- Version 4.6.0
- 1.59 MB
- 14 dependencies
- MIT license
npm i @azure/identity
yarn add @azure/identity
pnpm add @azure/identity
Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID
variable AggregateAuthenticationErrorName
const AggregateAuthenticationErrorName: string;
The Error.name value of an AggregateAuthenticationError
variable AuthenticationErrorName
const AuthenticationErrorName: string;
The Error.name value of an AuthenticationError
variable CredentialUnavailableErrorName
const CredentialUnavailableErrorName: string;
The Error.name value of a CredentialUnavailable
variable logger
const logger: AzureLogger;
The AzureLogger used for all clients within the identity package
function deserializeAuthenticationRecord
deserializeAuthenticationRecord: ( serializedRecord: string) => AuthenticationRecord;
Deserializes a previously serialized authentication record from a string into an object.
The input string must contain the following properties:
- "authority"
- "homeAccountId"
- "clientId"
- "tenantId"
- "username"
- "version"
If the version we receive is unsupported, an error will be thrown.
At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
Parameter serializedRecord
Authentication record previously serialized into string.
function getBearerTokenProvider
getBearerTokenProvider: ( credential: TokenCredential, scopes: string | string[], options?: GetBearerTokenProviderOptions) => () => Promise<string>;
Returns a callback that provides a bearer token. For example, the bearer token can be used to authenticate a request as follows:
```ts
import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
import { createPipelineRequest } from "@azure/core-rest-pipeline";

const credential = new DefaultAzureCredential();
const scope = "https://cognitiveservices.azure.com/.default";
const getAccessToken = getBearerTokenProvider(credential, scope);
const token = await getAccessToken();

// usage
const request = createPipelineRequest({ url: "https://example.com" });
request.headers.set("Authorization", `Bearer ${token}`);
```
Parameter credential
The credential used to authenticate the request.
Parameter scopes
The scopes required for the bearer token.
Parameter options
Options to configure the token provider.
a callback that provides a bearer token.
function getDefaultAzureCredential
getDefaultAzureCredential: () => TokenCredential;
Returns a new instance of the DefaultAzureCredential.
function serializeAuthenticationRecord
serializeAuthenticationRecord: (record: AuthenticationRecord) => string;
Serializes an AuthenticationRecord into a string.
The output of a serialized authentication record will contain the following properties:
- "authority"
- "homeAccountId"
- "clientId"
- "tenantId"
- "username"
- "version"
To later convert this string to a serialized AuthenticationRecord, please use the exported function deserializeAuthenticationRecord().
function useIdentityPlugin
useIdentityPlugin: (plugin: IdentityPlugin) => void;
Extend Azure Identity with additional functionality. Pass a plugin from a plugin package, such as:
- @azure/identity-cache-persistence: provides persistent token caching
- @azure/identity-vscode: provides the dependencies of VisualStudioCodeCredential and enables it
Example:
```ts
import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
import { cachePersistencePlugin } from "@azure/identity-cache-persistence";

useIdentityPlugin(cachePersistencePlugin);

// The plugin has the capability to extend `DeviceCodeCredential` and to
// add middleware to the underlying credentials, such as persistence.
const credential = new DeviceCodeCredential({
  tokenCachePersistenceOptions: {
    enabled: true,
  },
});
```
Parameter plugin
the plugin to register
class AggregateAuthenticationError
class AggregateAuthenticationError extends Error {}
Provides an errors array containing AuthenticationError instances for authentication failures from credentials in a ChainedTokenCredential.
constructor(errors: any[], errorMessage?: string);
property errors
errors: any[];
The array of error objects that were thrown while trying to authenticate with the credentials in a ChainedTokenCredential.
class AuthenticationError
class AuthenticationError extends Error {}
Provides details about a failure to authenticate with Azure Active Directory. The errorResponse field contains more details about the specific failure.
constructor( statusCode: number, errorBody: string | object, options?: { cause?: unknown });
property errorResponse
readonly errorResponse: ErrorResponse;
The error response details.
property statusCode
readonly statusCode: number;
The HTTP status code returned from the authentication request.
class AuthenticationRequiredError
class AuthenticationRequiredError extends Error {}
Error used to enforce authentication after trying to retrieve a token silently.
constructor(options: AuthenticationRequiredErrorOptions);
property getTokenOptions
getTokenOptions?: GetTokenOptions;
The options passed to the getToken request.
property scopes
scopes: string[];
The list of scopes for which the token will have access.
class AuthorizationCodeCredential
class AuthorizationCodeCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID using an authorization code that was obtained through the authorization code flow, described in more detail in the Microsoft Entra ID documentation:
constructor( tenantId: string, clientId: string, clientSecret: string, authorizationCode: string, redirectUri: string, options?: AuthorizationCodeCredentialOptions);
Creates an instance of AuthorizationCodeCredential with the details needed to request an access token using an authentication that was obtained from Microsoft Entra ID.
It is currently necessary for the user of this credential to initiate the authorization code flow to obtain an authorization code to be used with this credential. A full example of this flow is provided here:
Parameter tenantId
The Microsoft Entra tenant (directory) ID or name. 'common' may be used when dealing with multi-tenant scenarios.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter clientSecret
A client secret that was generated for the App Registration
Parameter authorizationCode
An authorization code that was received from following the authorization code flow. This authorization code must not have already been used to obtain an access token.
Parameter redirectUri
The redirect URI that was used to request the authorization code. Must be the same URI that is configured for the App Registration.
Parameter options
Options for configuring the client which makes the access token request.
constructor( tenantId: string, clientId: string, authorizationCode: string, redirectUri: string, options?: AuthorizationCodeCredentialOptions);
Creates an instance of AuthorizationCodeCredential with the details needed to request an access token using an authentication that was obtained from Microsoft Entra ID.
It is currently necessary for the user of this credential to initiate the authorization code flow to obtain an authorization code to be used with this credential. A full example of this flow is provided here:
Parameter tenantId
The Microsoft Entra tenant (directory) ID or name. 'common' may be used when dealing with multi-tenant scenarios.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter authorizationCode
An authorization code that was received from following the authorization code flow. This authorization code must not have already been used to obtain an access token.
Parameter redirectUri
The redirect URI that was used to request the authorization code. Must be the same URI that is configured for the App Registration.
Parameter options
Options for configuring the client which makes the access token request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class AzureCliCredential
class AzureCliCredential implements TokenCredential {}
This credential will use the currently logged-in user login information via the Azure CLI ('az') commandline tool. To do so, it will read the user access token and expire time with Azure CLI command "az account get-access-token".
constructor(options?: AzureCliCredentialOptions);
Creates an instance of the AzureCliCredential.
To use this credential, ensure that you have already logged in via the 'az' tool using the command "az login" from the commandline.
Parameter options
Options, to optionally allow multi-tenant requests.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class AzureDeveloperCliCredential
class AzureDeveloperCliCredential implements TokenCredential {}
Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific to Azure developers. It allows users to authenticate as a user and/or a service principal against Microsoft Entra ID. The AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or service principal and executes an Azure CLI command underneath to authenticate the application against Microsoft Entra ID.
Configure AzureDeveloperCliCredential
To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the commands below:
- Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.
- Run "azd auth login --client-id clientID --client-secret clientSecret --tenant-id tenantID" to authenticate as a service principal.
You may need to repeat this process after a certain time period, depending on the refresh token validity in your organization. Generally, the refresh token validity period is a few weeks to a few months. AzureDeveloperCliCredential will prompt you to sign in again.
constructor(options?: AzureDeveloperCliCredentialOptions);
Creates an instance of the AzureDeveloperCliCredential.
To use this credential, ensure that you have already logged in via the 'azd' tool using the command "azd auth login" from the commandline.
Parameter options
Options, to optionally allow multi-tenant requests.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class AzurePipelinesCredential
class AzurePipelinesCredential implements TokenCredential {}
This credential is designed to be used in Azure Pipelines with service connections as a setup for workload identity federation.
constructor( tenantId: string, clientId: string, serviceConnectionId: string, systemAccessToken: string, options?: AzurePipelinesCredentialOptions);
AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
Parameter tenantId
tenantId associated with the service connection
Parameter clientId
clientId associated with the service connection
Parameter serviceConnectionId
Unique ID for the service connection, as found in the querystring's resourceId key
Parameter systemAccessToken
The pipeline's System.AccessToken value.
Parameter options
The identity client options to use for authentication.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError or AuthenticationError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class AzurePowerShellCredential
class AzurePowerShellCredential implements TokenCredential {}
This credential will use the currently logged-in user information from the Azure PowerShell module. To do so, it will read the user access token and expire time with Azure PowerShell command
Get-AzAccessToken -ResourceUrl {ResourceScope}
constructor(options?: AzurePowerShellCredentialOptions);
Creates an instance of the AzurePowerShellCredential.
To use this credential:
- Install the Azure Az PowerShell module with: Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
- You have already logged in to Azure PowerShell using the command Connect-AzAccount from the command line.
Parameter options
Options, to optionally allow multi-tenant requests.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If the authentication cannot be performed through PowerShell, a CredentialUnavailableError will be thrown.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class ChainedTokenCredential
class ChainedTokenCredential implements TokenCredential {}
Enables multiple TokenCredential implementations to be tried in order until one of the getToken methods returns an access token.
constructor(...sources: TokenCredential[]);
Creates an instance of ChainedTokenCredential using the given credentials.
Parameter sources
TokenCredential implementations to be tried in order.
Example usage:
```ts
import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";

const tenantId = "<tenant-id>";
const clientId = "<client-id>";
const clientSecret = "<client-secret>";
const anotherClientId = "<another-client-id>";
const anotherSecret = "<another-client-secret>";

const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);

const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
```
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Returns the first access token returned by one of the chained TokenCredential implementations. Throws an AggregateAuthenticationError when one or more credentials throws an AuthenticationError and no credentials have returned an access token.
This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class ClientAssertionCredential
class ClientAssertionCredential implements TokenCredential {}
Authenticates a service principal with a JWT assertion.
constructor( tenantId: string, clientId: string, getAssertion: () => Promise<string>, options?: ClientAssertionCredentialOptions);
Creates an instance of the ClientAssertionCredential with the details needed to authenticate against Microsoft Entra ID with a client assertion provided by the developer through the getAssertion function parameter.
Parameter tenantId
The Microsoft Entra tenant (directory) ID.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter getAssertion
A function that retrieves the assertion for the credential to use.
Parameter options
Options for configuring the client which makes the authentication request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class ClientCertificateCredential
class ClientCertificateCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID using a PEM-encoded certificate that is assigned to an App Registration. More information on how to configure certificate authentication can be found here:
constructor( tenantId: string, clientId: string, certificatePath: string, options?: ClientCertificateCredentialOptions);
Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with a certificate.
Parameter tenantId
The Microsoft Entra tenant (directory) ID.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter certificatePath
The path to a PEM-encoded public/private key certificate on the filesystem.
Parameter options
Options for configuring the client which makes the authentication request.
constructor( tenantId: string, clientId: string, configuration: ClientCertificatePEMCertificatePath, options?: ClientCertificateCredentialOptions);
Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with a certificate.
Parameter tenantId
The Microsoft Entra tenant (directory) ID.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter configuration
Other parameters required, including the path of the certificate on the filesystem. If the type is ignored, we will throw the value of the path to a PEM certificate.
Parameter options
Options for configuring the client which makes the authentication request.
constructor( tenantId: string, clientId: string, configuration: ClientCertificatePEMCertificate, options?: ClientCertificateCredentialOptions);
Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with a certificate.
Parameter tenantId
The Microsoft Entra tenant (directory) ID.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter configuration
Other parameters required, including the PEM-encoded certificate as a string. If the type is ignored, we will throw the value of the PEM-encoded certificate.
Parameter options
Options for configuring the client which makes the authentication request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class ClientSecretCredential
class ClientSecretCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID using a client secret that was generated for an App Registration. More information on how to configure a client secret can be found here:
constructor( tenantId: string, clientId: string, clientSecret: string, options?: ClientSecretCredentialOptions);
Creates an instance of the ClientSecretCredential with the details needed to authenticate against Microsoft Entra ID with a client secret.
Parameter tenantId
The Microsoft Entra tenant (directory) ID.
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter clientSecret
A client secret that was generated for the App Registration.
Parameter options
Options for configuring the client which makes the authentication request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class CredentialUnavailableError
class CredentialUnavailableError extends Error {}
This signifies that the credential that was tried in a chained credential was not available to be used as the credential. Rather than treating this as an error that should halt the chain, it's caught and the chain continues.
constructor(message?: string, options?: { cause?: unknown });
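An added example, not code from @azure/identity: one way to turn the errors a credential chain throws into a log-safe triage record that separates "credential not configured" from "credential presented and refused". The error objects are constructed stand-ins that carry only the `name`, `errors` and `statusCode` members documented on this page. The string values of the exported `*ErrorName` constants are assumed to equal the class names, so real code should compare against the exported constants instead.

```javascript
// Assumed values of AggregateAuthenticationErrorName, AuthenticationErrorName
// and CredentialUnavailableErrorName (the page exports them as opaque strings).
const NAMES = {
  aggregate: "AggregateAuthenticationError",
  auth: "AuthenticationError",
  unavailable: "CredentialUnavailableError",
};

// Flatten (possibly nested) aggregates into the per-credential errors.
function flattenAuthErrors(err, out = []) {
  if (err && err.name === NAMES.aggregate && Array.isArray(err.errors)) {
    for (const inner of err.errors) flattenAuthErrors(inner, out);
  } else {
    out.push(err);
  }
  return out;
}

function classifyAuthError(err) {
  const name = err && err.name;
  if (name === NAMES.unavailable) return "unavailable"; // nothing was presented
  if (name === NAMES.auth) return "rejected"; // a credential was presented and refused
  return "unexpected";
}

// Build a record that is safe to log: first message line only, length-capped,
// and no copy of the raw error body.
function triageAuthFailure(err) {
  const entries = flattenAuthErrors(err).map((e) => ({
    kind: classifyAuthError(e),
    statusCode: e && Number.isInteger(e.statusCode) ? e.statusCode : null,
    summary: String((e && e.message) || e).split("\n")[0].slice(0, 200),
  }));
  const kinds = new Set(entries.map((e) => e.kind));
  let verdict = "no-credential-available";
  if (kinds.has("rejected")) verdict = "credential-rejected";
  else if (kinds.has("unexpected")) verdict = "unexpected-error";
  // Only a skipped chain is routine; the other two verdicts deserve attention.
  return { verdict, alert: verdict !== "no-credential-available", entries };
}

// Constructed sample: a chain where the first credential was unavailable and
// the second was refused by the token endpoint.
function sampleChainFailure() {
  const mk = (name, message, extra = {}) =>
    Object.assign(new Error(message), { name }, extra);
  return mk(NAMES.aggregate, "chain failed (constructed)", {
    errors: [
      mk(NAMES.unavailable, "EnvironmentCredential is unavailable.\nmore detail"),
      mk(NAMES.auth, "invalid_client (constructed)", { statusCode: 401 }),
    ],
  });
}
```
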
class DefaultAzureCredential
class DefaultAzureCredential extends ChainedTokenCredential {}
Provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.
constructor(options?: DefaultAzureCredentialClientIdOptions);
Creates an instance of the DefaultAzureCredential class with DefaultAzureCredentialClientIdOptions
This credential provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.
The following credential types will be tried, in order:
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- AzureCliCredential
- AzurePowerShellCredential
- AzureDeveloperCliCredential
Consult the documentation of these credential types for more information on how they attempt authentication.
Parameter options
Optional parameters. See DefaultAzureCredentialClientIdOptions.
constructor(options?: DefaultAzureCredentialResourceIdOptions);
Creates an instance of the DefaultAzureCredential class with DefaultAzureCredentialResourceIdOptions
This credential provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.
The following credential types will be tried, in order:
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- AzureCliCredential
- AzurePowerShellCredential
- AzureDeveloperCliCredential
Consult the documentation of these credential types for more information on how they attempt authentication.
Parameter options
Optional parameters. See DefaultAzureCredentialResourceIdOptions.
constructor(options?: DefaultAzureCredentialOptions);
Creates an instance of the DefaultAzureCredential class with DefaultAzureCredentialOptions
This credential provides a default ChainedTokenCredential configuration that should work for most applications that use the Azure SDK.
The following credential types will be tried, in order:
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- AzureCliCredential
- AzurePowerShellCredential
- AzureDeveloperCliCredential
Consult the documentation of these credential types for more information on how they attempt authentication.
Parameter options
Optional parameters. See DefaultAzureCredentialOptions.
class DeviceCodeCredential
class DeviceCodeCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID using a device code that the user can enter into https://microsoft.com/devicelogin.
constructor(options?: DeviceCodeCredentialOptions);
Creates an instance of DeviceCodeCredential with the details needed to initiate the device code authorization flow with Microsoft Entra ID.
A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
Developers can configure how this message is shown by passing a custom userPromptCallback:
```ts
import { DeviceCodeCredential } from "@azure/identity";

const credential = new DeviceCodeCredential({
  tenantId: process.env.AZURE_TENANT_ID,
  clientId: process.env.AZURE_CLIENT_ID,
  userPromptCallback: (info) => {
    console.log("CUSTOMIZED PROMPT CALLBACK", info.message);
  },
});
```
Parameter options
Options for configuring the client which makes the authentication requests.
method authenticate
authenticate: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AuthenticationRecord | undefined>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
If the token can't be retrieved silently, this method will always generate a challenge for the user.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class EnvironmentCredential
class EnvironmentCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user with a username and password.
constructor(options?: EnvironmentCredentialOptions);
Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
Required environment variables:
- AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.
- AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants:
- AZURE_ADDITIONALLY_ALLOWED_TENANTS: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
Environment variables used for client credential authentication:
- AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
- AZURE_CLIENT_CERTIFICATE_PATH: The path to a PEM certificate to use during the authentication, instead of the client secret.
- AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password for the certificate file.
- AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
Alternatively, users can provide environment variables for username and password authentication:
- AZURE_USERNAME: Username to authenticate with.
- AZURE_PASSWORD: Password to authenticate with.
If the environment variables required to perform the authentication are missing, a CredentialUnavailableError will be thrown. If the authentication fails, or if there's an unknown error, an AuthenticationError will be thrown.
Parameter options
Options for configuring the client which makes the authentication request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
Optional parameters. See GetTokenOptions.
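An added example, not part of @azure/identity: a pre-deployment lint over the variables EnvironmentCredential reads, reporting which authentication mode the environment selects and which settings widen exposure. The function name, finding labels and sample values are constructed here, and the precedence between modes (client secret, then certificate, then username/password) is an assumption that follows the order in which the variables are documented.

```javascript
// `env` is a plain object such as process.env; nothing is read from the network.
function auditEnvironmentCredential(env) {
  const has = (key) => typeof env[key] === "string" && env[key].trim() !== "";
  const findings = [];

  // Without both required variables the credential cannot be used at all.
  const missing = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID"].filter((k) => !has(k));
  for (const key of missing) findings.push(`missing-required:${key}`);

  // Collect every mode that is fully configured, in assumed precedence order.
  const configured = [];
  if (has("AZURE_CLIENT_SECRET")) configured.push("client-secret");
  if (has("AZURE_CLIENT_CERTIFICATE_PATH")) configured.push("client-certificate");
  if (has("AZURE_USERNAME") && has("AZURE_PASSWORD")) configured.push("username-password");

  const mode =
    missing.length === 0 && configured.length > 0 ? configured[0] : "unavailable";

  // Secrets for modes that will never be selected only add exposure.
  if (configured.length > 1) {
    findings.push(`unused-secret-material:${configured.slice(1).join(",")}`);
  }
  if (has("AZURE_USERNAME") !== has("AZURE_PASSWORD")) {
    findings.push("incomplete-username-password");
  }
  if (has("AZURE_CLIENT_CERTIFICATE_PASSWORD") && !has("AZURE_CLIENT_CERTIFICATE_PATH")) {
    findings.push("certificate-password-without-path");
  }
  if (mode === "username-password") {
    findings.push("user-password-in-environment");
  }

  // Semicolon-delimited list; "*" lets the credential request tokens for any tenant.
  const tenants = has("AZURE_ADDITIONALLY_ALLOWED_TENANTS")
    ? env.AZURE_ADDITIONALLY_ALLOWED_TENANTS.split(";").map((t) => t.trim()).filter(Boolean)
    : [];
  if (tenants.includes("*")) findings.push("all-tenants-allowed");

  return { mode, additionallyAllowedTenants: tenants, findings };
}

// Constructed sample environments (placeholder values, not real identifiers).
function sampleEnvironments() {
  return {
    overProvisioned: {
      AZURE_TENANT_ID: "<tenant-id>",
      AZURE_CLIENT_ID: "<client-id>",
      AZURE_CLIENT_SECRET: "<client-secret>",
      AZURE_USERNAME: "<username>",
      AZURE_PASSWORD: "<password>",
      AZURE_ADDITIONALLY_ALLOWED_TENANTS: "*",
    },
    incomplete: {
      AZURE_CLIENT_ID: "<client-id>",
      AZURE_CLIENT_CERTIFICATE_PASSWORD: "<certificate-password>",
    },
    certificateOnly: {
      AZURE_TENANT_ID: "<tenant-id>",
      AZURE_CLIENT_ID: "<client-id>",
      AZURE_CLIENT_CERTIFICATE_PATH: "/path/to/certificate.pem",
    },
  };
}
```
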
class InteractiveBrowserCredential
class InteractiveBrowserCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID inside of the web browser using the interactive login flow.
constructor( options: | InteractiveBrowserCredentialNodeOptions | InteractiveBrowserCredentialInBrowserOptions);
Creates an instance of InteractiveBrowserCredential with the details needed.
This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow). On Node.js, it will open a browser window while it listens for a redirect response from the authentication service. On browsers, it authenticates via popups. The loginStyle optional parameter can be set to "redirect" to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
For Node.js, if a clientId is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint. Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).
Parameter options
Options for configuring the client which makes the authentication requests.
method authenticate
authenticate: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AuthenticationRecord | undefined>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
If the token can't be retrieved silently, this method will always generate a challenge for the user.
On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default. PKCE is a security feature that mitigates authentication code interception attacks.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
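An added example, not code from @azure/identity: the PKCE S256 exchange from RFC 7636 that the note above refers to, with the client and authorization-server sides shown together so it is visible why an intercepted authorization code alone cannot be redeemed. All function names are constructed for this illustration, and the library's internal implementation is not shown on this page.

```javascript
// Dynamic import keeps the snippet loadable as CommonJS or as an ES module.
const loadCrypto = () => import("node:crypto");

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Client, step 1: a fresh verifier per authorization request.
// 32 random bytes encode to exactly 43 base64url characters.
async function createCodeVerifier() {
  const { randomBytes } = await loadCrypto();
  return randomBytes(32).toString("base64url");
}

// Client, step 2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
// Only the challenge travels with the authorization request.
async function codeChallengeFor(verifier) {
  if (typeof verifier !== "string" || !VERIFIER_RE.test(verifier)) {
    throw new RangeError("code_verifier must be 43-128 unreserved characters");
  }
  const { createHash } = await loadCrypto();
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Authorization server, token endpoint: recompute the challenge from the
// presented verifier and compare it with the one stored alongside the code.
async function verifierMatchesChallenge(storedChallenge, presentedVerifier) {
  if (typeof presentedVerifier !== "string" || !VERIFIER_RE.test(presentedVerifier)) {
    return false;
  }
  const { timingSafeEqual } = await loadCrypto();
  const expected = Buffer.from(String(storedChallenge), "ascii");
  const actual = Buffer.from(await codeChallengeFor(presentedVerifier), "ascii");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// One complete exchange: the legitimate client redeems the code with its
// verifier; a party holding only the code has to guess a verifier and fails.
async function simulatePkceExchange() {
  const verifier = await createCodeVerifier(); // never leaves the client
  const challenge = await codeChallengeFor(verifier); // sent to /authorize
  const legitimate = await verifierMatchesChallenge(challenge, verifier);
  const codeOnly = await verifierMatchesChallenge(challenge, await createCodeVerifier());
  const malformed = await verifierMatchesChallenge(challenge, "too-short");
  return { legitimate, codeOnly, malformed };
}
```
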
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
If the user provided the option disableAutomaticAuthentication, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class ManagedIdentityCredential
class ManagedIdentityCredential implements TokenCredential {}
Attempts authentication using a managed identity available at the deployment environment. This authentication type works in Azure VMs, App Service instances, Azure Functions applications, Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
More information about configuring managed identities can be found here: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
constructor(clientId: string, options?: TokenCredentialOptions);
Creates an instance of ManagedIdentityCredential with the client ID of a user-assigned identity, or app registration (when working with AKS pod-identity).
Parameter clientId
The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).
Parameter options
Options for configuring the client which makes the access token request.
constructor(options?: ManagedIdentityCredentialClientIdOptions);
Creates an instance of ManagedIdentityCredential with a client ID
Parameter options
Options for configuring the client which makes the access token request.
constructor(options?: ManagedIdentityCredentialResourceIdOptions);
Creates an instance of ManagedIdentityCredential with a resource ID
Parameter options
Options for configuring the resource which makes the access token request.
constructor(options?: ManagedIdentityCredentialObjectIdOptions);
Creates an instance of ManagedIdentityCredential with an object ID
Parameter options
Options for configuring the resource which makes the access token request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure. If an unexpected error occurs, an AuthenticationError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class OnBehalfOfCredential
class OnBehalfOfCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
constructor( options: OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with the path to a PEM certificate and a user assertion.
Example using the
from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):
```ts
import { OnBehalfOfCredential } from "@azure/identity";
import { KeyClient } from "@azure/keyvault-keys";

const tokenCredential = new OnBehalfOfCredential({
  tenantId: "tenant-id",
  clientId: "client-id",
  certificatePath: "/path/to/certificate.pem",
  userAssertionToken: "access-token",
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
```
Parameter options
Optional parameters, generally common across credentials.
constructor( options: OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client secret and a user assertion.
Example using the
from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):
```ts
import { OnBehalfOfCredential } from "@azure/identity";
import { KeyClient } from "@azure/keyvault-keys";

const tokenCredential = new OnBehalfOfCredential({
  tenantId: "tenant-id",
  clientId: "client-id",
  clientSecret: "client-secret",
  userAssertionToken: "access-token",
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
```
Parameter options
Optional parameters, generally common across credentials.
constructor( options: OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions);
Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client
and a user assertion.
Example using the
from [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys):
```ts
import { OnBehalfOfCredential } from "@azure/identity";
import { KeyClient } from "@azure/keyvault-keys";

const tokenCredential = new OnBehalfOfCredential({
  tenantId: "tenant-id",
  clientId: "client-id",
  getAssertion: () => {
    return Promise.resolve("my-jwt");
  },
  userAssertionToken: "access-token",
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
```
Parameter options
Optional parameters, generally common across credentials.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure the underlying network requests.
class UsernamePasswordCredential
class UsernamePasswordCredential implements TokenCredential {}
Enables authentication to Microsoft Entra ID with a user's username and password. This credential requires a high degree of trust so you should only use it when other, more secure credential types can't be used.
constructor( tenantId: string, clientId: string, username: string, password: string, options?: UsernamePasswordCredentialOptions);
Creates an instance of the UsernamePasswordCredential with the details needed to authenticate against Microsoft Entra ID with a username and password.
Parameter tenantId
The Microsoft Entra tenant (directory).
Parameter clientId
The client (application) ID of an App Registration in the tenant.
Parameter username
The user account's e-mail address (user name).
Parameter password
The user account's account password
Parameter options
Options for configuring the client which makes the authentication request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
If the user provided the option
, once the token can't be retrieved silently, this method won't attempt to request user interaction to retrieve the token.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
class VisualStudioCodeCredential
class VisualStudioCodeCredential implements TokenCredential {}
Connects to Azure using the credential provided by the VSCode extension 'Azure Account'. Once the user has logged in via the extension, this credential can share the same refresh token that is cached by the extension.
It's a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500) that this credential doesn't work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider authenticating with AzureCliCredential.
constructor(options?: VisualStudioCodeCredentialOptions);
Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
is provided by a plugin package: @azure/identity-vscode. If this package is not installed and registered using the plugin API (useIdentityPlugin), then authentication using VisualStudioCodeCredential will not be available.
Parameter options
Options for configuring the client which makes the authentication request.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken>;
Returns the token found by searching VSCode's authentication cache or returns null if no token could be found.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this
implementation might make.
class WorkloadIdentityCredential
class WorkloadIdentityCredential implements TokenCredential {}
Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs) to access other Azure resources without the need for a service principal or managed identity. With Workload Identity authentication, applications authenticate themselves using their own identity, rather than using a shared service principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't need to worry about storing and securing sensitive credentials themselves. The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires a token using the SACs available in the Azure Kubernetes environment. Refer to Microsoft Entra Workload ID for more information.
constructor(options?: WorkloadIdentityCredentialOptions);
WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.
Parameter options
The identity client options to use for authentication.
method getToken
getToken: ( scopes: string | string[], options?: GetTokenOptions) => Promise<AccessToken | null>;
Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.
Parameter scopes
The list of scopes for which the token will have access.
Parameter options
The options used to configure any requests this TokenCredential implementation might make.
interface AuthenticationRecord
interface AuthenticationRecord {}
The record to use to find the cached tokens in the cache.
property authority
authority: string;
The associated authority, if used.
property clientId
clientId: string;
The associated client ID.
property homeAccountId
homeAccountId: string;
The home account Id.
property tenantId
tenantId: string;
The associated tenant ID.
property username
username: string;
The username of the logged in account.
interface AuthenticationRequiredErrorOptions
interface AuthenticationRequiredErrorOptions {}
Optional parameters to the AuthenticationRequiredError
property cause
cause?: unknown;
The underlying cause, if any, that caused the authentication to fail.
property getTokenOptions
getTokenOptions?: GetTokenOptions;
The options passed to the getToken request.
property message
message?: string;
The message of the error.
property scopes
scopes: string[];
The list of scopes for which the token will have access.
interface AuthorityValidationOptions
interface AuthorityValidationOptions {}
Provides options to configure how the Identity library does authority validation during authentication requests to Microsoft Entra ID.
property disableInstanceDiscovery
disableInstanceDiscovery?: boolean;
The field determines whether instance discovery is performed when attempting to authenticate. Setting this to
will completely disable both instance discovery and authority validation. As a result, it's crucial to ensure that the configured authority host is valid and trustworthy. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority.
interface AuthorizationCodeCredentialOptions
interface AuthorizationCodeCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {}
Options for the AuthorizationCodeCredential
interface AzureCliCredentialOptions
interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {}
Options for the AzureCliCredential
property processTimeoutInMs
processTimeoutInMs?: number;
Process timeout configurable for making token requests, provided in milliseconds
property tenantId
tenantId?: string;
Allows specifying a tenant ID
interface AzureDeveloperCliCredentialOptions
interface AzureDeveloperCliCredentialOptions extends MultiTenantTokenCredentialOptions {}
Options for the AzureDeveloperCliCredential
property processTimeoutInMs
processTimeoutInMs?: number;
Process timeout configurable for making token requests, provided in milliseconds
property tenantId
tenantId?: string;
Allows specifying a tenant ID
interface AzurePipelinesCredentialOptions
interface AzurePipelinesCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {}
Optional parameters for the AzurePipelinesCredential class.
interface AzurePowerShellCredentialOptions
interface AzurePowerShellCredentialOptions extends MultiTenantTokenCredentialOptions {}
Options for the AzurePowerShellCredential
property processTimeoutInMs
processTimeoutInMs?: number;
Process timeout configurable for making token requests, provided in milliseconds
property tenantId
tenantId?: string;
Allows specifying a tenant ID
interface BrokerAuthOptions
interface BrokerAuthOptions {}
Configuration options for InteractiveBrowserCredential to support WAM Broker Authentication.
property brokerOptions
brokerOptions?: BrokerOptions;
Options to allow broker authentication when using InteractiveBrowserCredential
interface BrokerDisabledOptions
interface BrokerDisabledOptions {}
Parameters when WAM broker authentication is disabled.
property enabled
enabled: false;
If set to true, broker will be enabled for WAM support on Windows.
property legacyEnableMsaPassthrough
legacyEnableMsaPassthrough?: undefined;
If set to true, MSA account will be passed through, required for WAM authentication.
property parentWindowHandle
parentWindowHandle: undefined;
Window handle for parent window, required for WAM authentication.
interface BrokerEnabledOptions
interface BrokerEnabledOptions {}
Parameters when WAM broker authentication is enabled.
property enabled
enabled: true;
If set to true, broker will be enabled for WAM support on Windows.
property legacyEnableMsaPassthrough
legacyEnableMsaPassthrough?: boolean;
If set to true, MSA account will be passed through, required for WAM authentication.
property parentWindowHandle
parentWindowHandle: Uint8Array;
Window handle for parent window, required for WAM authentication.
property useDefaultBrokerAccount
useDefaultBrokerAccount?: boolean;
If set to true, the credential will attempt to use the default broker account for authentication before falling back to interactive authentication. Default is set to false.
interface BrowserCustomizationOptions
interface BrowserCustomizationOptions {}
Shared configuration options for browser customization
property browserCustomizationOptions
```ts
browserCustomizationOptions?: {
  /**
   * Format for error messages for display in browser
   */
  errorMessage?: string;
  /**
   * Format for success messages for display in browser
   */
  successMessage?: string;
};
```
Shared configuration options for browser customization
interface ClientAssertionCredentialOptions
interface ClientAssertionCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {}
Options for the ClientAssertionCredential
interface ClientCertificateCredentialOptions
interface ClientCertificateCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {}
Optional parameters for the ClientCertificateCredential class.
property sendCertificateChain
sendCertificateChain?: boolean;
Option to include x5c header for SubjectName and Issuer name authorization. Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
interface ClientCertificatePEMCertificate
interface ClientCertificatePEMCertificate {}
Required configuration options for the ClientCertificateCredential, with the string contents of a PEM certificate
property certificate
certificate: string;
The PEM-encoded public/private key certificate on the filesystem.
property certificatePassword
certificatePassword?: string;
The password for the certificate file.
interface ClientCertificatePEMCertificatePath
interface ClientCertificatePEMCertificatePath {}
Required configuration options for the ClientCertificateCredential, with the path to a PEM certificate.
property certificatePassword
certificatePassword?: string;
The password for the certificate file.
property certificatePath
certificatePath: string;
The path to the PEM-encoded public/private key certificate on the filesystem.
interface ClientSecretCredentialOptions
interface ClientSecretCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {}
Optional parameters for the ClientSecretCredential class.
interface CredentialPersistenceOptions
interface CredentialPersistenceOptions {}
Shared configuration options for credentials that support persistent token caching.
property tokenCachePersistenceOptions
tokenCachePersistenceOptions?: TokenCachePersistenceOptions;
Options to provide to the persistence layer (if one is available) when storing credentials.
You must first register a persistence provider plugin. See the
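package on NPM.
Example:
```ts
import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";
import { cachePersistencePlugin } from "@azure/identity-cache-persistence";

// Register the persistence plugin before constructing the credential.
useIdentityPlugin(cachePersistencePlugin);
const credential = new DeviceCodeCredential({
  tokenCachePersistenceOptions: {
    enabled: true,
  },
});
```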
interface DefaultAzureCredentialClientIdOptions
interface DefaultAzureCredentialClientIdOptions extends DefaultAzureCredentialOptions {}
Provides options to configure the DefaultAzureCredential class. This variation supports
and not managedIdentityResourceId, since only one of both is supported.
property managedIdentityClientId
managedIdentityClientId?: string;
Optionally pass in a user assigned client ID to be used by the ManagedIdentityCredential. This client ID can also be passed through to the ManagedIdentityCredential through the environment variable: AZURE_CLIENT_ID.
property workloadIdentityClientId
workloadIdentityClientId?: string;
Optionally pass in a user assigned client ID to be used by the WorkloadIdentityCredential. This client ID can also be passed through to the WorkloadIdentityCredential through the environment variable: AZURE_CLIENT_ID.
interface DefaultAzureCredentialOptions
interface DefaultAzureCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {}
Provides options to configure the DefaultAzureCredential class.
property processTimeoutInMs
processTimeoutInMs?: number;
Timeout configurable for making token requests for developer credentials, namely, AzurePowershellCredential, AzureDeveloperCliCredential and AzureCliCredential. Process timeout for credentials should be provided in milliseconds.
property tenantId
tenantId?: string;
Optionally pass in a Tenant ID to be used as part of the credential. By default it may use a generic tenant ID depending on the underlying credential.
interface DefaultAzureCredentialResourceIdOptions
interface DefaultAzureCredentialResourceIdOptions extends DefaultAzureCredentialOptions {}
Provides options to configure the DefaultAzureCredential class. This variation supports
and not managedIdentityClientId, since only one of both is supported.
property managedIdentityResourceId
managedIdentityResourceId: string;
Optionally pass in a resource ID to be used by the ManagedIdentityCredential. In scenarios such as when user assigned identities are created using an ARM template, where the resource Id of the identity is known but the client Id can't be known ahead of time, this parameter allows programs to use these user assigned identities without having to first determine the client Id of the created identity.
interface DeviceCodeCredentialOptions
interface DeviceCodeCredentialOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions {}
Defines options for the InteractiveBrowserCredential class for Node.js.
property clientId
clientId?: string;
Client ID of the Microsoft Entra application that users will sign into. It is recommended that developers register their applications and assign appropriate roles. For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios.
property tenantId
tenantId?: string;
The Microsoft Entra tenant (directory) ID.
property userPromptCallback
userPromptCallback?: DeviceCodePromptCallback;
A callback function that will be invoked to show DeviceCodeInfo to the user. If left unassigned, we will automatically log the device code information and the authentication instructions in the console.
interface DeviceCodeInfo
interface DeviceCodeInfo {}
Provides the user code and verification URI where the code must be entered. Also provides a message to display to the user which contains an instruction with these details.
property message
message: string;
A message that may be shown to the user to instruct them on how to enter the device code in the page specified by the verification URI.
property userCode
userCode: string;
The device code that the user must enter into the verification page.
property verificationUri
verificationUri: string;
The verification URI to which the user must navigate to enter the device code.
interface EnvironmentCredentialOptions
interface EnvironmentCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {}
Enables authentication to Microsoft Entra ID depending on the available environment variables. Defines options for the EnvironmentCredential class.
interface ErrorResponse
interface ErrorResponse {}
See the official documentation for more details:
NOTE: This documentation is for v1 OAuth support but the same error response details still apply to v2.
property correlationId
correlationId?: string;
The correlation ID to be used for tracking the source of the error.
property error
error: string;
The string identifier for the error.
property errorCodes
errorCodes?: number[];
An array of codes pertaining to the error(s) that occurred.
property errorDescription
errorDescription: string;
The error's description.
property timestamp
timestamp?: string;
The timestamp at which the error occurred.
property traceId
traceId?: string;
The trace identifier for this error occurrence.
interface GetBearerTokenProviderOptions
interface GetBearerTokenProviderOptions {}
The options to configure the token provider.
property abortSignal
abortSignal?: AbortSignal;
The abort signal to abort requests to get tokens
property tracingOptions
```ts
tracingOptions?: {
  /**
   * Tracing Context for the current request to get a token.
   */
  tracingContext?: TracingContext;
};
```
The tracing options for the requests to get tokens
interface InteractiveBrowserCredentialInBrowserOptions
interface InteractiveBrowserCredentialInBrowserOptions extends InteractiveCredentialOptions {}
Defines the common options for the InteractiveBrowserCredential class.
property clientId
clientId: string;
The Client ID of the Microsoft Entra application that users will sign into. This parameter is required on the browser. Developers need to register their applications and assign appropriate roles. For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment.
property loginHint
loginHint?: string;
loginHint allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
property loginStyle
loginStyle?: BrowserLoginStyle;
Specifies whether a redirect or a popup window should be used to initiate the user authentication flow. Possible values are "redirect" or "popup" (default) for browser and "popup" (default) for node.
property redirectUri
redirectUri?: string | (() => string);
Gets the redirect URI of the application. This should be same as the value in the application registration portal. Defaults to
. This field is no longer required for Node.js.
property tenantId
tenantId?: string;
The Microsoft Entra tenant (directory) ID.
interface InteractiveBrowserCredentialNodeOptions
interface InteractiveBrowserCredentialNodeOptions extends InteractiveCredentialOptions, CredentialPersistenceOptions, BrowserCustomizationOptions, BrokerAuthOptions {}
Defines the common options for the InteractiveBrowserCredential class.
property clientId
clientId?: string;
The Client ID of the Microsoft Entra application that users will sign into. It is recommended that developers register their applications and assign appropriate roles. For more information, visit https://aka.ms/identity/AppRegistrationAndRoleAssignment. If not specified, users will authenticate to an Azure development application, which is not recommended for production scenarios.
property loginHint
loginHint?: string;
loginHint allows a user name to be pre-selected for interactive logins. Setting this option skips the account selection prompt and immediately attempts to login with the specified account.
property redirectUri
redirectUri?: string | (() => string);
Gets the redirect URI of the application. This should be same as the value in the application registration portal. Defaults to
. This field is no longer required for Node.js.
property tenantId
tenantId?: string;
The Microsoft Entra tenant (directory) ID.
interface InteractiveCredentialOptions
interface InteractiveCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {}
Common constructor options for the Identity credentials that require user interaction.
property authenticationRecord
authenticationRecord?: AuthenticationRecord;
Result of a previous authentication that can be used to retrieve the cached credentials of each individual account. This is necessary to provide in case the application wants to work with more than one account per Client ID and Tenant ID pair.
This record can be retrieved by calling to the credential's
method, as follows:
```ts
const authenticationRecord = await credential.authenticate();
```
property disableAutomaticAuthentication
disableAutomaticAuthentication?: boolean;
Makes getToken throw if a manual authentication is necessary. Developers will need to call to
to control when to manually authenticate.
interface ManagedIdentityCredentialClientIdOptions
interface ManagedIdentityCredentialClientIdOptions extends TokenCredentialOptions {}
Options to send on the ManagedIdentityCredential constructor. This variation supports
and not resourceId, since only one of both is supported.
property clientId
clientId?: string;
The client ID of the user-assigned identity, or app registration (when working with AKS pod-identity).
interface ManagedIdentityCredentialObjectIdOptions
interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentialOptions {}
Options to send on the ManagedIdentityCredential constructor. This variation supports
as a constructor argument.
property objectId
objectId: string;
Allows specifying the object ID of the underlying service principal used to authenticate a user-assigned managed identity. This is an alternative to providing a client ID or resource ID and is not required for system-assigned managed identities.
interface ManagedIdentityCredentialResourceIdOptions
interface ManagedIdentityCredentialResourceIdOptions extends TokenCredentialOptions {}
Options to send on the ManagedIdentityCredential constructor. This variation supports
and not clientId, since only one of both is supported.
property resourceId
resourceId: string;
Allows specifying a custom resource Id. In scenarios such as when user assigned identities are created using an ARM template, where the resource Id of the identity is known but the client Id can't be known ahead of time, this parameter allows programs to use these user assigned identities without having to first determine the client Id of the created identity.
interface MultiTenantTokenCredentialOptions
interface MultiTenantTokenCredentialOptions extends TokenCredentialOptions {}
Options for multi-tenant applications which allow for additionally allowed tenants.
property additionallyAllowedTenants
additionallyAllowedTenants?: string[];
For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed.
interface OnBehalfOfCredentialAssertionOptions
interface OnBehalfOfCredentialAssertionOptions {}
Defines the parameters to authenticate the OnBehalfOfCredential with an assertion.
property clientId
clientId: string;
The client (application) ID of an App Registration in the tenant.
property getAssertion
getAssertion: () => Promise<string>;
A function that retrieves the client assertion for the credential to use
property tenantId
tenantId: string;
The Microsoft Entra tenant (directory) ID.
property userAssertionToken
userAssertionToken: string;
The user assertion for the On-Behalf-Of flow.
interface OnBehalfOfCredentialCertificateOptions
interface OnBehalfOfCredentialCertificateOptions {}
Defines the parameters to authenticate the OnBehalfOfCredential with a certificate.
property certificatePath
certificatePath: string;
The path to a PEM-encoded public/private key certificate on the filesystem.
property clientId
clientId: string;
The client (application) ID of an App Registration in the tenant.
property sendCertificateChain
sendCertificateChain?: boolean;
Option to include x5c header for SubjectName and Issuer name authorization. Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
property tenantId
tenantId: string;
The Microsoft Entra tenant (directory) ID.
property userAssertionToken
userAssertionToken: string;
The user assertion for the On-Behalf-Of flow.
interface OnBehalfOfCredentialSecretOptions
interface OnBehalfOfCredentialSecretOptions {}
Defines the parameters to authenticate the OnBehalfOfCredential with a secret.
property clientId
clientId: string;
The client (application) ID of an App Registration in the tenant.
property clientSecret
clientSecret: string;
A client secret that was generated for the App Registration.
property tenantId
tenantId: string;
The Microsoft Entra tenant (directory) ID.
property userAssertionToken
userAssertionToken: string;
The user assertion for the On-Behalf-Of flow.
interface TokenCachePersistenceOptions
interface TokenCachePersistenceOptions {}
Parameters that enable token cache persistence in the Identity credentials.
property enabled
enabled: boolean;
If set to true, persistent token caching will be enabled for this credential instance.
property name
name?: string;
Unique identifier for the persistent token cache.
Based on this identifier, the persistence file will be located in any of the following places:
- Darwin: '/Users/user/.IdentityService/'
- Windows 8+: 'C:\Users\user\AppData\Local\.IdentityService\'
- Linux: '/home/user/.IdentityService/'
property unsafeAllowUnencryptedStorage
unsafeAllowUnencryptedStorage?: boolean;
If set to true, the cache will be stored without encryption if no OS level user encryption is available. When set to false, the PersistentTokenCache will throw an error if no OS level user encryption is available.
interface TokenCredentialOptions
interface TokenCredentialOptions extends CommonClientOptions {}
Provides options to configure how the Identity library makes authentication requests to Microsoft Entra ID.
property authorityHost
authorityHost?: string;
The authority host to use for authentication requests. Possible values are available through AzureAuthorityHosts. The default is "https://login.microsoftonline.com".
property loggingOptions
```ts
loggingOptions?: LogPolicyOptions & {
  /**
   * Allows logging account information once the authentication flow succeeds.
   */
  allowLoggingAccountIdentifiers?: boolean;
  /**
   * Allows logging personally identifiable information for customer support.
   */
  enableUnsafeSupportLogging?: boolean;
};
```
Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.
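The options documented above that relax a default (disableInstanceDiscovery, the "*" wildcard in additionallyAllowedTenants, unsafeAllowUnencryptedStorage, and the two loggingOptions flags) can be reviewed before a credential is constructed. The following is an added example, not code from @azure/identity: the interface is a trimmed local copy of the documented option shapes, and auditCredentialOptions, the severity levels and both sample configurations are assumptions of this example.

```typescript
// Trimmed local copy of the option shapes documented on this page, so the
// example runs without installing @azure/identity (assumption of this example).
interface AuditedCredentialOptions {
  authorityHost?: string;
  disableInstanceDiscovery?: boolean;
  additionallyAllowedTenants?: string[];
  tokenCachePersistenceOptions?: {
    enabled: boolean;
    name?: string;
    unsafeAllowUnencryptedStorage?: boolean;
  };
  loggingOptions?: {
    allowLoggingAccountIdentifiers?: boolean;
    enableUnsafeSupportLogging?: boolean;
  };
}

type Severity = "high" | "medium"; // severity scale chosen for this example

interface Finding {
  option: string;
  severity: Severity;
  reason: string;
}

// Values of the AzureAuthorityHosts enum as listed on this page.
const KNOWN_AUTHORITY_HOSTS: string[] = [
  "https://login.chinacloudapi.cn",
  "https://login.microsoftonline.de",
  "https://login.microsoftonline.us",
  "https://login.microsoftonline.com",
];
const DEFAULT_AUTHORITY_HOST = "https://login.microsoftonline.com";

// Compare hosts without regard to case, surrounding space or trailing slashes.
function normalizeHost(host: string): string {
  return host.trim().replace(/\/+$/, "").toLowerCase();
}

// Hypothetical helper: returns one finding per option that relaxes a default.
function auditCredentialOptions(options: AuditedCredentialOptions): Finding[] {
  const findings: Finding[] = [];
  const add = (option: string, severity: Severity, reason: string): void => {
    findings.push({ option, severity, reason });
  };
  const host = normalizeHost(options.authorityHost || DEFAULT_AUTHORITY_HOST);
  const hostIsKnown = KNOWN_AUTHORITY_HOSTS.indexOf(host) !== -1;

  if (!/^https:\/\//.test(host)) {
    add("authorityHost", "high", "authority host is not an https:// URL");
  }
  if (options.disableInstanceDiscovery === true) {
    if (hostIsKnown) {
      add("disableInstanceDiscovery", "medium",
        "authority validation is disabled although the host is a public cloud authority");
    } else {
      add("disableInstanceDiscovery", "high",
        "authority validation is disabled and the host is not in AzureAuthorityHosts; verify it out of band");
    }
  }
  if ((options.additionallyAllowedTenants || []).indexOf("*") !== -1) {
    add("additionallyAllowedTenants", "medium",
      "wildcard lets the credential acquire tokens for any tenant where the app is installed");
  }
  const cache = options.tokenCachePersistenceOptions;
  if (cache && cache.enabled && cache.unsafeAllowUnencryptedStorage === true) {
    add("tokenCachePersistenceOptions.unsafeAllowUnencryptedStorage", "high",
      "token cache may be written unencrypted when no OS-level encryption is available");
  }
  const logging = options.loggingOptions;
  if (logging && logging.enableUnsafeSupportLogging === true) {
    add("loggingOptions.enableUnsafeSupportLogging", "high",
      "personally identifiable information may be written to logs");
  }
  if (logging && logging.allowLoggingAccountIdentifiers === true) {
    add("loggingOptions.allowLoggingAccountIdentifiers", "medium",
      "account information is logged after a successful authentication");
  }
  return findings;
}

// Names of the options that produced a high-severity finding, in check order.
function highSeverityOptions(findings: Finding[]): string[] {
  return findings.filter((f) => f.severity === "high").map((f) => f.option);
}

// Constructed sample configurations (not taken from any real deployment).
const RISKY_OPTIONS: AuditedCredentialOptions = {
  authorityHost: "https://login.contoso-stack.example/",
  disableInstanceDiscovery: true,
  additionallyAllowedTenants: ["*"],
  tokenCachePersistenceOptions: { enabled: true, unsafeAllowUnencryptedStorage: true },
  loggingOptions: { allowLoggingAccountIdentifiers: true, enableUnsafeSupportLogging: true },
};
const HARDENED_OPTIONS: AuditedCredentialOptions = {
  authorityHost: "https://login.microsoftonline.us",
  additionallyAllowedTenants: ["tenant-id-placeholder"],
  tokenCachePersistenceOptions: { enabled: true, unsafeAllowUnencryptedStorage: false },
};

console.log(JSON.stringify(auditCredentialOptions(RISKY_OPTIONS), null, 2));
```

A check like this fits in a CI step or a startup guard, failing the build or refusing to start when highSeverityOptions returns a non-empty list.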
interface UsernamePasswordCredentialOptions
interface UsernamePasswordCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {}
Defines options for the UsernamePasswordCredential class.
interface VisualStudioCodeCredentialOptions
interface VisualStudioCodeCredentialOptions extends MultiTenantTokenCredentialOptions {}
Provides options to configure the Visual Studio Code credential.
property tenantId
tenantId?: string;
Optionally pass in a tenant ID to be used as part of the credential.
interface WorkloadIdentityCredentialOptions
interface WorkloadIdentityCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {}
Options for the WorkloadIdentityCredential
property clientId
clientId?: string;
The client ID of a Microsoft Entra app registration.
property tenantId
tenantId?: string;
ID of the application's Microsoft Entra tenant. Also called its directory ID.
property tokenFilePath
tokenFilePath?: string;
The path to a file containing a Kubernetes service account token that authenticates the identity.
enum AzureAuthorityHosts
enum AzureAuthorityHosts {
  AzureChina = 'https://login.chinacloudapi.cn',
  AzureGermany = 'https://login.microsoftonline.de',
  AzureGovernment = 'https://login.microsoftonline.us',
  AzurePublicCloud = 'https://login.microsoftonline.com',
}
A list of known Azure authority hosts
member AzureChina
AzureChina = 'https://login.chinacloudapi.cn'
China-based Azure Authority Host
member AzureGermany
AzureGermany = 'https://login.microsoftonline.de'
Germany-based Azure Authority Host
member AzureGovernment
AzureGovernment = 'https://login.microsoftonline.us'
US Government Azure Authority Host
member AzurePublicCloud
AzurePublicCloud = 'https://login.microsoftonline.com'
Public Cloud Azure Authority Host
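An added example, not code from @azure/identity or its documentation: a pre-deployment check that flags the risk-relevant options documented above (`unsafeAllowUnencryptedStorage`, the two `loggingOptions` switches, and an `authorityHost` outside `AzureAuthorityHosts`). The names `auditCredentialOptions`, `AuditedOptions` and `Finding` are hypothetical; `tokenCachePersistenceOptions` is the credential option that carries a `TokenCachePersistenceOptions` value, and the sample input is constructed.

```typescript
// Added example. auditCredentialOptions, AuditedOptions and Finding are hypothetical
// names; the option names and host URLs are the ones documented on this page.
const KNOWN_AUTHORITY_HOSTS = [
  "https://login.chinacloudapi.cn",
  "https://login.microsoftonline.de",
  "https://login.microsoftonline.us",
  "https://login.microsoftonline.com",
];

// Local shape mirroring only the properties this check inspects.
interface AuditedOptions {
  authorityHost?: string;
  loggingOptions?: { allowLoggingAccountIdentifiers?: boolean; enableUnsafeSupportLogging?: boolean };
  tokenCachePersistenceOptions?: { enabled: boolean; name?: string; unsafeAllowUnencryptedStorage?: boolean };
}

interface Finding { setting: string; reason: string }

function auditCredentialOptions(opts: AuditedOptions): Finding[] {
  const findings: Finding[] = [];
  if (opts.authorityHost !== undefined) {
    // Compare case-insensitively and ignore trailing slashes.
    const host = opts.authorityHost.trim().replace(/\/+$/, "").toLowerCase();
    if (KNOWN_AUTHORITY_HOSTS.indexOf(host) === -1) {
      findings.push({ setting: "authorityHost", reason: "not an AzureAuthorityHosts value; confirm it is intended" });
    }
  }
  const cache = opts.tokenCachePersistenceOptions;
  // The flag only matters when persistence is actually enabled.
  if (cache && cache.enabled && cache.unsafeAllowUnencryptedStorage === true) {
    findings.push({ setting: "tokenCachePersistenceOptions.unsafeAllowUnencryptedStorage", reason: "token cache may be written to disk unencrypted" });
  }
  const log = opts.loggingOptions;
  if (log && log.enableUnsafeSupportLogging === true) {
    findings.push({ setting: "loggingOptions.enableUnsafeSupportLogging", reason: "personally identifiable information may reach logs" });
  }
  if (log && log.allowLoggingAccountIdentifiers === true) {
    findings.push({ setting: "loggingOptions.allowLoggingAccountIdentifiers", reason: "account information is logged after sign-in" });
  }
  return findings;
}

// Constructed sample configuration (login.example.invalid is a placeholder host).
const sampleFindings = auditCredentialOptions({
  authorityHost: "https://login.example.invalid",
  loggingOptions: { enableUnsafeSupportLogging: true },
  tokenCachePersistenceOptions: { enabled: true, unsafeAllowUnencryptedStorage: true },
});
console.log(sampleFindings.map((f) => f.setting));
```

Running the same check over every credential options object in CI keeps a debugging setting from reaching production unnoticed.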
Type Aliases
type BrokerOptions
type BrokerOptions = BrokerEnabledOptions | BrokerDisabledOptions;
Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.
type BrowserLoginStyle
type BrowserLoginStyle = 'redirect' | 'popup';
(Browser-only feature) The "login style" to use in the authentication flow:
- "redirect" redirects the user to the authentication page and then redirects them back to the page once authentication is completed.
- "popup" opens a new browser window through which the redirect flow is initiated. The user's existing browser window does not leave the current page.
type ClientCertificateCredentialPEMConfiguration
type ClientCertificateCredentialPEMConfiguration =
  | ClientCertificatePEMCertificate
  | ClientCertificatePEMCertificatePath;
Required configuration options for the ClientCertificateCredential, with either the string contents of a PEM certificate, or the path to a PEM certificate.
type DeviceCodePromptCallback
type DeviceCodePromptCallback = (deviceCodeInfo: DeviceCodeInfo) => void;
Defines the signature of a callback which will be passed to DeviceCodeCredential for the purpose of displaying authentication details to the user.
type IdentityPlugin
type IdentityPlugin = (context: unknown) => void;
The type of an Azure Identity plugin, a function accepting a plugin context.
type OnBehalfOfCredentialOptions
type OnBehalfOfCredentialOptions = (
  | OnBehalfOfCredentialSecretOptions
  | OnBehalfOfCredentialCertificateOptions
  | OnBehalfOfCredentialAssertionOptions
) &
  MultiTenantTokenCredentialOptions &
  CredentialPersistenceOptions &
  AuthorityValidationOptions;
Optional parameters for the OnBehalfOfCredential class.
Package Files (1)
Dependencies (14)
Dev Dependencies (38)
- @azure-tools/test-recorder
- @azure-tools/test-utils
- @azure/dev-tool
- @azure/eslint-plugin-azure-sdk
- @azure/keyvault-keys
- @microsoft/api-extractor
- @types/chai
- @types/jsonwebtoken
- @types/jws
- @types/mocha
- @types/ms
- @types/node
- @types/sinon
- @types/stoppable
- @types/uuid
- chai
- cross-env
- dotenv
- eslint
- inherits
- jsonwebtoken
- karma
- karma-chrome-launcher
- karma-coverage
- karma-env-preprocessor
- karma-junit-reporter
- karma-mocha
- karma-mocha-reporter
- karma-sourcemap-loader
- mocha
- ms
- nyc
- puppeteer
- rimraf
- sinon
- ts-node
- typescript
- util
Peer Dependencies (0)
No peer dependencies.