diff --git a/sdk/identity/azure-identity/MANIFEST.in b/sdk/identity/azure-identity/MANIFEST.in
index fcca83563a8c..07b576fc0eb3 100644
--- a/sdk/identity/azure-identity/MANIFEST.in
+++ b/sdk/identity/azure-identity/MANIFEST.in
@@ -1,3 +1,4 @@
+recursive-include samples *.py
 recursive-include tests *.py
 include *.md
-include azure/__init__.py
\ No newline at end of file
+include azure/__init__.py
diff --git a/sdk/identity/azure-identity/samples/README.md b/sdk/identity/azure-identity/samples/README.md
new file mode 100644
index 000000000000..35a9cd502650
--- /dev/null
+++ b/sdk/identity/azure-identity/samples/README.md
@@ -0,0 +1,37 @@
+---
+page_type: sample
+languages:
+ - python
+products:
+ - azure
+ - azure-identity
+urlFragment: identity-samples
+---
+
+# Azure Identity Library Python Samples
+
+## Prerequisites
+
+You must have an [Azure subscription](https://azure.microsoft.com/free) and an
+[Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) to run
+these samples. You can create a Key Vault in the
+[Azure Portal](https://portal.azure.com/#create/Microsoft.KeyVault) or with the
+[Azure CLI](https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli).
+
+Azure Key Vault is used only to demonstrate authentication. Azure Identity has
+the same API for all compatible client libraries.
+
+## Setup
+
+To run these samples, first install the Azure Identity and Key Vault Secrets
+client libraries:
+
+```commandline
+pip install azure-identity azure-keyvault-secrets
+```
+
+## Contents
+| File | Description |
+|-------------|-------------|
+| control_interactive_prompts.py | demonstrates controlling when interactive credentials prompt for user interaction |
+| user_authentication.py | demonstrates user authentication API for applications |
diff --git a/sdk/identity/azure-identity/samples/control_interactive_prompts.py b/sdk/identity/azure-identity/samples/control_interactive_prompts.py
new file mode 100644
index 000000000000..10dabf65e9d2
--- /dev/null
+++ b/sdk/identity/azure-identity/samples/control_interactive_prompts.py
@@ -0,0 +1,38 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+"""Demonstrates controlling the timing of interactive authentication using InteractiveBrowserCredential.
+
+DeviceCodeCredential supports the same API.
+"""
+
+import os
+import sys
+from azure.identity import AuthenticationRequiredError, InteractiveBrowserCredential
+from azure.keyvault.secrets import SecretClient
+
+
+# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same.
+VAULT_URL = os.environ.get("VAULT_URL")
+if not VAULT_URL:
+ print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.")
+ sys.exit(1)
+
+
+# If it's important for your application to prompt for authentication only at certain times,
+# create the credential with disable_automatic_authentication=True. This configures the credential to raise
+# when interactive authentication is required, instead of immediately beginning that authentication.
+credential = InteractiveBrowserCredential(disable_automatic_authentication=True)
+client = SecretClient(VAULT_URL, credential)
+
+try:
+ secret_names = [s.name for s in client.list_properties_of_secrets()]
+except AuthenticationRequiredError as ex:
+ # Interactive authentication is necessary to authorize the client's request. The exception carries the
+ # requested authentication scopes. If you pass these to 'authenticate', it will cache an access token
+ # for those scopes.
+ credential.authenticate(scopes=ex.scopes)
+
+# the client operation should now succeed
+secret_names = [s.name for s in client.list_properties_of_secrets()]
diff --git a/sdk/identity/azure-identity/samples/user_authentication.py b/sdk/identity/azure-identity/samples/user_authentication.py
new file mode 100644
index 000000000000..2c21c2a44973
--- /dev/null
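Review bot: The final `secret_names = [s.name for s in client.list_properties_of_secrets()]` sits outside the `try`/`except`, so it runs again even when the first call succeeded without raising AuthenticationRequiredError, and the sample issues two list requests on the happy path. Moving the retry into the handler, directly after `credential.authenticate(scopes=ex.scopes)`, makes it clear the second request exists only because a prompt was needed. The sample also leaves a failed or cancelled prompt unhandled; if `authenticate` raises in that case (not visible from this hunk), a one-line comment such as `# authenticate() may raise if the user cancels the prompt; handle that where your application decides to prompt` would tell readers where their own error handling belongs.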
+++ b/sdk/identity/azure-identity/samples/user_authentication.py 
@@ -0,0 +1,43 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+"""Demonstrates user authentication using InteractiveBrowserCredential. DeviceCodeCredential supports the same API."""
+
+import os
+import sys
+from azure.identity import AuthenticationRecord, InteractiveBrowserCredential
+from azure.keyvault.secrets import SecretClient
+
+
+# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same.
+VAULT_URL = os.environ.get("VAULT_URL")
+if not VAULT_URL:
+ print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.")
+ sys.exit(1)
+
+
+# Persistent caching is optional. By default, interactive credentials cache in memory only.
+credential = InteractiveBrowserCredential(enable_persistent_cache=True)
+
+# The 'authenticate' method begins interactive authentication. Call it whenever it's convenient
+# for your application to authenticate a user. It returns a record of the authentication.
+record = credential.authenticate()
+
+# The record contains no authentication secrets. You can serialize it to JSON for storage.
+record_json = record.serialize()
+
+# An authenticated credential is ready for use with a client. This request should succeed
+# without prompting for authentication again.
+client = SecretClient(VAULT_URL, credential)
+secret_names = [s.name for s in client.list_properties_of_secrets()]
+
+# With persistent caching enabled, an authentication record stored by your application enables
+# credentials to access data from past authentications. If the cache contains sufficient data,
+# this eliminates the need for your application to prompt for authentication every time it runs.
+deserialized_record = AuthenticationRecord.deserialize(record_json)
+new_credential = InteractiveBrowserCredential(enable_persistent_cache=True, authentication_record=deserialized_record)
+
+# This request should also succeed without prompting for authentication.
+client = SecretClient(VAULT_URL, new_credential)
+secret_names = [s.name for s in client.list_properties_of_secrets()]
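Review bot: The comment `# Persistent caching is optional. By default, interactive credentials cache in memory only.` does not say what `enable_persistent_cache=True` changes: tokens obtained interactively then outlive the process and are kept in storage on the machine. Since readers will copy this flag into real applications, the sample should say where that cache lives and how it is protected on each platform, which this hunk does not show. Likewise `# The record contains no authentication secrets.` is incomplete for anyone deciding where to store `record_json`: the record presumably still identifies the signed-in account, and on the next run it selects which cached identity `new_credential` uses. Suggested wording: `# The record holds no secrets but identifies the signed-in account; store it readable and writable only by the current user.` The sample also round-trips the record in memory only, so a short comment marking where an application would write and read the JSON would make the storage step explicit.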