Skip to main content

Microsoft Azure Identity Broker plugin for Python

Project description

Azure Identity Broker plugin for Python

This package extends the Azure Identity library by providing supplemental credentials for authenticating via an authentication broker.

An authentication broker is an application that runs on a user’s machine that manages the authentication handshakes and token maintenance for connected accounts. Currently, only the Windows authentication broker, Web Account Manager (WAM), is supported.

Source code | Package (PyPI) | API reference documentation | Microsoft Entra ID documentation

Getting started

Install the package

Install the Azure Identity Broker plugin for Python with pip:

pip install azure-identity-broker

Key concepts

This package enables broker support via InteractiveBrowserBrokerCredential which is a subclass of the InteractiveBrowserCredential of the Azure Identity library.

Parent window handles

When authenticating interactively via InteractiveBrowserBrokerCredential, a parent window handle is required to ensure that the authentication dialog is shown correctly over the requesting window. In the context of graphical user interfaces on devices, a window handle is a unique identifier that the operating system assigns to each window. For the Windows operating system, this handle is an integer value that serves as a reference to a specific window.

Microsoft account (MSA) passthrough

Microsoft accounts (MSA) are personal accounts created by users to access Microsoft services. MSA passthrough is a legacy configuration which enables users to get tokens to resources which normally don't accept MSA logins. This feature is only available to first-party applications. Users authenticating with an application that is configured to use MSA passthrough can set enable_msa_passthrough to True inside InteractiveBrowserBrokerCredential to allow these personal accounts to be listed by WAM.

Redirect URIs

Microsoft Entra applications rely on redirect URIs to determine where to send the authentication response after a user has logged in. To enable brokered authentication through WAM, a redirect URI matching the following pattern should be registered to the application:

ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id}

Examples

Authenticate with InteractiveBrowserBrokerCredential

This example demonstrates using InteractiveBrowserBrokerCredential as a broker-enabled credential for authenticating with the BlobServiceClient from the azure-storage-blob library. Here, the win32gui module from the pywin32 package is used to get the current window.

import win32gui
from azure.identity.broker import InteractiveBrowserBrokerCredential
from azure.storage.blob import BlobServiceClient

# Get the handle of the current window
current_window_handle = win32gui.GetForegroundWindow()

credential = InteractiveBrowserBrokerCredential(parent_window_handle=current_window_handle)
client = BlobServiceClient(account_url, credential=credential)

To bypass the account selection dialog and use the default broker account, set the use_default_broker_account argument to True. The credential will attempt to silently use the default broker account. If using the default account fails, the credential will fall back to interactive authentication.

credential = InteractiveBrowserBrokerCredential(
    parent_window_handle=current_window_handle,
    use_default_broker_account=True
)

Troubleshooting

See the Azure Identity troubleshooting guide for details on how to diagnose various failure scenarios.

Next steps

Client library support

Client and management libraries listed on the Azure SDK release page that support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is linked from the release page.

Known issues

This library doesn't support Azure AD B2C.

For other open issues, refer to the library's GitHub repository.

Provide feedback

If you encounter bugs or have suggestions, open an issue.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Release History

1.2.0 (2024-10-08)

Other Changes

  • Stable release for the Proof-of-Possession (PoP) token support to InteractiveBrowserBrokerCredential.

1.2.0b1 (2024-09-20)

Features Added

  • InteractiveBrowserBrokerCredential now implements the SupportsTokenInfo protocol. It now has a get_token_info method which returns an AccessTokenInfo object. The get_token_info method is an alternative method to get_token that improves support for more complex authentication scenarios.
  • Added Proof-of-Possession (PoP) token support to InteractiveBrowserBrokerCredential.

1.1.0 (2024-04-09)

Features Added

  • InteractiveBrowserBrokerCredential now supports a use_default_broker_account property to enable the use of the currently logged in operating system account for authentication rather than prompting for a credential.
  • Added enable_support_logging as a keyword argument to InteractiveBrowserBrokerCredential. This allows additional support logging which may contain PII.

Other Changes

  • Python 3.7 is no longer supported. Please use Python version 3.8 or later.
  • Bumped minimum dependency on azure-identity to 1.15.0.

1.0.0 (2023-11-07)

Features Added

  • enable_broker is always on if running on Windows. Automatically fall back into non-broker mode if running on MacOS or Linux.

Breaking Changes

  • Removed UsernamePasswordBrokerCredential

1.0.0b1 (2023-10-12)

Features Added

  • Added azure.identity.broker.InteractiveBrowserBrokerCredential and azure.identity.broker.UsernamePasswordBrokerCredential which have broker support.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

azure_identity_broker-1.2.0.tar.gz (13.0 kB view details)

Uploaded Source

Built Distribution

azure_identity_broker-1.2.0-py3-none-any.whl (10.1 kB view details)

Uploaded Python 3

File details

Details for the file azure_identity_broker-1.2.0.tar.gz.

File metadata

File hashes

Hashes for azure_identity_broker-1.2.0.tar.gz
Algorithm Hash digest
SHA256 487e4408982dc165e3c27afd727d7f5086841e5e6ed04990bc519f8329f1a8e5
MD5 b7482adfe3cee9d02a8d5010b9a21e12
BLAKE2b-256 8ac728e9835cc2611bb9066fc4068a7081123b09e60b632f8d347f70d8b7134d

See more details on using hashes here.

File details

Details for the file azure_identity_broker-1.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for azure_identity_broker-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 fe282311fb5d6f10ebc8fd1ef2b780bd1bca6b4771aee8b3a686d3e11d17e9e6
MD5 71f087679b9822c862a339f11c290f8d
BLAKE2b-256 40d3ef0cdf79fd0fe530c550467504d5caadd6758d324e5788d5ba193cc06399

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page