ConfidentialClientApplication Class
Same as <xref:ClientApplication.__init__>,
except that allow_broker
parameter shall remain None
.
Create an instance of application.
- Inheritance
-
ConfidentialClientApplication
Constructor
ConfidentialClientApplication(client_id, client_credential=None, authority=None, validate_authority=True, token_cache=None, http_client=None, verify=True, proxies=None, timeout=None, client_claims=None, app_name=None, app_version=None, client_capabilities=None, azure_region=None, exclude_scopes=None, http_cache=None, instance_discovery=None, allow_broker=None, enable_pii_log=None, oidc_authority=None)
Parameters
Name | Description |
---|---|
client_id
Required
|
Your app has a client_id after you register it on Microsoft Entra admin center. |
client_credential
|
For PublicClientApplication, you use None here. For ConfidentialClientApplication, it supports many different input formats for different scenarios. Support using a client secret.Just feed in a string, such as
|
client_claims
|
Added in version 0.5.0: It is a dictionary of extra claims that would be signed by by this ConfidentialClientApplication 's private key. For example, you can use {"client_ip": "x.x.x.x"}. You may also override any of the following default claims:
Default value: None
|
authority
|
A URL that identifies a token authority. It should be of the format
Changed in version 1.17: you can also use predefined constant and a builder like this:
Default value: None
|
validate_authority
|
(optional) Turns authority validation on or off. This parameter default to true. Default value: True
|
token_cache
|
Sets the token cache used by this ClientApplication instance. By default, an in-memory cache will be created and used. Default value: None
|
http_client
|
(optional) Your implementation of abstract class HttpClient <msal.oauth2cli.http.http_client> Defaults to a requests session instance. Since MSAL 1.11.0, the default session would be configured to attempt one retry on connection error. If you are providing your own http_client, it will be your http_client's duty to decide whether to perform retry. Default value: None
|
verify
|
(optional) It will be passed to the verify parameter in the underlying requests library This does not apply if you have chosen to pass your own Http client Default value: True
|
proxies
|
(optional) It will be passed to the proxies parameter in the underlying requests library This does not apply if you have chosen to pass your own Http client Default value: None
|
timeout
|
(optional) It will be passed to the timeout parameter in the underlying requests library This does not apply if you have chosen to pass your own Http client Default value: None
|
app_name
|
(optional) You can provide your application name for Microsoft telemetry purposes. Default value is None, means it will not be passed to Microsoft. Default value: None
|
app_version
|
(optional) You can provide your application version for Microsoft telemetry purposes. Default value is None, means it will not be passed to Microsoft. Default value: None
|
client_capabilities
|
(optional) Allows configuration of one or more client capabilities, e.g. ["CP1"]. Client capability is meant to inform the Microsoft identity platform (STS) what this client is capable for, so STS can decide to turn on certain features. For example, if client is capable to handle claims challenge, STS may issue Continuous Access Evaluation (CAE) access tokens to resources, knowing that when the resource emits a claims challenge the client will be able to handle those challenges. Implementation details: Client capability is implemented using "claims" parameter on the wire, for now. MSAL will combine them into claims parameter which you will later provide via one of the acquire-token request. Default value: None
|
azure_region
|
(optional)
Instructs MSAL to use the Entra regional token service. This legacy feature is only available to
first-party applications. Only Supports 3 values:
Note Region auto-discovery has been tested on VMs and on Azure Functions. It is unreliable. Applications using this option should configure a short timeout. For more details and for the values of the region string see https://video2.skills-academy.com/entra/msal/dotnet/resources/region-discovery-troubleshooting New in version 1.12.0. Default value: None
|
exclude_scopes
|
(optional)
Historically MSAL hardcodes offline_access scope,
which would allow your app to have prolonged access to user's data.
If that is unnecessary or undesirable for your app,
now you can use this parameter to supply an exclusion list of scopes,
such as Default value: None
|
http_cache
|
MSAL has long been caching tokens in the This If your app is a command-line app (CLI), you would want to persist your http_cache across different CLI runs. The following recipe shows a way to do so:
Content inside Content inside New in version 1.16.0. Default value: None
|
instance_discovery
|
<xref:boolean>
Historically, MSAL would connect to a central endpoint located at
This parameter defaults to None, which enables the Instance Discovery. If you know some authorities which you allow MSAL to operate with as-is, without involving any Instance Discovery, the recommended pattern is:
If you do not know some authorities beforehand,
yet still want MSAL to accept any authority that you will provide,
you can use a New in version 1.19.0. Default value: None
|
allow_broker
|
<xref:boolean>
Deprecated. Please use Default value: None
|
enable_pii_log
|
<xref:boolean>
When enabled, logs may include PII (Personal Identifiable Information). This can be useful in troubleshooting broker behaviors. The default behavior is False. New in version 1.24.0. Default value: None
|
oidc_authority
|
Added in version 1.28.0:
It is a URL that identifies an OpenID Connect (OIDC) authority of
the format Note: Broker will NOT be used for OIDC authority. Default value: None
|
Methods
acquire_token_for_client |
Acquires token for the current confidential client, not for an end user. Since MSAL Python 1.23, it will automatically look for token from cache, and only send request to Identity Provider when cache misses. |
acquire_token_on_behalf_of |
Acquires token using on-behalf-of (OBO) flow. The current app is a middle-tier service which was called with a token representing an end user. The current app can use such token (a.k.a. a user assertion) to request another token to access downstream web API, on behalf of that user. See detail docs here . The current middle-tier app has no user interaction to obtain consent. See how to gain consent upfront for your middle-tier app from this article. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#gaining-consent-for-the-middle-tier-application |
remove_tokens_for_client |
Remove all tokens that were previously acquired via acquire_token_for_client for the current client. |
acquire_token_for_client
Acquires token for the current confidential client, not for an end user.
Since MSAL Python 1.23, it will automatically look for token from cache, and only send request to Identity Provider when cache misses.
acquire_token_for_client(scopes, claims_challenge=None, **kwargs)
Parameters
Name | Description |
---|---|
scopes
Required
|
(Required) Scopes requested to access a protected API (a resource). |
claims_challenge
|
The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. Default value: None
|
Returns
Type | Description |
---|---|
A dict representing the json response from Microsoft Entra:
|
acquire_token_on_behalf_of
Acquires token using on-behalf-of (OBO) flow.
The current app is a middle-tier service which was called with a token representing an end user. The current app can use such token (a.k.a. a user assertion) to request another token to access downstream web API, on behalf of that user. See detail docs here .
The current middle-tier app has no user interaction to obtain consent. See how to gain consent upfront for your middle-tier app from this article. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#gaining-consent-for-the-middle-tier-application
acquire_token_on_behalf_of(user_assertion, scopes, claims_challenge=None, **kwargs)
Parameters
Name | Description |
---|---|
user_assertion
Required
|
The incoming token already received by this app |
scopes
Required
|
Scopes required by downstream API (a resource). |
claims_challenge
|
The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. Default value: None
|
Returns
Type | Description |
---|---|
A dict representing the json response from Microsoft Entra:
|
remove_tokens_for_client
Remove all tokens that were previously acquired via acquire_token_for_client for the current client.
remove_tokens_for_client()