principal Name (UPN). Default value: None
|
domain_hint
|
Can be one of "consumers" or "organizations" or your tenant domain "contoso.com". If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. More information on possible values available in Auth Code Flow doc and domain_hint doc. Default value: None
|
max_age
|
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, Microsoft identity platform will actively re-authenticate the End-User. MSAL Python will also automatically validate the auth_time in ID token. New in version 1.15. Default value: None
|
response_mode
|
OPTIONAL. Specifies the method with which response parameters should be returned.
The default value is equivalent to Default value: None
|
claims_challenge
|
Default value: None
|
Returns
Type | Description |
---|---|
The auth code flow. It is a dict in this form:
The caller is expected to:
|
is_pop_supported
Returns True if this client supports Proof-of-Possession Access Token.
is_pop_supported()
remove_account
Sign me out and forget me from token cache
remove_account(account)
Parameters
Name | Description |
---|---|
account
Required
|
|
Attributes
ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID
ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID = '832'
ACQUIRE_TOKEN_BY_DEVICE_FLOW_ID
ACQUIRE_TOKEN_BY_DEVICE_FLOW_ID = '622'
ACQUIRE_TOKEN_BY_REFRESH_TOKEN
ACQUIRE_TOKEN_BY_REFRESH_TOKEN = '85'
ACQUIRE_TOKEN_BY_USERNAME_PASSWORD_ID
ACQUIRE_TOKEN_BY_USERNAME_PASSWORD_ID = '301'
ACQUIRE_TOKEN_FOR_CLIENT_ID
ACQUIRE_TOKEN_FOR_CLIENT_ID = '730'
ACQUIRE_TOKEN_INTERACTIVE
ACQUIRE_TOKEN_INTERACTIVE = '169'
ACQUIRE_TOKEN_ON_BEHALF_OF_ID
ACQUIRE_TOKEN_ON_BEHALF_OF_ID = '523'
ACQUIRE_TOKEN_SILENT_ID
ACQUIRE_TOKEN_SILENT_ID = '84'
ATTEMPT_REGION_DISCOVERY
ATTEMPT_REGION_DISCOVERY = True
GET_ACCOUNTS_ID
GET_ACCOUNTS_ID = '902'
REMOVE_ACCOUNT_ID
REMOVE_ACCOUNT_ID = '903'